Observations from recent AML/CFT audits – what have we learned?

Neil Russ and Tracy Owen, Russ + Associates

There are approximately 3500 “law firms” as defined in the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the Act). Not all of them are subject to the Act, and most of those that are will have recently completed their first independent AML/CFT audit.

Over the last 12 months or so we have carried out numerous AML/CFT audits of different types of reporting entities, including law firms, accounting practices and managed trust companies.

Our independent AML/CFT audits of law firms, and our advisory work in relation to AML/CFT documentation, have shown that the legal profession is, in general, taking its AML/CFT responsibilities seriously and is making every effort to comply with the Act’s requirements.

Our audits have also revealed some reasonably common issues where law firms are failing to meet the standards required by the Act. We set out below a summary of three key issues we have identified, and how they can easily be addressed.

1. Use of templates without sufficient modification

The Act requires each reporting entity to undertake an assessment of the risk of money laundering (ML) and the financing of terrorism (FT) that it may reasonably expect to face in the course of its business, and to put in place appropriate procedures, policies and controls (PPCs) to manage and mitigate those risks.

Templates can provide a useful starting point. However, as other commentators have already noted, they should not be adopted without customising them to meet the law firm’s specific circumstances. Adopting templates without sufficient modification can lead to compliance documents that are not appropriate for the law firm and its business.

For smaller law firms in particular, the use of templates has the potential to overly complicate the firm’s compliance systems.

In an AML/CFT context, it is important that any template is reviewed and modified so that the identified ML/FT risks are your law firm’s risks, and the PPCs are relevant to, and workable within, your firm’s business. Ask yourself: Do these documents reflect what my law firm does in practice? Can I integrate the Act’s requirements into my business to meet all of the information-gathering and verification requirements (AML/CFT, FATCA, CRS, Landonline, IRD, and so on) as efficiently as possible?

2. Failure to consider all the items in sections 58(2) and 57(1) of the Act

Risk assessment – section 58(2)

The Act requires a reporting entity to have regard to seven matters when assessing the ML/FT risks that it may reasonably expect to face in the course of its business. These are:

(a) the nature, size, and complexity of its business;

(b) the products and services it offers;

(c) the methods by which it delivers products and services to its customers;

(d) the types of customers it deals with;

(e) the countries it deals with;

(f) the institutions it deals with; and

(g) any applicable guidance material produced by AML/CFT supervisors or the Commissioner relating to risk assessments.

We frequently observed in the course of our audits that not all of these matters were considered by the law firm when drafting its risk assessment.

Your firm’s risk assessment must consider each of these matters separately, even if there is some overlap in the factors considered. For example, when considering “nature, size and complexity”, client types and services offered may also be relevant.

This can be seen in the December 2019 Sector Risk Assessment produced by the DIA. It concludes that in relation to “nature, size and complexity” lawyers are “high-risk” because “client relationships can be complex and the identity of beneficial owners may not be clear [i.e. client type]. The ease of access to the legal sector, its wide geographic spread, the gatekeeper role it plays in accessing the financial sector [i.e. services offered] and the veneer of respectability it affords all compound ML/TF risk”.

Compliance programme – section 57(1)

A reporting entity’s compliance programme must contain adequate and effective PPCs for the matters set out in section 57(1). Not all compliance programmes we reviewed included PPCs for each of these matters. Most notable was a lack of PPCs for:

(a) examining, and keeping written findings relating to:

(i) complex or unusually large transactions;

(ii) unusual patterns of transactions that have no apparent economic or visible lawful purpose; and

(iii) any other activity that the law firm regards as being particularly likely by its nature to be related to ML or FT;

(b) monitoring, examining, and keeping written findings relating to business relationships and transactions from or in countries that do not have or have insufficient AML/CFT systems in place, and having additional measures for dealing with or restricting dealings with such countries; and

(c) preventing the use, for ML/FT, of products and transactions that might favour anonymity.

Examining, and keeping written findings for complex or unusually large transactions, unusual patterns of transactions and other activity likely to be related to ML/FT

We consider that this requirement applies to a law firm even if it does not have a trust account.

“Transaction” means any deposit, withdrawal, exchange, or transfer of funds and includes any payment made in satisfaction, in whole or in part, of any contractual or other legal obligation. Unlike the provisions relating to “prescribed transactions”, the requirement to examine and keep written findings for complex or unusually large transactions or unusual patterns of transactions is not limited by the words “conducted through the reporting entity”. Also, the requirement extends to other non-transactional activities that might be related to ML/FT.

It is important to set out in your compliance programme what “complex”, “unusually large” and “unusual pattern” mean in the context of your law firm. These terms can then be included in your compliance programme as triggers for further examination.

A written record of the examination and the conclusion reached must be retained. The Department of Internal Affairs recommends keeping a register of complex, unusually large and unusual patterns of transactions. In some compliance programmes we reviewed, reference was made to the “reporting suspicious activities” procedure in the firm’s compliance programme. This is also likely to be an appropriate way to comply with the requirements to “examine” and “keep written findings”.

