Desk-based audit under the AML/CFT Act
The Department of Internal Affairs (DIA) is the supervisor of lawyers under the Anti-Money Laundering and Countering Funding of Terrorism Act 2009.
As part of its supervisory role, the DIA may review a lawyer’s risk assessment and programme. Desk-based reviews can be carried out under sections 131 and 132 of the AML/CFT Act, and the aim is to complete them within one month. Desk-based reviews are not an assessment of the implementation or effectiveness of a practice’s AML/CFT programme; that would be carried out in an on-site inspection.
Section 58 of the Act requires a reporting entity to undertake a risk assessment of the risk of money laundering and the financing of terrorism that it may reasonably expect to face in the course of running its business.
Section 56 requires a reporting entity to establish, implement and maintain an AML/CFT programme to detect money laundering and financing of terrorism and to manage and mitigate the risk of money laundering or the financing of terrorism. Your AML/CFT programme must meet all the requirements specified in section 57 of the Act.
The programme review will assess compliance with:
- section 56, which states that a reporting entity must have an AML/CFT programme and an AML/CFT compliance officer;
- section 57, which sets out the minimum requirements for an AML/CFT programme; and
- section 58, which states that a reporting entity must undertake a risk assessment and sets out requirements for the risk assessment.
What will DIA consider?
DIA has said that attention will be paid to the following:
- AML/CFT compliance officer information;
- Risk Assessment;
- AML/CFT policies, procedures and controls;
- Independent Audit;
- Annual AML/CFT report; and
- any other relevant information.
When a practice is contacted by the DIA after having been selected for a desk-based review, the DIA will provide the practice with a documentation checklist that details the documents and records (under section 132(2)(a)) that it requires to sight. The documentation includes:
- copies of the practice’s AML/CFT policies and procedures;
- control documentation such as any external audit reports;
- risk assessment documentation.
The DIA has indicated that it wishes to work in collaboration with law practices, which includes helping practices understand and meet their obligations. As part of the review, the DIA will be reviewing the above documentation to check policies and processes are in place for:
- ongoing Customer Due Diligence being undertaken;
- regular ‘account monitoring’ (for changes in client habits, etc);
- the reporting obligations being met, such as Suspicious Activity Reports and Prescribed Transaction Reports being filed where appropriate;
- an annual review/audit of the risk assessment and AML/CFT programme being undertaken in line with section 59;
- a training and compliance culture (needed to demonstrate the quality of the training, and records of that);
- an annual report being filed in line with section 60;
- the AML/CFT programme being discussed at partnership / director level (such as meeting minutes/board reports).
Risk assessments and compliance programmes
In relation to risk assessments and compliance programmes, a focus will be on whether the law firm has tailored these to the individual circumstances of the practice. This includes evidence of an analysis of the particular AML risks which are typically associated with the different services the firm is offering and a detailed break-down of a firm’s client base to identify risk in that regard (for example, identifying clients with cash intensive businesses or high risk industries or occupations, overly complex corporate structures, trusts and other legal arrangements which favour a degree of anonymity, or potentially politically exposed people (PEPs)).
It will assist the DIA if the risk assessment and programme documentation includes version control information reflecting the ‘living’ nature of the documents.
At the completion of the review the DIA will provide the practice with a report detailing its findings. The practice will be provided with the opportunity to correct any factual errors in the report. If non-compliance is found, the DIA may decide to work with the practice to remedy the non-compliance, or take enforcement action as set out in Part 3 of the Act.
All practices should already have the policies, procedures and risk assessment in place. If you wish to review your documentation in line with the requirements and any changes in the practice, guidance on what needs to be considered/included is available on the DIA website.
The New Zealand Law Society has published a Practice Briefing, ‘Preparing for becoming a reporting entity under the AML/CFT Act’.
Offences and Penalties
While the DIA has signalled it will be taking an educative approach in the first instance, it is worth bearing in mind that it can be an offence under section 102 to wilfully obstruct an AML/CFT supervisor in the exercise of any power, and an offence under section 103 to provide false or misleading information to an AML/CFT supervisor, knowing that information to be false or misleading in any material respect. The maximum penalty for committing these offences is 3 months’ imprisonment or a fine of up to $10,000 for an individual, or a fine of up to $50,000 for a body corporate.
In a High Court decision relating to phase 1 of the legislation, Department of Internal Affairs v Qian DuoDuo Ltd  NZHC 1887, Qian DuoDuo was ordered to pay $356,000 to the DIA for:
- Failures in respect of risk assessments;
- Failure to undertake ECDD;
- Failure to undertake ongoing CDD and account monitoring; and
- Failure to keep adequate records.
The judgment highlighted deficiencies in relying solely on external advice from a consultant that may not know or understand the business model that applies to your practice.
Lisa Attrill is the New Zealand Law Society's Inspectorate Manager.
Last updated on the 13th February 2019