Plugging the gaps in your AML programme

In the report the FMA highlighted their findings on where businesses did well in AML compliance, and where practices were poor and needed some work. We've summarised these below and added our recommendations on how to plug the gaps.

• Compliance Programmes

The FMA found Compliance Programmes were lacking in meeting the minimum requirements by either not including, or not adequately describing their policies, procedures, and controls.

Examples of this include:

• • Compliance Programmes that are spread out across multiple documents which are not cross-referenced
  • Programmes that are not specific to New Zealand legislation
  • Documents that are clearly drafted based on templates that do not apply to the business
  How to plug the gaps
  
  Get help in drafting and updating your Compliance Programme documents from AML Consultants who will make sure they are customised to your business and cover all relevant areas. Learn more about AML Consulting.
  
  Keep your Compliance Programme documentation in one central online location, so you and your team can access, update, and store them easily. Learn more about AML cloud-based software. 
  
  

• Electronic Identity Verification (eIV)

When businesses use eIV they are expected to provide the following in their Compliance Programme:

• • A description of the forms of eIV methods that are considered reliable and independent, and in what circumstances they will be used for the purposes of ID verification;
  • An explanation of how the business has considered: accuracy, security, privacy, method of information collection, whether the electronic sources have incorporated a mechanism to determine the customer can be linked to the claimed identity, whether the information is maintained by a government body (e.g. DIA) or pursuant to legislation (e.g. a credit bureau), and if the information has been additionally verified from another reliable and independent source; and
  • An explanation of any additional methods that will be used by the business to supplement eIV or otherwise to mitigate any deficiencies in the verification process.

• How to plug the gaps
  
  To fill this gap, you have to hunt down a lot of information. Our recommendation here is to talk to an AML Consultant about what you're currently using, and let them recommend the additional information around eIV that you need to add to your Compliance Programme. Discover the fastest way to complete eIV checks.
  
  

• Risk Assessments

Risk Assessments were found to not cover all the required areas or were not being updated after changes within the business. The FMA clarified the expectation that Risk Assessments are to be reviewed at least annually.

Examples of poor Risk Assessment practices include:

• • Those that do not consider terrorism financing risks
  • Those that identify risks that are not relevant to the business

View your Sector Risk Assessment here (DIA), here (FMA), or here (RBNZ).

How to plug the gaps

Review your Sector Risk Assessment and make sure you are addressing only the relevant areas in your own Risk Assessment. Set yourself an annual calendar reminder to review your Risk Assessment. Did you know AMLHUB will remind you when this is due?

• CDD obligations

For CDD obligations, businesses were rapped over the knuckles for not:

• • Obtaining sufficient information on nature and purpose of business relationships
  • Verifying beneficial ownership structures
  • Conducting verification of identity in line with the Amended Identity Verification Code of Practice 2013.

Other examples of unsatisfactory CDD practice are:

• • Accepting a certified copy of a certified copy of a passport
  • Accepting certified copies that are certified more than 3 months earlier
  • Not conducting verification of documents
  How to plug the gaps
  
  The best way to cover all bases in CDD is to follow best-practice workflows that take you step-by-step through the process. AMLHUB software has this built into the customer onboarding module, giving you the tools and showing you exactly what you need in order to complete CDD. Find out more.
  
  
• Enhanced CDD

As we know, enhanced CDD should be done on high-risk customers. But some organisations were found to be side-stepping this requirement. Some examples of poor practices for EDD include:

• • Not determining a threshold for large investment that would trigger the requirements to conduct enhanced CDD
  • Not properly verifying source of funds/wealth information
  • Not completing enhanced CDD when required
  • Not conducting PEP checks at the time of onboarding
  • Not adhering to PEP policies, procedures, and controls when a customer is identified as a PEP

See the Enhanced CDD Guidance for more information.

• How to plug the gaps
  
  Managing Enhanced CDD can be tricky, so it's important for Compliance Teams to understand its nuances and obligations, and how to do it properly. This is where EDD training will help you. See the training options are available.
  
  

• Audits

In several instances, companies had failed to do, or complete on time, their audits. In addition, some businesses were failing to remediate prior period audit findings.

• How to plug the gaps
  
  Your business needs an audit completed every three years, and it's easy to forget when this is due. Set yourself a calendar reminder to book this in. Did you know AMLHUB software makes it easy with built-in notifications? 
  
  

• Record keeping

The FMA noted several instances of poor record keeping practices, especially on CDD, interactions with customers, CDD exemption, high risk customers, training, and vetting.

• How to plug the gaps
  
  With AML if it's not written down, it didn't happen. So make sure you're keeping detailed records of all your AML activities. The easiest way is to centralise your document management and record keeping in one online location so you can see at a glance everything you've done (and auditors, too!). Learn how AMLHUB helps you do this.
  
  

• Training

The FMA clarified the expectation that all those considered senior managers for the purposes of the Act including Board of Directors, Compliance Officers, and all staff with AML/CFT duties, are given appropriate training.

• How to plug the gaps
  
  Meeting the training requirements is simple. View the range of training options available year-round, here, and book your team in.
  
  

• Staff turnover

When a business changes the Compliance Officer, the FMA expects to receive an email from the business with the contact details of the newly appointed person.

• How to plug the gaps
  
  The easiest way to remember this requirement is to build it into the Compliance Officer onboarding process at your business. Make a note in their onboarding documentation, so even if you forget, they will remind you!
  
  

How does your business stack up?

If any of the above sound familiar to you, it would pay to take a closer look at how you’re managing your AML programme. With so many moving parts and areas to consider, having a strong system in place with controls and best-practice workflows is important to ensure you are keeping compliance standards high enough to cover your business risk.

Plug the gaps in your AML programme with AMLHUB

AMLHUB is cloud-based AML platform that makes it easy to achieve total AML compliance, without the worry you've left something undone.

Using AMLHUB you can manage all components of your AML programme in one easy online location, saving you the hassle of juggling multiple spreadsheets and documents.

Our best-practice AML workflows and controls drive up your compliance while driving down your business risk, admin time, and money spent on AML.