

The answers to those burning AML/CFT questions.

I’m sure there is no money laundering and terrorist financing in my business, do I still need to comply?2017-06-21T18:26:24+12:00

Yes, if you are a reporting entity in New Zealand you need to comply.

You may be right that there is no ML/TF taking place in your business, but you’re probably wrong. The police have estimated that $1.5 billion is laundered in New Zealand every year.

Check our blog and Twitter feed to stay on top of the likely ways criminals are probably using your products and services right now.

What is a risk? How do I measure it? How do I control it?

The government has identified the risks specific to each sector. As a business you need to find out

  • Which sector are you in?
  • Who is your regulator / supervisor?
  • What risks has the supervisor identified for your type of business?

You need to complete a Risk Assessment for your business, addressing each risk as identified by your supervisor, and define how your business has identified and will address and manage that risk, and how you will document that you are addressing each individual risk in your daily workflow. This will be done through your risk assessment and establishing your programme.


Why Fiducia?

Fiducia innovates, and we provide products and services nobody else does. Fiducia has more options than your standard consulting firm

  • Fiducia templates
  • Fiducia strategic approach
  • Fiducia provides a package designed for governance to outline how AML/CFT compliance can enhance your commercial strategy rather than battling with compliance issues
  • Fiducia delivers its products digitally in a way that reduces cost for everybody
  • Fiducia transforms AML/CFT compliance from pain and struggle into a strategic benefit to the business

What is the strategic benefit?

The majority of NZ businesses believe in the values the AML/CFT regime enforces on them, which means that only those businesses who are upfront contributors get to do business with us.

By being on the ball with your compliance you can show your clients, your investors and everybody interested in your business or your product that you treat their money with integrity; criminals don’t deal with your company.

AML/CFT regulations are confusing. Working with Fiducia you will understand your compliance needs in a manner that results in a competitive advantage. You will reduce the long-term cost of AML/CFT compliance to your business; you will streamline your policies, procedures and controls for maximum efficiency and remove the blockages that hinder other companies.

What is the pain inflicted by AML/CFT?

Complying with AML/CFT regulations can be expensive. You need to

  • Analyze your current workflow
  • Assess how each step of your process is affected by AML/CFT compliance
  • Adapt large and small daily workflow tasks which affect your daily life
  • Add new tasks to your workflow
  • Employ a new staff member to deal with compliance, or the workload for existing team members will increase
  • Train your staff at all levels on what AML compliance means for their role

Creating the documents required for compliance can cost you a lot of internal staff time, or you need to pay for advice that allows you to address the above challenges in an efficient manner.

At this stage, with AML/CFT compliance so new, the only way to find out how the day-to-day running of your business is affected is to either buy Fiducia templates or to hire Fiducia services to tell you.

What type of skill / knowledge is required to deal with AML/CFT compliance?

Compliance tasks cannot be added to the list of tasks for your receptionist or office administrator.

The compliance person has to have access to all data within the business, e.g. how many customers you have, who your customers are and what type of customers you have, how much the turnover is and what type of transactions you undertake. It also needs to be someone who can advocate to the board or the senior management team for any resources for new projects that need to be launched.

It’s likely that your business will need new projects and resources dedicated specifically to AML/CFT compliance.

What level within the organization do you expect the compliance officer to be in?

Usually one of the C-suite officers will be appointed as compliance officer; most often it will be the CFO. They then delegate some of the compliance activities to team members. In some cases middle managers have been nominated as compliance officers; they then have strong reporting activities to the CFO-type position.

If you can’t have both, you need somebody senior who delegates to somebody who knows the nitty-gritty, or you need somebody who is doing the nitty-gritty and can report directly to a senior manager. One of the requirements of The Act is that all compliance officers must report to someone senior in the business.

If you are very small, e.g. a one-man band, you are the senior manager and the compliance officer.

Can you tell me something about how often different tasks need to be completed? Are compliance tasks daily? Weekly? Monthly or annually?

The Risk Assessment needs to be updated annually, and / or as data within the Risk Assessment changes substantially. Most static and established organisations may only update their risk assessments once a year or following every independent audit.

Independent audits need to happen once every two years.

Programmes are set out to manage and mitigate the risks as identified in the Risk Assessment. The Act requires that all programmes relate directly to the specific risks as identified in the Risk Assessment; the best procedures are useless if they don’t address the risks specific to YOUR business. Programmes contain three sections:

a)     Policies are the guiding umbrella principles by which the business commits to AML compliance; this relates to the board and the senior managers. Policies are designed to remain as static as the RA; you only need to update your policies if your risks change. The policies define ‘what are we going to do’.

b)    Procedures are specific and dynamic working documents; they are the step-by-step guidelines that illustrate to every person within the business how the policies will be undertaken. These procedures are dynamic; they may change monthly or they may remain static. They need to be written and stored in a manner that allows every member of the business to access, read and understand them.