Monitoring, examining, and keeping written findings, and having additional measures for dealing with countries that do not have or have insufficient AML/CFT systems in place

To meet this requirement, we consider that a law firm’s compliance programme should include a process that covers the following:

(a) The law firm will consider if the client or transaction is from a country that does not have or has insufficient AML/CFT systems in place. For this purpose the DIA recommends checking the Financial Action Task Force (FATF) list of high-risk and other monitored jurisdictions, which can be found on the FATF website.[1]

(b) If yes, the law firm will examine if there is anything suspicious about the business relationship or transaction and keep a written record of the examination undertaken and the conclusion reached. Again, it may be appropriate for the “reporting suspicious activities” procedure to be activated.

(c) The law firm will take the additional measures set out in its programme for dealing with or restricting dealings with clients from such countries. These additional measures will depend on the law firm but may include a blanket prohibition on acting for clients from such countries or requiring the approval of the Board or senior compliance partner before acting.

(d) The steps the firm will take to monitor the relevant client. The compliance programme must have a section on “on-going CDD and account monitoring” and it may be appropriate to refer to the provisions on monitoring high-risk clients set out in that section.

Preventing the use, for ML/FT, of products and transactions that might favour anonymity

Section 22 sets out when a reporting entity must carry out enhanced CDD. It includes where a law firm establishes a business relationship with a client that involves new or developing technologies, or new or developing products, that might favour anonymity.

In these circumstances, enhanced CDD must be carried out in accordance with section 30 (and not sections 23 and 24) of the Act. Section 30 requires the law firm to carry out standard CDD and to “take any additional measures that may be needed to mitigate and manage the risk of new or developing technologies, or new or developing products, that might favour anonymity from being used in the commission of a money laundering offence or for the financing of terrorism”. The additional measures a law firm may take depend on the law firm and may include understanding more fully the new or developing technology or products or treating the client as a high-risk client and taking additional or more sophisticated measures to verify the client’s identity.

It seems to us that section 57(1)(i) has a different focus. It requires the law firm to include in its compliance programme information about how the law firm will respond when faced with products and transactions that might favour anonymity. For example, what steps will the firm take when it receives an email via an encrypted mail service provider or is asked to accept cryptocurrency in payment of its fees?

3. No or incomplete PEP checking procedures

The Act requires a law firm’s compliance programme to contain adequate and effective “procedures”. Procedures set out “how” the law firm meets each requirement.

A lack of procedure for checking if an individual is a “politically exposed person” (PEP) was an area of non-compliance we identified in our independent audits. It was also identified as an area of non-compliance by the Department of Internal Affairs in its Regulatory Findings Report.[2]

It is not enough for the compliance programme to state “We will carry out enhanced CDD where we determine that a client is a PEP”. The compliance programme should set out how the law firm will determine if a client or beneficial owner is a PEP. The actual procedure to identify if someone is a PEP will depend on the particular circumstances of the law firm and its ML/FT risks.

What is clear is that your law firm cannot rely on self-declarations by clients, although asking a client if they or a member of their immediate family are PEPs may be a useful starting point. The procedure may also involve checking publicly available websites or using a commercial provider of PEP checking services. Whatever the steps, they should be set out in your firm’s compliance programme.

It is important to note that an individual may be a PEP even if they are resident in New Zealand. The definition of PEP includes a spouse, partner, child, child’s spouse or partner, and parent of an individual who holds or has held in the previous 12 months one of the prominent public functions set out in the definition. This captures an individual living in New Zealand whose child is the ambassador in an overseas country, for example.

Conclusion

Law firms need to ensure that their risk assessment and compliance programme are regularly reviewed. An independent audit is a useful trigger event for a review, and it should pick up any material deficiencies in the effectiveness of the risk assessment and the compliance programme.[3]

Based on the audits we have carried out, we recommend that as part of your next review, you ask yourself: Does the risk assessment address the specific matters in section 58(2) in the context of my law firm’s business? Does the compliance programme address each of the matters in section 57(1)? Are the PPCs set out in the compliance programme relevant to my law firm? Does the compliance programme set out how my firm will comply day-to-day with each of the matters in section 57(1)? Is there a process for checking PEPs? Do the documents reflect what my law firm does in practice?

Law firms should also consider taking the opportunity in the post-audit period to get specialist help to refine their risk assessment and compliance programme, if they are unclear about the best way of improving their next audit outcome, or if the Department of Internal Affairs has begun a desktop audit or on-site review.


[1] Countries not on this list may still be considered “high-risk”. Country risk is considered as part of the firm’s risk assessment and is a different but overlapping obligation. A firm is likely to apply increased or more sophisticated measures as part of its identity verification procedures when undertaking CDD on clients from or connected to such high-risk countries.

[2] Regulatory Findings Report 2018-2019

[3] Other trigger events may be the release of new guidance issued by the Department of Internal Affairs. Updated guidance on enhanced CDD was released on 18 September 2020.

Neil Russ