Regulatory Findings Report Webinar Transcript

Hi everyone, and welcome to this Regulatory Findings Webinar. My name is Kariba and I am a Senior Advisor for our Engagement and Innovation team within the AML Group. Today, the purpose of this webinar is to highlight and bring to life the regulatory findings report which we published last month.

Hopefully those of you watching this video, know what the regulatory findings report is, but if you don’t, the report shares our findings for the 12 months ended 30 June 2019. Its intended to help you, the businesses we supervise, understand what our expectations are and how you can improve your systems and processes to comply with your AML/CFT obligations. We are aware that businesses want to comply, but maybe aren’t sure if what they are doing is meeting their supervisors’ expectations. This report, and webinar, is intended to help clarify that.

So, to kick us off, I want to set the scene and describe the Department’s approach when we conduct our compliance assessments is. Essentially, we take a targeted, risk-based approach to regulation. This means we use intelligence and risk-analysis, along with our knowledge and expertise, to target and prioritise interventions on the areas of greatest potential harm, or where we think we can maximise compliance. Now, before we get into discussing our regulatory findings, let’s look at what the Operations team does, and how they assess compliance.

A desk-based review (a DBR for short) is an assessment of the technical compliance of a business’ written risk assessment and AML/CFT programme. We will notify a business in writing that we need to review these documents to assess whether they comply with the Act. When we finish our review, we write a report that rates the business’ compliance and comments on what we find. An onsite inspection assesses the establishment, implementation and effectiveness of a business’ AML/CFT programme and may be undertaken following a desk-based review. An onsite is done at the business’ location and involves interviewing the compliance officer, inspecting practices and procedures, reviewing records and interviewing staff. It may take few hours or a few days, depending on the size of the business. After an onsite we will write a report detailing how well the business is implementing its AML/CFT programme and whether it is effective. Sometimes, a desk-based review or on-site inspection report may include recommendations and requirements to fix compliance faults or gaps. This could be done through a remediation plan, where we agree with the business on the steps they must take to become compliant.

So, now let’s move on to our findings. One thing we have stated in our regulatory findings report relates to having an effective risk assessment. What is a risk assessment, and why is it so important?

A risk assessment is the first step a business must take before developing its AML/CFT programme and involves identifying and assessing the inherent risks that business reasonably expects to face from money laundering and terrorism financing. It is important because a risk assessment that clearly demonstrates an understanding of the money laundering and terrorism financing risks that business faces due to its: nature, size and complexity; the types of customers it has; and the activities and transactions it undertakes, is more likely to lead to effective policies and procedures to combat money laundering and terrorism financing and to provide the business with a better understanding of how they could be used to launder money or finance terrorism.

By way of example, we contacted one of our Wellington reporting entities to do an OSI and requested their Risk Assessment and AML/CFT programme. They admitted didn’t have either of the documents. We gave them time to write their documents and they produced them based on a very generic template. During the onsite we detected that in practice they either don’t do what they outlined in the programme at all or were doing it very differently. This meant that the vulnerabilities, which they hadn’t been able to identify as they hadn’t done a risk assessment, were not mitigated. As a result, a lot of time was spent with the Department going backwards and forwards to try and increase compliance and understanding of their obligations.

If you are struggling with writing your documents, please get in touch with us before we request them for an onsite inspection or a desk-based review, as we can point you in the direction of specific guidelines that are designed to help you write your own documents.

We have started producing webinars, like this one, to help you meet your obligations. We have a webinar on our website that speaks directly to the risk assessment and what you need to consider, and a webinar on the AML/CFT programme and its minimum requirements. How to find them should be on your screen now.

The risk assessment nicely transitions into our next finding in the report which is the application of the AML/CFT documents in practice. We have found that a common factor across all sectors is a disconnect between the risk assessment and AML/CFT programme on the one hand, and the practical implementation of these documents on the other. Effectively, this means that despite having technically compliant documents, many businesses aren’t implementing the procedures, policies and controls in their programmes.

