Department of Internal Affairs v Qian DuoDuo Ltd
[2018] NZHC 1887
•27 July 2018
IN THE HIGH COURT OF NEW ZEALAND AUCKLAND REGISTRY
I TE KŌTI MATUA O AOTEAROA TĀMAKI MAKAURAU ROHE
CIV-2017-404-132
[2018] NZHC 1887
UNDER The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 BETWEEN
DEPARTMENT OF INTERNAL AFFAIRS
Plaintiff
AND
QIAN DUODUO LIMITED
Defendant
Hearing: 9-10 April 2018 Appearances:
D G Johnstone and T Hu for Plaintiff M Chen and V S Cress for Defendant
Judgment:
27 July 2018
JUDGMENT OF POWELL J
This judgment was delivered by me on 27 July 2018 at 4.00 pm pursuant to R 11.5 of the High Court Rules
Registrar/Deputy Registrar Date:
Solicitors/Counsel:
Meredith Connell, Auckland Chen Palmer, Auckland
DEPARTMENT OF INTERNAL AFFAIRS v QIAN DUODUO LIMITED [2018] NZHC 1887 [27 July 2018]
TABLE OF CONTENTS
Introduction 1
Approach to Determining Civil Pecuniary Penalties 11
The maximum pecuniary penalties available in this case 16
Approach to setting penalties 25
Seriousness of QDD’s Civil Liability Acts / Setting the Starting Point 32
The Nature and Extent of QDD’s Civil Liability Acts 37
Effect of QDD’s Civil Liability Acts on the integrity and reputation
of the New Zealand financial system 62
Discussion – Effect on New Zealand financial system 64
The Circumstances in which QDD’s Civil Liability Acts Occurred 69
What were the Relevant Circumstances? QDD and its relationship
with Starfish and the DIA 79
Discussion – Relevant Circumstances 127
Whether QDD has Previously Engaged in Similar Conduct 139
Discussion – Previous Engagement in Similar Conduct? 140
Conclusion – Seriousness of Civil Liability Acts / Calculation
of Starting Point 144
Aggravating and Mitigating Factors Personal to QDD 148
Discussion – Aggravating and Mitigating Factors 151
Admission of Liability and Cooperation 156
Discussion – Admission / Cooperation 160
Totality Considerations 164
Decision 167
Introduction
[1] The defendant Qian DuoDuo Ltd (“QDD”) is a registered financial service provider on the Financial Services Provider Register for the purposes of “changing foreign currency” and “operating a money or value transfer service”.1 Because it undertakes those activities QDD is a financial institution and a reporting entity for the purposes of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (“the AML Act”).2
[2] As a financial institution under the AML Act there is no dispute that QDD was required to undertake a wide range of anti-money laundering and countering financing of terrorism (“AML/CFT”) compliance activities. These included:
(a)appointing a compliance officer;3
(b)undertaking an assessment of the risk of money laundering and financing of terrorism expected to be faced in its business (“risk assessment”);4
(c)reviewing the risk assessment every two years or as requested to ensure it remains current, identifying any differences and make any changes necessary;5
(d)conducting customer due diligence (“CDD”) on customers, beneficial owners of customers, and any person acting on behalf of a customer;6
(e)conducting enhanced customer due diligence (“ECDD”) as required by s 22 of the Act, and in particular:
1 Financial Service Providers (Registration and Dispute Resolution) Act 2008.
2 Anti-Money Laundering and Countering Financing of Terrorism Act 2009, s 5 definition of financial institutions at (a)(iv) and (xiii).
3 Anti-Money Laundering and Countering Financing of Terrorism Act 2009, Section 56.
4 Section 58.
5 Section 59.
6 Section 11.
(i)where transactions were complex or unusually large in accordance with ss 23 and 24;7 and
(ii)in relation to wire transfers in accordance with ss 27 and 28,8
(f)carrying out ongoing CDD and account monitoring of every business relationship defined in s 5 of the Act as “… a business, professional, or commercial relationship between a reporting entity and a customer that has an element of duration or that is expected by the reporting entity, at the time when contact is established, to have an element of duration” in order to ensure the business relationship and transactions relating to it are consistent with the reporting entities knowledge about the customer and to identify any grounds for reporting a suspicious activity;9 and
(g)maintaining records in respect of every transaction so that transactions can be readily reconstructed for a period of at least five years after the completion of the transaction.10
[3] Although QDD appointed its director and sole shareholder Ye (Cathay) Hua as its compliance officer, and there is no dispute that no less than three risk assessments were completed, an investigation carried out by the Department of Internal Affairs (“the DIA”)11 from early 2015 established that QDD had breached its obligations under the AML Act in the following respects:
(a)Failures in respect of risk assessments (First Cause of Action) – the risk assessments carried out by QDD on 3 June 2013 (“First Risk Assessment”), 17 April 2014 (“Updated Risk Assessment”) and in May 2015 (“Second Risk Assessment”) did not accurately record the nature of QDD’s money remittance business including its business relationships, and in particular its relationship with six money remitters
7 Section 22(1)(c).
8 Section 22(3).
9 Section 31(2).
10 Section 49.
11 Pursuant to s 130(1)(c), the DIA is the AML/CFT supervisor charged with enforcing compliance with the AML Act.
(“the six money remitters”),12 and thereby failed to accurately identify the type of risks involved in QDD’s money remittance operations.
(b)Failure to undertake ECDD (Second Cause of Action) – QDD did not carry out ECDD notwithstanding that between 9 September 2014 and 12 May 2015 (“the relevant period”):
(i)it carried out 796 large or complex transactions with a total value of $120,701,467.59; and
(ii)it carried out 1,088 wire transfers with a total value of
$94,763,399.40.
(c)Failure to undertake ongoing CDD and account monitoring (Third Cause of Action) – QDD did not undertake ongoing CDD and account monitoring between the relevant period with a result that:
(i)1327 transactions totalling $136,172,825.78 were not subjected to adequate scrutiny via account monitoring or ongoing CDD;
(ii)QDD did not develop any reliable information relating to the business and risk profile of each of the six money remitters; and
(iii)QDD did not act in such a way as would have enabled it to identify any grounds for reporting suspicious transactions conducted by the six money remitters, as is contemplated by s 31(2)(b).
(d)Failure to keep adequate records (Fourth Cause of Action) – QDD did not keep adequate records in respect of the “bulk” of the 1,327 transactions during the relevant period, and the records that were kept:
12 Being DP International Finance Ltd, Mr Xiaolan Xiao and/or Ping An Finance (Group) New Zealand Co Ltd, Forex Brokers Ltd, Broadtrust Group Ltd, 21st Century International Ltd and Lan’s Enterprise Ltd.
(i)failed to reflect the parties to the transaction: in many cases, the transaction records kept by QDD only reflected either the identity of the party who paid the funds to QDD, or the identity of the party who QDD paid the funds to;
(ii)failed to reflect the nature of the transaction; and
(iii)failed to identify any person on whose behalf the transaction was made, or any beneficiary to the transaction.
[4] Although generally cooperative with the DIA investigation, QDD “inaccurately represented” the nature of its relationship with the six money remitters through the provision of third party agreements and training logs which were not only incorrectly dated but which suggested that QDD had “principal/agent” relationship with the six money remitters.
[5] As a result of the investigation the DIA has brought the present civil proceedings against QDD in which it has sought a “civil pecuniary penalty” in respect of each of the four breaches of QDD’s duties under the AML Act identified above, with each of the causes of action constituting a “civil liability act” in terms of s 78 of the Act.
[6] Following negotiations between the parties QDD admitted the causes of action pleaded by the DIA in the amended statement of claim, with the details as to what has been agreed set out in a detailed and comprehensive statement of agreed facts subsequently agreed by the parties which relevantly acknowledged that while the conduct of QDD had resulted in widespread breaches of the AML Act:
(a)no money laundering or financing of terrorism has been shown or is alleged to have actually occurred through QDD;
(b)QDD did not deliberately intend to breach the Act; and
(c)QDD misunderstood the definition of a wire transfer and accordingly its obligations under the Act.
