AML Regulation nears: keep calm and carry on (but start soon)

[An abridged version of this article is in LAWTALK Magazine, July 2017 – Download PDF or you can view the article here] Plenty has been written about looming Anti-Money Laundering and Countering Financing of Terrorism (AML) regulation for lawyers, some of it quite anxious. At present, lawyers must target 1 July 2018 to have a fully working compliance programme in place.  With Parliamentary select committee hearings taking place at the time of writing, and with many submitters requesting more time, that date may yet be extended – we should know more when the select committee report emerges by 24 July 2017.  However, regardless of eventual ‘go-live’ date, a lot of work will be required for those new to the regime. As a profession we can’t say we weren’t warned.  In 2009, lawyers and other Designated Non-Financial Business or Professions (DNFBP) lobbied vigorously not to be caught in the new Anti-Money Laundering and Countering Financing of Terrorism Act (AML/CFT Act).  That approach worked, but concerns remained. The Police Financial Intelligence Unit (FIU) has long believed that lawyers under-report suspicious transactions, and may be unwittingly complicit in more laundering activities than they realise.  While the Financial Transactions Reporting Act 1996 has been around for two decades, it only contains low level reporting obligations, and in some parts of the profession there may have been low levels of awareness about how and when it affects lawyers. The Panama Papers highlighted risks in legal services for trusts and opaque corporate structures.  Lawyers may have been targeted because they were exempt, when ordinary businesses offering trust and company secretarial services were caught.  And, despite all the new awareness and publicity around the 2009 Act, the average level of reports by lawyers to the FIU actually dropped, from 9.7 to 7 per year. For captured financial entities, reporting has increased by over 350%. This article aims to share a few practical tips for lawyers embarking on the journey into this heavily regulated space. It does so from a perspective of advising and representing financial reporting entities since 2008, when the AML/CFT Act was still being shaped. Those entities have worked through initial AML anxiety, to get to business as usual. My main theme is that AML for lawyers is quite manageable: the sky will not fall in July 2018, and we can learn a lot from how existing reporting entities have dealt with it to date.  But preparing for it will take more time and documentation than you imagine, so start thinking about your system soon, and perhaps consider the following five elements in your approach.

1.       Determine what you do that is in or out of scope

Coverage/capture turns upon s 5 in the Act, and a list of discrete activities that lawyers and firms may engage in. A firm that carries on one or more of those activities and does so “in the ordinary course of business” will become a reporting entity subject to the obligations of the AML/CFT Act. Close analysis of s 5 is required, and sometimes the answer will not be obvious.  For instance, litigation is generally not one of the covered services. But if holding client funds in trust account as security for costs, or if upon settling a case there are unusual/extended payment arrangements, it is likely that “managing client funds” in s 5 is engaged. There is ongoing debate at select committee level about some of the finer detail in the wording of coverage, so it would pay to keep an eye on how this emerges in the final Bill to be passed. The AML Supervisors issued joint guidance in 2011 on how they apply the phrase “Ordinary Course of Business”. That described a number of contextual factors which, considered together, may indicate an activity is in the ordinary course of business, if it is:
  • Normal or otherwise unremarkable for the particular firm (e.g. indicated by its internal processes and marketing materials),
  • Frequent or regular, involving significant amounts of money, or significant allocation of the firm’s resources,
  • A source of revenue for the firm,
  • A service that is offered/promoted to clients or third parties.
With AML coverage only applying to specified legal services, a full service firm will have to decide whether to carefully filter and select only those clients where it applies. It may end up more straightforward to apply it to all clients.  For phase 1 reporting entities in July 2013, many banks and financial institutions offering a range of products found it administratively easier and less costly to simply on-board all new customers under an AML compliant system.  Nobody welcomes voluntarily extending the scope of regulation, but one legal instruction can morph into another (captured) piece of work, and it can be complex for staff to determine at the outset which process might end up applying.

