Section 58 of the Act requires each reporting entity to assess the risk it may reasonably expect to face of money laundering and financing of terrorism in the course of its business. The Act calls this a risk assessment.
The Act takes a risk-based approach to compliance. Reporting entities (within the limits set by the Act and regulations) have some flexibility to determine the way in which they meet their obligations based on their risk assessment. Once a risk assessment is completed, a business can then put in place an AML/CFT programme that minimises or mitigates these risks. See the AML/CFT programme guideline.
The AML/CFT programme will set out your procedures, policies and controls for detecting, managing and mitigating the risk of money laundering and the financing of terrorism that your business may reasonably expect to face. The programme must be in writing and based on your risk assessment.
Annual Reports obligation
All reporting entities are required to prepare an annual report on their risk assessment and AML/CFT programme. These reports will provide us with important information on the people and organisations we supervise, and help us:
understand the risk of money laundering and financing of terrorism activities in each reporting entity
ensure that information we have on our reporting entities is accurate and up-to-date
Each reporting entity must ensure its risk assessment and AML/CFT programme are audited every 2 years or at any other time at the request of the FMA. We may also request a copy of any audit report. You do not need to submit your audit report to us unless we request to see it.
How to get started
Engage an independent and qualified auditor early – this is to ensure one is available to assist you.
Review and address issues in your risk assessment, AML/CFT compliance programme and supporting policies and procedures internally before the independent audit.
Refer to the guidelines and reports and our FAQs that detail specific information on what is necessary to complete your AML/CFT audit.
It will take time for your auditor to review your risk assessment and compliance programme, test supporting evidence and prepare an audit report. You should also allow sufficient time (sometimes up to several weeks) to review the audit findings and agree with the final report.