[7] The hearing before me therefore proceeded in order to determine the appropriate penalty for the civil liability acts committed by QDD. Notwithstanding the statement of agreed facts, a number of issues remained in dispute including:
(a)the extent to which QDD was able to rely on the advice its AML/CFT consultants, Starfish Consulting Ltd (“Starfish”), and/or the DIA with regard to its AML/CFT compliance;
(b)the extent to which communication difficulties caused by Ms Hua’s poor English were relevant to the QDD’s AML/CFT compliance issues;
(c)the extent to which QDD’s liability was affected by the conduct of the DIA in undertaking its investigation; and
(d)whether and to what extent to which QDD mislead the DIA in relation to its relationship with the six money remitters.
[8] These issues formed the primary focus of the hearing before me, with three witnesses cross-examined on affidavits previously filed with the Court. For the DIA Robert Milnes and Claire Piper were cross-examined, followed by Ms Hua on behalf of QDD. Mr Milnes, a senior compliance officer who undertook the investigation of QDD on behalf of the DIA, was cross-examined in particular on his conduct of the investigation and his appreciation of Ms Hua’s English language skills. Ms Piper, an AML/CFT consultant, had provided AML/CFT consulting services to QDD on behalf of Starfish between September 2014 and July 2015, including drafting the Second Risk Assessment, third-party agreements with the six money remitters and assisting QDD in the initial phases of the DIA investigation. Both Mr Milnes and Ms Piper were primarily responding to Ms Hua’s evidence that QDD had relied on Starfish for AML/CFT compliance and QDD had been prejudiced by the way in which the DIA investigation proceeded.
[9] The issue for this Court is to determine the appropriate penalty for the civil liability acts committed by QDD, taking into account relevant aggravating and mitigating factors including those matters raised by both the DIA and QDD.
[10] The DIA seeks a civil pecuniary penalty in the sum of $2,496,000, with QDD submitting an appropriate penalty should be no more than $500,000.
Approach to Determining Civil Pecuniary Penalties
[11] As this Court noted in Department of Internal Affairs v Ping An Finance (Group) New Zealand Co Ltd (“Ping An”) the AML Act is the principal regulatory legislation governing its field and imposes onerous duties upon reporting entities in an effort to detect and deter money laundering and the financing of terrorism.13 The express statutory purposes are:14
(a)to detect and deter money laundering and the financing of terrorism;
(b)to maintain and enhance New Zealand’s international reputation by adopting, where appropriate in the New Zealand context, recommendations issued by the Financial Action Task Force; and
(c)to contribute to public confidence in the financial system.
[12] Part 3 of the AML Act provides both a civil and a criminal enforcement regime for non-compliance with the Act’s requirements.
[13] Several civil enforcement mechanisms are available to the relevant AML/CFT supervisors under subpart 2. On the application of a supervisor such as the DIA in this case, the High Court may grant a performance injunction,15 a restraining injunction,16 or order that a person pay a pecuniary penalty.17 Powers available to the relevant supervisor include issuing a formal warning18 or accepting an enforceable written undertaking.19
13 Department of Internal Affairs v Ping An Finance (Group) New Zealand Co Ltd [2017] NZHC 2363 [2018] 2 NZLR 552 [Ping An] at [17] and [23] - [25].
14 Anti-Money Laundering and Countering Financing of Terrorism Act 2009, s 3(1).
15 Section 85(1).
16 Section 87(1).
17 Section 90(1).
18 Section 80.
19 Section 81.
[14] The Court may order a pecuniary penalty under s 90 if it is satisfied that the reporting entity has engaged in conduct that constitutes a “civil liability act” as defined in s 78:20
78 Meaning of civil liability act
In this Part, a civil liability act occurs when a reporting entity fails to comply with any of the AML/CFT requirements, including, without limitation, when the reporting entity—
(a)fails to conduct customer due diligence as required by subpart 1 of Part 2:
(b)fails to adequately monitor accounts and transactions:
(c)enters into or continues a business relationship with a person who does not produce or provide satisfactory evidence of the person’s identity:
(d)enters into or continues a correspondent banking relationship with a shell bank:
(e)fails to keep records in accordance with the requirements of subpart 3 of Part 2:
(f)fails to establish, implement, or maintain an AML/CFT programme:
(g)fails to ensure that its branches and subsidiaries comply with the relevant AML/CFT requirements.
[15] The maximum pecuniary penalties available in the civil jurisdiction for civil liability acts (as opposed to fines upon conviction for knowing or reckless civil liability acts)21 are prescribed by ss 90(2) and (3), while s 90(4) identifies the factors to which the Court must have regard in determining the appropriate pecuniary penalty. The standard of proof in proceedings for a civil penalty is that applicable in civil proceedings; namely, on the balance of probabilities.
The maximum pecuniary penalties available in this case
[16] There is no dispute that a maximum pecuniary penalty is specified for three of the four civil liability acts at issue. The failure to undertake ECDD is provided for in
20 On 1 July 2017, a new subsection (da) was inserted by the Anti-Money Laundering and Countering Financing of Terrorism Amendment Act 2015.
21 Anti-Money Laundering and Countering Financing of Terrorism Act 2009, s 91.
s 78(a), the failure to undertake ongoing CDD and account monitoring in s 78(b), and the failure to keep adequate records in s 78(e), with the maximum penalties for body corporates like QDD fixed at $2 million, $1 million and $2 million respectively.22
[17] The situation is different with regard to QDD’s failures in respect of the risk assessments. While clearly a civil liability act, because it is not specifically mentioned in s 78 no maximum penalty is provided for in s 90(2)(b) or (3)(b). A similar issue arose in Ping An with regard to the civil liability act for failing to report a suspicious transaction. Toogood J observed:23
There can be no doubt that Parliament intended by s 90(1) that the Court should have the power to impose a pecuniary penalty for a civil liability act occurring when a reporting entity fails to comply with an unspecified AML/CFT requirement.24 What is highly unlikely, however, is that Parliament intended that the Court’s power should be unlimited, and it is difficult to see how the purposes of the Act would be served by reading the section in that way. The usual legislative approach where particular types of offending are included in a general offence provision is to provide maximum penalties for specified offences and a maximum to apply “in any other case”.25 The omission of a similar approach here is surprising. It is made all the more curious by the recent insertion of s 78(da)26 which adds to the list of specified civil liability acts the failure to report transactions in accordance with subpart 2A of Part 2 (dealing with the reporting of prescribed transactions as defined in s 5). By virtue of s 90(3)27, that civil liability act carries a maximum penalty of $2 million.
It may be, as Mr Johnstone suggests, that the omission is merely an oversight by the framers of the Act but, whatever the reason, the Court must adopt a principled approach to addressing it. Although the circumstances are different from those which confronted the Court of Appeal in the Northland Milk case, I consider on the basis of what that Court did there that this Court is required to take a practical approach which accords best with the legislative intention so far as it may be ascertained from the stated statutory purposes and from relevant provisions of the Act.28
22 Section 90(2)(b) and (3)(b).
23 Ping An, above n 15, at [82]-[83].
24 Section 78 provides that a civil liability act occurs when a reporting entity fails to comply with
any of the AML/CFT requirements.
25 See, for example, the Wildlife Act 1953, ss 56(5) and 65(3); the Fisheries Act 1996, s 186B(8); and the Crimes Act 1961, ss 310 and 311.
