FMA and DIA issue reminder about outsourcing CDD to third parties
The Financial Markets Authority (FMA) and the Department of Internal Affairs (DIA) have together released a guidance note for reporting entities that rely on third-party agents to conduct anti-money laundering and countering financing of terrorism (AML/CFT) customer due diligence (CDD) processes on their behalf.
Who needs to read it? Why?
This note will be of interest to all reporting entities that make use of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act)’s agency reliance provision. However, the supervisors’ comments should be kept in mind by reporting entities using any of the AML/CFT Act’s reliance provisions, or even (as discussed below) other reliance on agents for AML/CFT purposes.
What does it cover?
One of the obligations the AML/CFT Act imposes on reporting entities is to conduct CDD. This includes identifying, and verifying the identification of, their customers, their customers’ beneficial owners, and persons acting on behalf of their customers, as well as conducting ongoing CDD and undertaking account monitoring on their customers.
The AML/CFT Act allows reporting entities to rely on certain third parties in respect of specific obligations. Most relevantly, section 34 allows reliance on agents to conduct CDD procedures. While this provision refers to CDD procedures generally, in practice this mostly relates to onboarding – ongoing CDD and account monitoring require a visibility of the reporting entity-customer business relationship in operation that a third party likely does not have.
The core message from the FMA and DIA is that reliance alone is not compliance. A reporting entity cannot engage an agent and assume this will deal with all of its AML/CFT compliance obligations. The relying entity remains responsible for its own compliance obligations (discussed further below), and in practice must have robust and active oversight of any agents to ensure their activities are up to the required standard.
Further, CDD obligations extend beyond onboarding, and AML/CFT obligations extend beyond CDD. The FMA and DIA are emphatic that reporting entities cannot consider outsourced obligations in isolation from their other obligations, and generally must remain active participants in their own compliance.
While the other forms of reliance under the AML/CFT Act state expressly that the relying entity remains responsible for its own compliance, the agency reliance provision does not. The general law of agency imposes that responsibility regardless, but the FMA and DIA in this release have set out in no uncertain terms that it is also the case for agency reliance.
It is worth noting that use of an agent under the AML/CFT regime is not necessarily confined to CDD. This is not stated in the AML/CFT Act, but is a matter of general agency law and is recognised (on page 42) in the Ministry of Justice (Ministry)’s consultation document on the Statutory Review of the AML/CFT Act (which we have discussed in a previous release). The points raised by the FMA and DIA will be similarly applicable to these forms of reliance.
We consider that third-party providers can offer a useful service to reporting entities, allowing the outsourcing of some technical and procedural components to specialists that may bring greater expertise and efficiency. This can be of benefit to individual reporting entities and the wider AML/CFT ecosystem.
That said, we concur that it is crucial reporting entities understand the application of their compliance obligations. Misunderstanding the reliance provisions and assuming responsibility can be abdicated is a dangerous and untenable position for a reporting entity to be in, and can compromise the efforts of the AML/CFT regime more generally to detect and deter money laundering and the financing of terrorism.
The clarity and emphasis provided by the FMA and DIA here should help dispel these misunderstandings and ensure reporting entities understand what is required of them.
At the same time, the FMA and DIA comments make clear the importance of the Ministry’s Statutory Review of the AML/CFT Act looking at some form of external quality assurance or even licensing for third-party service providers. Smaller reporting entities are often not well placed to assess the capability of those they are required to rely on, precisely because they do not have internally the expertise they are seeking from the service provider. Despite the official date for submissions on that point having passed, if this is important to your organisation you may still want to contact the Ministry.
If you have any questions in relation to this guidance note, reliance on third parties under the AML/CFT regime, or the regime more generally, please contact one of our experts.