AML/CFT reforms taking effect from 1 July 2026 offer genuine opportunities to streamline compliance, but the entities that benefit will be those that actively engage with the changes, not those that wait and see. Central to to the reforms is the appointment of the Department of Internal Affairs (DIA) as New Zealand’s single AML/CFT supervisor from 1 July 2026.

What this means in practice

The recent and upcoming changes are not simply deregulatory. Although they are intended to bolster the system where needed and reduce unnecessary burden, they are not “hands-off”.

Instead, they:

• Require reporting entities to assess risk more actively and justify risk-based decisions;
• Create opportunities to streamline lower-risk processes where controls are well designed and documented; and
• Give DIA stronger tools to respond where compliance is inadequate.

The reforms create room for smarter compliance, not lighter compliance. Reporting entities that can show their risk-based decisions are deliberate, documented and defensible will be best placed to benefit from the increased flexibility.

We recommend that reporting entities:

• Review recent regulator guidance, particularly on enhanced CDD and AML/CFT programmes;
• Reassess risk settings, especially relating to trusts, PEPs and verification of beneficial owners;
• Update policies, procedures and controls to reflect new verification pathways, use of digital identity and electronic sources and exception handling processes; and
• Ensure programmes align with updated legislative definitions and obligations and appropriately document reliance on risk-based concessions.

In our experience, key challenges include:

• Determining when it is appropriate to rely on reduced verification steps;
• Embedding digital identity solutions in a way that is compliant and defensible;
• Updating legacy systems built around prescriptive rules; and
• Designing workable exception handling frameworks.

A single supervisor 

At Simpson Grierson's recent Meet the Regulator session with DIA, the message was clear: DIA intends to work constructively with sectors to combat financial crime, while taking seriously its role as steward of the AML/CFT system. Laura Olsen, Acting Director AML/CFT, emphasised DIA's intention to work in partnership with sectors, while recognising reporting entities as the first line of defence against financial crime.

That philosophy will underpin one of the most significant reforms to New Zealand's AML/CFT regime. From 1 July 2026, DIA will become the sole AML/CFT supervisor for all reporting entities. The move away from the current three-supervisor model should support a more consistent approach to supervision and enforcement, along with clearer expectations and guidance across sectors.

More broadly, recent and upcoming reforms accompanying the move to a single supervisor create real opportunities for more practical, risk-based compliance. However, those opportunities will need to be carefully implemented. Reporting entities will need to engage with the changes, make deliberate judgement calls, and document their approach.

Reporting entities should not assume a softer regulatory stance where enforcement is warranted. DIA has made it clear that it will continue to take proportionate enforcement action in cases of significant non-compliance. For example, DIA has recently warned a number of firms for repeated failures to conduct the required independent audit of compliance.

The move to a single supervisor is also accompanied by a more flexible rule-making framework. Requirements that previously needed regulations or ministerial notices may now be addressed through rules or notices made by relevant government agency leaders (including DIA, the Ministry of Justice and the Commissioner of Police). In practice, this should allow AML/CFT requirements to be updated more quickly and in a more targeted way.

The reforms also pave the way for an AML/CFT levy to help fund the compliance model. The Ministry of Justice has already consulted on the structure of the levy, which will be implemented through regulations. The levy is expected to apply from 1 July 2027.

Compliance amendments affecting reporting entities 

The Act is amended in several important ways (effective 19 May 2026 except where noted), including:

• Greater flexibility in customer due diligence (CDD), including a more risk-based approach to trust source of wealth/funds verification and identifying politically exposed persons (PEPs);
• Consolidated and updated definitions, including moving key definitions and obligations into the Act, extending certain designated non-financial businesses and professions (DNFBP) captured activities to preparatory work, and adding new definitions for money or value transfer services and stored value instruments;
• Targeted compliance clarifications, including stopping customer relationships or transactions and considering suspicious activity reporting where CDD is not completed, more explicit record-keeping and prompt document production requirements, and confirmation that compliance officers must be individuals and may sit at senior management level; and
• Stronger enforcement framework, including express civil liability for failing to carry out or review a risk assessment or file annual reports, and (from 1 July 2026) new supervisor powers to issue censures and require information.

New Identity Verification Code of Practice (from 1 July 2026)

A new Identity Verification Code of Practice (IVCOP) will introduce practical changes that may simplify some onboarding and verification processes from 1 July 2026.^[1] The new Code continues to provide a “safe harbour”. Following it is not mandatory, but if you do so, you are considered compliant. 

If a reporting entity continues to accept documents or use the electronic sources it currently does in accordance with the IVCOP 2013, this will likewise be compliant with the IVCOP 2026 (except if accepting certified copies through electronic means). If current processes are working well, there may be no need to change them immediately, but reporting entities should still assess when and how to adopt the new flexibility.

The Code introduces some clearer verification pathways and extends its application to high‑risk customers, not just low‑ and medium‑risk. This means the Code is both more flexible and broader in scope. Nevertheless, there are some areas that lack clarity and care will be needed when working through them, such as the expectations around linking the presenter of an identity document to the claimed identity.

A key shift is towards modern, technology-enabled verification with certain government-backed electronic sources now being able to be used as a single reliable source in many cases. 

The Code also introduces additional flexibility, for example:

• Reduced verification steps for beneficial owners and persons acting on behalf of customers for low or medium risk clients who are legal persons or legal arrangements with more than one beneficial owner, or who qualify for simplified CDD;
• No need to repeat identity verification where it has already been completed, unless there are concerns about its adequacy; 
• Express permission for standard exception-handling processes; and
• Ability to rely on certified documents for up to 12 months.

However, these concessions rely on having well-calibrated risk assessments and clearly documented policies, procedures and controls.

Get in touch

If you would like to understand how these reforms affect your organisation, or how to take advantage of the increased flexibility safely, please get in touch with our AML/CFT team. We can help you respond to the changes in a practical, proportionate and defensible way.

We can assist with:

• Targeted programme reviews to identify opportunities and risks arising from the reforms;
• Redesigning identity verification processes, including documenting digital and electronic solutions compliantly;
• Advice on beneficial owner and PEP risk settings;
• Developing exception-handling frameworks;
• Preparing for DIA supervision and engagement; and
• Training boards, senior management and compliance officers.