Gary Hughes provides a roadmap for navigating the Ministry of Justice AML/CFT Statutory Review

In the first of a two-part series looking at the review of our anti-money laundering rules, barrister Gary Hughes takes us through some of the key issues.

By Gary Hughes

An important opportunity for rethinking the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 is upon us, following the international Mutual Evaluation of New Zealand process earlier this year.

This Statutory Review 2021-22 is led by the Ministry of Justice (“MoJ”) and is a requirement that was baked into the Act in 2017 when amendments went through Parliament to turn lawyers, real estate agents, accountants and high-value asset dealers into newly-regulated reporting entities.

The MoJ last week released a significant Consultation Paper that outlines many areas of concern or potential confusion perceived to be present in our AML regime, as well as gaps identified since it took effect in 2013. Submissions are open till December 3.

What is the purpose of the Statutory Review?

It will be assessing the AML/CFT Act, Regulations made under it, and associated working parts of the overall AML regime (including Code of Practice and Exemptions process).

The objective is to consider what needs improvement or reform, and which parts are still fit for purpose. Ultimately, assessment will be made of the degree to which proposed changes to the legislation and its subsidiary parts will better meet the overall goals to curb money laundering and terrorist financing activities.

How to best navigate the Consultation Paper?

The Paper is detailed and lengthy, split into 6 main chapters, canvassing over 100 sub-topics, with a total of 380 questions inviting comment (plus 5 pages of extra “minor changes”). Hard to say it is not comprehensive.

But even with that depth, it largely has been compiled based on problems and questions raised by the MoJ, Police Financial Intelligence Unit (“FIU”), NZ Customs or one of the 3 Supervisors (DIA, FMA, RBNZ).

Questions often hint as to what those government agencies might like the proposed changes to be. Private sector reporting entities have yet to add their own numerous problem areas into the mix.

The current proposals might feel a little one-sided so far. Often there is limited explanation of the root cause of a problem and its potential magnitude; sometimes they read more like a wish-list of new or expanded compliance burdens.

The MoJ also sets out these broad thematic questions, on top of the 380 specific points:

• How is the Act operating? Is it achieving its purposes? Are there any areas of risk that the Act does not appropriately deal with?

• What is working and what is not? Are there areas that are particularly challenging or costly to comply with? How can we alleviate some of those costs while also ensuring the effectiveness of the system?

• What could we do to improve the operation of the Act?

• Is there anything we need to do to “future proof” the Act and ensure it can respond to the modern and largely digital economy?

Of the 6 chapters, reporting entities may focus on Scope (who is covered, for what obligations), Supervision (enforcement powers/penalties) and Preventive Measures (nitty-gritty obligations). Some proposed changes are likely to be useful for all reporting entities, if they make obligations clearer in different parts of the AML/CFT Act.

However, more troubling could be many new changes that will create additional obligations or extra costs for businesses, or seek to deepen and widen catchment of the current AML regime.

In the table below, I identify several key things for specific sectors or areas of interest. These are of necessity selective and not exhaustive, just a summary of the potential changes that could become part of AML law.

Affected Persons / Area (headings below); Key Proposed Changes (numbered), and Comments On Them (bullets)

3 big picture issues with our AML legal framework

  1. Should NZ stick with a discretionary risk-based approach, or prescribe more legal detail into key compliance obligations?
    • With so many high-level standards in the Act, reporting entities are afforded flexibility in how they achieve them. But that entails uncertainty and variances too. What is the right balance?
  2. Should entities be required to do more to prevent criminal harm, as opposed to just reporting on it to the Police?
    • This might include having to freeze funds or halt transactions in some scenarios. Payments for online fraud, child abuse, terrorism, could be potentially intercepted earlier. But current law does not require that, and significant systems change would be needed.
  3. Is it sensible and efficient to have so many regulators involved?
    • Besides the 4 core agencies (FIU, DIA, FMA, RBNZ) there is NZ Customs, MoJ, Inland Revenue, potentially MBIE and MFAT too.