26 Anti-Money Laundering and Countering Financing of Terrorism Amendment Act 2017, s 11.
27 As amended by the Anti-Money Laundering and Countering Financing of Terrorism Amendment Act 2017, s 12.
28 Northland Milk Vendors Association Inc v Northern Milk Ltd [1988] 1 NZLR 530 (CA) at 537- 538.
[18]As a result Toogood J went on:29
Where the penalty for a civil liability act does not have a specified maximum, the Court should consider the extent to which the particular compliance failure undermines the statutory purposes and what would be an appropriate response. In the present case, the purposes of detecting and deterring money laundering and the financing of terrorism, and contributing to public confidence in the financial system,30 call for stern penalties for failures to comply with a fundamentally important requirement such as reporting suspicious transactions. That indicates that, if Parliament had enacted a maximum penalty, it would have been equivalent to the highest maxima provided by the Act.
I consider that a principled approach is to consider the nature and importance of an unspecified civil liability act in comparison to the nature and importance of the specified acts. Applying that approach to the failure of Ping An to comply with its obligation to report suspicious transactions, the higher maximum penalties provided in s 90(3) are the most appropriate guide. First, a failure to report suspicious transactions is as serious a failure to comply with the AML/CFT requirements as failing to conduct customer due diligence, failing to keep records, and failing to establish, implement or maintain an AML/CFT programme for each of which the prescribed maximum penalty is
$2 million. Second, it is clear that Parliament shares that view: s 92 of the Act provides that it is an offence to fail to report a suspicious transaction, the penalty for which, in the case of a body corporate, is a fine of up to $5 million.
[19] With reference to these principles it was Mr Johnstone’s submission that the civil pecuniary penalty for the failures in respect of the risk assessment “should be treated as in the order of $2 million”. In Mr Johnstone’s submission:
This particular compliance failure is fundamental: the risk assessment guides a reporting entity’s business practices. If the underlying risk assessment is incorrect, then whatever practices the assessment recommends, even if those practices are in fact carried out, are unlikely to mitigate properly the risk of harm flowing from that reporting entity’s business.
CDD is a fundamental obligation under the Act – sufficiently so, that Parliament has mandated that the maximum penalty for failing to conduct CDD as required by subpart 1 of Part 2 carries a higher maximum penalty of
$2 million. However, if the reporting entity’s ability to carry out the correct level of CDD obligations hinges almost entirely on undertaking the risk assessment correctly, then failure in relation to the underlying risk assessment should be seen as being equally egregious, if not more so, than compliance failures relating to CDD. Accordingly, the Department submits that, as a practical guideline, the maximum penalty for a failure to comply with s 58 should be treated as in the order of $2 million.
For all four civil liability acts, the notional total maximum penalty available is $7 million.
29 Ping An, above n 15, at [84]-[85] (footnotes omitted).
30 Anti Money Laundering and Countering Financing of Terrorism Act, ss 3(1)(a) and (b).
[20] Conversely Ms Chen submitted that Toogood J had “erred in law” in concluding that the requirement to report a suspicious transaction “would have been equivalent to the highest maxima provided by the Act”, and noted that outside of the civil pecuniary penalty regime failing to report a suspicious transaction was an offence for which a maximum penalty for a corporation was $5 million. In Ms Chen’s submission:
If the Court considers that a maximum penalty must be set because statutory silence must be interpreted as a gap the courts must fill, then a careful and conservative approach ought to be taken to the interpretation of statutory provisions that impose substantial penalties.
[21] There can be, as noted, no dispute that the failures in respect of the risk assessments are civil liability acts pursuant to s 78. In such circumstances, as Toogood J noted, s 90(1) of the Act makes it clear that this Court has jurisdiction to impose a pecuniary penalty for such an Act. I likewise agree with Toogood J that it is “highly unlikely … that Parliament intended that the Court’s power be unlimited” and that it is therefore desirable to identify a maximum penalty in line with the other civil liability acts for which a pecuniary penalty has been fixed in s 90(2) and (3). Furthermore unless a maximum penalty is specified it makes the subsequent task of assessing the conduct against the worst type of conduct difficult if not impossible as it does calculating the totality of the civil liability acts as I am required to do.
[22] Likewise, while failures in respect of risk assessments do not give rise to a specific criminal offence under the AML Act, in the event that this type of civil liability act was the result of conduct engaged in knowingly or recklessly,31 the maximum penalty for a body corporate is a fine of up to $5 million.32
[23] As a result I agree with Mr Johnstone that the obligation to undertake and periodically update risk assessments is fundamental to the operation of the Act and therefore clearly falls at the higher band of the pecuniary penalty regime, having more in common with the civil liability acts for which the $2 million pecuniary penalty has been specified, than those for which the maximum is $1 million. I therefore adopt a
31 Section 91.
32 Section 100(b).
maximum pecuniary penalty of $2 million for the failures in respect of the risk assessments.
[24]Accordingly in the present case QDD faces a maximum pecuniary penalty of
$7 million made up as follows:
(a)failures in respect of risk assessments – $2 million;
(b)failure to undertake ECDD – $2 million;
(c)failure to undertake ongoing CDD and account monitoring –
$1 million; and
(d)failure to keep adequate records – $2 million.
Approach to setting penalties
[25] Having identified the maximum penalties, I broadly adopt the approach utilised by Toogood J in Ping An based on the approach taken under the equivalent provisions in the Commence Act, but “tailored for the scheme of the … Act”. This requires:33
(a)Assessing the seriousness of the civil liability acts to select a starting point based on the seriousness of the non-compliance and the aggravating and mitigating factors relating to it.
(b)Next, considering aggravating and mitigating factors relating to the circumstances of the reporting entity, to determine whether these warrant imposition of a higher or lower penalty.
(c)Next, deducting from the starting point to reflect any admission of liability and/or co-operation with the authorities, especially in relation to others who have breached the Act.
33 Ping An, above n 15, at [88].
(d)Finally, taking into account totality considerations by looking at the number of separate breaches, ensuring there is no overlap between the penalties imposed for difference types of non-compliance, and considering whether the total penalty imposed fairly and adequately reflects the overall extent of non-compliance.
[26] With regards to the analysis necessary at the first stage in particular, s 90(4) of the AML Act outlines the considerations to which the Court must have regard in determining the appropriate pecuniary penalty:
(4)In determining an appropriate pecuniary penalty, the court must have regard to all relevant matters, including—
(a)the nature and extent of the civil liability act; and
(b)the likelihood, nature, and extent of any damage to the integrity or reputation of New Zealand’s financial system because of the civil liability act; and
(c)the circumstances in which the civil liability act occurred; and
(d)whether the person has previously been found by the court in proceedings under this Act to have engaged in any similar conduct.
[27] The DIA also submits that in addition to the four considerations specified, other relevant matters for consideration in the present case are:34
(a)the degree to which the conduct was initiated or condoned by officers or senior management within QDD;
(b)what steps were taken by QDD to ensure compliance with the Act, including formal policies and steps taken to educate its officers and employees; and
34 These were some of the relevant considerations taken into account by Logan J in the Federal Court of Australia in Australian Communications and Media Authority v Mobilegate Ltd (No 4) [2009] FCA 1225, (2009) 180 FCR 467 at [27] – [28], used in New Zealand in the pecuniary penalty context in Carter Holt Harvey Building Products Group Ltd v Commerce Commission (2001) 10 TCLR 247 (CA) at [46], and reflected in Telecom Corporation of New Zealand Ltd v Commerce Commission [2012] NZCA 344 at [13].
(c)whether there has been full and frank disclosure and cooperation with the DIA.
[28] While these factors are clearly relevant each stands to be considered within the framework set out in [25] and [26] above. Additional factors (a) and (b) above stand to be considered as part of the circumstances in which the civil liability acts were committed, in terms of s 90(4)(c) of the AML Act. This assumes significance as part of the first step, while the issue at (c) above will be addressed in terms of the aggravating and mitigating factors in the second step of the analysis.
