Legal Sector Regulatory Findings

21 July 2020

This article is a summary of the Department’s findings for the legal sector (law firms and sole practitioners) from its compliance assessments undertaken from January 2019 to January 2020.

Top 5 “compliant” areas

1. Compliance Officer

An area that lawyers are getting right is the compliance officer role. Under the Anti-Money Laundering and Countering Financing of Terrorism Act (the Act), a reporting entity must appoint a compliance officer. This is an important role as the compliance officer is responsible for administering and maintaining the AML/CFT programme.

We check that you have appointed someone to this role and look at whether they are an employee who reports to a senior manager. If you are a sole practitioner, we expect you to be the compliance officer in most situations.  

2. Risk-based customer due diligence

Your AML/CFT requirements are “risk-based”. This means you must assess the risk your business faces from money launderers and terrorism financiers in a written risk assessment. You must then apply procedures, policies, and controls to effectively manage your risks.

Customer due diligence (CDD), the process by which you understand your customers and understand the ML/TF risks they pose to your business, must also be risk-based. We found that this obligation is understood by the legal sector in its AML/CFT documents.

3. Regard to applicable guidance material

We found that most lawyers have considered guidance material produced by the AML/CFT supervisor and the Financial Intelligence Unit (FIU). This includes the New Zealand National Risk Assessment (PDF, 488KB, Police website) and the DNFBP Sector Risk Assessment (PDF, 1MB). These documents assist you to understand the types of money laundering or terrorism financing risks your business may face.

When undertaking a compliance review, we check to see if you have considered these documents in your risk assessment and in developing the policies and procedures for your AML/CFT programme.

4. Assessing the risk of your methods of delivery

When undertaking your risk assessment, you must have regard to the methods by which you deliver your products and services to your customers.

We found that the legal sector is sufficiently assessing the risk concerning their methods of delivery. For example, they consider the risks of dealing with customers face-to-face, non-face-to-face, and the use of agents and intermediaries.

5. Assessing the risk of your products and services

When undertaking your risk assessment, you must also have regard to the different products or services you offer.

We found that the legal sector is sufficiently assessing the risk concerning their products and services. For example, they are considering whether their services allow for anonymity, whether they could conceal an ultimate beneficial owner or the source of wealth or funds of their customer. 

Top 5 “non-compliant” areas

1. Examining and keeping written findings, and adopting additional measures, for dealing with countries with insufficient AML/CFT systems

An AML/CFT programme must contain procedures, policies, and controls for monitoring, examining, and keeping written findings relating to business relationships and transactions involving countries that do not have or have insufficient AML/CFT systems. Additional measures should also be implemented for dealing with or restricting dealings with such countries.

We found some lawyers are unsure how to determine which countries have insufficient AML/CFT systems or how to apply these requirements. In practice, the Financial Action Task Force (FATF) list of high-risk and other monitored jurisdictions (FATF website) should assist your AML/CFT programme relating to countries with insufficient AML/CFT systems.

That said, it is also important to note that the money laundering and terrorism financing risks associated with a country are wider than whether it has insufficient AML/CFT systems. For example, they include whether it has high levels of organised crime, bribery or corruption, or is known as a tax haven, or whether it borders a conflict zone or is associated with the production of or transnational shipment of illicit drugs. For more information on country risk, please refer to the Countries Assessment Guideline (PDF, 138KB).

2. Amended Identity Verification Code of Practice 2013 (IVCOP)

You may choose to comply with IVCOP when verifying the identity of a customer (that is a natural person). IVCOP provides a ‘safe harbour’ for the requirement to verify the name and date of birth of a customer assessed to be low or medium risk. Alternatively, you may decide not to comply with IVCOP and instead to adopt equally effective means to verify a customer’s identity. If so, you should consider whether to ‘opt-out’ of IVCOP by providing written notification to the Department.

When undertaking our compliance assessments, we consider whether you comply with IVCOP or have implemented equally effective means. If you use Part 1 or 2 of IVCOP, we check whether you have an exception handling procedure for a customer who is unable to satisfy the identity requirements. Make sure you document and keep records of how and why the customer was unable to comply and the process you followed. We also noticed that in some cases, lawyers have been using an exception handling procedure for when their customer has forgotten their identity documents, which is not compliant.