By way of example, we recently conducted an on-site inspection of a law firm in Auckland. The law firms risk assessment and compliance programme were all technically excellent and the law firm was compliant in every respect. However, when we interviewed the compliance officer, we discovered that he was unaware of all of the firm’s obligations – for example the thresholds for prescribed transaction reporting and when a suspicious activity report was required. As the compliance officer, he was the one responsible for the implementation of the programme within that reporting entity and if he doesn’t understand the obligations then the firm will not by compliant in practice.

So what do we consider to be good practice and unsatisfactory practice in relation to the risk assessment?

Essentially what we consider to be good practice is where a business has thoroughly assessed the risks it faces from ML/TF and has then clearly reflected those risks in its risk assessment. The Act includes certain criteria that need to be covered in the risk assessment, so businesses need to ensure that they address those items at a minimum. As well as this, it is considered good practice if a business can show us that it is regularly reviewing and updating its risk assessment when needed. When we go and visit a business for an onsite inspection, we would expect the compliance officer to show their understanding of the risks the business faces as well as staff and senior managers being committed to their AML/CFT obligations.

We have also seen that some businesses carry out workshops with their staff to brainstorm the business’ ML/TF vulnerabilities and risks as part of creating or reviewing the risk assessment. What I mean by this is people from all levels of a business, senior management, managers and front line staff all get in a room and think about how the business could be vulnerable, thinking back to situations in the past where maybe they are seeing customer behaviours as suspicious or even a bit off for their typical customer. Businesses who have done workshops, or similar, have really benefited from a diverse group of people contributing to this discussion. If you would like to do a workshop similar to this, we have resources on our website, such as the “Keeping New Zealand in business for good” videos, which can help to engage staff and get them thinking about business vulnerabilities.

As an example, we did have a risk assessment we requested where the reporting entity presented a document which was in the name of a parent company, not based in New Zealand. This meant we were unable to review it, as it did not assess the risks of the New Zealand-based business. There was also no Designated Business Group, which meant that the risk assessment could not be shared among related companies. We agreed on a set time frame for the business to correct this and provide us with appropriate documentation to follow up and assess.

Now I will move on to what we consider to be good practice in relation to the AML/CFT programme.

What we consider to be good practice is a programme having clear policies, procedures and controls for all the minimum requirements. And when we visit, we would expect to see that these have been fully integrated into the business.

We also consider that staff training should be specified and dependent on staff roles. A business should also have a documented risk-escalation and reporting policy that states who is responsible for reporting SARs and PTRs, and who is responsible if that person is away.

An example of good practice – When we did compliance work on a law firm, its policies, procedures and controls in the programme showed direct correlation to the Risk Assessment, and the business was able to provide good evidence of staff training in relation to AML/CFT requirements, excellent CDD records (on the day of the inspection), and adequate transaction reporting to the NZ Police Financial Intelligence Unit using goAML.

The Regulatory Findings Report speaks to the use of templates and the Department has also talked a lot about them in the past. We definitely saw the use of generic templates increase with the onboarding of Phase 2 entities. While generic templates can be a useful starting point, as I mentioned before they need to be tailored to each individual business. The type of customers a business deals with, the type of work it conducts and the countries that are involved differ from business to business, and without a tailored risk assessment the risks associated with that business’s customers, products and services etc, are not being adequately assessed. And this means that these risks can’t be effectively mitigated using the programme.

Specifically, when law firms were onboarded the Law Society produced a template risk assessment and compliance programme to give lawyers a starting point and to assist them in becoming compliant. While many law firms have tailored this template to their individual circumstances, we have found some that have not. The legislation specifically states that businesses must undertake an assessment of ML/TF risk that they may reasonably expect to face in their business. By failing to tailor the template to their circumstances, these law firms are failing to comply with their obligations under the legislation.

The important take away for businesses regarding templates is that they can be an excellent starting point if you are new to all this, but to be compliant you need to adapt it to your particular circumstances. The Department is well-versed in all of the templates and we can tell straight away if they haven’t been tailored to a business.

And our final finding in the report talked to the most common areas of non-compliance. We observed that risk assessments have been too generic and not specific to the ML/TF risks the business faced. Often by using a template and then not catering it to the business. We also saw written documents that were incomplete and not covering all the relevant obligations including procedures for politically exposed persons, beneficial ownership checks, enhanced CDD, suspicious activity and prescribed transaction reporting.

