New Zealand’s Anti Money Laundering Act stipulates robust measures to keep financial misconduct at bay, yet the intricacies of AML compliance can leave organisations overwhelmed and confused. This article demystifies the AML/CFT Act, focusing on understanding the essential obligations of New Zealand entities.
By examining common reasons for compliance failures and providing strategies to meet your obligations, this piece will guide you through how you can confidently meet AML requirements. Whether you’re grappling with the nuances of the AML NZ framework or aiming to refine your strategies, this will help provide some answers.
Understanding the basics of New Zealand’s AML/CFT Act
Reporting entities across all sectors must continually carry out the AML requirements stated in the AML/CFT Act to ensure compliance. This includes conducting customer due diligence, monitoring transactions, reporting suspicious activities, training staff, and maintaining meticulous records.
Understanding the role of AML/CFT supervisors and the implications of failing to comply will also arm you with useful anti money laundering information. However, AML compliance in New Zealand goes far beyond simply ticking boxes or appeasing regulators. It involves developing an effective risk-based framework for your organisation, capable of detecting money laundering threats while ensuring the continued smooth running of your day-to-day business.
How to comply with NZ AML requirements
The upcoming sections shed light on each facet of your AML obligations, giving practical insights into preventing money laundering activities. Here we start with the cornerstone of any compliance activity – customer due diligence.
1. Ensure you carry out the right level of customer due diligence
Essentially when the AML/CFT Act refers to customer due diligence (CDD) it is referring to the process of collecting and verifying information on:
- The type of service being provided.
- The business relationship considering the nature and purpose of the transaction.
- The characteristics of the customer and the entity being used.
- The nature of the activity or transaction being undertaken and any potential red flags or risks that could indicate suspicion of money laundering or terrorist financing.
CDD must be carried out on your customer, the beneficial owner of your customer, any persons acting on behalf of your customer, and those with effective control over a customer.
To help prevent money laundering activity, ensure you conduct your due diligence at the appropriate times and do so according to the level of risk identified. Generally speaking, the higher the risk, the higher the level of CDD required, for example moving to enhanced CDD.
To help identify the level of activity you need to undertake, four types of CDD are outlined in the Act.
Simplified due diligence
Simplified due diligence can be applied to specific customer types. Generally it is for very low risk customers such as government entities, publicly listed companies and the like. A full list of entities can be found in Section 18(2) of the AML/CFT Act.
Standard due diligence
Standard due diligence is the most common level of due diligence for customers who have not been identified as high risk.
Enhanced due diligence
Carry out enhanced due diligence on customers identified as high risk, such as trusts, companies with nominee directors, shareholders, politically exposed persons (PEPs), and those where other red flags are evident.
Ongoing due diligence
Carry out ongoing CDD on higher risk customers, where there has been a material change in the customer’s business to ensure ongoing activities and/or transactions are consistent with the information and data you have previously acquired.
When is CDD required?
The Act states CDD must be carried out:
- If the reporting entity establishes a business relationship with a new customer.
- If a customer seeks to conduct an occasional transaction or activity through the reporting entity.
- If in relation to an existing customer, and according to the level of risk involved:
(i) there has been a material change in the nature or purpose of the business relationship; and
(ii) the reporting entity considers that it has insufficient information about the customer.
It is important to ensure you understand the level of risk your customer poses so you can carry out the appropriate level of CDD. In 2023 the Department of Internal Affairs (DIA) noted that some of their findings from entity reviews showed enhanced due diligence was not being conducted, or not conducted strongly enough to properly justify source of wealth/source of funds. Under the updated CDD guidelines issued in June 2024, you are now required to determine and document when you require source of funds (SoF) versus source of wealth (SoW); if the risk is extreme, you may require both.
Ensure you use increased measures and monitoring on customers identified as high risk when verifying the customer’s details, beneficial ownership, details of key people involved in transactions, whether the transaction is consistent with what you know about the customer, and source of wealth (SoW) and/or source of funds (SoF).
