Identifying and understanding the ML/TF risks is the first step to being able to effectively counter them. This allows a reporting entity to focus its compliance resource on those customers, transactions, activities or circumstances where the ML/TF risk is higher.
A reporting entity is required to undertake a written assessment of the ML/TF risks it faces in its business. The risk assessment must also enable a reporting entity to determine the level of risk involved in relation to its obligations under the Act. This includes ensuring that its AML/CFT programme is equipped to detect the various situations in which it is necessary to examine the customer in more detail, including verifying their source of wealth or funds.
A risk assessment must be kept current, reviewed and updated at appropriate times to ensure it is effective. There should be version control documentation showing any amendments made.
Risk Assessments - Our key observations
Identifying the ML/TF risks faced:
- Overall, the quality of risk assessments is improving. For the DNFBP sectors, this reflects a further twelve months of being subject to the AML/CFT Act, and an increasing understanding of ML/TF risks and of a risk-based approach.
- While less evident than in last year’s findings, the use of generic risk assessment templates remains an issue for some reporting entities. Generic content relating to ML/TF threats and vulnerabilities can be useful as a starting point, but risk assessments must be specific to each reporting entity and the ML/TF risks that its business faces.
- In some circumstances, we found that ML/TF risks are documented, but without any rationale on how or when that risk occurs in the course of the reporting entity’s business.
- In other circumstances, risk assessments include significant descriptive content but lack methodology or risk ratings (high, medium or low) for each of the areas considered. This makes implementation of an effective AML/CFT programme and the risk-based allocation of compliance resource much more challenging.
Product and services:
- Many reporting entities clearly list and explain the products and services (captured by the Act) that they offer. This is often supported by qualitative and/or quantitative data regarding the reporting entity’s business.
- Many reporting entities also include a comprehensive assessment of the ML/TF vulnerabilities for each of their products and services. An inherent ML/TF risk rating is assigned to each, and, as a result, an aggregated risk rating for all products and services is calculated.
- Seen less frequently is analysis of the specific circumstances in which a product or service provided to a customer becomes higher risk (compared to when delivery of that product or service is only of medium or lower risk). This enables a reporting entity to determine which customer, which customer, and therefore their transactions or activities, require additional AML/CFT measures to be applied.
Guidance from FIU and the Department:
Many reporting entities use and reference applicable guidance material from the FIU and the Department when undertaking their risk assessment. This includes the New Zealand Police National Risk Assessment (NRA) and the relevant Sector Risk Assessment (SRA) for Financial Institutions or DNFBPs and casinos
However, in some circumstances there is no consideration of the extent to which the ML/TF threats, vulnerabilities and high-risk factors identified in the NRA or SRA are prevalent in the reporting entity’s business. The corresponding impact this has on the reporting entity’s ML/TF risks
In other circumstances, the threats, vulnerabilities and other high risk-factors in the NRA or SRA are acknowledged as applicable to the reporting entity’s business, but the overall risk rating for the business is still determined to be low. This occurs without explanation or rationale to support the low risk assessment
AML/CFT programme based on risk assessment:
- As reporting entities increase their understanding of their ML/TF risks and AML/CFT obligations, we found that risk assessments are increasingly being used to inform, implement and maintain AML/CFT programmes.
- However, in some circumstances, this has not occurred. We found a number of AML/CFT programmes that set out the prescriptive requirements of the Act in some detail, but there is minimal consideration of, or alignment to, the risks that the reporting entity has identified in its risk assessment.
- A significant number of reporting entities have relied on third parties, such as consultants, to undertake their risk assessments for them. While this may result in a robust and effective risk assessment, there are instances where neither the compliance officer nor other staff involved in AML/CFT duties adequately understand the ML/TF risks that were identified.
Risk Factors that must be considered
When undertaking a risk assessment, there are seven risk factors that must be considered.
