The Philippines operates one of the more layered sanctions frameworks in Southeast Asia. Obligations come from three directions simultaneously: international designations through the UN Security Council, domestic terrorism designations through the Anti-Terrorism Council, and oversight of the entire framework by the Anti-Money Laundering Council.

The stakes became concrete between 2021 and 2023. The Philippines sat on the FATF grey list for two years, subject to heightened monitoring and increased scrutiny from correspondent banks and international counterparties. Exiting the grey list — which the Philippines achieved in January 2023 — required demonstrating measurable improvements in sanctions enforcement, among other areas of AML/CFT reform.

That exit does not reduce compliance pressure. In many respects, it increases it. BSP-supervised institutions that allowed monitoring gaps to persist during the grey-list period now face examiners who know exactly what to look for — and who are checking whether post-2023 improvements are real or cosmetic.

The Philippine Sanctions Framework: Who Issues the Lists

Before a financial institution can build a screening programme, it needs to understand what it is screening against. In the Philippines, that means four distinct sources of designation.

UN Security Council Lists

Philippine law requires immediate asset freezes of persons and entities designated under UNSC resolutions. The key designations are:

• UNSCR 1267/1989: Al-Qaeda and associated individuals and entities
• UNSCR 1988: Taliban
• UNSCR 1718: North Korea — persons and entities associated with DPRK's weapons of mass destruction and ballistic missile programmes

These lists are maintained on the UN's consolidated sanctions list, which is updated without a fixed schedule. Designations can be added multiple times in a single week. The legal freeze obligation under Philippine law attaches immediately upon UNSC designation — there is no grace period between the designation appearing on the list and the institution's obligation to act.

AMLC — The Philippines' Financial Intelligence Unit

The Anti-Money Laundering Council is the Philippines' primary FIU and the central authority for AML/CFT supervision. AMLC maintains its own domestic watchlist and can apply to the Court of Appeals for freeze orders against individuals and entities not listed by the UNSC but suspected of money laundering or terrorism financing under Philippine law.

For BSP-supervised institutions, AMLC is both a regulator and a reporting recipient. Sanctions matches must be reported to AMLC. STR and CTR obligations flow through AMLC's systems. When BSP or AMLC conducts an examination and finds screening deficiencies, AMLC is the body that determines the regulatory response.

OFAC — Not a Legal Obligation, But a Practical Necessity

The US Treasury's Office of Foreign Assets Control SDN (Specially Designated Nationals) list is not a direct legal obligation for Philippine-incorporated entities. It becomes unavoidable through correspondent banking. Any Philippine financial institution that processes USD transactions or maintains US correspondent banking relationships must screen against the OFAC SDN list or risk losing those relationships. For Philippine banks, money service businesses, and remittance companies with any USD exposure — which covers the vast majority — OFAC screening is a business-critical function regardless of its legal status.

Domestic Terrorism Designations Under the Anti-Terrorism Act 2020

Republic Act 11479, the Anti-Terrorism Act 2020, gives the Anti-Terrorism Council (ATC) authority to designate individuals and groups as terrorists. This is a domestic designation mechanism that operates independently of UNSC processes.

The freeze obligation for ATC-designated persons and entities is the same as for UNSC designations: 24 hours. Upon an ATC designation being published, a BSP-supervised institution must freeze the assets of that person or entity within 24 hours and report the freeze to AMLC. There is no provision for a staged or delayed response.

The BSP Regulatory Framework for Sanctions Screening

BSP-supervised institutions — banks, quasi-banks, money service businesses, e-money issuers, and virtual asset service providers — are governed by a framework built across several circulars.

BSP Circular 706 (2011) is the foundational AML circular. It established the AML programme requirements that all BSP-supervised institutions must meet, including customer identification, transaction monitoring, record-keeping, and screening obligations. Subsequent circulars have amended and extended these requirements.

BSP Circular 950 (2017) tightened CDD and screening requirements in the context of financial inclusion products, specifically basic deposit accounts. Even simplified or low-feature accounts are subject to screening obligations under this circular.

BSP Circular 1022 (2018) introduced an explicit requirement for real-time sanctions screening of wire transfers. This is not a requirement for batch screening to be completed within a reasonable timeframe — it is a requirement for screening at the point of wire transfer instruction, before the transaction is processed.

