By Marty Robinson
First, let me start with the bad news: You’ll flunk your external AML/CFT audit if you based your documents on the Law Society templates without injecting considerable critical analysis of your firm’s own specific situation, customising the templates accordingly and adding in the statutory requirements missing from the templates.
The Department of Internal Affairs said in its Regulatory Findings Report for 2018 – 2019, published in January, that:
“Some businesses, particularly within the legal and accounting sectors, have relied heavily on generic templates, and their measures do not reflect their individual businesses’ money laundering or financing terrorism risks.”
The report inevitably concluded that many firms failed to treat specific ML/TF risks stemming from their customers, services, transactions and other factors, and also pointed to a disconnect between the processes outlined in AML/CFT documents versus what businesses were doing in practice.
Small legal (and accounting) practices in particular have placed undue faith in documents that were assumed (although were never intended) to be complete solutions to complex and dynamic obligations in an area of law most were unfamiliar with.
This is understandable given the weighty compendium of interpretive guidance material from the supervisors and the Police Financial Intelligence Unit, not to mention the novelty of the regime’s risk-based decision-making and the need for practitioners to understand the Act’s geopolitical underpinnings including various methods and structures employed to launder funds or move terrorist financing.
The sheer size of the compliance task has been underestimated by many practitioners lacking the budget, staff or personal time to devote to even the domestic law and guidance material, let alone the international information the supervisors recommend is reviewed.
Recent experience of compliance activity and audits
It’s increasingly clear that firms who copied the generic templates without appropriate customisation have in many cases failed to properly understand or comply with their own documents. DIA compliance action and external auditors’ reports are routinely finding that law firms’ AML/CFT documents and systems, when based heavily on generic templates, are significantly less compliant than the firms assumed.
These issues, whether identified by auditors or firms themselves ahead of their 2020 audit, should ideally be fixed before the annual report is due in August 2020. This will ensure your firm’s annual reporting is a positive experience rather than one that leaves a fear of looming regulatory attention.
Law Society warnings over generic documentation
While the Law Society templates were rebranded ‘specimens’ and their disclaimers augmented in late 2018 (see “AML/CFT Compliance: Emerging Practical Issues” on the Law Society AML/CFT web pages), not everyone saw this, nor did they fully appreciate that generic templates or specimens cannot perform the legislatively required tasks of:
- assessing the firm’s specific money laundering (ML) and terrorism financing (TF) risks through a number of statutory lenses; then
- implementing customised processes accordingly to address those specific assessed risks.
The Law Society specimens lack some statutory requirements altogether and are light on others, requiring substantial additions to be fully compliant.
They were arguably a useful stepping off point, but it would be more apt to characterise them as an instruction manual (particularly the risk assessment) with some suggested compliance checklists rather than a ready-formed collection of compliant processes.
Typical small general practice firm
A small general practice with six staff recently had their documents inspected by the DIA, who returned a finding typical to those using the Law Society documents of:
- 11 areas of non-compliance;
- 12 of partial compliance (which could equally be termed partial failure);
- 8 areas of adequate compliance.
This degree of non-compliance came as an unpleasant surprise to the firm and cost extensive time and resource over several months on a remedial plan requiring two re-writes on a fixed schedule.
This is an increasingly common outcome both with DIA regulatory reviews and external audits.
The regulatory heat has also started to rise with the DIA recently undertaking its first criminal compliance prosecution for non-compliance with the AML/CFT Act (to be distinguished from money laundering prosecutions under the Crimes Act) and, in the legal sector, lawyer Andrew Simpson’s recent 13 convictions for money laundering in the context of an organised criminal group laundering drug criminal proceeds. Mr Simpson characterised his involvement as being initially naive (albeit with things “ramping up”) rather than any fully intended participation in the laundering operation.
So how can all this impending calamity possibly yield good news?
First, understanding how the DIA operates will help calm nerves and point to the best use of 2020 for your firm.
The supervisors take a targeted, risk-based, and responsive approach to their regulation as AML/CFT supervisors. They use risk analysis and intelligence to prioritise regulatory intervention where they can maximise compliance improvements and prevent the greatest potential harm. They seldom jump straight to the apex of the regulatory triangle of enforcement responses. Education and supportive engagement are their starting point.
While supervisor reviews of businesses’ AML/CFT regimes have a degree of randomness at the outset, they become more targeted as they accumulate more information about a sector and its participants.
