Customer Due Diligence: Companies Guideline - April 2024

1

AML/CFT Anti-money laundering and countering financing of terrorism Customer Due Diligence: Companies Guideline This guideline should be read together with the Beneficial Ownership and Enhanced Customer Due Diligence guidelines. April 2024

2 Introduction

1. This guideline is intended to support reporting entities1 to conduct customer due diligence (CDD) under the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act 2009 (the Act) on their customers who are companies.
2. Both New Zealand based companies and overseas companies that carry on business in New Zealand are required to be registered on the New Zealand Companies Register. Companies can have complex ownership structures, as well as multiple beneficial owners (the individual(s) who ultimately owns or controls a company) and persons acting on behalf of the company.
3. Knowing who the customer is, verifying information provided and establishing their risk profile assists in protecting reporting entities from misuse. Developing a clear understanding of the underlying persons that own or control a company is a key part of this.
4. This guideline is based on the requirements of the Act and has been produced by the AML/CFT supervisors under section 132(2) of the Act. This guideline does not constitute legal advice.
5. Examples provided in this guideline are suggestions to help you meet your obligations under the Act. They are not exhaustive and are illustrative in nature.
6. Section 57(2) of the Act requires you to have regard to this guideline, it is important that you have read and taken this guideline into account when developing your AML/CFT programme. After reading this guideline, if you still do not understand any of your obligations you should contact your AML/CFT supervisor or seek legal advice. Customer due diligence
7. CDD is a cornerstone of your AML/CFT programme. CDD is the process through which you develop an understanding of your customers, and the money laundering and terrorism financing (ML/TF) risks they pose to your business.
8. You must conduct CDD when you establish a business relationship with a new customer requesting services that are captured by the Act, or when a customer seeks to conduct an occasional activity or an occasional transaction. You must also conduct CDD on an existing customer in certain circumstances.
9. The Act requires you to carry out CDD on: 2 a. your customer b. any “beneficial owner” of a customer c. any person acting on behalf of a customer 1 Within the meaning of section 5(1) of the Act. 2 This guideline does not cover CDD requirements for wire transfers, politically exposed persons, new or developing technologies or correspondent banking relationships.

3 10. The CDD process you follow (simplified, standard, or enhanced) is determined by the level of risk posed by your customer. Customers Simplified CDD 11. You can conduct simplified CDD on specific types of companies that are considered low risk for ML/TF. 3 12.This includes:4 • publicly listed companies and their subsidiaries • publicly listed overseas companies and their subsidiaries from low-risk jurisdictions • publicly listed issuers • state owned enterprises • crown entities 13.When simplified CDD applies, you need to record the full legal name of the company. You should record a brief explanation of how it qualifies for simplified CDD. You also need to collect information about the nature and purpose of your proposed business relationship with the company. Standard CDD 14.When standard CDD applies, you need to obtain the following identity information about a company: • full legal name • the company’s address or registered office • identity or registration number5 15.You must verify this information using documents, data or information issued by a reliable and independent source. You must take reasonable steps to verify the information.6 16.You also need to obtain information on the nature and purpose of the proposed business relationship between you and the company, and sufficient information to determine whether the company should be subject to enhanced CDD. 7 Any beneficial owner of a company 17.If you want to do business with a customer that is a company, you must identify and verify the identity of the company’s beneficial owner(s).8

3 Effective 1 June 2024, Regulation 12AA of the AML/CFT (Requirements and Compliance) Regulations 2011 states that enhanced CDD must be conducted if there are grounds to report a suspicious activity in circumstances otherwise eligible for simplified CDD. 4 See section 18(2) of the Act for the full list of who can qualify for simplified CDD. 5 Section 15 of the Act. 6 Section 16(1)(a) of the Act. 7 Section 17 of the Act. Refer also to the Enhanced Customer Due Diligence Guideline for more information. 8 There are some exceptions to this, including any company which qualifies for simplified CDD.

