As one of the largest AML/CFT auditors in New Zealand we regularly see AML/CFT documents that are far more complicated than they need to be. The most common example is where an over-the-top template has been purchased and then shoehorned, no matter the size or type of the business. These templates often specify processes that are unnecessary and overly complex making it less likely that processes will be followed.
The problem is that if you don’t follow your outlined AML/CFT programme you will be at risk of a negative audit finding as you are required by law to follow the programme you put in place. Effective AML/CFT programmes are built upon the legal requirements and your specific AML/CFT risk assessment. If the programme doesn’t reflect what you actually do, then you need to change it (provided you remain compliant with the law), so it reflects both what you do, and when you do it.
Common examples of unnecessarily onerous programmes we have seen include:
Specification of quarterly or six-monthly reviews of the AML/CFT risk assessment and programme.
It’s fine to review more frequently than annually if your business is rapidly changing. But, if your business is fairly static, then don’t burden yourself with unnecessarily frequent reviews that you constantly fail to undertake.
A training programme that is too ambitious and over-the-top.
What often happens here is that the training never takes place because it’s too onerous. You need to ensure all relevant staff are appropriately trained, but you don’t need to build a massive programme in the hope it will impress the AML/CFT supervisors.
Overly complex vetting.
Some vetting programmes are extremely complex, including saying they will personally meet the clients, will undertake loads of checks such as police and politically exposed person checks– and then don’t do them. Build a vetting programme that meets the law and is relevant to your business (electronic verification is the way to go).
Overly complex account monitoring and customer due diligence for small companies.
Again, if it’s too complex, compliance with the processes will fall by the wayside.
Key tips to make sure you’re on the right path
The key to meeting and staying compliant is to ensure that you follow the good ‘Policies, Processes and Controls’ (PPC) rule. When developing each of these the following general points are a good place to start.
Do you have AML/CFT policies that:
- Meet the legal requirements of the Act?
- Meet the expectations of your AML/CFT supervisor?
- Will mitigate the money laundering and terrorism financing risks you have identified for your business?
When developing your AML/CFT processes ask yourself:
- Do they meet the objectives of your policies?
- Are they necessary and realistically achievable?
- Are they legally compliant?
Is there an internal system in place that regularly checks that your processes are:
- Completed as described in your AML/CFT programme?
- Meeting the expectations of your AML/CFT supervisor? (This is important as legislative and regulation changes have happened regularly since the regime began).
- Recording all errors to ensure processes can be updated and improved?
Act now on audit findings
Audits are a regulatory requirement aimed at identifying issues so reporting entities can improve their processes and comply with the law. Our advice is to take any negative feedback as a positive as it gives your business an opportunity to review and improve.
Auditors are expected to make what needs to be done clear to reporting entities, so if there’s anything you’re unsure about make sure you ask them. The AML/CFT supervisors recently advised that they expect reporting entities to take prompt action to remediate audit findings. If this applies to your business you should put it at the top of your list and remember that my team are here to help if you need it.
Read more about how to succeed with AML compliance with Alice Tregunna in ‘Your time is up: AML fines & penalties will become more commonplace in NZ if we don’t raise our game‘.