Institute of Certified NZ Bookkeepers

We have put together the questions and answers below to assist you on your journey to creating an AML program for your business.

The Association has been trying to gain further information on your behalf from the DIA around questions and queries that bookkeepers have had in relation to AML. The DIA have been working through a list of queries we sent through on your behalf in relation to captured activities, and they have provided some fact sheets that they hope give clarity as to whether or not you are captured for AML Supervision. A factsheet about providing registered offices is now live on their website and can be found here.

Mike Stone from the DIA states “It is up to the reporting entity who has a full understanding of the facts (having read the available material) to make an assessment, decide on their status take and record their reasoning.  DIA, as an AML supervisor, may request a copy of the reasoning for a negative determination in future.”

If you do have further questions, please do contact them on 0800 257887 or email .

Question Answer
What date do bookkeepers fall into the regime? This is effective for accountants and bookkeepers from 1 October 2018.
Who is my supervisor and how do I contact them? The Department of Internal Affairs (DIA) is the supervisor of Bookkeepers. You can subscribe to DIA’s AML/CFT newsletter to receive the latest news and updates. If you have any specific questions you can email DIA directly at
Do I need to register with the DIA? There is no statutory requirement to formally register with the DIA. The DIA will identify its regulated population using a number of tools, eg “open source” searching.
I am a Bookkeeper. Is my Bookkeeping Business automatically in scope of the regime? A Bookkeeper has obligations under the AML/CFT Act if it is a “reporting entity” under the Act. A business is a reporting entity if, in the ordinary course of business, it conducts one or more activities set out in the definition of “designated non-financial business or profession” (DNFBP) in section 5(1) of the Act. The activities are purposely high-level, broad and generic in language as they have to apply across multiple sectors. How these translate into accounting services is clarified in the Guideline: Bookkeepers and should help you work out if your business is a reporting entity. There is also a guide; Territorial Scope of the AML/CFT Act 2009 which is designed to assist businesses to determine whether they have obligations under the Act
What does “in the ordinary course of business” mean? There is an Interpreting ‘Ordinary Course of Business’ Guideline which explores the meaning of this phrase. Whether an activity is in your ordinary course of business is ultimately a question of judgment and depends on the nature of your business. There is no bright-line test to determine the answer, and that is because all businesses are different. The Guideline: Accountants suggests some relevant factors to take into consideration would be whether the activity:
  • Is normal or otherwise unremarkable
  • Is frequent
  • Is regular (meaning predictable, consistent)
  • Involves significant amounts of money
  • Is a source of income
  • Involves significant resources
  • Involves a service offered to customers
They are relative measures in the context of your particular business. It is likely that the activity is in the ordinary course of your business if one or more of these factors apply.
What if I do some of these activities in my personal capacity (ie my volunteer work includes being the trustee of a local charitable trust)? The Guideline: Accountants clarifies that if you are conducting a captured activity in your personal capacity (as opposed to in your professional capacity) – then that is not captured by the Act.
Is advice captured? The Guideline: Accountants clarifies that advice alone, even if it is in relation to a captured activity – in the absence of any actual captured activity – is not captured by the Act.
Is acting as a trustee of a deceased person’s estate a captured activity? Being the trustee of a trust is a captured activity. A deceased person’s estate is considered a trust for AML purposes.
Does payment of professional fees come under “managing client funds”? No. Receipt of professional fees is not captured by the Act.
Is being a joint signing authority with the client on their bank account a captured activity? The key determining factor is whether you have control over the flow of funds – if you do have control, the activity is captured. With joint signing authority, you are not controlling the funds; your client is.
My Bookkeeping Business provides a correspondence address to Inland Revenue (IR) for tax clients and provides a registered office for the Companies Office for some clients. Are these captured activities?