4 18.A beneficial owner is the individual(s) (i.e. a natural person(s)) who ultimately owns or controls the company. It is crucial to know who the beneficial owner(s) is so that you can make appropriate decisions about the level of ML/TF risk presented by the company. Refer to the Beneficial Ownership Guideline for further information. 19.You must identify all beneficial owners. For each beneficial owner of a company, you must obtain the individual’s full name, date of birth, address, and their relationship to the company (for example shareholder, director or CEO). You must then take reasonable steps, according to the level of ML/TF risk, to verify this information, so that you are satisfied who the beneficial owner is. You must also take reasonable steps to determine if the beneficial owner of the company is a politically exposed person.9 20.To identify the beneficial owner(s), you should establish and understand the company’s ownership and control structure. This includes identifying and examining any nominee director or shareholder arrangements that are in place (see paragraphs [22] to [25] below). The individual’s ownership or control may be indirect, for example through several layers of ownership. Where a shareholder (or director in other jurisdictions) or any other party holding a similar role is a legal person or arrangement, the beneficial owner(s) of that legal person or arrangement should be identified. 21.Where there are complex ownership structures with no reasonable explanation, you should consider the possibility that the structure is used to hide the beneficial owner(s), whether enhanced CDD should be conducted, and whether a suspicious activity report should be submitted. Nominee directors or nominee shareholders 22.The involvement (or otherwise) of a nominee director or a nominee shareholder in a company is an important consideration when assessing the level of ML/TF risk. 23.A nominee director or nominee shareholder is a person who must follow, or is accustomed to follow, the instructions or directions of another person who is not a director or shareholder of the company when carrying out their role.10 This other/instructing person is sometimes called a ‘shadow director’ or ‘silent partner’. This relationship can be informal (such as acting on the verbal instructions of a family member or a business associate), or formal (such as setting up a nominee director agreement with a professional intermediary such as a lawyer, accountant, or trust and company service provider). 24.Nominee director or nominee shareholder arrangements are sometimes used to protect or disguise a company’s beneficial owner(s). For example, a nominee director could make all their decisions on the instructions of an underlying third party, who in 9 Section 26 of the Act. 10 Note that ‘nominee director’ and ‘nominee shareholder” are not recognised terms used under the Companies Act 1993. However, these terms are defined for the purposes of the Act – refer Regulation 3 of the AML/CFT (Requirements and Compliance) Regulations 2011. Note also that these terms are used in some other countries, which will be relevant if you establish a business relationship with a customer that is an overseas company.

5 practice is the natural person with effective ownership or control of the company. In this circumstance, the underlying third party would be considered a beneficial owner of the company. 25.While there are legitimate reasons for the use of nominee directors or nominee shareholders, companies which have these arrangements also present a higher ML/TF risk. Nominee director or nominee shareholder arrangements can be misused to facilitate money laundering and other types of criminal offending. For example, criminals or terrorists can use nominees to obscure their involvement in a transaction or activity. Additional standard CDD requirements for companies 26.Effective 1 June 2024, Regulation 11 of the AML/CFT (Requirements and Compliance) Regulations 2011 introduces additional requirements when conducting standard CDD for a company. 27.This regulation formalises the information you are required to obtain and verify as part of standard CDD. 11 This is intended to assist you to understand the company’s legal structure(s), to accurately identify its beneficial owner(s) (refer paragraph [17] to [21] above) and in turn, assist to determine the level of risk associated with the company. 28.Under Regulation 11, you must obtain, and according to the level of risk verify, information relating to: • the company’s legal form and proof of existence; • the company’s ownership and control structure; • any powers that bind and regulate the company; and • the existence and name of any nominee directors or nominee shareholders.12 29.The AML/CFT supervisors consider that these requirements can be read in combination with each other. For example, information on the powers that bind and regulate the company can assist you to understand the company’s ownership and control structure. The powers that bind and regulate can also assist you to identify the beneficial owners and the basis on which they are a beneficial owner, whether through ownership and/or effective control (refer to paragraph [34] below). 30.The supervisors also consider that this regulation will assist you to meet the requirement in the Act to obtain sufficient information to determine whether the company should be subject to enhanced CDD (refer paragraph [16] above). 31.In practice, complying with the regulation can (and should) be aligned with your existing procedures, policies and controls (PPCs) in place to identify and verify the 11 Section 14(1) of the Act. 12Amended Regulation 11 - AML/CFT (Requirements and Compliance) Regulations 2011 (effective 1 June 2024). This extends existing requirements to obtain information and verify the existence and name of a nominee director or nominee shareholder (for a company).

