How do AML and banking regulations in New Zealand require identity verification and how will the Biometric Processing Privacy Code change AML onboarding practices?
Executive summary
New Zealand’s AML/CFT framework requires reporting entities to perform customer due diligence (CDD) and to verify customers’ identities using documentary, electronic and risk‑based methods enforced by supervisors including the Reserve Bank, FMA and Department of Internal Affairs (DIA) [1] [2]. The new Biometric Processing Privacy Code tightens privacy, proportionality, accuracy and disclosure rules for any use of biometric systems, meaning many biometric identity‑checks used for AML onboarding will need fresh justification, documentation, impact assessments and new consent and security controls [3] [4].
1. How AML law currently requires identity verification: the legal baseline
The AML/CFT Act and the AML/CFT Supervisory Framework require reporting entities across banking, legal, conveyancing, virtual asset services and other sectors to collect and verify identity information as part of CDD, appoint compliance officers and maintain identity procedures for onboarding and ongoing monitoring [1] [5]. Practical guidance from supervisors and explanatory notes make clear that electronic identity verification (EIV) — where identity is verified remotely — is acceptable but must meet two components and often needs corroboration, and that at the time of FMA guidance only a RealMe®-verified identity met the highest standard for some EIV requirements [6]. Supervisors have updated guidance over time (including during COVID or on expired passports) to reflect risk‑based approaches and acceptable documentary and electronic methods [2].
2. How biometrics are already used in AML onboarding today
Banks and reporting entities have increasingly adopted biometric tools — selfie‑to‑ID matching, live video and facial recognition — to prevent fraud, improve customer conversion and satisfy remote‑verification demands while complying with AML rules [7] [8]. Technology vendors and some firms emphasise that biometric matching for AML is used only to verify identity and not to infer sensitive attributes, and that existing privacy controls align with best practice [8] [9]. The DIA and supervisors still require organisations to satisfy identity verification standards and handle remote checks within the legal framework for CDD [5] [6].
3. What the Biometric Processing Privacy Code changes — key obligations
The Biometric Processing Privacy Code 2025 imposes specific, stricter rules for biometric processing that modify Information Privacy Principles for biometrics, mandating proportionality tests, privacy impact assessments, accuracy and data‑quality controls, encryption and audit logging, limitations on inference (no gender/ethnicity profiling) and extra disclosure and retention rules [3] [4] [10]. It requires organisations to assess alternatives to biometrics, consider cultural impacts (notably for Māori), update privacy policies and vendor contracts, and document necessity and proportionality for each biometric use [4] [11].
4. How AML onboarding practices will need to change in practice
Reporting entities that rely on selfie‑to‑document matching or automated biometric EIV will need to demonstrate that biometric processing is necessary and proportionate to the AML risk mitigated, run privacy impact assessments (PIAs), offer alternatives where appropriate, tighten consent and disclosure language, adapt retention and deletion policies, and harden technical safeguards and vendor oversight — steps supervisors and legal advisers now recommend [11] [4] [8]. Firms that previously treated biometric checks as a straightforward compliance convenience will face additional administrative and legal workflows before onboarding can proceed, and must align those workflows with AML supervisors’ expectations about evidence, linking transactions to identities and ongoing monitoring [6] [5].
5. Tensions, trade‑offs and stakeholder perspectives
Privacy advocates and the Privacy Commissioner emphasise protecting sensitive biometric data and preventing discriminatory outcomes, pressing for proportionality and cultural impact assessment especially for Māori [4] [12]. Industry groups and identity‑technology vendors stress that biometrics materially reduce fraud and onboarding friction and say many providers already meet the Code’s controls, framing changes as implementation work rather than prohibition [8] [9]. Regulators sit between these poles: AML supervisors still demand robust identity verification to counter money‑laundering risks, while the Privacy Commissioner requires tighter safeguards for the methods used [1] [3].
6. What reporting entities must do next and where reporting is thin
Immediate practical steps signalled across legal and advisory sources include mapping biometric uses, conducting PIAs, updating consent and EIV wording, reviewing vendor contracts, and strengthening security and retention protocols — all while ensuring identity processes continue to meet AML/CFT evidence standards [11] [4] [6]. The available reporting documents these obligations and suggested compliance steps, but the public sources here do not fully enumerate supervisory enforcement thresholds or how supervisors will reconcile competing AML and biometric privacy obligations in contested cases; those specifics remain matters for regulators and future guidance [2] [3].