A few new Regulatory Exemptions (phew)

  1. New exemptions could be implemented for businesses or transactions which are demonstrably low risk. Many products could qualify for this.
    • But in other places, after criticism from FATF, exemptions might become harder to get or will be rolled back (e.g. pawnbrokers).
  2. New exemption for Low Value Loan Providers, particularly where the lending is for social or charitable purposes.
    • Some relief for social lenders, charities, small finance companies, although no definition yet of what will be considered “low value”.
  3. Exempt persons acting as a trustee or nominee where there is overlap.
    • Lawyers/accountants (termed ‘DNFBPs’) might welcome this, but it will be tightly controlled so a parent company/firm is regulated.

3 sectors potentially up for tougher Licensing/ Registration systems

  1. Do we need to implement an AML-specific registration regime to meet international requirements ensuring all reporting entities are on it?
    • Registration is messy and inconsistent, with the Financial Service Providers Register not aligning completely with liaison lists of each Supervisor or the FIU requirement to register to use GoAML.
  2. Should there be a licensing regime, which means passing suitability or ‘fit and proper person’ tests, not mere listing on a Register?
    • Is this to be in addition to the registration regime, or instead of? Full licensing systems are costly both for applicants and government to administer, and much more intrusive.
  3. Money remitters, virtual asset service providers, and trust and company service providers are singled out for high risk licensing.
    • Some may welcome the legitimacy of being licensed; others fear it will make ‘de-banking’ easier and more likely to happen to them.

2 big calls for Real Estate Agents and property transactions

  1. Requiring real estate agents to conduct Customer Due Diligence (“CDD”) on the purchaser as well as vendor in a property transaction.
    • FATF expectations are that purchasers will also face CDD, and property investments are increasingly seen in laundering cases.
  2. Potential new controls over use of trust accounts and holding funds in trust, such as requiring CDD before refunding money to a third party.
    • Law firm trust accounts are seen as risky, as realtor firms' accounts may be too.

Quite a few things likely to increase Compliance Cost

  1. A potential levy on reporting entities, to pay for the AML Regime – ‘would you like to cough up for the privilege of being regulated?’
    • Introducing cost-recovery levies to pay for the operating costs of the regime (as in Australia) especially extended licensing regimes.
  2. Extension of coverage into Charities and non-profit organisations, or greater volume of high-value dealer transactions (e.g. cars, boats, art).
    • May be necessary to deal with terrorism finance risks, but needs clear limits on capture or many social interactions may be affected.
  3. Increasing the scope of Politically Exposed Persons (“PEP”) from just overseas persons, to include NZ domestic PEPs, and “associates” also.
    • Originally mooted back in 2009, this would be consistent with overseas norms, but NZ firms will more often find a PEP amongst their customer base, and may have to subscribe to databases.
  4. Catching all international wire transfers, regardless of dollar amount.
    • The existing threshold of NZ$1000 may be lowered or removed, leading to more information collection and possibly reporting cost.

4 Risk areas for Directors, Senior Management, & Compliance Officers (and their insurers)

  1. Widening the AML/CFT Act penalties which currently only apply to businesses themselves, not their directors or senior management.
    • Ultimately directors or senior managers make the decisions about how a business operates, so arguably penalties and enforcement should apply to them personally. But given the vagueness of AML compliance rules, this could lead to excessively strict duties.
  2. It could become mandatory that AML/CFT compliance officers be a person at the senior management level of the business.
    • At present, they must only “report to” senior management level.
  3. Confirm and clarify that compliance officers must be natural persons.
    • Some entities have appointed companies or outsourced incorrectly to ‘legal persons’ rather than to a real person.
  4. Should compliance officers be held responsible for failings, or protected from sanctions if acting in good faith?
    • Cases already exist where the officer was held accountable, but this may increase tension between compliance and profit motives.

