Page last updated: 27 March 2023


Find answers to common questions related to AML/CFT regime. Please check the information we provide in each section before contacting us – it may save you time. 

What is money laundering?

Money laundering describes the process by which criminals make ‘dirty’ money obtained from their criminal activities look legitimate, or 'clean'.

They aim to make this dirty money look like it has come from a legitimate source, and therefore difficult to connect with its criminal past. Once that is achieved, criminals can introduce their dirty money into the financial system undetected.

From there, the money can be transferred between bank accounts or financial products in New Zealand or abroad or used to purchase goods and services.

What is terrorist financing?

Terrorist financing is the financial support of terrorists or those who encourage, plan or engage in terrorism.

Terrorist financing may involve funds raised from legitimate sources, such as personal donations and profits from businesses and charitable organisations. It may also be drawn from criminal sources, such as the drug trade, the smuggling of weapons and other goods, fraud, kidnapping and extortion.

People who finance terrorism often use similar methods and tools to those used for money laundering.

When did it all take effect?

The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act) was passed in 2009 and came fully into effect on 30 June 2013.

The time period was intended to give reporting entities time to undertake their risk assessments and to plan and implement their systems and controls before requirements came into force.

What are regulations, codes of practice and guidelines?

The AML/CFT Act sets many obligations at a relatively high level. More detail is set out in the regulations, codes of practice and guidelines:

Regulations - These contain minimum standards and thresholds. They are mandatory and must be followed. The regulations also contain several exceptions to the obligations under the Act.

Codes of practice - These set out methods on how reporting entities can comply with their obligations. While not mandatory, they can provide a defense against charges of non-compliance (a 'safe-harbour'), if followed correctly. A reporting entity that fully complies with the code will be compliant with the relevant parts of the legislation. If a reporting entity decides to opt-out of all, or part of, the code, it is required to have provided written notification to its supervisor. This notification states that the reporting entity has opted out of compliance with all, or part of, the code, and intends to satisfy its obligations by some other equally effective means.

Guidelines - These outline other non-binding guidance from supervisors.


The Minister of Justice is empowered under section 157 to make exemptions from any or all of the provisions of the AML/CFT Act. Exemptions may be granted for businesses, transactions, products, services or customers and may be subject to conditions. For more details visit the Ministry of Justice's website.

Reporting entities are required to assess the money laundering and financing of terrorism risk that they may reasonably expect to face in the course of their business.

In making this assessment, the AML/CFT Act requires a reporting entity to consider:

  • the nature, size and complexity of its business
  • the products and services it offers
  • the methods by which it delivers products and services to its customers
  • the types of customers it deals with
  • the countries it deals with
  • the institutions it deals with
  • any guidance material produced by supervisors
  • any other factors that are set out in regulations.

Reporting entities also need to consider whether any of their products involve new or developing technologies that may favour customer anonymity. The AML/CFT Act also specifies that reporting entities must consider particular activities, such as wire transfers and correspondent banking relationships.

Guidelines have been published to help reporting entities develop their own risk assessment. The Countries Assessment guideline will help you develop procedures on the assessment of risks associated with the countries you deal with, when you need to undertake this assessment and how to approach the assessment.

An AML/CFT programme sets out a reporting entity's internal policies, procedures and controls to detect money laundering and financing of terrorism and to manage and mitigate the risk of it occurring. The programme must be in writing and be based on its risk assessment.

Certain elements of a programme are specifically required by the Act, including:

  • vetting senior managers and AML staff
  • training senior managers and AML staff
  • customer due diligence, including enhanced CDD and simplified CDD
  • suspicious activity reporting
  • monitoring and record-keeping
  • monitoring and managing compliance with the AML/CFT programme.

Risk-based systems and controls should be based on the nature, size and complexity of a reporting entity's business, along with any money laundering and financing of terrorism risks it may face.

Read more about the AML/CFT programme.

What obligations are placed on firms?

Basic obligations imposed on reporting entities include:

  • assessing the money laundering and financing of terrorism risk that it may reasonably expect to face in the course of its business
  • establishing, implementing and maintaining an AML/CFT programme (procedures, policies and controls) to detect, manage and mitigate the risk of money laundering and the financing of terrorism
  • customer due diligence (CDD) (identification and verification of identity) and ongoing CDD
  • suspicious activity reporting
  • record-keeping.

Reporting entities have considerable flexibility within the limits prescribed by the AML/CFT Act and Regulations, in how they meet their obligations.

What are the record-keeping requirements for evidence of staff vetting performed?

We expect reporting entities to keep records of the staff vetting they carry out under their AML/CFT programme. Consistent with the record-keeping obligations in Part 2 of the Act, we would expect these records to be kept for a period of at least 5 years after the relevant employment relationship ends. For other requirements of staff vetting please refer to Part 3 of the AML/CFT Programme Guideline (May 2018) released by the supervisors.

Can one person be the compliance officer for a designated business group?

Yes, provided that the person is employed by at least one of the DBG members he or she administers and maintains all of the members' AML policies, as well as reporting to a senior manager of each reporting entity that appointed him.

Can an AML Officer be an external appointment?

Only if a reporting entity has no employees.

What level of seniority does the AML/CFT compliance officer have to hold?

The AML/CFT compliance officer has to report to a senior manager of the reporting entity.

Refer to the following guides and reports for more information:

The FMA recently visited us to examine our AML/CFT compliance. Does that count as an AML/CFT audit?


