Guideline Updates

The anti-money laundering and counter terrorism financing (AML/CFT) Supervisors have released an updated version of the AML/CFT Programme Guideline. This post details the key takeaways from the updated guidelines. 

Transaction and Activity Monitoring

The Supervisors clarify that you can use either a manual or electronic system, or both, to monitor your customers’ transactions and activities. A business that conducts small numbers of transactions, or has a small customer base, may use a manual monitoring system. By contrast, a larger reporting entity would need an electronic system or a combination of manual and electronic systems.

Your transaction/activity monitoring should be in line with your risks and mitigate the specific risks identified in your Risk Assessment. Your Compliance Programme should:

  • set up rules and thresholds to identify high-risk activities;

  • use the nature and purpose of the business relationship information to identify the risks of a certain activity/transaction;

  • prioritise the review of higher-risk transactions/activities;

  • manage when alerts are triggered multiple times;

  • specify time-frames for review;

  • detail how the monitoring is assessed (e.g., rate of suspicious activity detection, false positives and compliance with timeframes);

  • detail how rules and thresholds are reviewed and updated; and

  • detail how records are maintained.  

Ongoing Customer Due Diligence

You need to consider updating customer due diligence (CDD) information when there is a risk-based reason or trigger for doing so, for example, if you identify inconsistencies between CDD information you have previously obtained/verified and the customer’s transactions/activities. In this regard, the Supervisors clarify that you need to update your CDD information for customers with whom you established a business relationship both:

  • after the entry into force of the AML/CFT Act (post-AML/CFT Act); and

  • before the entry into force of the AML/CFT Act (pre-AML/CFT Act).

If you do not have a plan in place to collect CDD information on your pre-AML/CFT Act customers, this is a good time to start taking action, in particular, focusing on high-risk customers first.

It is important to note that the Supervisors do not consider it necessary that you regularly reverify a person’s biographical information if you have verified this previously (unless there are concerns regarding the person’s identity).

As for expired documents, these should not usually be accepted as a way to verify someone’s identity at the time of onboarding a new customer, unless this is done on an exception basis. However, as the relationship with the customer goes on, their identity document will inevitably expire, and the Supervisors clarify that the expiry of an identity document does not in itself trigger a requirement to update a customer’s CDD information.

Suspicious Activity Reports

You must submit a suspicious activity report (SAR) when there are reasonable grounds to suspect that a transaction, service, or inquiry is or may be relevant to the investigation, enforcement or prosecution of crime. This includes if:

  • a person seeks to conduct a transaction, but it is not ultimately conducted;

  • you propose to provide a service to a person, but this does not occur; and

  • you notice that any person (and not just your customer) gives you reasonable grounds to suspect their transaction/activity (e.g., third-party sending funds to you).

The requirement to submit a SAR is based on an objective test, i.e., where an objective observer would conclude that reasonable grounds for suspicion were known to you. In other words, it is no defence that you did not consider the transaction or activity to be suspicious.

If you have not done so already, you should register for goAML so you can report a SAR within the three-working-day deadline.

Privacy

Because of your AML/CFT obligations, you hold many identity documents and other sensitive customer information. Therefore, you should consider how the Privacy Act impacts your day-to-day activities.

The Privacy Act governs how you collect, store, use and share your customers’ personal information. In particular, two key principles included in the Privacy Act state that:

  • There must be reasonable safeguards in place to prevent loss, misuse or disclosure of personal information.

  • You should not keep personal information for longer than it is required.

Therefore, it is important that once the required timeframe under the AML/CFT Act has expired for keeping a record, and unless there is a lawful reason to keep the documents, you should take all practicable steps to ensure that the record is destroyed.

Nonetheless, if the requirements of the Privacy Act and the AML/CFT Act do not fully align, AML/CFT requirements prevail over the requirements of the Privacy Act.

Customer Due Diligence Conducted by Another Reporting Entity

You may rely on the CDD conducted by another reporting entity or an equivalent entity overseas. When you do so, you need to ensure that the other reporting entity:

  • has a business relationship with the customer;

  • consents to conducting CDD procedures for you and to providing all relevant information to you; and

  • conducts relevant CDD procedures to at least the standard required by the AML/CFT Act and regulations and provides you with all the relevant identity information before you establish the business relationship or conduct the occasional transaction or activity for the customer.

Consequently, you should have policies, procedures, and controls for satisfying yourself that the other reporting entity meets record-keeping requirements. The Supervisors clarify that if the other reporting entity:

  • Is a New Zealand reporting entity, you already know they have obligations to meet the record-keeping requirements of the AML/CFT Act.

  • Is in another country, you may need to establish if the entity is regulated for AML/CFT purposes (and if they have record-keeping obligations) by consulting open-source information or by requesting the entity to provide confirmation.

Compliance Culture

The Supervisors stress the importance of a strong AML/CFT compliance culture from the top. The directors and senior managers can demonstrate a strong AML/CFT compliance culture by engaging and showing a strong commitment to AML/CFT and actively promoting its importance throughout the business. This can include ensuring there is sufficient resourcing (people, technology and financial support) to meet AML/CFT obligations.

In addition, directors and senior managers should ensure that they are provided with robust, regular and transparent reporting on AML/CFT matters and that policies, procedures and controls align with the business’s overall strategy and risk appetite.

What’s next

Get in touch if you wish to discuss how the AML/CFT Programme Guideline affects your business.
