AML / CFT

Anti-money laundering and countering financing of terrorism

Risk Assessment
Guideline

               
About joint supervisory guidelines
Each Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT)
supervisor is empowered to provide guidance to the reporting entities it supervises by
producing guidelines to assist them to comply with the AML/CFT Act and regulations.
Each AML/CFT supervisor will also co-operate with its domestic counterparts to
ensure the consistent, effective and efficient implementation of the AML/CFT Act.

The three AML/CFT supervisors consider that certain high-level principles (which each
supervisor will provide) will apply equally to all reporting entities. In such cases, joint
guidelines will be issued.

Each AML/CFT supervisor may also issue guidelines for specific reporting entities
where desirable. Reporting entities should consider all joint and specific guidelines
that apply to them.

What is this guideline for?

1. This guideline is designed to help reporting entities conduct a risk assessment, as
required under section 58 of the Anti-Money Laundering and Countering
Financing of Terrorism Act 2009 1 (AML/CFT Act).

2. A risk assessment is the first step a business must take before developing an anti-
money laundering and countering the financing of terrorism programme. It
involves identifying and assessing the risks the business reasonably expects to
face from money laundering and financing of terrorism. Once a risk assessment is
completed, a business can then put in place a programme that minimises or
mitigates these risks. Further guidance will be provided on the AML/CFT
programme at a later date.

3. Following this guideline is not mandatory. Reporting entities may choose to

comply with the AML/CFT Act using alternative methodologies.

Background
4. Organised crime and terrorism are global problems, with serious social, economic
and political impacts for every country in the world, including New Zealand.

5. Money laundering (ML) allows criminals to disguise the origins of their illicit funds
and then use these funds without raising suspicion.

6. Generally ML is a three step process involving:

 introducing illegally obtained money into the financial system (this step is called
“placement”);

1
http://www.legislation.govt.nz/act/public/2009/0035/latest/DLM2140720.html?search=ts_act_anti-
money_resel&p=1&sr=1

2
  disguising the audit trail so it is difficult to identify the original source of the
funds. This is often achieved by breaking funds up and moving them around in
a series of complex transactions (this step is called “layering”);
 transferring the now apparently legitimate funds into a form which they can be
used (this step is called “integration”). For more detailed information on ML/FT
refer to this website 2 .

7. The financing of terrorism (FT) involves similar techniques to ML, to avoid

detection by authorities and to protect the identity of those providing and receiving
the funds.

8. Measures that deter and/or detect ML/FT are an effective way to mitigate the
harm to society from crime and terrorism.

9. The AML/CFT Act was passed into New Zealand law on 16 October 2009. The
purposes of the Act are to:

a) detect and deter ML/FT; and

b) maintain and enhance New Zealand’s international reputation by adopting, where
appropriate in the New Zealand context, recommendations issued by the
Financial Action Task Force 3 (FATF); and
c) contribute to public confidence in the financial system.

Legal obligations relating to risk assessments

10. A business has obligations under the AML/CFT Act if it is a "reporting entity"
under the AML/CFT Act. A business is a reporting entity if, in the ordinary course
of business, it conducts one or more from a list of 13 financial activities set out
under section 5 of AML/CFT Act or it is a casino or a person or class of persons
declared by regulations to be a reporting entity. To work out if your business is a
reporting entity under the AML/CFT Act, refer to section 5 of the AML/CFT Act

11. Section 58 of the AML/CFT Act requires each reporting entity to assess the risk of
ML/FT it may reasonably expect to face in the course of its business. The
AML/CFT Act calls this a risk assessment.

12. Under section 58, a reporting entity must set out its risk assessment in writing,
and include a description of how this risk assessment will be kept up to date. Risk
assessments must enable reporting entities to determine the level of risk involved
in relation to relevant obligations under the AML/CFT Act (such as conducting
customer due diligence).

13. Reporting entities must use their risk assessment to develop their AML/CFT
programmes as set out in section 57 of the AML/CFT Act.

14. Reporting entities must review and audit their risk assessment as set out in
section 59 of the AML/CFT Act. Risk assessments must be independently audited

2
http://www.fatf-
gafi.org/document/29/0,3343,en_32250379_32235720_33659613_1_1_1_1,00.html#Whatismoneylaun
dering
3
http://www.fatf-gafi.org/pages/0,3417,en_32250379_32235720_1_1_1_1_1,00.html

3
 by an appropriately qualified person every two years, or at any other time at the
request of a reporting entity’s AML/CFT supervisor. Under section 60 reporting
entities must prepare an annual report on their risk assessment for their
supervisor.

15. It is not mandatory to adopt the process this guideline sets out for preparing a risk
assessment. As long as a reporting entity complies with its obligations under the
AML/CFT Act and any other applicable laws or regulations, it can choose the
method of risk assessment that best suits its business. For example, large
financial institutions are likely to have their own systems and methodology for
conducting a risk assessment.

