Plugging the gaps in your AML programme

Supervisors’ tolerance for gaps in AML programmes shortens

In August 2021, the FMA issued its AML/CFT Monitoring Insight Report for 2018 to 2021. The Director of Supervision noted that the AML/CFT regime has now matured to such an extent that the FMA has less tolerance for AML non-compliance. In other words, businesses are expected to have a strong handle on meeting their AML/CFT obligations.

We can expect this view to be true for the other Supervisors: DIA and RBNZ.

During this time, there were 27 formal warnings issued under section 80 of the Act, three of which were made public.

The FMA also filed civil pecuniary penalty proceedings against the financial services organisation CLSA Premium NZ, which admitted to breaches in:

  • failure to conduct CDD
  • terminating an existing business relationship
  • reporting suspicious transactions/activities
  • keeping records

CLSA Premium NZ was ordered to pay a fine of $770,000 for breaches of the Act.

Common gaps in AML compliance programmes

In the report the FMA highlighted their findings on where businesses did well in AML compliance, and where practices were poor and needed some work. We've summarised these below and added our recommendations on how to plug the gaps.

  • Compliance Programmes

The FMA found Compliance Programmes were lacking in meeting the minimum requirements by either not including, or not adequately describing their policies, procedures, and controls.

Examples of this include:

    • Compliance Programmes that are spread out across multiple documents which are not cross-referenced
    • Programmes that are not specific to New Zealand legislation
    • Documents that are clearly drafted based on templates that do not apply to the business

    How to plug the gaps

    Get help in drafting and updating your Compliance Programme documents from AML Consultants who will make sure they are customised to your business and cover all relevant areas. Learn more about AML Consulting.

    Keep your Compliance Programme documentation in one central online location, so you and your team can access, update, and store them easily. Learn more about AML cloud-based software. 

  • Electronic Identity Verification (eIV)

When businesses use eIV they are expected to provide the following in their Compliance Programme:

    • A description of the forms of eIV methods that are considered reliable and independent, and in what circumstances they will be used for the purposes of ID verification;
    • An explanation of how the business has considered: accuracy, security, privacy, method of information collection, whether the electronic sources have incorporated a mechanism to determine the customer can be linked to the claimed identity, whether the information is maintained by a government body (e.g. DIA) or pursuant to legislation (e.g. a credit bureau), and if the information has been additionally verified from another reliable and independent source; and
    • An explanation of any additional methods that will be used by the business to supplement eIV or otherwise to mitigate any deficiencies in the verification process.

    How to plug the gaps

    To fill this gap, you have to hunt down a lot of information. Our recommendation here is to talk to an AML Consultant about what you're currently using, and let them recommend the additional information around eIV that you need to add to your Compliance Programme. Discover the fastest way to complete eIV checks.

  • Risk Assessments

Risk Assessments were found to not cover all the required areas or were not being updated after changes within the business. The FMA clarified the expectation that Risk Assessments are to be reviewed at least annually.

Examples of poor Risk Assessment practices include:

    • Those that do not consider terrorism financing risks
    • Those that identify risks that are not relevant to the business

View your Sector Risk Assessment here (DIA), here (FMA), or here (RBNZ).

How to plug the gaps

Review your Sector Risk Assessment and make sure you are addressing only the relevant areas in your own Risk Assessment. Set yourself an annual calendar reminder to review your Risk Assessment. Did you know AMLHUB will remind you when this is due?

  • CDD obligations

For CDD obligations, businesses were rapped over the knuckles for not:

Other examples of unsatisfactory CDD practice are:

    • Accepting a certified copy of a certified copy of a passport
    • Accepting certified copies that were certified more than 3 months earlier
    • Not conducting verification of documents

    How to plug the gaps

    The best way to cover all bases in CDD is to follow best-practice workflows that take you step-by-step through the process. AMLHUB software has this built into the customer onboarding module, giving you the tools and showing you exactly what you need in order to complete CDD. Find out more.

  • Enhanced CDD

As we know, enhanced CDD should be done on high-risk customers. But some organisations were found to be side-stepping this requirement. Some examples of poor practices for EDD include:

    • Not determining a threshold for large investment that would trigger the requirements to conduct enhanced CDD
    • Not properly verifying source of funds/wealth information
    • Not completing enhanced CDD when required
    • Not conducting PEP checks at the time of onboarding
    • Not adhering to PEP policies, procedures, and controls when a customer is identified as a PEP

See the Enhanced CDD Guidance for more information.

    How to plug the gaps

    Managing Enhanced CDD can be tricky, so it's important for Compliance Teams to understand its nuances and obligations, and how to do it properly. This is where EDD training will help you. See the training options that are available.

  • Audits

In several instances, companies had failed to do, or complete on time, their audits. In addition, some businesses were failing to remediate prior period audit findings.

  • Record keeping

The FMA noted several instances of poor record keeping practices, especially on CDD, interactions with customers, CDD exemption, high risk customers, training, and vetting.

    How to plug the gaps

    With AML, if it's not written down, it didn't happen. So make sure you're keeping detailed records of all your AML activities. The easiest way is to centralise your document management and record keeping in one online location so you (and auditors, too!) can see at a glance everything you've done. Learn how AMLHUB helps you do this.

  • Training

The FMA clarified the expectation that all those considered senior managers for the purposes of the Act including Board of Directors, Compliance Officers, and all staff with AML/CFT duties, are given appropriate training.

  • Staff turnover

When a business changes the Compliance Officer, the FMA expects to receive an email from the business with the contact details of the newly appointed person.

    How to plug the gaps

    The easiest way to remember this requirement is to build it into the Compliance Officer onboarding process at your business. Make a note in their onboarding documentation, so even if you forget, they will remind you!

How does your business stack up?

If any of the above sound familiar to you, it would pay to take a closer look at how you’re managing your AML programme. With so many moving parts and areas to consider, having a strong system in place with controls and best-practice workflows is important to ensure you are keeping compliance standards high enough to cover your business risk.

Download the Action Checklist

Check that your compliance programme is up-to-date with the results of the AML/CFT Monitoring Insight Report using our handy Action Checklist. 


Plug the gaps in your AML programme with AMLHUB

AMLHUB is a cloud-based AML platform that makes it easy to achieve total AML compliance, without the worry you've left something undone.

Using AMLHUB you can manage all components of your AML programme in one easy online location, saving you the hassle of juggling multiple spreadsheets and documents.

Our best-practice AML workflows and controls drive up your compliance while driving down your business risk, admin time, and money spent on AML.

