The transaction monitoring rules were not operating correctly. The assurance testing was inadequate. The record-keeping did not meet legal requirements. And none of it had been working properly since at least 2020.
In May 2026, the Reserve Bank of New Zealand filed civil proceedings in the Wellington High Court against The Co-operative Bank under the AML/CFT Act 2009. The bank has admitted liability for all three causes of action. The parties have jointly recommended a penalty of $1.425 million NZD, with the final determination resting with the court.
It is the second AML civil action the Reserve Bank has filed in six months. The first, against ASB Bank in December 2025, resulted in a proposed penalty of $6.73 million across seven causes of action. New Zealand's regulators are sending a clear signal, and the sector is on notice.
What Actually Happened
The Co-operative Bank is a New Zealand bank with a mutual ownership structure, majority-owned by its customers. It is not a large institution by global standards. And the failures identified by the Reserve Bank were not the result of rogue conduct or deliberate circumvention. They were systemic gaps in the compliance program that went undetected and uncorrected for years.
The proceedings relate to three core areas of failure under the AML/CFT Act 2009. First, transaction monitoring rules that were not operating correctly, meaning the system designed to flag suspicious activity was not functioning as intended. Second, inadequate assurance testing of account and transaction monitoring, meaning the bank had no reliable way of knowing its monitoring was broken. Third, insufficient record-keeping in breach of statutory requirements.
As a direct result of those failures, the bank was unable to identify higher-risk transactions and customers, carry out timely enhanced due diligence, and maintain the records required by law. It is not alleged that the bank was itself involved in money laundering or the financing of terrorism. The action is about the adequacy of the compliance systems, not participation in financial crime.
"This action again reinforces that prolonged and systemic failures to meet core AML/CFT obligations are serious and unacceptable."
Angus McGregor, Acting Assistant Governor of Financial Stability, Reserve Bank of New Zealand, May 2026
The Reserve Bank was explicit about what it expects from all reporting entities going forward: appropriate systems and resources to actively monitor customer accounts and transactions, supported by fit-for-purpose testing and assurance. The word "prolonged" in McGregor's statement is doing significant work. These were not new failures. They had persisted for years before enforcement action was taken.
Three Failures the Reserve Bank Identified
Each of the three causes of action admitted by the Co-operative Bank reflects a distinct breakdown in the AML/CFT compliance lifecycle. Taken together, they describe a monitoring program that had stopped functioning at multiple levels simultaneously.
Transaction monitoring rules that were not operating correctly.
The rules configured to detect suspicious transactions were not working as designed. This is the most fundamental failure in an AML monitoring program: the system that is supposed to generate alerts was not doing so reliably. When monitoring rules fail silently, the institution has no visibility into what it is missing. Transactions that should have been flagged for review were not, and higher-risk activity went unidentified as a result.
Inadequate assurance testing of account and transaction monitoring.
A broken monitoring system is a serious problem. A broken monitoring system with no assurance process to detect it is a systemic failure. The Co-operative Bank lacked adequate testing to verify that its monitoring was functioning correctly. This meant that the underlying failures persisted from at least 2020 without detection or remediation. Assurance testing is not a compliance formality. It is the mechanism by which an institution confirms its controls are actually working, not just present on paper.
Insufficient record-keeping in breach of statutory requirements.
The AML/CFT Act 2009 imposes specific record-keeping obligations on reporting entities. Those records exist to support both the institution's own compliance program and the ability of regulators and law enforcement to reconstruct activity when needed. The bank's failure to maintain adequate records compounded the monitoring failures: not only was suspicious activity going undetected, but the audit trail that would allow retrospective analysis was also incomplete.
The Bigger Pattern
The Co-operative Bank case does not stand alone. In December 2025, the Reserve Bank filed civil proceedings against ASB Bank for AML/CFT failures dating back to at least December 2019. ASB admitted liability for all seven causes of action, including failures to maintain an adequate compliance program, conduct ongoing customer due diligence, report suspicious activities within required timeframes, conduct enhanced due diligence, and terminate business relationships as required. The jointly recommended penalty was $6.73 million.
