AI regulatory compliance built for New Zealand's existing law.
New Zealand has no AI-specific legislation. The Privacy Act 2020, Fair Trading Act 1986, Companies Act 1993 director duties, and sector regulators like the FMA and RBNZ all apply to artificial intelligence systems. We map what applies to your organisation and build defensible compliance.
What a compliance engagement produces.
Obligations register
A clear register of every NZ obligation that applies to your AI systems, what your organisation is doing today, and where the gaps sit.
Compliance framework
Structured programme with controls, policies, and processes mapped to your specific regulatory obligations and the OECD AI Principles.
Treaty-aware practice
Where Crown agencies and organisations using Māori data are concerned, controls grounded in kaitiakitanga and tino rangatiratanga.
Ongoing change monitoring
A change-monitoring process so your compliance evolves as NZ guidance matures, including the National AI Strategy and Privacy Commissioner positions.
The compliance challenge in a voluntary landscape.
Aotearoa's principles-based regulatory approach creates a different challenge from prescriptive regimes: the obligations exist, but their boundaries are less defined. Catching up after a regulator asks costs more than building the framework first.
01 In force
Existing laws, unclear application.
The Privacy Act 2020's 13 Information Privacy Principles apply to artificial intelligence systems, but the Act was not written with machine learning in mind. The Fair Trading Act 1986 prohibits misleading and deceptive conduct, and where an AI tool generates inaccurate output the line between a product defect and misleading conduct is unclear. Companies Act 1993 sections 131-138 set director duties, including the duty of care, diligence and skill, which in practice means adequate oversight of the risks the company runs; what "adequate" looks like for AI is undefined. NZ organisations face real obligations with limited regulatory guidance on how to satisfy them.
Privacy Act compliance guide
02 Multiple regulators
No coordinating AI regulator.
The Office of the Privacy Commissioner covers personal information. The FMA covers financial markets conduct. The RBNZ covers banking resilience. The Commerce Commission covers consumer protection. Medsafe covers medical devices. Each has its own technology governance expectations, none has published comprehensive AI-specific guidance, and no coordinating body exists. Organisations must piece together their own compliance picture.
Financial services governance
03 Constitutional obligation
Treaty obligations add complexity.
Crown agencies deploying AI must satisfy Te Tiriti o Waitangi principles: partnership, protection, and participation. These obligations have no direct equivalent in other jurisdictions. AI systems affecting Māori communities require equity assessment, Māori data governance grounded in kaitiakitanga, and in some cases meaningful consultation that respects tino rangatiratanga. These are legal and constitutional obligations, not optional best practices.
Māori data governance
Compliance requirements by sector.
Each sector faces a different combination of regulators and obligations. The starting point is mapping which apply to your specific AI systems.
Track A
Financial services
FMA conduct expectations (fair dealing for AI decisions, disclosure for robo-advice, board governance of technology risk, consumer outcome testing for AI pricing and underwriting). RBNZ operational resilience (critical function mapping, third-party concentration risk, business continuity for AI failures, outsourcing policy for offshore AI processing). Privacy Act 2020 (purpose limitation, breach procedures, cross-border disclosure under IPP 12). Companies Act 1993 director duties (reasonable care for AI risk oversight, board reporting, documented engagement with AI strategy).
Track B
Government & public sector
Public Service AI Framework compliance (risk classification and tiered governance, Algorithm Charter principles operationalised, transparency and public accountability, AI impact assessments for service delivery). Te Tiriti o Waitangi obligations (partnership through Māori engagement in AI design, protection via kaitiakitanga and Māori data sovereignty, participation through equity assessment, cultural impact assessment for AI affecting Māori communities).
Track C
Healthcare
Medsafe medical-device classification for AI diagnostic tools, WAND database registration, safety and performance evidence, post-market surveillance. Patient rights under the Code of Health and Disability Services Consumers' Rights, informed consent for AI-assisted clinical decisions, practitioner accountability, health equity assessment for AI impacting hauora Māori outcomes. HIPC 2020 cross-border transfer restrictions for offshore AI vendors processing health data.
