By Kerry Grass, Principal Anti Money Laundering Consultants*
The Anti-Money Laundering & Countering Financing of Terrorism Act 2009 (the Act) came into force on 1 July 2013. The Act requires financial service businesses to obtain independent audits within a two-year period. The first audits across the industry were due on 30 June 2015.
Audits
Audits have two primary evaluations –
1. To determine whether the business has adequately documented risks.
2. To determine whether the business is operating with adequate policies, procedures and controls to manage and monitor risks.
The ‘risk’ that is being measured and managed is the likelihood of the business facilitating money laundering and/or the financing of terrorism.
Evaluating Risk
Risk evaluation is determined on an objective basis. When risk exposure is high, strengths of compliance procedures and controls must be adequately robust.
Controls must be capable of –
1. Monitoring risk.
2. Evaluating risk exposure.
3. Mitigating and managing residual risk.
4. Determining the strengths and effectiveness of the controls themselves.
Principles Based Framework
As principles based legislation the Act sets minimum criteria along with expected outcomes. It is less prescriptive on the method that businesses may take to achieve the desired outcomes.
This ‘principles based’ framework takes into consideration that financial service businesses vary in size and complexity. By providing a less prescriptive ‘road map’, businesses with a lower risk profile can expect to operate with reduced compliance resourcing and ongoing costs.
Risk Assessment
The risk assessment is required to focus on six primary areas –
1. The nature, size and complexity of business.
2. Customer types.
3. Products and services distributed.
4. Method of distributing the product or service.
5. Type of business relationships with financial institutions.
6. Geographies dealt with.
Inherent Risk Elements
To conduct an effective risk assessment businesses must have an understanding of the inherent elements that either increase or decrease the probability of money laundering and/or the financing of terrorism.
These inherent risk elements include –
1. Whether the business operates as a single business entity or is part of a group of businesses operating across various financial sectors.
2. The volume and value of transactions conducted on behalf of customers.
3. Whether customers are from one jurisdiction or from multiple jurisdictions. Whether jurisdictions present higher risk - a higher risk jurisdiction includes one that has unacceptable levels of corruption, operates with little AML CFT oversight or lacks an infrastructure to adequately support law and order.
4. Inherent risks in products or services include those that allow purchasing in physical cash or that, after acquisition, can be readily converted to cash or a cash equivalent. If the product can be accessed from offshore, provides opaque ownership or enables easy transfer of ownership, then risk exposure increases.
5. Customer risk considers whether the account is being operated by a private individual, sole trader, company, trust or other type of business structure. Whether the business is retail, commercial or wholesale are relative risk factors. Jurisdiction of business operations and incorporation, including management and ownership are also relevant. If the customer is trading on behalf of its own customer, further risks arise.
For these reasons the Act requires businesses to have knowledge of the ‘Nature and Purpose’ of the customer’s relationship.
6. Businesses that provide the ability for potential customers to open an account through an online or non face-to-face procedure need to apply a higher level of due diligence. Due diligence requires the establishment, on a reasonable basis, that the customer is who they say they are.
This is achieved by verifying the customer’s identity against reliable and independent sources.
Application of ‘Risk Based Approach’
To assist the interpretation of regulatory outcomes, the Act empowers AML Supervisors (the Department of Internal Affairs, the Financial Markets Authority and the Reserve Bank) to issue guidelines and Codes of Practice.
For small businesses operating with limited resourcing these Guidelines and Codes are particularly helpful. If businesses apply these Codes they reach a ‘safe harbour’. If they choose to opt out, notification to their AML Supervisor is required, including the establishment of ‘equally effective’ means to achieve the compliance objective.
Expected Outcomes
Policies are expected to –
1. Establish policies and procedures based on the risk assessment.
2. Appoint an employee as an AML CFT compliance officer.
3. Include senior management in the AML CFT reporting structure.
4. Provide procedures and controls for –
a. Staff vetting.
b. Staff training.
c. Customer due diligence (identification and verification from independent and reliable sources).
d. Ongoing due diligence (customer profiling and account monitoring).
e. Reporting of suspicious transactions.
f. Record keeping (customer identity records, business records, transactions, risk assessments, programmes and audits).
g. Keeping written findings in relation to unusual or complex transactions.
h. Examining and keeping written findings relating to business with higher risk jurisdictions.
i. Preventing use of products and services that might favour anonymity.
j. Providing procedures for third party agents to conduct customer due diligence.
k. Monitoring and managing compliance with procedures, policies and controls.
Common failings
1. Measurement of inherent risks is not always well considered. Measurement should include a qualitative (objective approach) and a quantitative (number) scale.
2. Programmes omit procedures for evaluating the effectiveness of controls. Evaluation of controls can be through checklists, spot checks, recording breaches and active reporting.
3. Copies of identity documents should be endorsed to show that the original was sighted, by whom and on what date. Copies should be readily interpreted – this includes the requirement to have an English translation.
4. Certified documents should include the ‘capacity’ (authority) of the certifier. Procedures to follow are outlined in the relevant Code of Practice. This includes use of Trusted Referees. Trusted referees should not be linked to the underlying business transaction.
5. The Code of Practice for verifying customers is relevant to low and medium risk customers. Many businesses did not include additional requirements for higher risk customers.
6. When relying on third parties to conduct customer due diligence, clear written agreements should be in place to ensure the business and the third party agent understand their obligations. Agreements should include the procedures in place to ensure third party agents are reaching compliance expectations. Procedures should include more than self-reporting by the third party. The business should have capability of measuring the third party’s level of compliance.
7. Training registers should include the name of participants, topics covered, how the training was delivered, duration, whether an assessment was included and the next due date.
8. If a business holds insufficient knowledge to determine whether a transaction is unusual or suspicious, then it is likely they have not met the obligation of ensuring they know the Nature and Purpose of the customer’s underlying business relationship.
Milestone
The end of the auditing period marks a key milestone in New Zealand’s efforts to combat money laundering and financing of terrorism.
The strengthening of industry standards, coupled with improved regulatory oversight, will have a direct and positive impact on New Zealand’s international reputation.
About the Author
Kerry Grass is a certified anti-money laundering specialist. She has worked in senior compliance positions with banks and held advisory roles with regulators, both domestically and internationally. Her company, Anti-Money Laundering Consultants Limited, specialises in providing compliance software to enable businesses to meet AML CFT obligations – www.amlcft.co.nz.
The post Anti-Money Laundering Compliance – How To Assess A Businesses Risk Profile appeared first on LawFuel New Zealand.