Reserve Bank of New Zealand AML/CFT Supervisor Workshop 2 October 2018

Reserve Bank of New Zealand AML/CFT Workshop 2 nd October 2018 Harbourside Function Venue, Wellington, New Zealand

AML/CFT in NZ’s banks

• ensuring the “sap” is clean Daryl Collins

3

4 Why we do what we do • Ensure criminals find it hard to financially benefit from their crimes • Stop terrorists in financing acts of terror • Sound and efficient financial system • Not because we like ticking boxes

5 Priorities

1. On-site visits
2. ‘Outreach’
3. Prescribed Transactions Reporting
4. Digital on-boarding of customers
5. Mutual evaluation

AML/CFT Compliance Culture Assessment

7 Background • RBNZ’s AML/CFT relationship model is underpinned by openness and transparency with reporting entities. • Policies, procedures and controls cannot be effective unless they are supported by a good compliance culture. The compliance culture of a reporting entity is a fundamental component of an effective AML/CFT programme. • AML/CFT Compliance Culture Assessment developed and used as part of RBNZ’s on-site programme. • Incorporate into RBNZ’s Risk Assessment Model-currently under review.

8 AML/CFT Risk Assessment Model High Medium Low • People • Processes • Systems and Technology • Governance & Oversight • On-site engagement • Attitude • Oversight • Consequence management • Reporting • Senior management priority • Communications • Response to audit findings • No material breaches or deficiencies • No material breaches, but a small number of minor deficiencies that require supervisory action • A reasonable number of deficiencies that require supervisory action. • A small number of material breaches and a reasonable number deficiencies that require supervisory action. • A large number of material breaches and deficiencies.Enforcement action taken. High Medium-High Medium Low-Medium Low Inherent Risk +/- Capability +/- Culture +/- Compliance Status = Overall Risk Profile Data sources: RBNZ Sector Risk Assessment and Annual Report data Data source: RBNZ Capability Assessment Data source: RBNZ Risk and Compliance Culture Assessment Data sources: • On-site reports • Desk based reviews DRAFT

9 Engagement with RBNZ Which of the following best describes the level of engagement experienced during the on-site?

1. A good level of AML/CFT awareness and engagement across various levels of the reporting entity.
2. Inconsistent levels of engagement experienced.
3. Poor levels of engagement, especially by senior management.

10 Engagement with RBNZ Which of the following best describes the reporting entity’s level of engagement with RBNZ?

1. The reporting entity proactively engages with RBNZ. Potential issues are always clearly communicated to RBNZ well in advance of compliance dates/RBNZ timeframes. A “no surprises” approach is evident.
2. Inconsistent levels of engagement experienced. Potential issues are sometimes communicated to RBNZ. Some concerns with transparency exist.
3. Poor levels of engagement with RBNZ. The reporting entity regularly does not meet compliance dates/RBNZ timeframes and provides no or limited notice to RBNZ. The reporting entity does not appear to be fully transparent with RBNZ.

11 AML/CFT Compliance Officer Which of the following best describes the reporting entity’s AML/CFT Compliance Officer?

1. Highly capable, knowledgeable and sufficiently empowered.
2. Some concerns with their capability and knowledge.
3. Inexperienced and incapable.

12 AML/CFT Compliance Officer Which of the following best describes the support provided to the reporting entity’s AML/CFT Compliance Officer?

1. Very supported and respected by senior management.
2. Some limited support provided and concerns regarding the AML/CFT Compliance Officer’s ability to influence the organisation and senior management.
3. No additional supported provided or not well respected. Clear key person risk.

13 Oversight of AML/CFT Programme Which of the following best describes the level of AML/CFT oversight by senior management?

1. AML/CFT matters are reported to senior committees/management on a regular basis. Issues are being appropriately escalated.
2. Limited level of reporting and oversight by senior management. Some statistics are reported to senior management but provide limited value from an oversight perspective.
3. No reporting or oversight by senior management.

14 Attitude Which of the following best describes the reporting entity’s attitude towards AML/CFT?

1. AML/CFT is considered to be important by most levels of the organisation. Achieving both compliance and mitigating risks are considered equally important.
2. AML/CFT is considered to have limited value, but acknowledges being compliant is important.
3. AML/CFT is considered to be a compliance burden and an inconvenience to customers and staff.

