Stephen Drain, Partner in Forensic Services at PwC Auckland New Zealand, discusses the need for law firms to have a dynamic Anti-Money Laundering Risk Assessment in order to ensure adequate compliance with the Anti-Money Laundering and Countering Financing of Terrorism Act, which has applied to lawyers since 1 July 2018.
Back in March with four months to go until lawyers were set to be captured by the provisions of the AML/CFT Act [i] we were saying, “Get it right or pay the price”. Now that 1 July 2018 has been and gone the message should still resonate. Based on experience from when the current regime was first introduced in 2013, there will still be lots of work to be done by lawyers to be fully compliant. In fact, the nature of the legislation is that it requires constant attention to remain compliant.
If you have been involved with helping your firm with its AML/CFT set-up, you should know that your first step is to complete your Risk Assessment. Section 58 of the Act prescribes that before conducting customer due diligence (CDD) or establishing an AML/CFT Programme, a Reporting Entity must complete an assessment of the risks of money-laundering and financing of terrorism that it may reasonably expect to face in the course of its business (Risk Assessment).
When we mention this to clients who are already advanced on their AML/CFT journey the response is typically “Yes, we’ve completed that, all sorted” or similar. Sometimes we are told, “Yes we’ve done that but really just for compliance, we don’t need to refer to that much at all”.
There is a real regulatory risk if the Risk Assessment is just a document “kept on the shelf”.
Section 58 requires the Risk Assessment to be in writing. Good to know I guess! However, it also requires the Risk Assessment to identity risks, describe how the reporting entity will ensure that it remains current, and enable the reporting entity to determine the level of risk.
With five years of AML Compliance experience with the financial sector, we’ve noticed some common themes that will equally apply to lawyers:
Are you appropriately determining the level of risk for each service?
The New Zealand AML regime is partially “risk based”, meaning that there is scope to increase or reduce the level of activities in your Programme such as CDD and Account Monitoring, depending on the risk. If, based on your Risk Assessment, a particular service offering is rated by you as “low risk” (all other things being equal such as the home country of the client) then adopting the minimum requirements of the Act might well suffice. Conversely, a high-risk rating for a service is likely to require additional CDD measures.
Have you ensured that all the relevant services you offer are included in your Risk Assessment?
There must be a process for your firm to capture all products and services including changes and enable the relevant risks to feed into the CDD process.
Are you capturing new and innovative service offerings?
Your firm is likely encouraging innovative solutions which individual partners can offer clients. How are you keeping track of those services and ensuring that every new offering is put through the AML/CFT Risk Assessment?
Take the Blockchain for example. Alex Sims, an associate professor in Commercial Law at The University of Auckland’s Business School, says that Blockchain technology will advance to internet levels in less than five years. This will bring material changes to the way finance and law operates. One day soon, you’re quite likely going to need to consider Blockchain technology and its products in your Risk Assessment.
Under the watch of your AML Compliance Officer, law firms will want to ensure that they have a suitable process to capture new products or services, and then appropriately assess them for money-laundering and financing of terrorism risk. This process should also remove redundant offerings from the Risk Assessment.
Are you keeping your Risk Assessment current?
This is partially answered by keeping a track of new service offerings, but we often see updates attended to immediately prior to an audit. This often means that no one has turned their mind to the document for two years[ii]. As AML Auditors, we will ask the same question that the AML Supervisor is likely to ask: Was the Risk Assessment current throughout the period?
With risk ratings, comes a note of caution: taking a short cut and rating a service as high-risk and then requiring enhanced CDD, without properly considering the risks when a lower risk rating could have applied, puts additional pressure on lawyers in on-boarding clients. In our experience, such an approach often leads to short cuts – “it’s not really high risk so we won’t do the enhanced CDD” – with disappointment at Audit time when failures in procedures when tested against the Programme are identified.
As the Reserve Bank noted in one warning to a Reporting Entity for not maintaining its Risk Assessment “a reporting entity’s risk assessment comprises the essential foundation of an adequate and effective AML/CFT programme”.
Having a dynamic Risk Assessment that feeds risks properly considered and on time into CDD and other processes, is key to ensuring adequate compliance without overdoing it.
Stephen Drain, leads PwC’s Forensic Services team, specialising in the prevention, detection and response to economic crime particularly fraud, corruption and money laundering. He has led and investigated a wide range of financial crimes from initial investigation to final proceedings and is experienced in working discretely with boards and senior leaders to help them meet a range of challenges including suspected fraud, probity concerns and regulatory investigations. Stephen leads the firm’s Anti-money laundering (AML) practice which offers a full range of AML services including assisting clients to design and implement risk-assessments and programmes in accordance with the Anti-money Laundering and Countering the Financing of Terrorism (AML/CFT) Act, conducting AML/CFT Audits (pursuant to 59 of the AML/CFT Act) and Reviews, and developing and delivering relevant training.
Stephen’s early career was in the New Zealand Police and after qualifying as a detective he moved to the Serious Fraud Office (SFO) initially as an investigator and later Supervising Senior (Investigations). After leaving the SFO, Stephen had two senior roles in leadership development, and joined PwC in 2012. Stephen is PwC Consulting’s People and Culture Partner. Stephen leads an Authentic Leadership development practice at PwC and has a personal leadership blog. His qualifications, education and professional associations are: Master of Business Administration, The University of Auckland; Post Graduate Diploma in Business (Finance), The University of Auckland; Member Institute of Directors in New Zealand; Chartered member Human Resources Institute of New Zealand (with specialisation in Development, Training and Learning). Contact Stephen at stephen.c.drain@nz.pwc.com
[i] Anti-Money Laundering and Countering Financing of Terrorism Act 2009
[ii] Reporting Entities are required to have an Audit of the Entities’ Risk Assessment and Programme conducted every two years or when required by the AML/CFT Supervisor