Five things you can do now to prepare for the introduction of AML/CFT regulation
Plenty has been written about looming Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) regulation for lawyers, some of it quite anxious.
At present, lawyers must target 1 July 2018 to have a fully working compliance programme in place. With Parliamentary select committee hearings taking place at the time of writing, and with many submitters requesting more time, that date may yet be extended, but regardless, a lot of work will be required.
As a profession we can’t say we weren’t warned. In 2009, lawyers and other Designated Non-Financial Business or Professions (DNFBP) lobbied vigorously not to be caught in the new Anti-Money Laundering and Countering Financing of Terrorism Act. That approach worked, but concerns remained.
The Police Financial Intelligence Unit (FIU) has long believed that lawyers under-report suspicious transactions, and may be unwittingly complicit in more laundering activities than they realise. The Panama Papers highlighted risks in legal services for trusts and opaque corporate structures. But, despite all the new awareness and publicity around the 2009 Act, the average level of reports by lawyers to the FIU actually dropped, from 9.7 to 7 per year. For captured financial entities, reporting has increased by over 350%.
This article aims to share a few practical tips for lawyers embarking on the journey into this heavily regulated space. It does so from a perspective of advising and representing financial reporting entities since 2008, when the Act was still being shaped. Those entities have worked through initial AML anxiety, to get to business as usual.
My main theme is that AML for lawyers is quite manageable: the sky will not fall in July 2018, and we can learn a lot from how existing reporting entities have dealt with it to date. But preparing for it will take more time and documentation than you imagine, so start thinking about your system soon, and perhaps consider the following five elements in your approach.
1. Determine what you do that is in or out of scope
Coverage/capture turns upon s 5 in the Act, and a list of discrete activities that lawyers and firms may engage in. A firm that carries on one or more of those activities and does so “in the ordinary course of business” will become a reporting entity subject to the obligations of the Act.
Close analysis of s 5 is required, and sometimes the answer will not be obvious. For instance, litigation is generally not one of the covered services. But if holding client funds in trust account as security for costs, or if upon settling a case there are unusual/extended payment arrangements, it is likely that “managing client funds” in s 5 is engaged.
The AML Supervisors issued joint guidance in 2011 on how they apply the phrase “ordinary course of business”. That described a number of contextual factors which, considered together, may indicate an activity is in the ordinary course of business, if it is:
- Normal or otherwise unremarkable for the particular firm (e.g. indicated by its internal processes and marketing materials),
- Frequent or regular, involving significant amounts of money, or significant allocation of the firm’s resources,
- A source of revenue for the firm,
- A service that is offered/promoted to clients or third parties.
With AML coverage only applying to specified legal services, a full service firm will have to decide whether to carefully filter and select only those clients where it applies. It may end up more straightforward to apply it to all clients. For phase 1 reporting entities in July 2013, many banks and financial institutions offering a range of products found it administratively easier and less costly to simply on-board all new customers under an AML compliant system. Nobody welcomes voluntarily extending the scope of regulation, but one legal instruction can morph into another (captured) piece of work, and it can be complex for staff to determine at the outset which process might end up applying.
2. Decide who will own the AML function and learn the language
There is a broad choice in addressing compliance: develop the expertise and have lawyers or staff internally spend the time to implement changes, or outsource as much as possible to specialists with experience. One entails more billable time cost to the firm, the other more short-term financial cost.
Since each reporting entity must have an employee as Compliance Officer, who must report to senior management, and partners/directors ultimately will remain liable, developing some in-house knowledge makes sense. Not everything can (or should) be outsourced. Given the responsibility and risk, most firms should probably have a partner in that role.
Like any area of law or industry, AML is replete with jargon: DNFBP, STR, FIU, PTR, CDD, DBG, and don’t even get me started about POWBATICs. It is already a surprisingly complex regulatory regime, after only a few years. The Compliance Officer and others should take time to penetrate the acronyms and get to know the patchwork of important risk assessment documents, domestic regulations, and international materials that set out definitions, exemptions, thresholds, and related recommendations.
Published guidelines already exist from the Supervisors on some topics, including these examples below (although lawyers may find, with many written in 2010-11 and never updated, some appear surprisingly superficial):
- Identity Verification Code Of Practice,
- Guidelines on the Written Risk Assessment,
- Guidelines on developing an AML/CFT Programme,
- Interpreting “Ordinary Course Of Business”,
- Countries Risk Assessment Guideline,
- Designated Business Groups – two guidelines,
- Guideline for Audits,
- Interpreting the Territorial Scope of the Act,
- Beneficial Ownership Guidelines,
- Wire Transfer Guidelines.
3. Put the effort into your written Risk Assessment
Unlike some jurisdictions, New Zealand requires a written risk assessment to be prepared, as a first step and key platform for all AML compliance steps to follow.
The risk assessment must be tailored to the money laundering and terrorist financing risk that each firm is likely to face in its sphere of operations. It must be reviewed and updated regularly. It must be available for AML Supervisors to inspect on demand.
