Geekzone: technology news, blogs, forums


rhy7s

673 posts

Ultimate Geek
+1 received by user: 147


#319994 24-Jun-2025 12:06

Seeing more requests like the below that encourage insecure transmission of identity documents. For providers that don't use services like RealMe or Identity Check, are there options that give the client more control over their personal information in this process?

 

Ongoing Customer Due Diligence (OCDD) checks for existing customers. This process is essential ... to comply with the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act, we kindly request your cooperation in providing the following details for Ongoing Customer Due Diligence purposes:

 

Proof of Identity (Name and Date of Birth):

 

The records on the Companies Office Register indicate there has been a change in the particulars of directorship and shareholding, as such we require an up-to-date valid copy of an official government-issued identification document (e.g., passport, driver’s license) that includes the full name and date of birth


freitasm
BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41036

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3386614 24-Jun-2025 12:55

Can you go in person and have them take copies? 






 




snj
305 posts

Ultimate Geek
+1 received by user: 221


  #3386615 24-Jun-2025 13:02

The Real Me/DIA Identity Check services are probably the gold standard for this; second best are the third-party providers that hook into the Waka Kotahi (NZTA) & DIA APIs for checking addresses (car rego) and identity.

 

I think the problem is that section 16 of the AMLCFT Act probably puts the fear in some companies that it's best to keep a copy of documents (instead of just verifying that details match per s15), especially in case they've been duped by fakes - i.e. the documents are retained as proof they did their best effort.

 

If they insist on sending the copies over e-mail, I think these days it's appropriate to ask for an appropriate means of sending it encrypted so it's not lying in inboxes in the clear (S/MIME; AES-256 Zip (with password sent via a separate mechanism); etc).


BlakJak
1330 posts

Uber Geek
+1 received by user: 735

Trusted

  #3386693 24-Jun-2025 15:58

Privacy Act says information must be collected for a specified purpose and only retained for the purposes of this. Once they've established you are who you claim to be, I'd be questioning any need to retain that information - and that would include, in email accounts etc.

 

This may be useful, found with a Google Search: https://aml.dia.govt.nz/knowledge-hub/article/?id=033a9290-46c6-4047-bb7a-85dfdd457684

 

You can simply ask them to provide a detailed explanation of how they intend to store/process your personal information and make clear that you're not comfortable transmitting information in-the-clear or into systems that'll retain the information longer than necessary. 
There's some DIA guidance here that may be worth a read: https://www.digital.govt.nz/standards-and-guidance/identity/identification-management/guidance/using-documents-as-evidence





No signature to see here, move along...



Stu1
1892 posts

Uber Geek
+1 received by user: 489

ID Verified
Subscriber

  #3386809 24-Jun-2025 18:06

BlakJak:

 

Privacy Act says information must be collected for a specified purpose and only retained for the purposes of this. Once they've established you are who you claim to be, I'd be questioning any need to retain that information - and that would include, in email accounts etc.

 

This may be useful, found with a Google Search: https://aml.dia.govt.nz/knowledge-hub/article/?id=033a9290-46c6-4047-bb7a-85dfdd457684

 

You can simply ask them to provide a detailed explanation of how they intend to store/process your personal information and make clear that you're not comfortable transmitting information in-the-clear or into systems that'll retain the information longer than necessary. 
There's some DIA guidance here that may be worth a read: https://www.digital.govt.nz/standards-and-guidance/identity/identification-management/guidance/using-documents-as-evidence

 

 

AML/CFT regulations trump the privacy act. The FMA are more up to date than DIA which has 2018 standards not the 2021 standards.

 

 

 

https://www.fma.govt.nz/assets/Guidance/AMLCFT-Customer-Due-Diligence-Companies.pdf


Handle9
11924 posts

Uber Geek
+1 received by user: 9675

Trusted
Lifetime subscriber

  #3386812 24-Jun-2025 18:40

The problem with these checks is the companies administering them are a laughable clown show. I’m looking at you TSB Bank


mrdrifter
589 posts

Ultimate Geek
+1 received by user: 294

ID Verified
Trusted

  #3386846 24-Jun-2025 20:32

Stu1:

 

AML/CFT regulations trump the privacy act....

 

 

I don't believe that is a wholly accurate statement, as the privacy act is still binding on the organisation performing the AML verification steps and they should only be capturing the information for purposes of the verification. The act then states 

 

"..the reporting entity must keep those records that are reasonably necessary to enable the nature of the evidence used for the purposes of that identification and verification to be readily identified at any time.

