AML/CFT Programme

Effective AML/CFT measures help stop criminals laundering the proceeds of drug offending, fraud, tax evasion and other crimes through a reporting entity’s business. They also make it easier for authorities to trace the proceeds of crime, so that the Police and other law enforcement agencies can prosecute offenders and seize illegally earned money and assets.

Watch AML/CFT Programme webinar

Link to full transcript of this video

Written policies, procedures and controls

A reporting entity’s written AML/CFT programme contains the policies, procedures and controls by which it is able to comply with its AML/CFT obligations. This document is the framework for a reporting entity to detect any ML/TF occurring through its business, and to effectively manage and mitigate the risk of them occurring. This is sometimes referred to as technical compliance.

Written AML/CFT policies, procedures and controls must be kept current, reviewed and updated at appropriate times to ensure they are effective. There should be version control documentation showing any amendments made.

An AML/CFT programme must contain policies, procedures and controls for:

  • Customer Due Diligence (CDD) requirements (based on the risk assessment)
  • Enhanced CDD (including source of funds or wealth verification, Politically Exposed Persons, the wire transfer provisions and new or developing technologies that may favour anonymity)
  • Monitoring and reviewing the AML/CFT programme
  • Monitoring for suspicion (including account monitoring and SAR reporting)
  • Prescribed transaction reporting
  • Record keeping
  • Staff training and vetting

Written AML/CFT Programme – Written PPCs– by % of reporting entities assessed.

A coloured bar chart depicting the required written policies, procedures and controls, and the outcomes of each from desk-based reviews. It demonstrates that the most compliant areas are monitoring for suspicion, record keeping and staff training and vetting with 67% of reporting entities being assessed as compliant in these areas. It also shows the least compliant area is prescribed transaction reporting, with 33% of reporting entities being assessed as non-compliant. A coloured bar chart depicting the required written policies, procedures and controls, and the outcomes of each from desk-based reviews. It demonstrates that the most compliant areas are monitoring for suspicion, record keeping and staff training and vetting with 67% of reporting entities being assessed as compliant in these areas. It also shows the least compliant area is prescribed transaction reporting, with 33% of reporting entities being assessed as non-compliant. A coloured bar chart depicting the required written policies, procedures and controls, and the outcomes of each from desk-based reviews. It demonstrates that the most compliant areas are monitoring for suspicion, record keeping and staff training and vetting with 67% of reporting entities being assessed as compliant in these areas. It also shows the least compliant area is prescribed transaction reporting, with 33% of reporting entities being assessed as non-compliant.
This chart summarises our findings of technical compliance with AML/CFT obligations from desk-based reviews.

Effectiveness of AML/CFT programme

To be able to comply with the Act, the written AML/CFT programme must be established, implemented and maintained in practice. This includes ensuring that all higher risk situations are identified (whether the customer, their transaction or activity), with increased CDD measures applied according to the level of risk.

Importantly, one of the requirements of the Act is prevention. If CDD cannot be conducted to the level required by the Act, a reporting entity must not carry out an occasional transaction for a customer or must not establish a business relationship with them. Any existing business relationship must be terminated. This includes situations where enhanced CDD is triggered and the reporting entity is unable to satisfactorily verify the source of funds or wealth of the customer.

Our key effectiveness observations

Compliance Officer:

This person is responsible for administering and maintaining the AML/CFT programme. The compliance officer must be a senior manager or must report to a senior manager. If the reporting entity has employees, the compliance officer must be an employee.

  • Almost all reporting entities, including in the new DNFBP sectors, have appointed a compliance officer.
  • Many written AML/CFT programmes clearly outline the purpose of this role, its responsibilities and reporting line, as well as identify other persons, departments or delegates with compliance responsibilities.
  • In practice however, some compliance officers lack understanding, knowledge or training of the ML/TF risks their business faces and of their AML/CFT obligations. Other compliance officers do not have sufficient influence to escalate AML/CFT issues, nor to ensure governance level support for the AML/CFT programme.
  • Where we identified significant or serious AML/CFT non-compliance, we often found the compliance officer to lack understanding of, commitment to, or resource to comply with, the reporting entity’s AML/CFT obligations.

Staff training and vetting:

Staff training and vetting of compliance officer, senior managers and other employees with AML/CFT related duties, must be effective.