[29] Similarly, as Toogood J recognised Ping An, while an overall assessment of totality is a useful final step of the analysis, s 74 of the AML Act means that totality issues are also required to be considered in the first step. Section 74(2) provides:
If a person is or may be liable to more than 1 civil penalty under this Part in respect of the same or substantially the same conduct, civil penalty proceedings may be brought against the person for more than 1 civil penalty, but the person may not be required to pay more than 1 civil penalty in respect of the same or substantially the same conduct.
[30] For example, while the DIA can bring proceedings for more than one civil penalty act, a reporting entity like QDD cannot be required “to pay more than [one] civil penalty in respect of the same or substantially the same conduct”. I am therefore satisfied the analysis of the seriousness of the civil liability acts in question requires an analysis as to whether there is an overlap between those civil liability acts, as part of the final step before the starting points are finalised, in order to avoid imposing a pecuniary penalty more than once for the same or substantially the same conduct. In Ping An Toogood J concluded the Court should “avoid penalising the reporting entity twice for what is essentially one type of default”,35 but on the facts concluded that while there was a degree of overlap and non-compliance, the particular conduct relied upon by the DIA in that case was discrete.36
35 At [110].
36 At [112].
[31] More broadly with regard to the purpose of pecuniary penalties Toogood J noted:37
In this case, the civil liability acts requiring the imposition of a penalty fall into several different categories, and there are a large number of separate compliance failures within each category. The proof of non-compliance under several separate causes of action necessitates the imposition of separate penalties for each category, reflecting the nature of the breaches within that category. That approach also provides comparability with other cases in which non-compliance may be established in only one category or in a different combination of categories. In the absence of decisions in other cases to provide guidance about what is reasonable, the maximum penalties for each category assume some importance.
It is important to recognise also that, while providing a broad framework, the analogy with the criminal sentencing process has its limitations. The application of a totality principle in determining appropriate pecuniary penalties for a number of different types of civil liability act cannot easily adopt the approach used in sentencing for criminal cases where an offender is sentenced to imprisonment for multiple offending. There the approach is to take the most serious of the offences and set an appropriate starting point based on the nature and circumstances of that offending. To that sentence, an uplift is applied to recognise the scale of the other offending and to reflect the seriousness of the offending overall. When it comes to imposing individual sentences for the each of the offences for which convictions have been entered, the sentence for the lead offence will usually be imprisonment for the term which has been determined to reflect the overall offending and the sentences for the other offences will be concurrent terms of imprisonment reflective of the seriousness of that particular offending.
An approach using concurrent terms of imprisonment is not readily adaptable to the assessment of pecuniary penalties where the financial penalties imposed for each civil liability act are necessarily cumulative. That suggests that the need to moderate the imposition of penalties on a basis which fairly and reasonably recognises the totality of the compliance failures may require a preliminary assessment of individual penalties, followed by an appropriate adjustment to each once the cumulative result of the preliminary determinations is known.
Another factor requiring caution in applying criminal sentencing principles is that the overriding objective of a pecuniary penalty is deterrence, including of other persons who might be tempted to breach the Act. Deterrence is only one of the relevant principles and purposes of sentencing, and not necessarily the primary consideration. Deterrence is achievable only if the penalties address the financial gain or incentive that was, or could reasonably have been, obtained from the breach of the Act. While AML/CFT supervisory investigations can unearth contraventions committed by both corporations and individuals, the costs associated with such efforts consume public resources which could be directed to achieve other ends. With that in mind, pecuniary penalties must “deter the unscrupulous from taking a calculated business risk” and their significance must be such that, “having regard to particular gains
37 At [89]-[94] (footnotes omitted).
which might be involved, it is in effect commercial suicide to seek those gains via contraventions”.
Pecuniary penalties are also intended to denounce misconduct. As the Law Commission said in its 2014 Report on Pecuniary Penalties:
Pecuniary penalties are primarily concerned with deterring illegal conduct. In general, it can be said that they differ from many criminal offences in this respect because, while the criminal law aims to deter, its greatest emphasis is generally on denunciation. However, this does not mean that pecuniary penalties have no denunciatory impact or purpose. Pecuniary penalties deter by the threat of punishment. They single out a person or entity as having breached the law and inflict a negative consequence. Their purpose is also therefore both deterrent and denunciatory.
For these reasons, the potential penalties under the Act are severe.
Seriousness of QDD’s Civil Liability Acts / Setting the Starting Point
[32] Overall, Mr Johnstone characterises QDD’s conduct as significant (though not complete) failures resulting from superficial, half-hearted compliance with the AML/CFT Act. In his submission it represents an attempt to do the minimum necessary to create the appearance of compliance, without actually complying.
[33] Mr Johnstone accepts QDD did not “deliberately intend” to breach the AML/CFT Act. However he submits that when all of the defaults are considered together, QDD was grossly negligent in respect of its legal obligations, if not reckless.
[34]Overall the DIA seeks a starting point of $2.6 million made up as follows:
(a)$900,000 (or 45 per cent of the maximum penalty) for failures in respect of risk assessments.
(b)$800,000 (or 40 per cent of the maximum penalty) for failure to undertake ECDD.
(c)$300,000 (or 30 per cent of the maximum penalty) for failure to undertake ongoing CDD and account monitoring, bearing in mind that QDD’s default in this respect flowed from its failure to identify the six money remitters as customers in the risk assessments.
(d)$600,000 (or 30 per cent of the maximum penalty) for failure to keep adequate records.
[35] In contrast Ms Chen characterises QDD’s behaviour as substantially less serious than that considered by Toogood J in Ping An. In her submission this is a case about the adequacy of QDD’s compliance only. Ms Chen emphasises that no money laundering or financing of terrorism has been shown or alleged to have occurred, QDD did not deliberately or intend to breach the AML Act, admitted the majority of the causes of action and cooperated with the DIA. She also submits there is substantial overlap between the second, third and fourth causes of action, and to the extent all civil liability acts flowed from the risk assessments in all causes of action.
[36] Ms Chen submits a starting point of $2.6 million is manifestly excessive with regard to the nature and seriousness of QDD’s civil liability acts. In all of the circumstances, she submits $1 million better reflects what occurred.
The Nature and Extent of QDD’s Civil Liability Acts
[37] There can be no doubt that on their face, the four civil liability acts accepted by QDD and detailed in the agreed statement of facts are serious and represent a significant degree of non-compliance with its AML/CFT obligations on the money remittance side of its business. As set out in the statement of agreed facts:
Risk assessments
The deficiencies in the Risk Assessments led to other admitted failures and contraventions during the relevant period.
During the relevant period the Risk Assessments were insufficient to enable QDD to identify its risks and therefore to adequately manage its risks by having processes that provided:
(a)sufficient operational capacity; and
(b)sufficient management oversight.
The presentation of the “third party agreements” to the Department was misleading, and misrepresented the reality of QDD’s relationships with the Six Money Remitters.
…
ECDD obligations
These contraventions involved a significant number of transactions that were unusually large or complex that QDD ought to have exercised special care and diligence in carrying out CDD.
Because of QDD’s failure to carry out ECDD as required, over $100m was moved through QDD when it did not know the source of those funds.
…
Wire transfer ECDD obligations
Because of QDD’s failure to carry out ECDD as required in respect of its wire transfers, almost $95m was moved electronically from China into New Zealand through QDD when it did not know enough information to trace the transactions back to the originator.
…
Account monitoring
Because of QDD’s failure to monitor accounts and perform ongoing CDD it was unable to identify any grounds for reporting suspicious transactions conducted by the six money remitters.
The breaches arose in circumstances where QDD did not deliberately intend to breach the Act.
Record keeping
The failure to keep records:
(a)significantly hinders the ability of the Department and other regulators to readily reconstruct each transaction carried out by QDD at any time;
(b)has actually hindered the ability of the Department to identify and reconstruct the transactions carried out by QDD, causing the Department to incur significant effort to identify how many transactions QDD carried out during the relevant period, and the parties to those transactions; and
(c)in some cases, the records kept by QDD were so poor that the Department has been unable to accurately reconstruct the entire transaction.