What you will find in this guideline

16. You understand your business better than anyone else. Therefore, you are best
placed to identify the risks your business faces from ML/FT, to assess the
likelihood of ML/FT occurring through your business and to develop appropriate
strategies to manage and control these risks.

17. This guide is designed to help your business comply with its obligations under
section 58 of the AML/CFT Act by explaining how you could assess the risk of
ML/FT that your business could reasonably be expected to face.

18. This guideline is in four parts:

i. Assessing the risk

ii. Applying a risk assessment
iii. Review and audit of a risk assessment
iv. Additional resources to help conduct a risk assessment

Assessing the risk

19. Assessing the risk involves:

i. Identifying aspects of your business that may be susceptible to ML/FT; then

ii. considering each of the at-risk areas you have identified, analysing the
likelihood that your business will be used for ML/FT.

Identifying aspects of your business that may be susceptible to ML/FT

20. When a reporting entity is identifying aspects of its business that make it
susceptible to ML/FT, section 58 of the AML/CFT Act requires the reporting entity
to consider all of the following:

 the nature, size and complexity of its business;

 the products and services it offers;
 the way it delivers its products and services;
 the types of customers it deals with;
 the countries it deals with; and
 the institutions it deals with.

4
21. Reporting entities are also legally obliged to consider any applicable guidance
material produced by their AML/CFT supervisor or the Commissioner of Police
relating to risk assessments and any other factors that may be provided for in
regulations. 4

22. We recommend a comprehensive and well-structured approach to assessing the

extent to which each of the above factors would make your business susceptible
to ML/FT.

23. Below is a more detailed explanation of the factors set out in section 58. Overall,
we recommend that reporting entities carefully consider any aspect of their
business that makes it easier for customers to disguise their identity or the origin
of their funds.

The nature, size and complexity of your business

24. The size and complexity of a business plays an important role in how attractive or
susceptible it is for ML/FT.

25. For example, because a large business is less likely to know its customers
personally, it could offer a greater degree of anonymity than a small business.
Likewise, a business that conducts complex transactions across international
jurisdictions could offer greater opportunities to money launderers than a purely
domestic business.

The products and services your business offers

26. Some products and services are attractive for ML/FT. When considering whether
the products and services your business offers could be susceptible or attractive
for ML/FT, we recommend you consider issues such as:

 Does the product allow payments to third parties? Using third parties to mask
the illegal origins of the funds is a known method of ML/FT.
 Does the product commonly involve receipt or payment in cash? FATF’s 2010
Threat Assessment 5 indicates that a significant proportion of ML/FT involves
cash.
 Does the product allow customer anonymity? In order to evade detection by law
enforcement authorities, criminals will seek out products that permit their
identity to remain unknown.
 Does your business offer any products or services that have been identified in
National or Sector Risk Assessments as higher risk?
 Does your business only offer low-risk superannuation products?

27. FATF, the Asia Pacific Group on Money Laundering (APG), and the New Zealand
Police Financial Intelligence Unit (FIU) publish a list of methods and trends that
have been known to be used for ML/FT. We recommend that you read this list
closely to stay up-to-date with ML/FT methods 6 .

4
There is nothing specific in Regulations at this time. Future regulations could specify factors that you
must consider when you assess your ML/FT risk
5
http://www.fatf-gafi.org/dataoecd/48/10/45724350.pdf
6
http://www.apgml.org/frameworks/

5
The way your business delivers its products and services

28. The way your business delivers its products and services affects its susceptibility
or attractiveness for ML/FT.

For example:

 Does your business have non-face-to-face customers (via post, telephone,

internet, etc)? Internet based securities trading accounts, for example, pose
particular challenges for verifying the identity of the account holder.
 Does your business have indirect relationships with customers (via
intermediaries, pooled accounts, etc)?

The types of customers your business deals with

29. Some categories of customers pose a higher risk of ML/FT including:

 customers involved in occasional or one-off transactions above a certain

threshold;
 customers who use complex business structures that offer no apparent financial
benefits;
 customers who are Politically Exposed Persons (PEPs). Please refer to the
definition in section 5 of the AML/CFT Act to understand the types of individuals
who are considered to be PEPs;
 customers involved in cash-intensive businesses, who may be used by
criminals to mask illegally obtained funds;
 customers involved in businesses with high levels of corruption (e.g. arms
dealing);
 customers whose origin of wealth and/or source of funds cannot be easily
verified or where the audit trail appears to be broken and/or unnecessarily
layered;
 customers who conduct business through or are introduced by "gatekeepers"
such as accountants, lawyers, or other professionals;
 customers who are non-profit organisations; and
 customers of a type that have been identified in National or Sector Risk
Assessments as higher risk.