Vetting ensures that frontline employees involved in AML/CFT duties, and other staff in a position to influence or override decisions, are suitable to be able to do so.

An effective AML/CFT training programme ensures that ML/TF risks and red flags are understood, and that the AML/CFT programme is implemented properly and effectively across the reporting entity. Not every employee needs to be an AML/CFT expert, but their training must be appropriate to their duties and level of involvement in delivering the AML/CFT programme.

  • Most reporting entities have comprehensive vetting and training procedures and controls set out in their written AML/CFT programmes. This includes provision for vetting and training registers, with controls to ensure that all requirements are met on an ongoing basis.
  • In practice however, some reporting entities are not fully complying with their vetting and training procedures. In some cases, registers are not used or kept up to date, and some staff with AML/CFT responsibilities have had limited training.
  • In other cases, training is delivered but it is entirely generic and lacks relevance or alignment to the reporting entity’s own ML/TF risks and other business processes.
Our findings – staff training and vetting
A coloured bar chart comparing compliance with the required written policies, procedures and controls for staff training and staff vetting assessed in a desk-based review (which assesses technical compliance) with the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both staff training and vetting, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for staff training and staff vetting assessed in a desk-based review (which assesses technical compliance) with the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both staff training and vetting, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for staff training and staff vetting assessed in a desk-based review (which assesses technical compliance) with the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both staff training and vetting, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance.

Standard customer due diligence:

Standard CDD is the level of CDD required for most customers in most circumstances. This requires a reporting entity to obtain and verify the identity of a new customer, and any beneficial owner or person acting on their behalf. Information must also be obtained regarding the nature and purpose of the proposed business relationship. This must be sufficient to determine whether the customer should be subject to enhanced CDD.

For individuals (assessed at low to medium risk), the supervisors have issued an Identity Verification Code of Practice (IVCOP) to verify name and date of birth. This is a suggested best practice that, if adhered to, provides a ‘safe harbour’ to comply with this requirement of the Act.

  • Most reporting entities have clearly set out policies and procedures for onboarding new customers. Almost all reporting entities state in their AML/CFT programmes that they have adopted IVCOP.
  • While most reporting entities have comprehensive onboarding and standard CDD policies, procedures and controls set out in their documents, we found that some do not strictly follow these in practice. This includes the requirement to obtain information regarding the nature and purpose of the business, which must be sufficient to assess whether enhanced CDD is required.
  • While almost all reporting entities have procedures in place to comply with IVCOP, we found that shortcuts are being taken. Examples include driver licences accepted as stand-alone identity documents or non-certified copies accepted without sighting the original document. For electronic identity verification, we found instances where reporting entities do not have a robust mechanism to ensure the person being dealt with online is the genuine holder of the identity they are claiming (and that is being verified).
Our findings – identifying customer requirements and IVCOP
A coloured bar chart comparing compliance with the required written policies, procedures and controls for identifying customer requirements and IVCOP assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both identifying customer requirements and IVCOP, reporting entities are less compliant when implementing their written policies, procedures and controls compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for identifying customer requirements and IVCOP assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both identifying customer requirements and IVCOP, reporting entities are less compliant when implementing their written policies, procedures and controls compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for identifying customer requirements and IVCOP assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both identifying customer requirements and IVCOP, reporting entities are less compliant when implementing their written policies, procedures and controls compared with technical compliance.

Enhanced customer due diligence:

Watch EDD webinar

Link to full transcript of this video

Enhanced CDD requires more sophisticated AML/CFT measures to be adopted in certain higher risk situations (including those identified in the risk assessment). There are different types of enhanced CDD. Depending on the situation, this means there are different requirements that must be met, including for:

1. Source of funds or wealth verification for higher risk customers/transactions/activities:

In some circumstances, it is necessary to obtain and verify information relating to the source of funds or wealth of the customer. When this type of enhanced CDD is triggered, a reporting entity is required to take reasonable steps to verify, according to the level of risk involved, the legitimacy of the customer’s money or assets.

This type of enhanced CDD may be required prior to an occasional transaction or activity being conducted, or prior to a business relationship being established. Alternatively, this type of enhanced CDD might be triggered within an established business relationship where the level of risk requires it. This includes if the customer seeks to conduct a complex, unusually large transaction or an unusual pattern of transactions with no apparent or visible economic or lawful purpose.

