AML/CFT FAQs

Page last updated: 31 Jul 2019

Money laundering basics	What is money laundering? What is terrorist financing?
New Zealand’s AML/CFT regime	When did it all take effect? What are regulations, codes of practice and guidelines? What is a risk assessment? What is an AML/CFT programme? Is there a template available for the risk assessment and AML/CFT program? What is a designated business group (DBG)?
Supervisors	How do you know who is your supervisor? What happens if you come under two supervisors? Is there a register of reporting entities? What is a ministerial exemption?
Obligations	What obligations will be placed on firms? What are the record-keeping requirements for evidence of staff vetting performed?
Customer due diligence (CDD)	What is customer due diligence (CDD)? What is ongoing customer due diligence? What are politically exposed persons (PEPs)? What if someone doesn’t have a passport and they don’t drive? What happens if I take over an existing customer base? Do we have to identify a customer every time they put in $20,000? If a trust is a discretionary trust and the beneficiaries are not named, how do we do customer due diligence on beneficiaries? Will you be providing a list of politically exposed persons (PEPs)?
Verification	What if someone doesn't have a passport and they don't drive? If someone sets up a company and then asks you to set up an account providing a certificate of incorporation, is the Companies Office CDD enough? Can we use the IRD B2B messaging as a verification procedure for KiwiSaver? Can a financial adviser certify an original document? Can a reporting entity accept an electronic copy of documentation certified by a trusted referee under Part 2 of the Amended Identity Verification Code of Practice 2013?
AML/CFT compliance officer	Can one person be the compliance officer for a designated business group (DBG)? Can an AML officer be an external appointment? What level of seniority does the AML/CFT compliance officer have to hold?
Suspicious transaction reports (STR’s)	Is there a protection from breach of privacy under the Act for people who submit STRs? Should we inform on a client? Does every STR report need to go directly to the Police Financial Intelligence Unit and not through supervisors? Do we report suspicious persons?
Independent audit of risk assessment and AML/CFT programme	When exactly do I need to have my audit completed by? Why does the Act require an audit report to be done on a two-yearly basis? What period should my audit report cover? Does the FMA have a list of recommended auditors? How do I know if the auditor is suitably qualified to conduct the audit? How can I ensure the auditor is independent? What response can I expect from the FMA if my auditor identifies issues? Can I apply for an exemption from having an AML/CFT audit performed? Can I apply for an extension for an AML/CFT audit report? Do I need to have an audit performed if my business is being wound up within two years of my last audit?
Registered financial advisers (RFAs)	I am an RFA operating through a New Zealand registered company. I sell KiwiSaver and some other category 1 products, but these sales amount to as little as 2% of my business. Am I a reporting entity under the Act? I am an RFA employed by a company that sells category 1 and category 2 products. Am I a reporting entity? I am a ‘one man band’ RFA selling risk-based insurance and some category 1 products, mainly KiwiSaver. Am I a reporting entity? I am an RFA who sells some category 1 products through a company so I realise that I am a reporting entity under the Act. Do I have to prepare a risk assessment and AML programme for my whole business?
Trading transferable securities	I trade carbon credits for my own account as part of my business. Does this make me a reporting entity under the Act?
Issuers and participants in securities issues	I am an issuer of securities registered on the FSPR. Am I a reporting entity under the Act? I am an issuer of equity securities. The only financial service I provide in relation to the securities is to act as the issuer under section 5(i) of the FSP Act. Am I a reporting entity? I am an issuer of debt securities, am I a reporting entity? We have a special purpose vehicle SPV that issues debt securities in the ordinary course of business, on whom should it complete CDD? We have an SPV that issued debt securities before 30 June 2013, but has no intention of issuing further securities. Is it a reporting entity under the Act? If an issuer of securities has conducted CDD on the initial purchasers of their securities, do they have to conduct CDD on all subsequent people who purchase the securities in an independent secondary market? Are crowdfunding service providers and peer-to-peer lending service providers reporting entities?
Funds and fund managers	I am a fund manager, am I a reporting entity?
Investment companies	I run an investment company that invests funds on its own behalf. How could it be a reporting entity under paragraph (xi) of the definition of financial institution? We have a pooled investment vehicle structured as an investment company and a separate investment manager. The investment manager is a reporting entity under the Act, will the investment company also be a reporting entity? Our investment company is a reporting entity and has shares traded in the secondary market. Do we have to identify people who purchase shares in the secondary market?
Exclusions and exemptions	Can I rely on regulation 20 (exclusion: lawyers, etc) of the AML/CFT (Definitions) Regulations, as amended, if I undertake other relevant activities in addition to those described in regulation 20? Am I exempt from the AML/CFT Act under regulation 16 (relevant services provided to related entities) of the AML/CFT (Exemptions) Regulations, if my only customers are related entities?
Supervision in relation to AML/CFT	How does FMA supervise AML/CFT? Is it just the same as Australia?
Completing your annual AML/CFT report	General information about completing your annual AML/CFT report Specific information more relevant for advisers and adviser businesses How to submit your report

Money laundering basics

What is money laundering?

Money laundering describes the process by which criminals make ‘dirty’ money obtained from their criminal activities look legitimate, or 'clean'.

They aim to make this dirty money look like it has come from a legitimate source, and therefore difficult to connect with its criminal past. Once that is achieved, criminals can introduce their dirty money into the financial system undetected.

From there, the money can be transferred between bank accounts or financial products in New Zealand or abroad or used to purchase goods and services.

What is terrorist financing?

Terrorist financing is the financial support of terrorists or those who encourage, plan or engage in terrorism.

Terrorist financing may involve funds raised from legitimate sources, such as personal donations and profits from businesses and charitable organisations. It may also be drawn from criminal sources, such as the drug trade, the smuggling of weapons and other goods, fraud, kidnapping and extortion.

People who finance terrorism often use similar methods and tools to those used for money laundering.

New Zealand’s AML/CFT Regime

When did it all take effect?

The AML/CFT Act was passed in 2009 and came fully into effect on 30 June 2013.

The time period was intended to give reporting entities time to undertake their risk assessments and to plan and implement their systems and controls before requirements came into force.

What are regulations, codes of practice and guidelines?

