Gary Hughes provides a roadmap for navigating the Ministry of Justice AML/CFT Statutory Review

3 big picture issues with our AML legal framework

1. Should NZ stick with a discretionary risk-based approach, or prescribe more legal detail into key compliance obligations?
   • With so many high-level standards in the Act, flexibility is afforded to reporting entities how they achieve them. But that entails uncertainty and variances too. What is the right balance?
2. Should entities be required to do more to prevent criminal harm, as opposed to just reporting on it to the Police?
   • This might include having to freeze funds or halt transactions in some scenarios. Payments for online fraud, child abuse, terrorism, could be potentially intercepted earlier. But current law does not require that, and significant systems change would be needed.
3. Is it sensible and efficient to have so many regulators involved?
   • Besides the 4 core agencies (FIU, DIA, FMA, RBNZ) there is NZ Customs, MoJ, Inland Revenue, potentially MBIE and MFAT too.

A few new Regulatory Exemptions (phew)

1. New exemptions could be implemented for businesses or transactions which are demonstrably low risk. Many products could qualify for this.
   • But in other places, after criticism from FATF, exemptions might become harder to get or will be rolled back (e.g. pawnbrokers).
2. New exemption for Low Value Loan Providers, particularly where the lending is for social or charitable purposes.
   • Some relief for social lenders, charities, small finance companies, although no definition yet of what will be considered “low value”.
3. Exempt persons acting as a trustee or nominee where there is overlap.
   • Lawyers/accountants (termed ‘DNFBPs’) might welcome this, but it will be tightly controlled so a parent company/firm is regulated.

3 sectors potentially up for tougher Licensing/ Registration systems

1. Do we need to implement an AML-specific registration regime to meet international requirements ensuring all reporting entities are on it?
   • Registration is messy and inconsistent, with the Financial Service Providers Register not aligning completely with liaison lists of each Supervisor or the FIU requirement to register to use GoAML.
2. Should there be a licensing regime, which means passing suitability or ‘fit and proper person’ tests, not mere listing on a Register?
   • Is this to be in addition to the registration regime, or instead of? Full licensing systems are costly both for applicants and government to administer, and much more intrusive.
3. Money remitters, virtual asset service providers, and trust and company service providers are singled out for high risk licensing.
   • Some may welcome the legitimacy of being licensed; others fear it will make ‘de-banking’ easier and more likely to happen to them.

2 big calls for Real Estate Agents and property transactions

1. Requiring real estate agents to conduct Customer Due Diligence (“CDD”) on the purchaser as well as vendor in a property transaction.
   • FATF expectations are that purchasers will also face CDD, and property investments are increasingly seen in laundering cases.
2. Potential new controls over use of trust accounts and holding funds in trust, such as requiring CDD before refunding money to a third party.
   • Law firm trust accounts are seen as risky, as may realtor firms too.

Quite a few things likely to increase Compliance Cost

1. A potential levy on reporting entities, to pay for the AML Regime – ‘would you like to cough up for the privilege of being regulated?’
   • Introducing cost-recovery levies to pay for the operating costs of the regime (as in Australia) especially extended licensing regimes.
2. Extension of coverage into Charities and non-profit organisations, or greater volume of high-value dealer transactions (eg. cars, boats, art).
   • May be necessary to deal with terrorism finance risks, but needs clear limits on capture or many social interactions may be affected
3. Increasing the scope of Politically Exposed Persons (“PEP”) from just overseas persons, to include NZ domestic PEPs, and “associates” also.
   • Originally mooted back in 2009, this would be consistent with overseas norms, but NZ firms will more often find a PEP amongst their customer base, and may have to subscribe to databases.
4. Catching all international wire transfers, regardless of dollar amount.
   • The existing threshold of NZ$1000 may be lowered or removed, leading to more information collection and possibly reporting cost.