The core BSP screening requirement covers:

• All customers at onboarding
• Beneficial owners of corporate accounts
• Counterparties in wire transfers and other transactions
• Ongoing re-screening when applicable sanctions lists are updated

This last point is where many institutions fall short. Screening at onboarding is not sufficient. The obligation is continuous. When a new designation is added to the UNSC consolidated list or the AMLC domestic list, existing customers and counterparties must be re-screened against the updated list.

AMLC Reporting Requirements When a Match Occurs

When a sanctions match is confirmed, three reporting obligations are triggered under Philippine law.

Covered Transaction Reports (CTRs): Any transaction involving a designated person or entity must be reported to AMLC as a CTR, regardless of the transaction amount. There is no minimum threshold. A PHP 500 cash deposit from a designated individual is a reportable covered transaction.

Freeze reporting: When assets are frozen following a sanctions match, the institution must notify AMLC within 24 hours of the freeze action. This is a separate obligation from the CTR — both must be filed.

Suspicious Transaction Reports (STRs): STRs cover the broader category of suspicious activity, including transactions that do not involve a confirmed designated person but where the institution has grounds to suspect money laundering or terrorism financing. The STR filing deadline is 5 business days from the date of determination — meaning the date on which the compliance team concluded the activity was suspicious, not the date of the underlying transaction. This distinction matters when BSP or AMLC reviews filing timelines.

All screening records, alert decisions, and freeze reports must be retained for a minimum of 5 years. When AMLC or BSP conducts an examination, they will request documentation of screening activity — not just whether screens were run, but when they were run, against which list versions, what matches appeared, and what decision was made on each match.

What Effective Sanctions Screening Requires in Practice

Compliance with BSP screening obligations requires more than purchasing a watchlist database. The following requirements shape what a compliant programme must deliver.

List Coverage

The minimum legal requirement is the UNSC consolidated list plus the AMLC domestic watchlist. A compliant programme that screens only against these two sources will still miss OFAC designations that are operationally necessary for any institution with USD exposure. Best practice adds the OFAC SDN list, the EU Consolidated List, and ATC domestic designations — and maintains the update cadence for each.

Screening Frequency

Customer records must be re-screened every time a sanctions list is updated. The UNSC consolidated list can be updated multiple times in a single week. A batch re-screening process that runs overnight or over 24-48 hours will miss the window on new designations. For UNSC and ATC designations, the freeze obligation is 24 hours from the designation — not 24 hours from the institution's next scheduled screening run.

Fuzzy Name Matching and Alias Coverage

Sanctions designations frequently involve names transliterated from Arabic, Russian, Korean, or Chinese into Roman script. A system that does only exact string matching will miss clear matches. The practical standard is phonetic and fuzzy matching with configurable similarity thresholds, so that variations in transliteration are caught by the algorithm rather than escaping through string-exact gaps.

Each designated person or entity may carry dozens of aliases in the list data. An institution that screens only against primary names and ignores AKA entries is screening against an incomplete version of the list. Alias coverage must be built into the matching logic, not treated as optional.

Beneficial Ownership Screening

BSP requires screening of beneficial owners for corporate accounts — not just the entity name at the surface level. A company may not appear on any sanctions list, but if the individual who ultimately owns or controls that company is a designated person, the account presents the same sanctions risk. Screening the entity name without screening the beneficial owner fails to meet BSP requirements and fails to detect the actual risk. For KYC processes and beneficial ownership verification, the data collected at onboarding needs to feed directly into the screening workflow.

False Positive Management

Name similarity matching in Southeast Asian contexts generates significant false positive volumes. Common names — variations of "Mohamed," "Ahmad," "Lim," "Santos" — will match against designated individuals even when the account holder has no connection to the designation. A retail banking customer whose name generates a match is almost certainly not the designated person, but the institution still needs a documented process for reaching and recording that conclusion.

A compliant programme needs disambiguation tools: date of birth matching, nationality, address, and other identifiers that allow analysts to clear false positives with documented rationale. Without this, the volume of alerts from a large customer base becomes unmanageable, and the resolution of legitimate matches gets buried.