3 challenges for Banks & Financial Institutions

  1. Should coverage turn upon being a ‘registered bank’ (like a ‘casino’) rather than individually defined current captured financial activities?
    • The Act captures services provided and activities carried out in a defined list. For large retail banks almost everything is captured already; for specialist or merchant banks that may not be so.
  2. How to improve the current wire transfer/Prescribed Transactions Reporting interpretation mess?
    • Specific terminology and fields to be reported under a PTR are inconsistent with SWIFT messaging, and inconsistently applied.
  3. What is the banking sector able to offer that would ameliorate the consequences of de-risking and financial exclusion?
    • De-banking and other unintended consequences are a major flaw in our AML regime, and make the FIU and DIA’s job harder. In the absence of RBNZ leadership, what can the industry itself suggest?

4 proposals for a tougher Enforcement and Penalty regime

  1. Tougher penalty regime introduced for top end breaches/fines.
    • Is $2m or $5m (per breach) not seen as a high enough maximum? Some DIA cases have shown the Courts are quite willing to deliver multi-million dollar penalties, well above other regulatory regimes.
  2. Supervisors being able to conduct on-site inspections at your house.
    • At present dwelling houses and marae are off limits – is this fair?
  3. As well as fines and penalties, Supervisors would like additional enforcement intervention tools - direct administrative fines for non-compliance, and powers for suspension or removal of a license.
    • Infringement Notices for small offences to be issued by Supervisor.
  4. DIA to have the power to apply to liquidate a business to recover penalties or costs orders obtained in AML/CFT court proceedings.
    • FMA and RBNZ can do so, but DIA regulates a huge range of firms.

3 things aiming to bring order to the realm of Consultants, Auditors, and other Third-party Agents or Outsourcing providers

  1. Introducing specific standards for audits and Auditors, clarifying role.
    • Ongoing issues with quality of an external audit, who conducts it and to what standards, have led to calls for it to be defined and regulated more explicitly, with rights for firms relying on audits.
  2. Similarly, there are calls to licence or regulate the Consultants market.
    • A wide range of AML/CFT consultants have sprung up for reporting entities to use for compliance tasks. Some of the advice being given is of dubious value, and they could become regulated too.
  3. Reliance on third party agents or outsourced suppliers of compliance services is also lacking in any clear standardisation.
    • Firms may outsource compliance work (especially CDD) to agents appointed to carry out obligations on their behalf. No standards are set, so MoJ may introduce additional measures to regulate this.

A series of important changes to Customer Due Diligence obligations

  1. As a core compliance challenge, CDD may benefit from a clearer definition of who is the Customer in most common scenarios.
    • Proposals to prescribe the Customer, as in Australian law, would simplify and ensure consistency in non-routine circumstances.
  2. Altering the requirement to verify Customer Address
    • Specific changes may help the difficulties encountered trying to verify address against unreliable documents, or people moving.
  3. New regulations (or Code of Practice) may clarify beneficial ownership but also require entities to obtain/verify the form of a legal person or legal arrangement, along with proof of existence, ultimate ownership and control structure. Some trusts could drop to Standard CDD rules.
    • FATF has urged stronger ultimate beneficial owner checks, but on the other hand a more graduated approach to trusts is welcome.
  4. Ongoing CDD (and for pre-2013 existing customers) may be prescribed
    • New regulations could force entities to consider when CDD was last conducted, and the adequacy of the information, or go further and set a time-frame for an ongoing CDD refresh to be done.

2 topics that may stir up the Accountancy profession

  1. Include acting as a Company Secretary (or Partner) as captured activity
    • A perceived risk is people with control/influence over a corporate.
  2. Coverage for various bookkeepers and agents who process invoices, as well as tax agents or those preparing annual accounts/tax statements.
    • Said to be needed as part of a renewed push against trade-based money laundering, but with extensive compliance cost, and the potential to unnecessarily increase IRD’s role and ambit.

