1. Determine what you do that is in or out of scopeCoverage/capture turns upon s 5 in the Act, and a list of discrete activities that lawyers and firms may engage in. A firm that carries on one or more of those activities and does so “in the ordinary course of business” will become a reporting entity subject to the obligations of the AML/CFT Act. Close analysis of s 5 is required, and sometimes the answer will not be obvious. For instance, litigation is generally not one of the covered services. But if holding client funds in trust account as security for costs, or if upon settling a case there are unusual/extended payment arrangements, it is likely that “managing client funds” in s 5 is engaged. There is ongoing debate at select committee level about some of the finer detail in the wording of coverage, so it would pay to keep an eye on how this emerges in the final Bill to be passed. The AML Supervisors issued joint guidance in 2011 on how they apply the phrase “Ordinary Course of Business”. That described a number of contextual factors which, considered together, may indicate an activity is in the ordinary course of business, if it is:
- Normal or otherwise unremarkable for the particular firm (e.g. indicated by its internal processes and marketing materials),
- Frequent or regular, involving significant amounts of money, or significant allocation of the firm’s resources,
- A source of revenue for the firm,
- A service that is offered/promoted to clients or third parties.
2. Decide who will own the AML function and learn the languageThere is a broad choice in addressing compliance: develop the expertise and have lawyers or staff internally spend the time to implement changes, or outsource as much as possible to specialists with experience. One entails more billable time cost to the firm, the other more short-term financial cost. Also remember that a cheap, tick-the-box approach to documentation will be likely to earn more attention from the AML Supervisor, as they look for quality of analysis of your business, over quantity or flash graphs and tables. Since each reporting entity must have an employee as Compliance Officer, who must report to senior management, and partners/directors ultimately will remain liable, developing some in-house knowledge makes sense. Not everything can (or should) be outsourced in any event. Given the responsibility and risk, most firms should probably have a partner in that role. Like any area of law or industry, AML is replete with jargon: DNFBP, STR, FATF, FIU, PTR, CDD, DBG, and don’t even get me started about POWBATICs. It is already a surprisingly complex regulatory regime, after only a few years. The Compliance Officer and others should take time to penetrate the acronyms and get to know the patchwork of important risk assessment documents, domestic regulations, and international materials that set out definitions, exemptions, thresholds, and related recommendations. Time invested to learn the language and understand the context for why these materials are in place will help law firm partners and team members see more clearly how to address compliance, and to focus on what matters. Published guidelines already exist from the Supervisors on some topics, including these examples below (although lawyers used to detailed analysis may find, with many written in the early stages of the regime 2010-11 and never updated, some can appear surprisingly superficial):
- Identity Verification Code Of Practice
- Guidelines on the Written Risk Assessment
- Guidelines on developing an AML/CFT Programme
- Interpreting “Ordinary Course Of Business”
- Countries Risk Assessment Guideline
- Designated Business Groups – two guidelines
- Guideline for Audits
- Interpreting the Territorial Scope of the Act
- Beneficial Ownership Guidelines
- Wire Transfer Guidelines
3. Put the effort into your written Risk AssessmentUnlike some jurisdictions, New Zealand requires a written risk assessment to be prepared, as a first step and key platform for all AML compliance steps to follow. The risk assessment must be tailored to the money laundering and terrorist financing risk that each firm is likely to face in its sphere of operations. It must be reviewed and updated regularly. It must be available for AML Supervisors to inspect on demand. Don’t skimp on this step. If done thoroughly and well, the firm will better understand its idiosyncratic risk areas, and not waste time and money on compliance steps that are not targeted at the risks facing that particular firm, given its client-base and areas of practice. Section 58 of the AML/CFT Act details the specific requirements of the risk assessment. The aim of the exercise is to identify, list and assess all the possible risks of money laundering and financing of terrorism that a reporting entity may reasonably expect to face in the course of its business. A risk assessment must:
- be in writing (ie. a standalone written report);
- identify the risks faced by the reporting entity in the course of its business; and
- describe how the reporting entity will ensure that the assessment remains current and will enable it to determine the level of risk involved in relation to relevant obligations under the AML/CFT Act and regulations.
