Date posted: 16/10/2018

AML and due diligence on existing clients

Debunking myths about conducting customer due diligence (CDD) on existing clients under the NZ AML/CFT Act.

In Brief

  • There is a common misconception that CDD must be performed on all existing clients within a set time-frame after 1 October 2018.
  • CDD is only required on existing clients in certain circumstances.
  • The timing of such CDD depends on the nature of the captured activity being provided.

Accounting practices in New Zealand that provide services that are captured activities under the AML/CFT Act are AML reporting entities. As such, you are required to perform customer due diligence (CDD) which involves obtaining and verifying the identity (name and date of birth) and address of clients. This can usually be achieved through obtaining a passport and utility bill.

The Act is very clear that this applies to all clients taken on from 1 October 2018 ("new clients" - see section 14(1)(a)). However, its applicability to "existing clients" - those to whom you were providing captured activities prior to 1 October 2018 - is somewhat less clear. As a result, we have received many questions on this.

Which existing clients need CDD?

CDD is required on an existing client if:

  1. According to the level of risk involved, there has been a material change in the nature or purpose of the business relationship and you hold insufficient information on that client (section 14(1)(c)); or
  2. You become aware that they are anonymous (section 14(2)); or
  3. You submit a Suspicious Activity Report (SAR) on them (section 22A(2)).

In relation to number 1 – the three underlined bits are the criteria and have the following meanings:

  1. According to the level of risk involved – The DIA has clarified that its interpretation in the July 2015 edition of its enewsletter AML/CFT News still stands. Essentially, if the client would ordinarily be subject to enhanced CDD (see section 22 of the Act - e.g. trusts, PEPs etc., but also when your client risk profiling indicates they are high risk), then that enhanced CDD must be carried out regardless of whether there has been a material change. If they would be subject to simplified or standard CDD, then that CDD is only required when there is a material change (assuming insufficient information is held).
  2. Material change - paragraph 9 of the DIA's Risk Assessment Guideline defines this as "an event, activity or situation that you identify that could change the level of ML/FT risk you encounter".
  3. Insufficient information - means that you do not hold proof of identity and address documents on that client (highly likely given there has been no previous requirement to do so up until now).

In relation to number 2 - a client may be anonymous through an absence or paucity of information held (name, date of birth and address), or if obviously false information has been provided.

Timing of CDD on existing clients

In terms of when you need to conduct the enhanced CDD on your existing clients, it depends. It has to be conducted prior to providing the captured activities. So if the activities are continuous in nature (e.g. trustee services) then the CDD should have been completed before 1 October 2018. Otherwise it is just before you next provide the client with captured activities. 

There is a decision tree in the related downloads section below - this should assist you to work out when CDD is required on an existing client.

Ongoing customer due diligence and account monitoring

All clients (including existing clients) must also be subject to ongoing CDD and account monitoring.

'Ongoing customer due diligence' requires you to regularly review any information you hold about a client (section 31(4)(b)). This means ensuring any identity and address information that you do hold on a client is up to date, and if not, obtaining new documents to verify any changes. This also assists with determining whether insufficient information is held.

'Account monitoring' requires you to regularly review the client's account activity and transaction behaviour (section 31(4)(a)). This terminology is very much geared towards financial service providers so can be ambiguous. For the accounting profession 'account' means 'client'. So this means observing your clients' requests, activities and behaviour and remaining alert for red flags and suspicious activities. This assists with determining whether there is a material change and the submission of SARs to the New Zealand Police Financial Intelligence Unit (FIU).

When conducting ongoing CDD and undertaking account monitoring, you must have regard to the level of CDD initially conducted and the level of risk involved (section 31(3)). This means there is scope to vary the nature, timing and extent of ongoing CDD and account monitoring according to the level of risk involved.