6 existence of a nominee director, a nominee shareholder13 and in turn, the identity of the beneficial owner(s). 32.It may be necessary to include some additional questions as part of your onboarding process to comply with Regulation 11. However, for company types you are familiar with and onboard regularly (e.g. New Zealand incorporated companies), this does not need to be extensive (unless the level of risk requires it). 33.Obtaining required information – The first step is to ask for the information from the company. This could include asking direct questions (verbally or in writing) or by using yes/no tick box questions (for example on an application form). You should record the company’s responses in writing, including retaining any written correspondence you receive. You must obtain information on the following: • the company’s legal form and proof of existence: • the company’s ownership and control structure: • the powers that bind and regulate, this could be a company constitution or shareholders agreement (or equivalent): • the existence and name of any nominee director(s) or nominee shareholder(s): • the names, dates of birth and addresses of the beneficial owner(s) and their relationship to the company (refer paragraph [19] above): 34.You should also obtain information on the basis on which each person meets the definition of beneficial owner (i.e. their position/shareholding) and whether they meet the definition through ownership and/or effective control. Information relevant to this may include: • the number and names of any shareholders, their capital contribution, shareholding interest, distribution rights, voting rights and/or powers: • the number and names of any directors, their powers of management, powers to bind the company and/or voting rights: • (if applicable) whether there is a formal nominee agreement and the reasons for the nominee arrangement: 35.Verification requirements - You must take reasonable steps to verify the information you have obtained (as set out in paragraph [33] and [34] above) according to the level of risk involved. 36. Your PPCs for verifying the information should be based on the level of risk. For a company determined to be lower risk, the verification you undertake can be less extensive. However, if a company is higher risk, the extent of the verification you undertake must be robust. 14 37. In relation to the company’s legal form and proof of existence, ownership and control structure and any powers that bind and regulate the company, the verification must 13 Required since 9 July 2021 under current Regulation 11 of the AML/CFT (Requirements and Compliance) Regulations 2011. 14 There should be controls in your AML/CFT programme to ensure this occurs. This could include escalating decisions to a higher management level for sign off.

7 be on the basis of data, documents or information from a reliable and independent source. 15 In many circumstances, you may be able to utilise publicly available information, such as on a Companies Register. 38.In relation to the existence and name of any nominee director or nominee shareholder, you are only required to verify this using information, documents or data issued by a reliable source. It does not need to be independent. 16 You can therefore use information, documents or data issued by the company. This may include: • written confirmation from another director confirming the name of the nominee director. • written confirmation of any nominee relationship(s) (formal or informal). • a copy of a written agreement in place between any nominees and the person whose instructions or directions the nominee follows or is accustomed to follow. When is enhanced CDD required? 39.When your customer is a company, you must conduct enhanced CDD in specific circumstances: • if you are establishing a business relationship with a company, or the company seeks to conduct an occasional transaction or activity, and the company: o is a vehicle for holding personal assets o is a non-resident customer from a country that has insufficient AML/CFT systems or measures in place o has a nominee shareholder or shares in bearer form. 17 • if you are establishing a business relationship with a company that has one or more nominee directors. 18 • the company seeks to conduct a complex, unusually large or unusual pattern of transactions that have no apparent or visible economic or lawful purpose. 19 • you assess the company (based on your risk assessment, the situation and your standard CDD) to present a higher ML/TF risk. 20 • if the company is an existing customer or is conducting an occasional transaction or activity and a suspicious activity report (SAR) must be reported, as soon as practicable after you become aware you must report a SAR.21 In this circumstance, the supervisors' view is that conducting enhanced CDD prior to submitting the SAR would strengthen the quality and usefulness of the SAR. 22 40.When enhanced CDD applies, you must obtain and verify the same identity information as required by standard CDD. You must also obtain and verify, according to the level of risk, information about the source of funds or source of wealth (or both) 15 Regulation 11(3)(a) of the AML/CFT (Requirements and Compliance) Regulations 2011 16 Regulation 11(3)(b) of the AML/CFT (Requirements and Compliance) Regulations 2011 17 Sections 22(1)(a) and 22(1)(b) of the Act. 18 Regulation 12 of the AML/CFT (Requirements and Compliance) Regulations 2011. 19 Section 22(1)(c) of the Act. 20 Section 22(1)(d) of the Act. 21 Section 22A of the Act. 22 The supervisors acknowledge it may not always be practicable to complete enhanced CDD prior to submitting the SAR.

