NZ AML/CFT update: Customer risk rating guidance - what you need to know

From 1 June 2025, the third and final phase of amendments to New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act 2009 will be enacted. A key change is the new requirement for reporting entities to risk-rate customers as part of their customer due diligence (CDD) processes.

The Department of Internal Affairs (DIA) has released new guidance on customer risk rating. Below is a practical breakdown of what the guidance covers.

Key requirements

  • Mandatory risk rating: From 1 June 2025, all reporting entities must assign a risk rating to new customers when forming a business relationship or conducting occasional transactions as part of CDD.
  • Record-keeping & ongoing review: Reporting entities must maintain records of customer risk ratings and the rationale behind them. Risk ratings must be reviewed during ongoing monitoring and updated when customer behaviour or circumstances change. The risk rating process should also be periodically tested and refined to ensure it remains effective.

Developing a risk rating process

  • Risk-based approach: There is no one-size-fits-all model. Your customer risk rating process should be risk-based to reflect your business’s firm-wide risk assessment, including customer types, delivery channels, and exposure to sector and national-level risks.
  • For smaller or less complex businesses: A simple manual process using basic categories (low/medium/high) based on known risk indicators is suggested.
  • For larger or complex businesses: A more sophisticated approach is encouraged. Examples include scorecards, matrix-based tools, or automated models that combine scoring and rating scales with qualitative assessments.

Risk rating at initial onboarding and ongoing CDD

  • Onboarding: Use the information gathered during CDD (e.g. purpose of relationship, transaction patterns, screening status) to determine a customer’s initial risk rating.
  • Two-step approach: For manual processes, assign an initial risk rating based on early client information. Then confirm or adjust the rating once all CDD checks are completed.
  • Ongoing CDD: The initial risk rating should influence how often you review the customer and what controls you apply (e.g. transaction limits, senior approval). If a customer’s behaviour changes, update the risk rating accordingly.
  • Existing customers: The guidance suggests that reporting entities risk-rate pre-June 2025 customers when they next undergo an ongoing CDD review. This will help bring consistency across your customer base.

Record-keeping

Reporting entities must keep records of each customer's risk rating and the dates of any reviews or updates. The records should include the reasons behind each risk rating decision. These records must be easily accessible and retained for at least five years after the business relationship ends.

For further information, please visit:


About First AML

First AML comes from the perspective of both a technology provider and compliance professionals. Prior to releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that firms face today as they try to scale their own AML is in our DNA.

That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.

Keen to find out more? Book a demo today!
