We’ve all heard about breaches of AML regulations from around the world and even a few from the big banks in New Zealand and Australia. These breaches can add up to some huge financial penalties for the businesses involved which seem way beyond the realm of most of us working in small to medium sized Kiwi businesses.
Let’s not kid ourselves though and start believing it’s only the big guys who are going to feel the impacts of breaching regulations. Authorities are issuing warnings to smaller businesses when necessary – it’s just not making national headlines.
We’ve been given long enough to get our AML ducks in a row and our time is up. Regulators will use every arsenal in their toolbox to ensure we meet our AML obligations so it’s time to make sure we get things right. And if we don’t, we face the risk of lengthy and difficult remediation actions, damage to reputation and unwanted fines.
The regulators at large
It was over ten years ago that the AML/CFT Act 2009 was passed into law and over eight years since the law came into effect in 2013.
The three regulators responsible for enforcing these laws are:
- The Reserve Bank of New Zealand (RBNZ) who are responsible for banks, non-bank deposit takers and life insurers.
- The Financial Markets Authority (FMA) who supervises financial service providers such as issuers of securities, trustee companies, futures dealers, brokers, financial advisers and collective investment schemes.
- The Department of Internal Affairs (DIA) who oversees compliance of casinos, non-deposit taking lenders, money changes, real estate agents, lawyers, accountants, conveyancers, and any other financial institution not supervised by the RBNZ or FMA.
We’ve been given time to learn and adapt to the law changes and implement compliance programmes and it’s not been an easy or simple process, but by now most of us have some AML practices in place designed to meet the requirements.
The risk is that after the initial burst of activity to meet the requirements we forget AML compliance is an ongoing process that takes ongoing effort. A lack of attention to monitoring and managing ongoing compliance will put businesses at risk of non-compliance at a time when regulators are becoming less tolerant of breaches and are increasingly using the law to enforce compliance.
What enforcement action can be served?
The regulators have a few choices when it comes to taking enforcement action.
Formal warnings
A formal warning notifies entities of where they have failed to comply with parts of the AML/CFT Act and what actions must be taken to ensure compliance with the Act.
A plan must be prepared by the entity detailing how and when it will complete actions outlined in the formal warning. Actions must be completed by the date agreed or set by the regulator. Failure to comply with a formal warning may result in enforcement action.
Enforceable undertakings
Enforceable undertakings are the specific steps an entity has to take to amend or correct deficiencies in its risk assessment and AML/CFT programme identified by the regulator.
Seek an injunction for the High Court
In the event an entity fails to meet the terms of the enforceable undertaking, the regulator may apply to the court for a court order directing the entity to comply with the enforceable undertaking.
Apply to the court for pecuniary penalties
The regulator may apply to the High Court to order a person to pay a pecuniary penalty.
For a civil liability act specified in section 78(b), (C), (d), or (g), the maximum penalty for an individual is $100,000 and for a body corporate or partnership it is $1,000,000.
For a civil liability act specified in section 78(a), (da), (e), or (f), the maximum penalty for an individual is $200,000 and for a body corporate or partnership it is $2,000,000.
Civil liability acts cover the fundamentals of the AML/CFT Act and include non-compliance activity such as, failure to adequately monitor accounts and transactions, failure to carry out customer due diligence, failure to adequately monitor accounts and transactions, and failure to implement or maintain an AML/CFT programme.
If the entity is considered to be acting knowingly or recklessly, they may also be convicted of a criminal offence and fined up to $5,000,000 if a business, $300,000 if an individual or face up to 2 years in prison.
These penalties will increasingly become a reality for businesses if they don’t have a robust AML compliance programme in place, as they will find it difficult to provide adequate remediation for any flaws identified in their AML programme quickly enough to satisfy the regulator.
Who is feeling the long arm of the regulators?
Banks, real estate property brokers, legal firms, insurers, investment companies and money remitters have all felt the weight of the law from regulators for not fully complying with AML regulations. And we can expect to see more enforcement activity from all three regulators as their expectation on entities to meet their AML obligations increase.