When exactly do I need to have my audit completed by?

That will depend on when the financial activities of your business were first captured under section 5 of the AML/CFT Act or additional regulations. Consider the examples below:

  1. If your business was captured by the AML/CFT Act or regulations as at 30 June 2013, then it was due to be completed by 30 June 2015. This is regardless of when you formally implemented your AML/CFT compliance programme.
  2. If you are a new business and your financial activities were captured by the AML/CFT Act or regulations at a later date then you have two years from that date to have your audit completed.
  3. Thereafter, businesses have two years from the date of their last AML/CFT audit to have their next audit completed. For example, if your first audit report had a date of 29 June 2015, then your next audit report date should be no later than 29 June 2017. 

Why does the AML/CFT Act require an audit report to be done on a two-yearly basis?

This is to ensure that reporting entities have, and will continue to have, robust systems and processes in place to detect and deter money laundering and the financing of terrorism.

What period should my audit report cover?

The audit report will provide an opinion by the auditor at a point in time. To support the opinion the auditor will examine evidence stretching back from the audit report date. Most likely, the period will cover the time between your last audit and your current audit.

Does the FMA have a list of recommended auditors?

We do not have a list of recommended auditors. The AML/CFT Act requires the auditor to be independent and suitably qualified – refer to our monitoring reports for more information on this.

Businesses offering AML/CFT audit services include:

  • AML/CFT specialist consultant firms and individuals
  • specialist regulatory compliance consultant firms and individuals
  • audit and accounting firms
  • other reporting entities.

How do I know if the auditor is suitably qualified to conduct the audit?

You should expect that your auditor has the required expertise of the AML/CFT Act and its regulations. Your audit will be more effective if your auditor understands your industry and has audit experience. It is imperative you are comfortable with the auditor you appoint as we may request you to provide evidence your auditor is appropriately qualified. Please refer to our monitoring reports.

How can I ensure the auditor is independent?

Your audit report should confirm the auditor’s independence and any other services they may have provided to you in addition to the audit. The AML/CFT Act states that the person who conducts the audit must be independent, and not involved in the development of a reporting entities AML/CFT risk assessment, or the establishment, implementation or maintenance of its programme. Please refer to our monitoring reports for more information on auditor independence. You should record your consideration of the auditor’s independence as we may ask you to provide this to us.

What response can I expect from the FMA if my auditor identifies issues?

We expect most reporting entities will have compliance issues until their AML/CFT programme matures. The audit is an opportunity to identify those issues and correct them. If there are significant issues identified we encourage you to engage with us early to discuss the matter and to review the actions you propose to take. If we select you for a monitoring visit, we are likely to request a copy of your remediation plan and check your progress. In cases where significant issues are appropriately addressed, we are unlikely to engage further.

Can I apply for an exemption from having an AML/CFT audit performed?

We are not in a position to grant a waiver or exemption from having an AML/CFT audit performed. 

Can I apply for an extension for an AML/CFT audit report?

Except when we have brought forward your AML/CFT audit on request, we are unable to offer extensions. 

Do I need to have an audit performed if my business is being wound up within two years of my last audit?

No. However, if there is some uncertainty when the business will close and it’s possible that it may extend beyond the two year period, we strongly recommend you have your audit completed.  If your business is still a reporting entity after two years from your last audit, then you must have it completed.

What is CDD?

CDD involves:

a) gathering information about customer identity
b) verifying a customer's identity, to ensure the customer is who they say they are.

In most cases, reporting entities will also need to establish and verify the identity of any beneficial owner, meaning the individual who ultimately owns or controls the customer or on whose behalf a transaction is conducted.

CDD also involves establishing and verifying the identity of any person who acts on behalf of a customer.

The Amended Identity Verification Code of Practice 2013 sets out methods by which reporting entities can comply with their obligations to verify the name and date of birth of customers who have been assessed as low to medium risk. The code is not mandatory but provides a 'safe-harbour' if followed correctly. If a reporting entity decides to opt-out of this Code, it must adopt practices that are equally effective.

The Beneficial ownership guideline has been published to help reporting entities develop procedures on the verification of beneficial ownership.

What is ongoing CDD?

Ongoing CDD means regularly reviewing customer information and having systems to conduct account monitoring. Under section 31 of the AML/CFT Act ongoing CDD is required to ensure the ongoing business relationship is consistent with the reporting entity's knowledge about the customer's business and risk profile and to identify grounds for reporting any suspicious transaction. This is required for all customers, including existing customers.

What are PEPs?

Politically-exposed persons (PEPs) are individuals who, by virtue of their position in public life, may be vulnerable to corruption. The definition of a PEP can be found in Section 5 of the AML/CFT Act. The New Zealand legislation currently limits this concept to foreign PEPs, and does not include domestic PEPs, ie persons who hold or have held public offices in New Zealand. Reporting entities are required to give specific consideration to the risks involved with PEPs and should:

  • have procedures in place to determine whether a customer or a beneficial owner of a customer, is a PEP or a close associate of a PEP
  • obtain senior management approval for establishing or maintaining business relationships with PEPs
  • take reasonable measures to establish the source of wealth and source of funds of PEPs
  • conduct enhanced, ongoing monitoring of the business relationship.

What if someone doesn't have a passport and they don't drive?

