Privacy Policy

FIRMA Foreign Exchange Corporation (NZ) Ltd. (referred to as “FIRMA”, “we”, “our”, or “us”) is committed to safeguarding your personal information in adherence with the New Zealand Privacy Act 2020.

Firma is owned by OFX Group Limited, listed on the Australian Stock Exchange as OFX. OFX is a global company with offices and employees around the world. To offer our services to you, your information may be shared with other companies in the OFX group and be processed in accordance with the OFX Privacy Policy. When your information is transferred outside of New Zealand, we will treat your information with the same privacy principles as required under New Zealand law.

Personal information means any factual or subjective information about an identifiable individual, and can include an individual’s name, address, phone number, identifying number, financial information, etc.

Note that only your information as an individual is protected under New Zealand law. Our privacy policy, however, extends to both individuals and businesses, and other than the individual rights in Section 5 of this policy, which do not apply to a business, we protect business information in the same way as information on an individual.

This Privacy Policy describes how we collect information, how we use the information that we collect, who we share this information with, and the rights that you as an individual have over this information. This document also explains who to contact if you have any questions or concerns about your information.

  1. The Information that We Collect About You, and Why
  2. The Security of Your Information
  3. Disclosure of Your Information to Third Parties
  4. How Long We Keep Your Information
  5. Your Individual Rights
  6. Who to Contact

1. The Information that We Collect About You, and Why

We collect only the information that we need for the purposes of providing you with superior services. In order to collect your information, we will either ask for your permission, or make you aware that the information is required for legal or contractual reasons before providing you with our services. The information we collect includes:

Website Cookies

Our website,, uses cookies, which are small bits of information that are placed on your computer to help you experience our website better. For more information about our use of cookies and how they may affect your privacy, please consult our Cookie Policy.

Information from Our Website, Contact Details and Basic Information

You may choose to provide information about yourself by filling in a form on our website. This can include your name, email address, phone number, and address, as well as other information about you or your business.

We may also collect your business contact information through a third party, a referral, from your website, or directly from a personal meeting with you.

We use your information to determine how you might get the most benefit out of the products and services we have to offer. If we see that our products and services might be a fit for you, we will use your contact details to reach out to you and establish a business relationship.

The information that we initially collect is your business contact information. If, however, you have provided us with your personal contact information, we understand that you have provided us with the information only for the purposes of contacting you, and we will use it only for this purpose. If at any time, you change your mind and no longer want to hear about our products and services, you can ask that your information be removed from our contact list. More information on this can be found in Sections 5 and 6.

Your Preferences and Opinions

We want to understand your preferences and opinions to help serve you better. We may ask how and when you like to be contacted, the information that you would like to receive from us, your opinions on our products and services, and what you would like to see from us in the future. We will collect this information through direct dealings with you, via anonymous surveys, or through online forms. You can manage your preferences through our email preferences page. More information on this can be found in Sections 5 and 6.

Account Opening Information

In order to use our services, we need to collect and verify information about you in order to satisfy our legal obligations under The Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act and Regulations. These regulations include provisions to collect information on both organisations and individuals as well as verify this information using reliable sources.

For businesses, the information we collect can include registration documents, ownership information and general knowledge of your business operations.

The information we collect about you as an individual, will include personal information such as your legal name, home address, and date of birth occupation and phone number. We are required to collect your information if you set up an account for yourself, or if you are working on behalf of a business, such as being an owner, director, partner, or contact person for the business.

We may also require documents such as a copy of a valid driving license or passport to verify the information you have provided us.

The information that we collect will be mainly from you, however we will also collect information from other sources, such as from your website and government registries. 

As mentioned above, your information is required by us to fulfil a legal obligation. If you want to open an account with us, you will need to supply your information. We will use this information for recordkeeping purposes and to fulfil our legal requirements under the AML/CFT Act. We will also use this information to contact you about your account, to send you confirmations and contracts, to notify you if there are security concerns on your account, to resolve disputes, and to give you general information about your account.

Most of the information that we send you will be about the operation of your account and is required for legal or contractual purposes. The exception to this is marketing material, which you can opt in or out of at any time.

