The spirit of the Act
Over the holidays, if your mind starts to turn to 2021, it must surely turn to the much-anticipated refresh of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 and supporting regulations. This presents an opportunity to right some of the wrongs, get some needed clarity, and further enhance our legislation based on our learnings.
However, in order to improve regulations, we must first remind ourselves of the purposes of the Act and we must keep these purposes front of mind:
(a) To detect and deter money laundering and financing of terrorism;
(b) To maintain and enhance NZ’s international reputation;
(c) To contribute to public confidence in the financial system.
The wish list
So here is what I am putting on my Christmas wish list for 2021 regulatory change:
- Clear and plain language
- Public education campaign
- Impact assessment of changes
- NZ entity public register
- Licensing of remitters
- Code of practice update
1. Clear and plain language
There is a lot of ambiguity in certain sections of the AML/CFT Act. In section 31 of the Act, as shown below, there is ambiguity in the language used – what is meant by ‘regularly’? What is meant by ‘review’? This applies to section 14 as well – how does one distinguish ‘material change’ from an immaterial change? How does a reporting entity identify when they have ‘insufficient information’ about their customer? This ambiguity must be removed in order for reporting entities to understand and effectively comply with the Act.
Ongoing customer due diligence and account monitoring
When conducting ongoing customer due diligence and undertaking account monitoring, a reporting entity must do at least the following:
(a) regularly review the customer’s account activity and transaction behaviour; and
(b) regularly review any customer information obtained under the CDD sections, or, in relation to an existing customer, any customer information the reporting entity holds about the customer; and
(c) anything prescribed by regulations.
When Standard CDD is Required
Section 14(c) – Circumstances when standard customer due diligence applies:
If, in relation to an existing customer, and according to the level of risk involved:
(i) There has been a material change in the nature or purpose of the business relationship; and
(ii) The reporting entity considers that it has insufficient information about the customer
2. Public education campaign
While there has been some good work by the various regulatory bodies to help the public understand the importance and requirements of NZ’s AML/CFT regime, this work needs to continue in order to get the public on-side with these changes.
3. Impact assessment
When making changes to the legislation, it is important for law makers to understand the impact of those changes on reporting entities. Without understanding the cost, burden, and impact on law-abiding customers/clients, there is a risk that the costs outweigh the rewards. There must be an understanding that choosing one option over another means that limited funds for compliance may not be used as effectively as they could be – such as truly targeting high ML/TF risk areas.
4. NZ entity public register
There should be a public register for New Zealand trusts, companies, and partnerships in order for these entities’ beneficial owners to be easily identified and verified.
5. Licensing of remitters
Banks, financial markets providers, corporate trustees and other entities trusted with money flow need to be licensed and be able to proactively demonstrate a certain level of care and due diligence for their clients, and to encourage trust in the finance sector and the economy. So why not the remittance sector? This would certainly help banks get more comfort around banking them.
6. Code of Practice
While not technically part of the regulatory refresh I didn’t want to let an opportunity pass by to raise awareness of the challenges in the Code of Practice and hope that a refresh of the Code closely follows the refreshed regulations. Here are but a few of my thoughts:
- The Code of Practice seems to provide limited options for the verification of international customers. New Zealand reporting entities do business all over the world and those people may not travel and have a passport, so options for verifying them under the Code are essentially nonexistent.
- While certification of identification documents must have been done in the past 3 months, other secondary documents only need to be dated in the past 12 months. Anyone else confused?
- Perhaps we could remove the requirement for the statement around representing the identity of the person? Shouldn’t we rather have it as a recommendation, as this is the number one failing for certifications?
- Also, while I’m on a roll: the certifier having to be outside of the transaction, what’s with that? Wouldn’t the lawyer acting for them or a trusted referee who also knows them be a better certifier than an outside person? If they are a trusted referee, then shouldn’t we do just that – trust them?
Naughty or nice
Whilst the following are all important aspects of complying with the AML/CFT Act, there are certain refinements that can be made to secure them a position on the Nice list:
Prescribed Transaction Reporting (PTR)
A prescribed transaction is an international wire transfer of $1,000 or more conducted through a reporting entity or a domestic physical cash transaction of a value equal to or above $10,000.
- Banks alone have spent approximately NZD 20 million on PTR and most of this cost was associated with setting thresholds for transactions such as International Funds Transfers (IFTs) and Large Cash Transactions (LCTs). However, the removal of these thresholds would likely result in the same cost being incurred again.
- While PTRs are intended to add further transparency to the financial system, improving the detection and disruption of organised crime, is the PTR scope too broad? There have been, in my opinion, some unintended scenarios that technically must be reported but don’t add a lot of value from an intelligence perspective.
Enhanced Due Diligence (EDD) on Suspicious Activity Reports (SARs) and on all trusts
The higher-level nature of Enhanced Due Diligence (EDD) poses the risk of ‘tipping off’. There is such a fine line between asking for information around certain transactions in order to meet source of funds obligations, potentially exiting in order to manage risk appetite, and the tipping-off provisions, which carry criminal penalties.
- EDD on SARs: Reporting entities are immediately in breach when they fail to obtain EDD on these transactions; however, there is a tension with tipping off. On the other hand, if one is truly suspicious, you are then unlikely to receive the information required to complete enhanced CDD. Maybe the solution is to remove this as a legal requirement but encourage it as best practice?
- EDD on Trusts: Whilst we acknowledge that trusts do pose a higher risk, there are so many other entity types that are not called out specifically. It should also be recognised that the NZ environment allows an excess of trusts, so many legitimate customers may be disproportionately impacted. Perhaps we could focus on higher risk trusts?
Currently, address verification is required for all entities where standard due diligence and above is required. How about just conducting address verification on individuals/entities that require enhanced due diligence? This returns to my earlier statements on understanding the impact versus reward: we live more and more in a digital world where physical address verification is getting harder and harder.
Let’s bring ministerial exemptions into the legislation to ensure that they always remain current and are easy to find in one simple location – that would be on the nice list. On the naughty list is the wording on the specified and licensed intermediaries exemptions; these are a nightmare to navigate.
The importance of monitoring
Regulatory mandated audits every three years are beneficial in many ways, but relying solely on auditing in this time period makes way for a variety of issues. In the event that you have been doing something that doesn’t meet good practice or, worse, that your methods are simply wrong, then three years of remediation is a lot harder than two years, and more so one year.
The absence of an audit requires that there be very robust compliance monitoring in place to retain proper due diligence practices, with this monitoring having a focus on some higher risk entities.
While on the subject of audits, there should always be a follow-up with the auditor to ensure that the actions taken to resolve the audit issues have been completed to the standard expected by the auditor; otherwise you could end up with repeat audit issues, which are not beneficial to the reporting entity.
Politically Exposed Persons (PEPs)
“Politically-Exposed Persons” (PEPs) are individuals who, by virtue of their position in public life, may be vulnerable to corruption. The New Zealand legislation currently limits this concept to foreign PEPs, and does not include domestic (New Zealand-based) PEPs.
- Should domestic (NZ) PEPs be included?
- What timeframe should reporting entities adhere to when determining whether a customer is a PEP or not? Should this be before boarding or ‘as soon as practicable’ as stated in the Act?
- Also, what is meant by ‘as soon as practicable’??
For more information on AML/CFT regulations and compliance, read ‘The Essential Guide to Enhanced Customer Due Diligence in NZ’.
About the author
Director of Paula Milne Consulting Limited, Paula Milne has experience as the Head of AML & Sanctions Compliance at ASB Bank, as well as spending time as Head of Compliance/Op Risk and Financial Crime at ANZ Bank.