Writing an AML/CFT Programme Webinar Transcript

Hi everyone

Welcome to the third webinar of a webinar series produced by DIA.

My name is Kariba and I am a Senior Advisor in our Engagement and Innovation Team within the AML Group.

Today’s webinar will be focusing on the how to write an AML/CFT programme, one of your obligations under the AML/CFT Act.

If you have any questions about writing an AML/CFT programme or if you have any questions which aren’t about the programme, please email us at amlcft@dia.govt.nz .

Let’s get started!

What is an AMLCFT programme?

It’s the next step after developing your risk assessment and it should be based off your risk assessment.

We have also produced a webinar on writing a risk assessment – if you would like to have a listen please visit the DIA website.

Your programme should contain procedures, policies and controls (we refer to these as PPCs) to manage the inherent risks identified in your risk assessment.

The procedure is the day to day operations - or the “how”.

For example, for standard CDD this could be the list of documents your business will accept as proof if identity. The policy is the expectation, standards and behaviours in your business or the “what”

For example, for standard CDD this would be the obligation to check for proof of identity and on which customers.

The control is the tools that management use in your business to ensure compliance or the “check” For example, for standard CDD every two months management could do a spot check on CDD records to check that correct identity documents were accepted.

You should also record what management would do if they found errors.

Your programme should be proportionate to the risks you have identified in your business.

This means, you should have developed detailed PPCs for areas of high risk and less time and resource should be spent in areas of low risk.

So why do you need an AML/CFT programme?

You need an AML/CFT programme to mitigate the identified ML/TF risks

Your programme should essentially be your businesses manual to meeting its AML/CFT obligations.

It should mean that any new member of staff should be able to pick it up and follow your AML/CFT procedures.

How do you write an AML/CFT Programme?

There is no template produced by AML/CFT supervisors for writing a programme.

However, there is plenty of guidance available on our website including "The AML/CFT Programme Guideline" and "The Risk Assessment and Programme Prompts and Notes."

While they are not templates they are essentially a framework which you can complete and fill out using the prompts to guide you.

As a reporting entity you have a number of obligations under the Act in relation to your programme.

These include:

  • That your programme must address the risk of ML/TF you face.
  • It must have AML/CFT PPCs you will use.
  • These must be adequate and effective.
  • It must be in writing and should include a description of how you will keep it up to date.
  • It must be based off you risk assessment.
  • You must review your programme to keep it up to date.
  • You must have it independently audited.

For more information on these, please refer to the guidelines.

Next we will go over the areas that the Act states you must have policies, procedures and controls for in your programme.

These are:

  • Staff vetting,
  • Staff training,
  • Customer Due Diligence (CDD) (including Enhanced CDD),
  • Ongoing CDD and account monitoring,
  • Suspicious Activity Reporting,
  • Prescribed Transaction Reporting,
  • Record keeping,
  • Managing risks,
  • Written findings,
  • Products that favour anonymity, and
  • Monitoring compliance.

These are also all the areas we will check against when we ask to review your documents.

Just a note, for businesses who are DNFBPs or who are captured because of the services they provide, remember that all your obligations, including these requirements, only relate to your captured services, not necessarily your whole business.

Let’s go into more detail on these minimum requirements

Vetting. Your programme must have vetting procedures, policies and controls for senior managers, your compliance officer and employees with AML/CFT duties

Vetting should be of a high standard and appropriate to the risks involved with the different types of roles.

It will help you to avoid hiring someone who may use or allow someone to use your business for ML/TF.

Your programme should include:

Your vetting procedure (reference check, police check, media check, PEP check).

You may already have vetting procedures for new staff that are appropriate for AML/CFT measures, be sure to include these in your programme;

How vetting is differentiated for senior managers, compliance officers and customer-facing roles;

How vetting is applied when there is a change in role, for example, if someone gets promoted from a non AML/CFT involved role to one with AML/CFT duties;

And how vetting is applied to temporary staff and/or contractors.

Please note, what staff vetting looks like if you are a sole practitioner will be very different.

If you are a sole practitioner, note this in your programme and say whether you intend to hire staff in the future.

If you don’t intend to hire anyone then state in your programme that this obligation is not applicable to your business.

