Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in New Zealand, “AML/CFT” can sound like something that only banks and big finance companies need to worry about.
But in reality, a wide range of everyday businesses can be “reporting entities” under New Zealand’s anti-money laundering and countering financing of terrorism regime - and that comes with serious compliance obligations.
This guide explains what the rules around AML/CFT reporting entities in New Zealand are getting at, how to work out whether your business is captured, and what you need to have in place if you are.
Important note: This article is general information only. Whether you’re a reporting entity (and exactly what you must do) can depend on your specific services, how your transactions work, and your client base - so it’s worth getting tailored legal advice before you assume you are (or aren’t) captured.
What Is A “Reporting Entity” Under AML/CFT In New Zealand?
In New Zealand, the key law is the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the AML/CFT Act).
Broadly, the AML/CFT Act is designed to stop criminals from using legitimate businesses to:
- launder money (i.e. turn “dirty” money into money that looks legitimate), or
- finance terrorism (i.e. move funds to support terrorist activities).
A reporting entity is a person or business that provides certain services (called “captured activities”) that are considered higher risk for money laundering or terrorism financing.
If you’re a reporting entity, you must take practical steps like:
- carrying out customer due diligence (CDD) - often called “KYC” (know your customer),
- having an AML/CFT risk assessment and programme,
- keeping records and monitoring transactions,
- making certain reports to the authorities (for example, suspicious activity, and in some cases prescribed transaction reporting), and
- having your AML/CFT programme independently audited on a regular basis (commonly at least every 2 years, or on request by your supervisor).
These aren’t “nice to have” steps - they are legal obligations, and regulators can take enforcement action if you get them wrong.
Being A Reporting Entity Is About What You Do (Not Just Who You Are)
A common trap for small business owners is assuming AML/CFT only applies to certain industries by default.
In practice, the test is often:
- what services you provide,
- how you get paid and how funds move, and
- whether your service involves handling money, assets, or client structures in a way that could be abused.
So two businesses that look similar on paper can have very different AML/CFT obligations depending on how they operate.
Which Businesses Are AML/CFT Reporting Entities In New Zealand?
The AML/CFT Act captures a range of industries. Some are obvious (like banks), and some catch small businesses by surprise (like certain professional services).
Below are common categories that may be reporting entities in New Zealand.
Financial Services Providers
This category covers many businesses dealing with financial products or services, such as:
- banks and non-bank deposit takers
- lenders and finance companies
- money remitters and currency exchangers
- payment service providers (particularly where you are transferring money or value for customers, or controlling funds as part of the payment flow)
- some investment-related services
If your business holds, transfers, converts, safeguards, or controls funds for customers, it’s worth checking whether your activity falls within the AML/CFT regime.
Trust And Company Service Providers (TCSPs)
Many small businesses provide “back office” services that can quietly become AML/CFT-captured - especially where they help clients set up or manage entities and structures.
You may be providing TCSP services if you do things like:
- form companies or other entities for clients
- provide registered office address services
- act as (or arrange) nominee directors or shareholders
- act as a trustee, or arrange trustees
- manage client funds in relation to entity formation/administration
If you’re building a new venture that offers these services, it’s a good idea to get your broader legal setup right too (for example, your Company Set Up and governance documents) because compliance obligations can grow quickly once you’re dealing with client money and client structures.
Real Estate Agents
Real estate is a well-known money laundering risk area internationally, so real estate agents are commonly captured.
In simple terms, AML/CFT obligations often apply to work involved in buying and selling real property (and sometimes related services). Because property transactions can involve large sums and complex ownership structures, regulators expect strong identity verification and transaction monitoring.
Law Firms (When Doing Captured Work)
Many people are surprised to learn that some legal services can fall under AML/CFT - but it generally depends on the type of legal work, particularly where lawyers handle transactions or help create/manage structures.
Not every legal matter triggers AML/CFT obligations, but certain transaction-focused services can. If you’re running a law-adjacent business (or partnering with one), it’s important not to guess - AML/CFT classification should be checked carefully.
Accountants (When Doing Captured Work)
Accounting firms can also be captured where they provide certain services (for example, services connected to client funds or forming/managing entities).
As with legal services, it’s not always “all accounting work” - it can be about whether you’re providing captured activities, especially where you’re enabling movement of value or the creation of structures.
Casinos (And Other Cash-Intensive Activity)
Casinos are generally captured due to the inherent risks around cash and rapid movement of funds.