One of the activities set out in the definition of DNFBP in section 5(1) of the Act is “Providing a registered office or a business address, a correspondence address, or an administrative address for a company, or a partnership, or for any other legal person or arrangement, unless the office or address is provided solely as an ancillary service to the provision of other services (being services that do not constitute an activity listed in this subparagraph or subparagraphs (i), (ii), and (iv) to (vi))”.

If a Bookkeeper just provides an office or address to a client, then this is a captured activity. But if the provision of an office or address is ancillary to the provision of non-captured activities, then this is not a captured activity. However, the DIA is of the general view that:

  • Providing a correspondence address to IR for tax clients is not a captured activity because it is ancillary to preparation of tax returns which are non-captured activities.
  • Providing a registered office for the Companies Office for accounting clients is a captured activity because it believes it involves management of the company in a way that is not just ancillary to non-captured activities.
There is a Bookkeeper down the road whose owners are not members of ICNZB. They have stopped calling themselves bookkeepers and even changed their business name to remove the word ‘bookkeepers’. Does this mean they are outside the scope of the regime now? Absolutely not, because it is an activity-based regime. A business is a reporting entity if, in the ordinary course of business, it conducts one or more activities set out in the definition of DNFBP in section 5(1) of the Act. If they are no longer holding themselves out to be Bookkeepers, but they carry out captured activities, then they fall within the definition of a “trust and company service provider” (TCSP) which is defined in section 5(1) of the Act as “a person (other than a law firm, a conveyancing practitioner, an incorporated conveyancing firm, an accounting practice, or a real estate agent) who carries out any of the activities described in paragraphs (a)(i) to (vi) of the definition of designated nonfinancial business or profession.” The regime takes effect for TCSPs earlier than it does for us: TCSPs must be compliant from 1 July 2018.
I am a sole trading Bookkeeper. Does that mean I have to be the compliance officer?  You must designate an employee to be the compliance officer. The employee may be based overseas but must report to a senior manager of your business. If you are the only employee of your business, then you can be the compliance officer. If your business does not have employees, you must appoint a suitable person to act as a compliance officer or fulfil the role yourself. The compliance officer can carry out other duties not related to AML/CFT compliance. It does not have to be a standalone position.
Are compliance officers personally liable?

Compliance officers are not held personally liable if their reporting entity fails to comply with its obligations under the Act. However, compliance officers may receive a performance injunction under section 85 of the Act.

As individuals, compliance officers are also capable of committing offences under:

How do I go about producing a risk assessment?

The AML/CFT regime is risk-based, so resources can be targeted efficiently at high risk areas, reducing the cost of compliance for your business. It involves identifying and assessing the risks the business reasonably expects to face from ML/TF. You understand your business better than anyone else. Therefore, you are best placed to identify the risks your business faces from ML/FT, and to assess the likelihood and consequence of ML/FT occurring through your business. There is an AML/CFT Risk Assessment Guideline and an AML/CFT Risk Assessment and Programme: Prompts and Notes for DIA Reporting Entities (Prompts and Notes) that explain how you could assess the risk of ML/FT that your business reasonably expects to face.

Your risk assessment must:

  • be in writing;
  • include a description of how you will keep it up to date;
  • identify the ML/FT risks your business reasonably expects to face, having regard to the following factors in section 58(2) of the Act:
      • the nature, size and complexity of the business
      • the products and services it offers
      • the methods by which it delivers its products and services to its clients
      • the types of clients it deals with
      • the countries it deals with – for this there is a Countries Assessment Guideline
      • the institutions it deals with
  • enable you to determine the level of risk; and
  • enable you to prepare an AML/CFT programme in accordance with section 57 of the Act.

Subject to these mandatory requirements, you can choose to comply with section 58 of the Act in whatever way you think is appropriate for your business. The end result of your risk assessment will depend on the factors in section 58(2) of the Act. If your business is relatively small, with only lower risk clients and services, the risk-based regime means your risk assessment can be relatively short and simple.

