Transaction Monitoring in New Zealand: FMA, RBNZ and DIA Requirements

New Zealand sits under less external scrutiny than Singapore or Australia, but its domestic enforcement record tells a different story. Three supervisors — the Reserve Bank of New Zealand, the Financial Markets Authority, and the Department of Internal Affairs — run active examination programmes. A mandatory Section 59 audit every two years creates a hard compliance deadline. And the AML/CFT Act's risk-based approach means institutions cannot rely on vendor defaults or generic rule sets to satisfy supervisors.

For banks, payment service providers, and fintechs operating in New Zealand, transaction monitoring is the operational centre of AML/CFT compliance. This guide covers what the Act requires, how the supervisory structure affects monitoring obligations, and where institutions most commonly fail examination.

The AML/CFT Act 2009: New Zealand's Core Framework

New Zealand's AML/CFT framework is governed by the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. Phase 1 entities — banks, non-bank deposit takers, and most financial institutions — came into scope in June 2013. Phase 2 extended obligations to lawyers, accountants, real estate agents, and other designated businesses in stages from 2018 to 2019.

The Act operates on a risk-based model. There is no prescriptive list of transaction monitoring rules an institution must run. Instead, institutions must:

• Conduct a written risk assessment that identifies their specific ML/FT risks based on customer type, product set, and delivery channels
• Implement a compliance programme derived from that assessment, including monitoring and detection controls designed to address identified risks
• Review and update the risk assessment whenever material changes occur — new products, new customer segments, new channels

This principle-based approach gives institutions flexibility but removes the ability to claim compliance by pointing to a vendor's default configuration. If your monitoring is not designed around your assessed risks, supervisors will find the gap.

Three Supervisors: FMA, RBNZ and DIA

New Zealand's supervisory structure is unusual among APAC jurisdictions. While Australia has AUSTRAC and Singapore has MAS, New Zealand has three supervisors, each with jurisdiction over distinct entity types:

Each supervisor publishes its own guidance and runs its own examination priorities. The practical implication: guidance from AUSTRAC or MAS does not map directly onto New Zealand's framework. Institutions need to engage with their specific supervisor's published materials and annual risk focus areas.

For most banks and payment companies, RBNZ is the relevant supervisor. For digital asset businesses and VASPs, DIA is the supervisor following the 2021 amendments.

Who Must Comply

The Act applies to "reporting entities" — a defined category covering most financial businesses operating in New Zealand:

• Banks (including branches of foreign banks)
• Non-bank deposit takers: credit unions, building societies, finance companies
• Money remittance operators and foreign exchange dealers
• Life insurance companies
• Securities dealers, brokers, and investment managers
• Trustee companies
• Virtual asset service providers (VASPs) — brought in scope June 2021

The VASP inclusion is significant. The AML/CFT (Amendment) Act 2021 extended reporting entity obligations to crypto exchanges, digital asset custodians, and related businesses. DIA supervises most VASPs, with specific guidance on digital asset typologies.

Transaction Monitoring Obligations

The AML/CFT Act does not use "transaction monitoring" as a defined technical term the way MAS Notice 626 does. What it requires is that institutions implement systems and controls within their compliance programme to detect unusual and suspicious activity.

In practice, a compliant transaction monitoring function requires:

Documented risk-based detection scenarios. Monitoring rules or behavioural detection scenarios must be designed to detect the specific ML/FT risks identified in your risk assessment. A retail bank serving Pacific Island remittance customers needs different scenarios than a corporate securities dealer. Supervisors check the alignment between the risk assessment and the monitoring controls — generic vendor defaults that have not been configured to your institution's risk profile will not satisfy this requirement.

Alert investigation records. Every alert generated must be investigated, and the investigation and disposition decision must be documented. An alert closed as a false positive requires documentation of why. An alert that escalates to a SAR requires the full investigation trail. Alert backlogs — alerts generated but not reviewed — are among the most common examination findings.

Annual programme review with board sign-off. The Act requires the compliance programme, including monitoring controls, to be reviewed annually. The compliance officer must report to senior management and the board. Evidence of this reporting chain is a standard examination request.

Calibration and effectiveness review. Supervisors look for evidence that monitoring scenarios are reviewed for effectiveness — whether they are generating useful alerts or producing excessive false positives without adjustment. A monitoring programme that has not been reviewed or calibrated since deployment will attract scrutiny.