There are many different types of documents that can be used under the Amended Identity Verification Code of Practice 2013 but there will always be some people, for example, the very young, who don't have the required identification documents. In order to comply with the code you will need to put in place exception handling procedures for these customers. Note that exception handling should only be used where the person genuinely does not hold the identification documents, not where they have just left them at home.

What happens if I take over an existing customer base?

If the customers are existing customers of the reporting entity, you aren't expected to do CDD on all of those customers right away, but you do need to review them periodically (ongoing customer due diligence) to make sure you have the correct information. You must obtain further CDD information if there is a material change in the nature or purpose of the business relationship, if you consider that you have insufficient CDD information, or if the information you hold is inconsistent with the customer's profile.

If the customers are not existing customers of the reporting entity, but are existing customers of another reporting entity that has conducted CDD, then you may be able to rely on the CDD completed by that other reporting entity, if you meet the requirements of sections 32, 33 or 34 of the AML/CFT Act. You will still need to complete ongoing CDD.

Do we have to identify a customer every time they put in $20,000?

No. Once you have accepted a customer as your client you will have obtained all of the required information about the customer, including the nature and purpose of the business relationship. Part of the nature and purpose of the business relationship extends to how much you will expect the customer to deposit with you, and how regularly. If the customer follows the given profile you do not need to conduct CDD for every deposit. However, it would be prudent to request more information from the customer if the customer's behaviour changes significantly.

If a trust is a discretionary trust and the beneficiaries are not named, how do we do CDD on beneficiaries?

Assuming none of the beneficiaries is a beneficial owner of the trust, you only need to record a description of each class or type of beneficiary. You do not have to create a list of potential beneficiaries.

For more detail on CDD for trust beneficiaries see regulation 6 of the AML/CFT (Requirements and Compliance) Regulations 2011.

Will you be providing a list of politically exposed persons (PEPs)?

No. There are a lot of existing sources of information and services that provide PEP checks. We understand that some industry bodies are looking at linking into these for their members.


If someone sets up a company and then asks you to set up an account providing a certificate of incorporation, is the Companies Office CDD enough?

Not on its own. The Companies Office does some CDD, but your obligations under the AML/CFT Act amount to a higher level of CDD than the Companies Office carries out.

Can we use the IRD B2B messaging as a verification procedure for KiwiSaver?

The IRD B2B messaging can be used in lieu of a statement issued by a government agency required in para 3(f) of the Amended Identity Verification Code of Practice 2013. This can only be used for KiwiSaver.

Can a financial adviser certify an original ?

No. Financial advisers cannot certify identity documents. The code of practice contains a list of trusted referees who can certify identity documents. A reporting entity does not have to comply with the provisions of a code of practice, but if they don't intend to comply they must notify their supervisor in writing in advance and must comply with the relevant obligation by an equally effective means.

Although a financial adviser is not a trusted referee under the code, a reporting entity may rely on a Financial Advice Provider, who is also a reporting entity, to conduct CDD on their behalf in accordance with the conditions set out in section 33 of the Act. Alternatively, they may appoint a person as an agent to conduct CDD on their behalf in accordance with section 34.

This is different from certifying identity documents as a trusted referee under the code.

The reporting entity remains responsible for the CDD conducted on their behalf under s33 or by an agent under s34.

Can a reporting entity accept an electronic copy of documentation certified by a trusted referee under part 2 of the Amended Identity Verification Code of Practice 2013?

This depends on whether the electronic copy of the document meets the requirements for an electronically signed document under section 22 of the Electronic Transactions Act 2002 (ETA). Fax or pdf scanned copy of the trusted referee's signature will not be sufficient for the purposes of the code and cannot be accepted in place of the trusted referee's original certification.

For practical reasons, reporting entities may start to set up a client's account based on a fax or scanned copy of certified documents, provided the originals are forwarded by post and are received before any transactions are undertaken. Alternatively, if a reporting entity chooses to rely on electronically certified documentation in accordance with the ETA, the reporting entity will need to ensure that the trusted referee's electronic signature reliably identifies the trusted referee and their approval of the original document.

Section 24 of the ETA provides an example of the type of electronic signature that would be presumed to be sufficiently reliable. Reporting entities are not obliged to accept documents signed by an electronic signature unless they choose to do so.

Is there protection from breach of privacy under the AML/CFT Act for people who submit SARs?

Yes, section 44 of the AML/CFT Act protects anyone who properly reports a suspicious activity to the Police FIU.

Should we inform on a client?

Under the AML/CFT Act restrictions in the Privacy Act 2020, legal professional privilege and other similar provisions do not extend to suspicious activities. This is also the case under the Financial Transactions Reporting Act 1996. Under section 40 of the AML/CFT Act reporting entities must report SARs where there are reasonable grounds for suspicion.

Does every SAR report need to go directly to the Police Financial Intelligence Unit and not through supervisors?

SARs must go to the Police Financial Intelligence Unit, not to your supervisor.  However, under section 41 of the Act, SARs must be signed by a person authorised by a reporting entity to sign them.  This could mean that SARs will be sent to the Police Financial Intelligence Unit via compliance or AML officers rather than directly from the person generating the SAR.

Do we report suspicious persons?

SARs do not merely relate to transactions either completed or attempted.  The integral component of the SAR is suspicion. It is therefore subjective and composed of many factors which may be relevant to include in a SAR.  These include the person sending or receiving the transaction; their behaviour; the time; the place; the amount; implausible sounding stories; the involvement of countries of interest; the transaction type; and the presence of recognised money laundering typologies.

