In late May 2025 the Department of Internal Affairs (DIA) and the Financial Markets Authority (FMA) released (separately) guidance on the requirement to risk-rate customers under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the Act). By way of background, from 1 June 2025 all reporting entities under the Act are required to risk-rate new customers when conducting either standard or enhanced customer due-diligence (CDD).
The guidance released by the DIA and the FMA is substantially identical, and it is not clear why this guidance was not released under the joint branding of the three supervisors, building on the October 2024 AML/CFT Programme Guideline which outlined the supervisors' initial views on the risk-rating requirements. The guidance contains, additionally to outlining the legal requirements, details on the DIA/FMA's views on the following:
- Risk-rating process (including their views of the level of sophistication of a risk-rating model)
- The relationship between risk-rating and CDD
- Updating a customer's risk-rating when conducting ongoing CDD
- Record-keeping
- Updating of AML/CFT programmes in relation to risk-rating.
As suggested previously in the October 2024 AML/CFT Programme Guideline, the supervisors' view is that the risk-rating process should be tailored to fit within the size/complexity of the relevant reporting entity. However, to assist smaller businesses, the supervisors included an example risk-rating onboarding table which can be amended and adopted to fit within a reporting entity's existing policies, processes and controls. We note that it is not mandatory to adopt this table, nor does adopting this table provide a safe harbour for compliance with the risk-rating requirement.
Our views
This guidance is relevant and important for all reporting entities and is welcome given there is limited detail in the relevant amendment regulation about the risk-rating requirement, and it was not previously clear what the expectation of the supervisors would be. We recommend that all reporting entities consider this guidance when determining their process to risk-rate customers and accordingly updating their AML/CFT Compliance Programme and Risk Assessment.
If you would like to discuss any aspect of the guidance or the New Zealand AML/CFT regime generally, please get in touch with our financial services regulation team.
This article was prepared by Andrew Suggate (senior associate) and Tom Carr (solicitor).