Late last week, the Department of Internal Affairs (DIA):
- issued money laundering and terrorism financing (ML/TF) risk summary documents for law firms and accounting practices (Risk Summaries);
- commented on a review (Review) focusing on law firms, accounting practices and real estate agents’ compliance with the independent audit requirements of section 59 of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act); and
- announced a formal warning (Warning) to Arizto Limited (Arizto), a real estate agent selling residential properties.
Who needs to read it and why?
Law firms, accounting practices, and real estate agents should read this, but it may also be of interest to other reporting entities, e.g. trust and company service providers.
The Risk Summaries illustrate many of the risks that law firms and accounting practices need to be aware of, while the Review identifies areas commonly in need of improvement in respect of audits. The Warning reinforces the importance of compliance, and the DIA’s stated approach to enforcement.
What does it cover?
Risk Summaries
The Risk Summaries target law firms and accounting practices, given their role as “gatekeepers” providing services that can be misused to get illicit funds into the financial system and their unique perspective on their customers.
They summarise the key ML/TF risks faced by these entities (which, in the DIA’s view, share a medium-high inherent risk level) and the red flags for suspicious activity that they should be alert to. These risks and red flags expressly do not operate in isolation, but rather need to be considered in totality.
Review
The Review was carried out by the DIA between January and April 2023, looking at 60 law firms, accounting practices, and real estate agents from across New Zealand and seeking to “identify common areas for improvement across their independent audits and determine the appropriateness of actions taken to address them”.
Of the areas identified as needing improvement, the DIA specifically sets out four that it found to be common, namely:
- “[a] lack of clear policies, procedures, and controls to verify the identity of [new] customers that do not align to the Identity Verification Code of Practice”;
- “[w]eaknesses in procedures adopted for conducting [Politically Exposed Persons] checks”;
- “[a] lack of analysis [in risk assessments] specific to identifying and mitigating risks posed by the reporting entity’s products and services, methods of delivery and the institutions that it interacts with”; and
- “the continued use of generic templates that have not been customised to the reporting entity’s risks, context, and business”.
The DIA noted with concern that some reporting entities had done little or nothing to address non-compliance or partial compliance identified in their audit reports, which falls short of the DIA’s expectations.
Warning
On 2 June 2023, the DIA issued a media release in respect of the Warning issued on 12 April 2023 to Arizto for “fail[ing] to meet their AML/CFT obligations relating to the establishment, implementation, and maintenance of an AML/CFT programme and fail[ing] to conduct customer due diligence as required by the AML/CFT Act”.
It calls for immediate action to rectify non-compliance, and indicates that there will be ongoing monitoring by the DIA while acknowledging that Arizto has since demonstrated commitment towards improvement.
In explaining its reasons for issuing the Warning, the DIA notes its “responsibility [as a supervisor] to act on non-compliance to contribute to a robust AML/CFT system and ensure New Zealanders can trust the integrity of the real estate sector in Aotearoa”.
As is usual for formal warnings, the DIA makes clear that there is no allegation of actual involvement in ML/TF. This is a crucial point to keep in mind when approaching compliance with the AML/CFT Act – the requirements relate to systems and processes to better combat ML/TF, but are distinct from any actual commission of ML/TF.
Our view
Law firms and accounting practices will no doubt find the appropriate Risk Summary a useful point of reference for understanding the ML/TF risks that they face, which is the crucial first step in setting up AML/CFT compliance systems. Without stepping through the detailed (but non-exhaustive) lists of risks and red flags here, we recommend that all law firms and accounting practices work through these summaries and ensure they are appropriately reflected in their own compliance documents.
The Review is a helpful prompt to reporting entities generally to ensure their approach to audits and how they address identified deficiencies is sufficiently proactive and effective. Audits provide tailored insight into compliance with the AML/CFT Act, and should never be ignored or treated as a box-ticking exercise.
Finally, the Warning serves as a reminder to all reporting entities of the importance of full compliance with the AML/CFT Act. As has often been stated, the AML/CFT regime is sufficiently mature now that the supervisors are openly willing to take a firmer approach to non-compliance. In particular, the DIA states that it will take “proportional action to address non-compliance, ranging from education and guidance to civil penalties and prosecution depending on the scale and significance of breaches”.
What next?
If you have any questions in relation to these DIA releases, or the AML/CFT regime more generally, please contact one of our experts.
This article was co-authored by Sam Short, a senior solicitor in our Financial Services team.