On 1 July 2018 many lawyers became reporting entities under the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act 2009. Reporting entities are those who undertake ‘captured activities’, which include activities listed in the definition of “designated non-financial business or profession” in section 5 of the Act.
If you are a reporting entity, at an organisational level, you are required to appoint an AML/CFT compliance officer, undertake assessment of the risk of money laundering and the financing of terrorism that the entity may reasonably expect to face in the course of its business, develop an AML/CFT programme, implement and follow that programme, file annual reports with the regulator/supervisor, periodically review your risk assessment and AML/CFT programme, and conduct an independent audit of your risk assessment and AML/CFT programme every two years. You must also vet all staff and give AML/CFT related training to all your partners, senior managers and the AML/CFT compliance officer.
At activity level, your obligations include, but are not limited to, risk assessment of client matters, understanding your customers, carrying out appropriate customer due diligence (CDD), conducting ongoing CDD, maintaining records, and filing suspicious activity reports (SAR) with the Financial Intelligence Unit (FIU) of the New Zealand Police, subject to legal professional privilege: see section 42(2).
The New Zealand Law Society (NZLS) has published on its website AML/CFT compliance templates that reporting entities can adapt. Some of those documents have a disclaimer saying it is a sample document only which has been produced for NZLS to assist lawyers with AML/CFT compliance requirements; it is intended as a guide only and should be adapted to take into account a law firm’s particular circumstances including internal policies and procedures specific to the law firm; and it should not be relied on as a definitive statement of AML/CFT legal requirements. To put this in context, I note two underlying aspects of the legislative framework: (i) there is no one-size-fits-all approach, and (ii) a “set and forget” approach is not appropriate. I discuss these aspects below.
There is no one-size-fits-all approach

NZLS templates are helpful and could make it easier for some law firms to develop their AML/CFT documents. While those templates have been drafted as general guidance documents, for a busy sole practitioner or an under-resourced SME sized law firm, there may be a tendency to adopt those templates without appropriately customising them for their own practice. This may be inappropriate.
Section 58 states that before conducting CDD or establishing an AML/CFT programme, a reporting entity must first undertake an assessment of the risk of money laundering and the financing of terrorism that it may reasonably expect to face in the course of its business. The section does not require a reporting entity to consider factors related to its entire practice. The review will be in the context of the practice’s activities that fall within the provisions of the Act. The section requires a firm to consider its nature, size, the complexity of its business, the products and services it offers, the methods by which it delivers products and services to its customers. Then, it requires the reporting entity to consider the types of customers, the institutions and the countries it deals with. It is important that the AML/CFT risk assessment demonstrates the rationale that was used to assess the risk of facing money laundering or the financing of terrorism. This process can be tricky as you must choose appropriate criteria against which your firm will conduct the risk assessment.
Section 57 requires the reporting entity to develop an AML/CFT programme that is based on risk assessment and identifies several areas for establishing policies, procedures and controls. The reporting entity will have to decide what is relevant for its practice. So, each practice will need to adapt the NZLS template on AML/CFT programme to some extent.
A “set and forget” approach is not appropriate
Criminals continuously adapt their activity to avoid detection and circumvent preventative measures. In addition, the evolving nature of the legal profession and your practice and the changing characteristics of your clientele mean you cannot adopt a “set and forget” approach to preparing AML/CFT compliance documents.
Those documents are required by law to be reviewed on a regular basis to address emerging risks and changing circumstances of the practice, including, but not limited to, understanding the customers, the institutions, and the countries the firm will have to deal with.
Appointment of a compliance officer
The AML/CFT compliance officer plays a crucial role in the firm. The person is responsible for administering your AML/CFT programme.
Section 56(3) states that in the case of a reporting entity that does not have employees, the reporting entity must appoint a person to act as its AML/CFT compliance officer.
There may be reasons why a sole practitioner may not wish to be self-appointed to that role. The DIA Guideline says if you cannot fulfil that role, an external person must be appointed. You will need to think about how you will manage information subject to legal professional privilege and confidential information that will need to be passed on to that external person. Is that possible at all without waiving legal professional privilege? I discuss this issue in more detail later in this article.
Choosing an appropriately qualified auditor
Section 59B requires an audit to be carried out every two years by an independent person, appointed by the reporting entity, who is appropriately qualified to conduct an audit and that person must not have been involved in the establishment, implementation, or maintenance of the reporting entity’s AML/CFT programme.