If we are setting up an account for a business, and you are the contact for that business, we may ask you information about the owners or directors of the business. This information is for legal purposes under the AML/CFT Act. If these people are not otherwise contacts with us, we ask that you provide them with a copy of our privacy policy so that they are aware of how we protect their information. We will not use their information other than to fulfil our legal obligation under the act and regulations.

Banking Information

In order to process transactions for you, we will require general banking information such as the account owner, bank account number, account owner’s address, bank name, and banking Id (i.e. SWIFT code, Sort code).

The banking information that you provide may be your own, however may also be the information of the person you will be paying through us. When providing banking information that is not your own, we require that you share this privacy policy with that person so that they are aware of the privacy standards that we commit to, and can contact us if they have questions or concerns.

When we receive money from you, your bank will include a reference to your name, address, transaction reference and the bank that you used to perform the transaction. We collect this information as confirmation of your payment to us.

As per the AML/CFT Act, we are legally required to keep a record of your transaction information as well as a record of your payment instructions through Firma.

Credit Information

When you apply for certain products and services, such as high volume direct debits or zero deposit forward contracts, we will perform a credit check on you. This credit check ensures that we are not exposed to any financial risk when providing the product or service to you.

We may request financial information about your business, or perform a credit search using a reliable credit bureau. We will use this information to decide if these specific products and services can be offered to you.  As this information is specific to these products or services, we will let you know before we collect this information so you are aware of our use of your information for these purposes. At that time, you can decide if you want to go forward with your application for these products or services, or choose to stick with our other products and services that do not require credit information.

Incidental Information, Minors, and Special Categories of Information.

We will not ask for information about minors, and we ask that you do not supply information about minors to us. Individuals must be over 18 years of age to do business with Firma.

We will not request information that would not be necessary for you to do business with us, such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health information or information concerning a person’s sex life or sexual orientation.

While Firma does not seek to collect the information described above, this information may be inadvertently captured through our interactions with you. For example, you may advise that you are feeling ill in the same email that you provide us with transaction instructions. Because we capture the email for recordkeeping purposes as it includes transaction details, we will have also inadvertently captured information about your health.

By agreeing to our privacy policy, you are agreeing that any incidental collection of this information is allowed, and you are aware that Firma will not use this information for any purpose other than store the information as part of our records. You are aware that unless we are legally required to, via a court ordered subpoena, we will not share this information with anyone.

In rare cases, we may inadvertently request personal information that we would otherwise not collect in normal business practices. For example, we may require the purpose of your transaction, or an invoice to support your transaction if it involves money going to a certain parts of the world. Let’s say that the purpose of your transaction is to pay for the medical bills for a child family member. If you provide that information to us, we would have collected information on a minor, information on that child’s health.

If we make a general request for information, we ask that you advise us that your answer could include personal information or information on a minor. We will then assess if we can satisfy our contractual or legal requirements in a different way, or if the information is necessary to facilitate your transaction request with us. If the information happens to be necessary, we will inform you. You can then make a choice to either provide us with the consent to process your information specifically for that transaction request, or you may choose to modify your transaction request with us.

2. The Security of Your Information

We protect your information from any accidental or unauthorised access, modification, or loss. This protection includes both physical and IT security measures, including the following:

Regular Risk Assessments

We conduct regular risk assessments, which means that we review the risks that your information could be accessed, modified or lost. A risk assessment will include research on new and emerging fraud and security risks, and how they may affect the security of your information.

Using this risk assessment, we then build security controls to ensure the protection of your information, against both current and future fraud and security risks.

Controls and Monitoring

We use up to date firewalls and IT infrastructure to ensure that your information is protected. These systems are monitored on a regular basis to ensure that if malicious activity or risks to your personal information are found, they are stopped before any damage is done.

Regular Testing

Not only are our IT systems tested on a regular basis, but our people are too. Fraud isn’t only about hacking systems. It is also about ‘hacking’ individuals by tricking them into providing access to secure systems.

We regularly test both our systems and people to ensure that the controls that we place to protect your information are sound, and the people that are involved in those controls are well informed and aware of our security measures over your information.

