RBNZ Outreach – June 2019: Evolution in Enforcement

1

RE Outreach Seminar – Evolution in Enforcement 4 & 7 June 2019 Reserve Bank of New Zealand AML/CFT Supervision Team

3 Overview • Today’s objective is to clearly communicate to our Reporting Entities (REs) upcoming changes in our supervisory approach. • Given the maturity of the AML/CFT Act 2009, our tolerance for REs missing the mark is reducing and as a result our appetite for taking formal enforcement action following breaches is increasing. • We continue to see inadequacies, particularly relating to AML/CFT Risk Assessments, and we consider more significant action is required to remedy this. • Our appetite for taking more formal enforcement action will increase on 1 September 2019.

4 History of AML/CFT in NZ (RBNZ lens) • 16 October 2009 – AML/CFT Act 2009 is passed into law. • September 2010 – RBNZ publishes AML/CFT responsibilities and approach. • 30 June 2013 – AML/CFT Act 2009 comes into effect. • March 2015 to December 2016 – Four formal warnings published by RBNZ. • Throughout 2017 and 2018 – Onsite inspections reveal more deficiencies than we would expect, particularly in the area of Risk Assessments. • 4 & 7 June 2019 – RBNZ communicates its reduced tolerance for breaches and deficiencies.

5 Changes to our key terms Material Breaches: The reporting entity has failed to meet the requirements of the AML/CFT Act and the implications of the failure are considered to be material from an outcome perspective. This will be referred to RBNZ’s Enforcement team, who will conduct an independent investigation of the material breach. Examples

1. For a significant portion of its customer base, a reporting entity has failed to take reasonable steps to determine whether those customers, or any beneficial owners, are Politically Exposed Persons.
2. For a significant portion of its customer base, a reporting entity has failed to conduct the required customer due diligence. Minor Breaches: The reporting entity has failed to meet the requirements of the AML/CFT Act but the implications of the failure are considered less than material from an outcome perspective. This may be referred to RBNZ’s Enforcement team. Remedial action will be required to achieve on-going compliance. Examples
3. A reporting entity has failed to submit its AML/CFT Annual Report by the due date, but submitted it within a short period after the due date.
4. During an on-site visit, RBNZ sample testing identified of a small number of customer files where address verification had not been effectively completed.

6 Changes to our key terms Deficiencies: Aspects of the reporting entity’s compliance with AML/CFT requirements that are considered inadequate by the supervisor. This may be referred to RBNZ’s Enforcement team. Remedial action will be required to achieve on-going compliance. Examples

1. A reporting entity has only implemented a basic vetting check (e.g. a reference check) as part of their vetting procedures. This control is not considered adequate.
2. A reporting entity has implemented account monitoring scenarios, but for some of these scenarios the threshold is not considered appropriate. Recommendations: RBNZ considers it good practice. These recommendations do not require action to be taken but it is advised. These are usually procedural type updates, enhancements or amendments to documentation. Recommendations will usually not require system changes. Examples
3. RBNZ recommends the ‘2nd line’ team within the reporting entity conduct thematic reviews of higher ML/TF risk areas or new/emerging areas of ML/TF risk.
4. RBNZ recommends the reporting entity undertake a risk based retrospective exercise for those staff employed before 30 June 2013 and conduct relevant vetting checks where appropriate.

7 Enforcement Action • There is a range of formal enforcement actions the RBNZ is able to take, granted under Part 3 of the AML/CFT Act. • This includes (but is not limited to); • Formal warnings (Previously used 4 times) • Enforceable undertakings (Previously used once) • Seek an injunction from the High Court (Yet to be used) • Apply to the court for pecuniary penalties (Yet to be used)

8 Statement of Enforcement From the Reserve Bank’s responsibilities and approach; (Reserve Bank of New Zealand: Bulletin, Vol. 73, No. 3, September 2010) “we are tasked with investigating the firms we supervise and enforcing compliance. To this end, the Act sets out a range of both civil and criminal sanctions for breaches of firms’ obligations. As part of our overall approach to AML supervision, we will be prepared to use appropriate sanctions against firms who are not meeting their legal obligations or not taking AML risk management seriously, and are falling short of the required standards. Not every breach of the Act will result in enforcement action and each specific breach will be judged on its individual merits. We intend developing an enforcement strategy that makes it clear that a firm will more likely face sanctions if there are significant and serious breaches; if a firm has been notified of breaches and failed to deal with them appropriately*; or if breaches are deliberate or reckless.” *Please consider this presentation as further notification regarding our enforcement approach, particularly in regards to Risk Assessments.