For law firms the first audit will be due in July 2020. However, it will be prudent to have your first audit conducted earlier. It will be better to have any deficiencies in your AML/CFT compliance practices identified earlier than waiting for two years. This may give greater confidence to your Professional Indemnity insurer.
On the independence of the auditor, the DIA Guideline says a very large firm with a dedicated audit function would likely be able to show a sufficient degree of independence. It is implied in that statement that a small firm without an independent audit function may, in some cases, find it difficult to show the requisite degree of independence. Clearly that will be the case for a sole practitioner or small law firm.
On the appropriate qualification of the auditor, section 59B(2) says the auditor is not required to be a chartered accountant or qualified to undertake financial audits. However, considering the scheme and purpose of the Act, engaging an auditor with sound knowledge of white collar crimes and experienced in conducting criminal investigations would be immensely helpful. An auditor who understands the modus operandi of those persons the AML/CFT regime seeks to restrict will be in a better position to effectively advise on your risk reviews and redrafting your AML/CFT programme. FAQs published by the Financial Markets Authority state that your audit will be more effective if your auditor understands your industry and has audit experience.
Therefore, as a matter of prudence, good governance, and to avoid potential conflict of interest, my view is that it would be appropriate to outsource the reviews and audits of your practice’s risk assessment and AML/CFT programme to a law firm that has good knowledge of the legal profession, audit experience and expertise and understands AML/CFT law and its complexities.
A legal conundrum
Section 59B requires reporting entities to conduct an independent audit every two years. Ordinarily the auditor would expect sufficient information to be provided for them to discharge their duties. However, lawyers have a duty to protect client information subject to legal professional privilege and confidential information. Underlying the provision of legal services is an understanding that “the client must be sure that what he tells his lawyer in confidence will never be revealed without his consent” (R v Derby Magistrates’ Court, ex p B [1996] AC 487 at 507, confirmed in New Zealand by B v Auckland District Law Society [2004] 1 NZLR 326, [2003] UKPC 38).
Recognising the over-arching importance of the privilege, it is well established that Parliament may only abrogate legal professional privilege through the clearest of language. This principle was established in CIR v West-Walker [1954] NZLR 191 (CA) (see also Rosenberg v Jaine [1983] NZLR 1, (1983) 1 CRNZ 1 and B v Auckland District Law Society [2004] 1 NZLR 326, [2003] UKPC 38 (PC)). For example, when the Ministry of Justice audits legal aid lawyers, disclosure of privileged communication is permitted by section 109 of Legal Services Act 2011. Similarly, for lawyers’ trust account audits, NZLS Inspectorate has wide-ranging powers under the Lawyers and Conveyancers Act (Trust Account) Regulations 2008 to review trust accounts of practices and if necessary to communicate directly with clients of those practices. So, for those audits, legal professional privilege is a non-issue.
For the purpose of AML/CFT audits, there is no statutory provision that permits disclosure of information subject to legal professional privilege to an independent auditor. While I acknowledge that lawyers’ trust account records are excluded from the scope of ‘privileged communication’ for the purposes of the AML/CFT Act (section 42(2)), CDD and other AML/CFT compliance documents may contain information subject to legal professional privilege.
The view that lawyers cannot disclose privileged communication to their independent auditor under the AML/CFT regime is supported by the fact that they are not required to disclose such information to FIU (section 40(4)) or even to their supervisor (sections 132(4) and 133(5)). So, why would the independent auditors be entitled to privileged information in the absence of a statutory provision? The privilege belongs to the client and may only be waived with the client’s express consent.
If the independent auditor does not have access to sufficient information they cannot give assurance to the supervisor that your SAR procedure meets all mandatory requirements. All they can do is to provide a Disclaimer of Opinion. That means lawyers cannot really have a foolproof signed-off audit report from an independent auditor as your supervisor might like to see. The risk remains with the law firm.
Also, the risk of your independent auditor making a SAR to FIU under section 43 on information that they inadvertently come across during the course of their audit of your firm - which may have already been withheld by your firm under legal professional privilege - is serious. So, how do you overcome this conundrum?
I suggest that one sensible way to address these issues is to instruct an auditor who is within a law firm which specialises in AML/CFT law and compliance. If you instruct another law firm and sufficiently bundle your audit instructions with instructions to get independent legal advice on AML/CFT, your clients’ already privileged information, which is at risk of inadvertent disclosure to the FIU by your independent auditor under section 43, is protected by another layer of legal privilege. That gives effect to section 40(4) of the Act on legal privilege exclusion for filing SARs and covers your risk.
