15 – Business Law Newsletter

In this edition:

Are your AML/CFT and Risk Assessment Programmes fit for purpose?

Scope of the legislation

The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act) was put in place to introduce measures in New Zealand to guard against money laundering and the financing of terrorism.

It applies to Reporting Entities. Reporting Entities are defined widely within the AML/CFT Act, but it essentially covers organisations undertaking financial activity. As a result of the breadth of cover, there are three supervisors under the AML/CFT Act: the Reserve Bank; the Financial Markets Authority; and, the Department of Internal Affairs. Each supervisor is responsible for overseeing compliance for the different types of Reporting Entity.

The AML/CFT Act imposes extensive obligations on Reporting Entities, which include undertaking customer due diligence and requiring a high level of suspicious transactions surveillance. In order to meet these obligations a Reporting Entity must have a complying risk assessment programme in place. All Reporting Entities should already be doing this as well as implementing an AML/CFT programme.

Audit obligations

In addition, to ensure these programmes are sufficient, the AML/CFT Act requires a Reporting Entity to regularly review the programmes and to also have them audited every two years. The Reporting Entity’s supervisor may also require audits at any other time.

A Reporting Entity’s review (internal process) must:

  • ensure the programmes remain current; and
  • identify any deficiencies in the effectiveness of the programmes.

If deficiencies are identified, the Reporting Entity must make any necessary changes to its programmes.

Little detail on the audit requirements are contained in the AML/CFT Act. Given the limited detail, the three supervisors have published a guidance on what they expect from the audit. This guidance can be found here.

Who can audit?

What the AML/CFT Act does say is that the audit must be carried out by an independent person who is appropriately qualified to conduct the audit. In particular, the auditor must not have been involved in:

  • the establishment, implementation, or maintenance of the Reporting Entity’s AML/CFT programme; or
  • the undertaking of the Reporting Entity’s risk assessment.

Thus, the auditor must be someone new to the Reporting Entity’s programmes. There are no particular qualifications required by the AML/CFT Act, and the auditor does not have to be a chartered accountant or someone qualified to undertake financial audits. In our view, what is important is that the auditor understands and has experience with the AML/CFT Act and the requirements that the risk assessment and AML/CFT programmes must meet.

The guidance indicates that people with AML/CFT or relevant financial experience in the Reporting Entity’s sector might be suitably qualified. However, as the guidance state, the key point is that a Reporting Entity must be able to justify to its supervisor why the auditor is appropriately qualified.

Scope of audit

The only detail on the scope of the audit is a statement in the AML/CFT Act that the audit of the risk assessment is limited to an audit of whether the Reporting Entity’s risk assessment fulfils the requirements in section 58(3) of the AML/CFT Act.

The guidance provides some further detail. It contemplates that the auditor will provide a report setting out:

  • whether a Reporting Entity meets the minimum requirements for its AML/CFT risk assessment and AML/CFT programme;
  • whether the AML/CFT programme was adequate and effective throughout a specified period; and
  • if any changes are required.

Other matters

The AML/CFT Act also requires a Reporting Entity to provide a copy of the audit report to its supervisor on request. As noted in the guidance, the supervisor is also likely to assess the adequacy and robustness of your audit, so it is important that it is appropriate and sufficient.
The guidance also sets out its view on the various matters to consider when appointing an auditor, such as the level of assurance to be obtained from an audit. Reporting Entities should consult this guidance before selecting an auditor.

Getting help

Organising the right firm to undertake the audit is critical and Lane Neave can help. We have significant experience advising on the AML/CFT Act and have advised on a number of programmes. Our team can undertake an-in-depth assessment and either give you comfort that your programmes are appropriate and sufficient or make recommendations concerning areas where your programme may be failing under the legislative requirements, saving you from a headache later on.

If you want to find out more or organise an audit please get in touch with Claire Evans or Dr Maria A Pozza.

Article written by:

Claire Evans

Dr Maria A Pozza

view profile View profile

New Zealand Intelligence and Security Bill


The recently introduced New Zealand Intelligence and Security Bill (Bill) had its first reading in Parliament on 18 August 2016 and is currently with the Foreign Affairs, Defence and Trade Select Committee. The Bill was introduced as a response to the first independent review of the intelligence agencies (the Review). A copy of the Review, undertaken by Sir Michael Cullen and Dame Patsy Reddy, can be found here.

