AML outsourcing companies can be a helpful addition to your compliance team by providing essential expertise to ensure your AML obligations are carried out in a fast, efficient and compliant manner.
Sounds great, but it’s not quite as simple as that.
For starters, there is no code of practice in New Zealand to regulate or assess the company you are entrusting to carry out your AML obligations. And outsourcing your obligations doesn’t mean you have outsourced your liability when the regulators come calling.
So while outsourcing can be a time saving, cost effective asset, it pays to dig a little before partnering with a company so you can be sure of exactly what you’re getting (and not getting) for your money.
Look behind the shiny curtain
Some marketing claims can be unintentionally misleading which can lead to some common misconceptions about what an AML outsourcing company can truly provide, and what this means for you as the reporting entity. Cutting through the marketing hyperbole and assessing the details of the service you will receive will help you get to the truth.
AML outsourcing misconceptions:
Identity verification can be done for tens or hundreds of countries
If you want to do it right, this statement is untrue. New requirements for electronic identification verification (eIDV) published by the FMA in July 2021 means you have to go back to source data when conducting eIDV checks in order for them to meet your compliance needs.
This just isn’t possible to do in all countries.
Technology can deal with all my customer due diligence (CDD) checks
Don’t fall for the technology dream. You cannot remove the human element when conducting customer due diligence.
Certainly, to make AML compliance affordable and efficient, it needs to be largely tech based and largely automated, but you still need a human to handle the exceptions and decision points. Otherwise you are at risk of moving into a purely rule-based system, which is contrary to the intentions of the risk based system implemented in New Zealand.
It is a fallacy to think otherwise.
You can reuse information models
Yes you can reuse information. Just be aware that doing this opens up entities to bad actors using fraudulent information, or to ID theft. If you don’t have constant checkpoints and robust monitoring of your client base there is little chance of detecting things going awry.
Money launderers look for the weakest link. If they know an entity doesn’t reach the same levels of scrutiny, and doesn’t monitor changes or relationships as well as others, they will direct attention to that entity as a point of least resistance.
Biometrics can handle all verification requirements
Biometrics can be used to help identify your customer (through ‘liveness’ and ‘likeness’ checking) and provide confirmation of identity information (by going back to the source data, such as the NZTA driver licence database or the DIAs passport data), but you will still need to match your customer to the identity claimed to ensure they are one and the same person.
The FMA states “Only an electronic source that incorporates biometric information or information which provides a level of confidence equal to biometric information enables an individual’s identity to be verified to a high level of confidence.”
These are just four of many misconceptions, so when choosing your AML provider look out for false or misleading promises, and choose a company that truly understands the right practices to put in place to fight money laundering.
What to look for in an outsourcing company?
As well as doing the usual business checks, examine whether the services provided will actually help ensure compliance. It is often assumed that compliance is guaranteed, but without any code of practice in place for outsourcing companies, not all will necessarily have the right skills, tools or expertise.
- How well does the business want to understand your company and the problems you are facing? Each entity is different, and this exercise should be more than just ticking a box.
- Be cautious of companies who say they are much cheaper and promise the world. Like most things in life, you get what you pay for. If they say they can do it cheaper, ask yourself why. Are you comparing like for like? Do they have the expertise and the required data levels to truly meet identity verification requirements?
- Talk to a few providers. Make sure they are a good fit for your company.
- Make sure deliverables are clearly outlined. How long will customer due diligence checks take? Will they be supplying you with the annual report data you need for your supervisor? Are the systems auditor ready?
- Ask if you can test the waters with a trial.
- Confirm what is done with your data. Ensure it isn’t held to ransom and is always available to you even if you move providers. Remember, you need access to records for 5 years after an entity stops being your client, and you also need to have enough information to recreate a transaction at any moment if called upon by the regulators or the Financial Intelligence Unit. For example, many eIDV providers purge data after 7 days so you need to maintain copies as well as records of verification checks and document your decision making.
Making these checks can take time, but in the long run the cost of remediation and brand damage is bigger than taking the time to get the right solution in place.
The secret to AML outsourcing success
Be vigilant, and wade through false promises to get to the truth before choosing a partner.
Despite any exaggerated claims to the contrary, you will still need to engage and take part in due diligence activities even with an outsourcing provider by your side, and technology (at least at the moment) can’t do it all.
It is you who will be liable if your AML activity doesn’t meet regulator’s expectations, so don’t assume everything has been done properly, review and confirm what the provider has actually done for you.
You understand your customer, their situation, history, and relationships better than anyone, so you will have a crucial understanding of any potential risks. Stay on top of things, stay close to the work being done, and run a quality assurance service alongside your outsourcing partner, or run your own QA checks.
By no means is it all marketing gloss or false promises out there, and intentions are good, but some misunderstandings about what is required to protect NZ from money launderers means we are leaving the door ajar – allowing us to be taken advantage of.
AML outsourcing companies are an important part of the AML landscape, and the number of entities using their services in NZ is increasing. Their expertise can be invaluable and the time and cost savings for entities are significant.
Just remember, it is prudent to examine any service or performance claims made by a provider before locking yourself in, check, compare, and make sure it’s fit for purpose. And, like any promises, if it’s too good to be true, it probably is.
To help keep on top of your CDD requirements, read our 7 point checklist to getting customer due diligence sorted.