There are two documents that inform your entity’s risk assessment:

  • National Risk Assessment 2018 – Produced by the New Zealand Police Financial Intelligence Unit, this provides an overview of the ML/FT risks affecting New Zealand as a whole.
  • Phase 2 Sector Risk Assessment – This identifies the ML/FT vulnerabilities that are specific to the accounting profession.
How do I go about establishing an AML/CFT programme?  

Once you have completed your risk assessment, you can prepare an AML/CFT programme that minimises or mitigates these risks in a proportionate way. It also serves as an operating manual of how your business will comply with its AML/CFT obligations. For example, it will set out what level of customer due diligence (CDD) you will apply to a new client. If your business is relatively small, with only lower risk clients and services, the risk-based regime means your AML/CFT programme can be relatively short and simple.

There is an AML/CFT Programme Guideline and an AML/CFT Risk Assessment and Programme: Prompts and Notes for DIA Reporting Entities (Prompts and Notes) that are designed to help reporting entities develop their AML/CFT programme. An AML/CFT programme sets out the internal policies, procedures and controls necessary to detect ML/FT. Your AML/CFT programme must contain policies, procedures and controls around:

  • Vetting staff
  • Training staff
  • Customer due diligence requirements (including ongoing customer due diligence and account monitoring)
  • Suspicious activity reporting
  • Prescribed transaction reporting
  • Written findings and record keeping
  • Monitoring, governance and oversight
  • Managing and mitigating risks

Subject to these mandatory requirements, you have flexibility to develop your AML/CFT programme based on your particular business. You have a certain amount of discretion to decide how to implement policies, procedures and controls that are suitable for your business. But this is subject to section 57 of the Act which requires such policies, procedures and controls to be adequate and effective.  The ML/FT risks in your business are not static. Criminals will modify their ML/FT methods to avoid detection and overcome measures you put in place to manage ML/FT risks. Under section 57(f) of the Act your AML/CFT programme must include policies, procedures and controls that continue to manage ML/FT risks identified in your risk assessment, any new products and services you may offer and new or emerging ML/FT methods.

The following sources will provide additional information about current ML/FT methods:

Who can audit my risk assessment and AML/CFT programme?

Section 59 of the Act requires a reporting entity to have its risk assessment and AML/CFT programme audited every two years (or at any other time at the request of the relevant AML/CFT supervisor). Under section 59B of the Act the audit must be carried out by an independent and appropriately qualified person. ‘Independent’ means the individual must not be involved in the development of the risk assessment, or the establishment, implementation or maintenance of the AML/CFT programme. So the person appointed to undertake the audit may be a member of your staff, provided they are adequately separated from the area of the business carrying out your AML/CFT risk assessment and AML/CFT programme. You may choose to appoint an external firm to undertake the audit. You may also put in place reciprocal audit arrangements with another accounting practice provided any conflicts of interest are managed appropriately. ‘Qualified’ means the person has the relevant skills and experience to conduct the audit, including knowledge of the AML/CFT legislation. The person is not required to be a financial auditor. The Act does not specify how these audits are conducted, eg it is silent on the level of assurance, but there is a Guideline for Audits of Risk Assessments and AML/CFT Programmes. The Act does not require the engagement to be conducted in accordance with the assurance standards issued by the External Reporting Board (XRB).

Is there a public register of AML auditors? Not currently, but we understand the DIA is exploring options for this.
Who do I need to conduct customer due diligence on? Section 11 of the Act requires customer due diligence (CDD) to be conducted on the following parties (if applicable):
  • The client; and
  • Any beneficial owner of a client; and
  • Any person acting on behalf of a client – for this there is a fact sheet.
Who is a “beneficial owner”?

 A beneficial owner is any individual (a natural person):

  • Who owns greater than 25% of the client; or
  • Who has effective control of the client; or
  • On whose behalf a transaction is conducted.