Two enforcement actions in six months, against two different institutions, for overlapping categories of failure. The Reserve Bank is not making isolated findings. It is describing a sector-wide compliance gap in transaction monitoring, assurance, and record-keeping that has persisted well beyond the point where "the Act is relatively new" could serve as a mitigating explanation. The AML/CFT Act 2009 has been in force for over a decade.
There is also a structural change on the horizon that compliance teams need to be aware of. From 1 July 2026, the Department of Internal Affairs becomes the single AML/CFT supervisor for all reporting entities in New Zealand, consolidating oversight currently split across the Reserve Bank, the DIA, and the Financial Markets Authority. The DIA has confirmed it is supportive of the Co-operative Bank action and will take carriage of the proceeding from that date. A new supervisor taking over an active enforcement portfolio is not a signal of reduced scrutiny.
What Functional AML/CFT Monitoring Looks Like
The Reserve Bank's enforcement record across both the ASB and Co-operative Bank cases is a practical checklist for what examiners will look for. Four areas consistently surface:
Transaction monitoring rules that are validated and maintained. Monitoring rules degrade over time. Customer behavior changes, product mixes shift, and rule logic that was calibrated for one risk environment becomes less effective in another. Rules need to be reviewed, tested, and updated on a regular cycle, not configured once and left to run. If your institution cannot demonstrate when its monitoring rules were last validated, that is a gap.
Assurance testing that actually tests whether monitoring is working. The Co-operative Bank's monitoring had not been operating correctly since at least 2020. That failure persisted because the assurance process did not catch it. Effective assurance testing goes beyond checking that the system is running. It verifies that the system is generating the alerts it should be generating, at the right thresholds, for the right transaction types. Sampling, back-testing, and independent review are all part of a functioning assurance framework.
Enhanced due diligence triggered on time and documented correctly. Both the ASB and Co-operative Bank cases involved failures to carry out timely enhanced due diligence on higher-risk customers and transactions. EDD is not a one-time onboarding task. It is a process that needs to be triggered by monitoring outputs, completed within defined timeframes, and documented in a way that can withstand regulatory scrutiny.
Record-keeping that meets statutory requirements and supports retrospective review. Complete, accurate, and retrievable records are a legal obligation and a practical necessity. When a regulator or law enforcement agency needs to reconstruct activity, the quality of an institution's records determines how that investigation proceeds. Gaps in records also make it harder for the institution itself to demonstrate compliance in an examination context.
The Sentinel Perspective
The Co-operative Bank case illustrates one of the most common and least visible compliance failures: monitoring that looks operational but is not actually functioning correctly, with no assurance layer to detect the gap. By the time an enforcement action arrives, the failure has already persisted for years.
Sentinel's continuous customer monitoring platform is designed to close exactly this type of gap. Rather than relying on periodic reviews or point-in-time screening, Sentinel monitors your customer base on an ongoing basis and generates alerts when new risk indicators emerge, whether through changes in customer behavior, updated sanctions data, or shifts in the broader risk environment.
For institutions operating under AML/CFT obligations in any jurisdiction, the question the Reserve Bank is asking is straightforward: are your monitoring systems actually working, and do you have the assurance processes in place to know if they stop? If the answer to either of those questions is uncertain, that is where the conversation with Sentinel starts.
See How Sentinel Supports Continuous AML/CFT Monitoring and Assurance
Request a demonstration tailored to your institution's compliance program and risk profile.
Official References
- Co-operative Bank Faces $1.4M Penalty Over AML Monitoring Failures — NZ Adviser, May 28, 2026
- ASB Admits AML Breaches as RBNZ Heads to High Court — NZ Adviser, December 15, 2025
- Reserve Bank of New Zealand — Official Website
- Anti-Money Laundering and Countering Financing of Terrorism Act 2009 — New Zealand Legislation
Truth Technologies provides AML, KYC, OFAC, and sanctions screening compliance solutions through the Sentinel platform. This post is published for informational purposes only and does not constitute legal advice. All facts are sourced from publicly available reporting and official regulatory sources linked above.
