Since the introduction of the Anti-Money Laundering (AML) and Countering Financing of Terrorism (CFT) Act 2009, many New Zealand businesses have been brought into the act’s scope of influence in waves. Thus far, we’ve seen some financial institutions handed significant fines for non-compliance with the act, while other industries are now just coming out of their first audit cycle.
The possibility of these fines becoming more common is something that we all want to avoid, and that’s why we’ve written this article. Here at BDO, we’ve already seen a pattern of issues start to emerge. While failing to address these issues may not lead to immediate regulatory action or fines, continued non-compliance likely will, so it’s best to build a compliance program which precludes the possibility of these more prevalent pitfalls.
In several cases, these holes in your compliance program might not be obvious until after the audit has turned them up, but we’re here to help with remediation of these issues, too.
Issue 1: Lack of Self-Monitoring
Under Section 57 of the AML/CFT Act 2009 (Minimum Requirements for AML/CFT Programmes) you will find a list of key things that a reporting entity must do in order for their compliance programme to meet the standards of the act. Much of this relates to vetting and training of staff, customer due diligence, and keeping written findings on certain transactions. However, we’ve found that one point tends to get missed more frequently than the others: the requirement to self-monitor your compliance program.
Many reporting entities assume that so long as they are audited every two years, as laid out by the act, that covers this point. Unfortunately, it doesn’t. Monitoring the compliance program is something that needs to happen within the reporting entity, and it’s essentially an extra level of assurance that compliance is happening as it should. To many, this seems unnecessary, but the truth is there is more benefit to having a robust compliance monitoring plan in place than simply avoiding fines—it also helps you catch problems or blind spots in your program between audits.
This is ideal because it vastly improves the chances of a better audit result. In fact, there’s a relatively strong correlation between a lack of self-monitoring and audit findings.
But what should this look like? The concept is easy to grasp—compliance means implementing a plan to supervise transactions and supervising the plan itself—but how is this done in practice?
We have seen the best results come from a focus on Customer Due Diligence (CDD). This is the single biggest issue that we see when performing audits. CDD requirements can be complex and confusing – are you certain that your team is fully compliant? Perhaps a periodic sample check is in order?
Beyond that, ensure that there are clear systems for tracking the completion of staff training, transaction reporting, and so on. Ultimately, each reporting entity has its own unique risks to be aware of, and these can differ from industry to industry.
Ensure that there are clear systems for completion and monitoring within your compliance framework.
Issue 2: Incomplete Customer Due Diligence
A core part of the act is Customer Due Diligence (CDD). It’s a broad and complex point, so it’s not surprising at all that many reporting entities are attempting to comply yet falling just short of the mark. Usually, there are only two or three areas where businesses fail to comply.
Identification Verification Code of Practice (IVCOP) Compliance
The first is issues around the use of IVCOP, the ‘Amended Identification Verification Code of Practice 2013’. IVCOP is the guidance documentation issued by the regulator, and it contains information like which forms of ID are acceptable to use as customer identification.
Most people understand that identification is important and do collect and record it, but don’t know, for example, that a driver’s licence alone isn’t enough. This is a common issue because it can be a major hurdle for customers; not many people carry around multiple forms of ID at all times, so it follows that many businesses settle for what they do have, which is typically a driver’s licence.
IVCOP also states that if originals can’t be used for ID, copies need to be certified. IVCOP clearly lays out what level of certification is needed, but most people don’t check whether these standards have been met when a document is received – this responsibility remains with the reporting entity. Simply put, if a copy isn’t certified in line with accepted standards, its authenticity can, and possibly should, be questioned.
Thankfully, there’s a remarkably easy way to reduce both these IVCOP compliance problems to virtually nil: use electronic verification software. Third-party software exists which can scan identification, automatically verify it with government agencies or departments, and then send you a verification report which can be relied upon for CDD purposes. Many of the available solutions can even biometrically link the identification in question to its owner using their device’s camera. It’s the best way to operate, bar none.
Additional requirements in your compliance framework
A lot of reporting entities add extra controls into their compliance program, and then forget about them because they’re not a requirement of the act. For instance, the act doesn’t require proof of a New Zealand bank account as a part of CDD, but your compliance framework might. Another is the decision to perform enhanced CDD on all customers, regardless of whether they qualify for standard or even simplified CDD.
It’s remarkably easy for these extra controls to slip through the cracks, so our advice is this: be selective. Many businesses need to add extra requirements to their compliance program. However, every additional rule is one more that must be followed, as the act treats a breach of these rules as a breach of the act itself.
Incomplete source of wealth information
This one is admittedly very tricky. In most cases, source of wealth is relatively straightforward. When you need to prove where a client’s wealth or funds have come from—as is often the case in real-estate transactions—payslips, a work contract, or bank account information can all suffice. However, it’s unlikely that simple documentation such as this will suffice for unusual scenarios. In fact, it’s the non-standard situations that pose the greatest risk, and therefore need the most due diligence.
Think about it; someone making a $10M land purchase is unlikely to be on a monthly salary with easy-to-access financial information. We instead see a tendency for large purchases to be funded by things like stock portfolios, and this is where the difficulty arises. The reporting entity is expected to ensure that the math checks out—could this stock portfolio really be the sole source of wealth for this purchase? How would you find out?
This entire process is very subjective, and it can essentially differ from transaction to transaction. That’s why our advice here isn’t to try to implement a rigid set of rules around it. Instead, you need to train your staff to understand how these transactions work on a macro level.
It’s important that staff have guidance on this point, rather than a checklist to follow. They need to be experts themselves. Your business may benefit from some rules around what types of evidence are acceptable, but the rule of thumb here is that everyone involved in a transaction needs to know as much as they can about how to (independently) establish a clear and legal source of funds.
Issue 3: Lack of Flexibility
Finally, we often find a lack of flexibility in the compliance frameworks for reporting entities. Exceptions to policies and procedures can and do come up, but these need to be justified, well controlled, and handled transparently. Often, this is the root cause of many of the other issues we’ve already covered.
Let’s look at a common requirement for vetting new hires: “You must obtain a reference check from two places of employment over the past two years.” A rule like this might sound reasonable, but in practice, it won’t work all the time. What if the potential hire has only worked in one position over the last two years? What if this is their first job? What if they worked for you in the past for five years, left for one, and then returned—in such a case, you might even waive the whole interview process!
Instead of simply breaking the rule laid out in your compliance program, be sure to give your program wiggle room. You should try to avoid drafting any requirements that are automatically broken in some situations, but you can also create allowances for certain situations.
Of course, genuine exceptions to your framework will arise—the last example of a returning employee is a good example of something that you probably can’t plan for. However, you can’t handle every instance of this by just setting it to the side and calling it an exceptional case. Instead, you should include a process in your compliance program for these edge-cases.
What deems a case exceptional? Who is in charge of approving whether or not a case is exceptional? How are these cases documented and tracked? This is the sort of process you can point to after the fact to show that you are still complying, even if certain things fall outside your compliance framework. Without a process like this, you may as well not comply, and call it all exceptional!
Is your organisation facing complex AML issues? BDO can help.
We don’t just audit reporting entities under the AML/CFT Act 2009; we can also help you set up your compliance framework. We also help with remediation plans for fixing audit issues or regulator feedback, including helping to assign responsibility and implementing follow-up reviews.
Talk to BDO today about how you can manage your compliance with the act, and how remediation can help you turn an audit around. If you’re looking for help with another form of NZ audit or need further accounting services, reach out to our team today.