The Anti-Money Laundering and Countering Financing of Terrorism regulatory regime (‘AML/CFT’) will fully come into effect on 30 June 2013. The regime sets out new procedures and standards for detecting and preventing the flow of ‘dirty money’ through legitimate channels.
This will not be news for larger financial institutions such as banks, which have been preparing for the new law for over two years. But if you operate a smaller firm, or you occasionally deal with financial transactions, you might be wondering whether the AML/CFT applies to you, and if it does what your obligations will be. This article will describe the ambit of the AML/CFT and briefly explain the core requirements it imposes.
The AML/CFT was enacted to bring New Zealand into line with our international obligations. Its enactment is a recognition that white collar crime can do serious harm to investment and borrowing confidence.
The AML/CFT uses a three tiered model comprising the 2009 Act plus various regulations and industry guidelines. There are three features to the AML/CFT which demonstrate it was designed to be cost effective for the finance sector. First, it is aimed at providing some flexibility through self-regulation. Second, it tends to focus on transactions rather than on institutions. Third, it adopts a ‘risk based’ approach, which is intended to allow for efficient allocation of resources and the minimisation of compliance costs.
The AML/CFT will apply to you (or your business) if you fall within the definition of a ‘reporting entity’. Most financial organisations fall within the definition. An individual or organisation will be considered a reporting entity if, in the ordinary course of business, it carries on one or more of a range of listed activities. By way of example, some of these activities include: accepting deposits, money exchange or transfer, investment fund management, undertaking financial guarantees, cash transport, payroll remittance etc. Most financial advisers and trust and company service providers are also caught by the legislation.
A number of persons are specifically excluded from the AML/CFT:
- lawyers and incorporated law firms;
- real estate agents;
- companies in liquidation;
- government departments; and
- certain low risk entities who undertake certain transactions or services (such as retailers).
Safety deposit box providers are exempt only if they provide the service to registered guests as accommodation providers. These so-called ‘non-financial entities’ will be subject to regulation in the future.
Requirements and compliance
During the consultation process for the AML/CFT, many in the finance sector expressed concern over compliance costs. Some of the proposed requirements, such as accurate record keeping, were already common practice. But other requirements would necessitate equipment purchases, and the development and implementation of new information technology and reporting systems. The government anticipates that the risk-based approach will ameliorate these concerns.
If the AML/CFT applies to you, it is important that you understand your responsibilities. Non-compliance entails a number of civil or criminal sanctions, and can hurt your standing in the market. Unlike in Australia, there won’t be an assisted compliance period or ‘compliance holiday’.
Customer identity verification/Customer due diligence
A new customer’s identity will need to be checked and verified with reference to valid forms of identification.
Guidelines have been published by supervisors on the identification process. The due diligence procedures are intended to eliminate anonymity by requiring reporting entities to confirm a customer’s identity. This includes where a customer uses a representative or a beneficial owner.
The level of due diligence required is dependent on the level of risk, assessed via an established framework (see below). If you already have a business relationship with a customer which is a public body, then the ‘simplified’ due diligence procedure will probably be sufficient. However, if you have a new customer that is a trust based outside of New Zealand, which is seeking to make a complex and unusually large transaction, this will most likely warrant ‘enhanced’ due diligence. So in the latter example, information about the source of the funds plus the name and the date of birth of each beneficiary of the trust would be required alongside the usual customer information relating to identity.
Suspicious transaction reporting
If you are involved in a transaction and you suspect on reasonable grounds that the transaction is criminal in nature, you are obliged to make a ‘suspicious transaction report’ (‘STR’).
There will be an electronic system in place for submitting reports. Reports can be submitted before or during the transaction, or even if a proposed transaction does not proceed. You do not need solid proof of criminality, your suspicion could be based (for example) on a customer purchasing a large variety of financial products and for no apparent reason.
You will be liable under the Act if you have reasonable grounds for suspicion but do not make a report. If your business has staff, you will need to set out guidelines on how and when they should prepare a report.
Risk assessment/Developing and maintaining an AML/CFT compliance programme
A reporting entity must have an AML/CFT compliance programme which comprises the policies, procedures and controls your business has in place for detecting and preventing money laundering, and generally complying with your AML/CFT obligations.
The programme must be based on a written risk assessment of your business. The risk assessment must include:
- an assessment of the aspects of your business which are vulnerable to money laundering; and
- a description of how you will ensure that your assessment remains current; and
- a method for determining the level of risk involved in relation to your AML/CFT obligations.
In assessing the risks your business faces, a range of factors should be considered. For example: do you deal a lot in cash? Do you provide fast money transfer with minimum formalities? Do you deal a lot with customers from countries with high rates of crime and corruption? If so, your AML/CFT programme would be tailored to reflect these inherently high risks. However, a small, low risk firm will only need a relatively simple and concise risk assessment and AML/CFT programme.
Once you have completed your risk assessment, you can prepare an AML/CFT programme. There are certain minimum requirements. You must have vetting procedures for senior managers and employees with AML/CFT related duties. These vetting procedures could include, for instance, criminal background checks. You must also provide training to familiarise staff with AML/CFT matters. And you must include how your obligations under the regime, from due diligence to record keeping, will be handled. A suitable person will need to act as an ‘AML/CFT compliance officer’ or you can fulfil the role yourself if you have no staff.
Record keeping/Annual reporting
Reporting entities have to submit annual reports to their supervisor, detailing how they are complying with their obligations.
There are also comprehensive requirements on record keeping. Most businesses will already keep detailed records on transactions. Where change might be necessary for records includes eliminating anonymity and keeping files on customer identity. You may be liable under the Act if your records are inadequate.
Even if your business is covered by the Act, some transactions are exempt from the AML/CFT, primarily because they are deemed inherently low risk: e.g. a number of insurance policies, reward schemes and gift vouchers. Many of the exempt transactions are not exempt per se, but are exempted from certain requirements.
Most of the due diligence requirements only apply to transactions outside of established business relationships that are $10,000 over more. The threshold for some high risk transactions is lower.
Reporting entities will be supervised by designated AML/CFT supervisors. When the AML/CFT Act was in Select Committee, it was noted that Australia has a single supervisory body, which is efficient for regulators and firms alike. Unfortunately, New Zealand has three supervisors. It is hoped that their jurisdictions will not overlap. For most financial organisations their designated supervisor will be the Financial Markets Authority. Life insurers, banks and non-bank deposit takers are covered by the Reserve Bank. The Department of Internal Affairs supervises non-deposit taking lenders, money changers and entities not falling under the supervision of the Reserve Bank or the Financial Markets Authority.
The level of risk your business poses will dictate how closely you will be scrutinised by your supervisor. The supervisors are also responsible for producing industry guidelines. The guidelines are non-mandatory but if you wish to ‘opt out’ of them, you must produce a suitable equivalent. Supervisors have a range of powers at their disposal, including conducting inspections and record audits.
This article can only hope to sketch the basics of what is a complex regulatory regime. If you believe that you or your firm may be subject to the regulations, you are strongly advised to seek legal advice or contact the relevant supervisory agency. The deadline for compliance is fast approaching.