AML’s easy – said no one ever!
But maybe we are making it harder on ourselves than it needs to be. It doesn’t help having the weight of the supervisors’ big penalties on our backs, or the unclear interpretations of the legislation and guidance. However, if we take a step back and ask ourselves “what is the intent of the legislation?”, that might help.
The Act imposes duties on a variety of businesses to adopt measures designed to detect and deter money laundering and terrorism financing and to realise this with minimum cost by tailoring the framework to New Zealand’s broader financial system using a risk-based approach to provide businesses scope for assessing and responding to the risks of their particular operating environment.
I’ll pause while you compose yourselves – risk-based, detect, deter, at minimum cost! I think most people have found “minimum cost” to be a very subjective term and far from accurate. And that’s just to put together the risk assessment and compliance programme, let alone the ongoing costs of being in the regime!
So, let’s take this step by step. After appointing the compliance officer, the first practical task under the Act is to assess the risks your business may reasonably expect to face in the course of its business. That means the risks your business faces: not the industry’s, not all the red flags in the guidelines, not all the risks written into templates, just the risks associated with the captured services you provide, given your operations. Your risk assessment has to be written and must have regard to the legislated factors, such as the nature, size and complexity of your business, your products and services, methods of delivery, customer types and the countries and institutions you deal with, given your particular circumstances. Each identified risk or vulnerability is given a “risk rating”. You are free to use whatever methodology you like; just be sure you can provide a rationale for your results.
So, if you have deep holes, dangerous currents and slippery rocks, that’s what goes into your risk assessment. Not the fact that you’re at a rocky beach with waves.
As the DIA states: “Regardless of the ML/FT risk ratings in the Phase 2 SRA [sector risk assessment], when reporting entities assess their own ML/FT risk they should consider what level of risk they are willing to accept, sometimes referred to as ‘risk appetite’.”
The next fundamental obligation is to implement adequate and effective policies, procedures and controls to address and mitigate the risks identified in your risk assessment. Again, there are mandatory aspects to be covered, such as vetting, training, CDD etc., and, importantly, clearly formed internal policies, procedures and controls for each of these.
You don’t have to reinvent the wheel either: if you already have an adequate vetting procedure, you can use that, and you might also have adequate training procedures and records that can be used. The Act is generally not prescriptive; it can’t be, given its flexible risk-based approach.
But what you do need to remember is this: if it is written into your programme, then that is what needs to happen – so don’t write in things that will just cause you compliance problems further down the track. An example is committing to doing CDD on all your existing clients, because if you haven’t done it, that will come up in your audit.
We see a lot of very long-winded assessments and programmes that bear little relationship to the entity we are auditing. A lot of time and expense has gone into them for little reward. Keep them simple and relevant, and once they are operational, follow your procedures.