AML/CFT Compliance: Introduction
This article provides an introductory definition of money laundering (ML) and financing of terrorism (FT) and a high-level presentation of what you need to consider to comply with New Zealand anti-money laundering and counter financing of terrorism (AML/CFT) legislation.
Money Laundering
ML is the process of concealing the source or the destination of funds derived from criminal activities, to make such funds appear legitimate. Typically, the ML process can be divided into three phases, which are presented below.
Placement is the physical disposal of cash or other assets derived from criminal activities. During this phase, the money launderer introduces the illicit proceeds into the financial system, i.e., by placing the funds into circulation through legitimate businesses, both domestically and internationally.
Layering is the separation of illicit proceeds from their source, which is done by converting the proceeds of crimes into other forms and creating complex layers of financial transactions to obscure the source, and ultimately the ownership, of the funds.
Integration is the re-entry of the (now laundered) funds into the economy in what appears to be legitimate businesses and transactions. Integration often means that the funds are used by criminals for legitimate reasons, for example, real estate, investments or purchase of luxury items.
Financing of terrorism
FT is the process by which terrorists fund their operations in order to perform terrorist acts. The techniques used to launder money and to fund terrorism are similar. This is because terrorists, like money launderers, need to disguise the link between their financial sources and themselves to continue to finance their terrorist activities, as much as possible, undisturbed.
Terrorism financing is generally described as having three stages:
Raising funds can be done in many different ways. For example, funds can be raised through legitimate sources, like wages or donations, or through criminal offending.
Transferring funds. Once raised, funds need to be moved to the place where they will be used, which often requires international transfers. This can be done by physically couriering cash or high-value commodities, moving funds through the international financial system, or alternative mechanisms for moving value, for example, hawala transfers and cryptocurrency.
Using funds. This is the stage in which terrorist groups use the funds to either commit terrorist acts or to fund ongoing operations, for example, funds could be sent to terrorist cells to buy weapons for a specific terroristic attack or to buy food and pay for accommodation.
Differences between ML and FT
New Zealand AML/CFT regime
Laundering money and financing terrorism are separate and distinct criminal offences. However, because many financial institutions and other businesses may be used by criminals for ML/FT, the international community has developed standards of AML/CFT compliance (see especially the Financial Action Task Force (FATF) Recommendations). In turn, countries have then developed legislations to apply such international principles to their domestic systems.
In 2009, the New Zealand Parliament passed the Anti-Money Laundering and Counter Financing of Terrorism Act (the Act), which aims to:
deter and detect ML/FT;
maintain and enhance New Zealand’s international reputation by adopting recommendations issued by the FATF; and
contribute to public confidence in the financial system.
The AML/CFT Act entered into force in 2013 and, since then, New Zealand reporting entities had to comply with its requirements. In particular, reporting entities must:
Appoint an AML/CFT compliance officer (AMLCO).
Conduct a risk assessment to identify and determine the ML/TF risks they may encounter in the course of their business (Risk Assessment).
Develop and implement a programme containing the procedures, policies, and controls used to manage and mitigate those risks (Compliance Programme).
Have their Risk Assessment and Compliance Programme audited every three years (Audit).
Prepare and submit an AML/CFT annual report (Annual Report) to their AML/CFT Supervisor.
AMLCO
Section 56 of the Act states that you must designate an employee (and if the reporting entity has no employees, a person) as an AMLCO to administer and maintain your organisation’s Compliance Programme. The AMLCO must report to a senior manager of the reporting entity.
FAQ 2 of the Department of Internal Affairs (DIA) further clarifies that for example, you may appoint an external person as an AMLCO if you are a sole practitioner who is not able to be the AMLCO yourself.
Risk Assessment
Section 58 of the Act states that you must first undertake an assessment of the ML/FT risks you may reasonably expect to face in the course of your business. In doing so, you are required to assess their inherent risk, meaning the risks that the reporting entity would face without any controls or mitigation in place.
Such Risk Assessment must be in writing, and it must have regard to the following:
nature, size, and complexity;
products and services;
delivery methods;
customers;
jurisdictional exposure; and
institutions.
Moreover, you must have regard to any applicable guidance material produced by the AML/CFT Supervisors or the Commissioner of Police relating to risk assessments. For example, depending on the relevant AML/CFT Supervisor, you should consider the following guidance:
National Risk Assessment – New Zealand Police
Designated Non-Financial Businesses and Professions and Casinos Sector Risk Assessment – DIA
Sector Risk Assessment – Financial Market Authority (FMA)
Sector Risk Assessment for Registered Banks, Non-Bank Deposit Takers and Life Insurers – Reserve Bank of New Zealand (RBNZ)
Risk Assessment Guideline – DIA, FMA and RBNZ
Compliance Programme
Once assessed your inherent risks, you must develop a Compliance Programme on the basis of the risk assessed. As defined in paragraph 28 of the AML/CFT Programme Guidelines, a Compliance Programme is required to set out policies, procedures, and controls necessary to detect and deter ML/TF and to manage and mitigate the risk of ML/FT occurring. Where:
Policies set out expectations, standards, and behaviours in the business.
Procedures set out the day-to-day operations of the business.
Controls are tools that management uses in the business to ensure compliance with policies and procedures.
Section 57 of the Act sets out the minimum requirements for Compliance Programmes, which are policies, procedures and controls for:
Vetting.
Training.
Customer due diligence, including enhanced and simplified customer due diligence, and outsourcing.
Reporting suspicious activities and prescribed transactions.
Record keeping, including keeping written findings for complex and unusual transactions, and dealing with countries with insufficient AML/CFT systems.
Manage and mitigate risks.
Preventing the use of products and transactions that might favour anonymity.
Monitoring and managing compliance.
Audit
Section 13 of the Anti-Money Laundering and Counter Financing of Terrorism (Requirements and Compliance) Amendment Regulations 2021 states that you need to have an external Audit every three years.
An auditor needs to be an independent person appointed by you and who is appropriately qualified to conduct the Audit (see paragraph 10 of the Audit Guideline).
An Audit is a review of your Compliance Programme and Risk Assessment. The auditor will assess both adequacy and effectiveness. Meaning, how compliant the AML/CFT regime is with the various obligations of the Act, and how well the practical application of the regime meets the obligations of the Act (see paragraph 36 of the Compliance Programme Guideline).
For further information, see our post on Audits here.
Annual Report
As per Section 60 of the Act, you must prepare an Annual Report on your AML/CFT compliance. The Annual Report needs to be in the prescribed form, this means that:
DIA reporting entities need to submit their Annual Report via AML Online.
FMA reporting entities need to submit their Annual Report via the FMA website.
RBNZ reporting entities need to contact their Supervisor (see here).
Annual Reports are due at the end of August each year. Each Supervisor has slightly different sets of questions for the Annual Reports, but in general, reporting entities can expect to be asked to provide information in relation to:
Their business’ details;
Number of clients and breakdown by type (e.g., individuals, companies, trusts, and politically exposed persons);
Number and value of transactions;
Services provided; and
Jurisdictional exposure.
For further information, see our post on Annual Reports here.
What’s next?
If you need any assistance with your Risk Assessment, Compliance Programme, Audit or Annual Report obligations, get in touch and we will be able to help.
