The Cost of Deferral: How ASB's Six-Year Compliance Drift Produced New Zealand's Largest AML Penalty

When a broken system is flagged but not fixed, the passage of time doesn't reduce risk. It multiplies it.

Share
The Cost of Deferral: How ASB's Six-Year Compliance Drift Produced New Zealand's Largest AML Penalty

In June 2026, the High Court imposed a civil pecuniary penalty of NZ$6.731 million on ASB Bank Limited, the largest ever handed down by a New Zealand court under the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act 2009. The penalty was not for facilitating money laundering. It was not for knowingly turning a blind eye to criminal proceeds. It was for something quieter, more insidious, and arguably more common: a failure to act quickly enough when the institution already knew it had a problem.

That distinction matters enormously for AML/CFT professionals. The ASB case is not a story of greed or corruption. It is a story of institutional inertia: decisions deferred, backlogs tolerated, and warnings not heeded with sufficient urgency. It is also a story about what happens when commercial priorities, however rationally justified in the moment, come to displace compliance obligations over time.


The System at the Centre: Predator

ASB's AML compliance problems were anchored in its automated transaction monitoring system, known internally as "Predator," supplied by vendor GBG Australia Pty Ltd. Predator used a rules-based approach to detect suspicious patterns across customer transactions, generating alerts for human review.

The system had known limitations from the outset. When ASB adopted Predator in 2013, PricewaterhouseCoopers was engaged to review its suitability. PwC noted that monitoring rules were likely to become more sophisticated than Predator could support over time. More complex requirements, including those for high-risk customers, politically exposed persons, and sanctions screening, were flagged as potentially beyond the system's capabilities (Vaughan, 2026).

That advisory observation from 2013 had not been resolved by 2019. In October 2019, Ernst & Young was engaged to review Predator's reconciliation processes and gave them a "marginal rating." A month later, an onsite inspection by the Reserve Bank of New Zealand identified that ASB's risk rating model had failed to appropriately categorise certain customers as high risk, meaning those customers were not receiving the ongoing due diligence they required (Vaughan, 2026).

The warnings were documented. They were understood. Yet the system continued.

The Backlog Builds

Between December 2019 and February 2024, ASB failed to resolve 120,771 standard priority transaction monitoring alerts within required timeframes. Those alerts related to transactions totalling approximately NZ$11.62 billion. A further 595 high-priority alerts, involving transactions of around NZ$492.7 million, were also resolved late, with an average resolution time of 46 days (Vaughan, 2026).

The numbers are striking. But what makes them significant for compliance practitioners is not their scale alone. It is the timeline.

ASB's senior management was aware of the backlog from at least December 2019. In February 2021, an executive strategy group placed plans for a transaction monitoring system upgrade on hold for 12 months, citing resource constraints and competing projects (Vaughan, 2026). That decision was defensible in isolation. It is less defensible as part of a pattern that extended for years.

The backlog was not disclosed to the Reserve Bank until February 2023, more than three years after internal awareness was established. The Reserve Bank launched its formal investigation in March 2024. ASB cleared the backlog on 8 February 2024, only after expanding its financial crime teams significantly and engaging multiple external consultants, including Deloitte NZ, Deloitte Touché Tohmatsu India, and later Emagine Consulting UK (Vaughan, 2026).


Foreign Trusts: The Hidden Exposure

Embedded within ASB's wider compliance failures was a particular vulnerability involving foreign trust customers.

From February 2021, ASB classified trusts domiciled outside New Zealand, and trusts with foreign beneficial owners, as high-risk customers. That classification was correct. Foreign trusts, which provide anonymity to beneficial owners through offshore asset structures, carry elevated money laundering risk and were subject to tightened New Zealand rules following the Panama Papers in 2016 (Vaughan, 2026).

The problem was that the classification did not translate into practice. ASB failed to conduct adequate ongoing customer due diligence on 2,624 foreign trust customers during a period in which they engaged in 655,115 transactions totalling approximately NZ$9.37 billion (Vaughan, 2026).