Common Compliance Gaps in Philippine Sanctions Screening

BSP and AMLC examinations of sanctions screening programmes repeatedly find the same categories of deficiency.

Screening only at onboarding. Customer records are screened when the account is opened and not again. List updates are not triggering re-screening of the existing base. A customer who was clean at onboarding may have been designated three months later, and the institution has no process to detect this.

Single-list screening. Many institutions screen against the UNSC consolidated list and nothing else. AMLC domestic designations are missed. ATC designations are missed. OFAC SDN entries that are relevant to the institution's USD transactions are missed entirely.

No alias coverage. The screening system matches against primary names only. An Al-Qaeda-affiliated entity listed under an abbreviation or a known alias does not trigger an alert because the system only checked the primary designation entry.

Manual re-screening. Compliance teams run manual re-screening processes when list updates arrive, relying on staff to download updated lists, upload them to a matching tool, run the comparison, and review results. At any meaningful customer volume, this process cannot keep pace with the frequency of UNSC and AMLC list updates.

No audit trail. When examiners arrive, the institution cannot produce documentation showing when each customer was screened, against which list version, what matches were generated, and how each match was resolved. BSP and AMLC expect to see this trail. An institution that can confirm its processes are compliant but cannot document them is in the same examination position as one that has no process at all.

How Technology Addresses the Screening Challenge

The compliance gaps above are, in most cases, operational gaps — the result of processes that cannot scale or that depend on manual steps that introduce delay and inconsistency.

Automated sanctions screening addresses the core operational constraints directly.

Automated list update ingestion means the screening system pulls updated lists as they are published — UNSC, AMLC, OFAC, ATC — without requiring a compliance team member to manually download and upload files. The update cycle matches the publication cycle of the list issuer, not the availability of the compliance team.

Fuzzy and phonetic matching with configurable thresholds means the compliance team sets the sensitivity. Higher sensitivity catches more potential matches at the cost of higher false positive volume; lower sensitivity reduces noise but requires careful calibration to ensure real matches are not suppressed. Both ends of this calibration should be documented and defensible to an examiner.

Alias and AKA screening is built into the match logic rather than being a secondary check. Every screening event covers the full designation entry, including all aliases, for every list in scope.

Beneficial owner screening runs as part of the corporate account onboarding workflow. When a company is onboarded and its beneficial owners are identified, those owners are screened at the same time and on the same re-screening schedule as the entity itself.

Audit trail documentation captures every screening event with timestamp, list version used, match score, analyst decision, and documented rationale for the decision. This output is the record that examiners request. For transaction monitoring programmes that need to meet this same documentation standard, the record-keeping requirements are parallel — screening logs and TM investigation records together constitute the compliance evidence trail.

When a sanctions match is confirmed in a wire transfer, the screening system can trigger both the freeze action and a transaction monitoring alert simultaneously, rather than requiring two separate manual escalation paths.

FinCense for Philippine Sanctions Screening

Sanctions screening in isolation from the broader AML programme creates its own operational problem — a match that triggers a freeze also needs to generate a CTR filing, which needs to be linked to the customer's transaction monitoring record, which may also be generating STR activity. Managing these as separate workflows produces documentation fragmentation and examination risk.

FinCense covers sanctions screening as part of an integrated AML and fraud platform. It is not a standalone screening tool connected to a separate transaction monitoring system via manual hand-offs.

For Philippine institutions, FinCense is pre-configured with the relevant list sources: UNSC consolidated list, AMLC domestic designations, OFAC SDN, and ATC designations. Screening events are logged in a format suitable for BSP and AMLC examination review.

If you are building or reviewing your sanctions screening programme against BSP requirements, the Transaction Monitoring Software Buyer's Guide provides a structured evaluation framework — covering list coverage, matching quality, audit trail requirements, and integration with TM workflows.

Book a demo to see FinCense running against Philippine sanctions scenarios — including UNSC designation matching, AMLC domestic list screening, and beneficial owner checks for corporate accounts under BSP Circular 706 requirements.

In late April 2026, Australian authorities arrested a Melbourne accountant allegedly linked to a sprawling money laundering and mortgage fraud syndicate connected to illicit tobacco, drug importation networks, and scam operations targeting Australian victims. The case quickly drew attention not only because of the arrest itself, but because of what sat behind it: shell companies, AI-generated documentation, questionable mortgage applications, introducer networks, and an estimated AUD 3 billion in suspect loans under scrutiny across the banking system.

