AI governance for NZ banks, insurers, and fund managers under FMA and RBNZ scrutiny.

We work with New Zealand financial institutions on AI governance under the Financial Markets Authority's conduct expectations, RBNZ operational resilience standards, the Privacy Act 2020, the Conduct of Financial Institutions Act 2022, and AML/CFT Act obligations.


Built for

Bank boards · Chief risk officers · Heads of compliance · Model risk leads · AML/CFT teams
Frameworks we map controls against: Privacy Act 2020 / CoFI Act 2022 / FMC Act fair dealing / AML/CFT Act / RBNZ resilience guidance / Te Tiriti o Waitangi / Companies Act 1993

What you walk away with.

Full engagement methodology

AI inventory and exposure map

Every model in lending, pricing, claims, monitoring, and onboarding catalogued and tied to a named accountable owner.

Mapped controls

Controls mapped against the 13 Privacy Principles, the CoFI fair conduct programme, RBNZ resilience guidance, and AML/CFT obligations.

Vendor concentration ledger

A documented view of foundation-model, cloud, and data dependencies across the bank, with contingency plans the RBNZ can read end to end.

Audit-ready evidence pack

A single evidence pack the FMA, RBNZ, the Office of the Privacy Commissioner, or an internal auditor can work through.

Four pressures stacking on the same board agenda.

New Zealand has no dedicated AI Act for financial services, but the obligations already in force cover lending, insurance, trading, and onboarding. The FMA and RBNZ have spent two years building their supervisory view of AI risk.

  1. In force

     CoFI fair conduct extends to algorithmic decisions.

     The Conduct of Financial Institutions Act 2022 requires fair conduct toward consumers and applies regardless of whether a person or a model made the decision. The Financial Markets Conduct Act fair-dealing provisions sit alongside it. Every AI-driven credit decision, automated insurance assessment, and chatbot interaction is in scope.

     Build a CoFI-aligned AI programme
  2. Active monitoring

     Vendor concentration as systemic risk.

     The RBNZ's "Rise of the Machines" analysis flagged vendor concentration as a financial-stability concern. When ANZ NZ, BNZ, Westpac NZ, ASB, and Kiwibank share a foundation model or cloud provider, a single failure cascades. Director duties under the Companies Act 1993 require this to be visible at the board, not buried in a procurement spreadsheet.

     Third-party AI risk programme
  3. In force

     Privacy Act 2020 governs automated decisioning.

     The 13 Information Privacy Principles cover training data, inference inputs, and outputs. IPP 12 imposes comparable-protection rules for offshore vendors processing NZ customer data. Customers have the right to know when an algorithm made the call and to query the basis. The Office of the Privacy Commissioner monitors AI adoption actively.

     Privacy Act compliance for AI
  4. Constitutional obligation

     Te Tiriti reaches credit and pricing models.

     AI used in lending, insurance pricing, and credit scoring affects Māori and Pacific customers. Te Tiriti o Waitangi creates obligations around equitable outcomes that international model templates ignore. Māori data sovereignty principles apply when data about Māori is processed by these systems, with kaitiakitanga as the operating norm.

     Māori data governance for finance

The PolyGovern tracks that apply to financial services.

Three practice tracks, each tied to documented artefacts. Engagements typically run six to twelve weeks with a defined evidence pack at close.

Track A

Governance and strategy

Board-level oversight, AI policy, and operating models tied to CoFI fair conduct programmes and director duties under the Companies Act 1993.

Track B

Assessment and assurance

Independent evaluation of credit, pricing, monitoring, and onboarding AI against the FMA's customer-outcomes lens, with bias and fairness testing across NZ populations.

Track C

Compliance and advisory

Privacy Act 2020 alignment, AML/CFT screening governance, Treaty-aligned data practices, and leadership education on FMA and RBNZ expectations as they sharpen.

The risks the FMA and RBNZ are already watching.

Four areas where the FMA's 2024 cross-sector research and the RBNZ's "Rise of the Machines" analysis converge. These are not hypotheticals.

01 / Errors

Model errors and harm

Loan declines, insurance miscalculations, advice missteps. Regulators want to see detection, response, and remediation evidence.

02 / Privacy

Data privacy exposure

Training data leakage, inadequate minimisation, opaque inference. The 13 Information Privacy Principles still apply at every step.

03 / Market

Market distortion

Correlated lending, synchronised pricing, herding strategies. The RBNZ monitors these systemic effects across NZ's financial sector.

04 / Vendor

Vendor concentration

A handful of providers serve most NZ banks and insurers, so a single outage at one of them affects the whole system. Board-level oversight is expected.

What boards and chief risk officers ask first.

The FMA has not mandated AI governance. Why invest now?

The FMA has stated it expects financial innovations to be introduced responsibly. It has researched AI across banking, insurance, asset management, and financial advice. The OECD AI Principles that underpin New Zealand's National AI Strategy set explicit transparency, accountability, and fairness expectations. Institutions that wait for prescriptive rules face compressed timelines and higher remediation costs.

Does the CoFI Act apply to AI specifically?

The Conduct of Financial Institutions Act 2022 is technology-neutral. If an algorithm produces unfair outcomes for customers, the institution is responsible under CoFI regardless of whether the decision was made by a person or a model. The FMA has confirmed this interpretation.

What does the RBNZ expect on AI?

The Reserve Bank expects regulated entities to manage AI risks under existing prudential obligations: operational resilience for AI-dependent systems, model risk management for AI models, and vendor risk management for AI providers. Directors face liability under the Companies Act 1993 for inadequate oversight.

How do AML/CFT obligations interact with AI governance?

When AI performs customer due diligence, transaction monitoring, or suspicious-activity screening, it must be explainable, auditable, and subject to regular review under the AML/CFT Act. False-positive and false-negative rates both carry regulatory consequences.

Do smaller institutions need a formal programme?

Yes. Even Kiwibank-scale institutions use AI for credit decisioning, fraud detection, and customer service. We scale the programme to your footprint. A regional insurer's governance does not need to match a major bank's, but it does need to cover the same regulatory surfaces.

AI governance for your financial services organisation.

Book a conversation about your AI footprint, the obligations that apply today under the FMA, RBNZ, Privacy Act 2020, and AML/CFT Act, and how to build governance that prepares your institution for what comes next.