30. Categories of customers whose features may indicate a lower risk include:

 customers who are employed and receive a regular source of income from a
known source (e.g. salaried persons, pensioners, benefit recipients); and
 customers with a long-term and active business relationship with the firm.

The countries your business deals with

31. There is no universally agreed definition for a high risk country, but consider:
 countries subject to United Nations sanctions 7 embargoes or similar measures;
 countries identified by credible sources such as the FATF as lacking adequate
AML controls; 8

7
http://www.un.org/sc/committees/index.shtml
8
http://www.fatf-gafi.org/document/31/0,3343,en_32250379_32236992_46237087_1_1_1_1,00.html

6
  countries identified by credible sources as supporting FT;
 countries identified by credible sources as having significant levels of
corruption;
 countries that are tax havens; and
 countries that are associated with drug production and/or trans-shipment.

The institutions your business deals with

32. Does your business deal with other financial institutions which are either
unregulated, shell companies or shell banks? Such institutions are more likely to
be used for ML/FT or could be operated by criminals for ML/FT.

Other factors to consider when identifying aspects of your business that may be
susceptible to ML/FT:

33. Section 22 of the AML/CFT Act sets out circumstances where every reporting
entity must conduct enhanced customer due diligence. Section 18 of the
AML/CFT Act provides circumstances where simplified customer due diligence
applies. These two sections of the AML/CFT Act are a useful reference point for
the types of situations which may be considered to present a high or low risk of
ML/FT.

34. Sections 26 to 30 of the AML/CFT Act set out special steps reporting entities must
take in relation to PEPs, wire transfers, correspondent banking and new
technologies. This information should assist you when identifying high risk areas
of your business.

35. The National Risk Assessment 9 published by the FIU and the Sector Risk
Assessment prepared by your AML/CFT supervisor are also useful sources of
information when identifying how your business could be used for ML/FT. You
should also consider the emerging trends that are signalled by the FIU when
identifying risks in your business.

36. Detailed information on current ML/FT methods is available on the FATF

website 10 . This website also has links to other internet pages that you could refer
to when assessing the risk your business could be reasonably expected to face.

Assessing the likelihood of your business being used for ML/FT

37. In this step the aim is to rate the likelihood that the aspects of your business that
you have identified as susceptible to ML/FT could result in ML/FT.

38. This involves considering each aspect you have identified, together with your
business experience, information published by regulators and international
organisations such as FATF.

39. You should allow for all the different situations which currently arise in your
business (or is likely to arise in the foreseeable future, e.g. from proposed new

9
National Risk Assessment Primary Document http://www.justice.govt.nz/policy/criminal-justice/aml-
and-cft/20110308-NRA-2010-Primary-Document-FINAL.pdf
National Risk Assessment Support Document http://www.justice.govt.nz/policy/criminal-justice/aml-and-
cft/20110308-NRA-2010-Support-Document-FINAL.pdf
10
http://www.fatf-gafi.org/pages/0,2987,en_32250379_32235720_1_1_1_1_1,00.html

7
 products, services or customer types). For example, a long-standing, well known
customer from a high-risk country may pose a lower risk than a new customer
from this country.

40. If your business decides to use the methodology suggested above, you could start
this assessment with each of the different types of customer that your business
has (e.g. individuals, trusts, charities, companies). If your business deals with
individuals, the first aspect of your business you could consider is in which
countries you offer your services to individuals. Next you could consider the types
of products and services you offer individuals.

41. The end result of this step will be a likelihood rating for each of the at-risk areas of
your business. For example, you could rate each area as either highly likely,
likely, possible or unlikely to be used for ML/FT. These ratings will allow your
business to apply the appropriate standard of customer due diligence in your
AML/CFT programme.

42. This likelihood rating could correspond to:

Very unlikely Possible Likely Very likely

There is very little There is a small There is a There is a high
chance of ML/FT chance of ML/FT moderate chance chance of ML/FT
occurring in this occurring in this of ML/FT occurring in this
area of your area of your occurring in this area of your
business. business area of your business
(perhaps 1% of business (perhaps 20% of
such (perhaps 10% of such
transactions). such transactions).
transactions).

43. Applying this methodology, for example, could mean that if you have identified
overseas customers as an higher risk area, then the likelihood of one of these
customers using your business for ML/FT will depend on factors such as whether:

 The customer is from a country that is considered high risk (for example
because they have (i) high instances of illegal drug trafficking or (ii)
weak/inadequate AML/CFT legislation);
 The customer is new or existing;
 The customer is a PEP from a country that is internationally known for high
corruption rates amongst government officials/politicians;
 The products that your business offers this customer could be used to transfer
funds or derivatives across borders; and
 Your business offers this customer the opportunity to conduct transactions
through alternative trading platforms through Internet based trading accounts.

