AI Regulatory Compliance for New Zealand
New Zealand has no AI-specific legislation, but that does not mean no obligations exist. The Privacy Act 2020, Fair Trading Act 1986, Companies Act 1993 director duties, and sector regulators like the FMA and RBNZ all apply to artificial intelligence systems. We help your organisation identify exactly what applies and build defensible compliance.
When regulation catches up to adoption, organisations with documented compliance programmes will be positioned to adapt. Those without them will be starting from zero. We close that gap.
The AI Regulatory Compliance Challenge in a Voluntary Landscape
Aotearoa's principles-based regulatory approach creates a different compliance challenge from prescriptive regimes. The obligations exist, but their boundaries are less defined, which demands an approach that anticipates rather than reacts.
Existing Laws, Unclear Application
The Privacy Act 2020's 13 Information Privacy Principles apply to artificial intelligence, but the Act was not written with machine learning in mind. The Fair Trading Act 1986 prohibits misleading and deceptive conduct, but where does that boundary fall when an AI tool generates inaccurate output? Section 137 of the Companies Act 1993 requires directors to exercise the care, diligence, and skill of a reasonable director, but what that standard demands for oversight of AI risk is untested. NZ organisations face real obligations with limited regulatory guidance on how to satisfy them.
Multiple Regulators, No AI Coordinator
The Office of the Privacy Commissioner covers personal information. The FMA covers financial markets conduct. The RBNZ covers banking resilience. The Commerce Commission covers consumer protection. Medsafe covers medical devices. Each has its own expectations for technology governance. AI-specific guidance is patchy: the Office of the Privacy Commissioner has published its expectations for AI use under the Information Privacy Principles, but there is no cross-sector AI rulebook and no coordinating body. Organisations must piece together their own compliance picture.
Treaty Obligations Add Complexity
Crown agencies deploying AI must satisfy Te Tiriti o Waitangi principles: partnership, protection, and participation. This creates compliance obligations that have no direct equivalent in other jurisdictions. AI systems affecting Māori communities require equity assessment, Māori data governance grounded in kaitiakitanga, and in some cases meaningful consultation that respects tino rangatiratanga. These are legal and constitutional obligations, not optional best practices.
Compliance Requirements by Sector
Financial Services
FMA Conduct and Governance
- Fair dealing assessment for AI-driven decisions affecting customers
- Disclosure obligations for robo-advice and automated financial services
- Board governance expectations for technology risk oversight
- Consumer outcomes testing for AI pricing and underwriting models
RBNZ Operational Resilience
- Critical function mapping for AI-dependent banking operations
- Third-party AI vendor concentration risk assessment
- Business continuity planning for AI system failures
- Outsourcing policy compliance for offshore AI processing
Privacy Act 2020 for Financial AI
- Purpose limitation mapping for customer data used in AI models
- Notifiable privacy breach procedures for AI data incidents
- Cross-border disclosure controls for offshore AI platforms
Companies Act Director Duties
- Reasonable care and diligence for AI risk oversight
- Board reporting frameworks for AI governance
- Documenting director engagement with AI strategy and risk
Government and Public Sector
Public Service AI Framework Compliance
- Risk classification and tiered governance requirements
- Algorithm Charter principles operationalised for your agency
- Transparency and public accountability mechanisms
- AI impact assessments for public service delivery decisions
Te Tiriti o Waitangi Obligations
- Partnership: meaningful Māori engagement in AI system design
- Protection: data kaitiakitanga and Māori data sovereignty compliance
- Participation: equity assessment and disparity impact analysis
- Cultural impact assessment for AI affecting Māori communities
Healthcare
Medsafe and Clinical AI
- Medical device classification assessment for AI diagnostic tools
- WAND database registration and supplier notification obligations
- Safety and performance evidence documentation
- Post-market surveillance and adverse event reporting
Patient Rights and Professional Standards
- Code of Health and Disability Services Consumers' Rights compliance
- Informed consent procedures for AI-assisted clinical decisions
- Professional accountability frameworks for practitioners using AI
- Health equity assessment for AI impacting Māori health outcomes
How We Build Defensible AI Regulatory Compliance
Regulatory Obligations Mapping
We audit your AI systems and map every applicable NZ obligation: Privacy Act 2020 principles, FMA and RBNZ expectations, Fair Trading Act 1986 requirements, Companies Act 1993 director duties, and where relevant, Treaty of Waitangi obligations. You receive a clear register of what applies, what your organisation is currently doing, and where the gaps are.