2. Politically Exposed Persons (PEPs)

Reporting entities must take steps to identify whether a customer is a PEP, obtain senior management approval to establish a business relationship with a PEP, and obtain and verify information regarding their source of funds or wealth.

3. Wire Transfers

The wire transfer provisions relate specifically to information that must be obtained and verified and accompany a transfer of funds by electronic means of NZ$1,000 and over. The relevant provisions are dependent on whether the reporting entity is an ordering, intermediary or beneficiary institution of a wire transfer. Ordering or beneficiary institutions of an international wire transfer must also submit a PTR to the FIU.

4. New or developing technologies that might favour anonymity

If customers, products or services are involved in new or developing technology that may favour anonymity, additional measures are required to mitigate the additional ML/TF risk.

  • Most reporting entities have written policies, procedures and controls covering the various types of enhanced CDD and the circumstances in which it is required.
  • At our inspections, we also found that most reporting entities understood that additional AML/CFT measures are required for higher risk customers or situations. They also understood that applying these additional measures when required is key to being able to effectively detect and deter ML/TF.
  • However, our inspections also found some instances of higher-risk customers, activities or transactions not being consistently identified, monitored or even looked for. When they were identified, information regarding the source of funds or wealth of the customer may have been obtained but was not always being verified from reliable and independent sources.
  • Some reporting entities were also confused about the difference between the enhanced CDD wire transfer provisions, and when they were required to verify the source of the customer’s funds or wealth. These are two different types of enhanced CDD. The wire transfer provisions only apply to a transfer of funds by electronic means.
Our findings – applying enhanced CDD, PEPs and wire transfer provisions
A coloured bar chart comparing compliance with the required written policies, procedures and controls for applying enhanced CDD, PEPs and wire transfer provisions assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in all the stated areas, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for applying enhanced CDD, PEPs and wire transfer provisions assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in all the stated areas, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for applying enhanced CDD, PEPs and wire transfer provisions assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in all the stated areas, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance.

Ongoing customer due diligence, account monitoring and SAR reporting:

Ongoing CDD and account monitoring are to ensure that a business relationship and transactions relating to it are consistent with the reporting entity’s knowledge about the customer, their business and risk profile.

This is a risk-based regular review of the customer’s CDD information, account activity and transaction behaviour. This might also be the trigger to obtain and verify information regarding the source of funds or wealth of the customer (see enhanced CDD above). Ongoing CDD and account monitoring must also enable the reporting entity to identify any grounds for submitting a SAR.

Reviewing and monitoring customers, identifying higher risk activities and transactions, and distinguishing between those that are legitimate, compared to those that are suspicious and require a SAR, is key to an effective AML/CFT programme.

  • Most reporting entities understand and have AML/CFT programmes that set out policies, procedures and controls for ongoing CDD and account monitoring. Most reporting entities also understand and have procedures in place for SAR reporting.
  • However, in some circumstances, the ongoing CDD and account monitoring triggers for review are not risk-based, nor do they align with the reporting entity’s risk assessment.
  • In practice, some of our on-site inspections also found ongoing CDD and account monitoring procedures were applied less consistently than what had been presented in the written AML/CFT programme.
Our findings – SARs and ongoing CDD and account monitoring
A coloured bar chart comparing compliance with the required written policies, procedures and controls for suspicious activity reporting and ongoing CDD and account monitoring assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both areas, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for suspicious activity reporting and ongoing CDD and account monitoring assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both areas, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for suspicious activity reporting and ongoing CDD and account monitoring assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both areas, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance.

Record keeping:

Record-keeping is an important part of an AML/CFT programme. It must enable customers to be readily identified at any time, and their transactions to be readily reconstructed at any time.