I trade carbon credits for my own account as part of my business. Does this make me a reporting entity under the Act?

Carbon credits are not treated as securities for the purposes of the Act. This means that trading carbon credits will not make you a reporting entity under paragraph (vii) of the definition of 'financial institution'. You could still be a reporting entity if you invest funds in carbon credits on behalf of others or if you manage an individual or collective portfolio of carbon credits. It is also important to distinguish between carbon credits and derivatives linked to carbon credits. If you trade in derivatives linked to carbon credits then you will be a reporting entity under paragraph (vii) of the definition of 'financial institution'.

Supervisors have not issued templates for risk assessments or AML/CFT programmes. This is because one size does not fit all. Each business is likely to have an odd policy or process that is unique to that business.

How do you know who is your supervisor?

Section 130 of the AML/CFT Act explains what sectors each supervisor is responsible for. In addition, the FMA and the Department of Internal Affairs (DIA) have a list of their reporting entities on their respective websites. If in doubt get in touch with anyone of the supervisors and they will point you in the right direction.

What happens if you come under two supervisors?

The supervisors have a process in place for when this situation arises. Reporting entities will only have one supervisor. That supervisor can call upon another supervisor to assist where certain products or services offered by the reporting entity fall outside the leading supervisors area of expertise, for example, a reporting entity that offers both life insurance products and managed investment products. Contact the relevant supervisors so that this process can be implemented.

Is there a register of reporting entities?

There is not a register in a legal sense but we do keep lists. We get information from the FSPR, use open source searching and also learn of reporting entities from Fair Go. If you or any reporting entities you know aren't on the FSPR, let us know.

Entities that are eligible may choose to form a designated business group (DBG). This enables the entities to share a risk assessment and some, but importantly not all, aspects of their AML/CFT programmes.

Guidelines have been published to help reporting entities decide whether they are eligible to form a DBG. The DBG scope guideline outlines the obligations that may be shared by members of a DBG. The DBG formation guideline highlights the eligibility criteria and election process when forming or joining a DBG. It also explains the process for notifying an AML/CFT supervisor about the formation of, or change to, a DBG and provides the forms for doing so.

There will be occasions where the business of a DBG will be split between more than one supervisor. In these circumstances, supervisors will agree on who would be the best supervisor for the group. This may depend on where the majority of the DBG business lies.

I am an issuer of securities registered on the FSPR. Am I a reporting entity under the Act?

You are not automatically a reporting entity just because you are registered on the FSPR. You will be a reporting entity if you issue debt securities in the ordinary course of your business or if you participate in securities issues and provide financial services in relation to those issues. We have issued a guideline on issuers of securities and participants in issues to help you understand whether you are a reporting entity.

The provisions of the Financial Service Providers (Registration and Dispute Resolution) Act 2008 (FSP Act) that determine whether an entity should be registered on the FSPR are not identical to the provisions in the AML/CFT Act that deal with whether an entity is a reporting entity. Although the purposes of the AML/CFT Act and the FSP Act overlap, the FSP Act has a wider purpose.

Some issuers may, therefore, need to register on the FSPR even though they may not be reporting entities for AML/CFT Act purposes and conversely some entities may be reporting entities even though they are not required to register on the FSPR.

I am an issuer of equity securities. The only financial service I provide in relation to the securities is to act as the issuer under section 5(i) of the FSP Act. Am I a reporting entity?

You will only be a reporting entity if you are participating in securities issues and the provision of financial services related to those issues as defined under paragraph (viii) of the definition of financial institution or if you perform a financial service as defined in section 5 of the FSP Act, in addition to acting as an issuer of securities. 

If you only act as an issuer of securities and do not provide other financial services such as being a promoter, manager, Financial Advice Provider, client money or property service provider or underwriter, then you will not be a reporting entity under paragraph (viii) of the definition of financial institution.  The guideline on issuers of securities and participants in issues has been published to help issuers understand whether they are reporting entities or not.

I am an issuer of debt securities, am I a reporting entity?

An issuer of retail debt securities falls into the category of 'accepting deposits or other repayable funds from the public' under paragraph (a)(i) of the definition of 'financial institution' in the AML/CFT Act.  To decide whether you are a reporting entity, you must decide whether you issue debt securities to the public in the ordinary course of business.  The 'Interpreting ordinary course of business guideline' can help.

If you have a separate company or SPV in your group structure whose primary purpose is to issue retail debt securities, then issuing debt securities to the public would usually be in the ordinary course of business for that SPV. If, however, the SPV has not issued debt securities for a significant period of time and has no intention to issue more, then you may decide the SPV does not issue debt securities to the public in the ordinary course of business.  We cannot give definitive guidance on what 'a significant period of time' might be, because this will depend upon the nature of your business.

We have an SPV that issues debt securities in the ordinary course of business, on whom should it complete CDD?

A reporting entity, such as your SPV, must complete CDD on its customers, their beneficial owners and anyone acting on behalf of its customers.  This CDD must be completed before the issuance of the debt securities.  The customers of the SPV will be the people who purchase the debt securities directly from the SPV (primary market purchasers).

You would not normally need to complete ongoing CDD on people who may purchase your debt securities in the secondary market, because these people are not your customers and in most cases would not be beneficial owners of your customers.

We have an SPV that issued debt securities before 30 June 2013, but has no intention of issuing further securities. Is it a reporting entity under the AML/CFT Act?

