Resources
Strategi has a number of resources clients can access that will help them meet their AML/CFT obligations.
Frequently asked questions
How should we do Politically Exposed Person (PEP) checks?
Either subscribe to a software solution which undertakes PEP and identity verification checks or place your business with a third party that provides you with a document confirming it will complete this work for you. For more information on PEPs see Strategi’s Guidance Notes section.
How should we verify the address of a non-NZ resident client?
When certifying an individual with a foreign address, copies of international identification and addresses provided by the client must be certified by a person authorised by law in the client’s country to take statutory declarations or equivalent. The trusted referee must not be a person involved in the transaction or business requiring certification.
Can I certify a client’s Customer Due Diligence (CDD) document?
No. The Amended Identity Verification Code of Practice 2013 contains a list of trusted referees who can certify identity documents. See our article below on AML/CFT document certification vs document verification.
As a part of conducting customer due diligence under the AML/CFT Act 2009, most reporting entities follow the customer identity verification requirements prescribed by the respective product providers. These meet the requirements contained in the Amended Identity Verification Code of Practice 2013 (IVCOP 2013). Reporting entities can:
- undertake document verification face-to-face with a client, or
- rely on copies of the documents provided by the client, which have been certified by a trusted referee (as listed in the IVCOP 2013), or
- undertake electronic verification of a client’s name, date of birth and address, using credit check tools or identification check tools.
Face-to-face document verification occurs when the client presents an original document to a staff member of the reporting entity, the staff member photocopies that document, and then confirms in writing that the copy is an exact replica of the original.
However, when some reporting entities attest documents obtained from clients in a face-to-face situation, they incorrectly use the word ‘certify’ in the attestation wording. Typically the attestation wording is along the lines below:
“I hereby certify that this is a true and correct copy of the original document.”
The IVCOP 2013 states that only trusted referees can undertake document certification. Trusted referees are those individuals who hold certain occupations prescribed by the IVCOP 2013 (for example a Justice of the Peace, Notary Public, registered medical doctor, registered teacher, MPs, etc. Please refer to the IVCOP 2013 for a full list of trusted referees.) It is likely some reporting entity staff members may also hold certain occupations prescribed by the IVCOP 2013, however when undertaking face-to-face document verification for AML / CFT purposes, staff members holding the above occupations should not use the word ‘certify’ but use the suggested wording, because these staff members are involved in the transactions.
Solution
To meet the requirements of the IVCOP 2013, avoid the use of the word ‘certify’ when attesting documents. Below are two suggested wordings:
1. I have sighted the original and confirm that this is a true copy.
I have sighted the original and confirm this is a true copy.
Jack Saw
Jack Saw Ltd
6 January 2018.
2. I have sighted the original and verify that this is a true copy.
I have sighted the original and verify that this is a true copy.
Jack Saw
Jack Saw Ltd
6 January 2018.
If you are using the word ‘certify’ when undertaking face-to-face document verification then you should immediately change to using one of the sample formats above.
For further information please contact the Strategi Compliance team.
As an auditor, can you use the word ‘breach’?
Yes. Auditors can use terms such as ‘breach’ to describe observed non-compliance with the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (the Act) or the Amended Identity Verification Code of Practice 2013 (the Code).
Auditors use several terms to explain their findings and to indicate the seriousness of the finding. The important takeout is the finding itself and the action you need to take – not the words used to describe it.
If I correct the breaches/non-compliance identified in the audit report, can you remove the relevant observations?
No. The audit is a systematic check on your AML/CFT risk assessment and programme during a specific period of time. Your report considers whether, during the audit period:
- the minimum requirements for an AML/CFT risk assessment and programme were met;
- the AML/CFT programme was adequate and effective throughout; and
- whether any changes were required to the AML/CFT risk assessment and programme.
We appreciate that many reporting entities have some apprehension about the audit. However, the purpose is not to catch you out or trip you up. It is an opportunity to identify any issues and to give you the opportunity to correct those issues before your next audit. Our findings simply provide suggestions (where needed), on how to improve your compliance with the AML/CFT Act 2009.
What are the consequences if my audit report reveals one or more breaches of the AML/CFT Act 2009?
A breach can be thought of in the same way as a complaint – it is an opportunity to learn and to improve. Remedying any breaches will help you to minimise the money laundering and financing of terrorism risks faced by your business.
If your AML/CFT supervisor requests the audit report, any issues identified in it may be discussed with you. It is likely that in many cases the supervisor will be more interested in what has been done to address a breach, than in the breach itself. Therefore, it is prudent to act on the recommendations as soon as you have received the audit report.
If you do not remedy an identified breach/non-compliance you may be subject to one or more sanctions or penalties as described in the AML/CFT Act 2009.
What is the difference between a ‘breach’ observation and a ‘best practice’ observation?
A ‘breach’ describes any area of non-compliance with the AML/CFT Act 2009, or the Amended Identity Verification Code 2013. Immediate action should be taken to address breaches of the Act.
A ‘best practice’ observation describes an area where Strategi Compliance recommends the reporting entity improves its documentation, so it is more complete. A best practice observation is not a breach of the law or Code – it is simply a recommendation on how an area could be improved. The recommendation is usually based on guidance (written or verbal) from a supervisor, the Financial Intelligence Unit (FIU), or findings from various reports such as Sector Risk Assessments/National Risk Assessments.
What should I do once I receive the final audit report?
Strategi Compliance recommends that when the final audit report is received, reporting entities should:
- undertake any appropriate remedial action recommended by the auditor and review and update the AML/CFT risk assessment and programme;
- include the audit report in a formal report to the board/senior management, and
- keep the audit report on file for five years (a record keeping obligation under the AML/CFT Act 2009).