The Department of Internal Affairs (DIA) has published updated AML/CFT Programme Guidance and new Guidance for Enhanced Customer Due Diligence (ECDD).

These are the first guidance publications issued by the DIA in its capacity as incoming sole AML/CFT supervisor from 1 July 2026.

The updates reflect recent amendments to the Anti-Money Laundering and Countering Financing of Terrorism Act (the Act).

The updated AML/CFT Programme Guidance is available here and the updated guidance for ECDD is available here.

Who needs to read it? Why?

All reporting entities should review the updated guidance and ensure their AML/CFT programmes reflect the recent amendments and the DIA's expectations – particularly regarding ECDD.

What has changed?

Risk assessment and Programme Guidance 

The updates to the Programme Guidance largely reflect recent legislative amendments and do not represent a significant shift in the DIA's expectations, except regarding account monitoring and law firm SAR obligations.

Key changes reflected in the updated Programme Guidance include:

• NRA and SRA now mandatory risk inputs: Reporting entities must incorporate all relevant risks from the NRA and any applicable SRA into their risk assessments;
• Address verification removed for standard CDD: Reporting entities must still collect the customer’s address or registered office but no longer need to verify it, but a requirement remains where ECDD is required;
• New IVCOP content: The previous discussion on the 2013 IVCOP has been replaced to recognise the new 2026 IVCOP;
• Prohibition where reporting entity does not conduct CDD clarified: The DIA confirms that the prohibition applies where a customer fails or refuses to provide information, provides inadequate information, or where there are reasonable grounds to believe information is fraudulent;
• Enhanced account monitoring expectations: The DIA clarifies that reporting entities should examine and investigate alerts flagging higher-risk activity, although all alerts must be reviewed and triaged in accordance with a risk-based approach, with clear timeframes for review, action and reporting, and the framework for this documented in the AML/CFT programmes;
• SAR obligation may re-engage on loss of privilege: A law firm may need to submit a SAR where privileged information subsequently loses its privileged status through waiver or third-party disclosure; and
• Reporting and record production timeframes updated: PTR deadline extended from 10 to 20 working days; law firms subject to a 5 working day SAR deadline; and a tiered record production framework applies, with a default 20 working day period where no date is specified.

The updated ECDD Guidance contains substantive changes regarding the treatment of lower-risk trusts, politically exposed persons (PEPs), and termination of business relationships where ECDD is not performed.

Updated Guidance clarifies expectations with respect to the reduced verification requirements for low-risk trusts

The DIA expects that AML/CFT programmes set out the specific circumstances (informed by the risk assessment) in which reporting entities will not verify a trust's SoW or SoF. It specifies that “potential circumstances” include:

• a trust that has been risk-rated as low risk; 
• a simple family trust whose sole asset is non-income generating (such as the family home); or 
• the trust does not yet hold any assets. 

Reporting entities should keep records documenting why they were satisfied that risks were adequately mitigated by the other CDD steps taken – i.e., standard CDD, nature and purpose of business relationship information, and obtaining SoW/SoF information.

New specified criteria for a low risk 'domestic family trust'

The criteria are that the trust is established in New Zealand, with beneficiaries who are related or connected through familial relationships, with beneficiaries and trustees that are New Zealand residents or have a clear New Zealand connection, and which is primarily established to hold simple family assets such as a residential property.The DIA recognises that ‘domestic family trust’ includes whanau trusts.

Risk-based approach for identifying PEPs

The DIA confirms that recent amendments requiring reasonable steps, according to the level of risk, be taken identify PEPs provide flexibility in how those steps are implemented. Minimal measures are sufficient where PEP exposure is low and more robust screening (including internet and media searches and commercially available databases) is expected where exposure is higher. Reporting entities are expected to assess their PEP exposure in their risk assessment and allow that assessment to drive the controls embedded in their programmes.

Interim restrictions required where immediate cessation of business relationship not possible

The DIA expects that where ECDD cannot be completed and immediate termination of the business relationship is not possible due to other contractual obligations, appropriate interim restrictions should be applied – restrictions may include ceasing access to other products, limiting transaction types, or applying enhanced account monitoring. During this period, in addition to complying with all other obligations under the Act, reporting entities are expected to document the termination process, including communications with the customer and the reasons for their AML/CFT decisions.

What next?

If you have questions about these changes or how they affect your business, please contact one of our experts.
 

This article was co-authored by Sarah Waller, a Law Clerk in our Financial Services team.