(2) Without limiting subsection (1), those records may comprise—

(a) a copy of the evidence so used; or

(b) if it is not practicable to retain that evidence, any information as is reasonably necessary to enable that evidence to be obtained."

 

If the organisation chooses to retain the copy of evidence as per (a) - all of the privacy act requirements still kick in and it needs to be stored correctly, securely, correctable etc... as per the principles. The organisation can't just keep them in email or on their desk and if audited point to the AML/CFT regs and say, 'see we have to keep them'.

 

 

 


 
 
 

Stu1
1892 posts

Uber Geek
+1 received by user: 489

ID Verified
Subscriber

  #3386854 24-Jun-2025 21:03

mrdrifter:

 

Stu1:

 

AML/CFT regulations trump the privacy act....

 

 

I don't believe that is a wholly accurate statement, as the privacy act is still binding on the organisation performing the AML verification steps and they should only be capturing the information for purposes of the verification. The act then states 

 

"..the reporting entity must keep those records that are reasonably necessary to enable the nature of the evidence used for the purposes of that identification and verification to be readily identified at any time.

(2) Without limiting subsection (1), those records may comprise—

(a) a copy of the evidence so used; or

(b) if it is not practicable to retain that evidence, any information as is reasonably necessary to enable that evidence to be obtained."

 

If the organisation chooses to retain the copy of evidence as per (a) - all of the privacy act requirements still kick in and it needs to be stored correctly, securely, correctable etc... as per the principles. The organisation can't just keep them in email or on their desk and if audited point to the AML/CFT regs and say, 'see we have to keep them'.

 

 

The AML/CFT Act takes priority over the Privacy Act. This means businesses (reporting entities) can collect, use, and share personal information as required under AML/CFT rules, even if that would normally go against privacy laws. It also allows businesses to keep customer records for longer than they otherwise would. Regulators often ask for evidence of customer due diligence going back five years or more which can be well beyond the original retention period intended under the Privacy Act. We even have to black out sensitive information if the customer requests their customer file. It has gone way too far, but in saying that NZ now has sophisticated cartels so need to be tougher on financial and economic crime.


Stu1
1892 posts

Uber Geek
+1 received by user: 489

ID Verified
Subscriber

  #3386859 24-Jun-2025 21:18

rhy7s:

 

Seeing more requests like the below that encourage insecure transmission of identity documents. For providers that don't use services like RealMe or Identity Check, are there options that give the client more control over their personal information in this process?

 

Ongoing Customer Due Diligence (OCDD) checks for existing customers. This process is essential ... to comply with the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act, we kindly request your cooperation in providing the following details for Ongoing Customer Due Diligence purposes:

 

Proof of Identity (Name and Date of Birth):

 

The records on the Companies Office Register indicate there has been a change in the particulars of directorship and shareholding, as such we require an up-to-date valid copy of an official government-issued identification document (e.g., passport, driver’s license) that includes the full name and date of birth

 

 

What changed? A change in Director shouldn’t trigger OCDD unless there has been a change in beneficial ownership or control of 25% or more. I know some banks cannot always calculate the % of ownership of the company structure so to be safe they send out the OCDD request anyway.

 

 

 

 


snj
305 posts

Ultimate Geek
+1 received by user: 221


  #3386886 24-Jun-2025 23:22

Stu1:

 

The AML/CFT Act takes priority over the Privacy Act. This means businesses (reporting entities) can collect, use, and share personal information as required under AML/CFT rules, even if that would normally go against privacy laws. It also allows businesses to keep customer records for longer than they otherwise would. Regulators often ask for evidence of customer due diligence going back five years or more which can be well beyond the original retention period intended under the Privacy Act. We even have to black out sensitive information if the customer requests their customer file. It has gone way too far, but in saying that NZ now has sophisticated cartels so need to be tougher on financial and economic crime.

 

 

Yeah, this is the scenario I was thinking of when I made the comment about s16 of the AMLCFT Act. I actually stopped looking after that part, but s50 (Obligation to keep identity and verification records) is the relevant bit to support this argument.

 

Basically, they have to keep some records and while keeping notes of type of documents, expiry dates and at least partial ID numbers are likely enough (and records against when they were systematically checked which I presume is what the third-party services provide) probably is enough, I cannot blame a company for erring on the side of caution. It's just if they do, it's their responsibility to ensure that they're kept safe and secure (i.e. not in an open s3 bucket...).


