Understanding the 8 parties in your AML/CFT programme and the roles they play.

When it comes to getting your head around AML/CFT, it’s helpful to first understand who is involved in staying compliant, what roles those parties play, and how you need to engage with them.

There are 8 key parties, each with an important role in your AML/CFT programme:

1. Reporting Entity

The Reporting Entity is you. Based on the nature of your business, you are required to implement and actively manage an AML programme to meet the legislated requirements.

Penalties for non-compliance can be severe and allow for criminal sanctions including imprisonment.

2. Your AML Staff – Vetting and Training

Under section 57(b) of the AML/CFT Act, Senior Managers, the Compliance Officer and all staff involved in AML/CFT duties must be trained in AML/CFT matters such as the following:

  • Relevant AML/CFT legislation and any changes to legislation.
  • Your organisation’s AML/CFT risks as identified during your Risk Assessment.
  • The current operation of your AML/CFT Programme, including reporting lines.
    • Understanding the reporting lines is important, as a Reporting Entity must submit the Report to the Financial Intelligence Unit no later than three working days after forming the suspicion.
  • AML training should be provided at the start of employment, and then annually.

Your AML programme must also set out your procedures, policies and controls for vetting senior managers, your compliance officer and any other employees who will conduct AML/CFT duties.

The purpose of vetting is to avoid hiring a person who may themselves pose an AML/CFT risk. Vetting involves checking someone’s background to determine suitability for an AML position, making sure they are who they say they are, and checking that the information they have provided is correct.

3. Supervisor

Each set of Reporting Entities has a government department as Supervisor that sets detailed rules for how the AML/CFT legislation is to be implemented. They are also responsible for messaging and information, monitoring compliance, and prosecuting non-compliance. You should keep up to date with the guidelines published by your supervisor.

The departments currently acting as AML/CFT Supervisors are as follows:

  • Department of Internal Affairs.
    • https://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Services-Anti-Money-Laundering-Codes-of-Practice-and-Guidelines
  • Reserve Bank of New Zealand.
    • https://www.rbnz.govt.nz/regulation-and-supervision/anti-money-laundering/guidance-and-publications
  • Financial Markets Authority.


4. Compliance Officer

Section 56(2) of the AML/CFT Act dictates that an employee of your business must be nominated as the AML Compliance Officer. The AML Compliance Officer is responsible for administering and maintaining your AML/CFT Programme, and is the key contact named with the AML/CFT Supervisor.

  • This role does not have to be a stand-alone position, but it should be filled by an employee of strong character. For your AML/CFT programme to be successful, it is essential that this person has the ongoing support of the organisation at the executive level, and the ability to report to that executive.
  • In the case of a reporting entity that does not have employees, the reporting entity must appoint a person to act as its AML/CFT compliance officer.

Annual AML/CFT report:

It is likely your Compliance Officer will be responsible for preparing your annual report on your risk assessment and AML/CFT programme to your supervisor. As per Section 60, the annual report must:

  • be in the prescribed form;
  • take into account the results and implications of the audit required by section 59(2); and
  • contain any information prescribed by regulations.

The reporting entity must provide the annual report to its AML/CFT supervisor at a time appointed by the AML/CFT supervisor.

5. AML Consultant

This role is optional; however, Section 58(1) requires your organisation to undertake an assessment of the risk your business may reasonably expect to face in the course of its business.

  • The Risk Assessment must be in writing and will be a core company document going forward. This is your organisation’s guide in understanding and implementing your AML / CFT requirements within your business.
  • Your Risk Assessment should consider your current documentation, including staff contracts, client contracts, policy documents, and privacy policy.

You need to consider whether your organisation truly has the in-house capability to undertake your AML/CFT Risk Assessment. If not, this is why we suggest the AML Consultant.

As covered at the bottom of this document, you will also require an Independent AML/CFT Auditor. The entity conducting that audit must be independent and must not have been involved in developing, establishing, implementing or maintaining the AML/CFT Programme.

There are several companies offering AML Consulting services.

6. Your AML/CFT Information Service

Once your AML/CFT programme is operational, you will need access to quality information. This is where Infolog can help.

Infolog provides dedicated AML/CFT services such as identity verification, location verification, Politically Exposed Persons (PEPs), sanctions, sources of funds and wealth, and ongoing monitoring. Infolog also offers services to assist with your staff vetting.

Infolog has been working in the AML/CFT area for several years with banks and finance clients. We have developed products that are simple to use, cost-effective, and fast.