8 of the company. Effective 1 June 2024 additional enhanced CDD measures may also be required.23 41.Refer to the Enhanced Customer Due Diligence Guideline for further information. Any person acting on behalf of a company 42.You must also identify and verify the identity of any person acting on behalf of a company, and their authority to act. A person is acting on behalf of a company if they are authorised to carry out transactions or other activities with you on the company’s behalf. This includes persons such as an accountant or another person able to transact on the business account. 43.You must obtain the person’s full name, date of birth and address (if an individual), full name, entity identifier or registration number, address or registered office (if not an individual), and the person’s relationship to the company. In some circumstances, this person may also be a beneficial owner of the company. In other circumstances, this may be an additional person that you must conduct CDD on. When entities are appointed, you also need to identify the individual(s) representing the entity. Identification and verification of all such individuals must be to the extent required by the Act. 44.When a company is a customer with whom you have an existing business relationship, you must identify the identity of any new person acting on behalf of the company. This applies when you have previously conducted CDD on the company. You must obtain the full name and date of birth of the new person acting on behalf of the company, and their relationship to the company.24 45.You must take reasonable steps, according to the level of ML/TF risk, to verify the information you have obtained, so that you are satisfied who the person is and that they have authority to act. 46.Refer to the Acting on behalf of a customer factsheet and Beneficial ownership guideline for further information. AML/CFT programme 47.Your procedures, policies, and controls for CDD must be documented in your AML/CFT programme. This should include how your business will determine the applicable level of CDD required, and what you will do if you are unable to conduct CDD. 23 Regulation 12AB of the AML/CFT (Requirements and Compliance) Regulations 2011. 24 Section 18(3) of the Act. Note also Part 19 of the AML/CFT Class Exemptions Notice 2018. This provides an exemption from the requirement to conduct CDD (under s18(3) of the Act) on a person acting on behalf of a customer by electronic means, subject to certain conditions and a written agreement between the reporting entity and the customer.

9 Version History April 2013 Original version July 2019 Reviewed with no changes made. October 2022 Full revised version. The additions to the guideline reflect regulation changes that expand the types of companies that qualify for simplified CDD and require CDD for nominee directors. Minor changes have been made to the guideline to reflect the enhanced CDD guideline. The remaining changes are not substantial and have been made for reasons of clarity. April 2024 Updated following new regulation effective 1 June 2024 with additional standard CDD requirements for legal persons. Disclaimer: This guideline has been produced by the AML/CFT supervisors under section 132(2)(c) of the Act. It is intended to assist reporting entities to understand their customer due diligence obligations under the Act for their customers who are companies. This guideline does not constitute legal advice. Where AML/CFT Guidelines are referenced, they can be accessed at the following websites: Department of Internal Affairs http://bit.ly/2gQ3Iev Reserve Bank of New Zealand http://bit.ly/2n6RYdp Financial Markets Authority https://bit.ly/3fjcKlD