The Act sets many obligations at a relatively high level. More detail is set out in the regulations, codes of practice and guidelines:

Regulations - These contain minimum standards and thresholds. They are mandatory and must be followed. The regulations also contain several exceptions to the obligations under the Act.

Codes of practice - These set out methods on how reporting entities can comply with their obligations. While not mandatory, they can provide a defense against charges of non-compliance (a 'safe-harbour'), if followed correctly. A reporting entity that fully complies with the code will be compliant with the relevant parts of the legislation. If a reporting entity decides to opt-out of all, or part of, the code, it is required to have provided written notification to its supervisor. This notification states that the reporting entity has opted out of compliance with all, or part of, the code, and intends to satisfy its obligations by some other equally effective means.

Guidelines - These outline other non-binding guidance from supervisors.

What is a risk assessment?

Reporting entities are required to assess the money laundering and financing of terrorism risk that they may reasonably expect to face in the course of their business.

In making this assessment, the Act requires a reporting entity to consider:

the nature, size and complexity of its business
the products and services it offers
the methods by which it delivers products and services to its customers
the types of customers it deals with
the countries it deals with
the institutions it deals with
any guidance material produced by supervisors
any other factors that are set out in regulations.

Reporting entities also need to consider whether any of their products involve new or developing technologies that may favour customer anonymity. The Act also specifies that reporting entities must consider particular activities, such as wire transfers and correspondent banking relationships.

Guidelines have been published to help reporting entities develop their own risk assessment. The Countries Assessment guideline will help you develop procedures on the assessment of risks associated with the countries you deal with, when you need to undertake this assessment and how to approach the assessment.

What is an AML/CFT programme?

An AML/CFT programme sets out a reporting entity's internal policies, procedures and controls to detect money laundering and financing of terrorism and to manage and mitigate the risk of it occurring. The programme must be in writing and be based on its risk assessment.

Certain elements of a programme are specifically required by the Act, including:

vetting senior managers and AML staff
training senior managers and AML staff
customer due diligence, including enhanced CDD and simplified CDD
reporting suspicious transactions
monitoring and record-keeping
monitoring and managing compliance with the AML/CFT programme.

Risk-based systems and controls should be based on the nature, size and complexity of a reporting entity's business, along with any money laundering and financing of terrorism risks it may face.

Read more about the AML/CFT programme.

Is there a template available for the risk assessment and AML/CFT programme?

Supervisors have not issued templates for risk assessments or AML/CFT programmes. This is because one size does not fit all. Each business is likely to have an odd policy or process that is unique to that business.

The guide for small financial adviser businesses has some examples that small financial adviser businesses may find useful.

What is a designated business group?

Entities that are eligible may choose to form a designated business group (DBG). This enables the entities to share a risk assessment and some, but importantly not all, aspects of their AML/CFT programmes.

Guidelines have been published to help reporting entities decide whether they are eligible to form a DBG. The DBG scope guideline outlines the obligations that may be shared by members of a DBG. The DBG formation guideline highlights the eligibility criteria and election process when forming or joining a DBG. It also explains the process for notifying an AML/CFT supervisor about the formation of, or change to, a DBG and provides the forms for doing so.

There will be occasions where the business of a DBG will be split between more than one supervisor. In these circumstances, supervisors will agree on who would be the best supervisor for the group. This may depend on where the majority of the DBG business lies.

Supervisors

How do you know who is your supervisor?

Section 130 of the AML/CFT Act explains what sectors each supervisor is responsible for. In addition, the FMA and the Department of Internal Affairs (DIA) have a list of their reporting entities on their respective websites. If in doubt get in touch with anyone of the supervisors and they will point you in the right direction.

What happens if you come under two supervisors?

The supervisors have a process in place for when this situation arises. Reporting entities will only have one supervisor. That supervisor can call upon another supervisor to assist where certain products or services offered by the reporting entity fall outside the leading supervisors area of expertise, for example, a reporting entity that offers both life insurance products and collective investment schemes. Contact the relevant supervisors so that this process can be implemented.

Is there a register of reporting entities?

There is not a register in a legal sense but we do keep lists. We get information from the FSPR, use open source searching and also learn of reporting entities from Fair Go. If you or any reporting entities you know aren't on the FSPR, let us know.

What is a ministerial exemption?

The Minister of Justice is empowered under section 157 to make exemptions from any or all of the provisions of the Act. Exemptions may be granted for businesses, transactions, products, services or customers and may be subject to conditions.

For more details visit the Ministry of Justice's website.

Obligations

What obligations are placed on firms?

Basic obligations imposed on reporting entities include:

assessing the money laundering and financing of terrorism risk that it may reasonably expect to face in the course of its business
establishing, implementing and maintaining an AML/CFT programme (procedures, policies and controls) to detect, manage and mitigate the risk of money laundering and the financing of terrorism
customer due diligence (CDD) (identification and verification of identity) and ongoing CDD
suspicious transaction reporting
record-keeping.

Reporting entities have considerable flexibility within the limits prescribed by the Act and Regulations, in how they meet their obligations.

What are the record-keeping requirements for evidence of staff vetting performed?

We expect reporting entities to keep records of the staff vetting they carry out under their AML/CFT programme. Consistent with the record-keeping obligations in Part 2 of the AML/CFT Act, we would expect these records to be kept for a period of at least 5 years after the relevant employment relationship ends. For other requirements of staff vetting please refer to Part 3 of the AML/CFT Programme Guideline (May 2018) released by the supervisors.

Customer due diligence (CDD)

What is CDD?

CDD involves:

a) gathering information about customer identity
b) verifying a customer's identity, to ensure the customer is who they say they are.

In most cases, reporting entities will also need to establish and verify the identity of any beneficial owner, meaning the individual who ultimately owns or controls the customer or on whose behalf a transaction is conducted.

CDD also involves establishing and verifying the identity of any person who acts on behalf of a customer.

The Amended Identity Verification Code of Practice 2013 sets out methods by which reporting entities can comply with their obligations to verify the name and date of birth of customers who have been assessed as low to medium risk. The code is not mandatory but provides a 'safe-harbour' if followed correctly. If a reporting entity decides to opt-out of this Code, it must adopt practices that are equally effective.

The Beneficial ownership guideline has been published to help reporting entities develop procedures on the verification of beneficial ownership.

What is ongoing CDD?

