Doing your AML/CFT Risk Assessment?

The key to your AML/CFT programme is the Risk Assessment. Under section 58 of the Act, you must assess your business for the risk of money laundering or terrorism financing.

Your Risk Assessment must be in writing.

It must then be used as the basis for your AML/CFT programme.

The Risk Assessment document must describe how the assessment will be kept up to date.

Your Risk Assessment must enable you to meet the relevant obligations under the Act and regulations, especially the obligations to conduct ‘customer due diligence’ and ‘ongoing customer due diligence.’

Effectively, you are required to segment your business operations and customers to create a set of risk profiles against which you will undertake a pre-set AML/CFT business process going forward.

When assessing your risks, you must identify aspects of the business that may be susceptible to money laundering or terrorism financing. The next step is to consider each of the at-risk areas you have identified, analysing the likelihood that your business will be used for money laundering or terrorism financing.

Each of the following areas must be considered:

  • The nature, size and complexity of your business.
  • The products and services you offer.
  • The way you deliver your products and services.
  • The types of customers you deal with.
  • The countries you deal with.
  • The institutions you deal with.

What your AML/CFT Programme will do

An AML/CFT Programme sets out the internal policies, procedures and controls necessary to detect money laundering and financing of terrorism and to manage and mitigate the risk of it occurring.

  • Policies set out expectations, standards and behaviours in a business.
  • Procedures are more detailed and set out day-to-day operations.
  • Controls are tools that management use to ensure the business complies with policies and procedures.

Minimum requirements of an AML/CFT Programme are set out in sections 56 and 57 of the AML/CFT Act and include:

  • Vetting and training senior managers, the compliance officer, and other relevant employees.
  • Customer Due Diligence.
  • Ongoing CDD and account monitoring – This is the Know Your Customer (KYC) element.
  • Examining and keeping findings related to money laundering or financing of terrorism.
  • Suspicious activity reporting.
  • Prescribed transaction reporting.
  • Record keeping.
  • Products and transactions that favour anonymity.
  • Managing and mitigating AML/CFT risk.
  • Ensuring compliance with the Programme.
  • Review and audit of the Programme.

Customer Due Diligence (CDD)

CDD is the process through which a reporting entity develops an understanding about its customers and the AML/CFT exposure they pose. It is the key aspect of the AML/CFT Programme, and involves gathering and verifying information about a customer’s identity, beneficial owners and any person acting on behalf of the customer. This is compulsory for all reporting entities captured by the legislation, with a variety of penalties for non-compliance. The legislation does allow for an agent to undertake the actual work, under the control and to the standards set by the reporting entity.

The three types of CDD are Simplified, Standard and Enhanced.

1. Simplified Customer Due Diligence is the lowest level of due diligence that can be completed on a customer. This is appropriate where there is little opportunity or risk of your services or customer becoming involved in money laundering or terrorist financing. Refer to Sections 18 to 21 of the Act. Where you are satisfied that a customer, product and services fall within the Simplified Due Diligence criteria, your only requirement is to identify your customer. There is no requirement to verify your customer’s identity as you would with a standard or enhanced due diligence approach. However, the business relationship should be continually monitored for trigger events which may create a requirement for further due diligence in future.

2. Standard Customer Due Diligence is aimed at ensuring the business knows with whom it is doing business. Identity Verification (including Date of Birth), Evidence of Location and Ultimate Beneficial Owner (for corporate structures) are all required. Refer to Sections 14 to 17 of the Act.

3. Enhanced Customer Due Diligence (EDD) is required where this initial analysis indicates potential risk as defined in the Risk Profiles developed in initiating your programme. EDD must be undertaken when on-boarding or undertaking unusual transactions for a prospect or customer. There are also specific entity types, such as Trusts, that require EDD standards to be applied. EDD looks at affiliations, jurisdictions, Source of Funds and Source of Wealth to ascertain the potential risk. Refer to Sections 22 to 25 of the Act.

Ongoing customer due diligence and account monitoring

Refer to Section 31 of the Act.
An essential part of the Act is the requirement that reporting entities regularly review information about the business relationship they have with their customers. They must determine when it may be necessary to collect further information, or update or verify existing CDD information.

How can Infolog help?
While ongoing due diligence may seem onerous, Infolog has several Notification services to help meet your requirements. This is a key area in any successful AML/CFT Programme. The relevant section is very specific and worth detailing in full.
(1) This section applies to a business relationship between a reporting entity and a customer.
(2) A reporting entity must conduct ongoing customer due diligence and undertake account monitoring in order to—
(a) ensure that the business relationship and the transactions relating to that business relationship are consistent with the reporting entity’s knowledge about the customer and the customer’s business and risk profile; and
(b) identify any grounds for reporting a suspicious activity under paragraph (b) of the definition of that term in section 39A.
(3) When conducting ongoing customer due diligence and undertaking account monitoring, the reporting entity must have regard to—
(a) the type of customer due diligence conducted when the business relationship with the customer was established; and
(b) the level of risk involved.
(4) When conducting ongoing customer due diligence and undertaking account monitoring, a reporting entity must do at least the following:
(a) regularly review the customer’s account activity and transaction behaviour; and
(b) regularly review any customer information obtained under sections 15, 17, 19, 21, 23, 25, 26, 27, 29, and 30, or, in relation to an existing customer, any customer information the reporting entity holds about the customer.

Financial Intelligence Unit (FIU) and reporting requirements

The New Zealand Financial Intelligence Unit (FIU) provides intelligence relating to suspicious transactions, money laundering, the financing of terrorism and other serious offences. The FIU fulfils the functions and exercises the powers of the Commissioner of Police as set out in the Act. It helps the New Zealand government fulfil its obligations to the inter-governmental Financial Action Task Force (FATF).
The FIU collects information in five main report types:

  • Suspicious Activity Reports (SAR) from 1 July 2018.
  • Suspicious Transaction Reports (STR).
  • Prescribed Transactions Reports (PTR).
  • Suspicious Property Reports (SPR).
  • Border Cash Reports (BCR).

Reports are submitted to the FIU using the goAML Web application:
http://www.police.govt.nz/advice/businesses-and-organisations/fiu/goaml
As a rule, a suspicious transaction will generally be one that is inconsistent with the customer’s known activities and profile, or with the normal business expected for that type of client.
A Reporting Entity must identify any suspicious transactions and raise the appropriate report to the Police if it has reasonable grounds to suspect a transaction may relate to specified money-laundering or terrorism offending. Note the word ‘may.’
Reports must be provided to the Financial Intelligence Unit (“FIU”) no later than three working days after forming the suspicion.

Annual AML/CFT returns

A report must be lodged with your AML/CFT Supervisor each year in a specified format. The Annual Report contains questions about the following:

  • Organisational structure.
  • AML/CFT Risk Assessment.
  • AML/CFT programme.
  • Audit results of the Risk Assessment and programme.
  • Products and services.
  • Channels (methods of acceptance, i.e. face-to-face or otherwise).
  • List of countries in which non-resident customers reside.

The Infolog Portal contains several on-line Audit and Reporting functions to help you meet your requirements in this important area.