For compliance teams, this is not just another fraud story.

It is a glimpse into how organised financial crime is evolving inside legitimate financial infrastructure.

The striking part is not that fraud occurred. Banks deal with fraud every day. What makes this case different is the apparent convergence of multiple risk layers: professional facilitators, synthetic documentation, organised criminal networks, and the use of legitimate financial products to absorb and move illicit value at scale.

And increasingly, these schemes no longer look obviously criminal at first glance.

From Street Crime to Structured Financial Engineering

According to reporting linked to the investigation, authorities allege the syndicate used accountants, brokers, shell entities, and false financial documentation to obtain loans from major Australian banks. Some reports also referenced the use of AI-generated documentation to support fraudulent applications.

That detail matters.

Financial crime has historically relied on concealment. Today, many criminal operations are moving toward something more sophisticated: financial engineering.

The objective is no longer simply to hide illicit funds. It is to integrate them into legitimate financial systems through structures that appear commercially plausible.

Mortgage lending becomes an entry point.
Professional services become enablers.
Corporate structures become camouflage.

The result is a fraud ecosystem that can look remarkably normal until investigators connect the dots.

Why This Case Should Concern Compliance Teams

On the surface, this appears to be a mortgage fraud and money laundering investigation.

But underneath sits a much broader operational challenge for banks and fintechs.

The alleged scheme touches several areas simultaneously:

• Fraudulent onboarding
• Synthetic or manipulated financial documentation
• Shell company misuse
• Introducer and intermediary risk
• Proceeds laundering
• Organised criminal coordination

This is precisely where many traditional detection frameworks begin to struggle.

Because each individual activity may not independently appear suspicious enough to trigger escalation.

A shell company alone is not unusual.
An accountant referral is not inherently risky.
A mortgage application with inflated income may look like isolated fraud.

But together, these elements create a networked typology.

That network effect is what modern financial crime increasingly relies upon.

The Growing Role of Professional Facilitators

One of the most uncomfortable realities emerging globally is the role of professional facilitators in enabling financial crime.

Not necessarily career criminals.
Not necessarily front-line fraudsters.

But individuals operating within legitimate professions who allegedly help structure, legitimise, or move illicit value.

The Melbourne accountant case reflects a broader pattern regulators globally have been warning about:

• Accountants
• Lawyers
• Company formation agents
• Mortgage intermediaries
• Real estate facilitators

These actors sit close to financial systems and often possess the expertise needed to create legitimacy around suspicious activity.

For financial institutions, this creates a difficult challenge.

Professional status can unintentionally reduce scrutiny.

And that makes risk harder to identify early.

The AI Layer Changes the Game

Perhaps the most important dimension of this case is the alleged use of AI-generated documentation.

That should concern every compliance and fraud leader.

Historically, document fraud carried operational friction.
Creating convincing falsified records required time, skill, and manual effort.

AI dramatically lowers that barrier.

Income statements, payslips, identity documents, corporate records, and supporting financial evidence can now be manipulated faster, cheaper, and at greater scale than before.

More importantly, AI-generated fraud often looks cleaner than traditional forgery.

That creates two immediate risks:

1. Verification systems become easier to bypass

Static document checks or basic OCR validation may no longer be sufficient.

2. Fraud investigations become slower and more complex

Investigators now face increasingly sophisticated synthetic evidence that appears internally consistent.

The compliance industry is entering a phase where fraud is no longer just digital. It is becoming algorithmically enhanced.

Why Mortgage Fraud Is Becoming an AML Problem

Mortgage fraud has traditionally been treated primarily as a credit risk issue.

That approach is becoming outdated.

Cases like this demonstrate why mortgage fraud increasingly overlaps with AML and organised crime risk.

Authorities allege the syndicate was linked not only to loan fraud, but also to illicit tobacco networks, drug importation activity, and scam proceeds.

That changes the lens entirely.

Fraudulent loans are not merely bad lending decisions. They can become mechanisms for:

• Laundering criminal proceeds
• Converting illicit funds into property assets
• Creating financial legitimacy
• Recycling criminal capital into the economy

In other words, lending channels themselves can become laundering infrastructure.