Ongoing CDD means regularly reviewing customer information and having systems to conduct account monitoring. Under section 31 of the Act ongoing CDD is required to ensure the ongoing business relationship is consistent with the reporting entity's knowledge about the customer's business and risk profile and to identify grounds for reporting any suspicious transaction. This is required for all customers, including existing customers.

What are PEPs?

Politically-exposed persons (PEPs) are individuals who, by virtue of their position in public life, may be vulnerable to corruption. The definition of a PEP can be found in Section 5 of the Act. The New Zealand legislation currently limits this concept to foreign PEPs, and does not include domestic PEPs, ie persons who hold or have held public offices in New Zealand. Reporting entities are required to give specific consideration to the risks involved with PEPs and should:

have procedures in place to determine whether a customer or a beneficial owner of a customer, is a PEP or a close associate of a PEP
obtain senior management approval for establishing or maintaining business relationships with PEPs
take reasonable measures to establish the source of wealth and source of funds of PEPs
conduct enhanced, ongoing monitoring of the business relationship.

What if someone doesn't have a passport and they don't drive?

There are many different types of documents that can be used under the Amended Identity Verification Code of Practice 2013 but there will always be some people, for example, the very young, who don't have the required identification documents. In order to comply with the code you will need to put in place exception handling procedures for these customers. Note that exception handling should only be used where the person genuinely does not hold the identification documents, not where they have just left them at home.

What happens if I take over an existing customer base?

If the customers are existing customers of the reporting entity, you aren't expected to do CDD on all of those customers right away, but you do need to review them periodically (ongoing customer due diligence) to make sure you have the correct information. You must obtain further CDD information if there is a material change in the nature or purpose of the business relationship, if you consider that you have insufficient CDD information, or if the information you hold is inconsistent with the customer's profile.

If the customers are not existing customers of the reporting entity, but are existing customers of another reporting entity that has conducted CDD, then you may be able to rely on the CDD completed by that other reporting entity, if you meet the requirements of sections 32, 33 or 34 of the Act. You will still need to complete ongoing CDD.

Do we have to identify a customer every time they put in $20,000?

No. Once you have accepted a customer as your client you will have obtained all of the required information about the customer, including the nature and purpose of the business relationship. Part of the nature and purpose of the business relationship extends to how much you will expect the customer to deposit with you, and how regularly. If the customer follows the given profile you do not need to conduct CDD for every deposit. However, it would be prudent to request more information from the customer if the customer's behaviour changes significantly.

If a trust is a discretionary trust and the beneficiaries are not named, how do we do CDD on beneficiaries?

Assuming none of the beneficiaries is a beneficial owner of the trust, you only need to record a description of each class or type of beneficiary. You do not have to create a list of potential beneficiaries.

For more detail on CDD for trust beneficiaries see regulation 6 of the AML/CFT (Requirements and Compliance) Regulations 2011.

Will you be providing a list of politically exposed persons (PEPs)?

No. There are a lot of existing sources of information and services that provide PEP checks. We understand that some industry bodies are looking at linking into these for their members.

Verification

If someone sets up a company and then asks you to set up an account providing a certificate of incorporation, is the Companies Office CDD enough?

Not on its own. The Companies Office does some CDD, but your obligations under the Act amount to a higher level of CDD than the Companies Office carries out.

Can we use the IRD B2B messaging as a verification procedure for KiwiSaver?

The IRD B2B messaging can be used in lieu of a statement issued by a government agency required in para 3(f) of the Amended Identity Verification Code of Practice 2013. This can only be used for KiwiSaver.

Can a financial adviser certify an original document?

No. Financial advisers cannot certify identity documents. The code of practice contains a list of trusted referees who can certify identity documents. A reporting entity does not have to comply with the provisions of a code of practice, but if they don't intend to comply they must notify their supervisor in writing in advance and must comply with the relevant obligation by an equally effective means.

Although a financial adviser is not a trusted referee under the code, a financial product provider may rely on a financial adviser, who is also a reporting entity, to conduct CDD on their behalf in accordance with the conditions set out in section 33 of the Act. Alternatively, they may appoint a person as an agent to conduct CDD on their behalf in accordance with section 34.

This is different from certifying identity documents as a trusted referee under the code.

The product provider remains responsible for the CDD conducted on their behalf unders33 or by an agent under s34.

Can a reporting entity accept an electronic copy of documentation certified by a trusted referee under part 2 of the Amended Identity Verification Code of Practice 2013?

This depends on whether the electronic copy of the document meets the requirements for an electronically signed document under section 22 of the Electronic Transactions Act 2002 (ETA). Fax or pdf scanned copy of the trusted referee's signature will not be sufficient for the purposes of the code and cannot be accepted in place of the trusted referee's original certification.

For practical reasons, reporting entities may start to set up a client's account based on a fax or scanned copy of certified documents, provided the originals are forwarded by post and are received before any transactions are undertaken. Alternatively, if a reporting entity chooses to rely on electronically certified documentation in accordance with the ETA, the reporting entity will need to ensure that the trusted referee's electronic signature reliably identifies the trusted referee and their approval of the original document.

Section 24 of the ETA provides an example of the type of electronic signature that would be presumed to be sufficiently reliable. Reporting entities are not obliged to accept documents signed by an electronic signature unless they choose to do so.

AML/CFT compliance officer

Can one person be the compliance officer for a designated business group?

Yes, provided that the person is employed by at least one of the DBG members he or she administers and maintains all of the members' AML policies, as well as reporting to a senior manager of each reporting entity that appointed him.

Can an AML Officer be an external appointment?

Only if a reporting entity has no employees.

What level of seniority does the AML/CFT compliance officer have to hold?

The AML/CFT compliance officer has to report to a senior manager of the reporting entity.

Suspicious transaction reports (STRs)

Is there protection from breach of privacy under the Act for people who submit STRs?

Yes, section 44 of the Act protects anyone who properly reports a suspicious transaction to the Police Financial Intelligence Unit.

Should we inform on a client?

Under the Act restrictions in the Privacy Act, legal professional privilege and other similar provisions do not extend to suspicious transactions. This is also the case under the Financial Transactions Reporting Act 1996. Under section 40 of the AML/CFT Act reporting entities must report STRs where there are reasonable grounds for suspicion.