No. We would expect that your SPV is not currently issuing debt securities in the ordinary course of business, even though some of its debt securities may still be traded in the secondary market.  If however, there is an intention to issue further debt securities in the future, then the SPV will be a reporting entity.  This would mean it would need to comply with the ongoing obligations under the AML/CFT Act such as appointing an AML/CFT officer, submitting an annual report and producing a risk assessment and AML/CFT programme.

Note that the analysis under the AML/CFT Act will not always be the same as that under the FSP Act, so an issuer may need to register on the FSPR even if it is not required to be a reporting entity for the AML/CFT Act’s purposes.

If an issuer of securities has conducted CDD on the initial purchasers of their securities, do they have to conduct CDD on all subsequent people who purchase the securities in an independent secondary market?

No. The AML/CFT Act only requires a reporting entity to conduct CDD on customers; beneficial owners of customers; and people acting on behalf of a customer. An issuer of securities may be required to conduct CDD on the initial purchasers of its securities (for example if it is issuing debt securities, or issuing equity securities and providing financial services in relation to those equity securities, in the ordinary course of business) because those purchasers will be customers of the entity.

If someone purchases the securities in a secondary market that is independent of the reporting entity, and the entity does not have any other business relationship with the purchaser, then the purchaser does not become a customer simply by holding the securities. The reporting entity does not need to conduct CDD on that secondary market purchaser.

Where a reporting entity makes payments due under securities to a person who has purchased those securities in an independent secondary market, this will not in itself mean the purchaser is a customer of the reporting entity.  Payments could include interest installments, dividends or a final redemption amount.  These payments on their own will not trigger an obligation to conduct CDD on the purchaser. 

However, if a reporting entity facilitates the purchase of its securities, or otherwise enters into a business relationship with the purchaser of those securities, then the purchaser would become a customer of the reporting entity.  In these circumstances, the reporting entity should conduct CDD on the purchaser in accordance with the AML/CFT Act before entering into the business relationship unless an exemption applies.

Yes. Anyone who provides a crowdfunding platform or is a peer-to-peer lender, as defined in the Financial Markets Conduct (Phase 1) Regulations 2014 is participating in an issue of securities and providing a financial service in relation to those securities.  This means they will be a 'financial institution' under section 5 of the AML/CFT Act and they are therefore reporting entities.  They may also perform other financial activities that mean they fall within the definition of a financial institution, although this will not affect their obligations under the AML/CFT Act.  All investors and issuers (or all lenders and borrowers in the peer-to-peer context) using their services will be their 'customers' for the purposes of the AML/CFT Act.

Are Financial Advice Providers Reporting Entities? 

If you are a Financial Advice Provider (FAP) (including an Authorised Body named on an FAP’s licence) you must consider whether you are a Reporting Entity under the AML/CFT Act. 

Is my business an AML/CFT Reporting Entity?

There are two ways a FAP can be a reporting entity. They can be captured as a ‘financial institution’ or captured by Regulation 16 of the AML/CFT Definitions Regulations 2011. A FAP can be captured by either or both of these ways.  

Businesses captured as a ‘financial institution’ 

Providing financial advice, on its own, does not fall under the definition of ‘financial institution’ in section 5 of the AML/CFT Act. 

Some FAPs do more than just provide financial advice. For example, they may handle client money or trade on behalf of clients.  These FAPs will likely be Reporting Entities as a result of (and in respect of) those additional activities, capturing them as a ‘financial institution’ (see the definition in section 5 of the AML/CFT Act).     

Businesses captured by Regulation 16 

In addition, some FAPs will be Reporting Entities if they arrange for another Reporting Entity to provide relevant services in respect of relevant products to that Reporting Entity’s customers.

A relevant service is a service provided by the other Reporting Entity while carrying out a financial activity (for example, managing funds, or trading transferable securities for a customer) – see the definition of a “financial institution” in section 5 of the AML/CFT Act for the full list.  

The relevant products are listed under Regulation 16(5). They include interests in managed investment schemes and equity securities (stocks).  Examples of products that are not captured include: 

  • Fire and general insurances 
  • Life insurance and income protection (however, an investment-linked contract of insurance is captured) 
  • Mortgage/consumer credit contracts    
  • A fixed term deposit product issued by a registered bank. 

What does Regulation 16 mean in practice? 

Regulation 16 captures FAPs who do something more than just provide financial advice.  It is directed at FAPs who are in effect the “customer interface”, of the relevant product or service provider in question. 

A FAP might “arrange” for another reporting entity to provide a relevant service where it is filling out application forms on behalf of the customer and/or liaises with a relevant product or service provider on the customer’s behalf.  

For example, ABC Limited is a Financial Advice Provider.  Sandra is a financial adviser for ABC Limited, engaged to provide advice to clients on ABC Limited’s behalf.  Sandra advises Cary to invest in the Global Growth Fund, managed by Global Growth Management Limited.  In addition to giving Cary that advice, Sandra also fills in the application forms for Cary, and liaises with Global Growth Management Limited in relation to Cary’s investment in the Global Growth Fund. 

By doing this, ABC Limited is arranging for Global Growth Management Limited (another reporting entity) to provide a relevant service (managing funds) in respect of a relevant product (a managed investment product) to Cary.  This additional activity makes ABC Limited a Reporting Entity under Regulation 16. 

My business is an FAP that only arranges for clients to invest in KiwiSaver schemes. Is my business a Reporting Entity?  