[38] Taken together the civil liability acts demonstrate an overall failure of QDD to comply with the AML/CFT regime whether at the overall level of risk analysis or at the level of individual transactions, and in particular in so far as it failed to record accurately its relationship with the six money remitters.
[39] These failures translated through to a significant number of transactions involving very large sums of money.
[40] However, in reaching a conclusion as to the nature and extent of the civil liability acts as I am required to do, six matters are particularly relevant.
[41] First, I note that in Ping An Toogood J recorded that Ping An had prepared documents concerning its obligations under the AML Act which amongst other things outlined “the Act’s requirements regarding CDD, reviewing transactions and record keeping”.38 In Toogood J’s view:39
That indicates Ping An was aware of its obligations. I infer that its non- compliance amounted to a calculated and contentious disregard for the AML/CFT requirements. That is a seriously aggravating feature of non- compliance.
[42] With respect to Toogood J, I do not draw the same conclusion with regard to the documents filed by QDD in respect of its obligations under the AML Act. Those documents and the extent to which QDD attempted to comply with its obligations under the AML Act are more appropriately considered in relation to the circumstances in which QDD’s civil liability acts occurred.40 Generally however, given the DIA specifically accepts that each of QDD’s civil liability acts arose in circumstances where QDD did not deliberately intend to breach the Act, I do not accept that the mere fact of filing documents either indicates QDD was aware of its obligations under the AML Act or that “its non-compliance amounted to a calculated and contentious disregard for the AML/CFT requirements”.
[43] Secondly, Mr Johnstone has submitted that notwithstanding the lack of intention on the part of QDD the civil liability acts were at the higher end of
38 At [106].
39 At [106].
40 See [69] – [138] below.
seriousness. This is because if the civil liability acts had been the result of intentional or reckless conduct on the part of QDD then QDD would have been subject to criminal prosecution in terms of s 91 of the AML Act, and not just liable for the pecuniary penalties. While Mr Johnstone’s submission is correct to a point, the DIA is not required to prosecute knowing or reckless breaches of civil liability acts as criminal offences even where the conduct is arguably intentional or reckless. And given there is a lower standard of proof required for establishing civil liability acts, the DIA may prefer to bring proceedings for civil penalties even where knowledge and/or recklessness is present. In addition the AML Act specifically provides for civil proceedings to continue once a criminal proceeding has been completed, with the only restriction being that a second penalty cannot be imposed for the same course of conduct. As a result it is likely that the upper range of pecuniary penalties that will be imposed will be in respect of intentional or reckless conduct notwithstanding the availability of criminal liability. I am therefore satisfied that far more serious examples of civil liability acts can be envisaged, and the fact QDD did not intend to breach the AML Act is therefore relevant to any assessment of the seriousness of the civil liability acts.
[44] Thirdly, in terms of the nature of the civil liability acts and in particular the failure to undertake ECDD, is the acknowledgment recorded in the statement of agreed facts that QDD “misunderstood the definition of a “wire transfer”, and accordingly its obligations under the Act”. While ignorance of the law is not generally a mitigating factor, it is clear that the definition of wire transfer used in the AML Act is considerably wider than what would normally be understood:41
wire transfer—
(a)means a transaction carried out on behalf of a person (the originator) through a reporting entity by electronic means with a view to making an amount of money available to a beneficiary (who may also be the originator) at another reporting entity
…
41 Anti-Money Laundering and Countering Financing of Terrorism Act 2009, s 5.
[45] As Mr Milnes explained in cross-examination, the definition does not require any money to be transferred electronically, but rather if any part of the transaction was organised electronically and then it is a wire transfer. In QDD’s case many of the transactions that are the subject of the civil liability acts were organised utilising different electronic media including WeChat and/or Skype, and are therefore caught as wire transfers subject to ECDD in terms of the AML/CFT regime.
[46] Fourth, there appears to have been a genuine uncertainty in the AML/CFT regime with regard to who bears the obligation to complete CDD in transactions where other reporting entities have the direct contact with the end customer. The issue in so far as it related to QDD was articulated by its then solicitor, Gary Hughes of Wilson Harle, in the following terms:
3.The DIA’s primary concern is said to arise from “the AML/CFT procedures and practices that QDD has utilised within commercial relationships it has with a number of other New Zealand based money remitters …”
4.It might be helpful to immediately clarify that:
(a)QDD now only deals with one of those entities (DP);
(b)QDD only offered those services to third parties because they came to QDD and sought assistance as a direct result of having their bank accounts closed or restricted by mainstream banks. While QDD has been able to retain banking facilities, widespread de-banking of remitters has handicapped many others, despite the RBNZ's public statement on this issue.
5.Since the AML/CFT Act came into force, there have been differing views over whose obligation it is to complete CDD in transactions where other reporting entities have the direct contact with the end customer. Initially, like many other entities, QDD considered that only the money remitters themselves were QDD’s customers and not the customers of those customers. QDD’s original 2014 Risk Assessment (“RA”) and Compliance Programme (“CP”), prepared with the assistance of external consultants, did not therefore refer to these money remitters as agents and nor did those documents refer to those remitters’ customers as beneficial owners, on the basis that the services that QDD was providing were on behalf of those customers. QDD acted responsibly by employing external consultants to assist it to prepare this risk assessment and compliance programme. Further, an onsite inspection of QDD’s operations by the DIA in May 2014 described the risk assessment as adequately defining the nature, size and complexity of QDD’s, business, whilst recording that transactions with third party money remitters were occurring …
6.AML Solutions then completed an independent audit in September 2014 which highlighted that the third party agreement with DP in effect at that time needed to be improved. The audit did not record that the risk assessment was inadequate in any way.
7.Following AML Solutions’ audit and criticism of the third party agreement with DP, QDD made attempts to improve this area of its business. External consultants advised QDD that one way of ensuring the necessary COD took place was to enter into agency arrangements with the third party money remitters. Under these agreements, the third party agreed to onboard customers and undertake the CDD that QDD was required to complete under the Act on QDD’s behalf. Legal advice was not obtained regarding the legal status of the relationships or the draft “agency agreements”. The agency agreements were entered into to meet QDD’s obligations (as it understood them at the time) to perform CDD where it was paying a third party money remitter’s end customer directly. The consultant’s view appeared to proceed on the basis that QDD’s obligation to conduct CDD only arose in relation to customers and their directors and so forth, but not in relation to person’s on whose behalf a transaction was conducted or “Powbatics”.
8.There is an argument that this interpretation of the Act is correct, and that the only CDD obligations arising for QDD are in respect of the third party money remitter, unless it has direct contact with the money remitter’s customer, when that customer also becomes a customer of QDD. On this basis, QDD would be obliged to conduct CDD on the third party money remitters as its customers but no further CDD obligation would arise. That was QDD’s understanding at the time.
9.However, the Ministry of Justice and AML/CFT supervisors have interpreted the definition of “beneficial owner” in the Act to include, as a separate category of beneficial owner, people on whose behalf a transaction is being conducted or “Powbatics”. Now that QDD has been made aware of and understands this issue (which was still under consultation during the relevant period), QDD will operate according to the more recent guidance. We note that the ambiguity in the Act remains a live issue, and ultimately only a Court can confirm the correct interpretation.
10.Consistently with this understanding, during the period under investigation, QDD differentiated between transactions on the basis that its obligations to conduct CDD on the end customer only arose if QDD was dealing directly with the end customer but not where QDD was only dealing with the third party entity. Where QDD paid money out to the third party money remitters rather than directly to the customer of the third party entities, QDD treated those transactions as institutional. As the third party money remitters with whom QDD was transacting were all reporting entities with obligations to conduct CDD on their own customers, AML/CFT risk should have been adequately addressed (as the new class exemption for specified managing intermediaries recognises …).
