New Zealand Law Society - AML/CFT risk assessment and implementation disconnect, says DIA

AML/CFT risk assessment and implementation disconnect, says DIA

This article is over 3 years old. More recent information on this subject may exist.

A disconnect between a business' risk assessment and AML/CFT programme, and how these documents are used in practice was a common factor observed by the Department of Internal Affairs in the year to 30 June 2019.

The department has released a Regulatory Findings Report for Anti-Money Laundering and Countering Financing of Terrorism for the year to 30 June 2019.

It says the report shares its regulatory findings for the businesses it supervises - which includes lawyers and conveyancers - to assist them to understand the DIA expectations, and how they can improve their systems and processes to comply with their AML/CFT obligations.

On the disconnect between assessment and practice, the report says the department inspected businesses with well-written documents that seemed "technically compliant" on paper, but when they were visited their procedure, policies and controls were seen not to be effectively implemented.

"Many businesses have adopted generic templates for their risk assessment and AML/CFT programme documents. In some circumstances, the content has been wholly generic and not specific to their business, types of customers, transactions or activities conducted," it says.

"While a template can be a useful starting point for a risk assessment or developing an AML/CFT programme, the Act requires the identification of the specific money laundering and financing terrorism risks that a particular business faces. The risk assessment must also enable the business to determine the level of risk in relation to its AML/CFT obligations. This means the risk assessment must be specific to the individual business’ circumstances, customers and activities. The risks must then be managed and mitigated through its AML/CFT programme."

Areas of non-compliance

The report identifies the most common areas of non-compliance in the year to 30 June 2019:

  • Risk assessments too generic and not specific to the money laundering and financing terrorism risks the business faced.
  • Written documents incomplete and not covering all the relevant obligations. These include a lack of procedures for politically exposed person (PEP) checking, beneficial ownership checks, enhanced customer due diligence, suspicious activity and prescribed transaction reporting.
  • The written AML/CFT programme documentation is technically compliant but not implemented effectively in practice.
  • Compliance officers’ inadequate understanding of their businesses’ money laundering and financing terrorism risks, and poor implementation of policies, procedures and controls in practice.
  • Customer due diligence (CDD) and Enhanced CDD not undertaken in accordance with the Act’s requirements.
  • The compliance officer does not have the required level of influence in the business to escalate issues and ensure governance level support for the AML/CFT programme.
  • Insufficient training and vetting of senior management, compliance officers and any staff member with AML/CFT duties.
  • AML/CFT risk assessment and programme documents not kept up to date, with no version control used.
Frequency of inspections

In the year to 30 June 2019 the department says it completed 149 desk-based reviews and 49 on-site inspections. These resulted in 60 remediation plans, as well as other regulatory action - including formal warnings and one enforceable undertaking.

Lawyer Listing for Bots