By Ros Morshead
I don’t imagine the angst I hear around the law firm traps in my world on AML/CFT (AML) is any different to anywhere else in the country. We seem to be bombarded with it from every corner, and it has been overwhelming for many. The Department of Internal Affairs (DIA) are the Phase 2 sector Supervisor under the Act, and their job is to ensure law firms and other Phase 2 entities comply with their statutory obligations. But nearly two years on from 1 July 2018, many are probably still grappling with properly implementing and embedding compliance programmes, crossing our fingers we aren’t selected for a desk-top audit, or hoping the DIA doesn’t knock on our office doors for an on-site audit any time soon. As it happened, my small firm was selected for a desk-top audit quite early into the start of the regime. This article discusses that warts and all experience, together with some other observations and points that I hope may be useful for others.
The desk-top audit notice arrives
So, back in October 2018, a five-page letter from the DIA landed in my inbox notifying a desk-top compliance programme audit to be submitted within two weeks. I was semi-confident of a favourable review, having spent a huge amount of un-billable time and effort customising my small firm’s compliance programme ahead of 1 July 2018. My laptop keys got bashed a bit harder than usual for a few days while I grumbled about the whole thing being entirely unfair and why they’d picked on me, a nobody from the provinces.
Our 40-odd page programme was duly submitted, but not without many more hours of tweaking and stressing. Job done I thought. Not so, said DIA. Two working-days before the 2018 Christmas break, back came a 49-page report that largely said our programme wasn’t up to scratch, and we’d have to re-submit. FORTY. NINE. PAGES. Part of the overall summary is reproduced in the panel on page 79. ‘Twas not a very merry Christmas.
By May 2019 we’d had a second round of ‘rejection’ (my word), and the stress had been hanging over my head like a sword of Damocles for eight months. The DIA’s review correspondence is voluminous, intimidating, overwhelming, and an additional stressor in itself. I did come to realise that the DIA aren’t completely heartless, and in fairness they are fully aware how their communications may perhaps be received. I was grateful the same review officer would make a personal and supportive follow-up call to discuss, ask if there were any queries about the points raised, and generally encouraged full and open dialogue enabling both parties to move toward achieving the goal of re-working what we already had to reach a compliant programme. I was confident we’d get there, and in the end we did.
AML and hidden costs to business
Even though we made it out the other side of a desk-top audit, in all honesty I’m just as pipped as everyone else having to deal with AML compliance obligations, and time and cost thereof to business on top of what is already a tightly regulated industry. In my view, nowhere is the real cost to business laid so bare as the Deloitte report commissioned by the Ministry of Justice in 2016 (Phase II Anti-money Laundering Reforms – Business Compliance Impacts) AML Phase 2. In that report, Deloitte undertook an initial Business Compliance Cost Study that essentially asked: ‘What would it cost Phase 2 industry sectors to meet their compliance implementation obligations?”
The results aren’t pretty. Deloitte estimated approximately 1572 lawyer and conveyancer entities with AML compliance obligations across the legal sector would spend between $16.1 million (low) to $80.9 million (high) in the first year alone creating, establishing, and implementing risk assessment programmes, policies, and procedures for the first time. That’s a sunk cost to each business of roughly between $10,000 to $51,000 relative to business size and complexity, just to get the thing off the ground. Deloitte further projected annual ongoing compliance and monitoring cost to the sector at between $14.3 million (low) to $59.6 million (high): an estimated $9,000 to $37,900 per reporting entity, per annum. Another sunk cost if you’re not careful, unless you’ve already put cost recovery plans in place (which you absolutely should – the Deloitte Report helpfully also estimates an ‘average cost per client’ on page 4).
Sadly, I believe the Deloitte figures are pretty much on the mark. That conclusion is reached after reflecting on the huge amount of time and effort setting up and implementing our voluminous compliance programme in the first place, the enormity of the desk-top audit and unbillable time out of the business dealing with programme remedial work in a short time frame.
Based on those experiences, it’s also my view that any firm who’s approached their compliance programme largely by dumping it on a support staff member, or had a consultant do it for you back in 2018, or where a firm’s only spent several hours on their compliance programme with direct and indirect costs of a couple of thousand dollars overall versus Deloitte’s numbers (relative to your business), will have seriously underestimated their obligations and simply won’t comply. The hidden cost and stress of inadequate preparation and attention will come back to bite at some inconvenient time in the future via a desk-top audit or on-site visit; or, worse, your firm being implicated in money laundering activities by some other means outside your day to day AML observance – a point I’ll come to shortly.
Why can’t NZLS and the DIA just sort it all out for us?
Look, I’m not here to vitriol or extol the virtues of any industry or regulatory bodies, but I do believe the New Zealand Law Society did a huge amount of work behind the scenes on our behalf pulling together various resources that were hard-won (and rightly so) out of the DIA. Despite wide criticism of NZLS and the DIA on the perceived ‘inadequacy’ of various compliance resource aids, it’s not either’s job to provide us a boiler-plate document that would effectively enable us to wave it about and exclaim “Hurrah Timmy, we comply!”. Logically, to do so would defeat the purpose of section 58 of the Act requiring each reporting entity firm to undertake a critical assessment of its own money laundering/financing terrorism exposure risks in so far as their own clients, services, transactions, and other factors are concerned. What I can tell you for a fact is that even though the NZLS resources and specimen documents are not anywhere enough to satisfy the expectations of the DIA without more, they ARE the base building blocks toward adapting and customising a compliant programme.
