Financial Services & Fintech
Clients don't forgive a breach the way they forgive a bad year
FMA-ready security support for NZ financial services firms and fintechs — built around the 72-hour reporting clock, the customer query that becomes an incident, and the board minute that needs a name beside cyber risk.
Sector Reality
The question a customer or insurer asks before the deal
It rarely starts with a breach. It starts with an FMA thematic reviewer asking how client data travels between the FAP (financial advice provider) and the admin partner.
Waiting costs more under an FMA or AML/CFT review. A client-data question becomes a formal FMA finding. A correspondent-bank questionnaire becomes a widened exclusion. An RBNZ query becomes a parent-company problem. Each one lands with a deadline that was achievable three months before the reviewer called.
Common Pressure Points
Where the questions cluster before the deal lands
Where the FAP licence, the AML/CFT obligation, and the audit committee all ask for the same piece of evidence in different formats
When FMA asks who owns cyber risk, can you name one person without pausing?
FMA and RBNZ now expect boards to actively own cyber — not to have delegated it, not to have 'IT looking at it.' When the inspector asks who reviews cyber risk and how often, the answer is meant to be one name and one date. Firms with one clear owner and a standing review cadence don't end up in that conversation. The others do.
72 hours to report. Most firms have never tested what reporting looks like.
The reporting clock starts the moment the incident is known, not the moment someone writes the notification. Firms without a tested process spend the first three hours arguing about whether it qualifies, and the next twelve trying to get the right people in the same conversation. The deadline doesn't move for you.
A customer queries a transaction. The log shows a staff login from a device no one recognises
Customer queries happen every day. But when the audit log shows a login at 2am from a laptop no one can place, the conversation turns from 'customer service' into 'incident' into 'regulatory disclosure' in the same morning. Firms with a written incident plan move through those three conversations calmly. Firms without one spend the day writing the plan instead.
A cyber incident in your anti-money-laundering system brings in two regulators, not one
AML/CFT duties and cyber risk aren't separate problems. Your identity checks, transaction monitoring, and suspicious-activity reporting all sit on top of technology that can fail or be compromised. When something breaks in that stack, FMA and the Department of Internal Affairs end up in the same email thread — and they don't coordinate for you.
Standards That Apply
The evidence that ends the questionnaire loop
Common obligations and buyer expectations
Relevant Services
First month: baseline, ownership, and one piece of evidence
The first move: an AML/CFT-aligned control baseline, a tested client-data handling map, and one piece of evidence ready for the next FMA thematic or correspondent-bank review.
Stop Guessing When A Buyer Asks How Secure You Are
See where the business is exposed, what matters first, and what should be fixed before the next review, buyer question, or renewal lands.
Track The Suppliers That Could Expose The Business
Track supplier security risk in one place so onboarding, renewals, and exceptions stop living in scattered emails and spreadsheets.
See what an auditor will ask for before they ask
See how ready you are for audit and assemble the evidence before the auditor, customer, or assessor starts the clock.
Stop Rebuilding The Same Evidence For Every Standard
Stop rebuilding the same evidence for every buyer, framework, and audit request by showing where one control can satisfy more than one demand.
Run The First Hour Of An Incident Without Winging It
Give the team a usable response plan for the incidents most likely to hurt the business, before the first real incident hits.
Catch privacy risk before the project launches
Work out whether a project creates privacy risk before launch, with clear decisions, mitigations, and evidence you can stand behind.
Questions We Hear
The questions every discovery call opens with
We're a small firm — can we justify the cost of security support?
NCSC reported $7.8 million in quarterly cyber-incident losses in Q1 2025, up 14.7% quarter-on-quarter. FMA and RBNZ now require 72-hour incident reporting, and operational-resilience enforcement keeps intensifying. Support starts from $1,750 a month — less than the cost of a single FMA compliance finding.
Our IT team already handles security — isn't that sufficient?
Your IT team manages your technology stack. But FMA expects boards and senior management to demonstrate active oversight of cyber risk — and that's not an IT function. Risk registers, board reporting, mapping to FMA guidance and AML/CFT obligations, vendor risk, and incident response planning sit above your IT team's remit.
We haven't been targeted — why invest in security now?
FMA scrutiny is intensifying regardless of whether you've been attacked. During inspections, FMA evaluates how cyber risk is owned — not just your technical controls. Firms without clear ownership, evidence, and a regular review cycle sit exposed. And with financial data commanding premium prices on criminal marketplaces, the question isn't whether you're a target — it's whether you'd know if you'd already been compromised.
Does this help with FMA compliance specifically?
Yes. Our work is structured around exactly what FMA looks at during reviews — board-level cyber risk reporting, the evidence trail, and the policy documentation that demonstrates active oversight. These are the specific elements the regulator assesses when it asks about operational resilience.
What Usually Happens Next
Tighten the evidence and ownership before the next review finds the gap for you
If FMA scrutiny, partner due diligence, or customer data risk is already active, we'll help you decide what needs to be documented, reported, and owned first — so the next conversation is calmer and better evidenced.