And this is not unique to Australia.

Globally, regulators are increasingly concerned about the intersection between:

• Property markets
• Organised crime
• Shell companies
• Professional facilitators
• Financial fraud

The Hidden Weakness: Fragmented Detection

One of the reasons schemes like this persist is that institutions often detect risks in silos.

Fraud teams monitor application anomalies.
AML teams monitor transaction flows.
Credit teams monitor repayment risk.

But organised financial crime cuts across all three simultaneously.

That fragmentation creates blind spots.

For example:

A mortgage application may appear slightly suspicious.
A linked company may show unusual registration behaviour.
Certain transactions may display layering characteristics.

Individually, each signal looks weak.

Together, they form a typology.

This is where many financial institutions face operational friction today. Systems are often designed to detect isolated irregularities, not coordinated criminal ecosystems.

The Introducer Risk Problem

The investigation also places renewed focus on introducer channels and third-party referrals.

Banks rely heavily on ecosystems of brokers, accountants, and intermediaries to originate business.

Most are legitimate.

But the challenge lies in identifying the small percentage that may introduce heightened risk into the onboarding process.

The difficulty is not simply fraud detection. It is behavioural detection.

Questions institutions increasingly need to ask include:

• Are referral patterns unusually concentrated?
• Do certain intermediaries repeatedly connect to high-risk profiles?
• Are similar documentation anomalies appearing across applications?
• Are linked entities or applicants sharing hidden identifiers?

These are network questions, not transaction questions.

And network visibility is becoming critical in modern financial crime prevention.

The Organised Crime Convergence

Another important aspect of the Melbourne case is the alleged overlap between scam networks, drug importation, illicit tobacco, and financial fraud.

This reflects a broader global trend: organised crime convergence.

Criminal groups no longer specialise narrowly.

The same networks increasingly participate across:

• Cyber-enabled scams
• Drug trafficking
• Illicit tobacco
• Identity fraud
• Loan fraud
• Money laundering

What changes is not necessarily the network.
What changes is the revenue stream.

This creates a difficult environment for financial institutions because criminal typologies no longer fit neatly into separate categories.

What Financial Institutions Should Be Looking For

Cases like this highlight the need for institutions to move beyond isolated red flags and toward contextual intelligence.

Some behavioural indicators relevant to these typologies include:

• Multiple applications linked through shared intermediaries
• Rapid company formation before lending activity
• Inconsistencies between declared income and transaction behaviour
• High-value loans supported by unusually uniform documentation
• Connections between borrowers, directors, and shell entities
• Sudden movement of funds after loan disbursement
• Layered transfers inconsistent with expected customer activity

None of these alone guarantees criminal activity.

But together, they may indicate something more organised.

Why Static Controls Are No Longer Enough

One of the biggest lessons from this case is that static compliance controls are increasingly insufficient against adaptive criminal operations.

Criminal networks evolve quickly.

Rules, thresholds, and manual review processes often do not.

This is especially problematic when schemes involve:

• Multiple institutions
• Professional facilitators
• Cross-product abuse
• AI-enhanced fraud techniques

Modern detection increasingly requires:

• Behavioural analytics
• Network intelligence
• Entity resolution
• Real-time risk correlation
• Collaborative intelligence models

The future of AML and fraud prevention will depend less on detecting individual suspicious events and more on understanding relationships, coordination, and behavioural patterns.

Why Financial Institutions Need a More Connected Detection Approach

Cases like the Melbourne fraud investigation expose a growing gap in how financial institutions detect complex financial crime.

Traditional systems are often designed around isolated controls:

• onboarding checks,
• transaction monitoring,
• fraud rules,
• credit risk reviews.

But organised financial crime no longer operates in silos.

The same network may involve:

• shell companies,
• synthetic documents,
• mule accounts,
• professional facilitators,
• layered fund movement,
• and abuse across multiple financial products simultaneously.

This is where financial institutions increasingly need a more connected and intelligence-driven approach.

Tookitaki’s FinCense platform is designed to help institutions move beyond static rule-based monitoring by combining:

• behavioural intelligence,
• network-based risk detection,
• AML and fraud convergence,
• and collaborative typology-driven insights through the AFC Ecosystem.

