AML/CFT regulations changes: a mixed bag for reporting entities

An array of updates to regulations under the AML/CFT Act were passed into law last week. The regulations will come into force in three stages:

• the first stage on 31 July 2023. These changes largely relate to relaxations or clarifications of the AML/CFT regime rather than the addition of new obligations, although there are some consequential changes which reporting entities will need to be across;

• the second stage on 1 June 2024. These changes largely add new compliance obligations for existing reporting entities; and

• the third stage on 1 June 2025. These will bring more limited changes than the first or second stage.

Overall, the changes are a mixed bag for reporting entities. While some of the changes are welcome, in other instances the amendments to regulations as passed are a step backwards from the Ministry of Justice's statutory review report, and even in some instances the earlier draft of the regulations.

Further, the Ministry has had to remove a number of changes that were proposed to be made by amendment of regulations on the basis that those changes require amendments to the Act itself.

Nevertheless, all reporting entities and businesses who currently rely on exemptions from the AML/CFT Act will need to be across how the changes affect them. For example, we expect that every reporting entity's AML/CFT programme will need to be updated in light of these changes, if not by 31 July 2023, then certainly by 1 June 2024. Given that the regulations as made include several key changes from the exposure drafts that were consulted on, we recommend that all affected parties review the new regulations closely to ensure they understand their obligations going forward.

31 July 2023 changes

Some of the key changes coming into force on 31 July 2023 are:

• Changes to the "beneficial owner" definition. Going forward, a "beneficial owner" will include a person with "ultimate ownership or control of the customer, whether directly or indirectly" and will include a person on whose behalf a transaction is conducted (POWBATIC) who is a customer of a customer only if that person also has ultimate ownership or control of the reporting entity's customer. We think that this is the single most important change for reporting entities in the regulatory package. It removes the suggestion that they must carry out customer due diligence (CDD) on all POWBATICs and should in many instances remove the need for a reporting entity to "look through" its customer to the person its customer is in turn providing services to when applying the Act.

• The change to the "beneficial owner" definition (in particular, the removal of the POWBATIC requirement in many circumstances) has resulted in some other consequential changes to existing regulations. In particular:

  • the existing exemption for trust accounts and client funds accounts will be revoked from 31 July 2023; and

  • the existing managing intermediaries exemptions will expire on a staged basis, with some aspects having an expiry date of 31 December 2023, and others an expiry date of 31 December 2024.

Reporting entities that currently rely on these exemptions should carefully consider whether any changes are required to their AML/CFT programme to reflect the revocations.

• Specific definitions of "customer" for reporting entities that are real estate agents, liquidators, executors or administrators of estates, nominee directors, nominee shareholders and trustees.

• Stored value instrument changes. The definition of stored value instruments has been updated to capture electronic or digital forms of stored value. A change has also been made that seeks to disapply the AML/CFT Act to the sale of multiple stored value instruments that are individually below the relevant monetary thresholds but collectively above them, and intended for different recipients. This change was previously scheduled to come into force on 1 June 2024, has been brought forward to 31 July 2023, which is good news for the issuers of stored value instruments. However, we still have concerns about the drafting of this amendment and are in touch with the Ministry to seek to ensure it operates as intended.

• Changes to clarify that a designated non-financial business or profession (DNFPB) (such as a law firm) making or receiving a wire transfer from or into its trust account held with another reporting entity (such as a bank) is not an ordering, beneficiary or intermediary institution under the AML/CFT Act, but that the DNFPB must nevertheless submit a prescribed transaction report containing the information it holds about the transfer.

• Changes to prescribe that, in certain places where the Act refers to "a country that has insufficient anti-money laundering and countering financing of terrorism systems or measures in place", this includes countries identified by the Financial Action Task Force as being a high-risk jurisdiction subject to a call for action. However, an important (and in our view unfortunate) change has been made between the draft and final form of the regulations. In draft, the language used was "means", with the result that reporting entities could rely solely on the Financial Action Task Force identification. It has now been changed to "includes", with the result that reporting entities may still need to consider if other countries meet this description. This language change undoes some of the benefit of the amendment.

1 June 2024 changes

Some of the key changes coming into force on 1 June 2024 are:

• Changes in relation to virtual assets. From 31 July 2023, a person who provides safekeeping or administration of virtual assets will be a financial institution under the AML/CFT Act. But the main virtual assets changes come into force on 1 June 2024, including:

  • treating virtual asset to virtual asset, and virtual asset to/from fiat currency, transfers as wire transfers;

  • treating virtual asset transactions of $1,000 or more outside a business relationship as occasional transactions; and

  • treating deposits, withdrawals, exchanges, or transfers of virtual assets as transactions for the purposes of the AML/CFT Act; and

  • treating all virtual asset transfers as international wire transfers (and therefore potentially subject to prescribed transaction reporting obligations) unless the reporting entity is satisfied that all the parties to the transfer are in New Zealand.

• Additional standard CDD requirements for legal persons and legal arrangements. These requirements have been drafted in very broad terms and reporting entities will need to carefully consider whether existing CDD processes remain adequate.

• Additional enhanced CDD requirements. A reporting entity carrying out enhanced due diligence will be required to carry out additional CDD measures before establishing, and during, the business relationship in certain circumstances. The additional measures may include: obtaining further information from the customer in relation to the transaction, examining the purpose of the transaction, monitoring the business relationship, or obtaining senior management approval for transactions. The Ministry has made two welcome changes to this amendment between the draft and the final version:

  • In the final version, it has been clarified that these additional measures will only be required if obtaining and verifying information as to the source of the funds or the wealth of the customer is not sufficient to manage and mitigate the ML/FT risk.

  • The draft version suggested that all of the additional measures might be required in all cases, whereas the final version is clear that the four identified additional measures are alternatives.

• Additional requirements where a reporting entity seeks to rely on another reporting entity (or person in another country) to conduct CDD.

• Additional AML/CFT programme requirements to address agents of the reporting entity and circumstances where the reporting entity will obtain and verify information relating to only one of the source of funds or the source of wealth, or both, of the customer.

• An obligation to carry out CDD where a customer seeks to conduct a transaction through the reporting entity that is both outside a business relationship and not an occasional transaction, and where there are grounds to file a suspicious activity report.

• A specific record keeping obligation in relation to PTRs.

1 June 2025 changes

The key change that will occur from 1 June 2025 is that all reporting entities will have a specific obligation to "risk rate" every customer on carrying out CDD at the commencement of the business relationship, and to update that risk rating as it undertakes ongoing CDD. Our experience in that most reporting entities do this already, so this should not be a significant change.

What's missing?

Changes previously announced but which have - for now - been removed from the regulatory package include:

• an exemption from the address verification requirement for reporting entities, which would have applied except when enhanced CDD was required;

• simplifying CDD requirements with respect to delegation by a senior manager of a customer;

• an extension of time for prescribed transaction reporting from 10 to 20 working days to account for possible technical difficulties in reporting systems;

• relaxing the processes that reporting entities must follow when conducting CDD on certain trusts; and

• enabling members of a designated business group to share a compliance officer.

Each of these changes would have provided regulatory relief to reporting entities, so there will be a sense of disappointment that they are not able to be advanced at this time. There is no timeframe associated with the legislative changes: all that is known is that Ministry officials are doing further policy work on the medium-term and long-term changes.

We will host a CPD seminar on these changes in Auckland and online on 31 July 2023. Keep an eye out for our invite, which will be sent out next week.