4 Risk areas for Directors, Senior Management, & Compliance Officers

(and their insurers)

1. Widening the AML/CFT Act penalties which currently only apply to businesses themselves, not their directors or senior management.
   • Ultimately directors or senior managers make the decisions about how a business operates, so arguably penalties and enforcement should apply to them personally. But given the vagueness of AML compliance rules, this could lead to excessively strict duties.
2. It could become mandatory that AML/CFT compliance officers be a person at the senior management level of the business.
   • At present, they must only “report to” senior management level.
3. Confirm and clarify that compliance officers must be natural persons.
   • Some entities have appointed companies or outsourced incorrectly to ‘legal persons’ rather than to a real person.
4. Should compliance officers be held responsible for failings, or protected from sanctions if acting in good faith?
   • Cases already exist where the officer was held accountable, but this may increase tension between compliance and profit motives.

3 challenges for Banks & Financial Institutions

1. Should coverage turn upon being a ‘registered bank’ (like a ‘casino’) rather than individually defined current captured financial activities?
   • The Act captures services provided and activities carried out in a defined list. For large retail banks almost everything is captured already; for specialist or merchant banks that may not be so.
2. How to improve the current wire transfer/Prescribed Transactions Reporting interpretation mess?
   • Specific terminology and fields to be reported under a PTR are inconsistent with SWIFT messaging, and inconsistently applied.
3. What is the banking sector able to offer that would ameliorate the consequences of de-risking and financial exclusion?
   • De-banking and other unintended consequences are a major flaw in our AML regime, and make the FIU and DIA’s job harder. In the absence of RBNZ leadership, what can the industry itself suggest?

4 proposals for a tougher Enforcement and Penalty regime

1. Tougher penalty regime introduced for top end breaches/fines.
   • Is $2m or $5m (per breach) not seen as a high enough maximum? Some DIA cases have shown the Courts are quite willing to deliver multi-million dollar penalties, well above other regulatory regimes.
2. Supervisors being able to conduct on-site inspections at your house.
   • At present dwelling houses and marae are off limits – is this fair?
3. As well as fines and penalties Supervisors would like additional enforcement intervention tools - direct administrative fines for non- compliance, and powers for suspension or removal of a license.
   • Infringement Notices for small offences to be issued by Supervisor.
4. DIA to have the power to apply to liquidate a business to recover penalties or costs orders obtained in AML/CFT court proceedings.
   • FMA and RBNZ can do so, but DIA regulates a huge range of firms.

3 things aiming to bring order to the realm of Consultants, Auditors, and other Third-party Agents or Outsourcing providers

1. Introducing specific standards for audits and Auditors, clarifying role.
   • Ongoing issues with quality of an external audit, who conducts it and to what standards, have led to calls for it to be defined and regulated more explicitly, with rights for firms relying on audits.
2. Similarly, there are calls to licence or regulate the Consultants market.
   • a wide range of AML/CFT consultants have sprung up for reporting entities to use for compliance tasks. Some of the advice being given is of dubious value, and they could become regulated too.
3. Reliance on third party agents or outsourced suppliers of compliance services is also lacking in any clear standardisation.
   • Firms may outsource compliance work (especially CDD) to agents

appointed to carry out obligations on their behalf. No standards are set, so MoJ may introduce additional measures to regulate this

A series of important changes to Customer Due Diligence obligations

1. As a core compliance challenge, CDD may benefit from more clear definition of who is the Customer in most common scenarios.
   • Proposals to prescribe the Customer, as in Australian law, would simplify and ensure consistency in non-routine circumstances.
2. Altering the requirement to verify Customer Address
   • Specific changes may help the difficulties encountered trying to verify address against unreliable documents, or people moving.
3. New regulations (or Code of Practice) may clarify beneficial ownership but also require entities to obtain/verify the form of a legal person or legal arrangement, along with proof of existence, ultimate ownership and control structure. Some trusts could drop to Standard CDD rules.
   • FATF has urged stronger ultimate beneficial owner checks, but on the other hand a more graduated approach to trusts is welcome.
4. Ongoing CDD (and for pre-2013 existing customers) may be prescribed
   • New regulations could force entities to consider when CDD was last conducted, and the adequacy of the information, or go further and set a time-frame for an ongoing CDD refresh to be done.

