Legal Sector Regulatory Findings


This article is a summary of the Department’s findings for the legal sector (law firms and sole practitioners) from its compliance assessments undertaken from January 2019 to January 2020.


Top 5 “compliant” areas 

  • Compliance Officers 

An area that lawyers are getting right is the compliance officer role. Under the Anti-Money Laundering and Countering Financing of Terrorism Act (the Act), a reporting entity must appoint a compliance officer. This is an important role as the compliance officer is responsible for administering and maintaining the AML/CFT programme.


The Department of Internal Affairs (DIA) checks that you have appointed someone to this role and looks at whether they are an employee who reports to a senior manager. If you are self-employed, it expects you to be the compliance officer in most situations.

  • Risk-based customer due diligence

Your AML/CFT requirements are “risk-based”. This means you must assess the risk your business faces from money launderers and terrorism financiers in a written risk assessment. You must then apply procedures, policies, and controls to effectively manage your risks.


Customer due diligence (CDD), the process by which you understand your customers and understand the ML/TF risks they pose to your business, must also be risk-based. The DIA found that this obligation is understood by the legal sector in its AML/CFT documents.

  • Regard to applicable guidance material

The DIA found that most lawyers have considered guidance material produced by the AML/CFT supervisor and the Financial Intelligence Unit (FIU). This includes the New Zealand National Risk Assessment and the DNFBP Sector Risk Assessment. These documents assist you to understand the types of money laundering or terrorism financing risks your business may face.


When undertaking a compliance review, checks are conducted to see if you have considered these documents in your risk assessment and in developing the policies and procedures for your AML/CFT programme.

  • Assessing the risk of your methods of delivery

When undertaking your risk assessment, you must have regard to the methods by which you deliver your products and services to your customers.


The DIA found that the legal sector is sufficiently assessing the risk concerning their methods of delivery. For example, reporting entities consider the risks of dealing with customers face-to-face, non-face-to-face, and the use of agents and intermediaries.

  • Assessing the risk of your products and services

When undertaking your risk assessment, you must also have regard to the different products or services you offer.


The DIA found that the legal sector is sufficiently assessing the risk concerning their products and services. For example, reporting entities are considering whether their services allow for anonymity, whether they could conceal an ultimate beneficial owner or the source of wealth or funds of their customer.


Top 5 “non-compliant” areas 

  • Examining and keeping written findings, and adopting additional measures, for dealing with countries with insufficient AML/CFT systems

An AML/CFT programme must contain procedures, policies, and controls for monitoring, examining, and keeping written findings relating to business relationships and transactions involving countries that do not have or have insufficient AML/CFT systems. Additional measures should also be implemented for dealing with or restricting dealings with such countries.


It was found that some lawyers are unsure how to determine which countries have insufficient AML/CFT systems or how to apply these requirements. In practice, the Financial Action Task Force (FATF) list of high-risk and other monitored jurisdictions should assist with the parts of your AML/CFT programme that relate to countries with insufficient AML/CFT systems.