And remember, since June 2024 the AML/CFT Act requires you to collect additional information where you have grounds to report suspicious activity, or in certain cases relating to business relationships.
2. Don’t forget to submit prescribed transaction reports
Prescribed transaction reports (PTRs) are required for two types of transactions:
International Funds Transfers (IFTs) – an international wire transfer of NZD$1,000 or more where at least one bank (or financial institution) is in New Zealand, and at least one is in a different country.
Large Cash Transactions (LCTs) – a domestic, physical cash transaction (coins and printed money) involving NZD$10,000 or more.
For compliance, ensure reports are submitted to the Financial Intelligence Unit (FIU) using goAML or by automated file upload as soon as practicable, but not later than 10 working days after the transaction.
Reports must contain the following information:
- A description of the nature of the transaction.
- Transaction amount and currency.
- Date of transaction.
- Parties involved in the transaction.
- If applicable, the name of the facility through which the transaction was conducted, and any other facilities (whether or not provided by your business) directly involved in the transaction.
- Reports must also be signed by a person authorised by your business to sign prescribed transaction reports (unless the report is provided by electronic means other than an electronic copy of the signed report).
Ensure you keep copies of all PTRs submitted.
3. Know when to submit a suspicious activity report
It can be tricky to know when to submit a suspicious activity report (SAR), but if you have completed robust due diligence it should be easier to identify suspicious behaviour based on what you already know about your client and their activities.
If you become suspicious based on what you’re seeing from a customer, and you believe they are trying to use your business for illegal purposes, file a SAR.
You will need to file no later than three working days after you formed the suspicion and do this using goAML.
Details you will need to include when submitting your report are:
- Your business/branch address.
- Reasons for suspicion. Be detailed and include a description of the activity which triggered your suspicion, what your suspicion is, why you hold this view, and outline what role each party played in the scenario.
- Information on the client, such as address, date of birth, identity documents, contact details.
Failure to submit reports can have real consequences. In 2023 the DIA issued a formal warning to a New Zealand real estate company, stating they had concerns over the company’s failure to report suspicious activity on several of their listed properties.
So remember, submit your report if you have reasonable grounds to do so, and ensure you provide all the necessary information to make your report truly useful.
Submitting a SAR is more than a regulatory formality; it’s a proactive measure to safeguard your business and to support the prevention of crime in New Zealand.
Be sure to keep records of your rationale for submitting the SAR. Alternatively, if you make a risk-based decision not to submit, document how you came to that decision.
Another important requirement is to ensure that there is no communication with your staff as to whether a SAR has been submitted. This is to ensure that the customer is not “tipped off” that a SAR was submitted.
4. Be diligent with record keeping
The Act states that ‘in relation to every transaction that is conducted through a reporting entity, the reporting entity must keep those records that are reasonably necessary to enable that transaction to be readily reconstructed at any time.’
This may sound complicated but although it takes some discipline and organisational skills, it isn’t as complicated as it sounds. If you are carrying out due diligence properly, submitting SARs when required, and have your compliance programme in place, you will naturally have gathered many of the required records – it’s just a matter of ensuring you keep and store your records appropriately.
Records must include the following information, and you must keep them for at least five years (unless you are required by other regulations to keep them longer):
- Transaction and monitoring records
- Reports of suspicious activities
- Identity and verification records
- Risk assessment documents and AML/CFT programmes
- Audits
- Records that are relevant to the establishment of business relationships
It’s your role to ensure that these records are accessible and retrievable in a timely manner. Any discrepancies in this vital audit trail could expose your company to legal scrutiny and reputational damage, so you must manage this process diligently.
Five years after a customer disestablishes their relationship with you, you are required to securely destroy your records, unless you legitimately require them for specified reasons, and/or the Police Commissioner has requested you keep them.
