On 14 October 2024 the Financial Markets Authority (FMA), the Reserve Bank of New Zealand (RBNZ), and the Department of Internal Affairs (DIA) together released an updated version of the AML/CFT Programme Guideline (Guideline). We have previously released initial comments on this, and set out more detail on it below.

Subsequently, on 23 October 2024 the Associate Minister of Justice released a statement that the Government intends to consolidate the anti-money laundering and countering financing of terrorism (AML/CFT) regime’s supervisory model into having a single supervisor, as well as introduce a levy funding model. This follows the announcement earlier this month of the wider AML/CFT reform work programme, and reflects the “second part” forecast there.

Who needs to read it? Why?

It is a core requirement under the AML/CFT regime to establish, implement, and maintain an AML/CFT compliance programme (Programme). The Guideline sets out in detail what the supervisors will expect such Programmes to cover – the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act) even requires reporting entities to “have regard to” guidance material like this in developing their programmes. Many reporting entities may be considering whether to update their Programmes for this Guideline (which we discuss more below).

The Associate Minister’s statement will be relevant to all reporting entities, especially those currently supervised by the FMA or the RBNZ who will be shifted to under the DIA. All reporting entities will be concerned to understand what levies they may be subject to, and on what basis those may be set.

What does it cover?

The Guideline

The Guideline itself describes this update as a “[c]omprehensive review”, having effectively re-written its content and more than doubled its length. While the immediate impetus for this update was clearly the regulations changes of 31 July 2023 and 1 June 2024 following the 2021-2022 Statutory Review of the regime (both of which we have previously discussed), the supervisors appear to have taken the opportunity for a more sweeping expansion.

The updated Guideline steps through in substantial detail not only the principles and aims underlying the Programme requirements but also a combination of statements of those requirements, discussions of how they intersect with other parts of the wider AML/CFT regime (including other guidance), and suggestions from the supervisors as to what reporting entities could or should address. We will not set out that detail comprehensively here, but will identify a number of key points that stand out.

As a general point, this Guideline has taken a new approach of visibly delineating what it considers to be the legal requirements from what are framed as supervisor views or suggestions.

Part 1: Establishing a Programme

• In essence, a Programme must take the conclusions of a reporting entity’s risk assessment and build out adequate and effective procedures (e.g. day-to-day operations), policies (e.g. expectations, standards, and behaviours), and controls (e.g. tools to ensure compliance with procedures and policies) (together PPCs) to respond to them.
• PPCs are expected to overlap to some degree, and reporting entities are afforded some flexibility in how to develop and implement them – e.g. in keeping them proportionate to size, complexity, and risk profile, and in deciding whether to include everything in a single consolidated document or split out components (e.g. different business units or products/services) into subsidiary documents.
• A template may be a useful starting point, but the substance of the PPCs needs to be tailored to the specific business or they risk noncompliance – while this was not stated in the previous version of the Guideline, it is a position that the supervisors have elsewhere indicated for some time.

Parts 2 and 3: CDD for new customers and ongoing business relationships

• Customer due diligence (CDD) is considered to be a “cornerstone” of a Programme – hence being the subject of almost a third of the Guideline.
• Programmes should either state that reporting entities do not conduct transactions or activities outside of business relationships (and set out controls to ensure that) or, if they do, set out procedures for identifying both linked operations/transactions that together meet those thresholds and transactions/activities that are sufficiently regular to instead be business relationships.
• Procedures for identifying persons seeking to conduct suspicious transactions outside of business relationships or occasional transactions should be aligned with those for detecting persons seeking to circumvent CDD requirements for occasional transactions.
• The supervisors “do not consider it necessary for [reporting entities] to review CDD information, activity or transaction behaviour in the absence of a risk-based reason or trigger for doing so” and, in particular, that “[reporting entities] are not expected to conduct ongoing reviews of customers that are clearly low risk, for example based on the product and service provided and/or a customer with a low-risk rating”.
• While higher-risk activity should be prioritised, all alerts flagged by ongoing CDD and account monitoring should ultimately be reviewed, and clear timeframes should be set for that review.
• The supervisors “consider that [reporting entities] only need to consider updating CDD information (as part of [their] ongoing CDD and account monitoring) when there is a risk-based reason or trigger for doing so” (e.g. a change in risk profile), and that any decisions made that updating CDD information is not required should be recorded on customers’ files.
• The supervisors “do not consider it necessary (nor consistent with a risk-based approach) that [reporting entities] regularly reverify a person’s biographical information if [they] have verified this previously”, unless there is cause for concern or a clear change (like a name change) – the expiry of identity documentation is called out specifically as not, in itself, reaching this threshold.
• Reporting entities should have risk-based PPCs in place to identify higher-risk transactions even if they fall under e.g. occasional transaction thresholds, which may include looking at customer behaviour while interacting with them.

