In the know burning questions

AML/CFT News and updates

06 December 2022

You asked, we answered.

We’re committed to covering the questions and content that you want to read. If you don’t see your question below, keep your eyes peeled in future editions of In the know.

Should I include residual risks in my risk assessment?

It may be useful to assess your residual risk (the risk after your AML/CFT controls and mitigations) as part of your risk assessment; this is a business decision. If your risk assessment covers residual risk, you will need to document and demonstrate how you arrived at your residual risk ratings.

However, primarily we expect that your risk assessment deals with your inherent risks (the risks presented before you apply controls and mitigations).

For more information on risk assessments, please refer to the Risk Assessment Guideline (PDF, 153KB).

Can you please provide more detail with regard to organisations using generic templates?

We see reporting entities using untailored generic templates from time to time. You may have read about this in Common areas of non-compliance.

Templates have been provided to some reporting entities as a starting point to shape risk assessments and AML/CFT programmes. While a template can help structure your risk assessment or programme, it needs to be tailored to reflect your business’s particular ML/FT risks.

Generic content relating to the ML/FT risks associated with a sector, without consideration of that reporting entity’s business, will not comply with section 58 of the AML/CFT Act.

Can we verify identities over Zoom/FaceTime without meeting clients in person? Does this comply with the provisions in the Identity Verification Code of Practice (IVCOP)?

We do not consider a purely visual human eye inspection on a video conference call (Zoom/FaceTime) of a person holding their identity document sufficient to link the person to their claimed identity and satisfy the requirements of IVCOP.

However, there are various other ways that the “linking” provisions of IVCOP can be met without you having to meet your clients in person.

For more information on verifying client identities remotely, please refer to the Explanatory Note: Electronic Identity Verification Guideline (PDF, 342KB).

Can you please advise who we should contact if we believe our practice is no longer captured by the AML group?

If you believe you are no longer captured by the AML/CFT Act, we’re interested in hearing from you. Getting in touch is easy! Send an email to, and one of the team will be able to help.

This news item is provided for information purposes only and cannot be relied on as evidence of complying with the requirements of the AML/CFT Act. It does not constitute legal advice and cannot be relied on as such. If you do not fully understand your obligations under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, you should seek suitable professional or legal advice or contact your supervisor, the Department of Internal Affairs (DIA) at