Does every STR report need to go directly to the Police Financial Intelligence Unit and not through supervisors?

STRs must go to the Police Financial Intelligence Unit, not to your supervisor. However, under section 41 of the Act, STRs must be signed by a person authorised by a reporting entity to sign them. This could mean that STRs will be sent to the Police Financial Intelligence Unit via compliance or AML officers rather than directly from the person generating the STR.

Do we report suspicious persons?

STRs do not merely relate to transactions either completed or attempted. The integral component of the STR is suspicion. It is therefore subjective and composed of many factors which may be relevant to include in an STR. These include the person sending or receiving the transaction; their behaviour; the time; the place; the amount; implausible sounding stories; the involvement of countries of interest; the transaction type; and the presence of recognised money laundering typologies.

Independent audit of risk assessment and AML/CFT programme

Refer to the following guides and reports for more information:

Guideline for audits of risk assessments and AML/CFT programmes - designed to help you manage the requirement to audit your AML/CFT risk assessment and AML/CFT programme
Getting the best outcome from your AML/CFT audit guide has a great deal of information regarding AML/CFT audits - including a comprehensive table to help businesses get value from their audit
Our AML/CFT monitoring reports - provide a general commentary on some of the audits we have examined

The FMA recently visited us to examine our AML/CFT compliance. Does that count as an AML/CFT audit?

No.

When exactly do I need to have my audit completed by?

That will depend on when the financial activities of your business were first captured under section 5 of the Act or additional regulations. Consider the examples below:

If your business was captured by the Act or regulations as at 30 June 2013, then it was due to be completed by 29 June 2015. This is regardless of when you formally implemented your AML/CFT compliance programme.
If you are a new business and your financial activities were captured by the Act or regulations at a later date then you have two years from that date to have your audit completed.
Thereafter, businesses have two years from the date of their last AML/CFT audit to have their next audit completed. For example, if your first audit report had a date of 29 June 2015, then your next audit report date should be no later than 29 June 2017.

Why does the Act require an audit report to be done on a two-yearly basis?

This is to ensure that reporting entities have, and will continue to have, robust systems and processes in place to detect and deter money laundering and the financing of terrorism.

What period should my audit report cover?

The audit report will provide an opinion by the auditor at a point in time. To support the opinion the auditor will examine evidence stretching back from the audit report date. Most likely, the period will cover the time between your last audit and your current audit.

Does the FMA have a list of recommended auditors?

We do not have a list of recommended auditors. The Act requires the auditor to be independent and suitably qualified – refer to our monitoring reports for more information on this.

Businesses offering AML/CFT audit services include:

AML/CFT specialist consultant firms and individuals
specialist regulatory compliance consultant firms and individuals
audit and accounting firms
other reporting entities.

How do I know if the auditor is suitably qualified to conduct the audit?

You should expect that your auditor has the required expertise of the Act and its regulations. Your audit will be more effective if your auditor understands your industry and has audit experience. It is imperative you are comfortable with the auditor you appoint as we may request you to provide evidence your auditor is appropriately qualified. Please refer to our monitoring reports.

How can I ensure the auditor is independent?

Your audit report should confirm the auditor’s independence and any other services they may have provided to you in addition to the audit. The Act states that the person who conducts the audit must be independent, and not involved in the development of a reporting entities AML/CFT risk assessment, or the establishment, implementation or maintenance of its programme. Please refer to our monitoring reports for more information on auditor independence. You should record your consideration of the auditor’s independence as we may ask you to provide this to us.

What response can I expect from the FMA if my auditor identifies issues?

We expect most reporting entities will have compliance issues until their AML/CFT programme matures. The audit is an opportunity to identify those issues and correct them. If there are significant issues identified we encourage you to engage with us early to discuss the matter and to review the actions you propose to take. If we select you for a monitoring visit, we are likely to request a copy of your remediation plan and check your progress. In cases where significant issues are appropriately addressed, we are unlikely to engage further.

Can I apply for an exemption from having an AML/CFT audit performed?

We are not in a position to grant a waiver or exemption from having an AML/CFT audit performed.

Can I apply for an extension for an AML/CFT audit report?

Except when we have brought forward your AML/CFT audit on request, we are unable to offer extensions.

Do I need to have an audit performed if my business is being wound up within two years of my last audit?

No. However, if there is some uncertainty when the business will close and it’s possible that it may extend beyond the two year period, we strongly recommend you have your audit completed. If your business is still a reporting entity after two years from your last audit, then you must have it completed.

Registered financial advisers

I am an RFA operating through a New Zealand registered company. I sell KiwiSaver and some other category 1 products (on the basis of a class service only and/or advice to wholesale clients only), but these sales amount to as little as 2% of my business. Am I a reporting entity?

If you are arranging for your clients to buy category 1 products then your New Zealand registered company is a reporting entity under the Act. The amount of products you sell is immaterial. It is also immaterial whether your clients are retail or wholesale clients. If you provide a purely advisory service to your clients and are not involved in the supply of category 1 products to your clients, then you will not be a reporting entity under the Act.

If you have an agreement with a product provider to sell their category 1 products and you assist your client in the purchase by either providing an application form, helping the customer complete the form, collecting the identity information, or sending the form to the provider, then you are arranging the sale and will be a reporting entity under the Act.

I am an RFA employed by a company that sells category 1 products (on the basis of a class service only and/or advice to wholesale clients only) and category 2 products. Am I a reporting entity?

If you are selling category 1 products, your employer is likely to be a reporting entity under regulation 16 of the Anti-Money Laundering and Countering Financing of Terrorism (Definitions) Regulations 2011. As an employee of that reporting entity, you will be required to follow the AML/CFT policies and procedures set out by your employer.

I am a 'one man band' RFA selling risk-based insurance and some category 1 products, mainly KiwiSaver (on the basis of a class service only/or advice to wholesale clients only). Am I a reporting entity?

If you are an individual who operates in your own name and not through a company or other unincorporated body, then you will not be a reporting entity under regulation 16. If you operate under the umbrella of a company or unincorporated body (including a partnership, joint venture or trust), then even if you are the only adviser, the company or unincorporated body will be a reporting entity and will be supervised by the FMA.