Records must be readily accessible and kept for a minimum of five years after a transaction, activity or wire transfer has been completed, or a business relationship has ended. In addition to records of transactions and activities, this includes:

  • CDD verification records.
  • Records relevant to the establishment of, or obtained during the course of, a business relationship. This includes information received regarding the nature and purpose of the relationship and the activities undertaken for a customer. For example, notes or written findings that staff members have made and correspondence with the customer (including by email or online messaging).
  • Records relating to risk assessments, AML/CFT programmes and independent audits.
  • Most reporting entities have comprehensive record keeping procedures and controls set out in their written AML/CFT programmes. This includes ensuring retention of records and how they will be stored (whether hard copy or electronically). This also includes ongoing controls to ensure that all CDD requirements are met before transactions or activities for the customer can be processed.
  • In practice, we found some reporting entities to be less effective than their written record keeping provisions presented. CDD and transaction records were not always readily accessible, and it took time to locate and collate the different types of record that we sought to inspect.
  • In a smaller number of cases, some records could not be located at all. When this occurred, it primarily related to notes and written findings made by staff documenting their examination of a customer’s circumstances and the level of ML/TF risk. In a few instances, business correspondence between the customer and the reporting entity could not be readily obtained.
Our findings – record keeping
A coloured bar chart comparing compliance with the required written policies, procedures and controls for record keeping assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows that reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for record keeping assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows that reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for record keeping assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows that reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance.

Monitoring, managing compliance with and reviewing AML/CFT programme:

Effective oversight and monitoring must be in place to ensure ongoing compliance with AML/CFT obligations. This requires policies, procedures and controls to ensure that all staff and systems adhere to all AML/CFT requirements. This also requires regular review and update to AML/CFT programmes, including keeping it current, identifying any deficiencies and remediating adverse findings from internal review or independent audit.

  • Most reporting entities have comprehensive monitoring, managing and review procedures and controls set out in their written AML/CFT programmes.
  • In practice, we found that some reporting entities were not complying with their own written procedures. Or, alternatively, records were not being kept of the monitoring, assurance or review steps that had been taken.
  • At some smaller reporting entities, we found that the policies, procedures and controls set out in AML/CFT programmes were overly bureaucratic and burdensome for an entity of limited size and complexity. So much so, that adhering to them all was unrealistic and potentially detrimental to the effective risk-based implementation of other AML/CFT obligations.
Our findings – monitoring compliance and review of AML/CFT programme
A coloured bar chart comparing compliance with the required written policies, procedures and controls for suspicious activity reporting and ongoing CDD and account monitoring assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both areas, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for suspicious activity reporting and ongoing CDD and account monitoring assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both areas, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance. A coloured bar chart comparing compliance with the required written policies, procedures and controls for suspicious activity reporting and ongoing CDD and account monitoring assessed in a desk-based review (which assesses technical compliance) versus the implementation of the written policies, procedures and controls assessed at an on-site inspection. This chart shows in both areas, reporting entities are less compliant when implementing their written policies, procedures and controls when compared with technical compliance.

Sector specific observations

While many of our findings were common across multiple sectors we supervise, we also observed some specific trends in the following sectors. This includes both good practice and areas for improvement.

Non-Bank Non-Deposits Taking Lenders (NBNDTLs)

Good practices

Products and services are well-explained in risk assessment and analysed in relation to ML/TF risks.

CDD procedures are well documented within the AML/CFT programme. In practice, on-boarding processes consider source of wealth/funds of the customer and repayment schedules (aligning with lending criteria).

Areas for improvement

In practice, some NBNDTLs have only implemented limited procedures and controls for staff training, monitoring and identifying higher risk repayments and reporting suspicious activity.

Intermediaries and agents are not trained to identify suspicious activity, with limited training from the reporting entity in relation to AML/CFT matters.

Written AML/CFT Programme – Technical compliance by % of reporting entities assessed

A coloured bar chart depicting the non-bank non-deposit taking lender (NBNDTL) sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the NBNDTL sector is most compliant in prescribed transaction reporting. They are least compliant in enhanced customer due diligence. A coloured bar chart depicting the non-bank non-deposit taking lender (NBNDTL) sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the NBNDTL sector is most compliant in prescribed transaction reporting. They are least compliant in enhanced customer due diligence. A coloured bar chart depicting the non-bank non-deposit taking lender (NBNDTL) sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the NBNDTL sector is most compliant in prescribed transaction reporting. They are least compliant in enhanced customer due diligence.
NBNDTL – a chart showing the sector’s technical compliance with AML/CFT programme obligations.