The DIA is generally more likely to request a copy of a law firm’s documents or pay you a compliance visit if your services or customers present higher ML/TF risks or you fail to assess and treat those risks appropriately or both.
Lack of compliance with administrative aspects of the regime may suggest non-compliance with substantive aspects. So be on time with your audit (where possible) and your annual report at a minimum. (DIA advised on 24 April that compliance action will not be taken against firms completing independent audits late, provided they can show good faith efforts to complete it and explain how COVID-19 derailed them. Audit can occur remotely where the firm and auditor can access the necessary information.)
If your annual report is late or defective, or discloses more non-compliance than other firms, you’ll naturally stand out as more likely to require intervention. Equally, a late audit may raise concerns.
Intervention usually starts with a ‘desk-based review’ where the DIA reviews your risk assessment and programme on paper for technical compliance. Typically, untailored Law Society specimens may indicate that a firm has not appropriately assessed its specific ML/TF risks and this may invite further attention as in the example above.
How quickly can this get dangerous?
High Court civil action and prosecution are not the next logical steps for the DIA when dealing with firms honestly trying to comply with the AML/CFT Act. Where a remedial plan was unsuccessful and the firm remained wilfully non-compliant, the DIA does have a range of enforcement tools it could use. But on past experience with Phase 1 entities, it seems highly likely that lawyers will not suffer anything worse than a formal warning any time soon. Such a warning simply warns the entity that sanctions may be imposed if areas of AML/CFT non-compliance are not addressed, and in all but the most egregious cases, they are. Depending on the seriousness of the non-compliance, the DIA has the power to publish the formal warning, in part to deter other entities in a similar situation.
Harder enforcement tools include enforceable undertakings, injunctions, civil pecuniary penalty applications (civil fines up to $2 million for entities or $200,000 for individuals) and, ultimately, criminal prosecution for compliance breaches.
The harder compliance responses could be used with Phase 2 entities in the more distant future but, given these responses have taken since 2013 to eventuate for the Phase 1 entities, it is a fair bet that lawyers have a good deal of time yet to mature in their compliance understanding and systems.
It may not necessarily take seven years like it has for Phase 1 entities to reach the top of the enforcement triangle. Arguably Phase 2 entities have benefitted from Phase 1 entities’ mistakes and regulatory lessons, which could shorten the time for expected compliance maturity to some degree.
But the point of this article is to steer you towards tackling deficiencies while it can still keep you off the supervisors’ radar.
Timing of external audits
Second, it’s useful to know how your external audit can be used to increase your picture of compliance. Here, timing is important.
Your auditor must rate your compliance with the Act’s various requirements and rate your policies, procedures and controls for their adequacy and effectiveness. They will generally recommend how you might fix any problems identified.
If you get your audit early, you’ll have plenty of time afterwards to address the identified issues before you report to the DIA on the results and implications of your audit in August.
If you get the remedial work done in time you won’t stand out as a compliance delinquent needing further attention. And that situation will probably endure beyond 2020 because:
- you’ll be seen as low risk by the supervisors; and
- your early and proactive approach to the remediation will have given you useful insights into the AML regime and the necessary time to make what many are finding time-consuming and wide-ranging repairs. This will engender better confidence and contentment with the regime, which the DIA’s Regulatory Findings Report correlated with higher quality compliance.
This will all put you in good stead going forward.
An even more proactive approach is to tackle your AML documents before getting the auditor in so that the audit highlights less remedial work to carry out before your annual report is due.
In this case, make sure to:
- consider the various guidance documents carefully;
- check you’ve covered all areas from sections 57 and 58 (the primary requirements for risk assessments and programmes); and
- ensure you’ve brought relevant parts of guidance across rather than obliquely referring to large swathes of information in external documents – which your staff probably won’t bother reading.
Some specifics to start with
The DIA said many firms’ AML documents were simply incomplete, failing to cover all relevant obligations, such as appropriate procedures for checking for politically exposed persons, beneficial ownership checks, enhanced CDD and reporting SARs and PTRs.
The Law Society documents for example omit staff training procedures (they just reiterate the legal requirement to have some), their references to PTR and SPR reporting simply refer the reader to generic guidance in the Lawyers and Conveyancers Guideline (as is the case with many key concepts that should really be in the Programme), they do not deal with exceptions policies (not to be confused with delayed CDD), and they omit reference to whether the entity will opt out of the Code of Practice. Enhanced CDD in particular is dealt with by referring reader to the generic LCG guidance and needs greater inclusion in a firm’s documents. And the Law Society’s Matter Risk Assessment Form (a sub-part of its compliance programme) leaves practitioners without clear guidance about when enhanced CDD is statutorily required, meaning many firms are under-complying – or in some cases over-complying due to their lack of clarity about when enhanced CDD is triggered).