15 Attitude Which of the following best describes the reporting entity’s attitude towards RBNZ AML/CFT supervisors?

1. Open and transparent discussions during the on-site visit. Receptive and positive attitude towards feedback provided, including recommendations and good practice comments.
2. Some concerns with the level of openness and transparency displayed during the on-site visit. Some challenge to feedback provided in the closing meeting.
3. High level of resistance and challenge during the on-site visit.

16 Consequence management Which of the following best describes the reporting entity’s approach towards non-compliance?

1. Incidents of non-compliance are reported in a timely manner and appropriately remediated. Staff involved receive additional training or relevant sanction.
2. Incidents of non-compliance are reported, but not in a timely manner. Remediation is limited and there is a lack of additional training or follow-up for staff involved.
3. Incidents of non-compliance are not reported. No additional training or sanction imposed where misconduct or clear breaches have occurred.

17 Reporting Which of the following best describes the reporting entity’s culture in relation to suspicious transaction/activity reporting?

1. Staff understand the value and importance of reporting suspicious transactions/activity. No evidence of defensive filing to the Police Financial Intelligence Unit.
2. Some concerns over the level of reporting by frontline staff. Some evidence of defensive filing and minimal investigation conducted before submitting reports to the Police Financial Intelligence Unit.
3. No or very minimal reporting of suspicious transactions/activity by frontline staff or clear evidence of defensive filing of suspicious activity reports to the Police Financial Intelligence Unit.

18 Senior management priority Which of the following best describes the priority level of AML/CFT by senior management within the reporting entity?

1. AML/CFT is clearly a priority for senior management and are pro￾actively involved.
2. Some concerns over the level of priority given to AML/CFT by senior management. Senior management are generally reactive in relation to AML/CFT.
3. AML/CFT is not a priority for senior management and accountability is instead abdicated to middle and lower management.

19 Communications Which of the following best describes the level of communication on AML/CFT within the reporting entity?

1. Various aspects of AML/CFT are communicated to all relevant levels of the organisation on a regular basis.
2. Some AML/CFT communications are issued, however communications are ad-hoc and not issued to all relevant levels of the organisation.
3. AML/CFT communications are rare or non-existent.

20 Response to audit findings Which of the following best describes the reporting entity’s response to audit findings?

1. Approved funding to address audit findings and supported by senior management. Clear action owners and defined timeframes. Audit findings were a priority and addressed in a timely fashion.
2. Some audit findings were addressed, however a number remain outstanding or were not addressed.
3. Audit findings were not addressed or significantly delays to address audit findings. Limited appetite to address findings.

Update on Mutual Evaluation of New Zealand

22 Background • AML/CFT Act 2009 is underpinned by “recommendations” issued by the Financial Action Task Force. • New Zealand was previously assessed in 2009. Focus was on “technical compliance”. • Mutual Evaluation of New Zealand-March 2020. • Over 40 jurisdictions assessed. Each evaluation takes approximately 14 months and 8 years to complete a cycle.

23 What has been done so far? • Mutual Evaluation Working Group established. • New Zealand representation at FATF Plenary in Paris. • Mock Evaluation: 5-9 November 2018. • Learnings from other evaluations and jurisdictions.

24 What will the evaluation look like? • Technical compliance and Effectiveness questionnaires. • Various AML/CFT related statistics. • Assessor team of approximately 8 people. • Two weeks of interviews with relevant agencies-public and private sector.

25 Potential areas for supervisors and agencies to consider • Our multi-supervisory framework and consistency. • Terrorist financing. • Prosecutions and convictions (money laundering and non￾compliance). • Models for assessing risk.

26 What are the potential impacts? • Regular follow-up or Enhanced follow-up? • Legislative changes?

Key questions/topics submitted to RBNZ Leah Rivers, Olga Lagutina and Damian Henry

28 Nature and purpose of business relationship • The collection of meaningful nature and purpose information from a customer is vital for conducting effective transaction monitoring and identifying suspicious activity. • The level of nature and purpose information you should collect will vary depending on the complexity of the customer, and the risk the customer poses in terms of ML/TF.

29 Nature and purpose of business relationship The following are some examples of nature and purpose information you should consider when establishing a business relationship with a customer.  Why has customer decided to open a facility/service with your reporting entity?  What is the customer’s occupation or industry type?  What types of transactions does the customer expect to conduct through your reporting entity?  What is the customer’s expected value, volume and velocity of transactions?  Does the customer expect to receive transactions or funds from third parties?  Does the customer expect to send or receive transactions or funds from overseas?

