NZ AML/CFT Act. Phase 2 changes and impacts

26 April, 2024

Starting June 1, 2024, New Zealand will enact the second phase of amendments to the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act 2009. This second phase follows the first set of amendments that was enacted  in July 2023. The upcoming third phase will be enacted on June 1, 2025.

Let's dive into the significant updates regarding reporting entities' obligations under these new regulations. Reporting entities must ensure they have the necessary systems and procedures to comply with the updated obligations.

Risk Assessments

Reporting entities must review and revise their risk assessments to include emerging technologies, products, or delivery mechanisms before adopting them.

For example, if your firm recently replaced Google searches with an external screening tool to find adverse information on clients or related parties, you should update the relevant inquiry in your risk assessment template accordingly.

Customer Due Diligence Changes

Standard Due Diligence: Legal Persons (e.g. Private Companies) 

The information collection requirement for customers categorised as legal persons/arrangements is expanded under the new regulations. 

For legal persons like private companies or limited partnerships, reporting entities must collect and verify the following:

  • Legal form
  • Proof of existence
  • Ownership and control structure
  • Any governing powers and regulations
  • For companies: existence and names of nominee directors and shareholders
  • For limited partnerships: existence and names of nominee general partners
Standard Due Diligence: Legal Arrangements (e.g. Trusts)

For customers identified as legal arrangements such as trusts, reporting entities must collect and verify the following:

  • Legal form
  • Proof of existence
  • Ownership and control structure
  • Any governing powers and regulations
  • For trusts: identify the settlor(s) and any protector(s) of the trust

Verification Procedures 

Verification requirements vary based on the new information mandates. Reporting entities must authenticate details against documents, data, or information issued by a reliable and independent source. All other requirements must be verified against a reliable source.

This entails gathering official documents to validate the existence, legitimacy, ownership, and control of legal entities.

For example, for a private company, reporting entities could collect:

  • Company extract from the Companies Office or equivalent local registry- to show details of the company, business activities, registration number, registered address, directors and shareholders. 
  • Shareholding register - to show details of the shareholders if the legal entity is located in a jurisdiction with no public beneficial ownership information
  • Company constitution - to understand the rules, structures and regulations governing the company. 

For a trust, a reporting entity could collect:

  • A copy of the trust deed and any amendment deeds from the client - to understand the rules, structure, and regulations governing the trust and to identify the beneficial owners of the Trust.

For a limited partnership, a reporting entity could collect:

  • Limited partnership extract from the Limited Partnership register or equivalent local registry - to show details of the partnership, registration number, registered address, and general partner(s) information.
  • A copy of the limited partnership deed and any amendment deeds from the client - to understand the rules, structure, and regulations governing the trust and to identify the beneficial owners of the partnership.

Ongoing Customer Due Diligence (OCDD)

The new regulations require additional steps by reporting entities for ongoing due diligence. 

Reporting entities must review, update, and verify any changes in customer information based on the risk level of the customer and transaction. They should also assess the adequacy of the information collected for CDD and consider when it was last conducted.

The triggers for OCDD for a reporting entity may include:

  • Change in beneficial owners e.g. new director or shareholder >25% in a company, new trustees or appointors in a trust
  • Change in address jurisdiction to a higher-risk country e.g. moving address from New Zealand to Vietnam
  • Change in business activities to higher-risk activities e.g. business is now working with South African clients.

E.g. Your firm has OCDD alerts set for review every year for medium-risk clients. You are reviewing a NZ Company set at medium risk. During your review, you have identified that there is a new majority shareholder based in the Philippines (FATF High-Risk Country) and the current director has moved address. You will then need to verify the new beneficial owner, conduct EDD on the new shareholder and collect and verify the new address of the director.

Enhanced Due Diligence (EDD)

Differentiation between source of wealth or source of funds

Reporting entities are required to distinguish between when they should collect and verify a customer’s source of funds information, source of wealth information, or both.

This distinction should be outlined within the compliance program based on the reporting entity’s risk profile and exposure to money laundering risks.

E.g. Based on your reporting entity’s risk profile and exposure to money laundering risks, you may decide that source of wealth will be collected on all captured activities, however, for all conveyancing transactions you may decide that source of funds is more appropriate. 

Additional EDD Requirements

Additional EDD measures are prescribed if typical enhanced CDD measures are insufficient.

These include obtaining further information about a transaction, examining the purpose of a transaction, enhanced monitoring of a business relationship, and obtaining senior management approval.

Reporting entities could collect additional source of wealth/funds information by:

  • Expanding the time frame for already collected information e.g. collecting 6-12 months of bank statements VS 3 months of bank statements, past 3 years' financial statements for the entity
  • Asking for copies of annual returns, tax returns, and investment portfolio summaries 
  • Implementing stricter transaction monitoring controls for unexpected or large transactions.

Reliance within DBGs (Designated Business Groups)

A reporting entity within a designated business group may rely on another member's CDD procedures if they meet or exceed the standards required under the Act and its regulations.

For example, if a New Zealand-based real estate agency is part of an international franchise with offices in countries with equivalent AML requirements, reliance on those offices' CDD procedures may be possible.

Use of agents

Reporting entities who are using external agents to conduct CDD procedures and obtain any CDD information should update their compliance programmes to outline any procedures, policies, and controls relating to:

  •  Functions carried out by an agent of the reporting entity as part of the programme
  • Vetting agents who carry out functions of the reporting entity:
  • Training agents of the reporting entity on AML/CFT matters:
  • Maintaining a list of agents of the reporting entity acting in the AML/CFT programme.

Virtual assets

Virtual asset service providers (VASPs) safeguarding or administering virtual assets now face stricter AML requirements.

These regulations apply to transactions involving virtual assets of $1,000 or more. Virtual asset transfers are now defined as wire transfers under the AML Act.

Additional Reading

The 2023 Amendment Regulations in full can be found at the following links:

About First AML

First AML simplifies the entire anti-money laundering onboarding and compliance process. Its SaaS platform, Source, stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.

First AML transforms an otherwise complex and manual process into one that is simple, cost-effective, and compliant for businesses. By delivering efficiency and time savings, it protects reputations and enables companies to stay on the right side of history in the face of global threats.

Keen to find out more? Book a demo today! No time for a long demo? No problem. See what Source by First AML can do for your business in 2 minutes – watch the short demo here.