Stu1
1892 posts

Uber Geek
+1 received by user: 489

ID Verified
Subscriber

  #3386915 25-Jun-2025 09:22

snj:

 

Stu1:

 

The AML/CFT Act takes priority over the Privacy Act. This means businesses (reporting entities) can collect, use, and share personal information as required under AML/CFT rules, even if that would normally go against privacy laws. It also allows businesses to keep customer records for longer than they otherwise would. Regulators often ask for evidence of customer due diligence going back five years or more which can be well beyond the original retention period intended under the Privacy Act. We even have to black out sensitive information if the customer requests their customer file. It has gone way too far, but in saying that NZ now has sophisticated cartels so need to be tougher on financial and economic crime.

 

 

Yeah, this is the scenario I was thinking of when I made the comment about s16 of the AMLCFT Act. I actually stopped looking after that part, but s50 (Obligation to keep identity and verification records) is the relevant bit to support this argument.

 

Basically, they have to keep some records and while keeping notes of type of documents, expiry dates and at least partial ID numbers are likely enough (and records against when they were systematically checked which I presume is what the third-party services provide) probably is enough, I cannot blame a company for erring on the side of caution. It's just if they do, it's their responsibility to ensure that they're kept safe and secure (i.e. not in an open s3 bucket...).

 

 

It's a massive remediation exercise for the banks; they have to uplift to the 2021 CDD standards. Some of the old signing authorities for accounts never had any ID captured and just had the words "personally known" written as the ID. Banks used to know their customers by their first names.


rhy7s

673 posts

Ultimate Geek
+1 received by user: 147


  #3386932 25-Jun-2025 10:13

Stu1:

 

rhy7s:

 

Seeing more requests like the below that encourage insecure transmission of identity documents. For providers that don't use services like RealMe or Identity Check, are there options that give the client more control over their personal information in this process?

 

Ongoing Customer Due Diligence (OCDD) checks for existing customers. This process is essential ... to comply with the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act, we kindly request your cooperation in providing the following details for Ongoing Customer Due Diligence purposes:

 

Proof of Identity (Name and Date of Birth):

 

The records on the Companies Office Register indicate there has been a change in the particulars of directorship and shareholding, as such we require an up-to-date valid copy of an official government-issued identification document (e.g., passport, driver’s license) that includes the full name and date of birth

 

 

What changed? A change in Director shouldn’t trigger OCDD unless there has been a change in beneficial ownership or control of 25% or more. I know some banks cannot always calculate the % of ownership of the company structure so to be safe they send out the OCDD request anyway.

 

 

 

 

 

 

The shareholding percentage changed a few years back, and is different to when we were onboarded (when they were operating as a different entity).


 
 
 
 

Stu1
1892 posts

Uber Geek
+1 received by user: 489

ID Verified
Subscriber

  #3386934 25-Jun-2025 10:29

rhy7s:

 

Stu1:

 

rhy7s:

 

Seeing more requests like the below that encourage insecure transmission of identity documents. For providers that don't use services like RealMe or Identity Check, are there options that give the client more control over their personal information in this process?

 

Ongoing Customer Due Diligence (OCDD) checks for existing customers. This process is essential ... to comply with the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act, we kindly request your cooperation in providing the following details for Ongoing Customer Due Diligence purposes:

 

Proof of Identity (Name and Date of Birth):

 

The records on the Companies Office Register indicate there has been a change in the particulars of directorship and shareholding, as such we require an up-to-date valid copy of an official government-issued identification document (e.g., passport, driver’s license) that includes the full name and date of birth

 

 

What changed? A change in Director shouldn’t trigger OCDD unless there has been a change in beneficial ownership or control of 25% or more. I know some banks cannot always calculate the % of ownership of the company structure so to be safe they send out the OCDD request anyway.

 

 

 

 

 

 

The shareholding percentage changed a few years back, and is different to when we were onboarded (when they were operating as a different entity).

 

 

More than likely the bank have picked it up now as part of uplifting their accounts to the new standard, or your account has come up for its normal periodic account review. In the future it should trigger at the point of the change if you inform them. Or if you don’t inform them, the bank will send you an account review to check your details: yearly if high risk, low or medium risk between 3 and 5 years depending on the policy. They have some cool formulas to calculate the client's risk rating.