I am an RFA who sells some category 1 products through a company (on the basis of a class service only and/or advice to wholesale clients only) so realise that my company is a reporting entity under the Act. Do I have to prepare a risk assessment and AML/CFT programme for my whole business?

The risk assessment and AML/CFT programme only have to represent the part of your business that relates to the category 1 products you sell.

Trading transferable securities

I trade carbon credits for my own account as part of my business. Does this make me a reporting entity under the Act?

Carbon credits are not treated as securities for the purposes of the Act. This means that trading carbon credits will not make you a reporting entity under paragraph (vii) of the definition of 'financial institution'. You could still be a reporting entity if you invest funds in carbon credits on behalf of others or if you manage an individual or collective portfolio of carbon credits. It is also important to distinguish between carbon credits and derivatives linked to carbon credits. If you trade in derivatives linked to carbon credits then you will be a reporting entity under paragraph (vii) of the definition of 'financial institution'.

Issuers and participants in securities issues

I am an issuer of securities registered on the FSPR. Am I a reporting entity under the Act?

You are not automatically a reporting entity just because you are registered on the FSPR. You will be a reporting entity if you issue debt securities in the ordinary course of your business or if you participate in securities issues and provide financial services in relation to those issues. We have issued a guideline on issuers of securities and participants in issues to help you understand whether you are a reporting entity.

The provisions of the Financial Service Providers (Registration and Dispute Resolution) Act 2008 (FSP Act) that determine whether an entity should be registered on the FSPR are not identical to the provisions in the AML/CFT Act that deal with whether an entity is a reporting entity. Although the purposes of the AML/CFT Act and the FSP Act overlap, the FSP Act has a wider purpose.

Some issuers may, therefore, need to register on the FSPR even though they may not be reporting entities for Act purposes and conversely some entities may be reporting entities even though they are not required to register on the FSPR.

I am an issuer of equity securities. The only financial service I provide in relation to the securities is to act as the issuer under section 5(i) of the FSP Act. Am I a reporting entity?

You will only be a reporting entity entity if you are participating in securities issues and the provision of financial services related to those issues as defined under paragraph (viii) of the definition of financial institution or if you perform a financial service as defined in section 5 of the FSP Act, in addition to acting as an issuer of securities.

If you only act as an issuer of securities and do not provide other financial services such as being a promoter, manager, financial adviser, broker or underwriter, then you will not be a reporting entity under paragraph (viii) of the definition of financial institution. The guideline on issuers of securities and participants in issues has been published to help issuers understand whether they are reporting entities or not.

I am an issuer of debt securities, am I a reporting entity?

An issuer of retail debt securities falls into the category of 'accepting deposits or other repayable funds from the public' under paragraph (a)(i) of the definition of 'financial institution' in the AML/CFT Act. To decide whether you are a reporting entity, you must decide whether you issue debt securities to the public in the ordinary course of business. The 'Interpreting ordinary course of business guideline' can help.

If you have a separate company or SPV in your group structure whose primary purpose is to issue retail debt securities, then issuing debt securities to the public would usually be in the ordinary course of business for that SPV. If, however, the SPV has not issued debt securities for a significant period of time and has no intention to issue more, then you may decide the SPV does not issue debt securities to the public in the ordinary course of business. We cannot give definitive guidance on what 'a significant period of time' might be, because this will depend upon the nature of your business.

We have an SPV that issues debt securities in the ordinary course of business, on whom should it complete CDD?

A reporting entity, such as your SPV, must complete CDD on its customers, their beneficial owners and anyone acting on behalf of its customers. This CDD must be completed before the issuance of the debt securities. The customers of the SPV will be the people who purchase the debt securities directly from the SPV (primary market purchasers).

You would not normally need to complete ongoing CDD on people who may purchase your debt securities in the secondary market, because these people are not your customers and in most cases would not be beneficial owners of your customers.

We have an SPV that issued debt securities before 30 June 2013, but has no intention of issuing further securities. Is it a reporting entity under the AML/CFT Act?

No. We would expect that your SPV is not currently issuing debt securities in the ordinary course of business, even though some of its debt securities may still be traded in the secondary market. If however, there is an intention to issue further debt securities in the future, then the SPV will be a reporting entity. This would mean it would need to comply with the ongoing obligations under the Act such as appointing an AML/CFT officer, submitting an annual report and producing a risk assessment and AML/CFT programme.

Note that the analysis under the Act will not always be the same as that under the FSP Act, so an issuer may need to register on the FSPR even if it is not required to be a reporting entity for AML/CFT Act purposes.

If an issuer of securities has conducted CDD on the initial purchasers of their securities, do they have to conduct CDD on all subsequent people who purchase the securities in an independent secondary market?

No. The AML/CFT Act only requires a reporting entity to conduct CDD on customers; beneficial owners of customers; and people acting on behalf of a customer. An issuer of securities may be required to conduct CDD on the initial purchasers of its securities (for example if it is issuing debt securities, or issuing equity securities and providing financial services in relation to those equity securities, in the ordinary course of business) because those purchasers will be customers of the entity.

If someone purchases the securities in a secondary market that is independent of the reporting entity, and the entity does not have any other business relationship with the purchaser, then the purchaser does not become a customer simply by holding the securities. The reporting entity does not need to conduct CDD on that secondary market purchaser.

Where a reporting entity makes payments due under securities to a person who has purchased those securities in an independent secondary market, this will not in itself mean the purchaser is a customer of the reporting entity. Payments could include interest installments, dividends or a final redemption amount. These payments on their own will not trigger an obligation to conduct CDD on the purchaser.

However, if a reporting entity facilitates the purchase of its securities, or otherwise enters into a business relationship with the purchaser of those securities, then the purchaser would become a customer of the reporting entity. In these circumstances, the reporting entity should conduct CDD on the purchaser in accordance with the Act before entering into the business relationship unless an exemption applies.

Are crowdfunding platforms and peer-to-peer lending reporting entities?

Yes. Anyone who provides a crowdfunding platform or is a peer-to-peer lender, as defined in the Financial Markets Conduct (Phase 1) Regulations 2014 is participating in an issue of securities and providing a financial service in relation to those securities. This means they will be a 'financial institution' under section 5 of the Act and they are therefore reporting entities. They may also perform other financial activities that mean they fall within the definition of a financial institution, although this will not affect their obligations under the Act. All investors and issuers (or all lenders and borrowers in the peer-to-peer context) using their services will be their 'customers' for the purposes of the Act.

