
AML Workflows — risk assessment update


The Risk Assessment module in Anti-Money Laundering Workflows has been reviewed and extensively updated by author Gary Hughes.

All steps in the module have been updated:

  • [RA1] Step 1. Understand the interrelationship between the risk assessment and compliance programme, and the place of each
  • [RA2] Step 2. Have regard to RA guidance material and regulations
  • [RA3] Step 3. Understand that the RA (and the CP) is a vitally important risk management and mitigation tool
  • [RA4] Step 4. Drafting the RA — introductory parts
  • [RA5] Step 5. Linking between the RA and CP
  • [RA6] Step 6. Addressing the first key risk dimension — nature, size and complexity risk
  • [RA7] Step 7. Addressing the second key risk dimension — services/products risk
  • [RA8] Step 8. Dissecting the legal services risk dimension in other ways
  • [RA9] Step 9. Addressing the third key risk dimension — client risk
  • [RA10] Step 10. Addressing the fourth key risk dimension — delivery method risk
  • [RA11] Step 11. Addressing the fifth key risk dimension — country risk
  • [RA12] Step 12. Addressing the sixth key risk dimension — institution/referrer risk
  • [RA13] Step 13. Evaluating the six key risk dimensions — pulling it all together
  • [RA14] Step 14. Rounding off the RA — further considerations
  • [RA15] Step 15. Completing and maintaining the RA

The nature and significance of risk assessments (RAs) in New Zealand’s AML/CFT regime is outlined in the following extract from Step 1:

RA1.2   The RA — nature and requirements

The first and probably more important of the two substantive reports is the RA. Unlike some other jurisdictions, New Zealand requires a stand-alone written RA to be prepared, as a first step and key platform for all the AML/CFT compliance steps to follow.

Put simply, this RA is a business report, perhaps around 15–20 pages for a small or boutique firm (although there is no set or “correct” length). The report must be tailored to the specific money laundering (ML) and terrorist financing (TF) risk that each firm is likely to face in its own unique sphere of operations. It must also be reviewed and updated regularly, and kept available for the AML/CFT supervisor’s staff (and the firm’s external auditor) when they wish to inspect.

If the RA has gaps or errors, this can prove costly, because the compliance processes that follow on from it may be misdirected or poorly executed. You have to identify a risk properly in order to be able to take steps to mitigate it. Almost all the civil enforcement court cases taken so far by supervisors under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 have included some allegation of failure to conduct a proper or complete RA. For instance, Mallon J in Reserve Bank of New Zealand v TSB Bank Ltd [2021] NZHC 2241 said that a RA is:

  • “a pre-requisite for establishing an AML/CFT programme and conducting CDD” (at [79]); and
  • “a fundamental first step required by the Act” (at [92]).

In the circumstances of that case, where a RA was completely overlooked (unintentionally) for one department or business unit (“a specific failure, albeit of a key component of the Act’s requirements” (at [93])), a civil penalty of $1 million was appropriate for that aspect of non-compliance by a large bank.

Section 58 of the AMLCFTA 2009 details the specific legal requirements of the RA. In particular, before conducting client due diligence (CDD) (i.e. before entering a new client relationship for captured services after 1 July 2018) and before establishing a CP, a reporting entity must first undertake a RA. That means examining “the risk of money laundering and the financing of terrorism … that it may reasonably expect to face in the course of its business” (s 58(1)).

It is important that all practice areas, departments and branches of a law firm’s operations are included in the RA. It must consider risks in relation to all aspects of the business, including revisiting and adding parts to the RA whenever a new branch or service area is opened. The TSB Bank case mentioned above was one where a large bank had conducted an RA for its banking operations, but not for its local real estate agency business unit in Taranaki. The agreed penalty decision records (at [91], footnote omitted):

“The parties consider that the failure to conduct a risk assessment for an aspect of TSB’s business is comparable in seriousness to failing to update and maintain a risk assessment and the maximum [penalty] of $2 million should apply.”

For the full update and all 10 modules, see Gary Hughes Anti-Money Laundering Workflows (online ed, Thomson Reuters) on Westlaw New Zealand.

By Kevin Leary

Kevin Leary is a Senior Legal Editor in the New Zealand Analytical Law team at Thomson Reuters. He has more than 20 years' experience as an editor of bound books, looseleafs, precedents and their digital equivalents.