If your business is cash-intensive, has international customers, or is involved in moving funds (for example, currency exchange or remittance services offered alongside another business), it’s smart to check where the law draws the line for your activity - because AML/CFT obligations generally attach to the captured service, not the general “type” of business.
How Do You Know If Your Small Business Is A Reporting Entity?
For most small businesses, the hardest part isn’t doing the compliance work - it’s confidently deciding whether you’re captured in the first place.
Here’s a practical way to approach it.
1) Identify Your “Activities” (Not Just Your Industry Label)
Start by listing, in plain English, what you actually do day-to-day. For example:
- Do you ever receive money on behalf of a client?
- Do you transfer money between parties?
- Do you hold funds in escrow or trust-like arrangements?
- Do you help clients set up companies or trusts?
- Do you provide registered office or “virtual office” services?
- Do you help clients buy or sell businesses or property where you manage the transaction process?
One “yes” doesn’t automatically mean you’re captured, but these are classic risk triggers.
2) Map Your Money Flows
AML/CFT risk is heavily tied to how money moves. Consider:
- Who pays you, and how (bank transfer, card, cash, crypto, overseas transfer)?
- Do you ever receive funds that are then paid onwards to someone else?
- Do you deal with international customers or international payments?
- Do you accept unusually large one-off payments?
Even if you don’t think of yourself as “financial services”, the way you handle money may be what matters.
3) Consider Your Clients And Risk Profile
Risk can also increase depending on your customer base, such as:
- clients based overseas
- clients using complex company/trust structures
- clients operating in cash-heavy industries
- clients who are politically exposed persons (PEPs) or linked to high-risk jurisdictions
You don’t need to make judgment calls about people - the point is to design a compliance approach that matches your actual risk exposure.
4) Get Advice Early (Before You Scale)
It’s much easier (and cheaper) to build AML/CFT compliance into your business from day one than to retrofit it after you’ve onboarded dozens of clients.
And if you’re buying an existing business that may be captured (for example, an accounting practice or a trust services business), legal due diligence is key - that’s often where compliance gaps show up. A Legal Due Diligence process can help you identify compliance risks before you commit.
What Are Your Main Obligations If You Are A Reporting Entity?
If you are a reporting entity, you’re expected to have an AML/CFT framework that actually works in practice - not just a document that sits in a folder.
While the exact requirements depend on your situation, here are the major building blocks most reporting entities need to understand.
Risk Assessment And AML/CFT Programme
You typically need to:
- prepare a written risk assessment (how your business could be misused for money laundering or terrorism financing), and
- implement an AML/CFT programme (your policies, procedures, and controls to manage that risk).
Your programme should be tailored. Templates can be a starting point, but if your actual business model differs from the template assumptions, you can end up with obligations you don’t follow (or missing controls you do need).
Customer Due Diligence (CDD) / Know Your Customer (KYC)
CDD is the part most business owners recognise: verifying who your customer is.
Depending on the situation, this can include:
- identifying and verifying the customer
- identifying beneficial owners (who ultimately owns or controls an entity)
- understanding the nature and purpose of the business relationship
- conducting enhanced CDD for higher-risk situations
For small businesses, the practical challenge is balancing compliance with a smooth onboarding experience. The goal is to build a process that’s consistent, explainable to clients, and properly documented.
Ongoing Monitoring And Suspicious Activity Reporting
AML/CFT compliance isn’t just “check ID once and move on”. You generally need ongoing monitoring, which can include:
- reviewing transactions for unusual patterns
- keeping customer details up to date
- escalating and documenting internal concerns
If something seems suspicious, reporting entities may have obligations to report to the appropriate authorities (often through the Police Financial Intelligence Unit).
Depending on your business type and transactions, you may also need to lodge prescribed transaction reports (PTRs) for certain transactions - commonly including large cash transactions (for example, NZD $10,000 or more) and international wire transfers above a set threshold (for example, NZD $1,000 or more).
This can be uncomfortable for business owners - nobody wants to risk upsetting a client - but the whole point of AML/CFT is that your business shouldn’t become an easy vehicle for criminal activity.
Record Keeping
Most reporting entities must keep records for certain periods, such as records of:
- CDD/KYC documents and verification steps
- transaction and business relationship records
- copies of reports and internal decisions
Good record keeping isn’t just about compliance - it protects you if you’re ever audited or questioned about what checks you performed.
Training And Internal Controls
If you have staff (or contractors) involved in onboarding customers or processing transactions, training is critical. One weak link in your process can create serious risk.
It’s also important your broader business documentation supports compliance. For example, if staff access customer identification documents and sensitive information, you’ll usually want strong internal privacy controls and security expectations (often backed by an Acceptable Use Policy).
