On 18 May 2026, two Acts amending the New Zealand AML/CFT regime received Royal Assent. The Anti-Money Laundering and Countering Financing of Terrorism (Supervisor, Levy, and Other Matters) Amendment Act 2026 reorganises the supervisory architecture of the regime. The Anti-Money Laundering and Countering Financing of Terrorism Amendment Act 2026 makes substantive changes to the customer due diligence regime.

Together, the two Acts represent the most significant reform of New Zealand's AML/CFT regime since the AML/CFT Act 2009 came into force. The substantive CDD changes are now in force. The supervisory consolidation takes effect on 1 July 2026.

This article sets out what each Act does, the practical implications for reporting entities, and what practitioners should do in the weeks leading up to the supervisory transition.

The supervisor consolidation

Since the AML/CFT Act 2009 came into force, the regime has been supervised by three agencies: the Department of Internal Affairs, the Financial Markets Authority, and the Reserve Bank of New Zealand, each responsible for different sectors of the reporting-entity population.

The three-supervisor structure has created inconsistency in guidance, supervisory approach and escalation pathways for firms operating across sectors. Practitioners working across sectors have had to deal with different supervisory styles and the cost of maintaining relationships with multiple regulators. Reporting entities at the boundary between supervisors have sometimes faced uncertainty about which regulator's view should take precedence. The 2026 reforms collapse the three supervisors into one.

From 1 July 2026, the Department of Internal Affairs will become the sole AML/CFT supervisor for the regime, with broader rule-making, inspection and enforcement powers. A national AML/CFT strategy will sit alongside the consolidated supervisor, and the legislation provides for an industry levy to help fund the regime, with implementation subject to further government decisions.

For reporting entities previously supervised by the FMA or the RBNZ, the change is not just administrative. The supervisor they have worked with for more than a decade is changing. The DIA's approach is set out in published material, but firms will still need to work through what that means for engagement, assurance and escalation in practice. The DIA has historically supervised a different mix of reporting entities, and its operational expectations may not align in every respect with what those firms have previously dealt with.

Practitioners should not assume that DIA supervision will simply be FMA or RBNZ supervision under a different name. The substance of the obligations is unchanged, but the supervisory voice is different, and the relationship has to be rebuilt.

The substantive changes to the CDD regime

Alongside the supervisory consolidation, the Anti-Money Laundering and Countering Financing of Terrorism Amendment Act 2026 makes substantive changes to the customer due diligence regime. Those amendments are in force now. The most significant changes are:

• Enhanced customer due diligence requirements for low-risk trusts are reduced. Reporting entities are still required to collect information on the source of funds and the source of wealth for trusts, but the obligation to verify that information is relaxed where standard CDD has already mitigated the identified risks. This is a meaningful change in a country where trust structures are common in the customer base.
• Address verification requirements are narrowed. The general obligation to verify the address of most customers is being limited to cases where a specific level of risk has been identified, thereby reducing the compliance burden and improving access to banking and other services for customers without traditional address evidence.
• Reporting timeframes are adjusted. Some reporting timeframes have been extended, reducing pressure in areas where the previous deadlines were operationally tight.
• The mandatory customer risk rating obligation continues. Already in effect since 1 June 2025, reporting entities must risk-rate all new customers when applying standard or enhanced CDD, and must review those ratings over time. This is one of the foundational requirements for any risk-based AML/CFT programme.

Compliance simplification and a more risk-based regime

The government presents the reforms as compliance simplification, and, in significant respects, they do reduce low-value compliance burden. The relaxation of address verification, the reduction in ECDD requirements for low-risk trusts, and the adjusted reporting timeframes should ease pressure on reporting entities, particularly smaller firms whose operational capacity has been stretched by the existing requirements.

The reforms also shift the regime more clearly towards risk-based compliance. The mandatory customer risk rating obligation, the relaxation of verification where standard CDD has already mitigated the identified risk, and the narrowing of address verification to risk-identified cases all require reporting entities to make better judgements about where risk in the customer base actually sits.

In practice, a more risk-based regime should focus compliance efforts where they matter most. That means reducing effort where the risk is genuinely low, while expecting firmer judgement where the risk is higher. Reporting entities that have invested in robust risk-rating capability will find the reforms easier to absorb than those that have leaned on procedural defaults to avoid making risk judgements.

Implications for cross-Tasman banking groups

Several large New Zealand banks are subsidiaries of Australian parents. Their AML/CTF programmes are typically aligned to a parent-group standard, with local New Zealand adaptations to reflect the AML/CFT Act 2009 and DIA guidance.

Australian parent groups are also managing significant AML/CTF reform activity in their home regime, while their New Zealand subsidiaries absorb the structural and substantive changes set out here. That creates pressure on programme delivery, technology capacity, vendor partners and second-line resourcing. Where the same internal teams are supporting both programmes, prioritisation decisions will need to be made early and explicitly.

For New Zealand subsidiaries of Australian parents, there is also a question of regulatory voice. The parent-group standard reflects AUSTRAC's expectations. The New Zealand subsidiary now answers to DIA. Where the two diverge, the local programme has to choose its line carefully.

What practitioners should do before the supervisor transition

For all reporting entities, the substantive changes to ECDD for low-risk trusts and to address verification are now in force and require updates to policies, procedures, and training. Firms that have not yet updated their CDD playbooks should do so as a priority.

For firms previously supervised by the FMA or the RBNZ, the transition to DIA on 1 July 2026 requires a deliberate re-baselining of the regulatory relationship. That includes reviewing the firm's most recent guidance from the previous supervisor against any new DIA guidance, identifying any divergence in supervisory expectations, and updating compliance documentation to reflect the new supervisory line.

For all firms, the customer risk rating obligation that came into force on 1 June 2025 should now be fully embedded. Firms that have treated customer risk rating as a documentation exercise rather than an operational discipline are likely to find the DIA's substantive expectations harder to meet.

For firms with cross-Tasman parent groups, the prioritisation of internal resources between Australian AML/CTF reform work and the New Zealand supervisory transition is as much a governance question as a programme question. The demands may fall on the same delivery capacity, so the trade-off needs to be made consciously rather than by default.

Across the board, the direction is consistent: less low-value compliance burden, more substantive risk-based depth, and more enforcement capacity in the hands of a single supervisor. Programmes designed around the old model, particularly those that have leaned heavily on documented process at the expense of judgement, may find the transition more demanding in the first twelve months after commencement. Firms should expect attention to evidence of effectiveness, not just evidence of process.

What comes next

The 2026 reforms are not the end of the New Zealand AML/CFT reform programme. A further package of legislative reforms is scheduled for introduction in mid-2026. The substantive content of that package is still being developed, but practitioners should not assume the programme is finished on 1 July.

The immediate reform direction is clear. New Zealand has moved to a more risk-based, single-supervisor regime. Further legislative development is likely to build on that direction, although the details are still emerging.

Final thought

For New Zealand reporting entities, the next twelve months will be defined by two things. First, the operational embedding of the substantive CDD changes already in force. Secondly, the building of a new relationship with the DIA as consolidated supervisor.

Most reporting entities will have the documentation in place. Far fewer will be equally ready for supervision. That difference is likely to show in the quality of implementation, engagement and assurance in the months after 1 July.