New Zealand’s national security and well-being as a country is the focus of the Bill. The Prime Minister stated in introducing the Bill that he hoped it would allow “our [security and intelligence] Agencies [to] operate under legislation which enables them to be effective in an increasingly complex security environment, where we are confronted by growing numbers of cyber threats and the rise of terrorist groups”. A full copy of the Bill can be found here.

Key aspects of the Bill

The Bill is lengthy, with some 280 clauses. It replaces the four current Acts which govern the New Zealand Security Intelligence Service and the Government Communications Security Bureau (together the Intelligence Agencies) and amends a number of other Acts.

The key aspects of the Bill are to:

  1. make New Zealand’s intelligence and security sector more transparent and accountable;
  2. enable more effective cooperation and efficiency between the Intelligence Agencies by having the same shared powers, objectives and functions for both of them;
  3. strengthen the oversight of the Intelligence Agencies’ activities and functions;
  4. tighten the framework for the granting of warrants and introducing a single warranting framework;
  5. clarify the use of cover and assumed identities and immunities; and
  6. legislate for the role of the National Assessments Bureau (NAB) for the first time. The NAB is a part of the Department of the Prime Minister and Cabinet and provides impartial assessments and independent advice on events and developments which concern the national security and international relations of New Zealand.

In this article we do not intend to discuss all parts of the Bill, but instead focus on the powers of the Intelligence Agencies and their oversight.

Powers of the Intelligence Agencies – warrants

The key power granted to the Intelligence Agencies is to authorise them to carry out activities which would otherwise be considered unlawful in certain situations (ie interception of phone calls, searching of private premises and seizing of physical items). Such authorisations are given effect by way of intelligence warrants. The Bill proposes two types of warrants:

  • Type 1 warrants concern intelligence collection targeting a New Zealander and are secured by a ‘triple lock’, meaning that it requires authorisation by the Attorney-General and a Commissioner of Intelligence Warrants and are subject to review by the Inspector-General of Intelligence and Security. Urgent Type 1 warrants will be able to be authorised by just the Attorney-General, although the Chief Commissioner of Intelligence Warrants will be able to revoke any such warrant.
  • Type 2 warrants relate to intelligence collection targeting a non-New Zealander and requires authorisation by the Attorney-General and are also subject to review by the Inspector-General of Intelligence and Security.

The Bill allows warrants to target persons or classes of persons and allows for new purpose-based warrants for specific operational reasons. The Bill also allows Intelligence Agencies to request the assistance of the New Zealand Police, individuals or organisations, providing those who assist with the same immunities as an employee of an Intelligence Agency. The flexibility of this warranting regime was a recommendation of the Review.

Powers of the Intelligence Agencies – access to information

Currently the Intelligence Agencies obtain information from many sources and are largely exempt from the Privacy Act 1993. The Review stated that “we understand that the Intelligence Agencies’ exemption from the Privacy Act principles is generally interpreted as allowing them to access personal information held by other government agencies, but only on a case-by-case basis”.

The Bill proposes providing more rigour around that access. It does so by setting out the regime under which the Intelligence Agencies can access information, and the basis on which agencies can provide information to Intelligence Agencies.
Under the Bill, the Intelligence Agencies will have the power to access information which is sought to protect New Zealand from security threats. There will be two types of access, direct access to public sector databases and request access to any person (including individuals, businesses and government organisations) for personal and non-personal information.

Direct access

Direct access will be required to be by agreement with the government agency responsible for the database to be accessed. Such a direct access agreement must be entered into by the Minister responsible for the Intelligence Agency and the Minister responsible for the agency with the database.

The Bill sets out a regime (much like the information sharing agreement regime in the Privacy Act), that must be complied with before an agreement can be entered into. This requires the Ministers to have regard to certain matters (including that there are adequate safeguards to protect the privacy of individuals), that they consult with the Privacy Commissioner and the Inspector-General of Intelligence and Security, and that the agreements contain certain information (eg the mechanism by which the information is to be accessed). The agreements will be publicly available and must be reviewed every three years.

