AML (Anti-Money Laundering) and CFT (Countering the Financing of Terrorism) refer to the laws, regulations, and procedures designed to prevent criminals from disguising the proceeds of crime and funding terrorism. The AML/CFT Act in New Zealand ensures that businesses identify and mitigate these risks to protect the financial system from abuse​.

AML/CFT obligations apply to businesses known as reporting entities, which are classified into Phase 1 and Phase 2 entities under the AML/CFT Act: Phase 1 entities (since 2013) include financial institutions such as banks, money remitters, fund managers, casinos, and virtual asset service providers (VASPs). Phase 2 entities (since 2018) include lawyers, accountants, real estate agents, high-value dealers, and trust and company service providers (TCSPs). Each of these sectors has specific obligations under the Act, such as conducting customer due diligence (CDD), reporting suspicious activities, and maintaining a risk-based AML/CFT compliance programme​​.

As a reporting entity, you must comply with the following AML/CFT obligations: 1. Conduct Customer Due Diligence (CDD) Verify the identity of customers, beneficial owners, and those acting on behalf of customers. Apply Standard, Simplified, or Enhanced CDD based on the risk level. Collect and verify Source of Wealth (SoW) and Source of Funds (SoF) for high-risk customers​. 2. Develop and Maintain an AML/CFT Risk Assessment Identify money laundering (ML) and terrorism financing (TF) risks specific to your business. Assess risks related to customers, transactions, products, services, and geographical exposure​. 3. Implement an AML/CFT Compliance Programme Establish policies, procedures, and controls to mitigate identified risks. Designate an AML Compliance Officer responsible for oversight. Provide ongoing staff training on AML/CFT obligations​. 4. Monitor and Report Suspicious Activities Submit Suspicious Activity Reports (SARs) to the Financial Intelligence Unit (FIU) when unusual or suspicious transactions occur. File Prescribed Transaction Reports (PTRs) for large cash transactions over NZD 10,000 and international wire transfers over NZD 1,000​. 5. Perform Ongoing CDD and Transaction Monitoring Regularly review customer information and update CDD records. Identify unusual transaction patterns and monitor high-risk clients​. 6. Maintain Records for at Least Five Years Keep records of CDD documents, transaction history, and AML compliance activities. Ensure records are readily available for audits and regulatory inspections​. 7. Conduct Independent Audits and File Annual Reports Undergo an independent AML/CFT audit at least every three years. Submit an Annual AML/CFT Report to the relevant regulator (DIA, FMA, or RBNZ)​. Failure to meet these obligations can result in significant fines, legal action, or reputational damage

Non-compliance can lead to: Heavy financial penalties (fines up to NZD 2 million for individuals, NZD 5 million for companies) Criminal charges and potential imprisonment Reputational damage and loss of business trust Regulatory intervention from the Department of Internal Affairs (DIA), Financial Markets Authority (FMA), or Reserve Bank of New Zealand (RBNZ)​.

Your business is captured under the AML/CFT Act if it conducts activities that pose a risk of money laundering or terrorism financing. The Act applies to reporting entities, which fall into two phases: Phase 1 entities (since 2013) – Includes banks, financial institutions, money remitters, casinos, and Virtual Asset Service Providers (VASPs). Phase 2 entities (since 2018) – Includes lawyers, accountants, real estate agents, high-value dealers, and trust and company service providers (TCSPs). How to determine if your business is captured Your business is likely captured if it: Handles financial transactions on behalf of customers, such as transferring money, managing client funds, or conducting currency exchange. Provides trust and company services, including setting up or managing trusts, companies, or nominee arrangements. Conducts real estate transactions, such as acting as an agent for property sales or purchases. Trades in high-value goods, such as cars, jewellery, or artwork, and accepts cash payments of NZD 10,000 or more. If you are unsure whether your business is captured, contact Seamless AML for expert guidance and compliance support​​.

An AML/CFT risk assessment is a mandatory process where businesses identify, assess, and document the money laundering and terrorism financing (ML/TF) risks they may face. It is necessary because: It helps businesses understand their exposure to financial crime based on customer types, services, products, and geographic locations. It ensures AML/CFT programmes are tailored to the specific risks of the business. It is a legal requirement under the AML/CFT Act, and failure to conduct one can result in penalties, regulatory enforcement, and reputational damage. A risk assessment must be documented, regularly reviewed, and updated to reflect changes in business operations, emerging threats, or regulatory requirements​.

An AML/CFT compliance programme is a structured framework of policies, procedures, and controls that businesses must implement to identify, manage, and mitigate money laundering and terrorism financing risks. It ensures compliance with the AML/CFT Act and helps businesses detect and prevent financial crime. The programme must satisfy Section 57 of the AML/CFT Act, which outlines the minimum requirements businesses must meet. It should be risk-based, tailored to the nature of the business, and regularly reviewed to ensure effectiveness. The AML/CFT Programme Guideline, published by regulators, provides additional guidance on how to develop and implement a compliant programme​​.

Both your AML/CFT risk assessment and compliance programme must be reviewed and updated at least annually to ensure they remain effective and aligned with regulatory requirements. Updates should also be made when: New risks emerge, such as changes in customer behaviour, services, products, or regulatory expectations. The business introduces new products, services, or customer types that could impact risk exposure. Internal audits or compliance reviews identify weaknesses in policies or procedures. Regulatory bodies release updated guidance, sector risk assessments, or enforcement actions that affect compliance. Your compliance programme must always be based on your most recent risk assessment, so both documents must be reviewed together to ensure consistency​​.