The procedures specify ‘how are we going to implement the policies’.

c)     Controls specify how certain people within your organization measure whether the procedures are working and align to the policies. How these controls are implemented depends on your business; you might have internal audits, you might have weekly reviews of your customer files, you might have monthly reporting up to the board, it depends on each individual business.

Fiducia templates will outline the different options. Controls can only be decided upon once the policies and procedures are in place.

External Audits

Businesses contract an auditor to obtain findings of compliance. The business can negotiate with the auditor the level of assurance they need. Under The Act you are required to

  • Rectify any failings
  • Provide the audit to your regulator / supervisor when requested.

The auditor checks that

  • The business meets the minimum requirements of The Act.
  • Your Risk Assessment and Programme documents cover everything they need to, as specified in the Sector Risk Assessment and your business Risk Assessment.
  • You have appropriately recorded your risk assessment.
  • The programme has policy, procedures and controls that are sound and meet the minimum requirements as outlined in The Act.
  • How effective those AML requirements are in the context of your business. For example, the procedures are in place, yet they are not actually implemented as the auditor can see by checking individual files. In this case the procedure was not effective because it wasn’t carried out.
  • Whether the procedures are implemented in a manner that meets the spirit of The Act.
  • Whether you can stay compliant by the way you carry out your specified procedures.

Implementation and remediation

What we have seen, particularly with smaller companies, is that they create high quality documentation and then they don’t use it. The auditor or the regulator / supervisor comments that ‘your documents look good but you’re not bringing them to life’. They are not applied to the processes within the organization.

You will be assessed on how your day-to-day work reflects what is in the documents.


The remediation process starts when an auditor identifies problems you need to fix and / or a regulator (your supervisor) does a review and states that you are not compliant.

Fiducia then reviews your programmes; we analyse your policies, procedures and controls; we check that your documentation works as it is supposed to, and then we identify the blockages. What do you need to do to address the issues as identified by the auditor / regulator? What can we do to improve the systems and procedures?

What do I do if we’ve failed our independent audit or have some findings to fix?

You are required to fix any deficiencies identified by your independent AML/CFT audit. You’ll need to disclose in the annual report to your supervisor whether your independent AML/CFT audit identified any problems and the steps you’ve taken to fix them.

The best thing to do is make a plan of attack; prioritise the most important actions to take, estimate how long they will take and how much they might cost, and what external assistance you need.

As always, document and record all of the work you do to address your audit findings, and give us a call if we can help.

I’ve received a letter from my supervisor telling me we’re not meeting our requirements, what should I do?

It’s important you take this seriously and act quickly to protect you and your business from an escalating problem.

Each of the New Zealand supervisors is, in our experience, constructive and eager to see your business’ approach to AML/CFT succeed.

I know we need to improve our AML/CFT compliance but my board and senior management tell me we have no budget for it. What should I do?

We know that AML/CFT compliance can feel like it’s adding cost without adding benefit to your business.

  • Non-compliance can be hideously expensive if fines, criminal or civil prosecutions of your board and senior management, and negative media exposure are the result.
  • Fiducia has options
  • Make direct contact with your supervisor. We know that they are aware of the costs associated with AML/CFT compliance and are working to reduce them.

I have a really small budget for AML/CFT compliance but I need help, what can you provide me?

We know compliance can feel expensive. Believe us, non-compliance will be much, much more expensive.

We’ve got a few options for you:

  • Check out our DIY AML/CFT Templates. You can access the best of what our team of consultants do, without any of the consulting fees;
  • Purchase a Support Package which gives you personal access and coaching from one of our team members, to use for advice, reviews, and problem solving;
  • Seek a consulting engagement with us. By the time you add up the time you’ll spend, the risks you’re taking, and the stress you’re experiencing, it might be much cheaper for us to do the heavy lifting for you. Get in touch.

As a small business owner, how much time do I need to dedicate to set up for AML compliance?

Fiducia templates allow you to control the time required to complete your RA and programmes. Starting from scratch you can complete the basic requirements and create the documents within 40 working hours. This timeframe does not include the time required to implement those new structures and train your staff in new work flow processes.

With Fiducia templates you can contract Fiducia consulting time in 5-hour blocks. This means we advise you on how to complete the documents, we review documents for you and answer any questions.

If you think you might need 10 hours of support, you might be better off purchasing a consulting package; that way Fiducia does all the heavy lifting and does all the work for you. You give Fiducia the information, and we will create the RA, the programme with policies, procedures and controls and we train you and your staff on how to implement the changes and adjust the daily workflow.

