If the AML risk assessment is ineffective, the entire AML/CFT compliance framework is compromised and regulatory risk increases.
Due to the importance of an effective risk assessment, the New Zealand High Court received submissions from the DIA that the starting point for operating without an adequate AML/CFT business risk assessment should result in a maximum fine of $2,000,000!
The leading New Zealand case for determining pecuniary penalties for breaches of section 58 can be found in the High Court decision: Department of Internal Affairs v Qian DuoDuo Limited [2018] NZHC 1887. In guiding the Court the Crown Prosecutor advised:
This particular compliance failure is fundamental: the risk assessment guides a reporting entity’s business practices. If the underlying risk assessment is incorrect, then whatever practices the assessment recommends, even if those practices are in fact carried out, are unlikely to mitigate properly the risk of harm flowing from that reporting entity’s business.
CDD is a fundamental obligation under the Act – sufficiently so, that Parliament has mandated that the maximum penalty for failing to conduct CDD as required by subpart 1 of Part 2 carries a higher maximum penalty of $2 million. However, if the reporting entity’s ability to carry out the correct level of CDD obligations hinges almost entirely on undertaking the risk assessment correctly, then failure in relation to the underlying risk assessment should be seen as being equally egregious, if not more so, than compliance failures relating to CDD. Accordingly, the Department submits that, as a practical guideline, the maximum penalty for a failure to comply with s 58 should be treated in the order of $2 million.