That is a substantial quantum of transactions involving high-risk customers passing through ASB's systems without the scrutiny the law required. As the Reserve Bank's counsel noted in court, almost 72 per cent of ASB's foreign trust customers had not been reviewed in connection with more than NZ$9 billion of transactions (Vaughan, 2026).

The foreign trust exposure is not a technical footnote. It goes to the heart of what transaction monitoring exists to achieve: ensuring that the customers a bank does business with, particularly those in high-risk categories, are subject to active, ongoing scrutiny rather than periodic, inadequate review.


The Typology: Institutional Drift as Compliance Failure

The ASB case represents a distinct money laundering typology. Unlike cases involving external criminals exploiting a bank, this one involves an institution gradually drifting away from the standard required to detect them.

This typology has three defining characteristics.

The first is early identification without proportionate response. ASB identified problems in its transaction monitoring system as far back as 2013 and had them formally flagged by external advisers in 2017, 2019, and 2020. Each identification was acknowledged. Each generated some response. None generated sufficient urgency to prevent years of cumulative under-compliance.

The second is resource rationalisation. ASB's lawyers acknowledged in court that the bank had taken steps in response to identified deficiencies but accepted it had not done enough quickly enough. The Reserve Bank's counsel argued the bank was "under-resourced because of commercial prioritisation of other matters" (Vaughan, 2026). ASB disputed the characterisation, but the outcome speaks for itself: a NZ$11 billion-plus backlog and years of under-reviewed transactions.

The third is delayed disclosure. Knowing about a problem is not the same as disclosing it. ASB's gap between internal awareness (December 2019) and disclosure to the Reserve Bank (February 2023) is among the most consequential aspects of this case. That delay denied New Zealand's intelligence and enforcement agencies the time-sensitive information they needed to detect and respond to potential money laundering activity.

Together, these characteristics describe a form of systemic complacency that is, in many ways, more dangerous than isolated misconduct. Isolated misconduct can be identified, contained, and remedied. Systemic complacency affects entire programmes, entire customer bases, and entire categories of risk, often for years before it surfaces.


The Human Element: Why Good Institutions Drift

Understanding how ASB reached this point requires an honest examination of the psychological and institutional dynamics that allow compliance drift to occur in large, well-resourced, and professionally managed organisations.

This was not a case driven by greed, addiction, or deliberate deception, the motivations that characterise many individual money laundering cases. What the ASB case illustrates is something more subtle: the way in which the felt urgency of compliance obligations can erode, gradually and almost imperceptibly, in a large institution under competing demands.

When an audit finding is made and logged, it feels like progress. When a remediation plan is created, it feels like action. When consultants are engaged, it feels like the problem is being addressed. None of these steps is wrong in itself. The danger lies in allowing them to substitute for the harder work of fundamental system remediation, particularly when that work requires significant resource, disrupts other priorities, and does not generate revenue.

There is also a psychological dimension to the scale of the problem. When a backlog of tens of thousands of alerts exists, the scale itself can become paralysing. It is easier, psychologically, to manage a backlog than to disclose it to a regulator, particularly if internal narratives hold that it will be resolved in due course.

That is not a comfort. It is a warning. The ASB case shows that regulators are no longer satisfied with assurances of eventual resolution. The AML/CFT Act has been in place for well over a decade. The Reserve Bank's acting Assistant Governor of Financial Stability, Angus McGregor, was unambiguous: systems and resourcing adequate for full compliance are now an expectation, not an aspiration (Radio New Zealand, 2026a).


What the Penalty Reflects and What It Does Not

The NZ$6.731 million penalty is the largest imposed under New Zealand's AML/CFT Act. It is also, as some observers have noted, modest relative to ASB's financial scale, equivalent to approximately 0.26 per cent of the bank's net profit after tax in the year to June 2025 (NZ Herald, 2026a).

That disproportion has not gone unnoticed. Associate Justice Minister Nicole McKee, in a Cabinet paper released alongside the penalty, acknowledged that current maximum penalties were "not sufficiently dissuasive for large businesses and may be seen as a 'cost of doing business'" (NZ Herald, 2026a). She signalled plans to introduce legislation to substantially increase penalties, including the possibility of fines set as multiples of commercial gain or as a proportion of turnover.

