AML/CFT: Market Intelligence, and R+A's Top Tips for Law Firms
1. DIA, FMA and the RBA consider that enough time has gone by and all reporting entities should now know what is expected of them regarding AML/CFT compliance. The tone is changing from an educative approach to compliance focussed.
2. Future education material provided by the supervisors will be emphasising sector red flags and other specific risks.
3. The supervisors will be using intelligence gathered from “various sources” to risk assess reporting entities and determine which entities they will focus on.
4. The DIA is reportedly stepping up the number of reviews conducted and is expected initially to focus on one or two areas of compliance (for example, Russia sanctions, and PEP checks). Unsatisfactory initial responses are likely to lead to DIA desk-based reviews and/or site visits. We expect that DIA will request a copy of a reporting entity’s most recent independent audit report as a helpful starting point for reviewing reporting entities. Best to have all identified issues in an audit report remediated prior to a DIA review commencing.
5. DIA is understood to have concerns about the use of generic templates that have not been adequately customised. Specific mention has been made of the NZLS template and that it is considered that, without amendment, it should be regarded as not fit for purpose. Reporting entities should consider their risk assessment documentation as first step.
6. Supervisors consider that choosing the right independent auditor is key. What does it mean to be ‘suitably qualified’? It is important the auditor understands the reporting entity’s business sector and business practices. It is possible that New Zealand could move to a more regulated approach in relation to independent auditors.
7. Reporting entities should ensure that independent audit recommendations are implemented in a timely manner. In addition to the possibility of a DIA review as mentioned above, it is likely that that the next independent audit will consider whether issues previously identified have been remediated. It is not a good look to have defects described as repeat findings.
8. Enhanced customer due diligence (CDD) is still an issue and attention needs to be paid to making adequate enquiries as to source of funds/source of wealth. It is not enough to simply ask a customer/client for their bank statement or to requesting a letter from their accountants.
9. Reporting entities should regularly review and update the risk assessment and compliance programme (using a form of version control on the face of the document) to take into account and capture changes in business practices and risks (for example, new business lines, different types of clients, different jurisdictions dealt with, changes in technology including blockchain/crypto, as well as case law developments and the latest supervisor recommendations.
10. AML/CFT training (and recording that training it) is vital. Training needs to be frequent and relevant -at least annual. Training should be appropriately targeted to senior managers, the compliance officer and finace staff and all other staff (within “other staff” there may be a case for more advanced training, specific to the risks, for some staff members, for example conveyancers).