Your programme needs to have polices, procedures and controls for training on AML/CFT matters for senior managers, your compliance officer and any other staff with AML/CFT duties.

The purpose is to train those with AML/CFT duties, or those who have decision making authority, to ensure staff are aware of risks faced by you business.

Your programme should document the scope and nature of training including:

  • Training on the Act and regulations;
  • Your businesses PPCs and how to comply with your own programme;
  • Your risks as described in your risk assessment;
  • Trends on ML/TF; and
  • How to identify unusual activity.

You should keep record of training frequency as well as delivery and completion dates.

Before we talk about your AML/CFT programme and CDD please understand that CDD is one of the bigger obligations.

I won’t be able to go into how to conduct CDD on different customer types and beneficial owners today.

Our next webinar is scheduled to be on CDD so please keep an eye out on our website please let us know by emailing us at amlcft@dia.govt.nz and in our newsletters if you are interested.

Customer due diligence is a cornerstone of the AML/CFT system and you should therefore focus a significant amount of time and attention on this obligation and ensure adequate resourcing.

CDD is also something that we will pay particular attention to when reviewing your documents or checking their effectiveness at an onsite inspection.

CDD is where you develop an understanding about your customers and the ML/TF risks they may pose to your business.

It involves gathering and verifying information about your customers identity, beneficial owners and representatives.

Those seeking to launder money or finance terrorism generally try to avoid attracting attention by masking their identity and/or the illegal source of their funds.

If you have effective procedures, policies and controls to know who your customer is, it will make it more difficult for money launderers or financers of terrorism to conduct illegal transactions through your business.

There are three types of CDD set out in the Act:

  • Standard CDD;
  • Simplified CDD; and
  • Enhanced CDD.

Standard CDD is most likely to apply to most customers, especially those local to you – it involves the collection of identity information on the customer, beneficial owner and those acting on behalf and then the verification of that information.

Verification for beneficial owners or those acting on behalf is according to the level of risk.

You also need to collect information on the nature and purpose of the proposed business relationship between you and the customer and sufficient information to determine whether the customer needs enhanced CDD applied.

Enhanced CDD must be conducted in several specific situations as set out in the Act and must be conducted when you consider that the level of risk involved is such that EDD should apply.

As your programme is based off your risk assessment, you may have identified certain customers or certain situations where there is higher risk of ML/TF.

EDD requires the collection and verification of the same information as standard CDD as well as, according to the level of risk, the collection and verification of information relating to the source of wealth and source of funds of the customer.

Again, I would like to be able to talk more on this so please let us know if you would like a webinar specifically on Enhanced CDD.

The Amended Identity Verification Code of Practice (or IVCOP) produced by the AML/CFT Supervisors provides a “safe harbour” for the verification of a customer's (who is a natural person) name and date of birth.

By safe harbour we mean that if you follow the code you will be considered to be compliant with the Act’s requirements for standard CDD regarding name and date of birth verification. IVCOP provides for two ways of conducting identity verification via documents and electronically as well as the certification of documents.

Please note, something that is often missed by businesses is that IVCOP states you must have exception handling procedures in place for when customers are not able to meet the code.

For example, an elderly person who doesn’t have a passport and their driver’s licence is expired.

In this situation, your programme should dictate documents that you may accept that are not to code, and the procedures you have in place to mitigate any potential risks that arise.

E.g. maybe your programme states that in low risk situations where someone is unable to provide documents that are to code, you will accept expired documents and you will have your compliance officer sign off on your exception as an extra level of scrutiny.

So what does your AML/CFT programme need to cover for CDD?

It will need to outline:

  • How your business will address risks and its approach to conducting CDD.
  • In other words, did your risk assessment identify any high risk situations?
  • What captured services do you provide where you will need to conduct CDD on those customers?

Identifying a material change in the nature or purpose of a business relationship;

If you have existing customers who you provided services to before your business was captured under the Act you only need to conduct CDD on them if there has been a material change in the nature and purpose of the business relationship and you have insufficient information about them.

Your programme should outline what “material change” looks like to your businesses.

“Material change” is not defined in the Act however we consider it to mean “an event, activity or situation that you identify that could change the level of ML/TF risk you may encounter”.

