Blog Image


When was the last time your AML risk assessment and programme were reviewed?

Home Insights When was the last time your AML risk assessment and programme were reviewed?

Contributed by:

Contributed by: Will Irving and Samantha Knott

Published on:

Published on: April 05, 2019


FMA highlights need to regularly review AML risk assessments and programmes

When was the last time your AML risk assessment and programme were reviewed? Since then, have there been any changes to the nature, size or complexity of your business, the products and services you offer, the way you deliver those products and services, the types of customers you deal with, or the countries you deal with?

If so, it might be time for a refresh.

The FMA has released its Anti Money Laundering and Countering the Financing of Terrorism (AML/CFT) 2018 Annual Monitoring Report, which:

  • provides an overview of the FMA's recent monitoring activities; and
  • aims to assist reporting entities to understand requirements imposed by the AML/CFT Act 2009 and how to improve internal processes to ensure compliance.

The Report emphasises the need for the boards and management of reporting entities to ensure that their approach to AML/CFT obligations is organic. AML/CFT programmes and risk assessments must be periodically reviewed and updated if necessary.

The High Court case of DIA v Qian DuoDuo demonstrated the importance of a reporting entity having an AML/CFT Programme that aligns with the risks of its business. The company's AML/CFT programme set out a "summary of key risks", but did not identify any of the factors that ultimately saw the Court enter a civil pecuniary penalty against the company. Further, the company had a wire transfers policy but this was not apparently linked to the way in which the company was carrying out transactions as part of its money remittance business, nor did the programme refer to money remitters being engaged (which was a high-risk element of the company's business). Even though the company maintained a focus on compliance and engaged a (non-legal) advisor to guide its compliance, it was ordered to pay a $356,000 pecuniary penalty.

The Report is a clear signal that the FMA's expectations and enforcement activities have increased now that the Act has been operative for more than five years and a warning that public formal warnings may be coming:

We expect [reporting entities] to consider the findings and observations in this report and, where required, update their AML/CFT policies, procedures and controls to ensure compliance with their obligations. We will continue to investigate suspected non-compliance and take appropriate enforcement action consistent with the FMA's enforcement policy. This will include giving more consideration to publishing the outcomes of formal warnings we issue.

This is a continuation of the messaging that the FMA has now been sending for some time on AML/CFT compliance. For example, in June of last year, James Greig, head of supervision at the FMA was reported as saying:

The gloves are off around AML/CFT. This is absolutely an area where we have very little tolerance for non-compliance… we're signalling from the FMA point of view that we are going to be taking a stronger line. 

Other key points to note from the Report include the FMA's views that:

  • customer due diligence is problematic for reporting entities: monitoring systems are often not fit for purpose and there are deficiencies in electronic identity verification;
  • politically exposed persons checks are being done at on boarding but not on an ongoing basis (when required);
  • sanctions checks are often not performed or included in policies, procedures and controls;
  • supervisors must be informed of changes to a reporting entity's AML/CFT compliance officer; and
  • an increasing amount of reporting entities are being required by the FMA to take remedial action, which is now more likely to be accompanied by formal enforcement action.

A more in-depth analysis will be required to be certain of compliance with the Act and ensure that your business is not at risk of non-compliance. If you would like assistance in reviewing your AML/CFT Programme or risk assessment, or guidance in relation to any other points raised in the Report, please contact our AML/CFT team of experts.


This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.

Talk to one of our experts:
Related Expertise