44. Carrying on with the example, if your business has existing customers from
countries that are known to have high instances of illegal drug trafficking and you
offer these customers complex, internet-based financial products (that do not
require face-to-face contact), then you would probably rate the likelihood of your
business being used for ML/FT by those customers as “very likely”.
45. Your AML/CFT programme (about which we will provide further guidance in due
course) should then address this high risk with appropriate control measures.

8
46. Alternatively, if your business only has overseas customers that are expatriate
New Zealanders living in England, and the only products offered to them are
superannuation packages, then these customers are very unlikely to be able to
launder money or finance terror through your business, and therefore pose a low
risk.

47. We recommend that when assessing the likelihood of your business being used
for ML/FT, your current AML/CFT controls (if any) are not taken into account. This
is because your new AML/CFT programme should include current as well as new
measures to prevent ML/FT. (If you take your current AML/CFT controls (if any)
into account when conducting the risk assessment it may prove difficult to factor
them into your new AML/CFT programme.)

Applying a risk assessment

48. A reporting entity’s risk assessment must enable it to prepare a comprehensive
AML/CFT programme. It must enable the reporting entity to meet its relevant
obligations under the AML/CFT Act and AML/CFT Regulations, especially its
obligations to conduct customer due diligence and ongoing customer due
diligence. Please refer to sections 14, 18, 22 and 31 of the AML/CFT Act.

Review and audit of a risk assessment

Reviewing a risk assessment
49. Section 58 of the AML/CFT Act requires a reporting entity to describe how its risk
assessment will remain current. This could be achieved by a reporting entity
stating in its risk assessment how it will stay up-to-date with ML/FT methods, and
how it will factor any relevant changes in international ML/FT trends into its risk
assessment.

50. Section 59 of the AML/CFT Act requires a reporting entity to review its risk
assessment to:
 ensure it is current; and
 identify any deficiencies in the effectiveness of the risk assessment; and
 make any changes to the risk assessment identified as being necessary in this
process.

Auditing of risk assessments

51. Under section 59(2) of the AML/CFT Act, a reporting entity must ensure that its
risk assessment is audited every two years, or at any other time at the request of
its AML/CFT supervisor.

Who can audit my risk assessment?

52. Section 59 of the AML/CFT also states that the auditor must be appropriately
qualified to conduct the audit. This does not necessarily mean that the person has
to be a Chartered Accountant or qualified to undertake financial audits. It does
mean that the person has relevant skills or experience to conduct the

9
 assessment. (For example, people with AML/CFT or relevant financial experience
might be suitably qualified.) A reporting entity must be able to justify to its
supervisor how its auditor is appropriately qualified.

The audit should be conducted by an independent person

53. Section 59 of the AML/CFT further provides that the person who conducts this
audit must be independent, and not involved in the development of a reporting
entity’s risk assessment, or the establishment, implementation or maintenance of
its AML/CFT programme.

54. The person appointed to undertake the audit may be a member of your staff,
provided he/she is adequately separated from the area of your business carrying
out the activities described in section 59(5).

55. Similarly, a reporting entity may choose to appoint an external firm to undertake
both the audit, and the activities described in section 59(5), provided it has first
satisfied itself that there are appropriate separation and conflict of interest
arrangements in place in that external firm to meet the requirements of 59(5), and
that the reporting entity reviews this decision whenever appropriate under 59(2).

Additional resources to help you conduct your risk

assessment
56. Information available at the sites listed below may assist your business in
conducting its risk assessment:

 NZ Police FIU National Risk Assessment;

 AML/CFT Supervisors’ Sector Risk Assessments;
 Financial Action Task Force;
 The Asia/Pacific Group on Money Laundering (APG);
 Australian Transaction Reports and Analysis Centre;
 Joint Money Laundering Reporting Group.

57. The APG has identified 22 known methods of ML/FT. Because ML/FT methods
are always evolving, it is possible that you may come across methods that are not
on the list below:

i. Association with corruption

ii. Currency exchanges/cash conversion
iii. Cash couriers/currency smuggling
iv. Structuring (smurfing)
v. Use of credit cards, cheques, promissory notes etc.
vi. Purchase of portable valuable commodities
vii. Purchase of valuable assets
viii. Commodity exchanges (barter)
ix. Use of wire transfers
x. Underground banking/alternative remittance services
xi. Trade based ML/FT
xii. Gaming activities
xiii. Abuse of non-profit organisations

10
 xiv. Investment in capital markets
xv. Mingling (business investment)
xvi. Use of shell companies/corporations
xvii. Use of offshore banks/businesses
xviii. Use of nominees, trusts, family members or third parties etc.
xix. Use of foreign bank accounts
xx. Identify fraud/false identification
xxi. Use of "gatekeeper" professional services
xxii. New payment technologies.

11