Working with Fiducia for a standard Risk Assessment programme requires a maximum of 8-10 hours of your own time, but spread over a 6 – 8 week timeframe to completion. This includes 3 – 5 hours of Fiducia consulting time and a 3-hour workshop for your staff. This means that within a maximum of 15 hours of your own time your RA and programmes will be in place and all your staff will know how to comply with those new regulations.

Faster completion time with Fiducia consulting is available at a higher rate, allowing for fast completion with minimum time input from your own resources.

If we’re a really small business and have really low risks, can we just comply with part of the AML/CFT requirements?

Short answer, no. If you’re a reporting entity in New Zealand, all of the requirements apply. Unless you qualify for a Ministerial Exemption, there is very little room to opt out of your obligations.

However, Fiducia’s Risk Assessment and Programme methodologies allow you to very specifically identify and target your ML/TF vulnerabilities so that you do only that which you need to, while meeting all of your AML/CFT requirements. Have a look here.

I am a lawyer; I know I need to do something, what is it that I need to do?

DIA is the supervisor / regulator for lawyers. DIA has put out a sector risk assessment specifying the risks they are worried about for lawyers.

You need to create a RA that addresses the vulnerabilities specified in the Sector Risk Assessment created by your regulator, DIA.

The DIA Sector Risk Assessment is in one document; it will be updated within the next few weeks and an updated link will be available on our website.

The AML/CFT regime since 2013 has been for financial institutions only. Can these documents and procedures be used for lawyers?

Fiducia provides different templates for every sector. The Fiducia templates designed for lawyers contain guidance and point you to the sections of The Act that apply specifically to lawyers. These templates allow lawyers to fulfil their AML/CFT requirements.

If you buy the templates for lawyers, you will have access to all the documents and links that connect you to all guidance that is currently available from various sources.

As a lawyer not familiar with AML/CFT regulations, what are the pitfalls Fiducia can stop me from falling into?

The AML/CFT regime has been operating since 2013 in NZ, yet there is no set format for a RA. You can do it however you want, but you must cover the fundamental areas as specified in The Act.

Fiducia has been involved with all regulators since 2013; our team knows the best practice ways for regulators to sign off on the RA.

Are you already working with lawyers?

We are currently working with CFOs of large law firms who have realized the competitive advantage available to those businesses who address the AML/CFT challenges head on. So far we have not been working with smaller law firms, as they don’t yet know the pain that will be inflicted upon them.

As a small law firm, do I need any more than templates?

The templates will give you the basic knowledge you need to reach a minimum standard of compliance.

What we have found with phase 1 clients is that they want to get the basics on the way first, and then they hire Fiducia to increase efficiency and to reduce the cost of compliance.

It depends on the capacity within your organization. Often smaller firms don’t have the person within their existing staff who is skilled enough to create the documentation, as they have never dealt with these types of regulation before. You can create the documents from scratch or you can purchase Fiducia templates.

As a small / medium sized law firm, do you expect I need to employ additional staff?

That is a distinct possibility and ties in with the need for extra resources to deal with compliance. You might be able to find someone whose general job it is to manage the rules in your business; that person’s job is going to get bigger.

Every RE needs a dedicated AML/CFT compliance officer who holds civil and criminal liability under the Act; there are international examples of compliance officers being fined or jailed, but this has not happened in NZ yet.

The compliance officer role needs to be assigned to a person within the business who holds power, as the role holds the ultimate responsibility to uphold all of the requirements. The compliance officer needs to

  • Know the business
  • Be senior
  • Have access to senior levels of the organization to communicate what needs to be done
  • Be trained in all aspects of AML/CFT compliance

Every business will require a compliance officer who spends a minimum of 50% of their time on AML/CFT compliance.

A set of templates for lawyers, is that the same for a small firm as it is for a large practice?

The templates and requirements are the same, but there are different levels of complexity. Fiducia templates are designed to be as streamlined and simple as possible but they can be extended to be as complex as needed. The compliance principles are the same irrespective of how big you are.

Does that mean that if I’m a sole trader compliance is easier?

The complexity of compliance is more tied to the type of business and the level of risk than it is to the size of the business. Your Risk Assessment identifies the specific money laundering risks of your business and thus determines its complexity.

Compliance-related administrative tasks apply to all businesses, irrespective of the risk level. The policies and procedures contained in the Fiducia Programme outline each of those administrative tasks.

Tasks will be easier when you’re smaller, because if two people sit within one office you can easily talk to each other. If you are part of a nationwide organization, communication and administrative tasks will become more complex.