Reporting Requirements: PTRs and SARs

Transaction monitoring outputs feed two mandatory reporting obligations:

Prescribed Transaction Reports (PTRs) are threshold-based and mandatory — they do not require suspicion. PTRs must be filed with the New Zealand Police Financial Intelligence Unit (FIU) via the goAML platform for:

• Cash transactions of NZD 10,000 or more
• International wire transfers of NZD 1,000 or more (in or out)

The filing deadline is within 10 working days of the transaction. PTR monitoring requires specific detection for transactions at and around these thresholds, including structuring patterns where customers conduct multiple sub-threshold transactions to avoid PTR obligations.

Suspicious Activity Reports (SARs) — New Zealand uses "SAR" rather than "STR" (Suspicious Transaction Report). SARs must be filed as soon as practicable, and no later than three working days after forming a suspicion. The threshold for suspicion is lower than many teams assume: reasonable grounds to suspect money laundering or financing of terrorism are sufficient — certainty is not required.

SARs are filed with the NZ Police FIU via goAML. The tipping-off prohibition under the Act makes it a criminal offence to disclose to a customer that a SAR has been filed or is under consideration.

The Section 59 Audit Requirement

The most operationally distinctive element of New Zealand's framework is the Section 59 audit. Every reporting entity must arrange for an independent audit of its AML/CFT programme at intervals of no more than two years.

The auditor must assess whether:

• The risk assessment accurately reflects the entity's current ML/FT risk profile
• The compliance programme is adequate to manage those risks
• Transaction monitoring controls are functioning as designed and generating appropriate outputs
• PTR and SAR reporting is accurate, complete, and timely
• Staff training is adequate

The two-year cycle creates a hard deadline. Institutions with monitoring gaps, stale risk assessments, or unresolved findings from the previous audit cycle will face those issues again. The audit is also a forcing function for calibration: institutions that have not reviewed their detection scenarios or addressed alert backlogs before the audit will have those gaps documented in the audit report — which supervisors can and do request.

How NZ Compares to Australia and Singapore

For compliance teams managing obligations across multiple APAC jurisdictions, the structural differences matter:

The wire transfer threshold is the most operationally significant difference. New Zealand's NZD 1,000 threshold for international wires generates substantially more PTR volume than Australian or Singapore equivalents. Institutions managing cross-border payment flows into or out of New Zealand need PTR-specific monitoring that can handle this volume.

Common Transaction Monitoring Gaps in NZ Examinations

Supervisors across all three agencies have documented recurring compliance failures. The most common transaction monitoring gaps are:

Risk assessment not driving monitoring design. The risk assessment identifies high-risk customer segments or products, but the monitoring system runs generic rules that do not target those specific risks. Supervisors treat this as a material failure — the Act requires the programme to be derived from the risk assessment, not run alongside it.

PTR monitoring gaps. Institutions with strong SAR-based monitoring often have inadequate controls for PTR-triggering transactions. Structuring below the NZD 10,000 cash threshold requires specific detection scenarios that standard bank rule sets do not include.

Alert backlogs. Alerts generated but not reviewed within a reasonable timeframe are a consistent finding. Unlike some jurisdictions with prescribed investigation timelines, the Act does not specify deadlines — but supervisors expect evidence of timely review, and large backlogs indicate the monitoring system is generating more output than the team can process.

Stale risk assessments. The Act requires risk assessments to be updated when material changes occur. Institutions that have launched new products, added new customer segments, or changed delivery channels without updating their risk assessment are out of compliance with this requirement.

VASP-specific coverage gaps. For DIA-supervised VASPs, standard bank-oriented monitoring rule sets do not address digital asset typologies: wallet clustering, rapid conversion between asset types, cross-chain transfers, and structuring patterns in low-value token transactions. VASPs need detection scenarios specific to their product and customer risk profile.

What a Compliant NZ Transaction Monitoring Programme Requires

For institutions operating under the AML/CFT Act, a compliant monitoring programme requires:

• A current, documented risk assessment aligned to your actual customer base and product set
• Monitoring scenarios designed to detect the specific risks in that assessment, not vendor defaults
• Alert investigation workflows with documented disposition for every alert
• PTR-specific detection for cash and wire transactions at and around the NZD 10,000 and NZD 1,000 thresholds
• SAR workflow with a three-working-day filing deadline built into case management
• Annual programme review with board sign-off documentation
• Section 59 audit preparation: calibration review, rule effectiveness documentation, and remediation of any open findings before the audit cycle closes

For institutions evaluating whether their current monitoring system can support these requirements across New Zealand and other APAC markets, see our Transaction Monitoring Software Buyer's Guide.