You can read the full document  here.

Summary:

• The document talks about the importance of reporting entities as the “first line of defence in protecting the financial system from criminal abuse.” It reminds reporting entities that the onus is on them to identify, mitigate and manage their ML/TF risks. This is why it is so important that you understand the risks associated with your services and to be able to implement procedures and controls to combat them. 
• Throughout the document the DIA reinforces a partnership approach with reporting entities. For example, they talk about their role of providing support to reporting entities to build the capabilities that enable them (DIA) to achieve their AML/CFT purpose and goals (which is essentially to create a financial system that is free from criminal abuse). Don’t be afraid to seek their advice for fear of exposing weaknesses – it will have the opposite effect as they will see that you are working towards a common goal.
• There is a reminder that reporting entities can expect the method and intensity of their interactions with DIA to vary based on ML/TF risk profiles. The focus will be placed on entities, sectors, activities or transactions where the risks are higher or evolving. Although they don’t specify, we think a good example of this is in the world of virtual assets which is an ever evolving ML/TF risk area. The key point to take away is that just because you have been chosen for a review by your supervisor does not necessarily mean that you have done anything wrong. However, it pays to keep on top of new information and update your documentation regularly just in case this happens.
• One of the trends the Strategi team have noticed over the past few years is that when one of the supervisors’ issues guidance the others usually take the same stance and are not far behind in releasing communications of their own. So whether the DIA is your supervisor or not, it is important to pay attention to what they are saying.

What happens in the case of non-compliance?

The document outlines what might happen if you haven’t got things right or have chosen not to comply. There are four enforcement actions that the DIA can take:

1. Issue a formal warning, which requires a reporting entity to take specified actions to ensure compliance with the AML/CFT Act.  
2. Issue an enforceable undertaking that details specific actions your reporting entity must take to ensure it is compliant with the AML/CFT Act. If DIA considers your reporting entity has breached an enforceable undertaking, they can apply to the Court for orders to require the reporting entity to comply with the undertaking or pay a penalty.  
3. Seek restraining or performance injunctions and/or civil penalties in the High Court.  
4. Undertake a criminal prosecution. 

The decision to undertake take enforcement action is not automatic, the supervisor will consider the circumstances of each case and  this usually includes:

• The nature of the non-compliance, e.g. the type and severity of the non-compliance, whether it is systemic, intentional, or an isolated/one-off breach.  
• The ML/TF risk associated with the reporting entity and whether you have implemented appropriate policies, procedures and controls to mitigate the risk .  
• Your reporting entity’s willingness and effort to comply, e.g. compliance history, level of engagement with DIA.  
• Whether the non-compliance was voluntarily reported by the reporting entity. 

The Strategi Compliance team are here to help so don’t hesitate to get in touch  if you have any questions or concerns about any of the points raised in the document, or around AML/CFT in general. This is not a cause for panic but a reminder that you do need to get your ducks in a row when it comes to your AML/CFT plans.