This comes from the definition of “beneficial owner” in section 5(1) of the Act, and the ‘prescribed threshold’ can be found in Regulation 5 of the AML/CFT (Definitions) Regulations 2011. A beneficial owner is an individual who satisfies any one element, or any combination of the three elements. There may be more than one beneficial owner associated with your client. The Beneficial Ownership Guideline is designed to assist reporting entities in meeting the requirement to perform CDD on the beneficial owners of a client.

What do I need to obtain for CDD? For standard CDD, section 15 of the Act requires the following identity information to be obtained and verified for each relevant party:
  • Full name
  • Date of birth
  • Relationship to the client
  • Nature and purpose of the proposed business relationship
  • Address or registered office
  • If it is a company, its business number (NZBN)
Verification involves confirming that information against documents, data or information obtained from a reliable and independent source. The Amended Identity Verification Code of Practice 2013 provides a suggested best practice (and safe harbour) for conducting name and date of birth identity verification on natural persons that have been assessed to be low to medium risk. It does not prescribe the way in which reporting entities can conduct verification of a client’s address. You may also wish to refer to the Amended Identity Verification Code of Practice – Explanatory Note.
When would I need to undertake enhanced CDD? There are three levels of CDD: standard, simplified and enhanced. There are some clients that a reporting entity must conduct enhanced CDD on in accordance with section 22(1) of the Act. These include, but are not limited to:
  • A trust or another vehicle for holding personal assets.
  • A non-resident client from a country that has insufficient anti-money laundering and countering financing of terrorism systems or measures in place.
  • A company with nominee shareholders or shares in bearer form.
  • A politically exposed person (PEP).
  • When a reporting entity considers that the level of risk involved is such that enhanced CDD should apply.
What is a PEP? A PEP is defined in Section 5(1) of the Act as an individual who holds or has held a prominent public function in any overseas country at any time in the preceding 12 months, including immediate family members and close associates of such individuals.
With a trust, who do I need to conduct CDD on?
  • The client – the trust itself.
  • Any beneficial owner of the trust – any individual who has effective control over the trust, specific trust property, or with the power to amend the trust deed, or remove or appoint trustees such as a protector.
  • The person acting on behalf of the trust – this may be a trustee. If it is a corporate trustee, you need to identify the individual representing the corporate trustee.

Section 22 of the Act requires reporting entities to conduct enhanced CDD on trusts. This involves gathering further information on source of funds or wealth of the trust. This usually involves the settlor – the person who put the assets into the trust (unless it was a nominal amount). In addition, section 23(2) of the Act requires you to obtain:

  • If the trust is a discretionary trust, a charitable trust, or a trust that has more than ten beneficiaries – a description of the class or type of beneficiary.
  • If the trust is a charitable trust – a description of the objects of the trust.
  • For all other trusts – the name and date of birth of each beneficiary of the trust.

For more information, there is a CDD Fact Sheet: Trusts.
With a trust, do I need to verify the identity of the beneficiaries? No. As per section 23(2) of the Act you only need to obtain it (ie from the trust deed). Paragraph 68 of the Enhanced Customer Due Diligence Guideline confirms there is no requirement to verify the name and date of birth of trust beneficiaries.
Which clients can I do simplified CDD on? Section 18(2) of the Act outlines the types of clients a reporting entity may conduct simplified CDD on.  These include, but are not limited to: NZX listed issuers, crown entities, government departments, local authorities, registered banks and licensed insurers. 
Do I need to do CDD on all clients? You are only required to conduct CDD on clients to whom you provide captured activities. It is a business decision to extend CDD to all clients.
Do I need to go back and do CDD on all my existing clients?

No, the regime is to be applied prospectively. CDD is only required on an existing client if:

  • The client’s risk profile indicates they would be subject to enhanced CDD (ie they are high risk); or
  • The client’s risk profile indicates they would be subject to simplified or standard CDD, there has been a “material change” in the nature or purpose of the business relationship and you do not hold verified identification documents on that client (section 14(1)(c) of the Act); or
  • You become aware that they are anonymous (section 14(2) of the Act); or
  • You submit a suspicious activity report (SAR) on them (section 22A of the Act).