11.A complicating factor is that the wording of the agency agreements was confusing because it appeared to suggest that the end customers
could not also be the third party money remitters’ customer. This may help to explain the confusion that your letter refers to around the third party money remitters’ understanding of the arrangements with QDD in relation to who was whose customer and what obligations each party had.
12.Since the preparation of QDD’s new risk assessment and compliance programme in May 2015, the class exemption in relation to managing intermediaries has come into force. The background papers to this exemption demonstrate that QDD and the third parties it entered into agreements with were not alone in their confusion over the extent of their CDD obligations. Indeed, the information sheet accompanying the exemption notice acknowledges that the current drafting of the definition of beneficial owner in the Act is ambiguous. We understand that QDD was not aware of and did not participate in the consultation over the exemption and nor was it aware of the background papers at the time.
13.The primary purpose of the class exemptions is expressed in the information sheet accompanying them as being “to reduce the compliance burden from multiple reporting entities in a chain of transactions having the same CDD obligations.” The information sheet also states that the exemption will ensure that the CDD obligations fall on the reporting entity best placed to identify the customer and its beneficial owners in any situation.
14.DP would fall within the definition of “specified managing intermediary” in the exemption notice, being a financial institution to which the AML/CFT Act applies. As long as QDD complies with the conditions set out in the exemption, QDD would no longer be required to conduct CDD on DP’s Powbatics. For QDD, this means that, once it has received written confirmation of the matters required by the exemption notice, it only needs to conduct CDD on the specified managing intermediaries themselves (DP) and any beneficial owners other than Powbatics.
15.Further assistance has been provided in the preparation of this response by the DIA’s most recent newsletter and the guidance material for informal money remitters which help to clarify the regulator’s approach to how the wire transfer provisions apply to a business like QDD’s.
~ 1
[47] The issue arises as a result of the definition of “beneficial owner” contained in s 5 of the Act:
beneficial owner means the individual who—
(a)has effective control of a customer or person on whose behalf a transaction is conducted; or
(b)owns a prescribed threshold of the customer or person on whose behalf a transaction is conducted
[48] As is recorded both in the Wilson Harle letter and the information sheet put out by the DIA referred to in the letter, which explained the managing intermediaries’ excemption (“the information sheet”), since the Act came into force there has been confusion about what the phrase “person on whose behalf a transaction is conducted (or “Powbatic”) means.
[49]The information sheet explains the Powbatic concept and its intended meaning:
It is intended to ensure reporting entities can identify who is behind a transaction … [and] focuses on individuals that are central to a transaction being conducted even where the transaction has been deliberately structured to avoid control or ownership of the customer but to retain the benefit of the transaction.
[50] But as the information sheet notes, difficulties with the definition have been highlighted by reporting entities, and the “current drafting is ambiguous”. Indeed as early as 2013 the Financial Markets Authority (“FMA”) published an initial consultation paper outlining the practical implications of this definition of beneficial owner in the managing intermediaries’ context. As explained in the information sheet that paper highlighted that:
… where there is a chain of financial institutions/schemes involved in providing a service to an underlying client (the customers of a customer and/or the natural persons who are the end customers), an underlying client may be the ‘natural person on whose behalf a transaction is conducted’ and therefore a ‘beneficial owner’. This means that all reporting entities in a chain of managing intermediaries will be obliged to determine whether such beneficial owners (who could be ‘central to the transaction’) exist and do CDD on those people, despite not meeting the threshold for actual or legal control or ownership.
[51] The information sheet goes on to note this may require a reporting entity to look through one or more financial institutions, with each reporting entity in the chain being required to do the same.
[52] The class exemption for managing intermediaries represents an acknowledgment of the inefficiency of this scheme. As the information sheet sets out, its primary purpose is to “reduce the compliance burden from multiple reporting entities in a chain of transactions having the same CDD obligations”, in doing so
ensuring the CDD obligations fall on the reporting entity best placed to identify the customers’ beneficial owners in any situation.
[53] The “specified managing intermediaries” exemption applies to reporting entities whose customers are “specified managing intermediaries”. Under the exemption as notified in July 2015, reporting entities are exempt from the requirement in s 11(1)(b) to do CDD on certain Powbatics. It is an acknowledgment that these entities have their own reporting obligations and will therefore have carried out the required CDD on their own customer base.
[54] As the Wilson Harle letter notes, the exemption has effectively demonstrated that QDD was not alone in its confusion over the extent to which it had CDD obligations when transacting with the third party money remitters. Moreover, had the exemption been in place during the relevant period, a majority of the civil liability acts for which QDD now faces a penalty, specifically the transactions between QDD and DP Finance International Ltd which collectively comprised all 1,088 wire transfer transactions undertaken in the relevant period totalling $94,763,399.40 and which formed a significant part of the total number of transactions between QDD and the six money remitters. In Ms Chen’s submission this means the “historical non- compliance” by QDD in the preceding months was “not objectively so serious”, particularly given that the DIA accepted in its 2 March 2016 response to the Wilson Harle letter, that at least some of QDD’s transactions with DP International Finance Ltd would come within the exemption:
For transactions where QDD is receiving funds from DP (on behalf of DP customers) to be paid out to or transmitted on by QDD as the beneficiary, QDD may rely on the Specified Managing Intermediaries Exemption.
[55] More broadly Wilson Harle advanced the managing intermediaries exemption as a reason for the DIA to not pursue a claim against QDD, or to consider its compliance failures as less serious:
Ms Hua understands that the class exemption notice did not come into force until July 2015 but, in our view, QDD was not alone in its approach to its CDD obligations. QDD’s genuine and reasonable attempts to comply with the Act prior to the exemption notice coming into effect (including by employing external advisers) should be taken into account by the DIA. We note that when consultation was undertaken with the industry on possible class exemptions
for managing intermediaries, the FMA recorded that where genuine and reasonable attempts to comply with the relevant obligations under the Act had been made, it would not take enforcement action for non compliance. We suggest, given the difficulties with interpretation of the relevant provisions, that this would be an appropriate approach for the DIA to take in the circumstances.
[56] I agree. And, as Wilson Harle also pointed out, the Ministry of Justice and AML/CFT supervisors’ interpretation of “beneficial owners” as including Powbatics is merely an arguable interpretation:
We note that the ambiguity in the Act remains a live issue, and ultimately only a Court can confirm the correct interpretation.
[57] Overall I am satisfied that the level of latent ambiguity present in this part of the AML Act, subsequently recognised by the managing intermediaries exemption that came into force in July 2015, is relevant to my assessment of the nature and extent of the QDD’s civil liability acts.
[58] Fifth, in addition to these significant matters it is also clear that QDD’s ability to keep adequate records was affected by the unavailability of electronic records. Specifically QDD understood that records from WeChat and Skype were permanently available and only discovered in the course of the DIA investigation that those records could not be accessed after a certain period of time. While the reliance on the electronic media may appear naive for the purposes of maintaining adequate business records and, in the AML/CFT context, maintaining adequate records of transactions, it further reinforces the impression that QDD’s failure to maintain records was unintentional.
[59] Finally, in assessing the nature and extent of QDD’s civil liability acts it must be acknowledged that there is no evidence that they were the result of any attempt to maximise profit at the expense of compliance. While both parties have accepted that QDD benefited from its breaches of the Act by being able to offer customers a less rigorous AML/CFT compliance framework, there is no suggestion in the evidence that the lack of AML/CFT compliance was in any way used as a selling point, or indeed that its customers were ever aware that QDD was not complying with its AML/CFT
obligations. On the contrary as set out below,42 QDD itself was not aware until the DIA investigation that it was substantially non-compliant.
[60] The reality was that while “QDD operated a moderately sized, high volume business throughout the relevant period without a compliant risk assessment and without adequately performing customer due diligence or maintaining adequate transaction records”, the substantial revenue was not reflected in QDD’s net profit after tax which was:
(a)$37,388 for the financial year ending 31 March 2014;
(b)$259,745 for the financial year ending 31 March 2015; and
(c)$127,631 for the financial year ending 31 March 2016.
