New Zealand's financial institutions face a significant regulatory update coming into effect on 1 June 2025. While the change may seem straightforward, its implementation requires careful consideration and a strategic approach to compliance.
What's Changing?
The new regulation states:
"A reporting entity must risk-rate a new customer when conducting customer due diligence. The reporting entity must keep a record of the customer's risk rating and review the customer's risk rating."
While many reporting entities already incorporate risk rating into their compliance processes, this regulation formalises the requirement across the board. All reporting entities are now required to document their risk rating methodology, implement consistent processes, and demonstrate compliance.
Practical Implementation Strategies
With no specific guidance yet available from supervisors, financial institutions need to develop their own approach. Supervisors are likely to be more understanding of imperfect but genuine attempts at compliance rather than complete inaction.
Starting Simple
When implementing customer risk rating systems, the most effective approach is to start with simplicity:
- Determine the key parameters for your risk rating algorithm
- Map out a manual approach before moving to automation
- Assess whether your initial parameters provide meaningful risk differentiation
- Add complexity incrementally as you learn from early implementation
Reviewing Risk Ratings
The regulation doesn't just require initial risk rating—it also requires reviews. Rather than attempting to reassess all customers simultaneously (an overwhelming undertaking), consider a trigger-based approach:
- When submitting a Suspicious Activity Report (SAR)
- When a customer relocates to a high-risk jurisdiction
- When detecting activity that heightens suspicion levels
- For high-risk customers, implementing periodic reviews (e.g., quarterly)
Your customer's risk profile isn't static. What begins with information collected during onboarding should evolve as you build a history of their behaviour and transactions. As your understanding of a customer deepens, so too should the sophistication of their risk assessment.
Enhancing Transaction Monitoring with Risk Ratings
While the regulation does not explicitly require the use of risk ratings in transaction monitoring, there is a clear opportunity to strengthen financial crime prevention by integrating these ratings into your monitoring approach.
Two Primary Approaches
Option 1: Risk-Based Rules
Incorporate risk ratings directly into your monitoring rules, creating different thresholds and parameters based on risk categories.
Option 2: Uniform Rules with Risk-Informed Reviews
Apply consistent rules across all customers, but consider their risk profile when reviewing generated alerts.
These approaches aren't mutually exclusive. Many institutions begin with uniform rules and gradually incorporate risk-based segmentation as they gather more data.
Practical Example: High-Value Deposits
Consider implementing a simple rule that flags high-value deposits. Initially, you might set a relatively low threshold for all customers to capture comprehensive data. After analysis, patterns may emerge:
- Should high-risk customers have lower thresholds than low-risk ones?
- Do patterns correlate with other factors, like customer age, rather than risk level?
- Should thresholds adjust for third-party or international deposits?
This iterative process of refinement might take months or even years. The key is continuous improvement rather than set-and-forget implementation.
Documentation: Your Compliance Safeguard
Whatever approach you take, thorough documentation is essential:
- Document your initial risk rating methodology
- Record the justification for any changes to algorithms or rules
- Maintain evidence of ongoing reviews and updates
- Ensure all processes align with your documented programme
When supervisors review your compliance efforts, they will expect to see not just what you are doing, but also why you made specific choices in your approach.
Preparing for June 2025: Key Takeaways
As the compliance deadline approaches, focus on these priorities:
- Update your AML/CFT programme to include customer risk rating procedures
- Implement processes for both initial rating and subsequent reviews
- Consider how to integrate risk ratings into your transaction monitoring
- Start simple and refine your approach as you learn
- Document everything—methodologies, changes, and justifications
With thoughtful implementation, this regulatory change offers more than just compliance - it presents an opportunity to strengthen your financial crime prevention framework and better protect your customers.
About Our Financial Crime Roundtables
This article features insights gathered from a recent Jade ThirdEye roundtable for Auckland-based financial crime specialists held at Hotel Debrett. The event featured special guests Martin Dilly, Certified Anti-Money Laundering Specialist and the first in Australasia to gain CAMS-Audit; Claire Rees, Financial Crime Regulatory Specialist at Jade ThirdEye with over 21 years of experience in Risk Management roles in financial services; and Colin Dixon, Jade ThirdEye's AML Solutions Specialist, who has been working on Jade ThirdEye for over 12 years.
As part of our commitment to fighting financial crime, Jade ThirdEye regularly hosts roundtables and events across Australia, New Zealand, and the UK. These gatherings bring financial crime professionals together to share knowledge, discuss emerging challenges, and collaborate on solutions in our collective effort against financial crime.
Explore insights from our other recent events:
