Independent AML/CFT Audit & Review
The AML/CFT Act 2009 requires all reporting entities to have their Risk Assessment and AML/CFT Programme audited every three years, or at any other time at the request of the supervisor. One AML is qualified to independently audit all reporting entities in Australia.
Audit Packages
Internal review of your AML documentation with recommendations.
- Desk-based review
- Recommendations
Internal review of your AML documentation, including some operational testing of processes with recommendations.
- Desk-based review
- Recommendations
- Testing of operational effectiveness (small sample)
Statutory independent AML/CFT audit, including operational testing of processes, findings and recommendations by way of a formal report.
- Desk-based review
- Recommendations
- Testing of operational effectiveness (large sample)
Statutory independent AML/CFT audit, including large operational testing of processes (scope tailored as needed), findings and recommendations by way of a formal report and post-audit remediation review.
- Desk-based review
- Recommendations
- Testing of operational effectiveness (large tailored sample)
- Post-audit remediation
We’re qualified to audit all Phase 1 and 2 reporting entities.
Accounting
Financial Services
Law
Other Captured Sectors
Real Estate
Virtual Assets / Crypto
Independent AML/CFT Audit & Review FAQ
Money laundering describes the process by which criminals make ‘dirty’ money obtained from their criminal activities look legitimate, or 'clean'. They aim to make this dirty money look like it has come from a legitimate source, and therefore difficult to connect with its criminal past. Once that is achieved, criminals can introduce their dirty money into the financial system undetected. From there, the money can be transferred between bank accounts or financial products in New Zealand or abroad or used to purchase goods and services.
Terrorist financing is the financial support of terrorists or those who encourage, plan or engage in terrorism. Terrorist financing may involve funds raised from legitimate sources, such as personal donations and profits from businesses and charitable organisations. It may also be drawn from criminal sources, such as the drug trade, the smuggling of weapons and other goods, fraud, kidnapping and extortion. People who finance terrorism often use similar methods and tools to those used for money laundering.
- Regulations - These contain minimum standards and thresholds. They are mandatory and must be followed. The regulations also contain several exceptions to the obligations under the Act.
- Codes of practice - These set out methods on how reporting entities can comply with their obligations. While not mandatory, they can provide a defense against charges of non-compliance (a 'safe-harbour'), if followed correctly. A reporting entity that fully complies with the code will be compliant with the relevant parts of the legislation. If a reporting entity decides to opt out of all, or part of, the code, it is required to have provided written notification to its supervisor. This notification states that the reporting entity has opted out of compliance with all, or part of, the code, and intends to satisfy its obligations by some other equally effective means.
- Guidelines - These outline other non-binding guidance from supervisors.
Reporting entities are required to assess the money laundering and financing of terrorism risk that they may reasonably expect to face in the course of their business. In making this assessment, the AML/CFT Act requires a reporting entity to consider:
- the nature, size and complexity of its business
- the products and services it offers
- the methods by which it delivers products and services to its customers
- the types of customers it deals with
- the countries it deals with
- the institutions it deals with
- any guidance material produced by supervisors
- any other factors that are set out in regulations.
Reporting entities also need to consider whether any of their products involve new or developing technologies that may favour customer anonymity. The AML/CFT Act also specifies that reporting entities must consider particular activities, such as wire transfers and correspondent banking relationships. Guidelines have been published to help reporting entities develop their own risk assessment. The Countries Assessment guideline will help you develop procedures on the assessment of risks associated with the countries you deal with, when you need to undertake this assessment and how to approach the assessment.
An AML/CFT programme sets out a reporting entity's internal policies, procedures and controls to detect money laundering and financing of terrorism and to manage and mitigate the risk of it occurring. The programme must be in writing and be based on its risk assessment. Certain elements of a programme are specifically required by the Act, including:
- vetting senior managers and AML staff
- training senior managers and AML staff
- customer due diligence, including enhanced CDD and simplified CDD
- suspicious activity reporting
- monitoring and record-keeping
- monitoring and managing compliance with the AML/CFT programme.