In scenarios like the Melbourne case, this becomes particularly important because risks rarely appear through a single alert. Instead, suspicious behaviour emerges gradually through relationships, patterns, and hidden connections across customers, entities, transactions, and intermediaries.

For compliance teams, the challenge is no longer just detecting suspicious transactions in isolation.

It is identifying organised financial crime ecosystems before they scale into systemic exposure.

The Bigger Question for the Industry

The Melbourne case is ultimately about more than one accountant or one syndicate.

It raises a larger question for financial institutions:

How much organised criminal activity already exists inside legitimate financial systems without appearing obviously criminal?

That question becomes more urgent as:

• AI lowers fraud barriers
• Organised crime becomes financially sophisticated
• Criminal groups exploit professional ecosystems
• Financial products become laundering mechanisms

The industry is moving into a period where financial crime detection can no longer rely purely on surface-level anomalies.

Understanding context is becoming the real differentiator.

Conclusion: The New Face of Financial Crime

The alleged fraud ring uncovered in Australia reflects the changing architecture of modern financial crime.

This was not simply a forged application or isolated scam.

Authorities allege a coordinated ecosystem involving professionals, shell entities, fraudulent lending activity, and links to broader criminal networks.

That matters because it shows how deeply organised crime can embed itself within legitimate financial infrastructure.

For compliance teams, the challenge is no longer just identifying suspicious transactions.

It is recognising complex financial relationships before they scale into systemic exposure.

And increasingly, that requires institutions to think less like rule engines — and more like investigators connecting networks, behaviours, and intent.

New Zealand's anti-money laundering framework did not arrive fully formed. It was built in two deliberate phases.

Phase 1 came into effect from 2013. Banks, non-bank deposit takers, and financial institutions were brought under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the AML/CFT Act). Phase 2 followed between 2018 and 2019, extending obligations to lawyers, conveyancers, accountants, real estate agents, trust and company service providers, and casinos.

The result is one of the broadest reporting entity frameworks in the Asia-Pacific region. A law firm advising on a property transaction is a reporting entity. So is an accountancy practice handling company formations. So is a cryptocurrency exchange. If you are a compliance officer or senior manager at any organisation in these sectors, the AML/CFT Act applies to you — and the obligations are substantive.

Understanding what the Act requires is not optional. Three separate supervisory agencies actively examine reporting entities, and enforcement actions have been taken across all three sectors.

The AML/CFT Act 2009 — Primary Legislation and Key Amendments

The primary legislation is the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. It is the single statute that governs all AML/CFT obligations for reporting entities in New Zealand.

The Act has been amended several times since its original enactment. The most significant structural change came in 2017, when amendments extended the framework to Phase 2 entities — the DNFBPs (designated non-financial businesses and professions) that came on stream from 2018 onwards. A further set of amendments was passed in 2023 via the Anti-Money Laundering and Countering Financing of Terrorism (Definitions) Amendment Act 2023, which updated the definitions framework to bring virtual asset service providers (VASPs) and digital assets into clearer alignment with FATF standards.

The Three-Supervisor Structure

New Zealand uses a split supervisory model that is uncommon in the Asia-Pacific region. Most APAC jurisdictions assign AML supervision to a single financial intelligence unit or prudential regulator. New Zealand has three:

• Financial Markets Authority (FMA): Supervises financial markets participants, licensed insurers, and certain non-bank financial institutions.
• Reserve Bank of New Zealand (RBNZ): Supervises registered banks and non-bank deposit takers.
• Department of Internal Affairs (DIA): Supervises lawyers, conveyancers, accountants, real estate agents, trust and company service providers, and casinos.

Each supervisor has its own examination approach and publication practice. A law firm subject to DIA supervision operates under the same Act as a bank supervised by the RBNZ — but the examination focus and sector context will differ. Reporting entities need to understand which supervisor they report to, because guidance, templates, and examination priorities vary.

Who Is a Reporting Entity in New Zealand

The AML/CFT Act defines "reporting entity" across three broad categories.

Financial institutions include registered banks, non-bank deposit takers, life insurers, money changers, and remittance service providers. These entities have been subject to the Act since Phase 1.