No, but you will still have some obligations.   

Arranging for clients to invest in KiwiSaver schemes is something that would ordinarily be caught by Regulation 16. See Regulation 16 AML/CFT (Definitions) RAML legislation. However, Part 8 of the Class Exemptions exempts FAPs who only arrange for investments in retirement schemes.   

The effect of the class exemption is that: 

  • The FAP will have no obligations under the AML/CFT Act itself.  This means that the FAP will not be a “Reporting Entity”, (due to Regulation 18). See Regulation 18 AML/CFT (Definitions) Regulation 2011.   
  • Instead, the FAP must comply with the conditions to the class exemption (see clause 4 of that class exemption, which sets out the conditions). 

Note that a FAP that only advises on KiwiSaver (and does not arrange for clients to invest in KiwiSaver) will not be a Reporting Entity and will not have any AML obligations in respect of that advice.   

Your obligations as an AML reporting entity

If your business services are captured for AML/CFT purposes, you must ensure that your Reporting Entity status is up to date on the Financial Service Providers Register (FSPR).

If you are unsure whether your business services are captured under the AML/CFT Act, we recommend you seek independent legal advice. 

As a reporting entity, you will need to meet your obligations under the AML/CFT Act. For more information on these obligations and how to comply, view the AML webpage. 

AML/CFT obligations under FSLAA

In general, your AML/CFT obligations have not changed. 

If you were a Reporting Entity before 15 March 2021

  • You (or your business) will likely still be a reporting entity. You need to consider if there have been any changes to your business offering that could affect your status as a reporting entity. 
  • If you have changed your business offering (e.g., by providing additional services, alongside financial advice), or if you previously had a different FMC Act licence type, you need to review your risk assessment to determine if it needs amending, and then consider if you need to update your AML/CFT programme accordingly.  

If you are a new Reporting Entity 

You must: 

  • appoint an AML Compliance Officer 
  • conduct and document your AML/CFT risk assessment 
  • develop, implement, and document your AML/CFT programme 
  • file an annual AML/CFT Report to the FMA 
  • file Suspicious Activity Reporting to the Financial Intelligence Unit of the NZ Police. 

This list is a summary of obligations only. For more information on your obligations, how to comply, and guidance, visit our AML webpage. 

Annual AML/CFT Reports 

All Reporting Entities (REs) must submit an annual AML/CFT Report. One form must be completed for each RE. REs that are eligible members of a DBG may allow another member of the DBG to complete Part Two (Questions 4-5) on their behalf. However, they must still complete a form. 

You may submit your annual report any time from 1 July, but by no later than 31 August. Reports should be submitted through the FMA's Online Services portal. If you are unable to complete or upload your annual report, please contact us before the 31 August deadline.

For more information on how to complete your annual AML/CFT report, please download the  Annual AML/CFT report user guide. 

In most fund structures we would expect the fund manager to be a reporting entity. The fund manager is likely to be 'managing individual or collective portfolios' (under paragraph (a)(ix) of the definition of a financial institution) and/or 'investing, administering, or managing funds or money on behalf of other persons' (under paragraph (a)(xi) of the definition of a financial institution).

Typically, limited partnerships to enable pooled investment opportunities are considered by the FMA to operate as fund structures, unless there are factors that alter this arrangement.  If this is the case then we would generally consider that the entity within the limited partnership structure acting as the manager would be the reporting entity, as it is the entity most likely to be carrying out the activities noted above.  This may be a separate entity (for example, a management company to which the general partner has delegated management responsibilities) or the general partner itself.  In our view, the recipients of those activities – and the “customers” of the relevant reporting entity – are the limited partners.  Absent other factors, we would not expect other entities within the limited partnership structure, including the limited partnership itself, to be reporting entities in respect of the same financial activities carried out by the manager.  However, if another entity within the limited partnership structure is carrying out additional financial activities in the ordinary course of business, it may be a reporting entity in respect of those activities and will need to comply accordingly.

In some fund structures, such as venture capital funds or property investment structures using an investment company, there may not be a fund manager conducting the activities described in paragraphs (ix) or (xi) of the definition of financial institution. It may be difficult to identify an individual entity that is conducting these financial activities.

In these circumstances, you should consider whether the fund structure as a whole could be considered to be a legal arrangement under which the financial activities are conducted. It is useful to look at this from the investor's point of view to understand whether they would consider that they are receiving the services described in paragraphs (ix) or (xi). If the investor is receiving these financial services from the fund, then the fund entity that interacts with the investor would be a reporting entity.

I run an investment company that invests funds on its own behalf. How could it be a reporting entity under paragraph (xi) of the definition of financial institution?

You should consider the substance of your activities, rather than the legal form adopted. An investment company may be considered to be 'investing, administering, or managing funds or money on behalf of other persons' where, in substance, the investment activities are being conducted for the benefit of and in the interests of the underlying equity investors.

The fact that a company is investing funds for its own benefit does not prevent the conclusion that it is also investing funds for the benefit of its investors. A company that has the 'look and feel' of a fund or pooled investment vehicle is also likely to be a reporting entity under paragraph (ix) of the definition of financial institution ('managing individual or collective portfolios').

This does not mean that all companies that invest in and manage assets will be reporting entities. The vast majority of companies will not be reporting entities under paragraphs (ix) or (xi) and there is effectively a presumption that companies are not acting as a fund or pooled investment vehicle for their ordinary shareholders, but if a company has the look and feel of a fund or pooled investment vehicle then it will be a reporting entity.

