The Financial Markets Authority (FMA) has introduced something new that will impact your AML/CFT compliance regime: a cyber-resilience framework for financial service providers.

In its report issued in July 2019, the FMA says that this framework must be implemented by the financial institutions it regulates. If the FMA is your AML/CFT supervisor, that means you must create and maintain a cyber-resilience framework. If you are supervised by the Department of Internal Affairs (DIA) or Reserve Bank of New Zealand (RBNZ), you can expect similar requirements on the horizon.

Here, we break down how the FMA’s report is related to AML/CFT typologies you must be aware of, and suggest how you can integrate this into your existing AML/CFT compliance regime.

As you know, AML/CFT compliance is an ever-shifting game, and we’re here to keep you in it.


Cyber Resilience and Cyber Crime Typologies

Cyber crime is criminal activity that involves the internet and the electronic devices that allow criminals to misuse it for illicit purposes.

We regularly advise our clients to expressly consider cyber crime typologies in their AML/CFT Risk Assessments. Remember, typologies are the methods and tactics criminals and terrorists may use to carry out money laundering or terrorist financing activities.

In what specific ways could your business be vulnerable to these cyber crime typologies? Think about the ways your staff, customers, and suppliers could carry out these activities – how would you identify that this has happened? How likely is this to happen and how serious would it be if it did happen?

We then advise our clients to explain and record the ways in which they manage and mitigate those cyber crime risks in their AML/CFT Programme:

Who is responsible for identifying cyber crime activities taking place in your business? How are those people equipped to recognise and manage these activities if they do take place? Who is the director and/or senior manager responsible for managing a cyber crime attack?

What The FMA Requires

The following is a summary of the actions the FMA now requires its reporting entities to take in order to demonstrate compliance with its cyber-resilience framework:

  • Report incidents and use guidance resources through CERT NZ and New Zealand’s National Cyber Security Centre (NCSC);
  • Include an assessment of cyber crime risks in the existing risk management regime; for many businesses, their existing AML/CFT Risk Assessment provides a natural home for this analysis;
  • Ensure there is a basic response and recovery plan in place that incorporates both protection and detection measures;
  • Confirm that the cyber crime risk analysis and management plan is overseen by and visible to governance and/or senior management staff, in line with the Institute of Directors’ Cyber Risk Practice Guide;
  • Seek to integrate a “recognised cybersecurity framework to assist with planning, prioritising and managing” cyber crime risks. The FMA provides the example of The National Institute of Standards and Technology (NIST).

If you need help integrating cyber crime risks in your AML/CFT Risk Assessment, call Claire on 021 256 1641.

Connect with Claire on LinkedIn.