Don’t skimp on this step. If done thoroughly and well, the firm will better understand its idiosyncratic risk areas, and not waste time and money on compliance steps that are not targeted at the risks facing that particular firm, given its client-base and areas of practice.
There are several risk dimensions to be addressed, as per s 58(2) of the Act. Each of the types of legal products/service offered, types of client, service delivery/distribution to them, referrers and institutions dealt with, and geographic/country risk, will all vary depending on the firm’s own practice.
Taking geographic/country risk dimension as an example, many sources exist to determine whether a client located overseas should be in a higher risk category. It may not be only overseas clients, but recent migrants, or local agents representing offshore parties. A firm may need to include an assessment of another country’s AML law, whether a client’s own business is regulated for AML purposes, and whether the jurisdiction is otherwise high risk – due to war or conflict history, international sanctions, embargoes or similar measures, having supporters of terrorism, significant levels of corruption, human trafficking, tax haven status or a raft of other matters.
4. Leverage off what you already do
Most lawyers from experience develop a keen sense of clients who are risky or less than trustworthy, particularly around the credit risk of not being paid! And many systems within a firm can be re-deployed with an AML focus – client/matter opening processes being an obvious place. So try to fine-tune those senses and systems into high quality Customer Due Diligence (CDD) processes. Generally, CDD will not be retrospective, meaning it does not require all existing clients to be verified according to specific legal standards. But upon the law coming into force CDD will typically apply to new client relationships or instructions captured by s 5.
Some law firms already have matter opening forms or aspects of their client care and terms of engagement process that smartly and seamlessly gather the minimum information required for standard CDD. That includes the client’s full name; date of birth; if not the end client, that person’s relationship to them; address or registered office; company identifier or registration number; and other information.
Obtaining information is one thing, moving on to verifying that, especially for trusts, and collecting additional details depending on the level of risk in certain situations, is more challenging. But simple steps like obtaining copies of passports and utility bills at the outset can be worked into terms of engagement letters without fuss.
5. Get used to a more intimate regulator relationship
Lawyers should get accustomed to having a closer relationship with a proactive regulator. While the NZLS Lawyers Complaints Service is an effective regulatory arm, it is largely reactive to complaints. The Department of Internal Affairs (DIA) will more regularly supervise and proactively monitor what lawyers are up to in the AML area.
Lawyers will have several contact points with the AML authorities. These include having to complete and file an annual report to the DIA (some information demanded is fairly intrusive and time-consuming to compile); and every two years, or as requested by the DIA, engaging an independent expert to audit the AML risk assessment and compliance programme (to ensure they are actually doing all the good things the firm says in the programme it will do); and potentially respond to a random supervisory check (a visit to offices, or request for compliance documents). There is also the interfacing with the FIU’s online system (goAML) to report suspicious transactions/activities and prescribed cash or wire transfer transactions. This IT system is notorious amongst existing entities as being challenging, and not especially user-friendly.
Suspicious transaction reports are among the most difficult judgement calls to make. Having to decide to report on a client, and for what aspects or activities, will go against the grain of fundamental training for many lawyers. But it is a key output of the whole AML regime. Whether we like it or not, intelligence gathering and reporting to the FIU is core to the system. Put bluntly, professions are now joining financial firms called to act, in effect, as the deputised eyes and ears of the Police.
To encourage reports and to reassure reporting entities, s 44 of the Act affords protection against civil, criminal or disciplinary proceedings, unless the disclosure in the report is made in bad faith. It is disappointing, in my view, that the New Zealand Law Society in its submission dated 20 April 2017 to the select committee (para 8.1-8.2), argues against this sensible protective clause. Most lawyers may be unaware that NZLS wishes to have the ability as regulator of the profession to take disciplinary action against lawyers if they disclose privileged material to police in the course of trying to comply with new obligations to report suspicious activity.
Plainly, reporting decisions cannot be taken lightly, and competing tensions will lead a Compliance Officer to be pulled in different directions. But it is hard to see any benefit to the profession in NZLS seeking to sharpen those tensions and erode the protection other entities have. It also leads to negative outcomes for the AML regime – potential reluctance or disincentive to make suspicious reports.
Gary Hughes firstname.lastname@example.org is a barrister at Akarana Chambers, specialising in regulatory investigations and proceedings, including AML, competition and financial services regulation.
New Zealand Law Society responds
NZLS submitted that a lawyer should potentially be subject to disciplinary proceedings if, in a situation other than in bad faith, a lawyer provides privileged material either negligently or without taking due care. It has taken that view in its consumer protection role so that a client whose privileged material may have been disclosed when it should not have been may have a remedy. In turn this will enhance the reputation of the profession and the oft-quoted extract from Bolton v The Law Society  2 All ER 486 that a client must be able to trust their lawyer to the ends of the earth. This helps preserve the sanctity of legal professional privilege and will encourage lawyers to ensure that they take appropriate care to only disclose privileged material when required to do so. NZLS expects that the vast majority of lawyers would do so in any event.
Last updated on the 30th June 2017