Penalties for inadequate or non-compliance
Inadequate compliance or non-compliance with obligations imposed by the Act can give rise to significant business risks and legal issues.
The penalties for non-compliance, in the case of an individual, are a term of imprisonment of not more than two years and/or a fine of up to $300,000. For a firm the penalty is a fine of up to $5 million. In addition, the Act also confers upon the court the power to order the imposition of pecuniary penalties.
In Department of Internal Affairs v Ping An Finance (Group) New Zealand Company Ltd [2017] NZHC 2363, a case decided under the AML/CFT Act in 2017, the High Court ordered the defendant to pay to the Crown $5.3 million for failing to conduct CDD, failing to adequately monitor accounts and transactions, entering into or continuing a business relationship with a person who does not produce or provide satisfactory evidence of the person’s identity, failing to keep records, and failing to report suspicious transactions.
More recently, in Department of Internal Affairs v Qian Duoduo Ltd [2018] NZHC 1887, the DIA was seeking $2.6 million from the defendant for failures in respect of risk assessments, failure to undertake CDD, failure to undertake ongoing CDD and account monitoring, and failure to keep adequate records.
So, for a law practice, failure to comply with the Act or inadequate compliance can give rise to serious consequences which may include punitive fines, reputational damage, disciplinary action, loss of practising certificate, loss of business and possible civil or criminal proceedings against one or more lawyers.
An ethical dilemma
The Act puts lawyers in an interesting position by requiring them to report any suspicious transactions unless it is “privileged communication” although the transaction is subject to confidential advice they have given.
Legal professional privilege does not extend to everything that legal professionals have a duty to keep confidential. Legal professional privilege protects only those confidential communications falling under either of the two heads of privilege – advice privilege or litigation privilege.
Rule 8.1 of the Lawyers Client Care and Conduct Rules 2008 states a lawyer’s duty of confidence commences from the time a person makes a disclosure to the lawyer in relation to a proposed retainer (whether or not a retainer eventuates) and the duty of confidence continues indefinitely after the person concerned has ceased to be the lawyer’s client. Leaving rules 2.4 and 8.2(a) aside, rule 8.2(d) provides that a lawyer is required to disclose confidential information if required by law. The AML/CFT Act requires lawyers to disclose suspicious transactions but only if the lawyer has reasonable grounds to suspect and if section 42(2) (definition of what is not privileged communication) applies.
It will be a balancing act between observing the provisions of the Act, protecting clients’ right to confidential advice, and maintaining privilege in respect of information that the lawyer believes on reasonable grounds to be a privileged communication. It is going to involve some important judgement calls and many of the medium sized and smaller law firms in particular will have to think seriously as to how to apply this in practice.
Compliance costs
A law firm may decide that on average the administrative cost of complying with AML/CFT obligations is $35 per client matter (which may be conservative) and the firm has 1,000 new matters every year. The firm will therefore charge $35,000 to clients and should receive this sum to meet compliance costs. If all firms decide to pass on the compliance costs to clients, there is a good chance that firms will have the resources to properly fulfil their obligations. If law firms overall determine not to pass on the administrative costs involved in compliance to clients, then I anticipate that there will be a greatly increased chance that firms will not fully comply with their obligations.
I urge firms to carefully think through and appropriately price the full cost of compliance. It is quite possible that in a mid-sized firm the responsible partner may spend up to 5% to 10% of their time overseeing compliance at a cost of say $50,000 per annum and the internal direct cost of staff compliance may easily be another $20,000 to $30,000 per annum when considering the training required, ongoing risk assessments, day to day compliance work and fulfilling audit requirements.
It is quite possible that a mid-sized firm may incur costs in excess of $80,000 per annum on AML/CFT compliance. Given the serious consequences for non-compliance, I anticipate that many firms may decide that overall they will be able to save money and better ensure compliance if they outsource aspects of the compliance process and recoup this cost from clients through the appropriate charges.
Disclaimer: These figures are estimates and projections only, based on certain assumptions and conditions, and they should not be relied on as a basis for revising your legal fees or cost of any services you may wish to outsource.
Ismail Rasheed office@irlegal.lawyer is the Director and Principal Solicitor of IR Legal, specialising in Immigration, Tax and AML/CFT laws.