At one end of the spectrum, there are companies who actively manage assets as part of a non-investment business, for example, power generation companies and milk producers. These types of companies would not be considered to be managing a portfolio for the purposes of the AML/CFT Act or undertaking their investments on behalf of their equity investors.

At the other end of the spectrum are investment companies that passively invest as a look-through vehicle for investors. These types of companies would be considered to be investing on behalf of their investors, and may also be managing a portfolio for the purposes of the AML/CFT Act. They would, therefore, be reporting entities.

Most companies will fall somewhere between the two ends of this spectrum, but only companies that 'look and feel' like a fund or pooled investment vehicle are intended to be reporting entities under these paragraphs. There is no single determining factor, but factors that may be relevant include:

  • The legal form of the relationship between an investor and the relevant entity and whether the rights, benefits and AML/CFT risks are analogous to an investment in a fund or other pooled investment vehicle
  • Whether there is a recognisable investment strategy for investing in a portfolio of assets
  • The employment structure of the entity, for example, are the majority of individuals employed in assessing potential investments and divestments and related administrative roles?
  • The reasonable perceptions of investors, i.e. whether they would consider themselves to be investing in an asset class or portfolio, rather than investing in a business
  • The way the company describes and/or markets itself, for example, references to the opportunity to make an investment in its portfolio
  • The nature of any assets invested in by the company. For example, are assets independent and unrelated or are they integral parts of a wider business?
  • Whether the way in which assets are held is similar to the way a fund or other pooled investment vehicle would be expected to hold assets
  • The active or passive nature of activities undertaken by the company in relation to its assets
  • The number of independent assets held
  • The frequency with which new equity funds are raised
  • The frequency of acquisition and divestment of assets

Other factors may also be relevant. If in doubt please contact us at [email protected] to discuss.

We have a pooled investment vehicle structured as an investment company and a separate investment manager. The investment manager is a reporting entity under the AML/CFT Act, will the investment company also be a reporting entity?

Each individual entity needs to be assessed against the definition of 'reporting entity' in the AML/CFT Act. Although you should consider each part of the definition of 'financial institution paragraphs (viii), (ix) and/or (xi) may be most relevant. If you determine that your investment manager is conducting all relevant activities, rather than the investment company, then the investment manager will be a reporting entity and the investment company may not be a reporting entity.

However, this does not mean that the reporting entity can avoid conducting customer due diligence on the investors in your pooled investment vehicle. The investment company would be considered to be the facility through which the investment manager is conducting the activities and these activities would be considered to be conducted on behalf of the investors (see previous question and answer). The investors would, therefore, be 'customers' of the investment manager for the purposes of the AML/CFT Act.

Our investment company is a reporting entity and has shares traded in the secondary market. Do we have to identify people who purchase the shares in the secondary market?

We would not usually expect reporting entities to complete ongoing customer due diligence on people who may purchase their securities in the secondary market. Secondary market purchasers are not customers of the reporting entity and in most cases would not be beneficial owners of customers.

If the reporting entity is on notice that the original person who purchased the securities in the primary market was actually acting on behalf of a subsequent investor, then the subsequent investor will be a 'beneficial owner' under the AML/CFT Act and the reporting entity must conduct customer due diligence on that beneficial owner, but we would not normally expect this to be the case.

Am I exempt from the AML/CFT Act under regulation 16 (relevant services provided to related entities) of the AML/CFT (Exemptions) Regulations, if my only customers are related entities?

Regulation 16 of the exemptions regulations apply when 'the recipient of the service' is related to the person that provides the financial service. In most cases, this will mean that a person is exempt from the AML/CFT Act if their only customers are related entities, however, in some cases the recipient of service will be a third party who may have no contractual link to the person providing the service.

If a non-related person is the recipient of your financial service, then you will be a reporting entity. It is useful to look at this from the investor's point of view to understand whether they would consider they are receiving financial services as described in the definition of financial institution in section 5 of the AML/CFT Act.

How does the FMA supervise AML/CFT?

FMA is committed to a risk-based approach in countering money laundering and terrorist financing. This means we allocate our resources and efforts to the areas where we perceive the greatest threat to our statutory objectives, in order to:

  • detect and deter money laundering and the financing of terrorism
  • maintain and enhance New Zealand's international reputation by adopting, where appropriate in the New Zealand context, recommendations issued by the Financial Action Task Force
  • contribute to public confidence in the financial system.

Criminals are increasingly flexible and innovative in their efforts to launder money and attempt to avoid detection. It is therefore important that our anti-money laundering responses are flexible, proportionate and cost-effective. These are the main characteristics of a risk-based AML/CFT regime.

Is it the same as Australia?

No. One of the policy drivers behind the legislation was trans-Tasman integration, but only where it is appropriate for New Zealand. The detail in the legislation and the Government's approach differs in a number of areas, so it is imperative that reporting entities fully understand their obligations under the New Zealand regime.

Completing your annual AML/CFT report

Click on any of the topics below to find answers about completing your annual AML/CFT report. If you can't find the answers you're are looking for please email us at [email protected]

General information 

Why do I need to submit an annual AML/CFT report?

