What is the main takeaway from "Accounting firms: privacy compliance in client due diligence"?
AML/CFT due diligence requirements mean accounting firms access third-party data regularly. Here is how to handle the privacy obligations.
Which NZ industries need IPP3A compliance for lookups?
Any sector running credit checks, vehicle history searches, company director lookups, or tenant screening on individuals — including finance, automotive, real estate, recruitment, and insurance — must satisfy IPP3A when collecting from third parties.
Is DEIS a legal adviser?
No. DEIS is a compliance platform that records lookup pathways and evidence. Organisations should confirm legal positions with their counsel or the Office of the Privacy Commissioner where needed.
Accounting firms and financial advisors in New Zealand are reporting entities under the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act 2009. As reporting entities they must conduct customer due diligence (CDD), which often involves collecting personal information from third-party data sources rather than from the client directly.
The intersection of AML and privacy
AML/CFT due diligence typically involves:
Identity verification through third-party databases
Companies Office searches for beneficial ownership
Credit checks in some cases
PEP (Politically Exposed Person) screening through international databases
Each of these involves collecting personal information about an individual from a source other than the individual, which is exactly the kind of indirect collection that IPP3A regulates.
The AML exception
The Privacy Act 2020 includes exceptions where collection is authorised or required by law. Where the AML/CFT Act requires you to collect information from a third party, the IPP3A notification requirement may not apply. However, rely on this exception carefully:
It only applies to information that the AML/CFT Act actually requires you to collect.
Voluntary or "nice to have" checks that go beyond the legislative requirement are not covered.
You should document your reliance on the exception for each lookup.
Using DEIS for CDD
DEIS allows accounting firms to select the "legal obligation" exception pathway for AML-required lookups, with a recorded reference to the relevant AML/CFT provision. For voluntary lookups, the standard consent or notification pathways apply. This ensures your compliance evidence clearly distinguishes between mandatory and voluntary data collection.