Our People

Our employees go through vigorous security checks in order to work for us. We ensure that they do not have any criminal history and can be trusted with your information. As an additional measure, your information can only be viewed by employees who specifically require access to your information in order to provide services to you, or by employees who are in security or regulatory reporting roles.

A few of the ways we control access to your information is through measures such as swipe cards to access our offices, passwords to open our computers, further passwords to open applications on those computers, and limits on access according to job function.

3. Disclosure of Your Information to Third Parties

We will not share your information with any third party, other than what is necessary to perform a service that you have requested or for our own internal business needs. We will share your information in the following circumstances:

To Communicate With You

When we reach out to you for surveys, e-newsletters, or similar emails, we may use a third party provider (software or other service) to facilitate that service. The third parties that we use are under contract so that they do not use your information for their own purposes and do not share your information further. We also do regular checks to make sure that the third party adheres to security protocols designed to protect your information.

To Keep Your Information Up to Date

We may use a third party service to provide us with updates about your business, for example if you have changed addresses, your website, or other business information. In order to do so, we need to provide the third party with your basic details, and they will update our records accordingly, based on public information about your business. When we do so, we ensure that the third party is under contract, and not able to use your information for any other reason.

To Facilitate Your Transactions

If you request a payment through us, we will need to share your information with our banking partners in order to facilitate your request. 

When we process your information, we may also use third party software programs to do so. This includes software used for business operations, fraud prevention, client management, customer service, security, and other important functions to make your transactions safe, secure, and timely.

Similar to the services we use to communicate with you, the third parties that we use to facilitate your transactions are also under contract so that they do not use your information for their own purposes, do not share your information further, and hold your information securely.

To Offer Other Services

Some of the products and services that we offer to you, may be provided by one of Firma’s partners as opposed to being provided by Firma directly. If this occurs, we will notify you of this relationship and you will have the option of accepting or declining this offer. If you accept the offer, the personal information that you provide to Firma’s partner will be the responsibility of the partner, and bound by their privacy policy.

To Verify Your Identity

We verify the information you provide to us on our set up forms for fraud prevention purposes. We don’t want to open up an account for someone pretending to be you, and relying on false information. We are also obligated to verify your identity by the AML/CFT Act.

In order to verify your information as an individual, we will provide your information to a third party credit reporting agency who will use your credit records to tell us if the information we supplied to them is correct or not.

We verify the information about your business by reviewing your business filings and other registry documents. This does not include any sharing of your information with these registries.

Anti-Money Laundering, Sanctions Screening, and Risk Management

New Zealand economic sanctions require that business do not facilitate business with countries, businesses, or individuals listed on New Zealand sanctions lists. We screen all clients and parties to a transaction against known sanctioned individuals, and consider other areas of risk and compliance when processing transactions. In order to fulfil this requirement, we may share your name, date of birth and address information with a third party provider, who specialises in these services.

To Give you Credit

Some of our products and services require us to assess your credit risk to us. If you apply for any of these products or services, we will pull a credit report on your business, which involves us sharing your business and contact details to do so.

You may make a request for us not to pull a credit report on your business, however this may impact the transaction limits that we can supply you with.

For Legal Reasons

We must provide information to law enforcement or regulatory authorities where we are required to do so. We may also share your information with our own lawyers if it is necessary to solve a dispute.


You may have been referred to us by an affiliate. An affiliate is someone who has an agreement with us, where they let us know about companies that would likely benefit from our products and services. In exchange, we may provide them with an incentive for doing so.

If you were referred to us by an affiliate, and they are promised an incentive in return by us, they will get a breakdown of the number of clients that they have referred to us, as well a total number of transactions they have done. This breakdown is not client specific and will not include your name or identifiable details, however if the affiliate only has one referral, they could infer your transaction amounts and frequency through us.

For Our Own Statistics

We may share your information with a third party service provider in order to get statistical data on our client base. We do this to understand what kind of clients appreciate our services, and to determine if we are serving you in the way we intend to. When we do this, we ensure that the service provider is under contract and is not allowed to use your information for other purposes.

