New Zealand's Department of Internal Affairs issues guidance on mandatory customer risk-rating under the AML/CFT regime from 1 June 2025

New Zealand's Department of Internal Affairs has published guidance to help reporting entities implement a customer risk-rating system for new customers under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009. From 1 June 2025, reporting entities must risk-rate new customers when establishing a business relationship or when a person seeks to conduct an occasional transaction or activity, keep a record of the rating, and review and update it as part of ongoing customer due diligence and account monitoring. The guidance sets out supervisors’ expectations for a risk-based approach, emphasising that there is no one-size-fits-all model and that the approach should be aligned to the entity’s risk assessment and AML/CFT programme, and be proportionate to the nature, size and complexity of the business. It highlights key inputs for risk assessment, including customer, country and institution exposure, products and services, delivery channels, and relevant national and sector risk assessments, and notes that higher-risk indicators should be assessed in combination. For smaller, less complex businesses a simple low, medium and high framework may be sufficient, while larger or more complex entities may need more sophisticated scorecards or matrix tools. Record-keeping expectations include retaining risk-rating records (including review and update dates) for at least five years after the end of the business relationship or completion of an occasional transaction, and keeping records in a form that is immediately accessible. The Department also encourages reporting entities to use ongoing customer due diligence to align their approach by risk-rating customers onboarded before 1 June 2025.