Breaches of AML/CFT laws results in serious consequences

The Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) regime has been in the public spotlight over the last few years, be it as a result of the recent changes to the regime, or investigations of reporting entities by the regulators.  

The heavily publicised settlement between casino operator SkyCity Casino Management Limited (SkyCity) and the Department of Internal Affairs (DIA) is an example of this and of the serious consequences of non-compliance with the AML/CFT regime.

Background and the decision

Under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (Act), all casinos in New Zealand are required to meet a range of regulatory obligations to detect and deter money laundering and the financing of terrorism.

In May of this year, SkyCity reached a settlement with the DIA following an investigation it began in February 2024 over SkyCity’s alleged breaches of the AML/CFT regime.

DIA’s investigation focused on SkyCity’s AML/CFT compliance relating primarily to its international business customers and found systemic non-compliance and breaches of its obligations relating to risk management, establishing, implementing, and maintaining an AML/CFT compliance programme, the monitoring of accounts and transactions, conducting compliant enhanced customer due diligence, and terminating existing business relationships when required. These failures spanned between February 2018 and March 2023.

The settlement included an admission of guilt by SkyCity relating to the above largely historical breaches and a penalty of NZ$4.16 million. The agreement was subject to approval of High Court, which was granted on 26 September 2024. The High Court ordered SkyCity to pay the agreed penalty and also pay the DIA’s legal costs.

The statement of claim shows that in the lead up to the 2024 investigation, the DIA engaged with SkyCity on a number of occasions. Most notably the DIA reviewed SkyCity’s AML systems in 2014 but noted that the review did not constitute an audit and could not be relied upon to detect non-compliance. There were on-site inspections in 2019, 2021 and 2022. Arguably there was not enough follow through by the DIA on these prior occasions.

Other breaches

In addition to the above settlement, earlier this year SkyCity also agreed a near NZ$74 million settlement with the Australian AML/CFT regulator – the Australian Transaction Reports and Analysis Centre (Austrac) for breaches of the Australian AML/CFT laws at its Adelaide casino. It was likely on the back of the Austrac’s investigation that the DIA commenced a detailed review of SkyCity’s compliance with New Zealand’s AML/CFT regime. SkyCity Auckland admitted to Austrac that 24 out of the 59 suspects identified in Austrac’s legal action into SkyCity Adelaide were also customers of SkyCity Auckland, likely forcing the DIA to act on this side of the Tasman.

SkyCity’s inadequate risk management systems also brought about a temporary suspension of its SkyCity Auckland casino license during the year, resulting in a five day casino closure for alleged breaches of the host responsibility code.

2024 has not been a very good year for SkyCity.

SkyCity’s transformation programme 

Per a NZX market release dated 18 July 2024 in relation to the breaches of the host responsibility code, SkyCity has been undertaking several actions to lift its performance in both the AML/CFT and host responsibility areas and to strengthen risk management across the SkyCity Group. This has been an ongoing effort as part of a multi-year transformation programme that commenced in 2021. Measures include:

• • Refreshing its board with specialist risk expertise directors;
  • Creating a dedicated Board Risk and Compliance Committee to oversee AML/CFT, host responsibility, risk, and other compliance obligations;
  • Creating a dedicated Board of Transformation Sub-Committee to oversee and monitor the transformation programme;
  • Adopting three lines of accountability control framework;
  • Appointing a Group Chief Risk Officer;
  • Significantly enhancing and investing in internal AML/CFT resourcing and capability, processes, and systems, including development of enhanced transactional monitoring capabilities; and
  • Continuing to increase capacity in financial crime, risk and compliance and host responsibility teams, rollout of staff training programmes for frontline staff and so on.

The measures that SkyCity implemented were either too late or did not go far enough to prevent the historical breaches of the AML/CFT regime during the relevant period (between 2018 and 2023). However, if and when they are fully implemented, they ought to make a significant difference going forward.

What this means for directors of reporting entities

The SkyCity’s settlements with the New Zealand and Australian AML/CFT regulators show that the consequences of non-compliance can be serious, including payment of hefty penalties and legal fees, costs to upgrade internal structures, systems and processes, reputational damage, drop in share price, loss of revenue and the risk of other regulators closing in.

The settlements should serve as timely reminders for directors to consider whether their systems and processes are up to date or require review.

Directors should ensure they don’t take too much comfort from the regulators’ inspections and any lack of follow-through. Instead, they should make sure they have robust processes in place, including regular audits conducted by external, independent auditors who specialise in AML/CFT audits.

As we noted recently, we predict a treadmill of further amendments to the Act and the AML/CFT regime over the next few years. The latest announcement has been made on 22 October 2024, in which the Associate Justice Minister Nicole McKee confirmed that the Cabinet had approved an AML/CFT reform work programme that would change the supervisor structure that monitors AML/CFT compliance and introduce a new funding model for the system.

Australia currently has the Austrac as a sole regulator, but in New Zealand, the Reserve Bank of NZ, Financial Markets Authority, and the DIA supervise different parts of the AML/CFT system. Under the proposal, the DIA would become the main supervisor for AML/CFT in New Zealand. 

To navigate these changes effectively and maintain compliance, it is crucial for directors of reporting entities to stay updated on the latest developments and seek advice where necessary.