Part 4: Reporting

• The Guideline emphasises the strict restrictions in the AML/CFT Act on disclosure around suspicious activity reports (SARs) and prescribed transaction reports, and reiterates what has been said in other guidance about good faith enhanced CDD not constituting “tipping of”.
• Emphasis is put on how SARs relate to suspicion of any criminal activity (not just money laundering or terrorism financing) and to any person (not just direct customers), and on how the short timeframe within which reports must be made means time and resource needs to be focussed on SAR PPCs.
• The Guideline also notes the express exclusion in the AML/CFT Act of privileged information from law firms’ SARs, but goes on to state that they may be required to make a new report if information ceases to be privileged.
• Programmes should detail who is responsible for authorising and submitting SARs (including procedures for when they are not available) and how the required reporting timeframe will be met, and how the non-disclosure requirements will be complied with (including limiting access to relevant information to the officers and employees that need to know).

Part 5: Record-keeping

• The Guideline notes the importance of record-keeping to law enforcement, and also calls out its importance for reporting entities themselves – both to allow effective implementation of AML/CFT obligations and to be able to demonstrate compliance and reasoning for decisions and findings.
• The Guideline also references case law (Department of Internal Affairs v OTT Trading Group Ltd) requiring records be kept in a form that is “immediately accessible”.
• The Guideline points out that both the AML/CFT requirements and the Privacy Act 2020 will apply to record-keeping and, where possible, these should be aligned, but the AML/CFT requirements will prevail if there is an inconsistency.
• It is important to ensure that record-keeping includes controls around access to sensitive or confidential customer information (for instance, around SARs).

Part 6: Reliance on third parties and outsourcing

• The Guideline confirms that reliance on third parties for CDD or other AML/CFT functions (or use of a third-party software solution, which is not technically reliance) does not shift responsibility or liability – a reporting entity is always responsible and liable for its own compliance.
• The requirement is to “obtain” CDD information – it is not sufficient for another entity being relied on to merely provide assurance that CDD has been conducted.
• Outsourced CDD cannot be viewed in isolation from other CDD (or wider AML/CFT) obligations, including those around reviewing and updating CDD information.
• Any use of a third party must be fully documented in Programmes, with appropriate PPCs for those functions.

Parts 7 and 8: Implementing and maintaining a Programme

• An effective Programme will emphasise (i) a strong governance structure and AML/CFT culture led from the top, (ii) effective PPCs for monitoring and managing compliance requirements (especially where technology and automated systems are used), (iii) processes to ensure all employees and systems operate in compliance with AML/CFT requirements, and (iv) appropriate AML/CFT training and vetting for those roles where it is appropriate.
• A Programme should be “dependent on, and should be directed at, [a reporting entity’s money laundering and terrorism financing] risks”. This confirms that risk assessment comes first and the Programme is a response to risk. 
• Vetting procedures can leverage other vetting/accreditation/licensing that persons may have gone through for other reasons (e.g. for a professional body).
• Reporting entities should typically review their Programmes at least annually to ensure they are up-to-date and identify any deficiencies for improvement, but they may need to review and update them in other situations (such as where their risks have evolved or their businesses have materially changed).
• Regular assurance activity (such as sampling or testing) of all parts of a Programme should be conducted, with the necessary extent depending on its size, complexity, and risks.

Associate Minister’s statement

Subsequently, the Associate Minister announced that Cabinet has approved a reform work programme to change the AML/CFT supervisory model and introduce a levy-based funding model. This policy announcement will require amending legislation before it can take effect. The Associate Minister has not indicated yet the timing or process to make those changes.

Once they are made, the DIA will supervise all reporting entities (including those currently under the FMA and the RBNZ), with the intention being to “improve the efficiency of the system, establish a more risk-based approach, and enable more timely provision of guidance and support”.

The changes will also introduce an industry levy to go towards funding the AML/CFT regime, with the intention being to “[design it] to ensure that costs are equitable and reasonable for the sector and will not place undue burden on small businesses”. The statement does not indicate how the levy will be set, whether it will apply at different rates to different classes of reporting entity, or how it will be collected at this stage.

Our view

The Guideline

Additional detail

It is clear that the Guideline is substantially more detailed than its previous version. Part of this is restatement of statute or case law rather than additional development – while it does lead to a longer document, there is much to be said for consolidating the various matters that reporting entities need to consider into a single document.

A notable improvement in the updated Guideline is the clear separation of distinct “supervisors’ view” and “check list” boxes. In theory, this should provide greater clarity around the actual effects of the Guideline – as one source of confusion with past guidance has been a blurring of the line between statements of law and supervisor interpretation.

However, we note that this distinction is not universally applied – there remain some parts of the Guideline’s text outside of those boxes that still appears to be supervisor statements about what reporting entities “should” do which go beyond the letter of the AML/CFT Act.

The Guideline’s repeated reference back to how Programmes and their components can and should be risk-based (i.e. proportionate to the risk faced) and need not prohibit higher-risk products/services/customers so long as that risk is identified, understood, and addressed, is positive. It is a welcome acknowledgement by the supervisors of the original legislative intent of how the New Zealand regime is meant to apply.

However, there is a risk that the greater length and detail of the Guideline could be taken as prescriptive – this will ultimately come down to how the supervisors approach Programmes that diverge from some of their suggestions (in other words, drawing the line between best practice and technical compliance).

