It begs the question – If the DIA conducted an on-site inspection of your AML/CFT programme what would they find? With the new regime having been in place since 2019 it is no surprise they are getting tough.
Another indicator came via the release of results of a review conducted by the DIA from January to April 2023. The review focused on law firms, accounting practices and real estate agents’ compliance with the independent audit requirements of section 59 of the AML/CFT Act.
The review sought to identify common areas for improvement across their independent audits and determine the appropriateness of actions taken to address them. The main concern reported by DIA was that (in some cases) they identified that reporting entities had taken limited or no steps to address areas for improvement identified by their independent auditor.
When it came to identifying common areas for improvement, the DIA found that there were four common areas across all three sectors:
1. Identification of new customers – a lack of clear policies, procedures, and controls to verify the identity of customers that do not align to the Identity Verification Code of Practice (IVCOP).
STRATEGI TIP: Think of IVCOP as providing a ‘safe harbour’ for your business. By aligning your policies, procedures, and controls with IVCOP you are far less likely to have any regulatory issues.
2. Politically Exposed Persons (PEPs) – weaknesses in procedures adopted for conducting PEP checks.
STRATEGI TIP: Remember you are obligated to conduct a PEP check on every new customer. The procedure you follow will depend on the customers risk profile, but it must be appropriate, and it must be recorded. Google searches may not properly uncover whether a client is a PEP or not. If you are intending to use Google searches, then document why this is as good as or better than the formal PEP checks undertaken using recommended databases. There are a number of really good third-party providers to assist you to identify PEPs plus assist with other aspects of CDD.
3. Risk assessments – a lack of analysis specific to identifying and mitigating risks posed by the reporting entity’s products and services, methods of delivery and the institutions that it interacts with.
STRATEGI TIP: The important point here is that your risk assessments must be personalised to your business – generic risk assessments won’t cut the mustard with the regulator.
4. Generic templates – the continued use of generic templates that have not been customised to the reporting entity’s risks, context, and business.
STRATEGI TIP: Make sure you customise any templates you purchase. If you want feedback about whether your templates have been personalised enough, let us know and our team can review and provide recommendations.
Advice like this from the DIA provides an opportunity to understand where you might need to make improvements (and lessen the likelihood of encountering issues down the track). Remember our team is here to help you from basic questions right through to a full assessment to get you on the road to compliance. Give us a call today.