From 1 June 2025, Phase Three of the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act 2009 takes effect, marking the final stage of reforms.
Phases One and Two expanded compliance obligations beyond financial institutions to include banks, casinos, lawyers, accountants, real estate agents, and high-value goods dealers, targeting high-risk activities and disrupting billions in illicit transactions.
Phase Three builds on these changes, aligning New Zealand with global AML/CFT standards while tightening compliance rules, increasing regulatory scrutiny, and imposing greater obligations on businesses.
WHY THESE CHANGES MATTER
The Financial Action Task Force (FATF) sets international AML/CFT standards that drive New Zealand’s AML/CFT laws. Weaknesses in the country’s framework expose New Zealand to the risk of being “grey-listed”, which would trigger increased international monitoring, higher compliance costs for cross-border transactions, and potential financial restrictions.
Regulators designed Phase Three to strengthen due diligence and risk-rating obligations, with the intention of reducing the risk of grey-listing and bolstering compliance before FATF’s next evaluation in 2028/2029.
WHAT’S CHANGING?
Phase Three imposes new obligations on individuals, businesses, and organisations that qualify as reporting entities.
A reporting entity is any person or organisation that must comply with the AML/CFT Act. This includes financial service providers, law firms, accounting firms, real estate agencies, high-value dealers, and operators of betting or gaming services. It also covers businesses and individuals brought in by regulation, such as online marketplaces handling over $10,000 per customer in a 12-month period from 1 June 2025, unless specifically exempted.
From that date, reporting entities across these sectors will face stricter obligations in three key areas:
1) Customer risk assessments & ongoing monitoring:
- all new customers must be risk-rated (low, medium, or high) during due diligence;
- transactions must be continuously monitored for unusual activity and dealings with high-risk jurisdictions.
2) Enhanced customer due diligence (Enhanced CDD) for suspicious transactions:
If a transaction or activity appears suspicious and may require a Suspicious Activity Report (SAR), the business must also immediately carry out Enhanced Due Diligence (EDD), including:
- verifying the source of funds;
- reconfirming the customer’s identity;
- assessing transaction’s purpose and nature;
- increasing transaction monitoring.
CDD categories: when each applies
- Standard vs. Enhanced CDD: Standard CDD applies to most routine transactions. Enhanced CDD is required in high-risk situations (e.g., politically exposed persons (PEPs), complex or unusually large transactions, or customers from high-risk jurisdictions).
- Simplified CDD: Used for low-risk entities (e.g., listed issuers, trustee corporations, registered banks, and listed companies). This reduces compliance obligations while maintaining AML/CFT safeguards.
3) Third-party customer due diligence (CDD) requirements:
- Reporting entities relying on third-party CDD will not be liable if they acted in good faith, had reasonable cause to believe the third party met AML/CFT standards, and ensured the third party is an approved entity meeting all regulatory conditions.
- While CDD can be outsourced, businesses remain responsible for verifying compliance to avoid liability.
WHAT DO YOU NEED TO DO?
Taking action now will help businesses to remain compliant and mitigate the risks of any penalties when Phase Three takes effect. To comply with the new rules in Phase Three, businesses should take these proactive steps:
- Review internal policies: Ensure your AML/CFT risk assessment processes align with the new requirements.
- Update customer onboarding procedures: Implement systems to risk-rate and monitor new customers.
- Train staff: Educate teams on identifying and responding to suspicious transactions.
- Check third-party compliance: If outsourcing due diligence, confirm that your provider meets legal requirements.
FURTHER INFORMATION
For tailored advice on how these changes impact your business, contact our Business Law team.