[61] Taking these various matters together I conclude that the nature and extent of QDD’s civil liability acts cumulatively stand at the lower end.
Effect of QDD’s Civil Liability Acts on the integrity and reputation of the New Zealand financial system
[62] Mr Johnstone submits this factor is a particularly concerning aspect of QDD’s conduct:
(a)The risk-based approach underpinning the AML/CFT regime depends on the reporting entity’s willingness to undertake a thorough risk assessment in good faith and with due care, as the DIA cannot monitor and correct each and every risk assessment.
(b)The failure to monitor accounts and provide ongoing CDD deprived QDD of the ability to accurately determine which transactions were unusual and therefore suspicious, and to report them, which in turn deprived law enforcement agencies of an important form of intelligence.
42 See [79] – [126] below.
(c)Without undertaking ECDD, QDD was vulnerable to being utilised for money laundering and financing of terrorism, and provided a safe forum for those activities to be carried out. Moreover, it hindered QDD’s ability to report suspicious transactions. This undermines the efficacy of the regime.
(d)Record keeping is the primary means by which the DIA is able to monitor a reporting entity’s compliance. Without it, criminals can enter transactions anonymously and the DIA is stripped of its ability to review the activity of a reporting entity like QDD.
[63] Mr Johnstone underlines that the damage in this case involves 796 high risk transactions and 1,088 wire transfers proceeding without adequate due diligence, 1327 total transactions not being subject to adequate account monitoring or ongoing CDD, and the DIA not being able to monitor QDD’s transactions and customers.
Discussion – Effect on New Zealand financial system
[64] Mr Johnstone’s submissions on this issue are similar to those he made in Ping An, which were accepted by Toogood J. Like the submissions in Ping An the DIA relies upon the potential or hypothetical consequences of the civil liability acts rather than identifying any actual damage to the integrity and reputation of the New Zealand financial system as a result of the civil liability acts committed by QDD.
[65] While the DIA’s submissions are fairly made, in contrast to the situation in Ping An it is accepted that QDD did not intend to breach the Act, and indeed for the reasons set out below appears to have been altogether unaware that it was so doing prior to the DIA investigation. This, coupled with the fact that there is no evidence of any actual money laundering or financing of terrorism arising as a result of the civil liability acts, make it difficult to see how the integrity and reputation of New Zealand’s financial system would have been effected to any significant degree.
[66] On the contrary the evidence shows that the documents supplied by QDD, including the three risk assessments, were closely scrutinised by the DIA. This resulted in a prompt and comprehensive investigation that has led to the present
proceedings. If anything therefore, the fact that QDD’s civil liability acts were addressed expeditiously suggests that the DIA takes its role as the AML/CFT supervisor seriously and that inadvertent non-compliant conduct of the type carried out by QDD will be discovered and corrected.
[67] Mr Johnstone rightly submits the AML Act is premised on each reporting entity carrying out its responsibilities; the DIA as an AML/CFT supervisor does not have the resources to investigate the operations of all reporting entities. But as this case shows, given the relative newness of the regime the DIA will naturally have to take a more proactive role until it has bedded in and reporting entities are clear on their obligations.
[68] Accordingly, although clearly a relevant consideration for the Court in setting a civil pecuniary penalty for QDD’s civil liability acts, I do not accept Mr Johnstone’s submissions on this issue and conclude it is of minimal significance in the present case.
The Circumstances in which QDD’s Civil Liability Acts Occurred
[69] This is the principal area of contention between the parties. It is on this point that the present case differs significantly from Ping An, as in that case no specific circumstances were identified to “mitigate or aggravate Ping An’s conduct”.43 In contrast there are three discrete circumstances Ms Chen submits reduce QDD’s culpability and should be taken into account in fixing the starting point for the civil liability acts:
(a)good faith reliance on advice from Starfish and the DIA;
(b)language difficulties, including the DIA’s failure to provide an interpreter; and
(c)uncertainty in the law.44
43 At [109].
44 This point has been addressed above, as a factor relevant to the nature and extent of the civil liability breach. Accordingly I do not address it here.
[70] In relation to the first and most significant factor, Ms Chen submits that at all times QDD was intending to act in compliance with the AML Act, and placed reliance both on an expert consultancy, Starfish, and the DIA, in order to achieve compliance.
[71] Ms Chen submits Starfish drafted QDD’s three risk assessments, and provided QDD with advice about what it had to do to comply with the AML/CFT regime which QDD implemented. Ms Chen submits the amount of money paid to Starfish, about
$49,000, is illustrative of the extent of reliance on its services. None of Starfish’s consultants identified flaws in the work or in QDD’s compliance. The failures in the risk assessments led to downstream breaches, namely an ability to identify risky transactions.
[72] She also submits QDD relied on the DIA’s feedback. A desk-based review of AML Act compliance was undertaken on 3 April 2014, and Ms Chen argues Ms Hua reasonably expected the DIA to raise any non-compliance issues with her.
[73] In response the DIA relies on the evidence of Ms Piper, to the effect that QDD engaged external consultants to appear as if it was complying, rather than in any genuine effort to comply with its obligations under the AML Act. Even if QDD’s view of the evidence is accepted, Mr Johnstone submits this factor is not relevant to starting point, and even if it is not, at most reliance amounts to the absence of an aggravating factor rather than a mitigating factor.
[74] Turning to the second circumstance, Ms Chen submits Ms Hua’s poor English was a significant factor which contributed to the power imbalance between the parties, and ultimately led to QDD being denied natural justice by the DIA as its investigation unfolded. QDD in particular relies on expert evidence from Professor James Hou-Fu Liu, a professor of psychology at Massey University, who explained how and why language and cultural barriers would have affected the investigation. Specifically, Ms Chen submits a key implication is while there were clear misunderstandings between QDD and the DIA, at no time was Ms Hua attempting to mislead the DIA.
[75] Ms Chen goes on to submit there was prejudice due to the DIA’s failure to provide an interpreter and that Ms Hua did not understand fundamental aspects of her
communication with the DIA including what the term “incriminate” means. Section 133(3) and (4) of the AML/CFT Act relevantly provides:
(3)A person is not required to answer a question asked by an AML/CFT supervisor under this section if the answer would or could incriminate the person.
(4)Before an AML/CFT supervisor requires a person to answer a question, the person must be informed of the right specified in subsection (3).
[76] Ms Chen links the failure to properly explain this concept to s 27 of the New Zealand Bill of Rights Act 1990 (“NZBORA”), namely the right to the observance of principles of natural justice, which she submits must be interpreted in light of the right not to be discriminated against, enshrined at s 19 as well as the rights of persons charged with an offence and to present a defence at ss 24(g) and 25(e).45
[77] The services of an interpreter were first offered in September 2015, a number of months after the DIA commenced its investigation with QDD. Ms Chen says once it was realised that information and evidence was being collected from Ms Hua which could incriminate her, s 133 of the AML Act applied and Ms Hua should have been offered an interpreter.
[78] In response Mr Johnstone for the DIA submits even if Ms Hua’s evidence about her English language ability is accepted, it did not impact on her ability to comply with the AML Act, and should not be treated as a mitigating factor. He argues QDD took part, of its own volition and for significant profit, in a high risk industry, in which the onus is on the reporting entity to make sure it can comply with legal requirements. In Mr Johnstone’s submission a lower standard of compliance is not acceptable merely because of language issues; indeed to maintain the integrity of the AML/CFT regime it cannot be.
