Algorithmic Accountability

AI Model Governance for New Zealand Organisations

New Zealand has no prescribed model governance standard. The Financial Markets Authority and Reserve Bank of New Zealand expect sound model risk management, but the frameworks are yours to define. That regulatory gap is not freedom. It is exposure that grows with every artificial intelligence model your organisation deploys.

We build model governance programmes for New Zealand banks, insurers, and financial services businesses that satisfy regulatory expectations before those expectations become enforcement actions. We bring deep expertise in the Privacy Act 2020, the Conduct of Financial Institutions Act, and Treaty of Waitangi obligations to every engagement.

The Absence of Rules Is Not the Absence of Risk

Aotearoa New Zealand does not have a mandated model risk management standard equivalent to the US SR 11-7 or the EU AI Act model provisions. That means every organisation is writing its own rules, and the FMA is building its supervisory understanding of who gets it wrong first.

No Prescribed Standards, Growing Expectations

The FMA expects financial services organisations to manage model risk proportionately, but it has not published a model governance framework. Neither has the RBNZ. New Zealand's major banks (ANZ NZ, BNZ, Westpac NZ, ASB, and Kiwibank) all deploy AI models across credit, pricing, and risk functions, each with different governance maturity. Without a common standard, boards cannot benchmark their exposure or demonstrate adequate oversight under the Companies Act 1993.

Population Bias Exposure

Credit scoring, insurance pricing, and lending models trained on historical data carry embedded biases against Māori and Pacific populations. Under the Conduct of Financial Institutions Act, fair conduct obligations extend to algorithmic decisions. Under Te Tiriti o Waitangi, outcome equity is not optional. It is a constitutional expectation. Most New Zealand organisations have not tested their AI models for disparate impact across these populations, creating both compliance risk and harm to communities.

Converging Legal Obligations

Model inputs and outputs must comply with the Privacy Act 2020 and its 13 Information Privacy Principles. Model-driven decisions must not mislead under the Fair Trading Act 1986. The Conduct of Financial Institutions Act requires fair conduct in all customer dealings, including automated ones. Treaty of Waitangi obligations add a layer of cultural responsibility for models affecting Māori. Four separate legal frameworks, one model, zero coordinated compliance in most organisations.

Aligning Model Governance with New Zealand's Regulatory Direction

New Zealand's National AI Strategy, released in July 2025, adopted the OECD AI Principles as its foundation. Our model governance frameworks are built to satisfy these principles while addressing the specific obligations that New Zealand law already imposes.

OECD AI Principles in Practice

The OECD AI Principles call for transparency, explainability, robustness, and accountability in AI systems. New Zealand's adoption of these principles means organisations should expect future regulatory expectations to be built upon them. We embed these principles from the outset, ensuring your organisation is prepared as the regulatory landscape evolves.

  • Transparency requirements mapped to model documentation standards
  • Accountability frameworks aligned with Companies Act 1993 directors' duties
  • Robustness testing integrated with ongoing model monitoring

Māori Data Sovereignty in Model Development

Artificial intelligence models that process data about Māori engage Treaty of Waitangi obligations that have no equivalent in other jurisdictions. We integrate Māori data governance principles into model development and validation, drawing on Te Mana Raraunga frameworks to ensure cultural appropriateness and data sovereignty are respected throughout the model lifecycle.

  • Training data audits for cultural sensitivity and representation
  • Kaitiakitanga principles applied to data stewardship in AI models
  • Iwi engagement protocols for models affecting Māori communities

How We Build Model Governance for the NZ Market

A four-phase approach designed for a regulatory environment where the framework is yours to define, but the consequences of getting it wrong are not. We deliver practical governance that stands up to regulatory scrutiny.

01. Model Landscape Audit

We identify every model in your organisation, including credit decisioning, premium setting, fraud detection, algorithmic trading, customer segmentation, and anti-money laundering screening. We classify each by risk tier under a framework aligned with FMA expectations, map data lineage against Privacy Act 2020 requirements, and assess documentation completeness. Most New Zealand businesses discover 30-50% more models than they thought they had.

02. Framework Design

We construct your model risk management framework from first principles, drawing on international standards adapted for New Zealand's light-touch regulatory context. The framework addresses FMA conduct expectations, RBNZ prudential requirements, Privacy Act 2020 data handling obligations, CoFI fair conduct requirements, and Treaty of Waitangi considerations in a single coherent governance structure that supports innovation while managing risk.

03. Validation and Bias Testing

Independent validation of high-risk and material models, with specific bias detection across New Zealand demographic groups. We test for disparate impact on Māori, Pacific, and other populations using both statistical parity measures and outcome-based fairness metrics grounded in Te Tiriti o Waitangi principles. Validation reports are structured for board consumption, regulatory inquiry, and ISO 42001 compliance readiness.

04. Monitoring and Escalation

We design ongoing monitoring infrastructure that tracks model performance, data drift, and fairness metrics in production across all populations. Escalation protocols route material findings to appropriate governance forums. Revalidation triggers are defined so models are reassessed before failures compound, supporting both operational resilience and the continuous improvement approach that the OECD AI Principles demand.

What You Receive

Concrete deliverables, not advisory slide decks. Every engagement produces artefacts your governance team can implement, your board can review, and your regulators can examine. Our solutions are designed for practical use across your organisation.

FMA-Aligned Model Risk Framework

A complete model risk management policy and procedures suite designed for the New Zealand regulatory environment, structured to demonstrate sound governance to the FMA and RBNZ while satisfying OECD AI Principles requirements.

  • Model risk appetite statement aligned with board risk tolerance
  • Three-tier risk classification scheme
  • Development-to-retirement lifecycle procedures
  • Governance committee terms of reference

Bias Detection for NZ Populations

Structured bias testing tailored to Aotearoa New Zealand's demographic context, with specific analysis of model outcomes across Māori, Pacific, Asian, and other population groups, informed by both statistical rigour and Treaty of Waitangi outcome equity principles.

  • Disparate impact analysis by ethnicity
  • Training data representativeness assessment
  • Proxy variable identification and mitigation strategies
  • Te Tiriti outcome equity reporting for governance

Privacy Act Model Compliance

Assessment of model data flows against the Privacy Act 2020 and its 13 Information Privacy Principles, ensuring model inputs, processing, and outputs meet statutory requirements for compliance across the full model lifecycle.

  • Data collection purpose alignment (IPP 1-4)
  • Storage and security assessment (IPP 5)
  • Access and correction rights mapping (IPP 6-7)
  • Cross-border data transfer review (IPP 12)

Independent Model Validation Reports

Per-model validation documenting conceptual soundness, data quality, performance benchmarking, and fairness testing. Structured for board reporting, regulatory examination, and alignment with the Algorithm Charter for Aotearoa New Zealand.

  • Methodology and assumption review
  • Out-of-sample and out-of-time testing
  • Sensitivity and stress testing results
  • Findings, conditions, and remediation plan

Production Monitoring Design

Monitoring specifications for models in production, covering performance degradation, input drift, and ongoing fairness tracking across New Zealand populations to support continuous risk management.

  • Population stability index tracking
  • Characteristic stability monitoring
  • Fairness metric dashboards by ethnicity
  • Escalation triggers and revalidation rules

NZ Financial Services Model Coverage

Deep domain expertise across model types used by New Zealand banks, insurers, fund managers, and non-bank deposit takers. We understand the specific challenges that Aotearoa's market structure creates for model governance.

  • Credit decisioning and scoring models
  • Insurance premium-setting algorithms
  • Algorithmic trading and execution models
  • AML/CFT detection and monitoring models

Built for a Market Without a Rulebook

NZ Regulatory Fluency

We understand how the FMA, RBNZ, and Office of the Privacy Commissioner operate in practice, including their supervisory styles, their enforcement patterns, and where model risk sits on their priority lists. Our frameworks are designed for the New Zealand regulatory environment specifically, not adapted from offshore templates. When we build governance for organisations in Auckland, Wellington, or Christchurch, it reflects local regulatory expectations from the outset.

Treaty-Informed Bias Analysis

Model fairness in Aotearoa New Zealand requires analysis that goes beyond generic protected-class testing. We assess training data representativeness for Māori and Pacific populations, identify proxy variables that encode historical disadvantage, and measure outcome equity in ways that are meaningful under Te Tiriti o Waitangi obligations. This approach reflects Māori data sovereignty principles and ensures your models support equitable outcomes for all New Zealanders.

Cross-Statute Integration

AI models in NZ financial services sit at the intersection of the Privacy Act 2020, the Fair Trading Act 1986, the Conduct of Financial Institutions Act, and FMA and RBNZ prudential expectations. We build governance frameworks that address all four obligations in a single structure, eliminating the compliance gaps that emerge when each statute is addressed in isolation.

Technical Depth, Not Consulting Theatre

Our validators have hands-on experience building credit models, pricing algorithms, and trading systems. We assess model risk by examining code, data pipelines, and statistical methodology, not by reviewing documentation at arm's length. This technical depth means we address root causes rather than symptoms.

Model Governance in the New Zealand Context

Is model governance legally required in New Zealand?

There is no single statute that mandates a model governance framework. However, the obligation arises from multiple sources. The FMA expects licensed financial services providers to manage operational risks, which includes model risk. The RBNZ expects registered banks to demonstrate sound risk management practices. The Privacy Act 2020 requires that personal information used in automated decisions is handled lawfully under the 13 Information Privacy Principles. The Conduct of Financial Institutions Act requires fair conduct, which extends to algorithmic decision-making. Directors face personal liability under sections 131-138 of the Companies Act 1993 for failures of care and diligence. The practical consequence is that responsible organisations need robust model governance.

How do you test for bias against Māori and Pacific populations?

We apply multiple fairness metrics: demographic parity, equalised odds, and predictive parity across population groups. Beyond statistical tests, we examine training data for historical representation gaps, identify proxy variables (such as geographic postcode or employment type) that may encode ethnicity, and assess whether model outputs produce materially different outcomes for Māori and Pacific applicants compared to the general population. Where disparities are identified, we recommend specific mitigations ranging from feature exclusion to model recalibration. This approach honours both the OECD AI Principles of fairness and Māori data sovereignty principles that New Zealand's AI strategy recognises.
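
The three metrics named above, computed per group and compared with a reference group, as an added example (not code from this page or its authors). The records, the group labels "reference" and "comparison", and the 0.8 selection-ratio threshold are constructed assumptions; the sample is built so that predictive parity holds while demographic parity and equalised odds do not.

```python
from collections import defaultdict

def ratio(a, b):
    return a / b if b else None  # None when a group has no cases in the denominator

def diff(a, b):
    return None if a is None or b is None else a - b

def group_rates(records):
    """records: (group, y_true, y_pred) tuples; 1 = good outcome / approved."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0, "tn": 0})
    for group, y_true, y_pred in records:
        key = ("t" if y_true == y_pred else "f") + ("p" if y_pred else "n")
        counts[group][key] += 1
    rates = {}
    for g, c in counts.items():
        rates[g] = {
            "selection_rate": ratio(c["tp"] + c["fp"], sum(c.values())),  # demographic parity
            "tpr": ratio(c["tp"], c["tp"] + c["fn"]),  # equalised odds (together with fpr)
            "fpr": ratio(c["fp"], c["fp"] + c["tn"]),
            "ppv": ratio(c["tp"], c["tp"] + c["fp"]),  # predictive parity
        }
    return rates

def fairness_gaps(rates, reference, min_ratio=0.8):
    """Compare each group with the reference group; min_ratio is an assumed threshold."""
    ref, report = rates[reference], {}
    for g, r in rates.items():
        if g == reference:
            continue
        sel = ratio(r["selection_rate"], ref["selection_rate"])
        report[g] = {
            "selection_ratio": sel,
            "tpr_gap": diff(r["tpr"], ref["tpr"]),
            "fpr_gap": diff(r["fpr"], ref["fpr"]),
            "ppv_gap": diff(r["ppv"], ref["ppv"]),
            "flag": sel is not None and sel < min_ratio,
        }
    return report

def expand(group, tp, fp, fn, tn):
    return ([(group, 1, 1)] * tp + [(group, 0, 1)] * fp
            + [(group, 1, 0)] * fn + [(group, 0, 0)] * tn)

# Constructed sample, not real data: 100 scored applications per group.
SAMPLE = expand("reference", 50, 10, 10, 30) + expand("comparison", 30, 6, 24, 40)

if __name__ == "__main__":
    print(fairness_gaps(group_rates(SAMPLE), "reference"))
```
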

What does the Privacy Act 2020 require for models that process personal information?

Models that use personal information as inputs must comply with all 13 Information Privacy Principles. Information must be collected for a lawful purpose and that purpose must cover model use (IPP 1-4). Individuals have the right to know their information is being used in a model and to request correction (IPP 6-7). Information must not be kept longer than necessary (IPP 9). Disclosure to third parties, including offshore model vendors or cloud providers, must comply with IPP 11-12 requirements for cross-border data transfer. The Office of the Privacy Commissioner has indicated that automated decision-making using personal data is an area of increasing focus, and New Zealand businesses using AI should prepare accordingly.

How does the CoFI Act affect our AI models?

The Financial Markets (Conduct of Institutions) Amendment Act 2022 requires financial institutions to treat consumers fairly. Fair conduct obligations apply to all aspects of the consumer relationship, including decisions made by automated systems. If a credit model systematically produces worse outcomes for a demographic group, or an insurance pricing model uses factors that operate as proxies for protected characteristics, this may constitute a breach of fair conduct obligations. We include CoFI compliance assessment as a standard component of every model governance programme.

Our parent bank has an offshore model governance framework. Can we adopt it?

Many New Zealand banks operate frameworks inherited from Australian or global parents. These frameworks often address regulatory requirements that do not exist in New Zealand and miss the ones that do. A parent framework designed around offshore prudential standards will not address Privacy Act 2020 obligations, CoFI fair conduct requirements, Treaty of Waitangi considerations for Māori data governance, or bias risks specific to NZ populations. We recommend a gap analysis of your parent framework against NZ-specific requirements, followed by targeted adaptation rather than wholesale adoption. We can guide this process efficiently.

How does ISO 42001 relate to model governance in New Zealand?

ISO/IEC 42001:2023 is the international standard for AI management systems. It is available through Standards New Zealand and supported by Callaghan Innovation. While adoption is voluntary, ISO 42001 certification provides a structured approach to model governance that aligns with New Zealand's OECD AI Principles-based strategy. Our frameworks are designed to be ISO 42001 compatible, so organisations pursuing certification can build on existing governance investments rather than starting from scratch.

Start Your AI Model Governance Programme

Organisations that build robust model governance now will define industry practice in New Zealand. Those that wait will be measured against standards they had no hand in shaping. Our specialists are ready to help your team build governance that holds up under scrutiny.

Initial engagement includes model landscape audit, regulatory gap assessment, and bias risk scoping for NZ populations