Funds and fund managers

I am a fund manager. Am I a reporting entity under the AML/CFT Act?

In most fund structures we would expect the fund manager to be a reporting entity. The fund manager is likely to be 'managing individual or collective portfolios' (under paragraph (a)(ix) of the definition of a financial institution) and/or 'investing, administering, or managing funds or money on behalf of other persons' (under paragraph (a)(xi) of the definition of a financial institution).

In some fund structures, such as venture capital funds or property investment structures using an investment company, there may not be a fund manager conducting the activities described in paragraphs (ix) or (xi) of the definition of financial institution. It may be difficult to identify an individual entity that is conducting these financial activities.

In these circumstances, you should consider whether the fund structure as a whole could be considered to be a legal arrangement under which the financial activities are conducted. It is useful to look at this from the investor's point of view to understand whether they would consider that they are receiving the services described in paragraphs (ix) or (xi). If the investor is receiving these financial services from the fund, then the fund entity that interacts with the investor would be a reporting entity.

Investment companies

I run an investment company that invests funds on its own behalf. How could it be a reporting entity under paragraph (xi) of the definition of financial institution?

You should consider the substance of your activities, rather than the legal form adopted. An investment company may be considered to be 'investing, administering, or managing funds or money on behalf of other persons' where, in substance, the investment activities are being conducted for the benefit of and in the interests of the underlying equity investors.

The fact that a company is investing funds for its own benefit does not prevent the conclusion that it is also investing funds for the benefit of its investors. A company that has the 'look and feel' of a fund or pooled investment vehicle is also likely to be a reporting entity under paragraph (ix) of the definition of financial institution ('managing individual or collective portfolios').

This does not mean that all companies that invest in and manage assets will be reporting entities. The vast majority of companies will not be reporting entities under paragraphs (ix) or (xi) and there is effectively a presumption that companies are not acting as a fund or pooled investment vehicle for their ordinary shareholders, but if a company has the look and feel of a fund or pooled investment vehicle then it will be a reporting entity.

At one end of the spectrum, there are companies who actively manage assets as part of a non-investment business, for example, power generation companies and milk producers. These types of companies would not be considered to be managing a portfolio for the purposes of the Act or undertaking their investments on behalf of their equity investors.

At the other end of the spectrum are investment companies that passively invest as a look-through vehicle for investors. These types of companies would be considered to be investing on behalf of their investors, and may also be managing a portfolio for the purposes of the Act. They would, therefore, be reporting entities.

Most companies will fall somewhere between the two ends of this spectrum, but only companies that 'look and feel' like a fund or pooled investment vehicle are intended to be reporting entities under these paragraphs. There is no single determining factor, but factors that may be relevant include:

The legal form of the relationship between an investor and the relevant entity and whether the rights, benefits and AML/CFT risks are analogous to an investment in a fund or other pooled investment vehicle
Whether there is a recognisable investment strategy for investing in a portfolio of assets
The employment structure of the entity, for example, are the majority of individuals employed in assessing potential investments and divestments and related administrative roles?
The reasonable perceptions of investors, i.e. whether they would consider themselves to be investing in an asset class or portfolio, rather than investing in a business
The way the company describes and/or markets itself, for example, references to the opportunity to make an investment in its portfolio
The nature of any assets invested in by the company. For example, are assets independent and unrelated or are they integral parts of a wider business?
Whether the way in which assets are held is similar to the way a fund or other pooled investment vehicle would be expected to hold assets
The active or passive nature of activities undertaken by the company in relation to its assets
The number of independent assets held
The frequency with which new equity funds are raised
The frequency of acquisition and divestment of assets

Other factors may also be relevant. If in doubt please contact us at aml@fma.govt.nz to discuss.

We have a pooled investment vehicle structured as an investment company and a separate investment manager. The investment manager is a reporting entity under the AML/CFT Act, will the investment company also be a reporting entity?

Each individual entity needs to be assessed against the definition of 'reporting entity' in the Act. Although you should consider each part of the definition of 'financial institution paragraphs (viii), (ix) and/or (xi) may be most relevant. If you determine that your investment manager is conducting all relevant activities, rather than the investment company, then the investment manager will be a reporting entity and the investment company may not be a reporting entity.

However, this does not mean that the reporting entity can avoid conducting customer due diligence on the investors in your pooled investment vehicle. The investment company would be considered to be the facility through which the investment manager is conducting the activities and these activities would be considered to be conducted on behalf of the investors (see previous question and answer). The investors would, therefore, be 'customers' of the investment manager for the purposes of the Act.

Our investment company is a reporting entity and has shares traded in the secondary market. Do we have to identify people who purchase the shares in the secondary market?

We would not usually expect reporting entities to complete ongoing customer due diligence on people who may purchase their securities in the secondary market. Secondary market purchasers are not customers of the reporting entity and in most cases would not be beneficial owners of customers.

If the reporting entity is on notice that the original person who purchased the securities in the primary market was actually acting on behalf of a subsequent investor, then the subsequent investor will be a 'beneficial owner' under the Act and the reporting entity must conduct customer due diligence on that beneficial owner, but we would not normally expect this to be the case.

Exclusions and exemptions

Can I rely on regulation 20 (exclusion: lawyers, etc) of the AML/CFT (Definitions) Regulations, as amended, if I undertake other relevant activities in addition to those described in regulation 20?

Yes, you may rely on regulation 20 to the extent that you carry out a relevant service in the ordinary course of one of the businesses listed in regulation 20. The inclusion of the word 'only' in paragraph 1 of the regulation is not intended to prevent reporting entities from obtaining the benefit of this regulation if they carry out other activities caught within the scope of the Act. If a reporting entity carries out other activities caught within the scope of the Act, then it's obligations will still apply to those other activities.

Am I exempt from the AML/CFT Act under regulation 16 (relevant services provided to related entities) of the AML/CFT (Exemptions) Regulations, if my only customers are related entities?

Regulation 16 of the exemptions regulations apply when 'the recipient of the service' is related to the person that provides the financial service. In most cases, this will mean that a person is exempt from the Act if their only customers are related entities, however, in some cases the recipient of service will be a third party who may have no contractual link to the person providing the service.

