How Tookitaki Helps New Zealand Banks Meet AML/CFT Act Requirements

New Zealand's AML/CFT framework has matured significantly since the AML/CFT Act 2009 was enacted. The sector has moved through the initial compliance build-out phase — establishing written programmes, conducting risk assessments, putting monitoring in place — into the examination and enforcement phase. The Financial Markets Authority (FMA), Reserve Bank of New Zealand (RBNZ), and Department of Internal Affairs (DIA) are all actively examining institutions, and the focus of those examinations has shifted from "do you have a programme?" to "does your programme actually work?"

For New Zealand banks, non-bank deposit takers, and the growing population of reporting entities covered since the 2021 VASP amendments, the transaction monitoring and SAR filing obligations are where examination findings most frequently occur.

This page covers what New Zealand's AML/CFT regime requires, where compliance teams are typically found deficient, and how Tookitaki's FinCense platform is designed to address those requirements.

New Zealand's AML/CFT Obligations in Practice

The AML/CFT Programme Requirement

Under Section 57 of the AML/CFT Act 2009, every reporting entity must establish, implement, and maintain a written AML/CFT programme. The programme must be risk-based — designed around the specific ML/FT risks the institution faces — and must include transaction monitoring procedures adequate to detect suspicious activity.

The AML/CFT programme is a living document. It must be reviewed and updated when material changes occur: new products or services, new customer segments, changes to the business model, and changes in the external risk environment (including updates to New Zealand's national risk assessment or changes to the FATF country risk list).

Transaction Monitoring and Suspicious Activity Reporting

Reporting entities must monitor transactions for suspicious activity and file Suspicious Activity Reports (SARs) with the New Zealand Police Financial Intelligence Unit within three working days of forming a suspicion. There is no minimum threshold for SAR filing — the obligation arises when there are grounds to suspect that a transaction is or may be related to a money laundering offence or the financing of terrorism.

The tipping-off prohibition applies: once a SAR has been filed or is intended to be filed, the customer cannot be informed. This makes the internal workflow — from alert to investigation to filing decision — operationally important. The workflow must be fast enough to meet the three-working-day deadline without requiring analysts to shortcut the investigation.

Reporting entities must also file Prescribed Transaction Reports (PTRs) for:

• Cash transactions of NZD 10,000 or more
• International wire transfers of NZD 1,000 or more

PTRs must be filed with the FIU within 10 working days of the transaction.

If you are newer to transaction monitoring concepts, our introduction to transaction monitoring sets out the fundamentals.

The Section 59 Audit Requirement

Section 59 of the AML/CFT Act mandates an independent audit of the AML/CFT programme every two years. The audit must be conducted by someone with relevant expertise who is independent of the compliance function — typically an external auditor or a separate internal audit team.

The Section 59 audit is not a checkbox exercise. Auditors assess whether the programme is effective, not just whether it exists. Monitoring coverage, alert investigation quality, SAR filing timeliness, and staff training completion are all examined. Institutions that cannot produce documentation of their monitoring programme — scenario design, alert logs, investigation records, SAR filings — will not satisfy an independent auditor.

This is the key difference between New Zealand and many other AML frameworks: the two-year audit cycle creates a hard deadline that cannot be deferred. If the monitoring programme has been running on vendor defaults without calibration, or if the alert investigation workflow has no documented disposition records, the audit will find it.

Where New Zealand Institutions Are Found Deficient

FMA and RBNZ examination findings published over the past three years identify consistent patterns:

Monitoring systems running without calibration. Institutions that deployed monitoring systems at programme inception and never revisited scenario design, thresholds, or false positive rates. The Section 59 audit surfaces this immediately — auditors ask for evidence of monitoring reviews, and "we have not changed anything since implementation" is an audit finding.

Alert investigation records that do not meet documentation standards. An alert that is investigated and closed without a written record of what was reviewed, what was concluded, and why a SAR was or was not filed does not satisfy the audit standard. Many institutions track alert volume but not alert disposition quality.

