New Zealand Law Firms AML/CFT Compliance Update

Much still to do and not much time in which to do it

Over the last few weeks Initialism has provided face-to-face AML/CFT information sessions to some 150 law firms across New Zealand.

These workshops took place in 14 regional centres from Auckland to Invercargill, providing participants with information and practical insights on how law firms can understand their Money Laundering (ML) and Terrorist Financing (TF) risks, implement effective AML/CFT Programmes, and achieve AML/CFT compliance.

Engaging directly with law firms has provided insight into the current level of preparedness of law firms to achieve AML/CFT compliance, and the challenges they face getting to grips with AML/CFT by the 1st July deadline.

The results of this engagement indicate a low level of preparedness and activity throughout the industry. There should be significant concern that law firms that need to be compliant with the AML/CFT Act will simply run out of time, and that New Zealand therefore faces the prospect of potentially significant levels of non-compliance on the 1st July.


Firms demonstrate that they understand the Act, but are clearly finding it challenging to translate the obligations into practical and meaningful actions that achieve AML/CFT compliance and systematically address their compliance obligations.

There was thinly veiled criticism of AML/CFT advice which references financial institution compliance practices and suggestions that adoption of those practices will be sufficient for Phase 2 businesses, including law firms.  There is a growing appreciation amongst law firms that whilst the AML/CFT obligations are the same across Phase 1 and 2 entities, the approach to AML/CFT compliance in a number of areas may be very different.

The law firms also expressed concern about the level of guidance and support being given by industry bodies. Many had hoped for, and have been waiting for, material from industry bodies that they could simply adapt and adopt. The reality, however, is that the material provided by industry bodies, due to the risk-based nature of the obligations, falls short and would never have been able to deliver the “turn-key” compliance hoped for by the industry.

This now leaves many firms feeling that they are on their own in working out what is needed to be AML/CFT compliant, and realising there is very limited time to become AML/CFT compliant.  They are also beginning to realise that capacity within New Zealand AML/CFT practitioners to provide meaningful levels of support may be a limiting factor.

The majority of firms appear to be still in what they refer to as the “research” stage, trying to understand what AML/CFT compliance means to their firm and how they should approach becoming compliant.  Research by law firms has involved reading the Act and Guidance, and attending webinars and sessions, such as the information sessions offered by Initialism.

With only 3 months left to become AML/CFT compliant before the 1st July deadline, it is vitally important that law firms now move quickly and decisively to the “action” stage.


The first things to tackle in the “action” stage are appointing an AML Compliance Officer, completing the ML/TF Risk Assessment and developing their AML/CFT Programme.

Firms will also need sufficient time to understand and implement the changes to business processes required to be AML/CFT compliant. However, they cannot start this important work before they have the basics of a ML/TF Risk Assessment and AML/CFT Programme in place.

It appears that only between 10 and 15 percent of law firms have made any substantive progress towards AML/CFT compliance.  The majority of these firms are just coming to grips with their ML/TF Risk Assessment, with some starting to look at developing an AML/CFT Programme for their firm.

Very few firms have started assessing how to adjust their business processes to effectively implement AML/CFT within their firm. This will take time, to ensure the implementation is aligned to, and leverages as much as possible, existing business processes.

The current level of preparedness and activity creates a significant risk of non-compliance, as AML/CFT compliance activities, once identified, assessed and documented through the AML/CFT Programme, will take time to implement in order to become truly AML/CFT Act compliant.


The main issue for the majority of firms appears to be where to start.  Firms are still struggling to identify an appropriate approach, structure, or methodology that supports them working systematically towards understanding, documenting and mapping what obligations they face, and then working towards amending or refining business practices to achieve compliance.

This means that over the next three months firms will potentially need to devote significant resources away from billable work and towards compliance efforts in order to understand how to become compliant by the 1st July.

Many firms are wrestling particularly with the risk-based approach to AML/CFT, and what implications it has for the compliance activities they need to undertake. Whilst law firms are experienced in handling complex and nuanced matters that can be subject to interpretation, some seem to struggle with a level of assumed complexity and the various moving parts of an AML/CFT risk-based approach.

There is also confusion in some quarters about the various elements of ML/TF risk and how they interact with each other and what that means for the AML/CFT programme.

Identifying and putting in place a clear structure or methodology to assess ML/TF risk and apply the results as part of the AML/CFT Programme is vital, as it is the foundation of a firm’s AML/CFT compliance efforts.

One of the other challenges appears to be when and how to conduct customer (client) due diligence. Most law firms undertake a degree of client due diligence already. However, what they should collect, and when they should collect it, to be compliant with AML/CFT obligations are key considerations that many law firms are grappling with.

There is a clear understanding amongst law firms of the need to undertake customer due diligence before offering a service covered by the AML/CFT Act, but there is a degree of debate about at what point in the client engagement process the service is being offered – is it when first meeting the client to receive instructions or when substantive work is being undertaken?

It is important that firms work through this carefully, including deciding whether or not to undertake the same level of due diligence for all clients even if they are not currently using one of the services covered by the AML/CFT Act.  Poorly thought out outcomes could create exposure under the AML/CFT Act and/or contribute to a poor client experience.

Another challenge being focused on is when and how to do enhanced customer due diligence.  There appears to be real concern amongst law firms about how far they need to go to identify and verify the source of wealth and funds, and the impact of collecting and verifying the information required in the client engagement process, and ultimately the relationship with the client.

There also appears to be confusion regarding what being only part of a financial transaction’s value chain means for the collection and verification of source of wealth and source of income information.

Firms are also struggling to understand what ongoing customer due diligence means in the context of the transactional type relationship that law firms have with most of their clients.

The relationship law firms have with most of their clients is very different from the account type relationship financial institutions have with their customers.  Law firms need to work through when and how to undertake ongoing due diligence, and clearly understand when a client stops being a client and what to do should the client re-engage the firm.

As a result of this very different client/customer engagement model, monitoring of clients’ behaviour and activity for unusual activity which might be suspicious is also very different in the context of legal services compared to financial institutions.

Law firms therefore also need to spend time coming to grips with how to monitor client activity and what is monitored, which may be very different to the approaches used by financial institutions and therefore may require adaption and refinement to align with a law firm’s business.

The final issue law firms are struggling with is reporting suspicious activity: getting to grips with the nuances of unusual activity versus suspicious activity, how to handle unusual activity within their firm, and what steps are needed to investigate the unusual to determine if it is suspicious.

Based on our experience of supporting the delivery of AML/CFT compliance to many non-financial and financial businesses globally, including New Zealand, the current level of preparedness of New Zealand law firms means that many firms, if they do not start soon, will really struggle to achieve AML/CFT compliance before the 1st July deadline.

None of the law firms we spoke to expressed a desire to breach the law or not adequately address their obligations under the Act. However, with the current limited understanding of where to even begin to convert the requirements of the Act into business aligned practices, and the restricted capacity of AML/CFT practitioners to support law firms at volume before the 1st July deadline, a real possibility exists of significant levels of non-compliance across the legal practitioner sector.

This should be of significant concern to the law firms, but also to the DIA who are tasked with the supervision of the legal sector’s compliance with the AML/CFT Act.

There is one simple message. If a law firm has not completed its ML/TF Risk Assessment and/or AML/CFT Programme, action is urgently needed now as time is not on their side.