Understanding New Zealand's new address verification rules

New Zealand has removed the long-standing requirement to verify a customer’s residential address during standard customer due diligence (CDD). This brings it in line with global risk-based practice and will reduce onboarding friction. The change comes into effect the day after Royal assent.   

The Government has positioned this as immediate relief for businesses, but the change also marks a broader move toward a more proportionate, risk-based model of compliance that better aligns with global practice.

For reporting entities, the update simplifies onboarding for many customers while increasing the need for clear risk assessments and robust, well documented decision making.

What the change involves

Previously, reporting entities were required to collect and verify a customer’s address for all standard CDD. Verification often meant either conducting electronic verification or collecting a utility bill, bank statement, tenancy agreement or similar document. Many customers struggled to provide acceptable evidence and onboarding delays were common.

The updated rule removes the universal requirement to verify the address for standard CDD. Firms must still collect the address, but verification only needs to occur when the customer or activity presents higher risk.

Verification remains necessary in enhanced due diligence (EDD) situations.

Examples include:

• politically exposed persons (PEPs)
• complex ownership structures or
• customers whose transactions indicate elevated concerns.

The obligation has therefore shifted from a blanket requirement to one informed by context and risk level.

Why this reform was introduced

The Government noted several reasons for making this adjustment. A key driver is proportionality. Many customers pose low inherent risk, and the verification burden previously placed on them provided limited benefit to financial crime prevention. Another influence is the desire for closer alignment with international standards. Modern AML regimes encourage entities to exercise informed judgement rather than apply rigid documentation rules to every case. Practical efficiency also played a role, as address verification has long been one of the most common sources of customer frustration and onboarding delays.

“AML rules have been unclear for too long, and businesses have been forced into overly conservative, box-ticking compliance...This is good for both businesses and their customers...They’ll no longer face the frustration of having to prove an address they can’t easily provide.”

- Hon Nicole McKee

By focusing compliance attention on circumstances where it is genuinely needed, the updated rule aims to make New Zealand’s AML system more effective while reducing unnecessary administrative friction.

Practical examples of applying the new rule

Consider a local, long-standing client onboarding for a straightforward residential real estate transaction. They provide a New Zealand driver's licence and other standard identity documents. Their background, transaction purpose and anticipated activity all align with a low-risk profile. In this situation, collecting but not verifying their address may be entirely reasonable.

On the other hand, imagine a new client based overseas who wishes to establish a trust structure to invest in commercial property. The complexity of the arrangement, the cross-border elements and the nature of the transaction elevate risk. In that case, verifying the address of relevant parties may remain appropriate, even though the formal requirement has been relaxed.

What matters is not the rule itself, but whether the business can show that the decision fits its documented risk methodology.

Why risk assessments matter more than ever

The shift toward risk-based verification places greater emphasis on the quality of an entity’s risk assessment methodology. Because address verification is no longer required for all customers, businesses must be able to explain why a customer was categorised as low risk and therefore why address verification was not conducted.

This places increased importance on:

• having clear risk indicators
• consistent application by staff and
• strong documentation that supports each decision.

When supervisors or auditors review a file, the rationale behind the risk determination will be as important as the information collected.

Implications for compliance processes

Entities will need to update their AML programmes to reflect the revised requirements. For example:

• Policies and procedures should specify the circumstances in which address verification is appropriate.
• Onboarding workflows may need to shift from universal verification to logic that triggers checks only when relevant.
• Staff training should reinforce how risk factors influence verification decisions.
• Record keeping processes must capture not only the information obtained from customers but also the reasoning behind decisions to verify or not verify addresses.

Practical next steps for reporting entities

Businesses should begin by reviewing their risk assessment frameworks to ensure they clearly describe the indicators that determine when verification is required.

• Customer due diligence procedures should be updated so that onboarding processes reflect the new rule.
• Staff training should be refreshed to ensure consistent decision making.
• Firms may also wish to note that the change takes effect the day after Royal assent (likely this side of Christmas) and
• that official updates and supporting materials can be found on the Ministry of Justice and Department of Internal Affairs websites.

By applying thoughtful, risk-based decision making and maintaining robust compliance processes, businesses can implement the new requirement with confidence while continuing to meet their obligations effectively.