Designated non-financial businesses and professions (DNFBPs) include lawyers (when conducting relevant activities such as conveyancing, company formation, or managing client funds), conveyancers, accountants, real estate agents, trust and company service providers, and casino operators. These entities have been captured since Phase 2.

Virtual asset service providers (VASPs) — including cryptocurrency exchanges, custodian wallet providers, and other businesses facilitating digital asset transfers — were brought into the framework from June 2021 following amendments to the Act.

The breadth of this list matters. Unlike jurisdictions where AML obligations fall almost exclusively on banks and financial institutions, New Zealand compliance officers in professional services firms face the same core obligations as a registered bank. The complexity of building an AML/CFT programme may differ, but the legal requirements do not.

The Seven AML/CFT Programme Requirements

Under Section 56 of the AML/CFT Act, every reporting entity must have a written AML/CFT programme. The programme is not a theoretical document — it must reflect how the organisation actually operates, and it must be implemented in practice.

The seven required elements are:

1. Risk assessment. A documented assessment of the money laundering and terrorism financing risks posed by the entity's products, services, customers, and delivery channels. This must be reviewed and updated when material changes occur.
2. Compliance officer. A designated AML/CFT compliance officer must be appointed. This role can be filled internally or by an approved external provider. The compliance officer is accountable for day-to-day programme management and regulatory reporting.
3. Customer due diligence (CDD) and enhanced due diligence (EDD) procedures. Written procedures covering how the entity identifies customers, verifies their identity, and applies EDD where required. See the section below for what this means in practice.
4. Ongoing CDD and account monitoring. Continuous monitoring of transactions against customer risk profiles. The Act does not permit periodic-only review — monitoring must be ongoing.
5. Record keeping. Records of CDD, transactions, and reports must be retained for a minimum of five years.
6. Staff training. All relevant staff must receive AML/CFT training appropriate to their role. Training records must be maintained.
7. AML/CFT audit. An independent audit of the AML/CFT programme must be conducted at least every two years for most entities. This is a statutory requirement under Section 59 of the Act. The auditor must be independent of the compliance function.

CDD Requirements in Practice

New Zealand's CDD framework follows a risk-based approach consistent with FATF Recommendations, but the specific requirements are set out in the AML/CFT Act and its regulations.

Standard CDD applies to all customers at onboarding and must include identity verification using reliable, independent source documents. For individuals, this means a government-issued photo ID plus address verification. For legal entities, it means a certificate of incorporation and — critically — verification of beneficial ownership. Understanding who ultimately owns or controls a company or trust is a requirement, not an option.

For more detail on what the verification process involves, the complete guide to transaction monitoring covers how identity data feeds into ongoing monitoring workflows. The KYC guide sets out the broader identity verification framework in detail.

Enhanced CDD (EDD) is triggered where the risk assessment or customer circumstances indicate higher risk. EDD triggers under the AML/CFT Act and its associated regulations include:

• Politically exposed persons (PEPs) and their associates
• Customers from jurisdictions on the FATF grey or black list
• Complex or unusual business structures where beneficial ownership is difficult to verify
• Transactions that are inconsistent with the customer's established profile

For EDD customers, the entity must also obtain and verify source of funds and, in some cases, source of wealth. This is not a box-ticking exercise — the documentation must be sufficient to explain the customer's financial activity.

Ongoing monitoring is where many reporting entities fall short. The Act requires continuous monitoring of transactions against customer risk profiles. A quarterly review schedule is not sufficient compliance. Monitoring must be calibrated to detect anomalies as they arise, which in practice means transaction monitoring systems or documented manual procedures that operate at transaction level.

Transaction Reporting Obligations

Reporting entities have two distinct filing obligations with the New Zealand Police Financial Intelligence Unit (FIU).

Suspicious Activity Reports (SARs)

A Suspicious Activity Report must be filed when a reporting entity suspects that a transaction or activity may involve money laundering, terrorism financing, or the proceeds of a predicate offence. There is no minimum threshold — the obligation is triggered by suspicion, not transaction size.

SARs must be filed "as soon as practicable." The Act does not specify a number of business days, but FIU guidance is unambiguous: file without delay. Once a SAR is being prepared or has been filed, the entity must not tip off the customer that a report is being made or that a suspicion exists. Tipping off is a criminal offence under the Act.

