New Zealand’s biometric processing privacy code: What it means for AML verification

New Zealand’s Biometric Processing Privacy Code officially came into force this week. This is a major change for organisations that collect and use people's biometric information as part of biometric processing.

The Code comes into force on two staggered dates:

  • 3 November 2025 for biometric processing that starts after 3 November 2025
  • 3 August 2026 for biometric processing already in use on or before 3 November 2025

The Code, issued by the Office of the Privacy Commissioner (OPC), strengthens protections for individuals while giving clearer direction to businesses that use biometric technology within their business processes, especially those in regulated sectors subject to anti-money laundering (AML) regulations. The Code formalises existing best practice and introduces new transparency and proportionality tests for biometric processing.

For compliance teams using First AML’s verification tools, the transition is seamless. Our existing controls already align with the new Code, and we’ve updated our privacy policy and the wording for electronic identity verification (EIV) consent to reflect these changes and ensure compliance.

What biometric data means under the Code

The Code defines biometric information as data derived from a person’s physical or behavioural traits that can be used to verify or recognise their identity.

Common examples include:

  • Facial recognition images or templates
  • Voice recordings used for verification
  • Iris or fingerprint scans

In practice, this covers most digital ID verification processes used for AML onboarding, such as when a customer uploads an identity document and takes a selfie or a live video to confirm a match with the photo on their ID.

Key regulatory changes and what they mean

1. A higher bar for necessity and proportionality

The Code introduces a formal requirement to assess whether biometric collection is necessary and proportionate to the purpose. Agencies must ensure that no less privacy-intrusive method is available and document their assessment.

How First AML complies

Our biometric verification is used solely for identity verification and fraud prevention, both lawful purposes under the Anti-Money Laundering Act. Each biometric process has undergone a documented privacy and proportionality assessment.

2. Transparent collection and informed consent

Individuals must be clearly told what biometric data is collected, why it’s needed, how long it will be kept, and whether they can use a non-biometric alternative.

How First AML complies

We’ve updated our Privacy Policy and EIV consent wording to include full disclosure of:

  • What biometric data is collected, and its purpose
  • The availability of alternative, manual (non-biometric) verification
  • Retention and deletion details
  • Privacy contact information and how to raise concerns

These updates ensure every verification includes clear, informed consent that meets the OPC’s new expectations.

3. Prohibition on secondary use and categorisation

The Code restricts organisations from using biometric data for unrelated purposes, such as emotion or demographic analysis.

How First AML complies

First AML does not perform biometric categorisation. Biometric data is processed only to verify identity, not to infer attributes like age, ethnicity, or sentiment.

4. Retention and deletion

Biometric information must not be stored longer than necessary. Agencies must clearly state how long they retain it and securely delete it when no longer required.

How First AML complies

Biometric images and verification templates are retained only as required by AML record-keeping obligations, and may be deleted on request from our customers or from the end user. All biometric data is encrypted, and deletion events and logs are auditable.

5. Strengthened security and sub-processor safeguards

The Code reinforces the need for strong technical and contractual protections when biometric data is handled by third-party service providers.

How First AML complies

Biometric data processed through First AML is encrypted in transit and at rest, stored in ISO 27001-certified cloud environments, and managed through least-privilege access controls. All sub-processors are contractually bound by equivalent safeguards, and none may use biometric data for secondary purposes. See our security page for further information.

6. Cross-border disclosure transparency

The Code states that if biometric data is sent overseas, organisations must inform individuals if the overseas recipient may not be subject to comparable protections.

How First AML complies

Biometric information is processed only by trusted service providers, such as Onfido, in jurisdictions with established privacy and data protection frameworks (including the United Kingdom, European Union and Australia). These providers are selected based on their adherence to protections comparable to New Zealand and Australian privacy laws.

To meet transparency expectations under the Code, First AML publishes details of all current sub-processors and their processing locations at First AML Sub-Processors.

7. Clear rights of access, correction and complaint

The Code reiterates that individuals have the right to access and correct their biometric information and to complain to the OPC if unsatisfied.

How First AML supports this

Our updated Privacy Policy outlines how individuals can request access to or deletion of biometric data, or raise a privacy concern. The privacy team can be contacted anytime at privacy@firstaml.com.

What this means for compliance teams

For most First AML customers, the introduction of the Biometric Processing Privacy Code won’t change how you use the platform day-to-day.

Here’s what to focus on:

  • Review your internal privacy documentation to ensure references to the Biometric Processing Privacy Code are included.
  • Confirm your client-facing privacy notices or engagement letters reflect the Code’s transparency standards. This includes clear disclosure of what biometric data you collect, how you use it, and the availability of alternative verification methods.
  • Keep your privacy assessments on file, in case the OPC requests evidence of compliance. These assessments should document why biometric processing is necessary for your business and why less intrusive methods aren't suitable.

Have any additional questions?

We are here to help. Contact your Customer Success Manager or email support@firstaml.com for any further questions related to the Biometric Processing Privacy Code and how First AML handles biometric data.