2.       Decide who will own the AML function and learn the language

There is a broad choice in addressing compliance: develop the expertise and have lawyers or staff internally spend the time to implement changes, or outsource as much as possible to specialists with experience.  One entails more billable time cost to the firm, the other more short-term financial cost.  Also remember that a cheap, tick-the-box approach to documentation will be likely to earn more attention from the AML Supervisor, as they look for quality of analysis of your business, over quantity or flash graphs and tables. Since each reporting entity must have an employee as Compliance Officer, who must report to senior management, and partners/directors ultimately will remain liable, developing some in-house knowledge makes sense. Not everything can (or should) be outsourced in any event. Given the responsibility and risk, most firms should probably have a partner in that role. Like any area of law or industry, AML is replete with jargon: DNFBP, STR, FATF, FIU, PTR, CDD, DBG, and don’t even get me started about POWBATICs.  It is already a surprisingly complex regulatory regime, after only a few years.  The Compliance Officer and others should take time to penetrate the acronyms and get to know the patchwork of important risk assessment documents, domestic regulations, and international materials that set out definitions, exemptions, thresholds, and related recommendations.  Time invested to learn the language and understand the context for why these materials are in place will help law firm partners and team members see more clearly how to address compliance, and to focus on what matters. Published guidelines already exist from the Supervisors on some topics, including these examples below (although lawyers used to detailed analysis may find, with many written in the early stages of the regime 2010-11 and never updated, some can appear surprisingly superficial):
  • Identity Verification Code Of Practice
  • Guidelines on the Written Risk Assessment
  • Guidelines on developing an AML/CFT Programme
  • Interpreting “Ordinary Course Of Business”
  • Countries Risk Assessment Guideline
  • Designated Business Groups – two guidelines
  • Guideline for Audits
  • Interpreting the Territorial Scope of the Act
  • Beneficial Ownership Guidelines
  • Wire Transfer Guidelines

3.       Put the effort into your written Risk Assessment

Unlike some jurisdictions, New Zealand requires a written risk assessment to be prepared, as a first step and key platform for all AML compliance steps to follow. The risk assessment must be tailored to the money laundering and terrorist financing risk that each firm is likely to face in its sphere of operations.  It must be reviewed and updated regularly. It must be available for AML Supervisors to inspect on demand. Don’t skimp on this step.  If done thoroughly and well, the firm will better understand its idiosyncratic risk areas, and not waste time and money on compliance steps that are not targeted at the risks facing that particular firm, given its client-base and areas of practice. Section 58 of the AML/CFT Act details the specific requirements of the risk assessment.  The aim of the exercise is to identify, list and assess all the possible risks of money laundering and financing of terrorism that a reporting entity may reasonably expect to face in the course of its business.  A risk assessment must:
  • be in writing (ie. a standalone written report);
  • identify the risks faced by the reporting entity in the course of its business; and
  • describe how the reporting entity will ensure that the assessment remains current and will enable it to determine the level of risk involved in relation to relevant obligations under the AML/CFT Act and regulations.
The Supervisor’s expectation when entities are thinking about criminal risk of clients or third parties misusing legal services and legal processes, is that you will assess risk as if you do not yet have any controls or mitigating steps in place.  This we call the “raw risk” or “gross risk” affecting a firm. It can lead to artificiality, and exaggeration of what the risks really are in day-to-day business operations. But that is what is currently required.  Those helpful process controls that tame some of the risk are then supposed to be described (and beefed-up) in your compliance programme documents instead.  However, my suggestion to help lawyers get a sense of balance, is to work with a list of your existing controls in mind and separately list them out, but try to assess risk initially as if in a vacuum, before later bringing any controls into play. In preparing the written report, the reporting entity must have regard to criteria listed in s 58(2):
  • the nature, size, and complexity of its business;
  • the products and services it offers;
  • the methods by which it delivers products and services to its customers;
  • the types of customers it deals with;
  • the countries it deals with;
  • the institutions it deals with;
  • any applicable guidance material produced by AML/CFT Supervisors or the Police, relating to risk assessments; and
  • any other factors that may be provided for in regulations.
Each of those main risk dimensions needs to be addressed, as per s 58(2), in a separate section of the written document. Not all may be relevant to each firm – if not, explain why.  But each of the types of legal products/service offered, types of client, service delivery/distribution to them, referrers and institutions dealt with, and geographic/country risk, can vary considerably depending on the firm’s own practice.  This is why it should be a bespoke exercise, not one of simply ticking through a template. To take geographic/country risk dimension as an example, many sources exist to determine whether a client located overseas should be placed in a higher risk category. It may not be only overseas clients, but recent migrants, or local agents representing offshore parties.  A firm may need to include an assessment of another country’s AML law, whether a client’s own offshore business is regulated for AML purposes, and whether the jurisdiction is otherwise high risk. High risk could be due to war/conflict history, international or UN sanctions, embargoes or similar measures, having supporters of terrorism, significant levels of corruption, human trafficking, tax haven status or a raft of other matters. The international policy makers and regional bodies have useful guidance material on this, which is often updated, especially as the political risk factors in a region can change rapidly.  At the time of writing, previously respectable oil-baron state Qatar stands accused by its neighbours of funding ISIS terrorism, in paying large ransoms to recover human hostages.