Who Regulates Reporting Entities (And What Happens If You Get It Wrong)?
In New Zealand, AML/CFT reporting entities are supervised by different agencies depending on the business type. Common supervisors include:
- the Department of Internal Affairs (DIA)
- the Financial Markets Authority (FMA)
- the Reserve Bank of New Zealand (RBNZ)
Your supervisor can require information, conduct audits/inspections, and take action if you’re non-compliant.
Common Compliance Risks For Small Businesses
In our experience, small businesses often run into trouble because they:
- don’t realise they’re captured until a bank, partner, or customer asks for AML information
- have policies but don’t follow them consistently
- fail to identify beneficial owners properly (especially for companies and trusts)
- don’t keep enough records to prove what they did
- don’t have clear internal escalation processes for suspicious activity
- overlook the requirement for regular independent audits of their AML/CFT programme
- miss or misunderstand when prescribed transaction reporting is required
AML/CFT And Privacy: Handling Customer Data Properly
AML/CFT compliance usually means collecting and storing personal information (like identity documents, proof of address, and information about beneficial owners).
That means you also need to take privacy seriously under the Privacy Act 2020.
Practical steps often include:
- telling customers what you collect and why (often through a Privacy Policy)
- storing documents securely and limiting access
- having a plan if something goes wrong (a Data Breach Response Plan can be a very practical safeguard)
This is one area where getting advice early can save you headaches later - because “AML required us to collect it” doesn’t automatically mean you can store it forever or share it freely.
Practical Next Steps If You Think You Might Be A Reporting Entity
If you’re reading this and thinking, “We might be captured,” don’t stress - you’re not alone, and you don’t have to solve it all in one day.
Here’s a practical roadmap that works well for many small businesses.
Step 1: Confirm Whether You’re Captured
Before you invest time and money into a full compliance system, confirm whether your services are actually captured activities under the AML/CFT Act.
This is especially important if you:
- offer mixed services (some captured, some not)
- operate across borders
- deal with trusts, companies, or nominee arrangements
Step 2: Document Your Risk Assessment
Even if you’re small, your risk assessment should be specific and realistic - based on how your business actually works.
A good risk assessment helps you avoid overcomplicating compliance. For example, you might decide that you don’t need enhanced measures for most clients, but you do need stronger checks for overseas customers or complex ownership structures.
Step 3: Build A Simple, Repeatable Customer Onboarding Process
Consistency is everything. You want onboarding steps that your team can follow every time, such as:
- what documents you accept
- how you verify them
- how you identify beneficial owners
- when you refuse service or escalate concerns
If your onboarding touches multiple legal areas (for example, contracts, privacy, payment terms, and service scope), it can also be a good time to review your customer-facing terms. Depending on your model, that may include a broader Contract Review so your agreements align with how you actually deliver services.
Step 4: Put Governance And Accountability In Place
AML/CFT compliance works best when someone is clearly responsible for it. That can include:
- appointing a compliance officer (where required/appropriate)
- setting internal reporting lines
- making sure directors/owners understand the risks
If your business is growing (or bringing on new owners), it’s also worth thinking about your decision-making rules and internal authority documents, such as a Directors Resolution process - because compliance decisions often need to be properly documented.
Step 5: Treat Compliance As Part Of Your Brand
It’s easy to see AML/CFT as annoying admin. But if you handle it well, it can actually build trust with:
- banks and payment providers
- strategic partners
- higher-value clients (who often expect robust compliance)
- investors and acquirers (who don’t want hidden regulatory risk)
Think of AML/CFT as part of building a business that can scale confidently.
Key Takeaways
- A business can be an AML/CFT reporting entity in New Zealand based on the services it provides (captured activities), not just its industry label.
- Common reporting entities include certain financial services providers, trust and company service providers, real estate agents, and some professional services when doing captured work.
- If you’re a reporting entity, you may need an AML/CFT risk assessment, an AML/CFT programme, customer due diligence (KYC) processes, ongoing monitoring, record keeping, staff training, regular independent audits, and (where applicable) prescribed transaction reporting.
- AML/CFT compliance often requires collecting sensitive customer information, so you should also comply with the Privacy Act 2020 and have strong data handling practices in place.
- Non-compliance can lead to audits, enforcement action, and serious business risk - so it’s worth confirming early whether you’re captured and setting up a workable compliance system from day one.
If you’d like help working out whether your business is a reporting entity (and what you need to do next), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.