Mergers and Acquisitions

It is possible that Firma could buy, merge with, or be bought by another company. Prior to a merger or acquisition, we may need to share your information with the interested party and their advisors. This is done to determine the value of our assets prior to the merger or acquisition.

If the merger or acquisition is successful, your information will be transferred to the new owner/company. Your information will continue to be bound by this privacy agreement until it is updated or amended.

4. How Long We Keep Your Information

If you are our client, we are legally required to retain your information for 5 years from the date of your last transaction with us. If you set up an account but did not conduct a transaction, we keep your information for 5 years from the date your account was set up. In some instances, for example due to a dispute, law enforcement request, or to protect our interests, we may hold your information for longer than 5 years.

If you are not our client, you will have provided us with your information for contact and marketing purposes. You may remove your consent at any time, and we will remove your information from our systems.

You may want to request that we do not use your information for our marketing to you, instead of requesting us to remove your information completely. That way, we can have a record of your contact details, along with a record of your request for no contact.  If you ask us to delete your information completely, then we will not have either record and may accidentally contact you in the future if we come across your contact information on the internet or elsewhere.

5. Your Individual Rights

To Update or Correct Your Information

We want to make sure that we have correct information about you. If you see that something is inaccurate, reach out to us through your contact with Firma and let us know. We will then update our records to make sure that your information is corrected. 

We may ask for additional documents to verify the information you are supplying. This is part of our obligations under the AML/CFT Act to verify the information that you provide to us. If you are unable to provide the documents we request, we may need to delay the update of your information until you are able to provide us with them.

To Request a Copy of Your Information

We will let you know if we have any of your information and we will provide you with a copy of the information that we have collected about you. You can request all of your information, or you can be specific with your request. You can request this by reaching out to your contact with us, or by sending us an email to [email protected]. If you use our email, we will then reach out to you to explain our process for sending your information.

In short, though, we will first need to verify that the person making the request is you. We don’t want to provide your information to anyone that requests it. We will verify that it is you, by either requesting a copy of an identification document or asking you a series of questions that only you would know.

Once we have verified that it is you, we will need time to process your request. It may take up to 20 working days to process your request. If we are having unforeseen issues, and need more time, we will let you know and provide you with the timeframe for completing your request.

Limitations on Requesting Your Information

We have no problem with facilitating most requests to provide you with your information, however we reserve the right to charge a reasonable fee for repeated, or excessive requests. For example, if you request for all of your information to be provided once a month, each month, even though your information will not have changed, we will calculate the cost of doing so for the second and subsequent requests and ask that you provide a payment for this service.

To Withdraw Consent and Delete Your Information

You may withdraw your consent for us to use your information at any time. This means that you do not want your information used by us in any way. With that said, we will need to retain records of your information as part of our obligations under the AML/CFT Act where applicable.

Withdrawing consent to use your information will mean that we can no longer offer our products and services to you, as your information is contractually and legally required to be able to offer our services.

Where we do not have a legal reason to hold your information, we will then make efforts to remove your information from our records. If we cannot do so for legal reasons, we will let you know, as well as provide you with the date in the future when your information can be deleted.

To Opt Out

As opposed to removing your consent altogether, you have the option of removing your consent from specific products and services that we have to offer. For example, if you no longer want us to email you our newsletter, you can opt out at any time, while continuing to benefit from our other products and services.

To ask about this option, talk to your contact with us, and we will make the effort to provide you with exactly the products and services that you want.

Your Right to Lodge a Complaint

Privacy law adherence in New Zealand is regulated by the Privacy Commissioner. We ask that if you are dissatisfied with our services, you first reach out to us via our information in Section 6. If you are still dissatisfied, you may report a concern with the Privacy Commissioner via the information on their website

6. Who to Contact

If you have any questions or would like to contact us to make a request about your information, we ask that your first contact be with your regular contact with Firma. Otherwise, you can contact us via the information below:

Email: [email protected]


Attn: Privacy Officer

FIRMA Foreign Exchange Corporation (NZ) Ltd.

Level 7, 16 Kingston Street

Auckland Central, Auckland 1010