An “existing client” is a client to whom you were providing captured activities prior to 1 October 2018.  However, the Department of Internal Affairs (DIA) believes that a best-practice approach is to conduct CDD on existing clients on a systematic basis based on the client’s risk profile, regardless of whether there is a material change or not.

If you provide a client that would be subject to enhanced CDD (circumstances in section 22(1) of the Act) with continuous captured activities (eg you act as a trustee of a trust), then you will need to ensure this CDD is conducted prior to 1 October 2018. Otherwise you will need to conduct CDD prior to next providing the client with captured activities.

What is a “material change”? “Material change” is defined in paragraph 9 of the Risk Assessment Guideline as “an event, activity or situation that you identify that could change the level of ML/TF risk you encounter”.
What is an “occasional transaction or activity”? An “occasional transaction” is a cash transaction of $10,000 or more that occurs outside of a business relationship. This comes from the definition of “occasional transaction” in section 5(1) of the Act, and the ‘applicable threshold value’ can be found in Regulation 10 of the AML/CFT (Definitions) Regulations 2011. An “occasional activity” is defined in section 5(1) of the Act as the provision of one of the activities described in the definition of DNFBP that occurs outside of a business relationship.
Do I need to update my CDD on a regular basis?

Section 31 of the Act contains requirements around ‘ongoing customer due diligence’ and ‘account monitoring’.

‘Ongoing customer due diligence’ requires you to regularly review any information you hold about the client (section 31(4)(b)). This means ensuring any identity information that you do hold on a client is up to date, and if not, obtaining new identity documents to verify any changes. This assists with determining whether insufficient information is held.

‘Account monitoring’ requires you to regularly review the client’s account activity and transaction behaviour (section 31(4)(a)). This terminology is very much geared towards financial service providers so can be ambiguous. For professional service providers this means observing your clients’ requests, activities and behaviour and remaining alert for red flags and suspicious activities. This assists with determining whether there is a “material change” and the submission of SARs to the New Zealand Police Financial Intelligence Unit (FIU). 

