Eight steps to AML/CFT Compliance in New Zealand

After the 2017 amendments to AML/CFT, we have created a shield methodology that provides 8 practical steps to understand AML/CFT compliance in the context of your business, in order to shield you against AML/CFT vulnerabilities and ensure compliance with NZ’s anti-money laundering legislation.

Here is a summary of the 8 practical steps to help you get started:

  1. Risk-based assessment

First step is you need to establish an AML/CFT risk assessment, which requires the active engagement of senior business personnel. Begin with a brainstorming session with the most senior company leaders, who understand the entire business processes and the uniqueness of the business with which must be reflected in any assessment process. A well thought out risk assessment will include consideration of only the most relevant inherent risk factors, so that you focus your efforts in the right places when developing your compliance programme and avoid running out of steam by taking on too much. This approach will in turn, maximize the effectiveness of the program and meet regulator expectations.


  1. Vetting and training

The next step is to review any existing policies or procedures you have in place for vetting staff. The decision around who is required to undergo employee vetting in an AML/CFT context involves identifying people who in the organisation can influence and/or override decisions around taking on new clients, signing off and approving work and monitoring compliance. The next step is to ensure you have adequate vetting for other employees who could pose a risk of using false identities and references to avoid identification of past criminal offending and who may use the business or allow their associates to use the business for money laundering purposes. The level of vetting required will depend on what you have identified in your risk assessment however as a minimum it will typically involve identity verification, identification of any past criminal convictions and a number of character references. The next step is to develop a training plan for all staff involved in AML/CFT activities.  The key to an effective training plan is ensuring the training is customised for each audience within the organisation so that it equips them to be aware of money laundering and terrorism financing risks and understand how they should respond when confronted with such risks. For senior management this normally involves at a minimum an overview of the legislation, the ML/TF risks and how the organisation is preparing itself to meet its obligations and identify and report suspicious transactions. For front line staff this might focus on the companies AML/CFT policies, procedures, controls, trends and techniques of ML/TF and how to identify suspicious behaviour.    


  1. KYC

The key to the effectiveness of any anti-money laundering operation is understanding your clients. As a minimum, you should have policies in place to assist staff in three areas: when KYC is required? what KYC measures are required? And, what documentation is required to satisfy the measures taken?  The “when” question depends whether you are establishing business relationships with new customers where it will always be required, versus, what should be done for existing customers, where it will depend. We suggest undertaking a very careful risk based review of your existing customers and putting them into one of three categories: well known to us, on-boarded in last 1-2 years and high risk customers based on business structure i.e. trusts and foreign companies. The KYC measures required for “well known to us” maybe less than for the other 2 categories, but keeping risk in mind will always ensure you are doing enough. The next step is to consider the documentation requirements, which are reasonably strict and will need to comply with the identity verification code of practice published by the regulators. We recommend reporting entities establish a list outlining standard documentation requirements for each customer type setting clear expectations as to what is satisfactory. That might include adverse media and PEP screening documentation and how to go about it, ensuring staff are not going through any irrelevant information or processes.


  1. Record keeping

Knowing what written and other records to keep and keeping them for the correct length of time will be crucial to being able to stand up under regulatory scrutiny when the time is required. In terms of written finings, we suggest keeping them on at least the following matters:

  • Complex or unusually large transactions;
  • Patterns of transactions that are unusual and have no apparent economic or visible lawful purpose;
  • Any other activity that BFS regards as being likely in its nature to be related to ML/FT; and
  • Business relationships and transactions from/in countries that have insufficient AML/CFT systems in place.

In terms of records, we suggest keeping records for at least 5 years from the date on which the relationship with the customer ends in regards to the following:

  • Customer profile documentation
  • Transaction records
  • Client verification/transaction information that carries a money laundering


  1. Suspicious transaction and activity reporting

What’s crucial to understand about suspicious transactions is what the regulator deems as suspicious, and how to apply red flag alerts to suspicious activity, such as third-party payments or large, one-off payments. You need to design a transaction analysis system that fits with the size and structure of the business and gives you the control you need in an easy-to-use way.  Start by creating a set of red flag rules to identify potentially ML/TF behaviour, but limit it to 20-30 rules at first, otherwise you will risk making the whole process overly complicated and too difficult to handle on an on-going basis. We normally recommend customers to cover four categories of rules: single transaction rules, customer rules, account rules, and supporting rules. Ideally there should be a balance between effectiveness and efficiency.


  1. PTR

Prescribed transaction reporting (PTR) requirements can be broken down into 6 categories: Understand the regulations, prepare the information, determine how to submit PTRs, develop your system, test your system and prepare your people. You need to work through each phase systematically and choose the reporting system that best suits your business, Submitting PTRs by entering data into the goAML online portal will be far more cost effective for a small 1-2 man operation whereas totally impractical for large scale legal or accounting practice where they will build system-to-system interfaces. If you are a phase 2 reporting entity and large, then you will need to start to develop this process or engage consultants who can do it for you reasonably quickly, so it is live in time for your implementation date next year.


  1. Review & Audit

If your organisation’s overall compliance requirements are significant enough, we recommend a periodic review of your AML/CFT programme is undertaken as part of a formalised compliance assurance framework.

The framework for AML purposes should include testing of key operational areas including:

  • Review of transactions and transaction monitoring findings to ensure sufficient detail is recorded when assessing transactions and appropriate investigation has occurred
  • Regular review of the training register to ensure all staff training has been appropriately recorded and ensure continued development/training is provided.
  • Regular review of KYC files to ensure documentation standards are met
  • Also, obtaining independent parties to perform regular reviews of company adherence to AML/CFT compliance policies.
  • Reports should be submitted on a regular basis to audit & compliance committees outlining assurance activities such as how many records have been examined, what the success rate is, what the common issues are in KYC documentation and actions taken to address issues and trends.


  1. Transactions that favour anonymity

This will be particularly important for organsiations that rely heavily within the online world, where anonymity poses a high risk of criminal activity. The first step is to identify what products and services you offer that might provide ML/TFs with a way to mask their identity or identity of recipients of their funds. This is because, without effective monitoring of these products and services, it can be difficult to know if the customer is how they say they are or permits other people to use and operate the services under their name, for example with real estate transactions, where family and associates of criminals have allowed them to use accounts in their name to purchase property. Once these products and services are identified you need to set out in your programme pro-active steps and controls you will take to detect and deter ML/TFs from using your services. Controls will include procedures to monitor transactions to detect anomalies in your knowledge of the clients business or checking the physical address provided by the client against the location(s) from where the client logs on and any other unusual transaction patterns.



Following this eight-step approach will allow you to proactively make a great start on developing your risk assessment and compliance programme and ensure you are meeting your AML/CFT compliance obligations. Put the effort and investment in up-front rather than encountering the significant stress, time and cost required battling a regulatory investigation. We’ve put this together to get you started on your AML/CFT journey and if you address each and every one of the eight steps in a methodical way you will be well on your way to meeting your compliance obligations and avoiding regulatory problems further down the line.