The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the AML/CFT Act) imposes several obligations if you operate a business that falls within the definition of a reporting entity. You will need:
a written risk assessment of the money laundering and financing of terrorism activity you could expect in the course of running your business
an anti-money laundering and countering financing of terrorism programme that includes procedures to detect, deter, manage and mitigate money laundering and the financing of terrorism and has:
A compliance officer appointed to administer and maintain your programme
Customer due diligence processes (CDD) based on your risk assessment including customer identification and verification of identity
Suspicious activity reporting (SAR), auditing and annual reporting systems and processes.
Complete a risk assessment
A risk assessment is the first step your business must take to comply with the AML/CFT Act.
This will enable you to develop a programme to mitigate this risk in a proportionate way.
Your AML/CFT supervisor expects that you will have a clear understanding of the ML/TF risks and vulnerabilities you face during the course of business.
We strongly recommend that you are familiar with the following documents before you undertake your risk assessment.
the methods by which you deliver products and services to your customers.
the types of customers you deal with
the countries you deal with
the institutions you deal with
any other applicable guidance material produced by the AML/CFT supervisors.
Put in place a compliance programme
The AML/CFT Act takes a risk-based approach to compliance.
Reporting entities (within the limits set by the AML/CFT Act and regulations) have some flexibility to determine the way in which they meet their obligations based on their risk assessment.
Once a risk assessment is completed, a business can then put in place an AML/CFT programme that minimises or mitigates these risks.
AML CFT Programme Guideline
The AML/CFT programme will set out your procedures, policies and controls for detecting, managing and mitigating the risk of money laundering, and the financing of terrorism your business may reasonably expect to face. The programme must be in writing and based on your risk assessment.
All reporting entities are required to prepare an annual report on their risk assessment and AML/CFT programme. Information from these reports will provide us with important information on the people and organisations we supervise, and help us:
understand the risk of money laundering and financing of terrorism activities in each reporting entity
ensure that information we have on our reporting entities is accurate and up-to-date
determine the best use of our AML/CFT resources.
Completing your annual report To complete the annual report, you will need your most recent financial year-end data.
We also recommend that you:
familiarise yourself with the questions set out in the regulations
How to submit your report The e-services portal is no longer available. If your AML/CFT return is outstanding or you need to resubmit it please contact us. We will provide you with a pdf that needs to be completed and emailed back to us.
Engage an independent and qualified auditor early – this is to ensure one is available to assist you.
Review and address issues in your risk assessment, AML/CFT compliance programme and supporting policies and procedures internally before the independent audit.
Refer to the guidelines and reports and our AML/CFT FAQs that detail specific information on what is necessary to complete your AML/CFT audit.
It will take time for your auditor to review your risk assessment, compliance programme, test supporting evidence and prepare an audit report. You should also allow sufficient time (sometimes up to several weeks) to review the audit findings, and agree with the final report.
Guideline for audits of risk assessments and AML/CFT programmes
This guideline is to help reporting entities manage the requirement to audit their AML/CFT risk assessment and AML/CFT programme, as required under section 59(2) of the AML/CFT Act.
Getting the best outcome from your AML/CFT audit guide
This information is intended to help our reporting entities get value from their AML/CFT Audit. Adopting all (or any) of these items in discussions with auditors is optional, but we believe that by considering these suggestions, reporting entities are more likely to achieve the best possible results from their audit.
This report provides a general commentary on some of the audits we have examined from the period from 1 July 2016 to 30 June 2018, which marked our fifth year of monitoring compliance with the AML/CFT Act. We focused on risk assessments being up to date and well-maintained; adequacy and effectiveness of policies, procedures and controls as per the AML/CFT programme; customer due diligence, ongoing customer due diligence and enhanced due diligence; governance and management oversight.
In the case of an international wire transfer, the first reporting entity to transfer funds, and the last reporting entity to receive funds, must do a PTR. We expect that a reporting entity that receives and/or passes on instructions from a client to do an international wire transfer, but does not actually transfer the funds, is not required to do a PTR. This means that international wire transfers carried out by a bank on behalf of another reporting entity will be reportable by the bank. If an international wire transfer is settled outside the banking system (for example if a reporting entity carries out a transaction on behalf of a client and as a result money is made available to a beneficiary at another entity in another jurisdiction) the reporting entity must submit a PTR.
Automated and manual reporting
Automated reporting applies to those entities submitting PTRs through the FIU xml schema. Reporting entities submitting automated reports are expected to provide PTRs as soon as they are able from 1 November 2017. However, reporting entities will not be considered non-compliant prior to the end of the transitional compliance period (1 July 2018).
Manually reporting applies to entities submitting reports one-by-one into the goAML web tool. Reporting entities submitting PTRs manually to the FIU are expected to report from 1 November 2017. PTRs will be used by FIU to help build an intelligence picture across the financial system. Please refer to the FIU website for more information. If you have any further questions please email us at email@example.com.