If a non-related person is the recipient of your financial service, then you will be a reporting entity. It is useful to look at this from the investor's point of view to understand whether they would consider they are receiving financial services as described in the definition of financial institution in section 5 of the Act.

Supervision in relation to AML/CFT

How does the FMA supervise AML/CFT?

FMA is committed to a risk-based approach in countering money laundering and terrorist financing. This means we allocate our resources and efforts to the areas where we perceive the greatest threat to our statutory objectives, in order to:

detect and deter money laundering and the financing of terrorism
maintain and enhance New Zealand's international reputation by adopting, where appropriate in the New Zealand context, recommendations issued by the Financial Action Task Force
contribute to public confidence in the financial system.

Criminals are increasingly flexible and innovative in their efforts to launder money and attempt to avoid detection. It is therefore important that our anti-money laundering responses are flexible, proportionate and cost-effective. These are the main characteristics of a risk-based AML/CFT regime.

Is it the same as Australia?

No. One of the policy drivers behind the legislation was trans-Tasman integration, but only where it is appropriate for New Zealand. The detail in the legislation and the Government's approach differs in a number of areas, so it is imperative that reporting entities fully understand their obligations under the New Zealand regime.

Completing your annual AML/CFT report

Click on any of the topics below to find answers about completing your annual AML/CFT report. If you can't find the answers you're are looking for please email us at aml@fma.govt.nz

Topics

General information

Specific information more relevant for advisers and adviser businesses

How to submit your report

General information

Why do I need to submit an annual AML/CFT report?

All reporting entities (as defined in the Act) must prepare an annual report on their risk assessment and compliance programme under section 60 of the Act. This needs to be in the format set out in Schedule 2 of the Anti-Money Laundering and Countering Financing of Terrorism (Requirements and Compliance) Regulations 2011 and must be submitted to the relevant AML/CFT supervisor. A list of AML/CFT supervisors can be found here. Information from these reports provides us with important information on AML/CFT reporting entities and will help us:

understand the risk of money laundering and financing of terrorism activities in each reporting entity
ensure that information we have on our reporting entities is accurate and up-to-date
determine the best use of our resources.

When can I submit my annual AML/CFT report?

You must submit your report between Monday 1 July - Friday 31 August 2019. The dates are fixed because the information included in the report must include data up to, and including 30 June 2019.

What does the annual AML/CFT report cover?

The covers five broad topics:

Part 1 – Business contact details and organisation structure
Part 2 – AML/CFT risk assessment and AML/CFT programme
Part 3 – Products and services, customers and channels
Part 4 – AML/CFT supervisor-specific questions
Part 5 – Compliance with exemptions

Schedule 2 of the AML/CFT (Requirements and Compliance) Regulations 2011 determines the content for the annual AML/CFT report.

PLEASE NOTE: For questions 6.2.1 up to and including 6.2.74, the total percentage (%) should add up to 100%.

Can I submit a handwritten report or create my own annual AML/CFT report, based on the user guide or some other template?

No. We cannot accept reports based on individually designed templates. Submissions must only be made by completing and submitting our annual AML/CFT report submission form 2019. See the instructions above about how to open and complete it.

Can I use a template provided by another supervisor (or anyone else) to complete my annual AML/CFT report?

No. You should use the template provided by your own supervisor. If we are your supervisor then submissions must be made using our annual AML/CFT report submission form 2019. See the instructions above about how to open and complete it.

As a reminder, we supervise: issuers of securities, licensed supervisors, fund managers, brokers and custodians, financial advisers, derivatives issuers, DIMS providers and peer to peer lending and equity crowdfunding service providers.

What happens if I don't submit an annual AML/CFT report?

If you do not submit a report, compliance action may be taken against you.

What happens if I supply false or misleading information?

Penalties may apply if false or misleading information is supplied.

Am I exempt from submitting an annual AML/CFT report?

If you have a full exemption from the AML/CFT Act, you do not need to submit a report. If you have a partial exemption, you may be required to submit a report.

If you do not know whether you need to submit a report, please contact us at aml@fma.govt.nz

Does each member of a designated business group (DBG) need to complete a separate annual AML/CFT form?

Yes. Each member of a DBG must complete a separate annual AML/CFT form, except as noted in Part Two (Questions 4-5) for reporting entities that are eligible members of a DBG.

If you are a member of a DBG, you may allow another member to answer Part Two on your behalf. However, please note that you are responsible for the information provided. If you are eligible, use the space provided in Part Two to specify this, together with the legal name and registered number of the member answering Part Two on your behalf. Then leave this part blank and go to Part Three. You are required to answer all other parts of the form.

What happens if my reporting entity doesn't have an FSP number do I still need to complete a report?

You are required to have an FSP number to complete the report.

I am registered on the FSPR to provide a number of financial services, but do not currently provide any. Do I still need to complete an annual AML/CFT report?

You are not a reporting entity unless you carry on some activity that falls within the definition of 'reporting entity' in section 5 of the AML/CFT Act. This includes activities that have been declared by regulations for people to be reporting entities. If you are not a reporting entity, then you do not need to complete a report.

I am overseas for an extended period of time so will have difficulty completing my AML/CFT annual report. May I have an extension beyond 31 August 2019 to complete the report?

FMA is not able to grant any extensions.

I sold my reporting entity 'entity 1'? that was in scope for AML/CFT purposes - a few months ago to a separate reporting entity 'entity 2'. Entity 2 is in scope for AML/CFT and will complete an annual AML/CFT report.

Do I still need to complete an annual AML/CFT report for entity 1?

Reporting entities are required to submit a report. It does not matter whether the ownership of a reporting entity has changed. This means that entity 1 is still required to submit a report even though the ownership has been transferred. The new management of entity 1 will be responsible for making sure it submits its annual report based on the business it has conducted over the year.

When entity 2 completes its annual AML/CFT report, should it also include all of entity 1s business (ie for the full year regardless of when ownership passed)?

There is no requirement for entity 2 to include entity 1's business in entity 2's report. Each reporting entity can submit its own report. However, if it is more convenient, entity 2 could include all of entity 1's business within entity 2's report - in which case entity 1 would not need to complete a separate report.

Also what if entity 1 had simply stopped trading or stopped undertaking any financial activities which would bring it into the scope of the Act after 1 July 2018 but before 30 June 2019?

