Anti-Money Laundering and Countering Financing of Terrorism Act 2009

AML/CFT requirements and compliance - Customer due diligence - Reliance on third parties

36: Protection of personal information and designated business groups

You could also call this:

"Keeping Personal Info Safe When Sharing with Businesses"

Illustration for Anti-Money Laundering and Countering Financing of Terrorism Act 2009

When you share personal information with a group of businesses, it must be protected. You must follow the information privacy principles set out in section 22 of the Privacy Act 2020. This means you must keep the information safe and only use it for the right reasons. If you give information to another business in your group, you are still responsible for what happens to it. You can only use or share the information in certain ways, like for a suspicious activity report. You can share information with other businesses in your group, but not if it might cause problems in another country. You must agree in writing to follow the privacy principles if you are part of a business group. This is to ensure that personal information is protected and used correctly. You must be careful when sharing personal information to keep it safe and secure.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on 4 December 2025

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=DLM2140883.

Topics:

Rights and equality > PrivacyMoney and consumer rights > Consumer protectionBusiness > Industry rules

35: Use of information obtained from third party conducting customer due diligence, or

"Using info from others to check customers and follow the law"

37: Prohibitions if customer due diligence not conducted, or

"No business with customers if you don't check who they are."

Part 2AML/CFT requirements and compliance
Customer due diligence: Reliance on third parties

36Protection of personal information and designated business groups

This section applies to personal information that is either—
identity or verification information received for the purposes of section 32(1)(a); or
information received for the purposes of section 32(1)(b).

Any information supplied by any member of a designated business group to another member of that group must be subject to privacy protections at least equivalent to those set out in information privacy principles 5 to 12 set out in section 22 of the Privacy Act 2020.
Each member of the designated business group must agree, in writing, to comply with information privacy principles 5 to 12 set out in section 22 of the Privacy Act 2020 or their equivalent if the member is resident overseas.
The entity that provides information to another member of its designated business group remains responsible for the use or disclosure of that information.
A reporting entity may use or disclose information to which this section applies only as follows:
it may use identity and verification information received for the purposes of section 32(1)(a) in a suspicious activity report:
it may disclose information for the purposes of section 32(1)(b) to another member of the designated business group unless such disclosure is likely to result in a suspicious activity report being filed in an overseas jurisdiction by the member to whom the information is disclosed.

Notes

Section 36(2): amended, on 1 December 2020, by section 217 of the Privacy Act 2020 (2020 No 31).
Section 36(3): amended, on 1 December 2020, by section 217 of the Privacy Act 2020 (2020 No 31).
Section 36(5)(a): amended, on 11 August 2017, by section 23(1) of the Anti-Money Laundering and Countering Financing of Terrorism Amendment Act 2017 (2017 No 35).
Section 36(5)(b): amended, on 11 August 2017, by section 23(2) of the Anti-Money Laundering and Countering Financing of Terrorism Amendment Act 2017 (2017 No 35).