New Zealand’s IVCOP is now published. Here’s what’s confirmed and what changed.

Updated June 2026. This article replaces our  December 2025 summary of the proposed changes.

 
New Zealand’s Identity Verification Code of Practice (IVCOP) is no longer a proposal. The Minister of Internal Affairs approved the new code by notice in the New Zealand Gazette on 28 May 2026. It commences on 1 July 2026. One part, covering how certified copies can be delivered, commences a year later on 1 July 2027.

We summarised the proposed changes during consultation. This is the update. It sets out what made it into the published code, what shifted between the discussion paper and the final version, and what reporting entities should do before 1 July.  It supersedes the Amended IVCOP 2013.

The short version: the published code is more flexible than the 2013 code it replaces, and in several places, more flexible than the consultation proposals suggested. If you keep verifying identity the way you do today, you are very likely still compliant.

The timeline is now fixed

• 1 July 2026: Most of the code applies from this date.
• 1 July 2027: The certified copy delivery provisions (paragraphs 1.4.3 to 1.4.5) commence here.

The Department of Internal Affairs (DIA) has confirmed that if you continue to accept the documents or use the electronic sources you currently rely on under the 2013 code, that remains compliant under the 2026 code. The only exception is the certified copy delivery requirements that begin on 1 July 2027.

There are now four pathways, not three

At the consultation, the DIA proposed keeping the three existing pathways unchanged. The published code adds a fourth. Verification through an accredited Digital Identity Services Trust Framework (DISTF) service is now a pathway in its own right. The four pathways are:

1. Face-to-face verification using physical documents
2. Verification through the Digital Identity Services Trust Framework (DISTF)
3. Other electronic identity verification (EIV) methods
4. Certified copies of identity documents

How First AML meets this: First AML verifies identity through the electronic and documentary pathways, not through the Digital Identity Services Trust Framework (DISTF). A reporting entity needs only one compliant pathway, and First AML provides it. 

First AML is compliant under the 2013 code and remains compliant under the 2026 code. 

Face-to-face documentary verification got easier, not harder

The proposals signalled stronger likeness expectations. The published code keeps a likeness check but is otherwise more permissive about documents.

• A visual comparison of the person to the photo on the document is required, but this creates no new record-keeping obligation.
• Overseas passports no longer need a signature.
• A New Zealand birth certificate no longer needs to be a full birth certificate.
• The Kiwi Access Card, alongside the 18+ Card, is recognised as a secondary or supporting photographic ID.
• The SuperGold Card (with photo) and the Total Mobility Card are explicitly allowed as secondary or supporting photographic ID.
• A document issued by a registered bank no longer needs a signature.

How First AML meets this: First AML supports document-based verification, including this broadened list of acceptable documents.  Users can create custom requirements to collect the new Kiwi Access and SuperGold cards. These changes widen what customers can present; they do not require any change to how First AML handles documents. 

Certification: The proposed tightening mostly did not happen

This is where the published code diverges most from the consultation. Several proposals that would have made certification harder did not survive.

• Validity extended to twelve months. The discussion paper proposed six months. The published code allows twelve.
• No “face-to-face impossible” test. The proposal would have limited certification to cases where meeting in person was genuinely impossible, with a recorded reason. That requirement is not in the published code.
• Delivery is opening up, not tightening. From 1 July 2027 a reporting entity may receive a certified copy in person, by post, or by other means including email. Where there are reasonable grounds to suspect a copy may not be genuine, the entity must have procedures that give enhanced assurance the person is the genuine holder. The code notes such grounds will likely arise where the customer is also high risk.
• Clear photo required. The photo on the certified copy must be clearly visible.
• Binding assurance. For copies presented face to face, compare the photo to the person. For copies received another way, the trusted referee must state that the document represents the identity of the named person.
• Trusted referees expanded. Officers of the Māori Land Court (Registrar or Regional Manager) can now act as trusted referees.
• Overseas customers. Copies must be certified by a person authorised by law to take statutory declarations in that country. The attestation statement requirement has been removed. Where there is no attestation, the entity must have risk-based controls for alternative binding assurance.

How First AML meets this: First AML supports certified copies as a verification method, including the extended twelve-month certification window. Nothing in First AML’s certified-copy handling changes on 1 July 2026. The only dated item is the delivery provisions that commence on 1 July 2027, and those broaden how copies can be received.