What customer information/documents you require in order to conduct CDD and how you will verify this information;

For standard CDD this may be certain documents from IVCOP, but don’t forget to also include how you will obtain and verify address information.

How you have incorporated CDD into your account opening process, including determining whether simplified CDD or EDD is appropriate;

How you will carry out EDD including how you will obtain and verify source of wealth and source of funds information. Be sure to define what source or wealth and funds mean so you and your staff understand and can obtain appropriate documents.

How you will establish whether someone is a Politically Exposed Person (PEP)

Your programme should describe how you will define, identify and deal with customers who are PEPs.

For example, how you use the services of commercial PEP list provider, how your senior management will approve establishing or continuing business relationships with PEPs, and how you will manage and mitigate the ML/TF risks associated with PEPs.

Staff understand the definition of beneficial owner and how your CDD processes will identify your customers’ beneficial owner.

A beneficial owner means a natural persons, an individual, who has effective control over a customer or who owns more than 25% of the customer.

You need to complete due diligence on beneficial owners of your customer so being able to identify beneficial owners will be very important.

Ongoing CDD and account monitoring –

Ongoing CDD requires you to review information about the business relationship you have with your customers.

Account monitoring involves reviewing account activity and transaction behaviour.

Ongoing CDD:

Is required by the Act as part of your broader CDD obligations.

How this is carried out should be covered in your programme.

You should consider:

Reviewing CDD when customer risk ratings increase or if they are identified as a PEP after being on-boarded or the nature and purpose of their business changes;

Whether submission of SARs or PTRs impacts the risk of the customer and therefore ongoing CDD;

Whether customer activity is consistent with your knowledge of the nature and purpose of the business relationship;

How ongoing CDD applies to material changes in business relationships.

Account monitoring, can sometimes be called transaction monitoring or activity monitoring.

You can monitor accounts using a manual or electronic system to review the transactions and activities that occur and detect patterns or unusual behaviour.

Your account monitoring requirements will be shaped by the factors considered in your risk assessment.

For some businesses, a manual system will be sufficient but not for others.

For example, if you process a large number of transactions, or have a large customer base, a manual system may not allow you to adequately or effectively monitor transactions or activity.

You should consider in your programme whether there will be thresholds and scenarios that should be picked up through account monitoring and scrutiny applied.

In other words, are there certain situations you should be alerted to?

When these come up, what is your escalation process?

Make sure your detail these in your programme.

Ultimately, your ongoing CDD and account monitoring should allow you to identify any inconsistencies between what you know about your customer and the transactions and activities they conduct.

To do this you should consider what you know about the customer’s use of your products and services as well as the risk rating for the customer type according to your risk assessment.

You should also consider the type of CDD undertaken when the business relationship was established and your current assessment of the level of risk involved.

These factors will help you to identify grounds for suspicious activity reporting.

Speaking of suspicious activity reporting, next we will be talking about SARs.

If you are a Phase 1 business, make sure you have updated your programme from STR to SAR which was a change made 1 July 2018.

Submitting SARs is an important part of you programme.

Just like CDD, you should focus a significant amount of time and attention on this topic and ensure adequate and effective resourcing.

We will closely review your SAR procedures, policies and controls.

Your obligations for SARs are:

You must report suspicious activity to the FIU via the goAML system as soon as practicable, but no later than three working days after forming your suspicion.

The requirement to submit a report arises when facts and observations objectively give reasonable grounds for suspicion.

Your programme may include:

  • How your staff will determine if there are grounds for a SAR;
  • How you will complete, authorise and forward SARs to the FIU;
  • Which roles within your business have responsibility for authorising and forwarding SARs to the FIU including whose role it is to submit, and who can submit if that person is away;
  • How you will meet the three-working-day timeframe for submitting SARs;
  • How you will ensure there is no “tipping off” in regards to SARs - You must not disclose
  • SAR-related information with anyone who is not required to have access to the SAR.
  • You must not inform your customer that you are submitting an SAR about them.
  • How legal privilege, if relevant to you, will operate with SARs.
  • Depending on the type of services you provide, you may have to submit PTRs.
  • If so, you will need to understand what a PTR is and when to submit it.