Regulatory Compliance Framework Development
We build a structured compliance programme with controls, policies, and processes mapped to your specific regulatory obligations. It includes a regulatory change monitoring process so your compliance evolves as NZ guidance matures, including alignment with the OECD AI Principles and the National AI Strategy.
Privacy Act 2020 AI Assessment
Focused assessment of your AI systems against all 13 Information Privacy Principles. We identify where your AI data handling creates privacy risk, map data flows including cross-border transfers under Principle 12, and establish the transparency and accuracy controls the Office of the Privacy Commissioner expects.
Ongoing Regulatory Compliance Advisory
Monthly or quarterly retainer providing continuous regulatory monitoring, compliance programme updates as NZ AI guidance evolves, Privacy Commissioner engagement preparation, and support for FMA and RBNZ interactions. We keep your organisation ahead of the curve during this period of rapid regulatory development.
Frequently Asked Questions
If NZ has no AI-specific law, what exactly are we complying with?
Existing technology-neutral laws apply to AI. The Privacy Act 2020 governs the collection, use, disclosure, and security of personal information. The Fair Trading Act 1986 prohibits misleading and deceptive conduct, which can include AI-generated outputs presented as reliable. The Companies Act 1993 imposes duties of care, diligence, and skill on directors, which extend to oversight of material risks such as AI. Sector-specific regulators like the FMA and RBNZ set governance expectations for businesses in their jurisdictions. Public sector agencies are also expected to follow the Public Service AI Framework and the Algorithm Charter, and New Zealand has adhered to the OECD AI Principles. Compliance means mapping these existing obligations to your specific AI use cases.
Are Treaty of Waitangi obligations legally binding for AI compliance?
For Crown agencies and public sector entities, yes. Te Tiriti principles are embedded in legislation including the Public Service Act 2020 and apply to decision-making systems including AI. For private sector organisations, Treaty of Waitangi obligations are less direct but may apply where you process Māori data, serve Māori communities, or receive government funding. The growing prominence of Māori data governance and kaitiakitanga principles means Treaty-aligned AI governance is increasingly expected across all sectors in Aotearoa.
How does the Privacy Act 2020 apply to AI systems using offshore platforms?
Information Privacy Principle 12 restricts disclosure of personal information to a person or entity outside New Zealand. When your organisation discloses personal information to an offshore AI platform, you must satisfy one of the Principle 12 grounds: for example, the individual expressly authorises the disclosure after being told the recipient may not be required to protect the information in a comparable way, the recipient is subject to comparable privacy safeguards (including a prescribed country or binding contractual terms), or another listed exception applies. A practical caveat: where the offshore provider merely stores or processes the information on your behalf as your agent, the Act treats the information as still held by you, so the transfer is a use rather than a disclosure and Principle 12 may not be triggered; you then remain fully responsible for security under Principle 5 and for the provider's handling through contract. Most major AI platforms process data outside NZ, making this analysis a practical necessity for virtually every organisation using commercial AI tools.
Should we wait for NZ AI legislation before investing in compliance?
No. Waiting creates three risks. First, existing laws already apply and create liability today. Second, when regulation arrives, organisations without established controls will face costly catch-up. Third, regulators like the FMA, RBNZ, and Office of the Privacy Commissioner are already signalling expectations through guidance and enforcement actions that do not require AI-specific law. Building compliance now reduces future remediation cost.
Understand Your AI Regulatory Compliance Position Today
Aotearoa's regulatory landscape is evolving. A compliance assessment identifies your current obligations, reveals gaps, and provides a prioritised action plan. Start with clarity so your organisation can move forward with confidence.
Initial review maps all applicable NZ regulations to your AI systems and prioritises gaps by risk