AML / CFT – financial crime law & compliance

This page provides a brief summary of the Anti-Money Laundering & Countering the Financing of Terrorism Act, its scope of coverage, and the main financial crime compliance obligations upon regulated reporting entities.

New Zealand has a modern and comprehensive set of laws to control money laundering and terrorism financing, including misconduct by firms obliged by law to detect and deter it.

There is increasing enforcement action taken against regulated businesses who fail in their compliance obligations to assist in the fight against financial crime. The highest penalties to date include NZ$5.29m plus Court costs against a small money remitter firm.

Gary is widely regarded as NZ’s most experienced AML lawyer, having worked in this complex area of regulation since 2007-8 (and before that in the UK).  See here for his AML/CFT, Fraud and Financial Misconduct case experience.

financial crime law compliance
What are the key laws affecting AML and CFT?

A holistic way to understand the AML regime is to characterise it as a tripartite legal system, with three inter-dependent elements:

Note that in 2022 the new Russia Sanctions Act and Regulations added new responsibilities upon AML reporting entities as ‘duty-holders’ as well.

During 2021/22 the AML/CFT Act 2009 is undergoing a major Statutory Review exercise, led by the Ministry of Justice.  You can find more background to this here.

Who are the AML-CFT Regulators?

New Zealand has 3 separate regulators (known as “Supervisors”) for different sectors and captured activities or services.  The wide range of businesses they supervise/regulate are known as “Reporting Entities”.

  • Financial Markets Authority — the FMA supervises issuers of securities, trustee companies, futures dealers, collective investment schemes, derivatives traders, stockbrokers, financial advisors.
  • Reserve Bank of New Zealand — the RBNZ regulates banks, life insurers, and non-bank deposit takers.
  • Department of Internal Affairs —the DIA is the largest of the Supervisors, regulating and enforcing casinos, non-deposit taking lenders, money changers/remitters, cash security firms, debt collection and factoring, financial leasing, payroll, safe deposit, tax pooling and non-bank credit card firms. Since 2017, it has been changed with also supervising professionals (accountants, lawyers, real estate agents) the horse racing industry TAB, and dealers in high-value goods such as vehicles, jewellery, artworks. The DIA is also default Supervisor of other Reporting Entities who do not neatly fit into a category that is elsewhere supervised.
What other government agencies are involved?

Besides the 3 Supervisors who cover the regulated private sector entities, the NZ Police Financial Intelligence Unit (“FIU”) is a vital agency in the regime.  The FIU is a part of the wider Police Financial Crime Group (“FCG”), which has three arms to it: the Financial Intelligence Unit, a total of 5 Asset Recovery Units, Money Laundering Team, and a headquarters group based in Wellington.

There is an AML/CFT national co-ordination committee, led by the Ministry of Justice which has organisational responsibility for the whole regime. Due to the multiple agencies with an interest in this area,  this has members/representatives from:

    • New Zealand Police
    • New Zealand Customs Service;
    • Inland Revenue Department; and
    • any other such persons as invited from time to time by the Ministry of Justice – e.g. government welfare/funding bodies such as the Ministry for Social Development (MSD) or the Accident Compensation Corporate (ACC).
Who is covered (ie. regulated) for AML-CFT purposes?

Whether a business is covered by the regime depends on whether it is a “reporting entity” as defined in the AML/CFT Act. In substance, that turns on the extent to which it engages in regulated services or activities. The system is mostly activity-based, rather than relying on the label used or category of licence that a particular business holds.

  • banks, life insurers, credit unions, and non-bank deposit taker lending firms or finance companies (supervised by RBNZ).
  • most other financial institutions including issuers of securities, trustee companies, futures and forex derivatives dealers, some virtual asset and cryptocurrency traders, collective investment schemes and fund managers, brokers and financial advisers (supervised by FMA).
  • as mentioned, the DIA has a very wide catchment including all of the ‘phase 2’ professional and high value dealer sectors, and most types of virtual asset service (crypto) providers.

The list below summarises the DIA’s main sub-sectors:

Designated non-financial business or professional:

― Accounting practices

― Law firms

― Conveyancers
― Real estate agents

― High value dealers in assets, jewellery, bullion/metals

― Casinos

― TAB New Zealand
― Trust and company service providers

Financial service providers not supervised by RBNZ or FMA:

― non-bank non-deposit taking lenders (finance companies)

― Money remitters
― Virtual asset service providers

― moneychangers
― payroll remitters
― debt collecting and factoring
― financial lessors
― safety deposit box providers
― non-bank credit card providers
― cash transporters
― tax poolers
― payment providers/networks.

If covered, what are the main legal obligations a reporting entity has?

There are many different legal requirements in what is a complex regulatory regime. But at a high level, here is a Top Ten of critical obligations under the AML/CFT Act:

  1. Carry out a risk assessment on current and potential customers, products/services and business partners.
  2. Establish, implement, maintain and regularly audit a set of AML/CFT compliance policies and procedures (known as a “compliance programme”).
  3. Appoint a person to act as an AML/CFT compliance officer whose responsibility is to administer the compliance programme.
  4. Set up processes to vet new staff and senior managers engaged in AML/CFT related duties (Including the Compliance Officer) and to train those persons on AML/CFT risks and related compliance matters.
  5. Ensure there are governance structures to keep senior management and directors of companies involved, so the compliance officer and compliance function is not left in a silo.
  6. Conduct Customer Due Diligence (CDD) measures before establishing new customer/client relationships or doing occasional transactions, including determining when more rigorous Enhanced CDD is required, and when Simplified CDD might be permitted.
  7. Regularly monitor customer activity (accounts and transactions), especially in relation to certain high-risk transactions or types of business relationships.
  8. Ensure a robust process exists to detect and then report suspicious activities, and other prescribed types of transactions (even if non suspicious) involving large cash transactions or international wire transfers, in a format prescribed to meet systematic reporting requirements to the Police FIU.
  9. Maintain full record keeping – in most cases, for 5 years after the end of a transaction or customer relationship;
  10. Arrange to carry out ongoing internal review, independent external audits, and annual reporting about the entity’s level of compliance with its AML/CFT compliance programme.

Please Note – this list above is a brief summary only, not a full list of obligations – always review the AML/CFT Act itself or contact Gary for legal advice.