2 topics that may stir up the Accountancy profession

1. Include acting as a Company Secretary (or Partner) as captured activity
   • A perceived risk is people with control/influence over a corporate.
2. Coverage for various bookkeepers and agents who process invoices, as well as tax agents or those preparing annual accounts/tax statements.
   • Said to be needed as part of a renewed push against trade-based money laundering, but with extensive compliance cost, and the potential to unnecessarily increase IRD’s role and ambit.

5 crunchy issues for FinTech, Cryptocurrency and Virtual Asset Service Providers (“VASP”)

1. Ensuring coverage for all types of VASPs, including wallet providers.
   • FATF guidance changes rapidly in FinTech fields (with more due at its Oct. 2021 plenary meeting) so timely to define who is caught.
2. Setting specific thresholds for occasional transactions for VASPS.
   • Thresholds for transfers outside of an account wallet/relationship could be set at $1,500 for FATF standards, or $1,000 as per existing thresholds for financial institutions wire transfers/forex.
3. Current Regulation on Stored Value Instruments may be tightened
   • This could extend capture to non-tangible stores of value and digital instruments (e.g. NFTs) that may sit outside the regime.
4. Extension to capture online marketplaces and internet auctioneers?
   • Targeting auctions that are currently exempt, TradeMe, platforms.
5. Full licensing proposed for higher risk digital financial activity (above).

5 extra obligations for Money remitter or value transfer (“MVTS”) agents/service providers

1. Forcing money transfer firms to take responsibility for their agents.
   • Regulations to explicitly require MVTS providers to manage and monitor agents for their AML compliance (incl. vetting & training).
2. Express requirement to list all of agents in its compliance programme.
   • Many, if not most reputable MVTS networks keep a list already.
3. Controls upon use of master agent/sub-agents structures.
   • Some firms try to organise in a way that leaves it unclear which player/structure is the reporting entity - all entities may be caught.
4. Stricter definitions for reporting of PTRs and SARs, where informal or complex remitters may not be captured by existing definitions.
   • Treating MVTS as “intermediary institutions”, along with lower thresholds below $1000 could increase compliance work.
5. Full licensing proposed as a higher risk sector (onerous for small firms).

3 things that will challenge Privacy & Data Protection principles

1. Should the private sector (big banks or those invited into the FCPN) be allowed to share more data? Is the growing volume of customer personal information adequately protected for privacy purposes?
   • Control at FIU or government level should limit data sharing risk. And a statutory timeframe for deletion of stored data would help.
2. Do we want the FIU telling entities (under s 143) to proactively share or monitor certain customer data on an ongoing basis?
   • At present an entity initiates reports when it sees something suspicious, but the FIU may prefer continuous unprompted updates about active investigative matters.
3. Is it wise to give all govt. departments direct access to FIU databases?
   • Increased misuse of data matching and employee risk seems high.

3 big questions for the

Insurance sector

1. Should general insurance (non-life) business be covered?
   • This issue was debated back in 2009; now it returns. Insurance fraud as a predicate offence for money laundering is one concern.
2. Life insurance policies (or investment-related insurance products) that allow early surrender/withdrawal may need CDD on PEPs/beneficiaries
   • FATF recommendations say these are potentially risky policies, and the beneficiaries should be identified and verified.
3. Will there be an expansion of professional negligence or D&O risk?
   • Those changes above for Senior Managers and for Consultants will amplify the risk of being sued – affecting decisions whether to write, or exclude from, indemnity insurance business lines.

4 topics for Lawyers to worry about

1. Change to the “in the ordinary course of business” coverage wording
   • Many DNFBPs rely on this; MoJ wants to bring clarity but possibly by aiming to catch more one-off activities/instructions.
2. Criminal defence lawyers – should they be captured and not exempt?
   • Major ramifications for legal privilege and the right to fair defence.
3. Proposals to redefine “managing client funds”, “professional fees”, and “giving instructions” interpretative parts for scope of coverage.
   • As key triggers for law firm capture, these are crying out for clarity.
4. Should law firms/DNFBPS file PTRs even when a bank already has?
   • The FIU sees gaps in its data but more compliance work will result.