The Law Society’s “AML/CFT policies” document (also a sub-part of its compliance programme) says the DIA’s Guidelines for the Legal Sector can be found on the website of the Jersey Financial Services Commission (which is incorrect). The Law Society’s division of the AML Compliance Officer into the roles of MLCO and MLCO is another unnecessary result of copying northern hemisphere regime precedents.
Some key guidance to start with
Some of the most useful documents firms should read include the Lawyers and Conveyancers Guideline, the guidance on creating risk assessments and programmes, and the DIA’s Risk Assessment and Programme: Prompts and Notes document, all available on the DIA’s lawyer-specific AML page.
Your documents must do more than suggest you will follow what’s set out in those documents, as the specimens often do. That approach leaves the DIA and auditors wondering if you’ve properly considered how the generic guidance applies to your own situation and whether you actually link into those documents each time your documents refer you to them. Where relevant, provisions from the guidance need to be brought through into your own documents and customised to your specific services, clients and systems.
What to do
So to summarise, there is an annual report in August. You should will probably have had your auditor in by then. The annual report will take into account the results and implications of the audit.
You can either report back that you’ve fixed all the issues identified, or (even better) that you had a clear audit. (NB: This is very rare.)
The two suggested approaches then are to either get the auditor in quickly so you have plenty of time to address what may be extensive issues in their report, or proactively tackle the documents yourself while still getting an auditor early enough that you have sufficient time before August to address any remedial work you may have missed. Complicated AML/CFT obligations can significant take time to fix or get help with, so an early start is the best antidote to revelling in any compliance notoriety. And it will avoid bottlenecks.
Don’t be disheartened. Your first external audit may highlight a number of unseen problems. But a proactive approach in the run up to August will serve you best in the long run and give you greater confidence in a tricky new area that has caused many firms stress and confusion as the regime beds in for the legal profession.
But remember, the DIA will always start with education and engagement first, particularly where firms are obviously trying to comply. They understand and appreciate that adjusting business processes and coming up to speed with the AML/CFT Act do require a lot of change. And they routinely remind entities that, despite early difficulties, compliance does become common practice as business processes mature and embed.
Marty Robinson email@example.com co-authored The Anti-Money Laundering Regime: A Practical Guide (LexisNexis, 2018) and is a litigator specialising in financial crime cases. He advises reporting entities on a wide range of AML/CFT matters and conducts audits. He previously oversaw the Department of Internal Affair’s litigation and advised the DIA on AML/CFT enforcement cases and legislative amendments ahead of Phase 2.
New Zealand Law Society | Te Kahui Ture o Aotearoa comments
The Law Society agrees that specimen documents are a springboard for reporting entities to adapt to their own individual situation . The Law Society released complementary guidance in March 2018 to assist lawyers using specimen documents as part of preparing their compliance programmes and understanding their AML/CFT obligations. This guidance is a practical ‘How to use’ guide which emphasises the need for law firms to adapt any specimen to their individual circumstances and the need to draw on a range of sources in creating a compliance programme.
The guidance specifically says: “Lawyers must adapt any AML/CFT specimen documents to take into account their particular circumstances. The Department of Internal Affairs (DIA), as supervisor of the legal profession for AML/CFT purposes, emphasised the importance of this when it was consulted by NZLS about the specimen documents. The form and content of all AML/CFT compliance documents ultimately adopted by law firms must evidence a clear understanding of AML/CFT obligations and how they apply in the context of each specific legal practice. There is absolutely no ‘one size fits all’ approach to AML/CFT compliance”.
It is important to look at the context within which specimen documents are provided. The Law Society has promoted a range of helpful guidance to be used in conjunction with the specimen forms. This includes the DIA’s Risk Assessment and Programme: Notes and Prompts and a range of other resources including NZLS CLE Ltd webinars, topic guidance and a dedicated Panel of Friends.
In our experience, many firms have welcomed the assistance provided, and the specimen documents are just one piece of the support on offer. The Law Society engages regularly with the DIA on AML/CFT related concerns and works collaboratively to provide assistance and support to lawyers to ensure they are meeting their compliance obligations.