AI model governance for FMA and RBNZ scrutiny.
New Zealand has no prescribed model governance standard. The FMA and RBNZ expect sound model risk management, but the frameworks are yours to define. We build model governance programmes aligned to the Privacy Act 2020, CoFI Act, and Treaty of Waitangi obligations.
What you walk away with.
FMA-aligned model risk framework
A complete model risk management policy and procedures suite structured to demonstrate sound governance to the FMA and RBNZ while satisfying OECD AI Principles requirements.
Treaty-aware bias detection
Structured bias testing across Māori, Pacific, Asian, and other population groups, informed by both statistical rigour and Treaty of Waitangi outcome equity principles.
Privacy Act model compliance
Assessment of model data flows against the Privacy Act 2020 and its 13 information privacy principles, ensuring model inputs, processing, and outputs meet statutory requirements.
Independent validation reports
Per-model validation documenting conceptual soundness, data quality, performance benchmarking, and fairness testing. Structured for board reporting, regulatory examination, and Algorithm Charter alignment.
The absence of rules is not the absence of risk.
Aotearoa New Zealand does not have a mandated model risk management standard equivalent to the US SR 11-7 or the EU AI Act model provisions. Every organisation is writing its own rules, and the FMA is building its supervisory understanding of who gets it wrong first.
- 01 No standard
No prescribed standards, growing expectations.
The FMA expects financial services organisations to manage model risk proportionately, but it has not published a model governance framework. Neither has the RBNZ. New Zealand's major banks (ANZ NZ, BNZ, Westpac NZ, ASB, and Kiwibank) all deploy AI models across credit, pricing, and risk functions, each with different governance maturity. Without a common standard, boards cannot benchmark their exposure under the Companies Act 1993.
- 02 Disparate impact
Population bias exposure.
Credit scoring, insurance pricing, and lending models trained on historical data carry embedded biases against Māori and Pacific populations. Under the Conduct of Financial Institutions Act, fair conduct obligations extend to algorithmic decisions. Under Te Tiriti o Waitangi, outcome equity is not optional. Most New Zealand organisations have not tested their AI models for disparate impact across these populations.
- 03 Four statutes
Converging legal obligations.
Model inputs and outputs must comply with the Privacy Act 2020 and its 13 information privacy principles. Model-driven decisions must not mislead under the Fair Trading Act 1986. The Conduct of Financial Institutions Act requires fair conduct in all customer dealings, including automated ones. Treaty of Waitangi obligations add a layer of cultural responsibility for models affecting Māori. Four separate legal frameworks, one model, zero coordinated compliance in most organisations.
Aligning model governance with NZ's regulatory direction.
New Zealand's National AI Strategy, released in July 2025, adopted the OECD AI Principles as its foundation. Our model governance frameworks satisfy these principles while addressing the specific obligations that New Zealand law already imposes.
OECD AI Principles in practice
The OECD AI Principles call for transparency, explainability, robustness, and accountability in AI systems. New Zealand's adoption of these principles means organisations should expect future regulatory expectations to be built upon them.
- Transparency requirements mapped to model documentation standards
- Accountability frameworks aligned with Companies Act 1993 directors' duties
- Robustness testing integrated with ongoing model monitoring
Māori data sovereignty in model development
AI models that process data about Māori engage Treaty of Waitangi obligations that have no equivalent in other jurisdictions. We integrate Māori data governance principles into model development and validation, drawing on Te Mana Raraunga frameworks.
- Training data audits for cultural sensitivity and representation
- Kaitiakitanga principles applied to data stewardship in AI models
- Iwi engagement protocols for models affecting Māori communities
How we build model governance for the NZ market.
A four-phase approach designed for a regulatory environment where the framework is yours to define, but the consequences of getting it wrong are not.
01
Model landscape audit
We identify every model in your organisation, including credit decisioning, premium setting, fraud detection, algorithmic trading, customer segmentation, and anti-money laundering screening. We classify each by risk tier under a framework aligned with FMA expectations, map data lineage against Privacy Act 2020 requirements, and assess documentation completeness. Most NZ businesses discover 30 to 50% more models than they thought they had.
02
Framework design
We construct your model risk management framework from first principles, drawing on international standards adapted for New Zealand's light-touch regulatory context. The framework addresses FMA conduct expectations, RBNZ prudential requirements, Privacy Act 2020 data handling obligations, CoFI fair conduct requirements, and Treaty of Waitangi considerations in a single coherent governance structure.
03
Validation and bias testing
Independent validation of high-risk and material models, with specific bias detection across New Zealand demographic groups. We test for disparate impact on Māori, Pacific, and other populations using both statistical parity measures and outcome-based fairness metrics grounded in Te Tiriti o Waitangi principles. Validation reports are structured for board consumption, regulatory inquiry, and ISO 42001 compliance readiness.
04
Monitoring and escalation
We design ongoing monitoring infrastructure that tracks model performance, data drift, and fairness metrics in production across all populations. Escalation protocols route material findings to appropriate governance forums. Revalidation triggers are defined so models are reassessed before failures compound, supporting both operational resilience and the continuous improvement approach the OECD AI Principles demand.
What you receive.
Concrete deliverables, not advisory slide decks. Every engagement produces artefacts your governance team can implement, your board can review, and your regulators can examine.
FMA-aligned model risk framework
A complete model risk management policy and procedures suite designed for the NZ regulatory environment. Includes a model risk appetite statement aligned with board risk tolerance, a three-tier risk classification scheme, development-to-retirement lifecycle procedures, and governance committee terms of reference.
Bias detection for NZ populations
Structured bias testing tailored to Aotearoa's demographic context. Disparate impact analysis by ethnicity, training data representativeness assessment, proxy variable identification and mitigation strategies, and Te Tiriti outcome equity reporting for governance.
Privacy Act model compliance
Assessment of model data flows against the Privacy Act 2020. Data collection purpose alignment (IPP 1-4), storage and security assessment (IPP 5), access and correction rights mapping (IPP 6-7), and cross-border data transfer review (IPP 12).
Independent model validation reports
Per-model validation documenting conceptual soundness, data quality, performance benchmarking, and fairness testing. Methodology and assumption review, out-of-sample and out-of-time testing, sensitivity and stress testing results, and findings with remediation plan. Structured for board reporting, regulatory examination, and Algorithm Charter alignment.
Production monitoring design
Monitoring specifications for models in production: population stability index tracking, characteristic stability monitoring, fairness metric dashboards by ethnicity, and escalation triggers and revalidation rules.
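The population stability index (PSI) tracking and escalation rules named above can be expressed in a few lines. The following is an added example written for this page, not the firm's own monitoring tooling: the bin counts are constructed sample data, and the 0.10 / 0.25 escalation bands are an assumed industry convention, not a threshold any NZ regulator prescribes. The same formula applied to an input characteristic rather than the score is characteristic stability monitoring (CSI).

```python
"""Constructed example: PSI / CSI drift monitoring with escalation bands.
Pure Python, no dependencies."""
from bisect import bisect_right
from math import log

# Assumed escalation bands (a common convention, not a regulatory requirement).
STABLE_MAX, MONITOR_MAX = 0.10, 0.25


def bin_counts(values, edges):
    """Count raw values into len(edges) + 1 bins defined by interior cut points.

    A value equal to an edge falls into the bin to its right.
    """
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect_right(edges, v)] += 1
    return counts


def psi(baseline_counts, current_counts, eps=1e-4):
    """Population stability index between two binned distributions.

    PSI = sum over bins of (current% - baseline%) * ln(current% / baseline%).
    eps floors each proportion so an empty bin (log(0), division by zero)
    produces a large finite value rather than an exception.
    """
    if len(baseline_counts) != len(current_counts):
        raise ValueError("baseline and current must use the same bin layout")
    nb, nc = sum(baseline_counts), sum(current_counts)
    total = 0.0
    for b, c in zip(baseline_counts, current_counts):
        pb = max(b / nb, eps)
        pc = max(c / nc, eps)
        total += (pc - pb) * log(pc / pb)
    return total


def escalation(psi_value):
    """Map a PSI value to the monitoring action it triggers."""
    if psi_value < STABLE_MAX:
        return "stable"
    if psi_value < MONITOR_MAX:
        return "monitor"
    return "revalidate"


def monitoring_report(baseline_bins, current_bins):
    """baseline_bins / current_bins: {variable name: counts per bin}.

    Returns {name: {"psi": value, "action": escalation}} for the dashboard.
    """
    report = {}
    for name, baseline in baseline_bins.items():
        value = psi(baseline, current_bins[name])
        report[name] = {"psi": round(value, 4), "action": escalation(value)}
    return report


# Constructed sample data (not real portfolio figures).
# Score: 5 bins (0-0.2, ..., 0.8-1.0), 1000 applications per period.
SCORE_BASELINE = [200, 300, 300, 150, 50]
SCORE_CURRENT = [100, 200, 350, 250, 100]
# Applicant age: raw values binned on the fly, unchanged between periods.
AGE_EDGES = [30, 40, 50, 60]
AGE_BASELINE = [25, 35, 45, 55, 65, 30, 40, 50]
AGE_CURRENT = list(AGE_BASELINE)


def run_sample():
    """Build the monitoring report for the constructed sample."""
    baseline = {"score": SCORE_BASELINE,
                "age": bin_counts(AGE_BASELINE, AGE_EDGES)}
    current = {"score": SCORE_CURRENT,
               "age": bin_counts(AGE_CURRENT, AGE_EDGES)}
    return monitoring_report(baseline, current)


if __name__ == "__main__":
    for name, row in run_sample().items():
        print(f"{name:6s} PSI={row['psi']:.4f} -> {row['action']}")
```

In the sample the score distribution has shifted towards higher bands (PSI about 0.20, so "monitor"), while age is unchanged (PSI 0, "stable"). A revalidation trigger would be wired to the "revalidate" action, and the report rows would be produced per population group so the fairness dashboard and the drift dashboard share one computation.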
NZ financial services model coverage
Deep domain expertise across model types used by NZ banks, insurers, fund managers, and non-bank deposit takers. Credit decisioning and scoring models, insurance premium-setting algorithms, algorithmic trading and execution models, and AML/CFT detection and monitoring models. Built for the NZ financial services landscape.
Built for a market without a rulebook.
We assess model risk by examining code, data pipelines, and statistical methodology, not by reviewing documentation at arm's length.
NZ regulatory fluency
We understand how the FMA, RBNZ, and Office of the Privacy Commissioner operate in practice, including their supervisory styles, enforcement patterns, and where model risk sits on their priority lists. Frameworks are designed for the New Zealand regulatory environment specifically.
Treaty-informed bias analysis
Model fairness in Aotearoa requires analysis that goes beyond generic protected-class testing. We assess training data representativeness for Māori and Pacific populations, identify proxy variables that encode historical disadvantage, and measure outcome equity in ways that are meaningful under Te Tiriti o Waitangi obligations.
Cross-statute integration
AI models in NZ financial services sit at the intersection of the Privacy Act 2020, the Fair Trading Act 1986, the Conduct of Financial Institutions Act, and FMA and RBNZ prudential expectations. We build governance frameworks that address all four obligations in a single structure.
Technical depth
Our validators have hands-on experience building credit models, pricing algorithms, and trading systems. This technical depth means we address root causes rather than symptoms.
Model governance in the New Zealand context.
Is model governance legally required in New Zealand?
There is no single statute that mandates a model governance framework. However, the obligation arises from multiple sources. The FMA expects licensed financial services providers to manage operational risks. The RBNZ expects registered banks to demonstrate sound risk management practices. The Privacy Act 2020 requires that personal information used in automated decisions is handled lawfully under the 13 information privacy principles. The Conduct of Financial Institutions Act requires fair conduct, which extends to algorithmic decision-making. Directors face personal liability under sections 131-138 of the Companies Act 1993.
How do you test for bias against Māori and Pacific populations?
We apply multiple fairness metrics: demographic parity, equalised odds, and predictive parity across population groups. Beyond statistical tests, we examine training data for historical representation gaps, identify proxy variables (such as geographic postcode or employment type) that may encode ethnicity, and assess whether model outputs produce materially different outcomes for Māori and Pacific applicants compared to the general population. This approach honours both the OECD AI Principles of fairness and Māori data sovereignty principles.
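The three fairness metrics named in this answer, plus a proxy-variable check of the kind described (postcode against group), are worked through below on constructed applicant records. This is an added example written for this page, not the firm's own validation code: the group labels, postcodes, confusion counts and the 0.8 / 0.1 / 0.5 flagging thresholds are all assumed sample values chosen so the arithmetic is easy to follow.

```python
"""Constructed example: group fairness metrics and a proxy-variable check
for a credit-decision model. Pure Python, no dependencies."""
from collections import Counter, defaultdict
from math import sqrt

# Constructed sample spec (not real data). For each group: a "home" postcode
# and confusion counts (TP, FN, FP, TN), where positive = approved and
# actual = repaid. Postcodes are deliberately aligned with group so that
# postcode behaves as a proxy variable.
SPEC = {
    "general": ("1010", (6, 1, 1, 2)),
    "maori":   ("2020", (3, 3, 1, 3)),
    "pacific": ("3030", (4, 2, 2, 2)),
}


def build_sample(spec=SPEC):
    """Expand the spec into one dict per applicant."""
    postcodes = [home for home, _ in spec.values()]
    records = []
    for group, (home, (tp, fn, fp, tn)) in spec.items():
        outcomes = [(1, 1)] * tp + [(1, 0)] * fn + [(0, 1)] * fp + [(0, 0)] * tn
        others = [pc for pc in postcodes if pc != home]
        for i, (actual, approved) in enumerate(outcomes):
            # First 8 applicants in each group live in its home postcode.
            postcode = home if i < 8 else others[(i - 8) % len(others)]
            records.append({"group": group, "postcode": postcode,
                            "actual": actual, "approved": approved})
    return records


def group_rates(records):
    """Per-group selection rate, TPR, FPR and PPV."""
    cells = defaultdict(Counter)
    for r in records:
        cells[r["group"]][(r["actual"], r["approved"])] += 1
    rates = {}
    for g, cnt in cells.items():
        tp, fn, fp, tn = cnt[(1, 1)], cnt[(1, 0)], cnt[(0, 1)], cnt[(0, 0)]
        rates[g] = {
            "selection_rate": (tp + fp) / (tp + fn + fp + tn),  # demographic parity
            "tpr": tp / (tp + fn),                               # equalised odds
            "fpr": fp / (fp + tn),                               # equalised odds
            "ppv": tp / (tp + fp),                               # predictive parity
        }
    return rates


def fairness_gaps(rates):
    """Largest between-group gap per metric, plus the min/max selection ratio."""
    gaps = {}
    for metric in ("selection_rate", "tpr", "fpr", "ppv"):
        values = [r[metric] for r in rates.values()]
        gaps[metric] = max(values) - min(values)
    sel = [r["selection_rate"] for r in rates.values()]
    gaps["selection_ratio"] = min(sel) / max(sel)  # four-fifths rule: flag if < 0.8
    return gaps


def cramers_v(records, feature, target="group"):
    """Cramer's V between a candidate proxy (e.g. postcode) and group membership."""
    table = Counter((r[feature], r[target]) for r in records)
    rows = Counter(r[feature] for r in records)
    cols = Counter(r[target] for r in records)
    n = len(records)
    chi2 = 0.0
    for f, fcount in rows.items():
        for t, tcount in cols.items():
            expected = fcount * tcount / n
            chi2 += (table[(f, t)] - expected) ** 2 / expected
    return sqrt(chi2 / (n * (min(len(rows), len(cols)) - 1)))


def assess(records, ratio_floor=0.8, gap_ceiling=0.1, proxy_ceiling=0.5):
    """Findings a validation report would escalate (thresholds are assumed)."""
    gaps = fairness_gaps(group_rates(records))
    findings = []
    if gaps["selection_ratio"] < ratio_floor:
        findings.append(f"selection ratio {gaps['selection_ratio']:.2f} below four-fifths")
    for m in ("tpr", "fpr", "ppv"):
        if gaps[m] > gap_ceiling:
            findings.append(f"{m} gap {gaps[m]:.2f} exceeds {gap_ceiling}")
    v = cramers_v(records, "postcode")
    if v > proxy_ceiling:
        findings.append(f"postcode acts as a proxy for group (Cramer's V {v:.2f})")
    return findings


if __name__ == "__main__":
    recs = build_sample()
    for g, r in group_rates(recs).items():
        print(g, {k: round(v, 3) for k, v in r.items()})
    print(fairness_gaps(group_rates(recs)))
    print("\n".join(assess(recs)))
```

On the constructed sample, the general group is approved 70% of the time against 40% for the Māori group (ratio 0.57, below four-fifths), the true-positive-rate gap is about 0.36, and postcode carries most of the group signal (Cramer's V 0.7), so every check raises a finding. A real validation would run the same metrics on out-of-sample and out-of-time data and report the findings alongside the remediation plan.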
What does the Privacy Act 2020 require for models that process personal information?
Models that use personal information as inputs must comply with all 13 information privacy principles. Information must be collected for a lawful purpose and that purpose must cover model use (IPP 1-4). Individuals have the right to know their information is being used in a model and to request correction (IPP 6-7). Information must not be kept longer than necessary (IPP 9). Disclosure to third parties, including offshore model vendors or cloud providers, must comply with IPP 11-12 requirements for cross-border data transfer.
How does the CoFI Act affect our AI models?
The Financial Markets (Conduct of Institutions) Amendment Act 2022 requires financial institutions to treat consumers fairly. Fair conduct obligations apply to all aspects of the consumer relationship, including decisions made by automated systems. If a credit model systematically produces worse outcomes for a demographic group, or an insurance pricing model uses factors that operate as proxies for protected characteristics, this may constitute a breach of fair conduct obligations.
Our parent bank has an offshore model governance framework. Can we adopt it?
Many NZ banks operate frameworks inherited from Australian or global parents. These frameworks address regulatory requirements that do not exist in New Zealand and miss the ones that do. A parent framework designed around offshore prudential standards will not address Privacy Act 2020 obligations, CoFI fair conduct requirements, Treaty of Waitangi considerations for Māori data governance, or bias risks specific to NZ populations. We recommend a gap analysis of your parent framework against NZ-specific requirements, followed by targeted adaptation.
How does ISO 42001 relate to model governance in New Zealand?
ISO/IEC 42001:2023 is the international standard for AI management systems. It is available through Standards New Zealand and supported by Callaghan Innovation. While adoption is voluntary, ISO 42001 certification provides a structured approach to model governance that aligns with New Zealand's OECD AI Principles-based strategy. Our frameworks are designed to be ISO 42001 compatible.
Start your AI model governance programme.
Organisations that build disciplined model governance now will define industry practice in New Zealand. Those that wait will be measured against standards they had no hand in shaping. Our specialists are ready to help your team build governance that holds up under scrutiny.