The contrast with Australia is instructive. In 2018, ASB's parent, Commonwealth Bank of Australia, was fined AUD$700 million for AML/CFT breaches. In 2024, SkyCity New Zealand was fined NZ$4.1 million for breaches comparable to those that attracted an AUD$67 million penalty against SkyCity Adelaide (NZ Herald, 2026a). The quantum of New Zealand's penalties has historically sat well below those of comparable jurisdictions, and the Government's reform agenda reflects that gap.

The ASB penalty is therefore best understood not as a conclusion but as a marker: the current high-water point in an enforcement trajectory that is clearly moving upward. That trajectory matters for every institution operating in New Zealand's AML/CFT landscape.


A Sector-Wide Pattern

ASB is not alone. The enforcement pattern across New Zealand's regulated sectors in recent years reveals a consistent theme: institutions of varying sizes and types have been found wanting in their AML/CFT programmes, often in similar ways.

TSB Bank was fined NZ$3.5 million in 2021, the first bank the Reserve Bank had taken to court under the AML/CFT Act (Vaughan, 2026). SkyCity Entertainment was fined NZ$4.16 million in 2024 for systemic failures including risk assessment deficiencies, account monitoring failures, and enhanced due diligence shortcomings (Department of Internal Affairs, 2024). Christchurch Casino was penalised NZ$5.06 million in late 2025 for breaches spanning five years (Radio New Zealand, 2025). Most recently, the Reserve Bank filed proceedings against The Co-operative Bank, with a recommended penalty of NZ$1.425 million (NZ Adviser, 2026).

The pattern is not coincidental. It reflects a regulatory approach that is becoming more systematic, more willing to litigate, and more focused on substantive compliance outcomes rather than the existence of documentation.


The Supervisory Transformation

The ASB case arrives at a pivotal moment in New Zealand's AML/CFT architecture. From 1 July 2026, the Department of Internal Affairs becomes the sole supervisor of the AML/CFT system, replacing the previous three-supervisor model that spanned the Reserve Bank, the Financial Markets Authority, and the Department of Internal Affairs itself (Ministry of Justice, 2026).

The move to a single supervisor is framed in the Government's National Strategy 2026–2030 as a shift towards a "truly risk-based" system, one that cuts unnecessary compliance burden for low-risk customers and transactions while sharpening scrutiny where risk is genuinely elevated (Beehive.govt.nz, 2026). The strategy also flags the development of new DIA investigation powers, updated codes of practice, and a new industry levy to fund the regime.

For AML/CFT professionals, the transition carries a clear message: a more unified, more coordinated supervisory model is likely to be a more capable one. Patterns that might previously have fallen between supervisory jurisdictions will be harder to miss. Entities that have relied on supervisory fragmentation, whether consciously or not, should anticipate closer scrutiny.


What This Means for Compliance Professionals

The ASB case offers several concrete lessons for lawyers, accountants, fintechs, and other reporting entities.

Documentation of known deficiencies is not a substitute for remediation. ASB had audit reports, consultant reviews, and regulatory correspondence dating back years. None of that documentation insulated it from enforcement action. The Act requires functional compliance, not filed evidence of intention.

Disclosure timelines matter. The gap between internal awareness of a problem and external disclosure to the supervisor is itself a compliance issue. AML/CFT professionals who become aware of material programme deficiencies should understand that delay carries its own risk, both regulatory and reputational.

System limitations are not self-executing defences. Predator's constraints were known from 2013 and flagged repeatedly. ASB's response to those constraints, extending the system's operational life whilst managing its limitations, was ultimately found inadequate. When a core compliance tool is demonstrably unfit for purpose, the obligation is to replace it, not to manage around it indefinitely.

Resource arguments require more than articulation. ASB's position, that AML projects could not all be delivered simultaneously and that accessing recognised expertise was a challenge, was not accepted as a sufficient explanation for years of under-compliance. Courts will assess outcomes, not intentions.


Why Your Work Matters

The ASB penalty may not involve a criminal case or a named perpetrator. But it is, in a direct sense, about the intelligence that New Zealand's law enforcement and security agencies depend on to detect and disrupt money laundering.

