Delayed initial CDD explained: verifying customers after you start

In most cases, New Zealand's AML/CFT supervisors expect you to complete customer due diligence (CDD) before providing a designated service, which makes sense because you should know who you’re dealing with before you begin.
However, there are limited situations where you can start providing a service first and complete verification shortly after, as long as you move quickly, manage the risk carefully, and stay within strict regulatory boundaries.
The core requirements
Under NZ's AML/CFT Act 2009, you can only delay CDD if you can justify two things:
- Completing verification before you start would interrupt normal business practice in a way that is genuinely unavoidable
- The risks of money laundering or terrorism financing are effectively managed while verification is pending
Both conditions must be met. If either does not apply, you should complete verification before the relationship begins.
It is also worth noting that delayed CDD only applies to the verification step. You must still collect all required identity information upfront - the delay only covers the step of confirming that information is correct.
Your AML/CFT programme must clearly set out when delayed verification is permitted and how risks will be managed in the meantime. Failing to verify customers as soon as practicable can expose you to penalties under the Act.
What delayed CDD actually involves
Delaying CDD does not mean skipping it; it means collecting customer information upfront and verifying it shortly afterwards.
In practice, this means you may begin the relationship with a customer, but you must complete verification promptly and be able to demonstrate that you acted as quickly as reasonably possible.
When delayed CDD is allowed
General services in New Zealand
You can begin providing a service after collecting KYC information but before verifying it, provided that verification is completed as soon as practicable.
While verification is pending, you must effectively manage the risks of ML/TF. For financial institutions such as banks, this means using transaction limitations and account monitoring. For other reporting entities such as lawyers, accountants, or real estate agents, the Act allows other appropriate risk management procedures that achieve the same effect.
Real estate transactions
A real estate agency must conduct CDD on its own client, any beneficial owner of that client, and any person acting on behalf of that client. In a typical sale, this means the listing agency conducts CDD on the vendor before carrying out further real estate agency work once the agency agreement is fully signed. A purchaser will generally only need to be verified by the agency if the purchaser is also the agency’s client, for example under a buyer agency agreement, or if another AML/CFT trigger applies, such as the purchaser conducting an occasional transaction through the agency.
Overseas services
If your business has branches or subsidiaries operating in another country, the Act requires those branches and subsidiaries to apply measures broadly equivalent to New Zealand's AML/CFT requirements, to the extent permitted by local law. If local law does not allow this, you must notify your AML/CFT supervisor and take additional steps to manage the risk.
When you should not delay CDD
Delaying CDD is not appropriate if there is a reasonable chance that you will be unable to verify the customer later, or if delaying creates an opportunity for the customer to misuse your service before their identity is confirmed. This is particularly relevant in situations where funds or assets can be moved quickly or where the customer’s identity is critical from the outset.
If you cannot complete CDD at all, the Act is clear: you must not establish the business relationship, and if one already exists, you must end it. You should also consider whether to make a suspicious activity report.
Managing the risk
While CDD is pending, your policies and procedures should address how you will limit what a customer can do until verification is complete, consistent with your obligations to effectively manage money laundering and terrorism financing risks.
Those policies should also address what happens if a customer cannot be verified, including how any funds would be returned. This is a matter of good practice and risk management, and your AML/CFT programme should document your approach clearly.
When delaying CDD makes sense

The New Zealand AML/CFT supervisors provide practical examples where delayed CDD may be justified, including:
- Onboarding customers remotely where immediate verification is not possible
- Auctions where bidders cannot be verified in advance
- Emergency situations such as natural disasters or domestic violence cases
- Visa applicants needing to open accounts before approval
- Genuinely time-sensitive financial transactions where pricing changes rapidly
The common theme across these scenarios is that the delay is necessary and unavoidable, not simply a matter of convenience.
Key takeaway
Delayed CDD is not a shortcut, but a tightly controlled exception that allows you to begin a customer relationship while completing verification shortly afterwards. To use it correctly, you must still collect all required information upfront, complete verification within strict timeframes, limit what the customer can do in the meantime, and clearly document why the delay was justified.
In plain terms: you can start the relationship before verification is complete, but you must treat verification as an urgent priority, not an afterthought.