Risk-based systems and controls should be based on the nature, size and complexity of a reporting entity's business, along with any money laundering and financing of terrorism risks it may face.
Three years is the default timeframe only. The Supervisor will notify you if your audit is required more or less frequently than the default timeframe, or at any other time when requested under section 59(2) of the AML/CFT Act.
The AML/CFT Act requires that:
- An independent audit must be conducted every 3 years (or earlier if required by your supervisor).
- The auditor must be independent and appropriately qualified to conduct the audit. This does not necessarily mean the person has to be a chartered accountant or qualified to undertake financial audits.
- The auditor must not have been involved in the establishment, implementation or maintenance of the reporting entity’s AML/CFT programme; or the undertaking of the reporting entity’s risk assessment.
An AML/CFT audit does not have to meet auditing and assurance standards set by the External Reporting Board (XRB). Your independent audit is a systematic check of your risk assessment and programme by an independent and suitably qualified person. It should advise whether:
- you meet the minimum requirements for your risk assessment and programme;
- your programme was adequate and effective throughout the specified period; and
- whether any changes are required.
Section 56(2) of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act) stipulates that a reporting entity must designate an employee as a Compliance Officer to administer and maintain its AML/CFT programme.
Politically-exposed persons (PEPs) are individuals who, by virtue of their position in public life, may be vulnerable to corruption. The definition of a PEP can be found in Section 5 of the AML/CFT Act. The New Zealand legislation currently limits this concept to foreign PEPs, and does not include domestic PEPs, i.e. persons who hold or have held public offices in New Zealand. Reporting entities are required to give specific consideration to the risks involved with PEPs and should:
- have procedures in place to determine whether a customer or a beneficial owner of a customer, is a PEP or a close associate of a PEP
- obtain senior management approval for establishing or maintaining business relationships with PEPs
- take reasonable measures to establish the source of wealth and source of funds of PEPs
- conduct enhanced, ongoing monitoring of the business relationship.
Entities that are eligible may choose to form a designated business group (DBG). This enables the entities to share a risk assessment and some, but importantly not all, aspects of their AML/CFT programmes. Guidelines have been published to help reporting entities decide whether they are eligible to form a DBG. The DBG scope guideline outlines the obligations that may be shared by members of a DBG. The DBG formation guideline highlights the eligibility criteria and election process when forming or joining a DBG. It also explains the process for notifying an AML/CFT supervisor about the formation of, or change to, a DBG and provides the forms for doing so. There will be occasions where the business of a DBG will be split between more than one supervisor. In these circumstances, supervisors will agree on who would be the best supervisor for the group. This may depend on where the majority of the DBG business lies.
CDD involves:
a) gathering information about customer identity
b) verifying a customer's identity, to ensure the customer is who they say they are.
In most cases, reporting entities will also need to establish and verify the identity of any beneficial owner, meaning the individual who ultimately owns or controls the customer or on whose behalf a transaction is conducted. CDD also involves establishing and verifying the identity of any person who acts on behalf of a customer.
Ongoing CDD means regularly reviewing customer information and having systems to conduct account monitoring. Under section 31 of the AML/CFT Act ongoing CDD is required to ensure the ongoing business relationship is consistent with the reporting entity's knowledge about the customer's business and risk profile and to identify grounds for reporting any suspicious transaction. This is required for all customers, including existing customers.
When undertaking standard CDD, you must obtain:
(a) the person’s full name; and
(b) the person’s date of birth; and
(c) if the person is not the customer, the person’s relationship to the customer; and
(d) the person’s address or registered office; and
(e) the person’s company identifier or registration number; and
(f) any information prescribed by regulations.
You must do this for your customer, any beneficial owner of your customer and any person acting on behalf of your customer. For your customer, you must then take reasonable steps to verify this information to be satisfied it is correct. You must also, according to the level of risk involved, take reasonable steps to verify the identity of any beneficial owners, and to verify the identity and authority of any person acting on behalf of your customer.