What Do I Need To Do?

How to start with AML/CFT compliance

We know it can be hard to even get started. Here, we talk you through the basics. These are the foundational building blocks to get you meeting your requirements under the AML/CFT Act.

You can access the resources you need to get started in our Resource Centre, or engage the expert Fiducia team to do the heavy lifting for you.


1. Determine Your Industry & Supervisor

Once you know you are a reporting entity, you need to confirm who your supervisor is. Supervisors are important because they are the government agencies that monitor which businesses in New Zealand have requirements under the AML/CFT Act. They also monitor how well those businesses are carrying out their requirements and provide AML/CFT guidance and information specific to each business's industry.

In New Zealand, you will have one of three supervisors:

  • Department of Internal Affairs (DIA): supervises casinos, non-deposit taking lenders, money changers, money remitters, payroll remitters, debt collectors, factors, financial lessors, safe deposit box vaults, non-bank credit card providers, stored value card providers and cash transporters, and any other reporting entities not supervised by the Reserve Bank or the Financial Markets Authority. You can contact the DIA here if you need their opinion on what industry your business belongs to.
  • Financial Markets Authority (FMA): supervises issuers of securities, licensed supervisors, fund managers, brokers and custodians, financial advisers, derivatives issuers, DIMS providers, and peer-to-peer lending and equity crowd funding service providers. You can contact the FMA here if you need their opinion on what industry your business belongs to.
  • Reserve Bank of New Zealand (RBNZ): supervises banks, life insurers, and non-bank deposit takers, such as credit unions and building societies. You can contact the RBNZ here if you need their opinion on what industry your business belongs to.

 See the section on What Are The Rules? to learn about the specific industry requirements and guidance your supervisor expects you to adhere to.


2. Appoint an AML/CFT Compliance Officer

Appointing an AML/CFT Compliance Officer is required under the AML/CFT Act.

The right person for the AML/CFT Compliance Officer role is different in every organisation. It depends on how many layers of governance you have, the level of AML/CFT knowledge in your business, and who has the time.

There are some key requirements in the AML/CFT Act relating to the Compliance Officer that you need to know. An AML/CFT Compliance Officer must:

  • Be an employee of your business. It is only if your business does not have employees that you can appoint someone outside your business as an AML/CFT Compliance Officer;
  • Report directly to a senior manager in your business, if they are not one already;
  • Assume responsibility for the administration and maintenance of your business’ AML/CFT regime.

The AML/CFT Programme Guideline, issued by the New Zealand supervisors, provides more information on the role of an AML/CFT Compliance Officer.

When advising clients, we point out that the AML/CFT Compliance Officer should be someone with an appropriate amount of authority and knowledge of your business operations. AML/CFT Compliance Officers may be exposed to liability under the AML/CFT Act for compliance failings, along with your senior managers and board members, so they need to be appropriately equipped to handle the responsibility.

You need to let your supervisor know who your AML/CFT Compliance Officer is, and keep them updated if it changes.


3. Complete an AML/CFT Risk Assessment & Programme

An AML/CFT risk assessment and programme is the foundation of your AML/CFT regime. This is the bedrock documentation you must have in order to be considered compliant in New Zealand.

While the AML/CFT principles and ideas are similar in countries around the world, the New Zealand regime has particular requirements that mean it’s almost impossible to simply transfer a risk assessment and programme from another country to meet the New Zealand standards.

A risk assessment identifies and manages the particular inherent vulnerabilities your business has to ML/TF activity. Section 58 of the AML/CFT Act outlines the minimum requirements for a risk assessment. There is no one way to write a risk assessment, but there are now well-tested best-practice methodologies and styles that capture the information your supervisors are looking for in a risk assessment.

Programmes manage and mitigate the ML/TF risks you identified in the risk assessment. Section 57 of the AML/CFT Act outlines the minimum requirements for a programme. Your programme should contain three sections:

  1. Policies: the guiding AML/CFT standards your business is committing to. The policies define ‘what are we going to do’.
  2. Procedures: specific and dynamic working documents. They record step-by-step guidelines that illustrate to every person within your business how the policies will be undertaken. The procedures specify ‘how are we going to implement the policies’.
  3. Controls: how your business will measure whether the procedures are working to manage and mitigate the ML/TF risks you’ve identified in your risk assessment.