Your obligations for PTRs are:

A PTR will need to be submitted for large physical cash transactions of NZ$10,000 and over.

And for international wire transfers of NZ$1,000 and over.

PTRs submitted to FIU within 10 working days

Include in your AML/CFT Programme:

  • What a physical cash transaction is- physical cash here means a transaction involving physical currency (i.e. actual coin or printed money not cheques);
  • Understand what international wire transfer is;
  • Understand what an ordering and beneficiary institution is.
  • An ordering institution is the business who is instructed to transfer funds to a another by electronic means.
  • A beneficiary instruction is the business who receives the wire transfer and then makes the funds available to the beneficiary.
  • An ordering institution of a wire transfer must identify and verify the identity of the originator of a wire transfer.
  • Relevant information (which differs depending whether it is a domestic or international wire transfer) must be transmitted to the next reporting entity in the chain, and in turn, through to the Beneficiary Institution.

The Beneficiary Institution therefore has visibility of who is sending money to its client.

If a Beneficiary Institution does not receive the required information with a wire transfer, it is required to use appropriate risk based procedures for handling its receipt of those funds and consider whether the wire transfer constitutes a suspicious activity.

Both the ordering and beneficiary institution must submit a PTR.

You will also need to put who’s role it is to submit PTRs and who will take over if that person is away in your AML/CFT programme.

Record keeping. You must keep adequate records as part of your obligations under the Act.

This will enable you to operate your AML/CFT programme effectively and enable it to be audited independently and reviewed by us.

You must keep your records for at least five years.

After five years records can be destroyed unless there is a lawful reason why they should be retained e.g. other compliance obligations.

Records must either be kept in written form in English or be readily accessible and readily convertible into written form in English.

The records you need to keep are: Transaction records sufficient to enable the transactions to be fully reconstructed at any time;

Any reports of suspicious activities you have made;

Identity and verification evidence;

Risk assessments, AML/CFT programmes and audits.

Information relevnt to the establishment of a business relationship including the nature and purpose.

Business correspondence (e.g. email) with a customer during the course of a business relationship relating to activities and transactions undertaken.

Basically everything to do with AML/CFT!


Your record-keeping policy and procedures should describe how you manage the retention of your records – for example, how and where you will store your records and whether they will be in hard or softcopy.

How you will manage the destruction of your records after 5 years.

If you do not keep your records in English, then your programme must set out how the records can be easily readily converted into English.

Manage and mitigating risks.

The ML/TF risks in your business are not static.

Money launderers and financers of terrorism will modify their ML/TF methods to avoid measures you put in place to manage and mitigate ML/TF risks.

Your programme must include details on how you will continue to manage and mitigate ML/TF risks identified in your risk assessment.

This also applies to risks associated with any new products and services you may offer and new or emerging ML/TF methods.

There are sources available to provide additional information about current ML/TF methods:

The National Risk Assessment and FIU guidance material; Sector Risk Assessments and guidance on the website of your relevant AML/CFT supervisor; AML/CFT supervisor newsletters and publications sent to your compliance officer; and the Financial Action Task Force website Examining and keeping written findings.

You must examine and keep written findings relating to:

  • Complex or usually large transactions; and
  • Usual patterns of transactions that have no apparent economic or visible lawful purpose; and
  • Any other activity that you regard as being likely to be related to ML/TF; and
  • Business relationships and transactions from or in countries that do not have or have insufficient AML/CFT systems.

What these “complex” “unusually large” or “unusual patterns” look like will depend on your business.

What is unusual to one business, may be normal practice for another.

It is good idea to define these areas and work them into your account monitoring procedures as “triggers” or red flags for you to look into further.

In other words, the examining part of this obligation.

What the outcome of your examining on this activity is, will be your “written findings”.

After inquiries or further examination you may conclude the unusual pattern or transaction is not suspicious.

You will need to record this reasoning and keep record as part of your record keeping obligations.

One way to do this is to have a written findings register with reference to the date and customer identifier number.

Alternatively, after examination you may conclude that this was suspicious and you file an SAR within three working days of forming this suspicion and keep record of that report.

Sometimes I like to think of account monitoring and ongoing CDD, examining and keeping written findings and suspicious activity reporting as one chain of events.