9 https://www.rbnz.govt.nz/regulation-and-supervision/statements-of-approaches/statement-of-enforcement-approach

10 Formal Warnings Issued by RBNZ JP Morgan Chase bank N.A. New Zealand Branch (March 2015) …The RBNZ has reasonable grounds to believe that for a period of approximately four months in 2013, JPMNZ’s AML/CFT risk assessment did not fully meet all the requirements of section 58(3) of the Act. The Act requires a reporting entity’s AML/CFT programme to be based on its own risk assessment. As a result, a reporting entity’s risk assessment comprises the essential foundation of an adequate and effective AML/CFT programme. The RBNZ expects the risk assessment of every reporting entity that it supervises to comply with section 58 of the Act.

11 Formal Warnings Issued by RBNZ Kiwibank Limited (October 2015) …The RBNZ has reasonable grounds to believe that for various periods of time between 30 June 2013 and June 2014, Kiwibank did not fully meet all the requirements in respect to the following customer due diligence (CDD) obligations under the Act: • did not always conduct CDD on the beneficial owner of a new customer and any person acting on behalf of a new customer (as required under sections 14(a) and 11(1)(b) and (c)); • did not collect addresses of customers performing occasional transactions (as required under section 15(d)); • did not always conduct screening of politically exposed persons (as required under section 26); • did not always take reasonable steps to verify information relating to the source of funds or the wealth of the customer (as required under section 24(1)(b)); and • did not consider terminating customers’ accounts in response to its ongoing non-compliance with section 24(1)(b) (as required under section 37). As a result Kiwibank’s AML/CFT programme did not, during the specified period, fully include adequate and effective procedures, policies, and controls for complying with its CDD requirements as required by section 57(c).

12 Formal Warnings Issued by RBNZ TSB Bank Limited (November 2016) …The Reserve Bank has reasonable grounds to believe that between 30 June 2013 and 9 June 2016, TSB Bank was not reviewing and keeping up to date its AML/CFT risk assessment as required under section 59 of the Act, despite being advised it was required to do so by the Reserve Bank following an on-site review in 2013.

13 Formal Warnings Issued by RBNZ Aotearoa Credit Union (December 2016) …The Reserve Bank has reasonable grounds to believe that during the time period between 30 June 2013 and 2 February 2015, ACU did not meet the following obligations under the Act: • The obligation to conduct ongoing customer due diligence and account monitoring (section 31(2)); • The requirement to report suspicious transactions in the prescribed form, within three working days of a suspicion being formed (section 40); • The requirement to have adequate and effective procedures, policies and controls to monitor and manage compliance with the AML/CFT programme (section 57(l)); and • The obligation to comply with customer due diligence requirements, including ongoing customer due diligence and account monitoring (section 57(c)).

14 Risk Assessments

15 Between July 2015 & December 2018, 31 findings directly related to the Risk Assessment (Section 58) 0 1 2 3 4 5 6 7 Jul 15 -Dec 15 Jan 16 - Jun 16 Jul 16 - Dec 16 Jan 17 - Jun 17 Jul 17 - Dec 17 Jan 18 - Jun 18 Jul 18 - Dec 18

16 Risk Assessments – Common issues • Failure to adequately assess risk, including insufficient consideration given to; • customer types • jurisdictional risk • product risk etc. • Failure to clearly distinguish between inherent and residual risk • Failure to refer to correct supervisor/FIU guidance • Limited or no data used to arrive at conclusions

17 Comments we’ve made • Risk Assessment focuses on internal controls rather than assessment of ML/TF. • RBNZ considers RE’s methodology in identifying and determining its level of ML/TF risk is inadequate, ineffective and flawed. The Risk Assessment identifies the RE (a bank) as an inherently Low Risk reporting entity. • RBNZ notes that within its Risk Assessment RE has rated Trusts as having a medium level of inherent ML/TF risk. RBNZ does not consider that the RE has fully considered the risks associated with Trusts within its Risk Assessment. • RE Risk Assessment documents indicate that Family Trusts are rated as Low risk. RBNZ considers all Trusts to be a High risk to ML/FT. • Following a review of RE’s assessment of the ML/TF risk for the various products and services on offer, RBNZ found inconsistencies in how each product and service had been scored.