5 crunchy issues for FinTech, Cryptocurrency and Virtual Asset Service Providers (“VASP”)

  1. Ensuring coverage for all types of VASPs, including wallet providers.
    • FATF guidance changes rapidly in FinTech fields (with more due at its Oct. 2021 plenary meeting) so timely to define who is caught.
  2. Setting specific thresholds for occasional transactions for VASPs.
    • Thresholds for transfers outside of an account wallet/relationship could be set at $1,500 for FATF standards, or $1,000 as per existing thresholds for financial institutions wire transfers/forex.
  3. Current Regulation on Stored Value Instruments may be tightened
    • This could extend capture to non-tangible stores of value and digital instruments (e.g. NFTs) that may sit outside the regime.
  4. Extension to capture online marketplaces and internet auctioneers?
    • Targeting auctions that are currently exempt, TradeMe, platforms.
  5. Full licensing proposed for higher risk digital financial activity (above).

5 extra obligations for Money remitter or value transfer (“MVTS”) agents/service providers

  1. Forcing money transfer firms to take responsibility for their agents.
    • Regulations to explicitly require MVTS providers to manage and monitor agents for their AML compliance (incl. vetting & training).
  2. Express requirement to list all agents in its compliance programme.
    • Many, if not most, reputable MVTS networks keep a list already.
  3. Controls upon use of master agent/sub-agents structures.
    • Some firms try to organise in a way that leaves it unclear which player/structure is the reporting entity - all entities may be caught.
  4. Stricter definitions for reporting of PTRs and SARs, where informal or complex remitters may not be captured by existing definitions.
    • Treating MVTS as “intermediary institutions”, along with lower thresholds below $1000 could increase compliance work.
  5. Full licensing proposed as a higher risk sector (onerous for small firms).

3 things that will challenge Privacy & Data Protection principles

  1. Should the private sector (big banks or those invited into the FCPN) be allowed to share more data? Is the growing volume of customer personal information adequately protected for privacy purposes?
    • Control at FIU or government level should limit data sharing risk. And a statutory timeframe for deletion of stored data would help.
  2. Do we want the FIU telling entities (under s 143) to proactively share or monitor certain customer data on an ongoing basis?
    • At present an entity initiates reports when it sees something suspicious, but the FIU may prefer continuous unprompted updates about active investigative matters.
  3. Is it wise to give all govt. departments direct access to FIU databases?
    • Increased misuse of data matching and employee risk seems high.

3 big questions for the Insurance sector

  1. Should general insurance (non-life) business be covered?
    • This issue was debated back in 2009; now it returns. Insurance fraud as a predicate offence for money laundering is one concern.
  2. Life insurance policies (or investment-related insurance products) that allow early surrender/withdrawal may need CDD on PEPs/beneficiaries
    • FATF recommendations say these are potentially risky policies, and the beneficiaries should be identified and verified.
  3. Will there be an expansion of professional negligence or D&O risk?
    • Those changes above for Senior Managers and for Consultants will amplify the risk of being sued – affecting decisions whether to write, or exclude from, indemnity insurance business lines.

4 topics for Lawyers to worry about

  1. Change to the “in the ordinary course of business” coverage wording
    • Many DNFBPs rely on this; MoJ wants to bring clarity but possibly by aiming to catch more one-off activities/instructions.
  2. Criminal defence lawyers – should they be captured and not exempt?
    • Major ramifications for legal privilege and the right to fair defence.
  3. Proposals to redefine “managing client funds”, “professional fees”, and “giving instructions” interpretative parts for scope of coverage.
    • As key triggers for law firm capture, these are crying out for clarity.
  4. Should law firms/DNFBPs file PTRs even when a bank already has?
    • The FIU sees gaps in its data but more compliance work will result.

NOTE: this is a news article, not legal advice; specific advice for your situation should always be sought.