  • Delivery of our verification services can be via our portal or via API so as to seamlessly integrate into your business processes.

In on-boarding new clients, it is important to ensure the customer experience comes first and the process is as simple as it can lawfully be.

  • Infolog Identity Plus combines many of our data services into an easy-to-read one-page review to on-board your clients. Refer to the Customer Due Diligence Sections 11 and 15 of the Act.
  • Section 50 of the Act imposes an ‘Obligation to keep identity and verification’ records used to verify the identity of a person. Infolog maintains a secure encrypted environment to store these records.
  • Ongoing Customer Due Diligence (Monitoring) is also one of the requirements as per Section 31 of the Act. Infolog’s Notification services do exactly this and are an important aspect to help you meet these ongoing requirements. Notifications are free to set, with a small charge only when a change of interest occurs on one of your entities.
  • AML Reporting Entities are also obliged to conduct a review and audit of their risk assessment and AML/CFT programmes every two years, or when required by their AML/CFT supervisor. See sections 59 through 60. Infolog’s inbuilt audit and reporting functions provide exportable reports that greatly assist clients to meet these audit requirements.
  • Section 56(2) of the Act requires an employee of your business to be nominated as your AML Compliance Officer. They are responsible for administering and maintaining the AML/CFT Programme. Again, the inbuilt Infolog audit and reporting functions will provide assistance to your Compliance Officer in this critical role.
  • The Infolog Portal’s online training modules can also assist you under Section 57(b) of the Act, which stipulates that Senior Managers, the Compliance Officer and all staff involved in AML/CFT duties must be trained in AML/CFT matters.
  • Information management and compliance outside the Act is also important, as there are many other legislative and compliance requirements which cannot be ignored concerning access, viewing and retention of information (the Privacy Act, the Electronic Identity Verification Act 2012 and the Identity Information Confirmation Act 2012). Non-compliance is not an option.
  • The structure and controls provided to clients via the Infolog Portal also help you meet obligations relating to the control of and access to certain search services, maintaining an audit trail, and training of staff who access these services.

7. The Financial Intelligence Unit (FIU) – your reporting requirements.

All AML reporting entities who identify any suspicious activities or transactions must file the appropriate report to The Financial Intelligence Unit (FIU).

The FIU is a specialised unit within the New Zealand Police tasked with collecting, analysing and disseminating all financial intelligence relating to suspicious transactions or activities, money laundering and the financing of terrorism.

The FIU uses the goAML application, which was developed by the United Nations Office on Drugs and Crime (UNODC) for Financial Intelligence Units worldwide to counter Terrorist Financing and Money Laundering. https://fiu.police.govt.nz/Home

The FIU collects information in five main report types:

  • Suspicious Activity Reports (SAR) from 1 July 2018.
  • Suspicious Transaction Reports (STR).
  • Prescribed Transactions Reports (PTR).
  • Suspicious Property Reports (SPR).
  • Border Cash Reports (BCR).

Each Reporting Entity will require a goAML account, as these reports are submitted to the FIU via the goAML Web application: http://www.police.govt.nz/advice/businesses-and-organisations/fiu/goaml

As a general rule, a suspicious transaction will be one that is inconsistent with the customer’s known activities and profile or with the normal business expected for that type of client.

  • A Reporting Entity must identify any suspicious activity or transactions and raise the appropriate Report to the Police if it has reasonable grounds to suspect a transaction may relate to specified money-laundering or terrorism offending.
  • A Reporting Entity must submit the Report to the Financial Intelligence Unit no later than three working days after forming the suspicion.

8. Independent AML/CFT Auditor

Your Risk Assessment document and AML/CFT Programmes must be independently audited every two years, or when requested by your AML/CFT Supervisor.

Refer to Sections 59 or 59A. The person conducting the audit must be independent and must not have been involved in developing, establishing, implementing or maintaining the AML/CFT Programme.

An Independent AML/CFT Audit is a written report to:

  • Ensure that the risk assessment and AML/CFT programme are up to date.
  • Ensure that your AML/CFT programme was adequate and effective throughout a specified period.
  • Identify and report any deficiencies in the effectiveness of the risk assessment and the AML/CFT programme.

A reporting entity must provide a copy of any audit to its AML/CFT supervisor on request.

The auditor needs to have the relevant skills or experience to conduct the audit, and you must be able to justify the qualifications of your auditor.