Each of these factors impacts on the ML/TF risks that the reporting entity faces in different ways, and the level of those risks. It is important to understand that these risk factors do not operate in isolation, but in combination with each other. Where there are higher risks identified across two or more factors, the level of ML/TF risk compounds.
|The nature, size and complexity of the reporting entity’s business||
The nature, size and complexity of a reporting entity’s business impacts significantly on its susceptibility to ML/TF.
For example, because a large business is less likely to know its customers personally, it could offer a greater degree of anonymity than a small business. Likewise, a business that conducts complex transactions across international jurisdictions could offer greater opportunities to money launderers than a purely domestic business.
|The products and services offered||
Similarly, some products and services are more susceptible to ML/TF than others. Considerations include:
Understanding the ML/TF vulnerabilities associated with each product and service offered and being able to identify the circumstances when it is most at risk of being misused (i.e. the red flags) is a critical component of an effective risk-based AML/CFT programme.
|The methods by which products and services are delivered||
The ways that customers are on-boarded and the methods by which products and services are delivered also affects the level of risk of ML/TF.
Considerations include whether products and services are delivered online, are available from overseas, or have non-face-to-face or indirect relationships involving agents or intermediaries. All these factors increase the ML/TF risk.
|The types of customers dealt with||
Certain types of customer pose an increased ML/TF risk than others.
To “Know Your Customer” (KYC) and understand why they are using a reporting entity’s service is another critical component of being able to differentiate between legitimate customers, versus those that could be engaged in ML/TF or other criminal activity.
|The countries dealt with||
Any other countries being dealt with also impacts on a reporting entity’s ML/TF risks, and the level of those risks.
Considerations include whether a country:
|The institutions dealt with||
Any financial institutions, as well as other types of institutions, involved with, or used by, the reporting entity in the course of conducting business impact on its ML/TF risks.
Some institutions present more risk than others. This may be due to the nature of their industry or their association, or the types of business relationships that they have. Higher-risk entities such as banks, money remitters and DNFBPs are vulnerable to exploitation for ML/TF purposes and can represent risk to the business.
Of note, any financial institution that is unregulated or any shell company is a high-risk institution that may be used for ML/TF purposes or operated by criminals to disguise beneficial ownership.
|Any applicable guidance material relating to risk assessments produced by the AML/CFT supervisor or FIU.||The NRA and relevant SRA assess the ML/TF threats, vulnerabilities and other high-risk factors prevalent in New Zealand and the various Financial Institution or DNFBP sectors. Consideration of these documents when undertaking a risk assessment enables a reporting entity to better identify and understand the types of ML/TF risks that it may face.|
Assessment of required risk factors
Overall, the three risk assessment factors we found to be most often compliant are having regard to the products and services offered, the nature, size and complexity of the business and applicable guidance material produced by the Department and FIU.
The two risk assessment factors we found most frequently non-compliant were having regard to the institutions dealt with and the countries dealt with. Some commonly identified deficiencies are outlined below:
|Required factors||Unsatisfactory practices observed|
|Institutions dealt with||
Listing the institutions dealt with but not considering or rating the ML/TF risk of each institution.
Institutions are considered as a group rather than separate institutions. For example, “Intermediaries overseas” rather than “Law firm X in Country Y”. Or “Banks” instead of “ABC Bank”. Or “Other Money Remitters” rather than “Money Remitters D, E and F”.
Assessing institutions that are reporting entities themselves as low risk simply because they are regulated by an AML supervisor.
Failing to consider open source information, such as adverse news, when assessing the risk associated with the institutions dealt with.
|Countries dealt with||
Restricting analysis to whether a country is on the FATF lists of countries with strategic AML/CFT deficiencies (also known as the “grey” and “black” lists). The risk assessment does not consider broader country risk factors (such as levels of corruption, organised crime, tax haven or links to the production or transnational shipment of illicit drugs).
Listing the countries dealt with and assigning a risk score for each country, but only limited consideration of the extent and ways that the reporting entity actually deals with these countries.
No consideration (qualitative or otherwise) of how the risks associated with the different countries actually impact on the reporting entity’s business and its ML/TF risks, and the corresponding level of those risks.