Accountants

Good practices

Most accountants have AML/CFT programmes that cover the range of AML/CFT obligations, including account monitoring and SAR reporting.

Improving understanding of ML/TF risks, AML/CFT obligations and requirements of a risk-based approach.

While number of SARs submitted by accountants to the FIU is still relatively low, there have been some submitted of high quality containing valuable intelligence.

Areas for improvement

Using generic templates, resulting in broad risk assessments not specific to their individual business, and AML/CFT programmes not tailored to their circumstances.

While AML/CFT documents state that IVCOP is being followed, in practice, some accountants are not complying with IVCOP.

Written AML/CFT Programme – Technical compliance by % of reporting entities assessed

A coloured bar chart depicting the accountancy sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the accountancy sector is most compliant in record keeping. They are least compliant in enhanced CDD. A coloured bar chart depicting the accountancy sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the accountancy sector is most compliant in record keeping. They are least compliant in enhanced CDD. A coloured bar chart depicting the accountancy sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the accountancy sector is most compliant in record keeping. They are least compliant in enhanced CDD.
Accountants – a chart showing the sector’s technical compliance with AML/CFT programme obligations.

Law firms and Conveyancers

Good practices

Some law firms and conveyancers have comprehensive AML/CFT programmes that cover the range of AML/CFT obligations, including CDD, account monitoring and SAR reporting.

While number of SARs submitted by law firms to the FIU is still relatively low, there have been some submitted of a high quality containing valuable intelligence.

Compliance officer role is understood, and duties well documented in AML/CFT programme.

Improving understanding of ML/TF risks, AML/CFT obligations and requirements of a risk-based approach.

Areas for improvement

Using generic templates, resulting in broad risk assessments not specific to the individual business, and AML/CFT programmes not tailored to their circumstances.

In some circumstances, not all AML/CFT requirements are fully documented in written AML/CFT programmes.

In some instances, resistance to complying with the AML/CFT Act.

Some law firms are not submitting PTRs when an ordering or beneficiary institution of an international wire transfer.

Reviewing trust account activity monthly for trust account management purposes, but not considering ML/TF risk in the transactions while doing so (or at any other time).

Written AML/CFT Programme – Technical compliance by % of reporting entities assessed

A coloured bar chart depicting the legal sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the legal sector is most compliant in record keeping. They are least compliant in enhanced CDD. A coloured bar chart depicting the legal sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the legal sector is most compliant in record keeping. They are least compliant in enhanced CDD. A coloured bar chart depicting the legal sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the legal sector is most compliant in record keeping. They are least compliant in enhanced CDD.
Law firms and conveyancers – a chart showing the sector’s technical compliance with AML/CFT programme obligations.

Real Estate Agents

Good practices

Comprehensive written AML/CFT programmes that cover all AML/CFT obligations. This reflects significant level of preparedness across most of the real estate sector, including investing in third party assistance and AML/CFT infrastructure.

Staff training programmes for front-line staff are in place, which is being documented, reviewed and updated.

While number of SARs submitted by real estate agents to the FIU is still low, there have been some submitted of high quality containing valuable intelligence.

Areas for improvement

Challenges remain understanding ownership structures of customers that are legal persons or arrangement, including identifying beneficial ownership and source of funds/wealth.

Awareness and consideration of ML/TF risks associated with buyers, despite no direct obligation to undertake CDD on buyers in most circumstances.

Written AML/CFT Programme – Technical compliance by % of reporting entities assessed

A coloured bar chart depicting the real estate sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the accountancy sector is most compliant in record keeping. They are least compliant in enhanced CDD. A coloured bar chart depicting the real estate sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the accountancy sector is most compliant in record keeping. They are least compliant in enhanced CDD. A coloured bar chart depicting the real estate sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the accountancy sector is most compliant in record keeping. They are least compliant in enhanced CDD.
Real Estate Agents – a chart showing the sector’s technical compliance with AML/CFT programme obligations.

Money remitters

Good practices

Improving understanding and practice of standard customer due diligence requirements.

Improved compliance after adverse findings by the Department and subsequent remediation plan.

Most money remitters are submitting PTRs for international wire transfers and large cash transactions.

Areas for improvement

Account monitoring procedures not always mitigating identified risks. In some instances, unreasonably high thresholds are applied to trigger the identification and verification of source of funds/wealth, including for high value cash transactions.