- the nature, size, and complexity of its business;
- the products and services it offers;
- the methods by which it delivers products and services to its customers;
- the types of customers it deals with;
- the countries it deals with;
- the institutions it deals with;
- any applicable guidance material produced by AML/CFT Supervisors or the Police, relating to risk assessments; and
- any other factors that may be provided for in regulations.
4. Leverage off what you already doMost lawyers from experience develop a keen sense of clients who are risky or less than trustworthy, particularly around the credit risk of not being paid! And many systems within a firm can be re-deployed with an AML focus – client/matter opening processes being an obvious place to start. So try to fine-tune those senses and systems into high quality Customer Due Diligence (CDD) processes. Think about the history of your firm and practice areas. What was it that led to disquiet about a particular client or transaction? Was a transaction aborted or changed unexpectedly? Did the client’s peculiar instructions play out in a way that did not make commercial or economic sense? Refine and document those instincts into possible risk factors. Generally, CDD will not be retrospective, meaning it does not require all existing clients to be verified according to specific legal standards. But upon the law coming into force CDD will typically apply to new client relationships or instructions captured by s 5. Some law firms already have matter opening forms or aspects of their client care and terms of engagement process that smartly and seamlessly gather the minimum information required for standard CDD. That includes the client’s full name; date of birth; if not the end client, that person’s relationship to them; address or registered office; company identifier or registration number; and other information. Obtaining information is one thing, moving on to verifying that, especially for trusts, and collecting additional details depending on the level of risk in certain situations, is much more challenging. But simple steps like obtaining copies of passports and utility bills at the outset can be worked into terms of engagement letters without fuss.
5. Get used to a more intimate regulator relationshipLawyers should get accustomed to having a closer relationship with a proactive regulator. While the NZLS Lawyers Complaints Service is an effective regulatory arm, it is largely reactive to complaints. The Department of Internal Affairs (DIA) will more regularly supervise and proactively monitor what lawyers are up to in the AML area. Lawyers will have several contact points with the AML authorities. These include having to: complete and file an annual report to the DIA (some information demanded is fairly intrusive and time-consuming to compile); and every two years, or as requested by the DIA, engaging an independent expert to audit the AML risk assessment and compliance programme (to ensure the firm is actually doing all the good things it says in the programme it will do); and potentially respond to a random supervisory check (a visit to offices, or request for compliance documents). There is also the interfacing with the FIU’s online system (goAML) to report suspicious transactions/activities and prescribed cash or wire transfer transactions. This IT system is known amongst existing entities as being a challenging platform, and not one that is especially user-friendly. It can be time consuming and frustrating to get used to its quirks. However, the FIU do run training sessions (without charge), which are recommended. Suspicious transaction reports are among the most difficult judgement calls to make. Having to decide to report on a client, and for what aspects or activities, will go against the grain of fundamental training for many lawyers. But it is a key output of the whole AML regime. Whether we like it or not, intelligence gathering and reporting to the FIU is core to the system. Put bluntly, professions are now joining financial firms called to act, in effect, as the deputised eyes and ears of the Police. But try to see the bigger picture: this is not just a compliance chore, but might one day provide a missing detail of financial intelligence to help break a meth-ring, or pre-empt a terrorist threat in our cities. To encourage reports and to reassure reporting entities, s 44 of the Act affords protection against civil, criminal or disciplinary proceedings, unless the disclosure in the report is made in bad faith. It is disappointing, in my view, that the New Zealand Law Society in its submission dated 20 April 2017 to the select committee (para 8.1-8.2), argues against this sensible protective clause. Most lawyers may be unaware that NZLS wishes to have the ability as regulator of the profession to take disciplinary action against lawyers if they disclose privileged material to police in the course of trying to comply with new obligations to report suspicious activity. Plainly, reporting decisions cannot be taken lightly, and competing tensions will lead a Compliance Officer to be pulled in different directions. But it is hard to see any benefit to the profession in NZLS seeking to sharpen those tensions and erode the protection other reporting entities have. It also leads to negative outcomes for the AML regime – potential reluctance or disincentive to make suspicious reports.
AML Regulation nears: keep calm and carry on (but start soon)