For most New Zealand reporting entities, anti-money laundering (AML) issues show up in familiar ways. Processes that take longer than they should, decisions that vary from person to person, and compliance work that keeps getting revisited.
On their own, these issues can feel manageable. But together, they drive extra remediation work and place growing pressure on already limited compliance resources.
The real challenge is turning Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) requirements into processes that truly work - processes that suit the business needs, reflect its risk profile, and can be applied consistently day to day.
The gap between knowing what’s required, and applying the requirements in practice, is where many compliance officers and senior leaders start to feel the pressure.
Below are five common AML issues we regularly see across New Zealand organisations and what good practice looks like.
1. Governance and Compliance Culture Gaps
When AML doesn’t have clear ownership, oversight, and enforcement at a senior management level, it loses priority across the business. Support is there in theory, but day to day, AML slips into the background until something forces it back into focus.
This makes it more difficult for staff to perform consistently and apply confident judgment. An AML related question can get different answers depending on who’s asked, or how busy the week is, and compliance teams spend time clarifying decisions instead of getting on with their core work.
Over time these gaps lead to inconsistent outcomes which increases costs and operational strain. Building strong governance and a healthy compliance culture helps support timely and confident decision making to minimise this.
What good practice looks like?
- Assign the AML Compliance Officer (AMLCO) role to a senior staff member with the appropriate knowledge and experience, and the authority to influence decisions across the business. They should be able to confidently argue for, and implement, decisions and processes that streamline AML in the business.
- Ensure senior management supports their AMLCO and is regularly involved and updated on the state of AML in the business, not just when issues arise. This may be a quarterly report delivered at the management meeting, or special time carved out in the calendar for potential problems to be debated, and resources allocated for their resolution.
- Set clear expectations for how AML decisions should be made and escalated. Remit and ownership must be defined so employees have the confidence to know that they are responsible for certain tasks and outcomes. When issues arise outside these areas that can’t be resolved by the AMLCO, senior leaders need to be receptive and work with the team to resolve them in a timely manner.
2. Ineffective Training
Most organisations complete their AML training every year. The problem is that simply completing it doesn’t always translate into confidence.
Training gets done, certificates are filed, and then real world situations arrive that don’t look anything like the examples. When that happens, staff know the rules exist but aren’t always sure how to apply them in context.
The result is hesitation, time spent querying the AMLCO, delays, and often remediation. Staff may second-guess themselves or miss issues altogether. Compliance teams then often spend time undertaking remediation work, rather than improving the application of the compliance programme.
As the AML/CFT Act is updated and guidance is released, requirements for AML change. Training that isn’t refreshed regularly risks becoming obsolete. Small gaps start to appear, and pressure builds quietly across the business.
What good practice looks like:
- Training that is practical to the industry and business, role-specific, and reinforced throughout the year.
- Regular updates that reflect changes in legislation and supervisory expectations.
- Real-world examples and peer discussion to build confidence in decision making.
- Attending industry forums such as the AML Summit, to hear directly from Supervisors, learn from industry leaders and connect with other AMLCOs and AML admin facing similar challenges.
3. Reactive Compliance
AML programmes and policies should be kept current, so that they stand up to external review. But for many there is a familiar scramble when audit time rolls around. Documents have to be hunted down and reviewed in a rush, and teams work backwards to explain decisions that should have been clear at the time.
In this environment, AML becomes reactive. Issues are identified at the end, rather than being picked up through regular oversight and review. The focus is on completing tasks, not on spotting early warning signs through ongoing monitoring.
The impact goes beyond audits themselves. Time and effort are pulled into urgent remediation, senior management are drawn into operational detail, and the opportunity to address underlying issues is lost.
What good practice looks like:
- Regular risk-based reviews that surface issues early, not just at audit time.
- Setting time aside in the AML calendar for remediation.
- Having a clear action-plan when deficiencies are identified (e.g. training).
- Clear ownership for account monitoring and escalating emerging risks.
- Time and space for compliance teams to make improvements before issues escalate.
4. Outdated Risk Assessments
For some organisations, a Risk Assessment (RA) is one and done and then shelved – never to be revisited. As the business changes (with new customers or services), and as guidance is released, over time the business risk profile can shift quietly in the background.
When risk assessments don’t reflect how the business actually operates, the Compliance Programme is based on incomplete or inaccurate risk information that ultimately impacts day-to-day decisions. For example, Customer risk ratings may not accurately align with the level of Customer Due Diligence (CDD) being applied, Enhanced Due Diligence (EDD) can be triggered late or applied inconsistently, and transaction monitoring may not be undertaken in a manner that is proportionate to the level of risk.
This results in effort put into the wrong places. Low risk customers subject to unnecessary checks, while high risk activity doesn’t always receive the level of scrutiny it should. Eventually, this creates extra work to fix, and makes it harder to explain decisions during audits or when regulators take a closer look.
What good practice looks like:
- A Risk Assessment that is reviewed and updated at least every year to ensure risk ratings reflect current customer behaviour and activity, or when changes occur.
- The Risk Assessment directly informs CDD, EDD and transaction monitoring requirements.
- Any changes are documented, and the RA is versioned with copies retained.
5. Relying on Manual Processes
It’s human nature to fix what’s in front of us. In AML, that often means creating quick workarounds to keep things moving. A spreadsheet here, an email trail there, and before long, those workarounds become part of the process.
At low volumes, this can work well. As the business grows, it becomes harder to keep track. Information is duplicated, errors creep in, and small mistakes turn into repeated follow-up and clean-up work.
A common example is how identity documents are stored. Copies of passports, driver licenses and verification checks are often saved across shared folders, with naming conventions that only make sense to the person who set them up.
Over time, versions multiply, folders become crowded, and it’s no longer clear which documents are current. Compliance teams spend time searching and double checking, rather than focusing on risk and oversight.
What good practice looks like:
- One reliable source of customer and risk information, so staff are working from the same, up-to-date details.
- Processes that are clear, repeatable, supported by appropriate systems and scalable as the business grows.
- Using software like AMLHUB to centralise CDD and EDD records, reduce manual handling, and ad hoc storage methods.
Bringing it back to practical AML
Whether you’re just finding your feet in AML or have been working in it for years, these issues are likely to sound familiar. Most New Zealand reporting entities will recognise at least some of them in their own programmes. They don’t point to a lack of effort or intent, but they do reflect how complex legislations play out in real businesses over time.
The common theme in these issues is the gap between understanding what the rules require and applying them in a way that works for the business. When that gap widens, resources become costly, and more time is spent on remediation rather than strengthening the compliance programme.
Closing that gap means learning what good looks like in practice.
That’s the focus of the AML Summit. It’s an opportunity to hear from industry peers and gain practical insights you can take back to your organisation and implement straight away.
Shane Cox
Senior Consultant, CAMS, MSc
Shane is a Certified Anti-Money Laundering Specialist (CAMS) with extensive experience in compliance, risk management and financial technology. He has worked across the payments and finance sectors in roles that have developed his expertise in the practical implementation of AML/CFT obligations.
Shane holds a Master of Science degree in Strategic Management and Innovation. He undertakes audits as well as the development and enhancement of compliance documentation, with a focus on pragmatic solutions that balance regulatory requirements with business needs.