For example….

First, you may pick up something unusual from your account monitoring.

This is then escalated.

As part of this process, the transaction is looked into by the compliance officer.

They consider whether they think the transaction makes sense for what the business knows of the customer and the nature and purpose of the business relationship.

The transaction appears to be somewhat out of the ordinary for the customer but the compliance officer is not yet suspicious of the transaction.

However, they do think there is an increased risk and so decide to conduct EDD on the customer.

This is recorded on the customer’s file.

They ask for source of funds for the transaction.

The customer gives inconsistent information and so the compliance officer is suspicious and submits an SAR within 3 working days.

Of course this is just one example.

Another compliance officer may be suspicious much earlier.

Or maybe the customer immediately gives source of funds information and so no suspicion is formed.

Whatever your process is, if should be outlined in your programme.

AML/CFT programme:

As I said already your programme should define the areas you need to keep written findings on (also include these in your account monitoring procedures).

Remember to reference or use your risk assessment for this as well as it is likely you have already identified high risk situations or red flags State which countries have no or ineffective AML/CFT measures.

This is different to when you had to determine the risk of the countries you deal with in your risk assessment.

Countries with no or ineffective AML/CFT measures are published on the FATF website and this obligation only relates to those specific countries.

On the FATF website these countries are referred to as "high-risk and other monitored jurisdictions".

You may not have any dealings with these countries, but if you do, your programme should outline that you will need to examine and keep written findings on them.

Escalation process – if there is an unusually large, complex transaction or an unusual pattern of transactions then you will need to state what the escalation process is.

Maybe it is picked up through your account monitoring and then passed on to your compliance officer to examine.

Examination process – what the examination process will look like.

Will the compliance officer get in touch with the customer to ask questions?

Will EDD be conducted?

Recording your findings – how you will record your findings.

Will there be a register?

Will it be against the customer file?

The Act requires your programme to set out how you will prevent the use, for ML/TF, of products, services, transactions and activities that might favour anonymity.

Money launderers and financers of terrorism seek new ways to mask their identity or the identity of the recipients of their funds.

This makes products, services, transactions and activities that favour anonymity or enable obscured beneficial ownership particularly attractive for ML/TF.

Additional EDD measures may be required to prevent ML/TF through products and services that favour anonymity – for example, products that permit online transactions that conceal or disguise beneficial ownership.

This is because, without effective account monitoring, it can be difficult to ensure that the account holder does not permit another person to operate the account.

If you offer products or services that favour anonymity, your programme must have adequate and effective procedures, policies and controls to detect and deter their use to launder money or finance terrorism.

For instance, according to the level of risk involved, you should monitor transactions and activities to detect patterns of behaviour that are inconsistent with your knowledge of your customer, and the nature and purpose of the business relationship.


Do you have products or services or delivery methods that favour anonymity?

How will you deal with new or developing technologies or products that favour anonymity.

Do you have customers that are involved with products or technologies that favour anonymity.

How will you deal with products sourced via third parties or intermediaries.

Lastly, your programme must have procedures, policies and controls that set out how your business will monitor and manage compliance with the programme.

Effective oversight and monitoring must be in place to ensure continued AML/CFT compliance.

For instance, you should have procedures, policies and controls covering: the role of internal and external audits and reviews.

For example, you may wish to do spot checks on your own CDD every few months as an internal audit.

You should also speak to your external audit obligation, when your next audit is due and who with.

Also detail how often you will review your programme to ensure it is up to date.

You should also cover the role of management information tools, how you access and incorporate guidance material in your risk assessment and programme, how your compliance officer maintains their AML/CFT awareness (e.g. attending training events), and how you will incorporate the findings of supervisory interactions and audits into your AML/CFT regime.

You should actively monitor your AML/CFT compliance functions (preferably with senior management involvement).

If you identify instances of non-compliance, you should take immediate steps to rectify the situation.

That’s the conclusion on the AML/CFT programme webinar.

If you still have any questions please email us at amlcft@dia.govt.nz or call us on 0800 257 887.

Let us know what other webinar topics you would like us to complete by emailing us or filling out our online survey on our website under the webinar tab.