3. Examining and keeping written findings for large, complex and unusual patterns of transactions

Your AML/CFT programme must set out how you will examine and keep written findings relating to complex or unusually large transactions and unusual patterns of transactions that have no apparent or visible lawful purpose. This requirement also applies to any other activity that, by its nature, may be related to money laundering or terrorism financing. What these areas of heightened risk look like for you, including what is “complex”, “unusually large” or an “unusual pattern”, will depend on your business.

Your first step to complying with this obligation is to identify your money laundering and terrorism financing risks in your risk assessment. Your findings need to be worked into your account monitoring procedures in your AML/CFT programme, with triggers for you to investigate or examine further. Part of this examination may be to conduct enhanced customer due diligence, requiring you to obtain and verify information regarding your customer’s source of funds or wealth.

The outcome of your examination should be recorded as your “written findings”. After looking into the activity or transactions, you may conclude that the activity was not suspicious. You should record this reasoning as part of your record-keeping. We recommend keeping a register of findings for large, complex or unusual patterns of transactions or other activities you have examined to meet this obligation. 

The process of identifying risks, through to examining, conducting additional customer due diligence if required, and keeping written findings, is an area in which some lawyers are not fully compliant. This may be because lawyers are seeing the various requirements of the Act as separate, whereas in fact, many of the obligations overlap and reinforce each other. It is important to consider how your processes for each obligation can work together, be manageable, and protect your business from misuse for money laundering or terrorism financing.

We found that lawyers are aware of this obligation, but they do not have procedures or controls to identify complex or unusual transactions or activities, investigate them or record their findings. We are also seeing highly complicated processes and procedures written into the AML/CFT programme, and when we visit there is no evidence to show the business is following its procedures.

The diagram below shows how different obligations can work together.

Interlocking parts of an arrow pointing left to right across the page: Identified risks > Account monitoring triggers > Examine and keep written findings > Enhanced customer due diligence > Suspicious activity report.

4. Prescribed transaction reporting (PTRs)

If a customer conducts a prescribed transaction through your business, you must report the transaction to the FIU using goAML. A prescribed transaction means a transaction conducted through your business that is an international wire transfer or a domestic physical cash transaction. The threshold for international wire transfers is $1,000 NZD and the threshold for cash transactions is $10,000 NZD. Your AML/CFT programme must also set out your procedures, policies, and controls for submitting PTRs to the FIU.

For many lawyers, PTRs may not be applicable. If you do not receive or send money overseas, or handle cash, then you should state this in your AML/CFT programme. If it is not clear in your AML/CFT programme, or you only state what the requirement is, rather than how your business meets the requirement, then you may be assessed non-compliant. If PTRs do apply to your business, be sure to state who is responsible for submitting the PTR to the FIU using goAML and the reporting timeframe of 10 working days.

5. Reliance on third parties to undertake CDD

In some circumstances, you can rely on another reporting entity or an equivalent regulated person overseas to conduct CDD for you. Certain conditions must be met if you want to rely on this party to conduct CDD on your behalf. These conditions are:

  • They are a reporting entity in New Zealand or a person regulated for AML/CFT purposes in a country with sufficient AML/CFT systems and measures in place; and
  • They have a business relationship with the customer; and
  • They have conducted CDD to at least the standard required by the Act;
        • They have provided you with the relevant identity information before you have established a business relationship or conducted an occasional transaction or activity; and
        • They can provide relevant verification information on your request as soon as practicable but within five working days; and
  • They consent to conducting CDD and providing all relevant CDD information to you.

If you are relying on another reporting entity, you are still responsible for ensuring the CDD is conducted under the AML/CFT Act.

We found some lawyers are relying on others to conduct CDD but are not meeting all the above conditions. To be compliant, be sure to outline the conditions in your programme and keep records of how you are meeting these conditions.

Also, we have found that many lawyers will not address in their AML/CFT programme whether they are relying on others to conduct CDD. Alternatively, they state they may rely on others but do not go into detail on whether they do, nor how this works in practice. To be compliant, make sure to clearly state whether and how you rely on others to meet your CDD requirements. This is an area we are likely to review during our onsite inspections.

Where to get help

The Department’s website holds a dedicated page of information specifically for the legal sector. For more information on the areas covered in this article, please see:

You can find our informative webinars and short educational AML/CFT videos here: AML-CFT videos

If you have any questions, please email us or call us on 0800 257 887.