Prescribed Transaction Reports (PTRs)

PTRs are required for:

• Cash transactions of NZD 10,000 or above (or the foreign currency equivalent)
• Certain international wire transfers of NZD 1,000 or above

PTRs are filed with the NZ Police FIU. Unlike SARs — which are discretionary in the sense that they require a judgment call on suspicion — PTR filing is mechanical and threshold-based. Every qualifying cash transaction and wire transfer must be reported, regardless of whether the entity suspects anything unusual.

The volume of PTR filings at institutions handling significant cash flows or international payments makes automation a practical necessity rather than a preference.

The Audit Requirement — What Examiners Look For

The mandatory two-year audit under Section 59 is not a light-touch compliance check. It is a substantive review of whether the AML/CFT programme is working in practice. The supervisor — FMA, RBNZ, or DIA — may request the audit report at any time.

An AML/CFT audit must assess:

• Whether the risk assessment is current and accurately reflects the entity's actual customer and product mix
• Whether the written AML/CFT programme is being implemented as documented
• Whether CDD procedures are being followed at the individual account and transaction level — including transaction sampling
• Whether staff training records are complete and training content is appropriate

Audit findings are not optional to address. Where the auditor identifies gaps, the entity must remediate them. Supervisors will look at both the audit report and the entity's response to it.

What Regulators Actually Flag

Examination findings across New Zealand reporting entities follow recognisable patterns. The following issues appear repeatedly in supervisory communications and enforcement actions:

Outdated risk assessments. Risk assessments that were prepared at the time of onboarding to the Act and have not been updated since. If the entity's products, customer base, or delivery channels have changed and the risk assessment has not been revised to reflect this, it is not compliant.

Incomplete CDD for legacy customers. Entities that onboarded Phase 2 customers before their AML/CFT obligations commenced often have documentation gaps at account level. Remediating legacy CDD files is a known, ongoing issue across DNFBPs.

Periodic monitoring treated as ongoing monitoring. Quarterly customer reviews do not satisfy the ongoing monitoring obligation. Regulators have been explicit about this distinction.

Beneficial ownership gaps for trusts and complex structures. Verifying who ultimately controls a discretionary trust or a multi-layered corporate structure is difficult. Leaving this as "pending" or accepting incomplete documentation is one of the more frequently cited CDD failures.

PTR and SAR filing delays. Smaller DNFBPs — accountancy practices, law firms, real estate agencies — that are less familiar with the FIU reporting system often delay filings or miss them entirely. The obligation does not diminish because an entity is small or because the compliance team is not specialised.

How Technology Supports AML/CFT Compliance for NZ Reporting Entities

For financial institutions handling significant transaction volumes, manual transaction monitoring is not a workable approach. The PTR threshold at NZD 10,000 for cash transactions requires automated cash monitoring and report generation. SAR filing requires a case management workflow — alert review, investigation documentation, decision rationale, and a filing record that can be produced to a supervisor on request.

Automated transaction monitoring systems must apply New Zealand-specific typologies and thresholds, not just generic international rule sets. The NZ customer risk profile and the specific triggers in the AML/CFT Act differ from those in Australian or Singaporean frameworks. A system calibrated for another jurisdiction will not deliver accurate detection for a New Zealand entity.

For the two-year audit, AML/CFT systems need to produce exportable audit trails. Auditors will want to see alert volumes, disposition decisions, and calibration history. A system that cannot generate this output creates a significant gap at audit time.

When evaluating technology options, the Transaction Monitoring Software Buyer's Guide provides a structured framework for assessing vendor capabilities against your specific obligations and transaction profile.

Tookitaki's FinCense for New Zealand Compliance

New Zealand's AML/CFT framework places specific, auditable obligations on reporting entities across sectors that most AML platforms were not designed to support. FinCense is built to address this directly — with configurable typologies for NZ reporting obligations, PTR automation, SAR case management, and audit-ready transaction trails.

If you are building or reviewing your AML/CFT programme ahead of your next supervisor examination or two-year audit, talk to our team. We work with reporting entities across financial services and professional services sectors in New Zealand and across the APAC region.

Book a demo to see how FinCense supports New Zealand AML/CFT compliance — or speak with one of our experts about your specific programme requirements.