Recent case law from the High Court confirms that banks are best placed to review and manage their own risks under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009.
The Ink Patch Money Transfer Ltd v The Reserve Bank of New Zealand [2022] NZHC 1340 was a judicial review of the Reserve Bank's actions (or alleged lack thereof) in respect of what the applicants considered the "blanket de-risking" of money remitters as customers by New Zealand banks.
While focussed on the specific areas of money remittance and the Reserve Bank's role and powers, the decision provides useful insight into the obligations of banks to manage their money laundering and terrorism financing risks. The theme throughout the judgment was that banks are best placed to assess and manage their AML/CFT risks, which is an exercise they should be doing on a case-by-case, rather than blanket, basis.
Background
The applicants were New Zealand registered money remittance providers servicing the Pacific Islands. They claimed that banks were closing money remitters' bank accounts and were refusing to open new accounts due to what the applicants considered to be blanket de-risking. In the applicants' view, the blanket de-risking was a result of banks' lower risk appetite and an "overly zealous view" of their AML/CFT obligations, which the Reserve Bank had failed to correct.
Class Exemption
The AML/CFT Act requires reporting entities (including both banks and money remitters) to carry out customer due diligence on their customers and the beneficial owners of those customers. The term "beneficial owner" has been interpreted broadly to include a "person on whose behalf a transaction is conducted", often referred to as a "POWBATIC".
The High Court confirmed that banks are exempt from carrying out CDD on beneficial owners of money remitter customers (ie POWBATICs/the money remitter's customers), to the extent that Part 6 of the 2018 Class Exemption applies. This Class Exemption exempts reporting entities from conducting CDD on beneficial owners of specified managing intermediaries (eg money remitters), provided a number of conditions are met. These conditions include obtaining written confirmation that the specified managing intermediary has an AML/CFT programme and conducts CDD in accordance with the AML/CFT Act (or foreign equivalent). A reporting entity, such as a bank, that wishes to rely on the exemption is not required to verify the specified managing intermediary's written confirmation, unless it has reasonable grounds to doubt its adequacy or veracity.
The concept of POWBATICs, and reporting entities' obligations in respect of them, has proven complex and controversial under the AML/CFT Act. This may be subject to future legislative reform, following the conclusion of the Ministry of Justice's statutory review of the AML/CFT Act on 30 June 2022. In its Consultation Document for the statutory review, the Ministry of Justice noted that the AML/CFT Act is inconsistent with FATF standards in this respect and suggested changes could be made to ensure that businesses do not have a direct obligation to obtain details, and verify the identity, of every underlying customer of their customer.
Assessing risk
The applicants in Ink Patch recognised that the requirement to conduct CDD on POWBATICs could justify the banks' understanding that they are required to go beyond their immediate CDD obligation in respect of their customer (a money remitter) and look further at the dealings between the money remitter and its customers. However, the applicants considered that the Class Exemption responded to this double-up in compliance. It followed, in the applicants' view, that the banks did not need to take it upon themselves to monitor compliance and detect offending.
The Court did not accept that view. The Court held:
it is up to the individual trading banks themselves to make an assessment as to whether they will accept any written confirmations provided as to AML/CFT compliance.
The Court accepted that notwithstanding the Class Exemption, banks are still required to have internal procedures, polices and controls for detecting money laundering and financing of terrorism, and for managing and mitigating risks that may arise throughout the relationship.
While the applicants suggested there was room for the Reserve Bank to clarify the impact of the Class Exemption in practice (ie by providing guidance that banks can accept written confirmation without further verification), the Court found it was not for the Reserve Bank to substitute its own assessments in place of the banks'.
The High Court reiterated that:
the banks are nevertheless still entitled to restrict dealings that they consider in accordance with their internal procedures, policies and controls and based on their required risk assessments, present AML/CFT risk.
The focus on the banks' ability to, in effect, set their own risk appetite and implement their own systems and controls was consistent throughout the judgment. For instance, in assessing the applicants' argument that the banks were not conducting themselves in a prudent manner, the High Court made clear that a bank's refusal to provide bank accounts to money remitters did not amount to the bank acting imprudently.
Further, the Court said:
Refusing to provide banking services following a risk-based assessment of the money remitters' AML/CFT risk in fact represents more careful compliance with AML/CFT Act obligations and may very well suggest a greater prudence on the part of the trading bank.
The Court also emphasised an earlier statement from the Reserve Bank that de-risking to avoid rather than manage and mitigate risks would be inconsistent with the intended effect of the AML/CFT Act.
Final thoughts
The AML/CFT regime is intended to place obligations on those best suited to consider the risks and activities of their customers.
The Reserve Bank made its position on blanket de-risking clear: banks are encouraged to follow a case-by-case risk-based approach on individual merits rather than a blanket prohibition. The Court summarised this position to say de-risking is neither encouraged nor appropriate.
It follows that banks should ensure that they have the appropriate systems and controls in place to assess, manage and mitigate any money laundering or financing of terrorism risks it may face. Those internal procedures, polices and controls should involve a risk-based and individual assessment of potential and existing customers.