DIA Warns Against Generic Risk Templates
AML Risk Assessments – New Zealand. On 20 October 2022, the Department of Internal Affairs provided the following warning – “many reporting entities continue to adopt a generic template without adequately amending it to reflect the money laundering and terrorism financing risks faced by its business. Generic content relating to the ML/TF risks associated with a sector, without consideration of that reporting entity’s business, will not comply with section 57 or 58 of the AML/CFT Act.”
Get Confidence with RegTech
AML Risk Assessment Technology
The cost of non-compliance
The AML business risk assessment is considered to be the core pillar of an AML/CFT Programme. If the AML risk assessment is ineffective, the entire AML/CFT compliance framework is compromised.
Due to the importance of an effective risk assessment, the New Zealand High Court received submissions from Government that the starting point for operating without an adequate AML/CFT business risk assessment should result in a maximum fine of $2,000,000!
The leading New Zealand case for determining pecuniary penalties for breaches of section 58 can be found in the High Court decision: Department of Internal Affairs v Qian DuoDuo Limited [2018] NZHC 1887.
In this particular case, the Crown Prosecutor guided the Court by stating:
This particular compliance failure is fundamental: the risk assessment guides a reporting entity’s business practices. If the underlying risk assessment is incorrect, then whatever practices the assessment recommends, even if those practices are in fact carried out, are unlikely to mitigate properly the risk of harm flowing from that reporting entity’s business.
CDD is a fundamental obligation under the Act – sufficiently so, that Parliament has mandated that the maximum penalty for failing to conduct CDD as required by subpart 1 of Part 2 carries a higher maximum penalty of $2 million. However, if the reporting entity’s ability to carry out the correct level of CDD obligations hinges almost entirely on undertaking the risk assessment correctly, then failure in relation to the underlying risk assessment should be seen as being equally egregious, if not more so, than compliance failures relating to CDD. Accordingly, the Department submits that, as a practical guideline, the maximum penalty for a failure to comply with s 58 should be treated in the order of $2 million.
In New Zealand the obligation of conducting an AML business risk assessment arises from section 58 of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the AML/CFT Act). Section 58 sets out that an AML/CFT business risk assessment must include analysis of key areas of business operations that create vulnerability to facilitating money laundering and/or terrorism financing. The key areas requiring analysis are:
· The nature, size and complexity of the business
· Customers (B2B and B2C)
· Products and Services
· Method of delivering products and services
· Geographies
There are further obligations including:
· The risk assessment must be in writing; and
· Describe how the business will ensure the assessment remains current; and
· Enable the business to determine the level of risk involved in relation to relevant obligations under the AML/CFT Act and regulations.
Subject matter expertise
Businesses operating without in-house expertise in the fields of AML/CFT and risk management, struggle to reach the threshold of regulatory effectiveness. It is these businesses that will gain greater benefits from utilising regulatory technology. Regulatory technology automatically performs strategic thinking by utilising algorithms.
Businesses with in-house expertise should still consider the benefits gained from regulatory technology (RegTech). RegTech significantly reduces labour intensive processes. By reducing labour intensive processes, operational costs are radically reduced. This allows business owners to invest its scarce resourcing back to core business activity.
Regulatory Effectiveness
Whatever approach a business takes, one thing is for certain: the outcome must be effective. The term ‘effective’ or ‘effectiveness’ appears 17 times in the AML/CFT Act.
In the context of an AML business risk assessment, ‘effectiveness’ must have an outcome of reasonably identifying those areas within the business that increases the risk of money laundering and terrorism financing occurring.
Get Confidence with Regulatory Technology
Since 2014, AML360 has been providing New Zealand businesses with an easy to use solution for completing a ML/FT business risk assessment. It works on a simple point and click function and does not require users to be an AML/CFT compliance professional.
Meeting Regulatory Expectation
The software is continuously updated to meet auditor recommendations and AML Supervisor guidelines. This ensures reporting entities have a level of regulatory certainty. In doing so, AML360’s RegTech solution offers regulatory effectiveness and importantly, it is affordable.
Should an auditor or AML Supervisor provide recommendations for enhancements, these features are added to the software at no additional costs to reporting entities. Users simply login, add additional detail, click Calculate – and the report is updated.
What makes AML360 different from generic assessments?
- Overall inherent risk.
- Separate risk level of the primary categories of (a) nature, size and complexity of business, (b) products and services, (c) customers / clients, (d) method of delivery, (e) geographies.
- The risk characteristics that influence each of the primary categories are also risk rated.
The resulting business risk report incorporates elements and characteristics that have been identified by AML Supervisors as increasing ML/FT risks. Each of the risk characteristics are explained in the report. Sector risks relevant to the business are also incorporated. Additionally, the AML Compliance Officer adds their own notations to ensure the report is fully informing on unique aspects of a reporting entity.