18 Comments we’ve made • RBNZ considers that RE’s Risk Assessment methodology of combining inherent and residual risk is inadequate. RBNZ considers RE’s assessment of being a medium ML/TF risk reporting entity to be incorrect. RBNZ considers RE to be an inherently high ML/TF risk reporting entity because it is a retail bank and presents a number of ML/TF vulnerabilities. • RBNZ considers that RE’s Risk Assessment is only partially adequate, as it does not comply with sections 58(2)(g) and 58(3)(a) and has not been kept current in accordance with section 59(1)(a). • RE’s Risk Assessment at times does not clearly distinguish between inherent and residual risk. As a result of this, the ratings of some of the customer types and products/services within RE’s Risk Assessment in some instances are inconsistent with RBNZ’s AML/CFT Sector Risk Assessment 2017. • RE’s Risk Assessment does not have sufficient regard to RBNZ’s Sector Risk Assessment and the risk assessment methodology used does not take into account the ML and TF risks that are specific for New Zealand. RE’s Risk Assessment does not include an assessment of terrorism financing risk.

19 Minimum Requirements • Your Risk Assessment is expected to determine the level of inherent ML/TF risk faced by your business, as advised in the SRA. You may choose to include residual risk as well. • Your Risk Assessment must consider the guidance published by the supervisors and the FIU (S58(2)(g)). If there is no evidence that you have reviewed the appropriate guidance this may be considered a breach. To satisfactorily demonstrate that you have reviewed the appropriate guidance you can match your risk ratings to the SRA/NRA, or provide comments to explain any discrepancies.

20 Minimum Requirements • Your Risk Assessment should be clear and easy to read. If it contains too much technical language, then it might be difficult for its audience to understand, reducing its adequacy. • Your Risk Assessment and Programme needs to be reviewed, as well as audited, every two years. The review period is not prescribed by the AML/CFT Act, however we consider best practice to be a review following (and therefore incorporating any findings from) your Section 59 Audit. You should organise yourself in such a way that this is completed every two years (i.e. within 24 months from the last one).

21 Guidance • In meeting the requirements of the Act, the guidance you should be currently considering includes: • National Risk Assessment 2018 (FIU) • Sector Risk Assessment 2017 (RBNZ) • Triple-branded guidance documents (available on our website) • Relevant FIU reports & other guidance • This presentation (available on our website)

22 Summary and next steps

23 Drivers of an enforcement referral • Material breaches – All material breaches will be considered for enforcement. • Too many minor breaches or deficiencies – Multiple small issues can be symptomatic of a larger underlying issue. • Repeated infringements and/or failure to act on Supervisor actions.

24 Where to from here? • We expect that following this outreach, entities will review their Risk Assessment to ensure it meets the required standard. • In coming years, the RBNZ will continue to outline thematic findings from their prior onsite reviews and may identify further areas for increased scrutiny. • For example, recent on-site inspections have also identified regular weaknesses relating to Section 57(1)(l); Monitoring and managing compliance.

25 Other Messages

26 Inconsistent Interpretation • We occasionally hear from RE’s that there are concerns of inconsistent interpretation across the three Supervisors (RBNZ, DIA & FMA). • Areas of inconsistency are discussed at the Sector Supervisor Forum on a fortnightly basis, with a view to ensuring a consistent approach is agreed and applied across the Supervisors. • We want to hear about it. Please let us know if you come across or hear of an inconsistency. • There is a difference between an inconsistent approach and inconsistent interpretation; • Supervisors will often take a different approach, given the nature, size and risk associated with their sector. • However, supervisors should interpret the Act in a consistent way.

27 What to expect – Mutual Evaluation FATF On-site: 2 – 20 March 2020 The FATF Secretariat indicated they would likely meet with four or five banks (a mixture of ones with Australian parents, domestic banks, global presence, those who have been required to complete some remediation) as well as some NBDTs and life insurers. Interviewees need to be open and honest and talk about ‘the good, the bad and the ugly’. There will be a focus on trusts in New Zealand including onboarding trusts. Other potential focus areas include: company formation agents, sanctions screening, correspondent banking, debanking, crypto currency businesses, and terrorism financing. They have also indicated questions will be asked on standard items such as CDD, PEPs, Beneficial Ownership, and SAR obligations. Interviews with public and private sector agencies will mostly focus on what happens on a day-to￾day/operational basis. E.g. Can you please explain how you conduct an on-site or what is the process when you on-board a customer that is a trust? You will need to have the right people in the room – not necessarily the CRO/AMLCO – but the person/people who actually do the task under review.

28 Feedback / Questions? Email: amlcft@rbnz.govt.nz Attention: Chris Dawson We will collate your questions and provide feedback at the next available opportunity