I agree with Marty Robinson (“Crunch Time for AML/CFT Regimes”, LawTalk 939, May 2020, pages 68-71) who writes that the DIA’s starting point when auditing and providing compliance programme feedback is education and supportive engagement. This accords with my experience that the DIA do actually want to help us meet our compliance obligations and will help where a firm is making genuine attempts to review and remediate their programme. I’d also add that Marty offers some useful comments on some areas the DIA are finding many firms are coming up short on with their compliance programmes. Some of those were our remediation points, too.
The paths to troubled waters: how many ways can we count thee …
In that article, Marty Robinson also posed the interesting question “How quickly can [non-compliance enforcement action] get dangerous?” – observing that the risk of more heavy-handed enforcement action by the DIA, if it ever got that far at all, is probably quite low in most circumstances (ergo you’re probably not going to get into big trouble any time soon). But the DIA in their role as Phase 2 sector supervisor are just one part of a much bigger picture, and lawyers should be careful to not get stuck in the process (focusing solely on their compliance documents) and overlook the overall purpose and intention of the Act – to prevent money laundering and terrorism financing. There are other agencies such as Police, Customs, Serious Fraud Office and IRD who continually investigate and monitor people and their associates for criminal and related money-laundering activity – and all those agencies have the ability to cast an incredibly wide net that could potentially end up on your door step. So if anybody in those agency nets turn out to be attached to you or your firm in some way, those people might very well get you implicated in money laundering activities well before the DIA is likely anywhere near a desk-top audit of your AML programme. If the recent high-profile prosecution of Auckland lawyer Andrew Simpson – who both enabled and facilitated money laundering activities through his firm for the Comancheros gang – doesn’t hammer home the big picture and how easy it is for anyone in the profession to get caught up in money laundering activities and allegations, then I don’t know what will.
The two-year independent audit is nigh…
An entire industry seems to have grown out of providers assisting with AML compliance and independent audits. Notably, the DIA do not endorse or approve providers, so we’re free to choose our own path for independent audits so long as there’s independence and some knowledge of the AML regime. I’ve heard a few numbers bandied around of audit fee estimates, and they’re unrealistic for many firms – even more so now with the business uncertainty around COVID-19. Yet there’s absolutely no reason why firms can’t team up with others of similar size and practice areas to come up with agreed audit processes and procedures between them using the DIA’s October 2019 Audit Guidelines. That’s how we’re approaching it, and are well along the road in that planning.
Concluding remarks
I’m not particularly happy about a regime that’s been foisted on us, and even less happy about the cost to my business. But after having been through the process and thinking differently about some of the scenarios that crop up in practice every day, I am confident we’re on the right track. I certainly hope that this article offers food for thought for those of you who may be thinking that your compliance programme could perhaps do with another review so you don’t inadvertently become the next Andrew Simpson.
Ros Morshead ros@lawbox.co.nz is a Director of Tauranga/Rotorua law firm Law Box.
| Risk Assessment | |
| s 58(2)(a) - Nature, size and complexity | Met |
| s 58(2)(b) - Products and services | Not Met |
| s 58(2)(c) - Methods of delivery | Partially Met |
| s 58(2)(d) - Types of customers | Not Met |
| s 58(2)(e) - Countries dealt with | Partially Met |
| s 58(2)(f) - Institutions dealt with | Not Met |
| s 58(2)(g) - Regard to guidance material | Not Met |
| s 58(3)(a)(c) - Identify risks faced in course of business | Partially Met |
| s 58(3)(b), s59(1) - Keeping risk assessment current | Partially Met |
| AML/CFT Programme | |
| s 56(2)-(4) - Compliance Officer | Met |
| s 57(1)(a) - Vetting | Met |
| s 57(1)(b) - Staff Training | Partially Met |
| s 57(1)(c) - Risk based customer due dilience (s 12) | Met |
| s 57(1)(c) - Identifying customer requirements (s 11(1)) | Met |
| s 57(1)(c) - Occasional activities or transactions | Met |
| s 57(1)(c) - Verifying identity before conducting business | Met |
| s 57(1)(c) - Ongoing CDD and account monitoring (s 31) | Partially Met |
| s 57(1)(c)(k) - Reliance on third parties | Not applicable |
| s 57(1)(j) - Determining Simplified or Enhanced CDD | Partially Met |
| s 57(1)(c) - Applying Enhanced CDD (s 22-25) | Partially Met |
| s 57(1)(c) - Politically Exposed Persons (s 26) | Partially Met |
| s 57(1)(i) - Technologies/products favouring anonymity | Partially Met |
| s 57(1)(c) - Wire transfer provisions (s 27-28) | Not Met |
| s 57(1)(da) - Prescribed transaction reporting | Not Met |
| s 57(1)(d) - Suspicious activity reporting | Partially Met |
| s 57(1)(e) - Record keeping | Met |
| s 57(1)(g) - Examining and keeping written findings — large - complex - unusual patterns of transactions | Met |
| s 57(1)(h) - Examining and keeping written findings — countries with insufficient AML or CFT systems | Partially Met |
| s 57(1)(l) - Monitoring compliance AMLCFT programme | Met |
| s 57(1)(2) - Regard to guidance material | Partially Met |
| s 59(1) - Review of AML/CFT programme | Partially Met |
| Independent Audit and Annual Report | |
| s 59(2) - Independent Audit | Not Met |
The DIA report on our programme