You can design your AML/CFT risk assessment and programme yourself, or you can use Fiducia to make sure you’re on the right path.

Give us a call to discuss your options.


4. AML/CFT Training & Maintenance

One of the most common mistakes we see with AML/CFT reporting entities is that their newly completed risk assessment and programme falls into a drawer and stays there. This is a mistake because when it comes time for your independent AML/CFT audit, you are being assessed on how effectively your AML/CFT requirements are being carried out.

Further, not keeping your AML/CFT risk assessment up to date or actually carrying out the policies, procedures and controls in your AML/CFT programme can expose you to civil and criminal liability under the AML/CFT Act.

There are three things you need to do to keep on top of your AML/CFT regime.

Board or Senior Management Reporting

Your business will have its own governance and reporting processes; every business is different. No matter how you are structured, you must ensure that your board or senior management has signed off your business’ AML/CFT policies, your staff are carrying out your procedures, and controls are measuring and recording how effective your business’ management of its ML/TF risks is.

Have clear policies, procedures, and controls relating to how AML/CFT related decisions, information, and risks will be communicated and recorded throughout your business.

AML/CFT Training

The AML/CFT Act requires senior managers, the AML/CFT Compliance Officer, and those engaged in AML/CFT related duties in your business to undergo AML/CFT training. There are no other formal requirements relating to AML/CFT training, but we know that it needs to be focused on the current capacity of your staff, the specific ML/TF risk of your industry, and relevant to the New Zealand regulatory environment.

A good way to undertake AML/CFT training is to:

An advantage of the Fiducia AML/CFT consulting engagements is that we offer training to your business as we go. Fiducia also designs customised AML/CFT training for businesses; give us a call to discuss your options.


5. Annual Reports & Independent Audits

On top of the daily, weekly, and monthly AML/CFT procedures that you will be carrying out in maintaining your AML/CFT compliance, there are a couple of other things you need to regularly do.

Annual Report

Every year in August, all three AML/CFT supervisors require you to complete and submit an annual report. This report asks you to record data and commentary relating to your AML/CFT regime; this data and information should be easily accessed in a well-drafted risk assessment.

Find your supervisor’s annual report submission process here:

Independent Audit

Every two years, you must appoint an independent and qualified AML/CFT auditor to undertake a compliance audit of your AML/CFT regime.

There are few specific rules in New Zealand about who can be an auditor, and how the audit should take place. We outline Fiducia’s approach to independent audits here.

Your supervisor often relies on your auditor to give them a view as to whether you are meeting the minimum requirements of the AML/CFT Act, and carrying them out effectively.

Supervisor Desk-Based or Onsite Reviews

Every now and then, your supervisor may send you a letter or email informing you that they are undertaking a desk-based or onsite review of your AML/CFT compliance regime.

A desk-based review will mean you submit your risk assessment, programme, and any other policies, procedures, and controls you have, for supervisor staff to read and make an assessment as to whether these documents meet the requirements of the AML/CFT Act.

An onsite review will mean your supervisor undertakes a desk-based review and makes a visit to your place of business to interview your staff, inspect your records, and make a determination as to whether you are effectively carrying out the requirements of the AML/CFT Act.

Some reporting entities never receive contact from their supervisor and some hear from them regularly. Responding quickly and honestly to your supervisor is extremely important to maintaining a positive relationship with them.

Give us a call if you’d like assistance with preparing for or responding to independent auditor and supervisor reviews and reports.



Hey! This fine print matters! Any content that you’re accessing here may be inaccurate, incomplete or outdated. The reasons for this include that only the New Zealand AML/CFT regulators can tell you what constitutes AML/CFT compliance. Their guidance continues to develop as the regime develops and matures. Your use and interpretation of any content on this site is your responsibility (not ours) and is at your own risk. This content does not constitute investment or financial advice, taxation advice, accounting advice or legal advice, and use of our services does not establish a fiduciary relationship of any kind. See Section 9 of our Terms and Conditions for all information relating to your use of the content on this site.