New Identity Verification Code of Practice and Enhanced CDD Guidance Released

Written By giulia dondoli

‍The Department of Internal Affairs (DIA) has released the updated Identity Verification Code of Practice (IVCOP) and revised guidance on enhanced customer due diligence (CDD).

While many aspects remain consistent with the previous version, several important changes and clarifications have been introduced.

Binding Assurance‍ ‍

Reporting entities must ensure that the person being verified is the person they claim to be. Acceptable methods of obtaining binding assurance include:

  • ‍Meeting the customer in person.

  • Using biometric technology.

  • Requiring the first credit into the customer's account or facility to come from an account held in the customer's name with a New Zealand-registered bank.

  • Digital Identity Services Trust Framework (DISTF) credentials can be used to satisfy both identity verification and binding assurance requirements. Strong Plus Binding Assurance is required for online verification, and Standard Plus Binding Assurance is required for in-person verification.

  • Obtaining certified copies where the trusted referee includes a statement confirming that the document relates to the identity of the named individual.

Where documents are certified overseas, and the certification does not contain a statement linking the document to the customer's claimed identity, reporting entities must have appropriate risk-based policies, procedures and controls to obtain binding assurance through alternative means.

‍Importantly, a video call alone is not sufficient to establish binding assurance under standard CDD. ‍

Certified Copies (Effective 1 July 2027)

Certified copies may be received in person, by post, or electronically. ‍

Where there are concerns about the authenticity of certified documents, reporting entities may wish to apply additional mitigation measures, such as:

  • Checking registers to confirm the certifier is an authorised trusted referee.

  • Contacting the trusted referee to confirm the certification.

  • Requiring original ‘wet-ink’ certified copies where there are concerns about potential tampering.

Reduced Verification for Legal Persons and Arrangements

A new reduced verification option has been introduced for certain legal persons and arrangements, including companies, trusts and limited partnerships. ‍

Where a client is a low- or medium-risk company, or another low-risk legal person/arrangement (such as a trust or limited partnership), and has two or more beneficial owners, reporting entities may choose to:

  • accept unverified copies of identity documents; and/or

  • use video conferencing to link an individual to their claimed identity.

Reporting entities wishing to use reduced verification must develop and maintain appropriate policies, procedures and controls.

Digital Identity Services Trust Framework

‍The updated IVCOP recognises the use of accredited DISTF services.‍ ‍

Verification of a customer's name and date of birth may be conducted either in person or online through an accredited DISTF provider. For a customer to be verified online, the DISTF service must provide:

  • Strong Plus Information Assurance, and

  • Strong Plus Binding Assurance.

For in-person verification, the threshold is lower. The DISTF service may provide:

  • Standard Plus Information Assurance, and

  • Standard Plus Binding Assurance,

‍provided it is also supported by a primary non-photographic identification document. ‍

Enhanced CDD on Trusts

‍Reporting entities must continue to obtain source of wealth and source of funds information for trusts when conducting enhanced CDD.‍ ‍

However, the updated guidance clarifies that verification of this information is not required where the reporting entity determines that standard CDD is sufficient. Examples include:

  • ‍The trust has been assessed as low risk.

  • The trust is a simple family trust whose only asset is a non-income-generating family home.

  • The trust has not yet acquired any assets.

Politically Exposed Person Screening

The DIA has clarified that politically exposed person (PEP) screening should be conducted using a risk-based approach.‍ ‍

For small reporting entities servicing a regional community, PEP checks can be 'minimal'. Entities with a higher likelihood of dealing with PEPs should implement more robust controls. For examples:‍ ‍

  • Conducting internet and media searches, particularly where customers or beneficial owners are connected to countries with elevated levels of corruption, bribery or organised crime.

  • Using third-party screening providers and commercial databases to identify PEPs.

What’s Next? ‍

Get in touch if you have any questions on how the new guidance may impact your business.

Contact
giulia dondoli
Next

AML/CFT Amendment Bills 2026