30 Current typologies  Use of Cryptocurrency  Use of Dark Web  Cash is still king  Co-mingling into Cash Intensive Businesses  Third Party/Nominee Ownership  Overseas Transactions  Encrypted Devices  Use of Professionals

31 Q: There has been mixed messaging regarding PEP checks, with some of it appearing to be inconsistent with the Act. Can RBNZ give clear expectations, is Google and other trace tools acceptable?  Self-declaration forms and Google searches are not adequate  Open source databases maintained by U.N. and CIA can sometimes be used for low risk customers. However, it is not effective in identifying PEP relatives and close associates.  Cost effective solutions available on the market – charge per search.  Record-keeping – evidence of PEP screening must be on file even if screening returned no results.

32 Q: Does the RBNZ have a view on expectations of external auditors of entities? Would AML/CFT Supervisors consider some form of registration /acceptance process for external parties?  No plans to introduce a register of authorised/approved AML/CFT auditors.  Awaiting outcome of AUSTRAC’s Authorised External Auditors Policy review.  Engagement with auditors postponed till next year  REs must do own due diligence when choosing a provider:  ensure the auditor is independent and appropriately qualified.  consider the auditor’s AML/CFT expertise as well as the sector knowledge.  discuss and agree the scope, deliverables and other expectations with the auditor.  understand and agree on the methodology the auditor uses to determine the adequacy and effectiveness of your RA and AML/CFT programme.

33 Q: What are the expectations when there is a clash between different pieces of legislation, i.e. AML and KiwiSaver, and we are unable to complete ECDD but we also cannot exit a customer?  Where the AML/CFT legislation conflicts with Kiwisaver legislation, RBNZ does not expect business relationships to be terminated.  Ministry of Justice advised of conflict with Kiwisaver legislation.  KiwiSaver is a low risk product for ML/TF. Red flags  Large KiwiSaver contributions shortly before reaching retirement age.  Customer transfers KiwiSaver to another provider when asked for additional customer due diligence information.  Increase of KiwiSaver contributions, particularly lump-sum contributions out of alignment with known customer profile.

34 Any insights since Prescribed Transactions Reporting post-1 July?

1. The Police FIU expect IFTs to be ‘from account’, ‘to account’, however a significant number of reports don’t follow this structure e.g. Person￾Account or Person-Person.
2. IFTs are being reported with cash components, either as the destination funds type, source funds type, or both. The Police FIU would generally expect IFTs to use electronically held funds.
3. IFTs are being reported with “Unknown” provided as either the destination country, source country, or both.
4. IFTs are being reported with ‘New Zealand’ on both the ‘from’ and ‘to’ sides of the transaction.
5. An area of focus during on-sites, particularly on-going system assurance.

35 Any insights since Prescribed Transactions Reporting post-1 July? 6. Actual volumes are generally consistent with anticipated volumes from PTR Compliance Planning templates. 7. Banks not providing originating bank account information for inward IFTs (where DIA reporting entities are considered the beneficiary institution and have the reporting obligation). Key messages  Considerable effort and investment by reporting entities. Complex and constant changes.  The quality of reporting from the testing environment to production has decreased for some reporting entities.  On-going system assurance, no coding errors.

36 Any insights from the change to “Suspicious activity” reporting? • Since 1 July, 80 specific ‘Suspicious Activity Reports’ have been submitted. • Vast majority submitted by registered banks. • Good quality reports and limited rejections. • Suspected of tax evasion the most common description selected.

37 On-going CDD and existing customers Background • Some inconsistencies and ambiguous terms in AML/CFT Act regarding existing customers. • RBNZ has requested that Section 31 be included within scope of next statutory review of AML/CFT Act.

38 On-going CDD and existing customers • RBNZ considers priority should be given to the following areas:  Reviewing and updating (if required) CDD information for higher risk customers.  Reviewing existing customers who have a material change/trigger and become higher risk.  Existing customers where no identity verification is available.  Existing customers where there are suspicions of money laundering or terrorist financing.

39 On-going CDD and existing customers Good practice – but not a requirement • Review and update CDD verification where there is a face-to-face interaction with any customer. • Refresh identification documents if expired. • Obtain copies/images of identification documents where only a description was previously obtained. • Have a plan to review all existing customers and obtain up to date identification documents.