5. Understand your responsibilities when relying on third parties
Reliance on third parties or outsourcing compliance activities can be a sensible, cost-saving solution which saves time and mitigates risk. Don’t get too complacent, however, as you are still ultimately responsible for ensuring you are complying with the AML/CFT Act.
Reliance on member of designated business group
A designated business group (DBG) is when two or more businesses or people agree to share AML/CFT obligations such as customer due diligence processes, reporting, and the creation of risk assessment and compliance programmes. This can be a great way to create a consistent experience for your customers, and share the burden of AML key processes. However, understand that being part of a DBG doesn’t excuse you from fulfilling your AML responsibilities.
- As a member of a DBG you may rely on another member of the group to make prescribed transaction reports under this Act or regulations, but you, and not the member of the designated business group you have relied on, are responsible for ensuring that you are complying with this Act and regulations.
- AML/CFT supervisors may require you to undertake your own risk assessment or develop your own AML/CFT programme if they believe the risk assessment or AML/CFT programme being relied on by you is not appropriate for your business.
Reliance on other reporting entities or persons in another country
In some circumstances, you may need to rely on another reporting entity or person to help conduct customer due diligence. If this is the case don’t forget you should still have done your own due diligence to ensure the reporting entity you are relying on is carrying out CDD in accordance with the Act.
Reliance on agents
As a reporting entity you may authorise a person or business to conduct CDD procedures for you. At tic company we help hundreds of entities with our AML outsourcing services, and it’s a great way for entities to safeguard their business and streamline AML obligations. As with reliance on any third party, it is important to ensure whoever you outsource to is meeting the requirements of the Act and understands the right practices to put in place to fight money laundering. Tic company will provide quick turnaround results on CDD requests and personalised service to support you with more complex transactions.
6. Know your AML/CFT supervisors
There are currently three supervising agencies who enforce the AML/CFT Act. It was announced in November 2024 that this will transition to a single Supervisor (The Department of Internal Affairs) in 2026.
The Reserve Bank of New Zealand (RBNZ)
Supervises banks, life insurers and non-bank deposit takers.
Financial Markets Authority (FMA)
Supervises issuers of securities, trustee companies, futures dealers, collective investment schemes, brokers, and financial advisers.
Department of Internal Affairs (DIA)
Supervises casinos, non-deposit-taking lenders, money changers and any other financial institutions not supervised by the RBNZ or the FMA, as well as designated, non-financial businesses or professions and high-value dealers.
Their functions extend to investigating and ensuring that your AML/CFT programmes are robust and effective. To navigate compliance successfully, understanding the expectations and inspection processes of these AML/CFT supervisors will be a useful tool in your armour.
Consider the supervisors as your partners in combating financial crime, and should your business be subject to a Supervisory review, work with them to enhance the strength and efficiency of your anti money laundering strategies.
7. Ensure you have established the essentials
Establishing an effective AML/CFT compliance programme involves two key steps: 1) conducting a comprehensive risk assessment; and 2) ensuring you have business-specific policies, procedures and controls to mitigate your ML/TF risk, and that your employees are well trained in compliance standards and practices.
Risk assessment
Before creating your compliance programme you will need to carry out a comprehensive risk assessment. This needs to be specific to your business, and it will inform you of the specific threats and vulnerabilities you might face, guiding the development of effective strategies to mitigate identified risks.
It’s essential to gather a detailed understanding of the nature, size and complexity of your business which could be attractive to money launderers, the types of products and services you offer, how you deliver these, the customers you deal with, and the countries you operate in, as all these factors can affect your risk profile.
Your assessment should include regular updates to reflect changes in the regulatory landscape or the operational aspects of your business. This proactive approach will help keep your risk management strategies both current and compliant.
Compliance programme
To comply with the anti money laundering Act, reporting entities must establish, implement, and maintain a compliance programme that includes internal procedures, policies, and controls aimed at mitigating their ML/TF risks.
The compliance programme should include details of:
- Staff vetting and training of key employees: senior managers, the compliance manager, and any other employee engaged in AML/CFT activities.
