How the AML and CFT Regime Works in Practice
- Elaine Ramsay
- Nov 25, 2025
Risk-based approach, real-world expectations, and daily application

Once the purpose of New Zealand’s AML and CFT regime is understood, the next challenge is practical. How does this system actually operate in real reporting entities, with limited time, competing priorities, and imperfect information?
This is where AML often feels hardest. Not because the intent is unclear, but because translating that intent into daily practice requires judgement.
The risk-based approach
At the centre of New Zealand’s AML framework is the risk-based approach. This means reporting entities are not expected to treat every customer, transaction, or activity the same way. Instead, they are required to identify where the risk of money laundering or terrorism financing is higher, and to apply stronger controls in those areas.
This flexibility is deliberate. It recognises that a small local reporting entity does not face the same risks as a large financial institution, and that not all services carry equal exposure.
In practice, this starts with a risk assessment. This document sets out how a reporting entity understands its own risk profile, based on factors such as customer types, services offered, delivery channels, and geographic exposure. It is not meant to be theoretical. It is meant to reflect how the reporting entity actually operates.
A good risk assessment is not static. It evolves as services change, client bases shift, and external risks emerge.
From assessment to programme
The AML CFT programme flows directly from the risk assessment. If the assessment identifies higher risk in certain areas, the programme must show how those risks are mitigated.
This is where many reporting entities struggle. The programme is not a policy document designed to sit on a shelf. It is meant to guide daily behaviour. It should explain how customer due diligence is conducted, how ongoing monitoring occurs, how staff escalate concerns, and how reporting obligations are met.
Supervisors expect alignment. If a risk is identified in the assessment but not addressed in the programme, that gap matters.
Customer due diligence in the real world
Customer due diligence is often where AML becomes most visible. Identity verification, understanding ownership and control, and establishing the purpose of a relationship are all core requirements.
In practice, this is rarely straightforward. Information may be incomplete. Structures may be layered. Clients may not understand why questions are being asked.
The regime does not expect perfection. It expects reasonable steps, proportionate to risk, supported by evidence. What matters most is not that every answer is neat, but that judgement is applied thoughtfully and documented clearly.
This is where professional skill matters. AML is not a mechanical exercise. It relies on understanding context, asking the right questions, and recognising when something does not quite fit.
Ongoing monitoring and reporting
AML obligations do not end once a customer is onboarded. Ongoing monitoring is required to ensure that activity remains consistent with what is known about the customer.
This does not mean constant surveillance. It means awareness. Recognising when behaviour changes. Questioning anomalies. Escalating concerns when necessary.
Reporting obligations sit within this framework. Prescribed transaction reports and suspicious activity reports are not punitive tools. They are intelligence mechanisms. They allow patterns to be identified across the system, beyond what any single reporting entity can see.
Importantly, the obligation to report is triggered by suspicion, not certainty. Reporting entities are not expected to investigate crime. They are expected to share concerns when thresholds are met.
Judgement, not box ticking
One of the most challenging aspects of AML is that it resists simple checklists. Two situations may look similar on paper but require different responses in practice.
This is why documentation matters so much. When decisions are questioned, regulators are not asking whether every call was perfect. They are asking whether decisions were reasoned, risk-informed, and consistent with the reporting entity’s own framework.
Good AML practice is visible in the quality of thinking, not just the volume of forms completed.
Living with uncertainty
AML work involves uncertainty. Information is incomplete. Risks are probabilistic. Outcomes are rarely binary.
The regime accepts this reality. What it does not accept is disengagement. Doing nothing because something feels complex is not an option. Nor is treating AML as a purely administrative function detached from real business activity.
In practice, AML works best when it is integrated into how reporting entities already think about risk, ethics, and responsibility.
From purpose to practice
Understanding how the AML and CFT regime works in practice helps bridge the gap between values and action. It shows that AML is not an abstract concept imposed from outside, but a framework that relies on informed judgement exercised every day by people within reporting entities.
The final piece of the picture is authority. Why these obligations are enforceable, how supervision operates, and what happens when expectations are not met.
That is where we turn next.
To understand why these obligations carry legal weight, and how supervision and enforcement support the regime, read The Laws That Give the AML and CFT Regime Its Effect.