SAR filing outside the three-working-day window. The three-day deadline is short. Institutions with manual escalation workflows — where an analyst flags a concern to a manager who reviews and approves before filing — frequently find that the window closes before the internal process completes. Automated escalation with defined approval timeframes is required.

PTR coverage gaps for wire transfers. The NZD 1,000 threshold for international wire transfers is low relative to most institutions' standard transaction volumes. Systems calibrated for high-value transfer detection frequently miss PTR-eligible wire transfers in the NZD 1,000–5,000 range. This is a recurring finding in DIA examinations of remittance companies and money changers.

AML/CFT programme not updated for material business changes. Institutions that launched new products, entered new customer segments, or changed delivery channels without updating their risk assessment and programme. The Section 59 auditor will compare the programme to the current business model — any gap is a finding.

How Tookitaki's FinCense Platform Supports NZ Compliance

Programme Design and Risk-Based Configuration

FinCense implementation begins with the institution's AML/CFT risk assessment. Monitoring scenarios are configured to reflect the specific risks identified — customer segments, products, geographic exposures, and delivery channel risks. This produces the documented traceability between risk assessment and monitoring design that Section 59 auditors require.

The platform includes pre-configured scenarios based on New Zealand typologies — identified in the New Zealand National Risk Assessment and the FMA/RBNZ supervisory guidance — covering cash structuring, international transfer patterns, mule account behaviour, rapid fund cycling, and VASP-specific transaction patterns. Each scenario is calibrated against the institution's actual transaction data before deployment.

SAR and PTR Workflow Management

FinCense case management tracks every alert from generation through to disposition. For alerts that escalate to SAR filing, the system:

• Records the full investigation trail with timestamps — transaction data reviewed, analyst notes, escalation steps, approval decisions
• Tracks elapsed time from alert generation to SAR filing, with automated escalation if the three-working-day window is at risk
• Pre-populates FIU SAR fields from the case record, reducing manual data entry and the risk of omission
• Flags PTR-eligible transactions automatically — cash at NZD 10,000+ and wire transfers at NZD 1,000+ — with alerts for structuring patterns designed to avoid both thresholds
• Records PTR submission dates and FIU reference numbers against each transaction

The audit trail produced by this workflow satisfies the Section 59 auditor's documentation requirements. Every alert, every investigation, every filing decision is preserved with the information needed to demonstrate that the programme is functioning as designed.

Section 59 Audit Readiness

FinCense generates monitoring programme review reports that document scenario performance, alert volumes, false positive rates, calibration changes, and SME review outcomes over any defined period. These reports are designed to be produced for a Section 59 auditor — the data is captured in the platform as the monitoring programme operates.

When an auditor asks "show me evidence that your monitoring programme was reviewed in the past twelve months" - Tookitaki's support team can help provide you with the required report.

The calibration log — recording every scenario adjustment, its rationale, and the date it was made — is preserved as a permanent record. Institutions that can show auditors a calibration history, not just a current configuration, are demonstrably managing their monitoring programme rather than simply maintaining it.

Preparing for Your Next Section 59 Audit

For New Zealand compliance teams approaching a two-year audit cycle, the questions that Section 59 auditors consistently ask include:

• Can you produce a mapping between your ML/FT risk assessment and each active monitoring scenario?
• What is the documented process for alert investigation and disposition — and does every alert have a disposition record?
• What evidence exists that SAR filing is consistently meeting the three-working-day deadline?
• When was the monitoring programme last calibrated, and what was changed?
• Are PTR-eligible wire transfers being captured at the NZD 1,000 threshold — not just high-value transfers?
• Has the AML/CFT programme been updated to reflect any material changes to the business in the past two years?

If any of these cannot be answered from live programme documentation, the gap will be found in the audit.

For a broader overview of New Zealand's AML/CFT obligations and how they compare to other APAC frameworks, see our AML/CFT Compliance New Zealand guide and our Transaction Monitoring in New Zealand article.

To see how FinCense addresses the specific obligations of New Zealand's AML/CFT Act — including Section 59 audit readiness — book a demo with Tookitaki's APAC compliance team.