Every transaction monitoring alert that is not resolved in time is a window of opportunity for criminal activity that goes undetected. Every suspicious activity report filed late is information reaching intelligence agencies after it could have been acted upon. Every foreign trust customer not subject to adequate ongoing due diligence is a potential channel through which the proceeds of crime can move without scrutiny.

The Reserve Bank's McGregor put it plainly: non-compliance with transaction monitoring and reporting requirements "denies New Zealand intelligence agencies crucial time-sensitive information that is needed to detect and deter money laundering and terrorism financing from impacting New Zealand communities" (Radio New Zealand, 2026a).

That is not regulatory rhetoric. It is a description of a real-world consequence that flows directly from the kind of compliance drift that the ASB case represents.

Your role as an AML/CFT professional, whether in a bank, a law firm, an accounting practice, or a fintech, is to ensure that the systems and processes under your stewardship are not drifting in the same direction. That means not just identifying problems, but pursuing their resolution with the urgency the law requires. It means treating disclosure to the supervisor as a professional obligation rather than a last resort. And it means understanding that the value of your work is not measured in reports filed or checklists completed, but in the intelligence that reaches New Zealand's law enforcement community in time to make a difference.

The ASB case is a reminder that compliance is not a background function. It is, as the Reserve Bank has now demonstrated, a core institutional obligation enforced, when necessary, by the highest court in the country.


References

Beehive.govt.nz. (2026, February 13). National strategy launched to cut AML red tape and crack down on criminals. New Zealand Government. https://www.beehive.govt.nz/release/national-strategy-launched-cut-aml-red-tape-and-crack-down-criminals

Department of Internal Affairs. (2024). SkyCity Entertainment Group AML/CFT enforcement action. New Zealand Department of Internal Affairs. https://www.dia.govt.nz

Ministry of Justice. (2026). Tackling money laundering and terrorism financing. New Zealand Ministry of Justice. https://www.justice.govt.nz/justice-sector-policy/key-initiatives/aml-cft/

NZ Adviser. (2026, June 10). ASB's $6.7m fine is a warning shot: are your AML systems ready? NZ Adviser / MPAMAG. https://www.mpamag.com/nz/news/general/asbs-67m-fine-is-a-warning-shot-are-your-aml-systems-ready/578343

NZ Herald. (2026a, June 17). ASB fined $6.7m for unchecked transactions worth billions. Government to beef up anti-money laundering regime with tougher penalties. The New Zealand Herald. https://www.nzherald.co.nz/business/companies/banking-finance/asb-fined-67m-for-unchecked-transactions-worth-billions-government-to-beef-up-anti-money-laundering-regime-with-tougher-penalties/premium/UT3F5KSEIVDHDBUFWSBLL2M3BY/

Radio New Zealand. (2025, October 7). High Court agrees to $5m penalty for Christchurch Casino after Internal Affairs investigation. RNZ. https://www.rnz.co.nz/news/business/575165/high-court-agrees-to-5m-penalty-for-christchurch-casino-after-internal-affairs-investigation

Radio New Zealand. (2026a, June 10). ASB fined $6.73m for breaches of money laundering law. RNZ. https://www.rnz.co.nz/news/business/597803/asb-fined-6-point-73m-for-breaches-of-money-laundering-law

Radio New Zealand. (2026b, December 15). ASB agrees to $6.7 million penalty for anti-money laundering, countering financing terrorism rule breaches. RNZ. https://www.rnz.co.nz/news/business/581863/asb-agrees-to-6-point-7-million-penalty-for-anti-money-laundering-countering-financing-terrorism-rule-breaches

Reserve Bank of New Zealand. (2026, June 10). ASB Bank ordered to pay $6.731 million in largest AML/CFT penalty to date. RBNZ. https://www.rbnz.govt.nz/news-and-events/news/2026/06/asb-bank-ordered-to-pay-largest-aml-cft-penalty-to-date

Vaughan, G. (2026, March 27). Foreign trust monitoring failures related to $9.37 billion of transactions included in ASB's anti-money laundering non-compliance. interest.co.nz. https://www.interest.co.nz/banking/137820/foreign-trust-monitoring-failures-related-937-billion-transactions-included-asbs