The Privacy Commissioner has initially indicated that in relation to its oversight of the direct access agreements it will be looking for proportionate access, good record keeping and audit, and sound policies around the retention of the data accessed.  The Privacy Commissioner in submissions on the Bill has also asked for more guidance to be included in the Bill as to the matters to which he should have regard.

Request access

Under the Bill, the Intelligence Agencies will be able to request information from anyone. However, there will be no obligation on that person to provide the information. To compel the provision of information would have to be done under the warrant regime. As is the case at present, any person receiving a request for information will need to make its own decision as to whether or not to provide the information. Confidentiality obligations will be an obvious consideration in this regard. In the case of personal information held by an agency, the agency’s obligations under the Privacy Act must also be considered.

The Bill proposes an amendment to the Privacy Act to set out the basis on which agencies can provide personal information to the Intelligence Agencies, whether in response to a request or of its own volition. It does this by expanding the exceptions in the Privacy Act’s principles on use and disclosure of personal information so that agencies holding personal information will be able to use personal information in a manner requested by intelligence organisations or disclosure it to them where, in each case, the agency believes, on reasonable grounds, that doing so “is necessary to enable an intelligence organisation to perform any of its statutory functions”.

This test of necessity will become an important touchstone in any agency’s decision to provide personal information following a request to do so from either of the Intelligence Agencies. Of course other points may also need to be considered, such as any obligation of confidence that the agency owes to the individual and the agency is not required to release the information merely because it is requested. Agencies should have internal processes in place to enable decisions on requests to be made in an informed manner.


Greater oversight of the Intelligence Agencies is also at the forefront of the Bill’s objectives. Independent oversight is required to ensure that the Intelligence Agencies are acting in a manner consistent with the law and New Zealand’s democratic values. It does this by increasing the reach of the Privacy Act to the Intelligence Agencies and by continuing the oversight of the Intelligence Agencies by Parliament’s Intelligence and Security Committee (ISC) and the Inspector-General of Intelligence and Security (IGIS).

Currently, only the Privacy Act’s principles on access to and correction of information and use of unique identifiers apply to the Intelligence Agencies. The Bill proposes making all of the Privacy Act’s principles, other than 2 (collect from the individual directly), 3 (tell the individual about the collection) and 4(b) (do not collect in a manner that is unfair or unreasonable), apply to the Intelligence Agencies.

The ISC and the IGIS will act as the two main overseeing bodies of the Intelligence Agencies:

  • The ISC is a Parliamentary oversight committee with the purpose of examining effectiveness and efficiency of Intelligence Agencies as well as budgetary and policy matters. Its member numbers will increase from the current five to between five and seven.
  • The IGIS on the other hand is the statutory body that provides oversight and review of the Intelligence Agencies, whilst being responsible for reviewing issues of legality and propriety, including but not limited to compliance with human rights and privacy obligations.

The ISC can request that the IGIS inquire into any matter about the intelligence and security agencies’ compliance with the law and propriety of their activities, whilst ensuring that the independence between the IGIS and the Intelligence Agencies is preserved. As a further measure, the IGIS may also review the propriety and implementation of all warrants of its own motion.

Progress through Parliament

The Bill is set to establish a robust and consistent framework for the operation of the Intelligence Agencies throughout New Zealand. The Privacy Commissioner and others made many submissions on the Bill during the Select Committee stage which recently closed.  At this stage, we do not know what changes will result to the Bill, but note that the Select Committee has until February next year to report back on the submissions and its recommendations for the Bill.  We will monitor progress of the Bill through Parliament once that report is released.

Article written by:

Graeme Crombie

Danita Ferreira

view profile View profile

Business Law Team

If you have any queries in respect of the above, or any other business law issues, please contact a member of Lane Neave’s Business Law Team:

Andrew Logie Partner view profile
Gerard Dale partner view profile
Claire Evans Partner view profile
Graeme Crombie Partner view profile
Anna Ryan Partner view profile
Joelle Grace Partner view profile
Elizabeth Neazor Associate view profile
Peter Orpin Special Counsel view profile
Jacob Nutt Senior Solicitor view profile
Danita Ferreira Senior Solicitor view profile
Lynda Fitchett Facilities and Support Manager view profile

Disclaimer: The content of these articles are general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.