4.       Leverage off what you already do

Most lawyers from experience develop a keen sense of clients who are risky or less than trustworthy, particularly around the credit risk of not being paid!  And many systems within a firm can be re-deployed with an AML focus – client/matter opening processes being an obvious place to start. So try to fine-tune those senses and systems into high quality Customer Due Diligence (CDD) processes. Think about the history of your firm and practice areas.  What was it that led to disquiet about a particular client or transaction?  Was a transaction aborted or changed unexpectedly? Did the client’s peculiar instructions play out in a way that did not make commercial or economic sense? Refine and document those instincts into possible risk factors. Generally, CDD will not be retrospective, meaning it does not require all existing clients to be verified according to specific legal standards.  But upon the law coming into force CDD will typically apply to new client relationships or instructions captured by s 5. Some law firms already have matter opening forms or aspects of their client care and terms of engagement process that smartly and seamlessly gather the minimum information required for standard CDD. That includes the client’s full name; date of birth; if not the end client, that person’s relationship to them; address or registered office; company identifier or registration number; and other information.   Obtaining information is one thing, moving on to verifying that, especially for trusts, and collecting additional details depending on the level of risk in certain situations, is much more challenging.  But simple steps like obtaining copies of passports and utility bills at the outset can be worked into terms of engagement letters without fuss.

5.       Get used to a more intimate regulator relationship

Lawyers should get accustomed to having a closer relationship with a proactive regulator. While the NZLS Lawyers Complaints Service is an effective regulatory arm, it is largely reactive to complaints.  The Department of Internal Affairs (DIA) will more regularly supervise and proactively monitor what lawyers are up to in the AML area. Lawyers will have several contact points with the AML authorities.  These include having to: complete and file an annual report to the DIA (some information demanded is fairly intrusive and time-consuming to compile); and every two years, or as requested by the DIA, engaging an independent expert to audit the AML risk assessment and compliance programme (to ensure the firm is actually doing all the good things it says in the programme it will do); and potentially respond to a random supervisory check (a visit to offices, or request for compliance documents).  There is also the interfacing with the FIU’s online system (goAML) to report suspicious transactions/activities and prescribed cash or wire transfer transactions. This IT system is known amongst existing entities as being a challenging platform, and not one that is especially user-friendly. It can be time consuming and frustrating to get used to its quirks.  However, the FIU do run training sessions (without charge), which are recommended. Suspicious transaction reports are among the most difficult judgement calls to make.  Having to decide to report on a client, and for what aspects or activities, will go against the grain of fundamental training for many lawyers. But it is a key output of the whole AML regime. Whether we like it or not, intelligence gathering and reporting to the FIU is core to the system. Put bluntly, professions are now joining financial firms called to act, in effect, as the deputised eyes and ears of the Police.  But try to see the bigger picture: this is not just a compliance chore, but might one day provide a missing detail of financial intelligence to help break a meth-ring, or pre-empt a terrorist threat in our cities. To encourage reports and to reassure reporting entities, s 44 of the Act affords protection against civil, criminal or disciplinary proceedings, unless the disclosure in the report is made in bad faith. It is disappointing, in my view, that the New Zealand Law Society in its submission dated 20 April 2017 to the select committee (para 8.1-8.2), argues against this sensible protective clause. Most lawyers may be unaware that NZLS wishes to have the ability as regulator of the profession to take disciplinary action against lawyers if they disclose privileged material to police in the course of trying to comply with new obligations to report suspicious activity. Plainly, reporting decisions cannot be taken lightly, and competing tensions will lead a Compliance Officer to be pulled in different directions. But it is hard to see any benefit to the profession in NZLS seeking to sharpen those tensions and erode the protection other reporting entities have.  It also leads to negative outcomes for the AML regime – potential reluctance or disincentive to make suspicious reports.
AML Regulation nears: keep calm and carry on (but start soon)