The DIA have been busy updating their compliance and enforcement documentation, as well as information on their approach to AML regulations, and the new publications are now available for us all to enjoy.
It’s not light reading but there are some important elements we need to take notice of as the updated information lays out key components to the DIA’s approach.
Here we break down some of the details.
The DIA’s approach explained
There are two key components to the approach: risk assessments and the Entity Risk Model (ERM).
1. Risk assessments
Risk Assessments sets out the ML/TF risk broadly in New Zealand, and in specific sectors. The National Risk Assessment, written by the Financial Intelligence Unit (FIU), assesses ML/TF risk NZ-wide. Sector risk assessments focus on the risks of each sector, which is written by the regulator for each sector.
While there are a number of captured entities, there are going to be some differences in ML/TF risk. The Risk Assessments, both sector-specific and NZ-wide, informs both the DIA’s regulatory assessments and the AML/CFT documentation of the reporting entities.
The ERM sits alongside the National and Sector Risk Assessments. The DIA utilises the ERM to assess the ML/TF risk of a reporting entity. This takes into consideration a few things:
The data provided by reporting entities in their Annual Report;
The types of products and services provided by the reporting entity;
Information received about reporting entities, such as information held by other government agencies or adverse media; and
The outcomes of regulatory assessments – such as desk-based reviews or onsite inspections.
This data informs how the DIA will undertake their regulatory assessments, and gives them information about the potential ML/TF risk within the business. This focuses regulatory assessments, so that they look into particular areas of risk relevant to the entity or the industry as a whole. Given that DIA regulates over 5,000 reporting entities, this information helps them focus their efforts into key areas of ML/TF risk.
What does this mean for reporting entities?
This can sound like the regulator is going to be knocking on your door while you’re reading this article! That is not the case, but it does mean there are a number of things you should be doing:
- Constantly update AML/CFT knowledge via training;
Review AML/CFT Risk Assessments and Compliance Programmes on a regular basis, either internally or with the help of a consultant; and
Ensure that your current procedures meet your obligations and work for your business, by running quality assurance checks.
It doesn’t quite stop there as there are additional elements that factor into undertaking regulatory assessments and enforcements. These include:
Trigger events: this may be adverse media, information or intelligence from other agencies, tip-offs, international AML/CFT events, or criminal activity.
Previous compliance engagement and activities – such as previous desk-based reviews or onsite inspections.
International trends or updates from entities such as FATF, or groups such as the Wolfsberg Group or Egmont Group.
These determine the monitoring activities for the regulator, enabling targeted and prioritised resourcing to maximise the outcomes on the reporting entity’s and sector’s AML/CFT compliance.
There is not a lot that will change for reporting entities that are already implementing a robust, risk-based approach to the prevention of anti-money laundering. What it does mean is that the regulators can, and will use regulatory tools that are fit for you as the reporting entity and your current state of compliance, so it will pay to ensure you are compliant rather than deal with any warnings, remediation or penalties.
If you’re not sure your compliance programme is up to scratch or would like some help deciphering the changes, please get in touch with one of our team of compliance experts.
DIA Approach to Regulation of AML and CFT