CDD is the process of verifying a customer's identity to assess the risk of money laundering. It involves collecting and verifying: Full name, date of birth, and address Identification documents (passport, driver’s licence, etc.) Beneficial ownership details if the customer represents a company or trust​.

Enhanced Customer Due Diligence (EDD) is an additional level of scrutiny required for high-risk customers or transactions. It goes beyond standard identity verification and involves collecting more detailed information about a customer's background, financial activities, and the legitimacy of their funds. EDD is required in situations where there is an increased risk of money laundering or terrorism financing. This includes dealing with politically exposed persons (PEPs), customers from high-risk jurisdictions, or those with complex ownership structures. It is also necessary when a transaction appears unusual, suspicious, or lacks a clear legal purpose. When applying EDD, businesses must obtain extra details such as Source of Wealth (SoW) and Source of Funds (SoF). This means verifying where a customer’s money comes from through documents like bank statements, tax records, investment reports, or property sale agreements. In some cases, in-person verification or biometric authentication may be required. EDD is not a one-off process. High-risk customers and transactions must be continuously monitored, with regular updates to their information. Any unusual behaviour should be reported to the Financial Intelligence Unit (FIU) as a Suspicious Activity Report (SAR). Failing to conduct EDD when required can result in severe regulatory penalties, reputational damage, and increased exposure to financial crime.

For ongoing business relationships, CDD should be reviewed regularly. For high-risk clients, updates should be done annually or when there are changes in customer behaviour. For one-off transactions, records must be kept for at least five years​.

Yes, businesses can rely on third parties for certain AML/CFT compliance obligations, but ultimate responsibility remains with the business itself. Third-party reliance is permitted for: Customer Due Diligence (CDD) – You may rely on another reporting entity (e.g., a bank, lawyer, or accountant) to verify customer identity. Designated Business Groups (DBGs) – Businesses can share AML/CFT responsibilities within a formally registered group. AML/CFT service providers – External compliance firms can assist with electronic identity verification, transaction monitoring, and independent audits. However, when relying on a third party, you must: Ensure they comply with AML/CFT obligations under New Zealand law. Have written agreements outlining the responsibilities of each party. Maintain access to all customer records and verification documents for regulatory audits. If the third party fails to meet compliance standards, your business remains liable for any breaches​.

A Suspicious Activity Report (SAR) is a report submitted to the New Zealand Police Financial Intelligence Unit (FIU) when a transaction or activity appears suspicious and may be linked to money laundering or terrorism financing. You must file a SAR when (note this list is not exhaustive): A customer’s transaction is unusual, lacks a clear legal or economic purpose, or is inconsistent with their normal behaviour. A customer refuses to provide requested information or provides false or misleading details. A transaction appears to be structured to avoid reporting thresholds (e.g., multiple small deposits instead of one large one). Funds originate from or are sent to high-risk jurisdictions with weak AML controls. A customer shows reluctance to share information about beneficial ownership or the source of funds. SARs must be submitted as soon as possible after suspicious activity is identified. Businesses should not inform the customer that a SAR has been filed, as this is considered tipping off and is illegal​.

A Prescribed Transaction Report (PTR) is a mandatory report for large cash transactions and international wire transfers. You must submit a PTR for: Cash transactions of NZD 10,000 or more (including deposits, withdrawals, currency exchanges). International wire transfers of NZD 1,000 or more, whether sent or received. PTRs must be filed with the FIU within 10 working days of the transaction occurring. These reports help authorities detect and prevent money laundering, tax evasion, and terrorist financing​.

Red flags for money laundering vary by industry, but common indicators include unusual, complex, or unexplained transactions that lack a clear business or economic purpose. Below are key warning signs for different sectors: Real Estate Property purchases made with large amounts of cash or third-party payments. Frequent buying and selling ("flipping") of properties with no clear reason. Transactions involving offshore companies or trusts to obscure ownership. Clients reluctant to provide source of funds or beneficial ownership details. Settlement amounts that don’t match the sales agreement. Accounting & Legal Services Clients requesting to set up complex company structures without a clear business reason. Unexplained cash deposits into business accounts or trust accounts. Frequent movement of funds between multiple entities without a clear purpose. Clients who refuse to provide financial records or tax information. Unusual payments to foreign accounts with no business link. Financial Institutions & Money Remitters Multiple large cash deposits just below reporting thresholds. Transactions that do not match a customer’s normal financial behaviour. Wire transfers to or from high-risk jurisdictions. Use of multiple accounts in different names for no clear reason. Clients who avoid face-to-face interactions or provide inconsistent information. Virtual Asset Service Providers (VASPs) & Cryptocurrency Businesses Frequent high-value cryptocurrency transactions with no supporting business activity. Customers using privacy-enhancing tools (e.g., tumblers, mixers) to obfuscate transactions. Rapid movement of funds between wallets or exchanges, especially cross-border. Deposits from or withdrawals to sanctioned or high-risk jurisdictions. Clients unwilling to disclose wallet ownership or transaction history. High-Value Dealers (Luxury Goods, Jewellery, Cars, Art, Precious Metals) Large purchases made in cash with no clear source of funds. Buyers refusing to provide personal details or requesting to stay anonymous. Third parties making payments on behalf of the actual buyer. Frequent high-value transactions from customers with no prior history. Overpaying for goods and requesting refunds in a different account. What to Do If You Identify a Red Flag If you observe suspicious activity, conduct Enhanced Due Diligence (EDD) and consider filing a Suspicious Activity Report (SAR) with the Financial Intelligence Unit (FIU)​​.