Electronic identity verification: one reliable source can now be enough

The proposals hinted at reduced duplication for government sources and growing use of NFC passport chips. The published code delivers both.

• A single reliable source can now be sufficient. The DIA Confirmation Service, an equivalent overseas government source, or an embedded e-passport microchip can each be used as a single reliable and independent source. There is no longer a need for a second corroborating electronic source. A separate linking mechanism for binding assurance is still required.
• RealMe. A verified RealMe identity works as a single source for both information and binding assurance.
• Driver Check. The NZTA Waka Kotahi Driver Check can be used, but still needs a second corroborating source plus a linking mechanism.
• E-passport NFC is in. The embedded microchip is explicitly recognised, with authenticity validated using the issuing state’s public key. This matters most for overseas customers and anyone without a New Zealand identity document.

How First AML meets this: First AML does not rely on single-source verification. It verifies a customer’s name and date of birth from a reliable and independent electronic source (e.g., a government ID database), combined with a separate linking mechanism, forming a corroborated approach that was compliant under the 2013 IVCOP. 

Single-source verification is a new option under the 2026 code, not a requirement. As First AML’s method was compliant under the 2013 code, the DIA’s continuity confirmation means it remains compliant under the 2026 code. 

DISTF is a pathway in its own right

At the consultation, the proposal referenced verifying to “Level 3” (remote) and “Level 2” (in person). The published code uses the NZ Identification Standards language instead.

• In person or online: A DISTF-accredited service that provides name and date of birth to a Strong Plus level of both Information Assurance and Binding Assurance.
• In person only: A DISTF service at Standard Plus level for both, supported by one of the primary non-photographic documents, such as a birth or citizenship certificate.

How First AML meets this: First AML is not currently pursuing DISTF accreditation. DISTF is a new, optional pathway, not a mandatory one. First AML continues to verify identity through the electronic and documentary pathways, which were compliant under the 2013 IVCOP and remain compliant under the 2026 code. You do not need a DISTF-accredited service to stay compliant when verifying through First AML. 

Beneficial owners and persons acting on behalf: a risk-based reduction

The consultation floated several options for persons acting on behalf, ranging from no change to removing IVCOP requirements entirely. The published code takes a tiered, risk-based route. Reduced verification steps are allowed for a beneficial owner or person acting on behalf where the customer:

• is a legal person or legal arrangement;
• is rated low or medium risk; and
• has two or more beneficial owners, or is eligible for simplified CDD.

To use reduced steps you need risk-based procedures, policies and controls that set out what the reduced steps are and when they apply. Examples include a lesser standard of physical documents, a lesser DISTF assurance level, uncertified copies by email, or video conferencing to link a person to their identity. Reduced steps are not allowed where there are grounds to report suspicious activity.

How First AML meets this: First AML lets you configure and apply reduced verification steps for eligible low and medium risk entities, and records the procedures and decisions behind them. That is what the code requires before the reduction can be used. 

High-risk customers, wire transfers and exceptions

• The code now applies to high-risk customers, not just low and medium risk.
• Identity verification for a wire transfer originator does not need to be repeated for the same customer unless there are reasonable grounds to doubt the earlier verification.
• Reporting entities must have exception handling procedures for people who cannot meet the requirements, for example for financial inclusion, children and young adults, people with disabilities, or older people. A standard process for common exceptions is explicitly allowed.

How First AML meets this: First AML applies identity verification across all risk ratings, including high risk, and logs every verification, exception and decision. That record supports both your exception handling and any supervisor review . 

What has changed between the IVCOP 2013 and the newly published code

What this means for First AML customers

Because the published code keeps the verification pathways First AML already uses, electronic identity verification from a reliable and independent source, document-based verification, certified copies, and configurable risk-based steps for beneficial owners, continuing to verify through First AML remains compliant from 1 July 2026. 

The one item to diarise is the certified copy delivery provisions commencing 1 July 2027, which broaden how copies can be received rather than restrict them. We are aligning our configuration options and guidance to the new code ahead of commencement.

What to do before 1 July

• Confirm your AML/CFT programme references the 2026 code and documents the pathways you rely on.
• Review your EIV configuration to take advantage of single-source verification where appropriate.
• Define and document reduced verification steps for eligible beneficial owners and persons acting on behalf.
• Diarise the 1 July 2027 certified copy delivery provisions.
• Confirm your exception handling procedures cover financial inclusion and vulnerable customers.

Additional Resources

Department of Internal Affairs: AML/CFT and the IVCOP