How we build defensible AI regulatory compliance.
Four practice areas, each grounded in NZ-specific obligations rather than imported templates.
Regulatory obligations mapping
We audit your AI systems and map every applicable NZ obligation: Privacy Act 2020 principles, FMA and RBNZ expectations, Fair Trading Act 1986 requirements, Companies Act 1993 director duties, and Treaty of Waitangi obligations where they apply. The output is a clear register of what applies, what you do today, and where the gaps sit.
Compliance framework development
Structured compliance programme with controls, policies, and processes mapped to your regulatory obligations. Includes a regulatory change-monitoring process so your compliance evolves as NZ guidance matures, including alignment with the OECD AI Principles and the National AI Strategy.
Privacy Act 2020 AI assessment
Focused assessment of your AI systems against all 13 Information Privacy Principles. We identify where AI data handling creates privacy risk, map data flows including cross-border transfers under IPP 12, and establish the transparency and accuracy controls the Office of the Privacy Commissioner expects.
Ongoing regulatory advisory
A monthly or quarterly retainer covering regulatory monitoring, programme updates as NZ guidance evolves, preparation for Privacy Commissioner engagement, and support for FMA and RBNZ interactions, sized for a period of rapid regulatory development.
Questions NZ organisations ask us.
If NZ has no AI-specific law, what exactly are we complying with?
Existing technology-neutral laws apply to AI. The Privacy Act 2020 governs the collection, use and disclosure of personal information. The Fair Trading Act 1986 prohibits misleading and deceptive conduct, which can include AI-generated outputs presented as reliable. The Companies Act 1993 imposes director duties, including the duty of care, diligence and skill, that extend to oversight of AI risk. Sector regulators like the FMA and RBNZ set governance expectations for the entities they supervise. Government agencies are additionally expected to follow the Public Service AI Framework and, for signatory agencies, the Algorithm Charter, alongside the OECD AI Principles that New Zealand has adopted. Compliance means mapping these existing obligations to your specific AI use cases.
Are Treaty of Waitangi obligations legally binding for AI compliance?
For Crown agencies and public sector entities, yes. Te Tiriti principles are embedded in legislation including the Public Service Act 2020 and apply to decision-making systems including AI. For private sector organisations, Treaty obligations are less direct but may apply where you process Māori data, serve Māori communities, or receive government funding. The growing prominence of Māori data governance and kaitiakitanga principles means Treaty-aligned AI governance is increasingly expected across all sectors.
How does the Privacy Act 2020 apply to AI systems using offshore platforms?
Information Privacy Principle 12 restricts disclosure of personal information to agencies outside New Zealand. When your organisation sends personal information to an offshore AI platform that will use it for its own purposes, you need one of IPP 12's grounds: for example, the individual has authorised the disclosure after being expressly informed of the risk, or the recipient is subject to comparable privacy safeguards under its own law, a binding scheme, or your contract with it. Where the platform processes the information only on your behalf and for your purposes, the Act treats the information as still held by you (section 11) rather than disclosed, but IPP 5 still makes you responsible for its security wherever it is processed. Check the provider's terms on the use of inputs for model training, because that use is what moves a platform from processing on your behalf to receiving a disclosure. Most major AI platforms process data outside NZ, so working through this analysis is a practical necessity for virtually every organisation using commercial AI tools.
Should we wait for NZ AI legislation before investing in compliance?
No. Waiting creates three risks. Existing laws already apply and create liability today. When regulation arrives, organisations without established controls will face costly catch-up. Regulators like the FMA, RBNZ, and Office of the Privacy Commissioner are already signalling expectations through guidance and enforcement actions that do not require AI-specific law. Building compliance now reduces future remediation cost.
Understand your AI regulatory position today.
A compliance review maps every applicable NZ regulation to your AI systems and prioritises gaps by risk. Start with clarity so your organisation can move forward with confidence.