When completing a desk-based review, we found the written AML/CFT programme was technically compliant but then when we visited, we found that it was not implemented effectively in practice. During an on-site, we would interview the compliance officer and find they had an inadequate understanding of their businesses’ money laundering and financing terrorism risks, and poor implementation of the policies, procedures and controls in practice. We also found that the compliance officer did not have enough influence in the business to effectively escalate issues and ensure governance-level support for the AML/CFT programme Customer due diligence (CDD) and Enhanced CDD were not being performed to the standard required by the Act.

Speaking of CDD, we talk about this as being a cornerstone of this Act. We had some good practice and unsatisfactory practice examples for CDD in the report – which I will elaborate on now. In terms of good practice: It is great when we see that information about the business relationship was recorded at the start of the relationship and was then updated regularly throughout the relationship. It’s also good when we see customer risk ratings determined at the start of the relationship and then used to work out the level of verification required and whether EDD is necessary. This also helps businesses to determine what the ongoing CDD obligations will look like. We like to see copies or scans of original CDD documents, with the staff member’s name and date of copying clearly recorded. And we like to see that controls are in place to ensure that if CDD can’t be done, the business relationship with the customer is terminated.

In terms of unsatisfactory practice: Well when we see no CDD being conducted whatsoever, that’s less than ideal. Also, when we find that trusts are being taken on as clients without enhanced CDD being conducted. Another thing that we don’t like to see is where copies of documents are not being kept. And where decisions relating to the level of CDD conducted and why, are not documented. As an example of good practice, when we visited one Wellington law firm we found them to be compliant with their CDD requirements. The business had decided to conduct CDD on all new clients, regardless of service provided. While the Department does not consider this as necessary, they had outlined why it was right for their business and this was documented within their programme, so staff knew how and when to conduct CDD. They maintained their risk-based approach by having policies, procedures and controls in place around when enhanced CDD was required.

Another area where we saw issues was staff training and vetting In terms of what we would expect to see for training, we saw one entity, on inspection held very thorough records of staff (and compliance officer) training. This included a training register of who, when and how often training and testing is undertaken by the staff. This also meant they knew when refresher training would be needed for the future.

If you are looking for resources to help you train your staff, our videos, as mentioned earlier, and our webinars can be great resources. Also remember to make sure you are training your staff in your businesses risks and vulnerabilities as well as your processes.

We also saw the risk assessment and programme documents not being kept up to date and no version control used. Our Wellington team once viewed a Risk Assessment and Programme that had been outsourced, received and placed in a drawer. They believed that just because they held one, they were complying with their obligations. Unfortunately, when we on-sited them, they were unable to locate the documents, and unsurprisingly they weren’t implementing their policies, procedures and controls.

In the report we also talk about record keeping and reporting to the NZ Police FIU. So, I will expand on the good practice and unsatisfactory practice we have seen in those areas.

For record keeping:

In terms of good practice – we have seen centralised record keeping in place for all AML related documents. For example, customer due diligence records.

In terms of what we consider unsatisfactory practice, we have seen no business relationship correspondence kept on record and no documentation or information could be easily provided to us when we visited.

For Reporting, we consider good practice to be that the business has registered for goAML and staff are trained in how to use it. If required, Prescribed Transaction Reports and good quality Suspicious Activity Reports (that is a lot of information given) are submitted within their required timeframes.

We are aware that not all of our supervised entities have registered for goAML. When undertaking our compliance work, this is something we will check with the FIU. It’s important for those who haven’t yet registered to register so you can submit PTRs and SARs to the FIU within your required timeframe.

To register, go to the FIU website, and click “reporting entities register” and register your organisation first, then you can register individuals under that organisation. You should be seeing how to do this on your screen now.

And that concludes this webinar on our regulatory findings. We hope you found it informative.

If you have any questions on the content of the report or webinar, or any questions about your obligations, please contact us on 0800 257 887 or email us on

Thanks for listening!