Industry · 27 January 2025 · DEIS Compliance

Accounting firms: privacy compliance in client due diligence

AML/CFT due diligence requirements mean accounting firms access third-party data regularly. Here is how to handle the privacy obligations.

Tags: accounting, AML, due diligence, CDD

Accounting firms and financial advisors in New Zealand are reporting entities under the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act 2009. This means they must conduct customer due diligence (CDD) — which often involves accessing third-party data sources.

The intersection of AML and privacy

AML/CFT due diligence typically involves:

  • Identity verification through third-party databases
  • Companies Office searches for beneficial ownership
  • Credit checks in some cases
  • PEP (Politically Exposed Person) screening through international databases

Each of these involves collecting personal information from a source other than the individual concerned, which triggers the IPP3A notification requirement.

The AML exception

The Privacy Act 2020 includes exceptions for legal obligations. Where AML/CFT legislation requires you to collect information from a third party, the IPP3A notification requirement may not apply. However, this exception should be used carefully:

  • It only applies to information that the AML/CFT Act actually requires you to collect.
  • Voluntary or "nice to have" checks that go beyond the legislative requirement are not covered.
  • You should document your reliance on the exception for each lookup.

Using DEIS for CDD

DEIS allows accounting firms to select the "legal obligation" exception pathway for AML-required lookups, with a recorded reference to the relevant AML/CFT provision. For voluntary lookups, the standard consent or notification pathways apply. This ensures your compliance evidence clearly distinguishes between mandatory and voluntary data collection.