In 2019 the FMA Director of Regulation was already saying that:
“The FMA is requiring more entities to take remedial action following its monitoring. This is more likely now to be accompanied by formal enforcement action, as we expect reporting entities to understand and meet their obligations.”
Two years later as AML programmes mature this expectation continues and we can see more formal warnings, injunctions and penalties being delivered.
Key enforcement incidents
The FMA filed their first proceeding against a business (CLSAP) in June last year which has resulted in the High Court imposing civil penalties of $770,000 for anti-money laundering breaches. The FMA reported breaches as follows:
- Failures to conduct enhanced customer due diligence in relation to 12 transactions;
- Failure to conduct customer due diligence in relation to one customer;
- Failures to terminate existing business relationships when customer due diligence could not be completed;
- Failures to report suspicious transactions / activity on nine occasions; and
- Failure to keep records as required under the AML/CFT Act.
We also saw the FMA issue a formal warning to Sharesies in August, and in 2020 warnings were issued to Tiger Brokers as well as six private warnings to unnamed businesses.
Some of the failings these companies experience are centred around customer due diligence and know your customer (KYC), specifically:
- Obtaining adequate information about the nature and purpose of the proposed business;
- Adequately verifying identification documents;
- Obtaining sufficient information to determine whether enhanced customer due diligence is necessary; and
- Adequately conducting ongoing ongoing customer due diligence.
While every case is different, customer due diligence is something that with the right processes and procedures in place we can get right every time. To help avoid formal warnings or worse hefty fines ensure a robust AML compliance is in place and implemented along with an ongoing programme which reviews, updates and engages the whole team.
The FMA is not alone in taking proceedings to court as we saw RBNZ filing a case against TSB Bank in May which resulted in TSB being given a civil penalty of $3.5m for failure to comply with AML obligations. Westpac was also issued a warning by the RBNZ in August and have been given a series of actions which they are required to complete to ensure compliance with the Act going forward.
What about the DIA?
The DIA has also been recently active, taking enforcement action against Qian DuoDuo Limited in May as a result of suspected breaches, and took civil proceedings in July 2020 against two money remitters resulting in $7,585m in penalties.
Mike Stone, Director AML Group, Regulatory Services at the DIA stated:
“This judgment reflects the importance of monitoring customer transactions and undertaking enhanced customer due diligence where necessary to ensure funds are from legitimate sources.”
What can we do to avoid formal warnings?
The warnings that have been received by businesses in New Zealand show that much of the time we’re not actively trying to flout money laundering laws but rather we’re not being good enough at putting practices in place to meet initial and ongoing AML obligations.
Many of us put our best foot forward when the AML/CFT Act came into force and started to apply the necessary customer checks and recorded AML processes to help comply with regulations. However, that’s not enough. We need to ensure recorded processes are actually implemented, become part of our BAU activity and remain in effect ongoing.
4 steps to success
Take it seriously. It may not seem like it but there is a risk to not doing AML right. A risk to your business as deficiencies in your processes are uncovered, and a risk to facilitating criminal activity as you make it easier for criminals to launder their funds.
Apply best practice. All the time. Ensure you are conducting the right kind of due diligence on your customers and taking the correct steps to verify identity. Document the nature and purpose of the business with your customer and keep detailed records.
Quality assurance and update. AML doesn’t stand still. Actions need to be taken to review and maintain your AML/CFT programme. Ongoing due diligence will be required for some customers and you need to ensure processes are being followed correctly.
Implement. Having a well-documented AML programme is a great start but it’s not enough. Breathe life into your documents, ensure procedures are being put into practice, your teams are doing what they should and leaders in your business keep the programme alive and up to date.
Final thoughts
Remember, the regulators aren’t your enemy. They want to help with compliance – they have your best interests at heart so work with them, or if you need help to get your AML programme on track seek help from a qualified AML provider.
After 10+ years living with the AML/CFT Act our grace period is well and truly up, and we can expect regulators to take more formal enforcement actions if we can’t demonstrate our AML programmes are robust and meet all relevant AML obligations.
Read more from Alice Tregunna, in ‘remember that EIV is not CDD‘ to learn more about the regulators recent Explanatory Note on electronic identity verification.
Bob Blower 
Steven Zinsli 