Programme update expectations

It is not yet clear exactly what the supervisors’ expectations around updating Programmes to reflect the Guideline are. The Guideline itself refers to at least an annual review, but notes that a review and update may be required in other circumstances – how this interacts with changes to guidance that does not relate directly to the level of risk is not specifically addressed.

Many reporting entities may have recently updated their Programmes to incorporate the new legal requirements that commenced earlier this year, and so may not have a scheduled update (absent further changes to legal requirements or risk) lined up for some time.

Our view is that the issuing of the new Guideline should not require additional updating of Programmes until the next scheduled (or otherwise triggered) review. Otherwise, the effect of the Guideline would be to impose significant additional compliance costs on reporting entities – and, as has been clear from various statements by the Associate Minister, reducing the administrative burden on (particularly smaller) reporting entities is a priority.
However, if a reporting entity does carry out a review and update following the publication of the Guideline, we consider it will likely be expected that the updated Guideline will be incorporated.

Future-proofing

The Guideline references the risk-rating requirement that comes into force on 1 June 2025, although the use of the present tense implies the supervisors are looking to build this in ahead of time.

Similarly, the Guideline also references proliferation financing when describing the activities that the AML/CFT regime seeks to combat. It explicitly recognises that this is not a formal part of the regime in itself, but also identifies that there may be links and even some overlap. Given the Statutory Review recommended incorporating proliferation financing into the AML/CFT regime in some form, we expect the supervisors intended this mention to pre-emptively start to build this in.

Associate Minister’s statement

This statement of the Associate Minister, together with the one earlier this month (which related to the wider AML/CFT reform work programme and the two bills currently undergoing development), is an encouraging sign of the AML/CFT regime receiving Ministerial attention.

Supervisory model

The move to a single-supervisor model has been a subject of debate since before the AML/CFT regime kicked off. It should allow for more consistent and timely guidance, without the need to have wording agreed on by multiple entities that sit in different regulatory contexts with respect to their supervised pool and have differed in their approaches in some places.

Our preference would be for a standalone agency, similar to AUSTRAC in Australia. One question which we have is whether the governance arrangements of the DIA’s AML/CFT function will be sufficiently robust. The FMA and the RBNZ are an independent Crown entity and a statutory corporation respectively, with corporate-style board governance. By contrast, the DIA is a core government department with many functions, headed by a Department Chief Executive and reporting to a Responsible Minister. It may be questioned whether this is ideal for a regulatory supervisor.

However, the DIA does have experience from its supervision of over half the current reporting entities (by number), which means it is best placed of the existing supervisors to consolidate responsibilities. Building up the DIA to have the capability and resourcing to be the sole supervisor will take some effort, but once that is established there should be some clear efficiency and effectiveness benefits.

Levy model

A levy model would allow greater resourcing of the AML/CFT regime without needing to compete for more public funds, but will need to be balanced with its increase to the costs of compliance. Care will need to be taken in setting the amounts of the levy and exactly where they fall. 

The Associate Minister has also referred to “cost recovery principles” but it is, at this stage, not clear precisely what principles would be applied and how suitable checks and balances would be maintained so that the levy power does not simply amount to revenue-gathering without reference to the efficiency of the governmental activities which it funds.

The Treasury has issued, most recently in 2017, “Guidelines for Setting Charges in the Public Sector”, and the Office of the Auditor-General also has a set of guidelines on cost recovery. We also refer to the Productivity Commission’s 2017 “Report on Regulatory Institutions and Practices” to which the Treasury guidelines are a response. The Treasury guidelines acknowledge the importance of users and the public being assured that government agencies are managing their costs efficiently and effectively, and taking appropriate consideration of principles such as transparency and accountability. We would expect that the DIA should be able to demonstrate to levy payers that the fees are fair and reasonable and that there are appropriate constraints on charging practices.

As the Statutory Review noted, the regime is primarily a matter of public good and law enforcement, and should mostly be funded by central government (and therefore taxpayers).

Speed of reform

While the direction of travel for these changes is not necessarily surprising, the speed with which they have been decided on and proposed is. The Statutory Review merely recommended exploring whether an alternative supervisory model would be beneficial, while also recommending that a hybrid funding model be introduced subject to further consultation – so there has been a rapid leap ahead for both matters without that consultation taking place, but particularly for the supervisory model where a further substantive decision has clearly been made.

What next?

The timing of the reforms announced by the Associate Minister in her statement is not yet clear. We would expect that there would be consultation and likely a Select Committee process in relation to the required amending legislation. Even after legislation has been enacted, it may take some time to build out the system changes to function in practice. However, we recommend reporting entities consider now whether they may wish to make submissions in that process, as it is clear the Associate Minister intends to move as quickly as possible.

If you have any questions in relation to the updated Guideline or the Associate Minister’s statement, the wider AML/CFT reforms, or the AML/CFT regime more generally, please contact one of our experts.

This article was co-authored by Sam Short, a Senior Solicitor in our Financial Services team.