In other instances, high-risk occasional cash transactions requiring enhanced CDD are identified, but enhanced CDD is not conducted. The transaction is then processed (rather than being refused as is required by s37 of the Act).

Procedural failures in practice to document written findings, suspicious activity, and the collection of information on the source of wealth or source of funds.

Insufficient record keeping in relation to informal or hawala money transfers, with business correspondence (including email or online messaging chat records) not always readily accessible.

Staff members demonstrating limited understanding of ML/TF risks or AML/CFT obligations.

Written AML/CFT Programme – Technical compliance by % of reporting entities assessed

A coloured bar chart depicting the money remitter sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the money remitter sector is most compliant in monitoring for suspicion. They are least compliant in enhanced CDD. A coloured bar chart depicting the money remitter sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the money remitter sector is most compliant in monitoring for suspicion. They are least compliant in enhanced CDD. A coloured bar chart depicting the money remitter sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the money remitter sector is most compliant in monitoring for suspicion. They are least compliant in enhanced CDD.
Money remitters – a chart showing the sector’s technical compliance with AML/CFT programme obligations.

TCSPs

Good practices

Strong understanding of the ML/TF risks associated with the products and services provided, and corresponding AML/CFT obligations. This reflects most TCSPs being subject to the AML/CFT Act since 2013.

Areas for improvement

Despite understanding of ML/TF risks and the AML/CFT requirements that must be applied, the overall level of SAR reporting from the TCSP sector remains low.

Written AML/CFT Programme – Technical compliance by % of reporting entities assessed

A coloured bar chart depicting the TCSP sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the TCSP sector is most compliant in record keeping. They are least compliant in CDD. A coloured bar chart depicting the TCSP sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the TCSP sector is most compliant in record keeping. They are least compliant in CDD. A coloured bar chart depicting the TCSP sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the TCSP sector is most compliant in record keeping. They are least compliant in CDD.
TCSPs – a chart showing the sector’s technical compliance with AML/CFT programme obligations.

VASPs

Good practices

Use of the Department’s guidance materials for developing risk assessment and AML/CFT programme.

Proactively contact the Department to be enrolled as a reporting entity and ask for assistance when needed.

Improving understanding of ML/TF risks relating to the VASP sector, and corresponding AML/CFT obligations.

Areas for improvement

Electronic identity verification not compliant with Part 3 of IVCOP.

Some risk assessments fail to identify all countries dealt with and assess ML/TF risks associated with those countries. In other cases, only generic customer types used.

Failure to identify the source of products/services provided (e.g. bitcoin network).

Challenges remain regarding the requirement to manage and mitigate the ML/TF risks associated with new or developing technologies or products that might favour anonymity.

Written AML/CFT Programme – Technical compliance by % of reporting entities assessed

A coloured bar chart depicting the VASP sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the VASP sector is most compliant in prescribed transaction reporting, record keeping and staff training and vetting. They are least compliant in CDD. A coloured bar chart depicting the VASP sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the VASP sector is most compliant in prescribed transaction reporting, record keeping and staff training and vetting. They are least compliant in CDD. A coloured bar chart depicting the VASP sector’s compliance with required written policies, procedures and controls as assessed in desk-based reviews. This chart demonstrates that the VASP sector is most compliant in prescribed transaction reporting, record keeping and staff training and vetting. They are least compliant in CDD.
VASPs – a chart showing the sector’s technical compliance with AML/CFT programme obligations.

High Value Dealers (HVDs)

Good practices

Many businesses dealing in the specified items (including motor vehicles) have implemented a policy of not accepting cash of NZ$10,000 and over (including for related transactions). This means that no AML/CFT obligations are incurred. Procedures are in place to ensure that frontline staff adhere to this policy.

Areas for improvement

Failure to notify the Department that the HVD deals in cash transactions of NZ$10,000 and over, and not registering with the FIU for goAML to be able to report PTRs.

Some HVDs are unaware that they have an obligation to submit a PTR when dealing in high value goods with cash over $10,000 and are therefore not reporting the transactions as required.

Note: HVDs have fewer obligations than other reporting entities. AML/CFT obligations only apply to cash transactions (or related transactions) of NZ$10,000 and over.