Don’t know? By 1 July 2018, you’re required to know, by law.
In less than four months’ time, Phase 2 of the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Amendment Act comes into force and the legal sector needs to be fully compliant.
At a recent one-day Anti-Money Laundering Conference in Auckland that offered insights for lawyers on how to interpret and comply with the new legal requirements, barrister Gary Hughes, one of New Zealand’s leading experts on money laundering and terrorism financing, led a session on the necessity and value of risk assessment.
Why a risk assessment is needed
He explained that the first step toward ensuring your firm is compliant begins with a thorough risk assessment, which is needed for several reasons.
The first of these was regulatory. We are living, Hughes says, in a new, tough regulatory environment. Falling short of requirements leaves a firm open to a range of new intrusive remedies and penalty options available to the supervisors and the police. As a powerful deterrent we already have some scary-looking examples overseas of non-compliant firms being taken to task. That, he says, is a fate that can be avoided!
Hughes says a quality risk assessment can help to apply a law firm’s resources in the best possible way, in particular to the places most vulnerable to an attack. A risk assessment will not only save your firm from the potential loss of money in fines for either non-compliance or inadequate compliance, but will also spare it the ignominy of becoming a test case!
The second reason to comply is that it helps to maintain and enhance New Zealand’s international reputation by adopting, where appropriate in the New Zealand context, recommendations issued by the Financial Action Task Force (FATF). That in turn will contribute to public confidence in the financial system as well as facilitating co-operation amongst reporting entities; AML/CFT supervisors; and various government agencies, in particular law enforcement and regulatory agencies.
Criminal influence and sophistication are growing. International connectivity brings new threats. Reputational, career and liability risks in conjunction with threats to our international reputation make compliance, starting with a risk assessment, essential for survival, says Hughes.
What’s a risk assessment?
While there’s no single right or cookie-cutter definition of exactly what a risk assessment is, Hughes says, there’s a guide within the Act.
Section 58 says a risk assessment must:
- be in writing;
- identify the risks faced by the reporting entity in the course of its business;
- describe how the reporting entity will ensure that the assessment remains current; and
- enable the reporting entity to determine the level of risk involved in relation to relevant obligations under the AML/CFT Act and regulations.
Section 58 also lists mandatory elements of possible money laundering or terrorism financing risks that must be considered and reported on. These are:
- The nature, size and complexity of a law firm’s business
- The services (and products) offered
- The service delivery methods and payment channels used
- An analysis of its client-base by type and demographic
- The countries dealt with
- The institutions dealt with
Thinking about financial crime risks
Hughes’ advice is to begin with the most obvious high-level issues and then tailor your assessment carefully to your firm’s practice operations. He says while your obligations under the Act are mainly principle-based, they also require you to reach a set standard. How you get there demands a bespoke response.
He suggests thinking like a bad guy to gain an insight as to where the risks might be. If someone wants to misuse services you offer (legal, transactional or documentary), how would they go about it? That will help, he says, identify where the loopholes are in your firm’s current processes.
What else will be in your risk assessment?
Aside from what’s required under Section 58, Hughes says a quality risk assessment will also include an over-arching policy statement, clear direction from management, a description of governance and, perhaps, a ‘risk appetite’ consideration. In addition, it will address cues from the Department of Internal Affairs’ Sector Risk Assessment guides applicable to your legal services; have detailed schedules for the teams, departments, services, clients, delivery channels, institutions, referrers and countries you deal with; and include a quantitative risk matrix.
The ongoing risk cycle
Once the risk assessment is complete it forms the foundation for the compliance program. To keep that current, the risk assessment must be reviewed regularly. It’s a living document, Hughes says.
Finally, the document must be accessible and coherent. That is, it must be written in language that’s readily understood.
Where to from here?
Each reporting entity or firm is required to have a designated compliance officer. It’s that officer’s duty to oversee the running of the compliance program, which includes management of the risk assessment documents.
To perform the role well requires a level of understanding that embraces knowing how the whole system works – something beyond a template, cookie-cutter, tick-box approach.
To meaningfully meet that need, Thomson Reuters NZ has commissioned Gary Hughes to write a series of practical modules for lawyers on AML compliance – AML/CFT Workflow and Guidance.