AI Regulatory Compliance for New Zealand
New Zealand has no AI-specific legislation, but that does not mean no obligations exist. The Privacy Act 2020, Fair Trading Act, Companies Act 1993 director duties, and sector regulators like the FMA and RBNZ all apply to AI systems. We help you identify exactly what applies and build defensible compliance.
When regulation catches up to adoption, organisations with documented compliance programmes will be positioned to adapt. Those without them will be starting from zero.
The AI Regulatory Compliance Challenge in a Voluntary Landscape
NZ's principles-based regulatory approach creates a different compliance challenge from that of prescriptive regimes. The obligations exist, but the boundaries are less defined.
Existing Laws, Unclear Application
The Privacy Act 2020's 13 Information Privacy Principles apply to AI, but the Act was not written with machine learning in mind. The Fair Trading Act prohibits misleading conduct, but where does that boundary fall when an AI tool generates inaccurate output? Companies Act director duties require adequate risk management, but what constitutes "adequate" for AI? NZ organisations face real obligations with limited regulatory guidance on how to satisfy them.
Multiple Regulators, No AI Coordinator
The Privacy Commissioner covers personal information. The FMA covers financial markets conduct. The RBNZ covers banking resilience. The Commerce Commission covers consumer protection. Medsafe covers medical devices. Each has its own expectations for technology governance, none has published comprehensive AI-specific guidance, and there is no coordinating body for AI regulation. Organisations must piece together their own compliance picture.
Treaty Obligations Add Complexity
Crown agencies deploying AI must satisfy Te Tiriti o Waitangi principles: partnership, protection, and participation. This creates compliance obligations that have no direct equivalent in other jurisdictions. AI systems affecting Maori communities require equity assessment, data kaitiakitanga compliance, and in some cases meaningful consultation. These are legal and constitutional obligations, not optional best practices.
Compliance Requirements by Sector
Financial Services
FMA Conduct and Governance
- Fair dealing assessment for AI-driven decisions affecting customers
- Disclosure obligations for robo-advice and automated financial services
- Board governance expectations for technology risk oversight
- Consumer outcomes testing for AI pricing and underwriting models
RBNZ Operational Resilience
- Critical function mapping for AI-dependent banking operations
- Third-party AI vendor concentration risk assessment
- Business continuity planning for AI system failures
- Outsourcing policy compliance for offshore AI processing
Privacy Act 2020 for Financial AI
- Purpose limitation mapping for customer data used in AI models
- Notifiable privacy breach procedures for AI data incidents
- Cross-border disclosure controls for offshore AI platforms
Companies Act Director Duties
- Reasonable care and diligence for AI risk oversight
- Board reporting frameworks for AI governance
- Documenting director engagement with AI strategy and risk
Government and Public Sector
Public Service AI Framework Compliance
- Risk classification and tiered governance requirements
- Algorithm Charter principles operationalised for your agency
- Transparency and public accountability mechanisms
- AI impact assessments for public service delivery decisions
Te Tiriti o Waitangi Obligations
- Partnership: meaningful Maori engagement in AI system design
- Protection: data kaitiakitanga and Maori data sovereignty compliance
- Participation: equity assessment and disparity impact analysis
- Cultural impact assessment for AI affecting Maori communities
Healthcare
Medsafe and Clinical AI
- Medical device classification assessment for AI diagnostic tools
- WAND database registration and supplier notification obligations
- Safety and performance evidence documentation
- Post-market surveillance and adverse event reporting
Patient Rights and Professional Standards
- Code of Health and Disability Services Consumers' Rights compliance
- Informed consent procedures for AI-assisted clinical decisions
- Professional accountability frameworks for practitioners using AI
- Health equity assessment for AI impacting Maori health outcomes
How We Build Defensible Regulatory Compliance for AI
Regulatory Obligations Mapping
We audit your AI systems and map every applicable NZ obligation: Privacy Act principles, sector regulator expectations, Fair Trading Act requirements, Companies Act director duties, and where relevant, Treaty obligations. You receive a clear register of what applies, what you are currently doing, and where the gaps are.
$22,000 - $55,000 NZD
Regulatory Compliance Framework Development
Structured compliance programme with controls, policies, and processes mapped to your specific regulatory obligations. Includes a regulatory change monitoring process so your compliance posture evolves as NZ guidance matures. Designed to demonstrate governance maturity to regulators, auditors, and boards.
$40,000 - $120,000 NZD
Privacy Act AI Assessment
Focused assessment of your AI systems against all 13 Information Privacy Principles. Identifies where your AI data handling creates privacy risk, maps data flows including cross-border transfers under Principle 12, and establishes the transparency and accuracy controls the Privacy Commissioner expects.
$18,000 - $45,000 NZD
Ongoing Regulatory Compliance Advisory
Monthly or quarterly retainer providing continuous regulatory monitoring, compliance programme updates as NZ AI guidance evolves, Privacy Commissioner engagement preparation, and support for sector regulator interactions. Critical during this period of rapid regulatory development.
$4,000 - $18,000 NZD per month
Frequently Asked Questions
If NZ has no AI-specific law, what exactly are we complying with?
Existing technology-neutral laws apply to AI. The Privacy Act 2020 governs personal information processing. The Fair Trading Act prohibits misleading and deceptive conduct, which can include AI-generated outputs presented as reliable. The Companies Act 1993 imposes director duties around adequate risk management. Sector-specific regulators like the FMA and RBNZ set governance expectations. The Public Service AI Framework and Algorithm Charter apply to government agencies. Compliance means mapping these existing obligations to your specific AI use cases.
Are Treaty of Waitangi obligations legally binding for AI compliance?
For Crown agencies and public sector entities, yes. Te Tiriti principles are embedded in legislation including the Public Service Act 2020 and apply to decision-making systems including AI. For private sector organisations, Treaty obligations are less direct but may apply where you process Maori data, serve Maori communities, or receive government funding. The growing prominence of data kaitiakitanga principles means Treaty-aligned AI governance is increasingly expected across all sectors.
How does the Privacy Act 2020 apply to AI systems using offshore platforms?
Information Privacy Principle 12 restricts cross-border disclosure of personal information. When your organisation sends personal data to an offshore AI platform for processing, you must ensure the recipient is subject to comparable privacy protections or the individual has authorised the disclosure. Most major AI platforms process data outside NZ, making Principle 12 compliance a practical necessity for virtually every organisation using commercial AI tools.
Should we wait for NZ AI legislation before investing in compliance?
No. Waiting creates three risks. First, existing laws already apply and create liability today. Second, when regulation arrives, organisations without established governance will face costly catch-up. Third, regulators like the FMA and Privacy Commissioner are already signalling expectations through guidance and enforcement actions that do not require AI-specific law. Building compliance now demonstrates governance maturity and reduces future remediation cost.
Understand Your AI Regulatory Compliance Position Today
NZ's regulatory landscape is evolving. A compliance assessment identifies your current obligations, reveals gaps, and provides a prioritised action plan. Start with clarity.
Initial review maps all applicable NZ regulations to your AI systems and prioritises gaps by risk.