If entity 1 has conducted activities that make it a 'reporting entity' (as defined in section 5 of the AML/CFT Act) at any point during the year, then it will need to complete a report.

Specific information more relevant for advisers and adviser businesses

See our quick guide "how to complete your annual AML/CFT report" to help small financial adviser businesses.

I am an AFA qualified to give advice for category 1 products but do not currently do so. I have no investment clients (KiwiSaver or other types of category 1 products). I work solely in the life, income, trauma, health and disability markets. Can you tell me if I am obliged to prepare an annual report?

The products you advise on do not require you to be an Authorised Financial Adviser (AFA) (even though you are qualified as one). Therefore, Regulation 16 of the Anti-Money Laundering and Countering Financing of Terrorism (Definitions) Regulations 2011 does not apply to you. This means you are not a reporting entity (unless you undertake some other activity that falls within the definition of 'reporting entity' in section 5 of the AML/CFT Act). If you are not a reporting entity, then you do not need to complete a report.

For further information please refer to Guide for small financial adviser businesses.

I am an advisory business that is only a reporting entity under the AML/CFT Act because of regulation 16 of the 'Definitions' regulations. I don't ever receive client money or client property. Do I answer 'zero' for question 6.1 of the annual AML/CFT report?

No. We don't believe a 'zero' response is correct. We are aware that some advisers have taken the view that, where no client money or client property goes through their own accounts, they have not "settled" any transactions themselves and therefore should submit "zero" for the number of transactions and "zero" for the value of transactions in question 6.1. However, we do not believe this is the correct interpretation of the relevant provisions.

One of the advantages of providing us your report is that it is an efficient method of providing us with useful information on the AML/CFT risks faced by your entity without the necessity for direct contact with FMA. A 'zero' response will result in a lack of information to risk-assess the reporting entity. We may need to approach the adviser at a later date with a specific request for records, documents, or information under section 132 of the AML/CFT Act. We will take into account information we receive under the AFA information return (if applicable) when determining whether a request under section 132 is necessary.

Advisers are also reminded of their record-keeping obligations under section 49 of the Act and of their record-keeping obligations under the Code of Professional Conduct, which are additional to the section 49 requirements. We recommend adviser businesses put in place a system or process so the information requested can be provided easily for these reports.

When counting the number of transactions for the purposes of question 6.1 do adviser businesses only need to count new lump sum business?

No, a transaction includes any new arrangement where financial products are brought, sold or transferred. Each time an adviser helps arrange these transactions there is a small risk the adviser could be used to assist money laundering or terrorist financing.

To estimate the number of transactions for question 6.1 advisers should:

(A) Estimate the total number of new lump sum business transactions arranged in the year.
(B) Estimate the total number of new regular payment arrangements (or other non-lump sum deposits) set up in the year.
(C) Estimate the total number of new withdrawals arranged for clients (either lump sum withdrawals or new regular withdrawal arrangements) in the year.
(D) Estimate the total number of times the adviser has arranged for clients to transfer between financial products.

The estimates for (A), (B), (C) and (D) should be added together to get the estimate of the total number of transactions. We acknowledge that it may be more difficult to estimate the number of certain types of transaction, in which case you may choose to use the free text field in Part 6 of the report to describe how the estimate was reached. For example, if you can estimate (A), (B) and (C) to a reasonably high level of confidence, but your estimate of (D) is much less certain, then you can provide the separate details and say how you estimated each in the free text field in Part 6 of the form.

When counting the value of transactions for the purposes of question 6.1 what do adviser businesses need to count?

To estimate the value of transactions for question 6.1 advisers should:

(A) Estimate the total value of new lump sum business transactions arranged in the year.
(B) Estimate the total value of new regular payment arrangements (or other non-lump sum deposits) set up in the year - You do not need to count regular payments that were set up in a previous reporting period unless you have arranged for the payments to be changed within the reporting period. Where new regular payments have been set up within the reporting period, please estimate the annual value of the regular payments (even if the regular payments were only effective for a part of the year).
(C) Estimate the total value of new withdrawals arranged for clients (either lump sum withdrawals or the annual value of new regular withdrawal arrangements) in the year.(D) Estimate the total value of transfers of financial products arranged for clients during the year. For example, a transfer of $1000 from ABC Limited to XYZ Limited arranged by the adviser would count as $1000.

The estimates for (A), (B), (C) and (D) should be added together to get the estimate of the total value of transactions. We acknowledge that it may be more difficult to estimate the number of certain types of transaction, in which case you may choose to use the free text field in Part 6 of the form to describe how the estimate was reached.

I haven't kept count of the number or value of transactions in the way requested by question 6.1. Can I estimate the answer?

Yes. In determining the value and number of transactions during the year you only need to provide an estimate. This means we expect the submissions to be based on an approximate calculation or judgment of the value or number, rather than necessarily being an exact count of transactions and values.

When estimating the value of transactions for the purposes of question 6.1, should adviser businesses use the value of the transactions to their business or use the total value of the transactions themselves?

Use the total value of the transactions themselves, i.e. the value of the settlement between the client and other reporting entity.

Should an adviser business count transactions for the purposes of question 6.1 if the adviser gave financial advice to the client to do something, but didn't otherwise assist in arranging the transaction?

No. Advisers only need to estimate transactions where they have arranged for another reporting entity to provide a transaction.

How to submit your report

Login from Monday 1 July to our e-services portal by clicking on www2.e-services.fma.govt.nz/. If clicking on the link does not take you to the portal please copy or type the link on your browser and open it.
Click 'Login' at the top right corner of the screen.
On the next screen in the white box, type in your RealMe^® login details. If this is the first time you have logged into our new online system, you will be asked to create a new profile which includes your name, email address and phone number.
On the next screen click on ‘All Forms’, then select ‘AML/CFT Annual Report’. This will take you through to the start of the questions.

Can I save my responses and go back to complete them at a later date?

Yes. You can save your report and go back into it at any time. When completing the form, we recommend you regularly save your responses.

Need help?

If you experience any problems submitting your report or if you need help, please email us at aml@fma.govt.nz or call us on 0800 434 567.

This information does not constitute legal advice. Please consult the relevant statute and regulations and seek independent advice if necessary.