- How you carry out, and comply with customer due diligence requirements, and how you determine what level of CDD is required. Differentiate in what circumstances you will obtain and verify information regarding a customer’s SoW, or SoF, or both.
- What steps you will take to verify beneficial ownership and control for Trusts, depending on the level of risk identified.
- What procedures you are going to use to identify nominee partners in Limited Partnerships, and how you are going to record and verify details.
- How you determine the risk level when forming a business relationship with a company, and how you determine the level of CDD required.
- What you do to identify ultimate ownership and effective control. How you identify any nominee company, directors, and shareholders and how you are going to capture those with full control and not just the nominee.
- Suspicious activity reporting.
- Prescribed transaction reporting.
- Record keeping.
- What you do, and how you examine and keep written findings of unusual activity, complex or large transactions.
- How you monitor, manage, and keep written findings on business relationships with countries who do not have sufficient anti money laundering systems in place.
- What agents you use (if any), and the functions they perform.
You must designate an employee, or appoint a person to act as an AML/CFT compliance officer to administer and maintain your AML/CFT programme.
8. AML Audits
Audits are an essential part of your AML obligations and the Act dictates you must have an independent audit carried out on your risk assessment and compliance programme every three years.
The DIA has previously noted the most common areas of non-compliance identified by auditors included:
- Assessing the type of customers and institutions dealt with
- Lack of staff training
- Failure to keep risk assessments current
- Identifying PEPs and determining when to carry out enhanced customer due diligence
- Examining and keeping records on large, complex, or unusual transactions
Avoid these common mistakes by:
- Ensuring your employees receive regular training, and know how to conduct customer due diligence effectively. Provide detailed guidance in your compliance programme.
- Scheduling regular reviews of your risk assessment documentation to ensure information on your products, services and types of clients remains accurate and current.
- Running PEP checks on all clients and ensuring you are always reviewing customers against up-to-date information and datasets.
- Knowing your customer and understanding what activity may be unusual for their profile.
- Keeping comprehensive records and always completing prescribed transaction reports for international wire transfers for $1,000 or more, and domestic physical cash transactions for $10,000 or more.
9. Annual reports
The AML/CFT Act states an annual report must:
- be in the prescribed form; and
- take into account the results and implications of your audit.
This means, depending on what type of entity you are, you will either need to complete your annual report using the DIA AML Online portal or the FMA Service portal.
Designated non-financial businesses and professionals should use the DIA portal, and financial institutions or casinos should use the FMA portal.
The portals open on 1 July every year and you will have until the end of August to complete.
The information you are required to provide will centre around:
- The type of business you do and how you service your customers.
- The types of customers you’ve onboarded, and how many.
- How much money is involved.
- The methods you use to carry out customer due diligence.
- Results from any audit you may have had, and what actions you have taken.
Following a robust, well-structured record keeping process throughout the year will support easy completion of the annual report.
For tic company customers the online portal is updated each July with summary data, in the format required, for inputting to the annual report.
Conclusion
Understanding and effectively implementing the AML requirements outlined in New Zealand’s AML/CFT Act is vital for not only meeting compliance obligations, but also to help safeguard NZ’s economic and financial wellbeing.
It requires you to engage in robust customer due diligence, rigorous transaction monitoring, and meticulous record keeping which can be challenging. To overcome some of these challenges, ensure you have implemented training as part of your team’s plan to meet obligations, and consider how adopting tech solutions and/or partnering with an outsourcing company like Tic may help you.
Take your understanding of the Anti Money Laundering Act to the next level
Here are a few resources to help you implement some of the AML requirements in this guide.
Enhanced due diligence – learn the key things to do when carrying out enhanced due diligence and how it is different from standard due diligence.
AML NZ updates 2024 – discover the latest updates required for compliance programmes.
Beneficial ownership – review the ins and outs of beneficial ownership and what has (and hasn’t) changed following the Financial Action Task Force changes.