All reporting entities (as defined in the AML/CFT Act) must prepare an annual report on their risk assessment and compliance programme under section 60 of the AML/CFT Act. This needs to be in the format set out in Schedule 2 of the Anti-Money Laundering and Countering Financing of Terrorism (Requirements and Compliance) Regulations 2011 and must be submitted to the relevant AML/CFT supervisor. A list of AML/CFT supervisors can be found here. Information from these reports provides us with important information on AML/CFT reporting entities and will help us:

  • understand the risk of money laundering and financing of terrorism activities in each reporting entity
  • ensure that information we have on our reporting entities is accurate and up-to-date
  • determine the best use of our resources.

When can I submit my annual AML/CFT report?

You must submit your report between the 1st of July and the 31st of August annually. The dates are fixed because the information included in the report must include data up to, and including 30th of June annually. 

What does the annual AML/CFT report cover?

The covers five broad topics:

  • Part 1 – Business contact details and organisation structure
  • Part 2 – AML/CFT risk assessment and AML/CFT programme
  • Part 3 – Products and services, customers and channels
  • Part 4 – AML/CFT supervisor-specific questions
  • Part 5 – Compliance with exemptions

Schedule 2 of the AML/CFT (Requirements and Compliance) Regulations 2011 determines the content for the annual AML/CFT report.

PLEASE NOTE:  For questions 6.2.1 up to and including 6.2.74, the total percentage (%) should add up to 100%.

Can I submit a handwritten report or create my own annual AML/CFT report, based on the user guide or some other template?

No. We cannot accept reports based on individually designed templates. Submissions must only be made by completing and submitting our annual AML/CFT report submission form. See the instructions above about how to open and complete it.

Can I use a template provided by another supervisor (or anyone else) to complete my annual AML/CFT report?

No. You should use the template provided by your own supervisor. If we are your supervisor then submissions must be made using our annual AML/CFT report submission form. See the instructions above about how to open and complete it.

As a reminder, we supervise: issuers of securities, licensed supervisors, fund managers, client money or property service providers, certain financial advice providers, derivatives issuers, DIMS providers and peer to peer lending and equity crowdfunding service providers.

What happens if I don't submit an annual AML/CFT report?

If you do not submit a report, compliance action may be taken against you.

What happens if I supply false or misleading information?

Penalties may apply if false or misleading information is supplied.

Am I exempt from submitting an annual AML/CFT report?

If you have a full exemption from the AML/CFT Act, you do not need to submit a report. If you have a partial exemption, you may be required to submit a report. 

If you do not know whether you need to submit a report, please contact us at [email protected]

Does each member of a designated business group (DBG) need to complete a separate annual AML/CFT form?

Yes. Each member of a DBG must complete a separate annual AML/CFT form, except as noted in Part Two (Questions 4-5) for reporting entities that are eligible members of a DBG.

If you are a member of a DBG, you may allow another member to answer Part Two on your behalf. However, please note that you are responsible for the information provided. If you are eligible, use the space provided in Part Two to specify this, together with the legal name and registered number of the member answering Part Two on your behalf. Then leave this part blank and go to Part Three. You are required to answer all other parts of the form.

What happens if my reporting entity doesn't have an FSP number do I still need to complete a report? 

You are required to have an FSP number to complete the report. 

I am registered on the FSPR to provide a number of financial services, but do not currently provide any. Do I still need to complete an annual AML/CFT report?

You are not a reporting entity unless you carry on some activity that falls within the definition of 'reporting entity' in section 5 of the AML/CFT Act. This includes activities that have been declared by regulations for people to be reporting entities. If you are not a reporting entity, then you do not need to complete a report.

I am overseas for an extended period of time so will have difficulty completing my AML/CFT annual report. May I have an extension beyond 31 August to complete the report?

FMA is not able to grant any extensions.

I sold my reporting entity 'entity 1'? that was in scope for AML/CFT purposes - a few months ago to a separate reporting entity 'entity 2'. Entity 2 is in scope for AML/CFT and will complete an annual AML/CFT report.

  • Do I still need to complete an annual AML/CFT report for entity 1?

Reporting entities are required to submit a report. It does not matter whether the ownership of a reporting entity has changed. This means that entity 1 is still required to submit a report even though the ownership has been transferred. The new management of entity 1 will be responsible for making sure it submits its annual report based on the business it has conducted over the year.

  • When entity 2 completes its annual AML/CFT report, should it also include all of entity 1s business (ie for the full year regardless of when ownership passed)?

There is no requirement for entity 2 to include entity 1's business in entity 2's report. Each reporting entity can submit its own report. However, if it is more convenient, entity 2 could include all of entity 1's business within entity 2's report - in which case entity 1 would not need to complete a separate report.

  • Also what if entity 1 had simply stopped trading or stopped undertaking any financial activities which would bring it into the scope of the AML/CFT Act after 1 July 2018 but before 30 June?

If entity 1 has conducted activities that make it a 'reporting entity' (as defined in section 5 of the AML/CFT Act) at any point during the year, then it will need to complete a report.

How to submit your report

The e-services portal is no longer available, to submit your annual AML/CFT report please follow this link -

For guidance on how to fill in the form, please see the Annual AML/CFT report user guide.

Can I save my responses and go back to complete them at a later date?

Yes. You can save your report and go back into it at any time. When completing the form, we recommend you regularly save your responses.

Need help?

If you experience any problems submitting your report or if you need help, please contact us

NOTE: This information does not constitute legal advice. Please consult the relevant statute and regulations and seek independent advice if necessary.