Can I outsource CDD? Section 34 of the Act permits you to authorise another person or business to act as your agent to carry out CDD, or to get the necessary information from clients. However, you are still legally responsible for ensuring the CDD meets the required standard. “Agent” is not defined in the Act; instead, the ordinary principles of agency law apply.
Can I rely on another reporting entity’s CDD?
Section 33 of the Act permits a reporting entity to rely on another reporting entity in New Zealand or a person in another country that has sufficient AML/CFT systems and measures in place and who is regulated for AML/CFT purposes. There are some conditions that must be met though in order for this to happen. The other New Zealand reporting entity or overseas person must:
  • Already have a relationship with your client.
  • Consent to conducting CDD for you and providing all relevant information to you.
  • Have conducted CDD in accordance with the New Zealand AML/CFT Act.
  • Provide the relevant identity information to you before you establish a business relationship or conduct an occasional transaction or activity.
  • Provide the relevant verification information to you within five working days of the request.
However, you are still legally responsible for ensuring the CDD meets the required standard (that is unless the reporting entity being relied on is an “approved entity” – see below). Another way is to form a designated business group (DBG).
What is an “approved entity”? Section 33(3A) of the Act enables a business to rely on an “approved entity” for CDD. There are not currently any prescribed approved entities. Therefore the option of relying on an approved entity has not yet been made operational and is not available for use by reporting entities.
What is a prescribed transaction?  A prescribed transaction is one of the following made through the reporting entity:
  • A domestic physical cash transaction of $10,000 or more; or
  • An international wire transfer of $1,000 or more where the reporting entity is the ordering or beneficiary institution, and the other entity is located outside New Zealand.
This comes from the definition of “prescribed transaction” in section 5(1) of the Act, and the ‘applicable threshold value’ for a wire transfer and a domestic cash transaction can be found in Regulation 6 of the AML/CFT (Prescribed Transactions Reporting) Regulations 2016. For more information see the Wire Transfers Guidance.
I was told the prescribed transactions reporting requirements come into force on 1 November 2017. Do I need to comply from this date? This is a new requirement for Phase 1 reporting entities and this is the effective date for Phase 1 reporting entities. For accounting practices, these obligations will commence on 1 October 2018 – the same date as all the other obligations.
What data is required to go in a prescribed transaction report? The information requirements for Prescribed Transaction Reports (PTRs) are set out in Schedule 2 of the AML/CFT (Prescribed Transactions Reporting) Regulations 2016.
What is a suspicious activity? A suspicious activity is defined in section 39A of the Act and is an activity where the reporting entity has reasonable grounds to suspect that the transaction or proposed transaction, the service or proposed service, or the inquiry, as the case may be, is or may be relevant to:
  • The investigation or prosecution of any person for a money laundering offence; or
  • The enforcement of the Misuse of Drugs Act 1975; or
  • The enforcement of the Terrorism Suppression Act 2002; or
  • The enforcement of the Proceeds of Crime Act 1991 or the Criminal Proceeds (Recovery) Act 2009; or
  • The investigation or prosecution of an offence (within the meaning of section 243(1) of the Crimes Act 1961 – “an offence (or any offence described as a crime) that is punishable under New Zealand law, including any act, wherever committed, that would be an offence in New Zealand if committed in New Zealand”).
What information do I need for a suspicious activity report? The form and content of a suspicious activity report is prescribed in Schedule 1 of the AML/CFT (Requirements and Compliance) Amendment Regulations 2017.
How do I submit a suspicious activity report or a prescribed transaction report? Suspicious activity reports (SAR) and prescribed transaction reports (PTR) are submitted to the FIU through the online portal, goAML. So firstly you will need to register with goAML. There are a number of guidance documents that can help:
What is the timeframe for reporting a suspicious activity? Under section 40 of the Act a reporting entity must report a suspicious activity as soon as practicable, but no later than three working days after forming its suspicion.
Do I have to tell my client that I am submitting a suspicious activity report? No, this is commonly referred to as “tipping off”. You should only disclose such information to those listed in section 46 of the Act. Unlawful disclosure is an offence under section 94 of the Act.
What happens if I come across a suspicious activity but my business is not a reporting entity? If your business is not a reporting entity, then it is not obliged to report suspicious activities. However, if you wish you can make a report about the activity directly to the NZ Police or to Crimestoppers.
What is in the annual report?  The form and content of the annual report is prescribed in Schedule 2A of the AML/CFT (Requirements and Compliance) Amendment Regulations 2017. There is also a Phase 2 User Guide: Annual AML/CFT Report by DNFBPs. To submit your annual report you use the secure electronic uploading facility provided on the DIA website, which will be available for new reporting entities prior to the first report being due.
When is the first annual report due? Annual reports in respect of the period 1 July—30 June must be submitted to the DIA by 31 August each year. For bookkeepers the first annual report will be for the 9 months from 1 October 2018 to 30 June 2019 and due 31 August 2019. You should start collecting the information required from when you become subject to the Act.
What are the consequences for non-compliance? The DIA’s approach to regulation is to provide support and guidance to its sectors in the first instance. This is consistent with the risk-based approach that the Financial Action Task Force (FATF) expects supervisors to apply, in that the DIA’s interactions with a reporting entity should reflect the level of ML/TF risk that entity has. Body corporates and individuals face different penalty levels for each type of offence. For example, the penalties in section 105 of the Act are a fine of up to $5 million for body corporates, whereas individuals could face a term of imprisonment of not more than 2 years and/or a fine of up to $300,000.