DIA takes the reins: what reporting entities need to know about the new AML/CFT guidance package

The Department of Internal Affairs (DIA) became the single supervisor for all AML/CFT reporting entities on 1 July 2026. To accompany that transition, DIA has released a substantial package of new and updated guidance, with further guidance expected.
For reporting entities, this is more than an administrative change. While some updates are largely consequential or technical, others may require entities to revisit key aspects of their AML/CFT compliance framework, including their risk assessment, AML/CFT programme, customer due diligence processes, outsourcing arrangements, audit approach and prescribed transaction reporting obligations.
The most immediate issue for some non-bank financial institutions (NBFIs) is DIA's updated position on wire transfers and prescribed transaction reporting. NBFIs should prioritise a review of the new wire transfers guidance now, assess whether it changes their obligations, and plan any required implementation work well ahead of the end of the transition period the DIA has put in place.
Key changes
DIA's guidance package is extensive, and its practical impact will vary depending on an entity's business model, customer base and existing compliance framework. Some of the more significant updates include:
-
Wire transfers and prescribed transaction reporting (particularly relevant to NBFIs): DIA has adopted an interpretation that may require some NBFIs to report wire transfers even where a bank is also reporting the transaction. NBFIs should assess whether the new guidance characterises them as acting as an ordering institution or beneficiary institution for AML/CFT purposes and whether changes to systems, processes and documentation may be required. DIA has provided a transitional implementation period until 30 June 2027.
-
Risk assessment and country risk guidance (relevant to all reporting entities): DIA's updated guidance reflects that the National Risk Assessment 2024 and sector risk or other risk assessments by supervisors are mandatory considerations in reporting entity risk assessments, while also introducing substantive additional content to the country risk guidance. Entities should consider whether their existing risk assessment and country risk methodology remain aligned with requirements.
-
Ordinary course of business and territorial scope (particularly relevant to entities near the boundary of the regime): DIA has significantly expanded guidance on when activities are conducted in the ordinary course of business and when sufficient New Zealand connections exist for AML/CFT obligations to apply. These updates are important for businesses assessing whether they are captured by the New Zealand AML/CFT regime, or who have previously made an assessment based on prior guidance.
-
Customer due diligence, outsourcing and reliance (relevant to all reporting entities): DIA has refreshed guidance across a range of topics including beneficial ownership, trusts, outsourcing arrangements and reliance on another reporting entity. Some of these updates contain additional examples and practical guidance that may affect existing compliance approaches.
-
Independent audits (particularly relevant to entities approaching their next audit cycle): DIA's updated audit guidance includes expanded commentary on audit timing, auditor independence, assurance levels and remediation. It should be considered before finalising audit scope or auditor appointments.
Implications for reporting entities
Reporting entities should not assume that the 1 July guidance package is merely a rebranding exercise. The practical impact will differ between entities, but the release should prompt a structured review of AML/CFT settings against DIA's updated expectations.
As a starting point, reporting entities should:
-
identify which of the new and updated guidance documents are relevant to their business;
-
assess whether any key legal or operational assumptions need to be revisited;
-
review whether changes are required to their risk assessment, AML/CFT programme, customer due diligence procedures, outsourcing arrangements, reliance arrangements and audit planning; and
-
prioritise any changes that may require systems development, operational remediation or third-party support.
NBFIs should pay particular attention to the updated wire transfer guidance and whether implementation work may be required before the end of DIA's transitional period on 30 June 2027.
What can reporting entities expect from DIA?
The scale of DIA's guidance programme signals that the regulator is serious about communicating its expectations on how to comply with the AML/CFT Act, with the expectation that reporting entities will review and, where necessary, uplift their AML/CFT frameworks accordingly.
It can be difficult to implement new guidance quickly. In practice, entities that proactively assess the impact of the guidance, identify any gaps and develop credible implementation or remediation plans are likely to be better placed than those that adopt a "wait and see" approach.
Related development: AML/CFT levy confirmed
Alongside the move to a single supervisor, the Government has confirmed the structure of the AML/CFT levy that will partially fund the regulatory system. The levy is intended to support enhanced DIA supervision, increased financial intelligence capability within the Police Financial Intelligence Unit, and support the Ministry of Justice's stewardship of the regime.
The levy will apply to three groups of reporting entities in sectors assessed as high-risk or medium-high risk:
-
banks and deposit takers, which will contribute 85% of total levy costs;
-
the gambling sector, including casinos, online casinos and TAB/Entain, which will contribute 9%; and
-
NBFIs and designated non-financial businesses and professions, which will contribute the remaining 6%.
The levy will be payable from 1 July 2027, but will fund costs incurred from 1 July 2026. Further details will be set out in regulations, and the levy will be reviewed every three years.
How we can help
The breadth of DIA's guidance package means that many reporting entities will be asking whether their current compliance framework remains fit for purpose.
If you would like assistance understanding how DIA's updated guidance applies to your business, please get in touch.











