AML/CFT July Newsletter
In this Newsletter:
- AML Update
- Are certified copies of trust deeds required?
- Ongoing CDD requirements for Phase 2
- First audit timing recommendations for Phase 2
- In the News
- Compliance Officer Training Courses
1. AML Update
AML/CFT Phase 2 is well underway with the Law Firms and Conveyancers going live from 1 July. AML Solutions has been actively involved with more than 100 Law Firms with some firms being more complex with respect to determining areas of captured activities.
As a result, we encourage all Compliance Officers to spend time understanding their Risk Assessment documents and make time to review information in the document after a few months of operation. We do believe a high percentage of Law Firms have taken minimal steps to become compliant and as a result their regulator – the DIA – will be busy.
Accountants are required to be compliant from 1 October 2018, and Real Estate from 1 January 2019. AML Solutions is actively working with both sectors.
We do encourage all Phase 1 entities to plan ahead for 2018 and 2019 AML Audits. If you would like to discuss any future audit requirements, please enquire here.
Questions from the recent AML SUMMIT
The following questions were the most popular questions at the recent AML Summit Conference. If you have a question you would like answered, please respond here.
2. Do we need to get certified copies of trust deeds?
The answer from the AML Supervisors on the day was that this is a risk-based decision for the reporting entity, that is, it is not mandatory, however, you may consider requiring it where there are any doubts around the veracity of the supplied documents.
Exceptions under the Amended Identity Verification Code of Practice 2013 (IVCOP)
There were a number of related questions around dealing with exceptions under the IVCOP so we have set out a few key clarification points below.
The IVCOP allows for exceptions and acting outside of the IVCOP as follows:
- The IVCOP states that a reporting entity should have an exception process for dealing with customers who cannot meet the requirements of the IVCOP (e.g. the customer does not have current identity documents in the right combinations under the IVCOP).
- Where you are going to act outside of the IVCOP (e.g. take different documents or different combinations of documents as part of its usual CDD process), you are expected to notify your AML Supervisor setting out how you consider your proposed process to verify identity is equally effective as the IVCOP.
While 1. tends to suggest use of the process for one-off exceptions (whereas 2 is for acting outside the IVCOP generally), we have seen entities use this to accommodate ‘standing exceptions’ e.g. for elderly customers who do not maintain current passports or driver licences. This is handled by putting the approval level for such exceptions at a lower level (e.g. manager) instead of an AML/CFT Compliance Officer (AMLCO) level. This prevents the AMLCO being swamped with common, lower risk exceptions, however, they should still maintain oversight of this process through assurance.
Where there are any questions around whether your process fits into 1 or 2 above, you can contact your AML/CFT Supervisor to discuss. Don’t worry – they are all very friendly.
It is important to note that the exception process under the IVCOP cannot be used to exempt yourself from the CDD obligations of the AML/CFT Act – e.g. you could not use such a process to decide you were not going to verify certain beneficial owners because they do not have readily available identity documents. You could, however, determine how you might otherwise verify them using methods otherwise than in the IVCOP.
3. Is there a requirement to perform ongoing customer due diligence (OCDD) for phase 2 entities as is expected for Phase 1?
The OCDD requirements under s31 of the AML/CFT Act also apply to Phase 2. How Phase 2 entities meet these obligations will be different, however, reflecting the nature of the captured activities provided by these entities.
Section 31 requires reporting entities to review the customer’s account activity and transaction behaviour to:
- ensure that the business relationship and the transactions relating to that business relationship are consistent with the reporting entity’s knowledge about the customer and the customer’s business and risk profile; and
- identify any grounds for reporting a suspicious activity.
Phase 1 entities will often maintain accounts or facilities for customers where they are holding funds for an extended period and where multiple transactions may occur through that account/facility (that is, often continuous, ongoing contact with the customer). This will mean monitoring transactions as they occur but also reviewing accounts on a periodic basis (including confirming customer details). This may trigger an update of, or collection of additional, customer due diligence (CDD) (including enhanced CDD where necessary).
Activities provided by Phase 2 entities on the other hand are often matter- or transaction-based. As such, much of the interaction with clients is on ad hoc or ‘as needed’ basis. Reporting entities will likely focus their OCDD requirements around these interactions including checking and updating CDD information when a client comes back for another captured activity. We would not expect that many Phase 2 reporting entities are contacting clients between these interactions to update CDD information.
Each reporting entity will need to consider how these OCDD requirements are met in practice given the nature and risk of their business.
4. Is the first audit due two years from now for Phase Two firms?
Phase 2 entities will have to have their first audits within two years of “going live” – law firms will need to have their first audits by 1 July 2020, accounting firms by 1 October 2020 and so on. You do not need to leave it for the full two years to undertake the first audit however. We strongly encourage entities to consider going earlier for the first audit as:
- it will pick up any deficiencies or gaps in the design of the AML programme which can then be addressed, rather than potentially being in breach of the AML/CFT Act for an extended period; and
- in our experience, most entities tend to leave it close to two years for the audit meaning that there is massive demand at certain times making it less likely that you will be able to get an auditor to undertake the audit and therefore risk breaching the audit requirement.
Take the opportunity to speak to your proposed auditor about when the busy times are for these services and try to get off cycle with other Phase 2 reporting entities and the busy periods for Phase 1 entities. We would usually recommend leaving at least a few months after go-live to allow an appropriate population of clients to sample from. That said, the optimal approach is to have the risk assessment and compliance programme audited earlier (testing the adequacy of the programme you have put in place) and then completing the sampling and testing later on in the audit period (testing the effectiveness of your programme).
Please note that the above is meant as general guidance and reporting entities should contact their AML Supervisor for guidance on any specific matters.
In The News
Auckland finance firm, director, worker charged with laundering Edward Gong’s hidden NZ millions
An Auckland finance firm, its director and an office worker are facing charges over allegedly laundering more than $53 million belonging to a Chinese businessman who denies running a $200m pyramid scheme from Canada.