*Gary Hughes, barrister at Akarana Chambers, specialises in regulatory investigations and cases, especially involving Commerce Commission, FMA, SFO, Police FIU and AML/CFT supervisors. Hughes is a member of the MoJ Industry Advisory Group on this statutory review project. He is Chair of the International Bar Association AML & Sanctions committee, Advisory Director to ACAMS (Australasia chapter), and an internationally-recognised AML/CFT expert.



There is no stomach in political circles to address money laundering here, hence no progress.


No spine either


Agree. John Key always comes to mind when I think of this subject - I don't know why, but there must be something that makes me think that way. But I'm probably wrong.


Just ban Bitcoin and Crypto currencies and more than half the money laundering will be gone and with it, fake welfare beneficiaries hiding their assets in Crypto.


You're such a nob

Bitcoin and Co. benefit from the Pandora Papers

But what positive things can you take away from the Pandora Papers for the crypto space? It is one thing above all – transparency. While the offshore webs of the super-rich are difficult to look through for regulatory authorities, with Bitcoin all transactions are stored in the network. Everyone can see it. With the help of on-chain tracking programs, with a little hard work you can track every payment. In addition, the KYC requirements of most crypto providers nowadays meet international standards. From this point of view, the fear of some regulators that cryptocurrencies would bring offshore methods for everyone is simply wrong. What rich people have achieved with the help of offshore companies and dodgy banks cannot be replicated by the simple average citizen using cryptocurrencies.


Have things moved on since…

"They might cash out a small amount, but more likely they'll keep it there, for use in the criminal underworld."


LOL, the majority of money laundering occurs in US dollars and is facilitated by banks like HSBC, who get let off with a small fine (small relative to the profits they make). None of these bankers ever get sent to prison.


Thanks for trying to explain the possible effects of the AML/CFT reviews, but as an ordinary mug trying to manage a modest investment portfolio on a daily basis, I am afraid you left me far behind amongst the many initialisms and acronyms. But I suspect from what little I understand and from my investing experiences to date, that the powers that be would like to draw me deeper into their regulatory net!

Using age-old sage advice to spread possible risks, I am constantly faced with having to prove I am me...even from banks I have been depositing funds in for several decades. And having a favourite charitable investment society driven out of business because of crippling fees levied by the FMA...presumably trying to protect me from my own foolishness, I regard the FMA as just another gummit bureaucracy more interested in funding its own comfort.

Amongst any review, I would hope the reviewers (hopefully arms length from the many agencies gaining funding from AML requirements) conduct a cost/benefit study on just how many crooks have been caught relative to the multitude of costs levied on both institutions and investing individuals.

Perhaps they might also explain to me why it took some six months for my wife to obtain authority to bank the weekly offerings of a small church with the same major bank she had been doing the same thing for the past 20 years. Did they imagine she was banking drug money?

It seems quite plain to me that small depositors should come under some scheme that readily enables one to start and stop new deposits with regular financial institutions without having to provide reams of supporting evidence...much of which to my eyes at least is "crooked investing 1001" to any reasonably intelligent would-be money launderer.

This current nonsense, if costed carefully, must be in the tens of millions of dollars of private effort to invest one's own monies according to individual decision.

Finally I hope someone might give thought to the effect of these regulatory regimes on the general terms of loss of self confidence, financial resilience, etc., where the result might be competent individuals just give up and allow their private affairs to be operated by "experts", or even worse by the "grey cardies" safe in their Wellington bureaucracies.


Let's not forget that every website eventually gets hacked (Twitch TV sold in 2014 for almost 1B USD, got hacked on the 6th Oct revealing massive amounts of private info), and the constant demand to hold and manage ID exposes consumers to privacy risks, ironically allowing criminals to use your info to commit laundering.

Zero knowledge systems like Rabodirect's hardware key are a lot safer than "collecting and checking IDs", and even opening an account in someone else's name seems pretty easy as financial mainstream institutes do nothing to verify if I've stolen the ID I'm uploading to their web portal.