45 She cites in particular the Court of Appeal’s decision in Attorney-General v Udompun [2005] 3 NZLR 204 (CA).
What were the Relevant Circumstances? QDD and its relationship with Starfish and the DIA
[79] It appears from the evidence provided to the Court that QDD and Starfish commenced their association in September 2012. In particular, on 21 September 2012 Starfish provided a proposal to provide AML/CFT consulting services at QDD’s request. Starfish set out its understanding of QDD’s requirements in the following terms:
[QDD] wish[es] to initiate a programme of work to assess the business impacts of the New Zealand AML/CFT Act, identify the material gaps in their current processes and assess the level of money laundering and terrorist financing (ML/TF) risks based on customer profiles, products and services, delivery channels and operating model.
This will enable [QDD] to:
·Assess ML/TF risks and record all the collected ML/TF data and risk scores as substantiation for audit, and AML/CFT supervisor requirements within our risk model
·Baseline an AML/CFT programme to manage and mitigate the compliance obligation gaps and risks identified
·Inform the Board and / or Senior Management on the current status of their ML/TF risk profile and to support and gain approval to proceed to initiate c comprehensive AML/CFT compliance programme.
[QDD] will require the completion of a series of tasks as the basis for commencing an AML/CFT programme. In order to understand the elements of their AML/CFT programme [QDD] will need to initially complete the following tasks.
The required tasks are:
Undertake a gap analysis against the regulatory obligations within the AML/CFT Act with which [QDD] will need to comply with and complete a Business Impact Assessment to understand the implications for their current operating model.
Undertake a full customer, product and services, and delivery channel risk assessment.
[80]Starfish then set out its approach:
Starfish has adopted a modular approach to assist reporting entities achieve AML/CFT regulatory compliance. This approach defines a number of work packages which when combined, results in a structured work programme to achieve full compliance with the requirements of the Act.
To ensure the AML/CFT requirements are fully understood and the impacts on the operating model are fully appreciate and documented, Starfish will apply the following modules from this programme to ensure the scope is fully covered and the deliverables are aligned:
Gap analysis of AML/CFT obligations
·Review obligations from the AML/CFT Act which are applicable to [QDD]
·Workshop with key management and operational staff to assess current level of readiness and follow up with structured interviews where further input is required
·Complete assessment template which highlights and risk ranks the identified gaps
·Document material gaps, and the business and customer impacts, with recommendations to address.
AML/CFT Risk methodology and Customer, Product and Delivery Channel risk assessment
·Provide relevant risk criteria to support customer, product and channel risk assessment
·Assess [QDD’s] customer base, product suite and channels for ML/TF vulnerabilities
·Workshop with key management and personnel to agree on risk profile for customers and products.
(emphasis added)
[81] Ms Hua signed the proposal on 25 September 2012. Work commenced with delivery of the contracted services being primarily provided by Martin Dilly, one of the Starfish consultants. A business impact analysis was completed by Mr Dilly around December 2012, followed by a AML/CFT risk assessment in February 2013. Not long after the risk assessment was completed a further contract appears to have been signed between QDD and Starfish, although the consulting services specified simply record that Starfish was “to provide AML/CFT consulting services”. Further work undertaken by Starfish at about this time included providing drafts of customer identification and verification policy and a suspicious transaction reporting policies which Starfish described as “the key policies QDD will need to have”.
[82] Although a business impact analysis and risk assessment had been drafted, as noted above in late 2012 and early 2013 respectively, these documents were not
apparently finalised and combined into a single document until 3 June 2013, when it took effect as the First Risk Assessment.46 The First Risk Assessment was prepared by Mr Dilly and begins:
[QDD] … requested that Starfish provide support and advisory services to support them in meeting their [AML/CFT] regulatory obligations.
Starfish has produced an AML/CFT obligations register and assisted in the undertaking of a high level review of those obligations against current business processes. A Money Laundering / Financing of Terrorism (ML / FT) risk assessment across the customers, products, channels and jurisdictions of [QDD] was performed in addition to a business impact and gap analysis across their operations. From there, Starfish has produced a high level implementation roadmap of individual work packages in order to inform [QDD]'s AML/CFT programme in response to their risk profile.
This report details the findings from the business impact and gap assessments and the results from the initial risk assessment undertaken for [QDD]. The procedures that Starfish performed do not constitute an assurance engagement in accordance with New Zealand Standards for Assurance Engagements, nor do they represent any form of audit under New Zealand Standards on Auditing and consequently, no assurance conclusion or audit opinion is provided.
The engagement considered the state of readiness of [QDD] across the seven major obligation groups within the AML/CFT Act being - ML/FT Risk Assessment; AML/CFT Programme; Customer Due Diligence (CDD); suspicious transaction monitoring and reporting; record keeping; staff training and vetting; and audit and reporting.
Each compliance obligation group was assessed across the following business impact areas; business strategy; customer experience; people and training; products and channels; systems and core applications; and, policies and processes. The assessment determined the level of readiness within PSDS to satisfy the AML/CFT regulatory obligations and what the key areas of impact were across the organisation.
(emphasis added)
[83] The methodology section of the first risk assessment described QDD and Starfish’s approach to the preparation of the risk assessment in the following terms:
[QDD] is committed to full participation in the AML/CFT regulatory reform process in a way that enhances the organisation’s own competitive positioning.
The Starfish approaches are well proven one which has been successfully used across multiple business impact engagements involving regulatory change. Each of the phases (1 – 4) completed in this engagement are detailed below.
46 See [3](a) above.
[84] The four phases described in the introduction were a business impact analysis, a gap/options analysis, a risk assessment and a “target solutions implementation roadmap”. The business impact analysis confirmed that Starfish had “considered [QDD’s] business strategy, processes, policies, systems and IT infrastructure and people and training from a customer, product, channel and location perspective”. As part of the risk assessment it confirmed QDD and Starfish had “categorised [QDD’s] business in terms of customer types, products, jurisdictions and channels”, although nowhere in the First Risk Assessment was there any description as to how QDD’s money remittance business actually worked. The most comprehensive description is contained in Appendix 2 – Business Impact Assessment Findings, which stated only:
[QDD] provides foreign exchange and telegraphic money transfer services to new customers into regular repeat customers. Single outlet based in Newmarket, Auckland employing four staff including owner. Telegraphic transfers only (no remittance agents).
[85] A number of limitations were identified with regard to AML Act requirements, with the intention that these would be resolved in the QDD AML/CFT programme to be drafted subsequently.
[86] Within a short time of the completion of the First Risk Assessment Mr Dilly left Starfish and was replaced by Laura Blade as the primary Starfish consultant working with QDD. Notwithstanding Mr Dilly’s departure, QDD’s commitment to compliance with the AML Act obligations was apparent from an email to Ms Blade on 20 June 2013 which advised:
It is nice to hear from you. I understand that you’ll replace Martin to help us on AML service. I bet Martin has told you what he did for us. What shall we do next to comply the AML/CFT requirements? Do we need to draft AML/CFT programme? If yes what’s your charge or how many hours work you need? Thanks.
[87] The contract with Starfish was extended again on 10 July 2013 and over the succeeding months Ms Blade worked with QDD to prepare an AML/CFT programme dated December 2013. This document appears to have been approved by QDD on 26 November 2013 after being drafted by Ms Blade. The AML/CFT programme reviewed the earlier risk assessment and business impact assessment and stated:
Overall the key areas impacted are those which have a high degree of both direct and indirect customer contact. [QDD] has established robust procedures that align with the assessed level of customer risk.
[88] The document then set out a “summary of key risks” which did not identify any of the (eventual) civil liability acts. Similarly, while a range of obligations under the AML Act were noted, including “complying with customer due diligence requirements (including ongoing customer due diligence account monitoring), record keeping, the need to examine and keep written findings relating to “complex or unusually large transactions” and determining when enhanced customer due diligence is required, these obligations do not seem to have ever been tied to what QDD actually did. For example, in relation to ECDD the issue was identified as being related to the treatment of politically exposed persons with the AML/CFT programme noting:
There were no other groups identified in the initial risk assessment which suggested the need for enhanced customer due diligence.
[89] Likewise in relation to third parties or agents the AML/CFT programme advised:
[QDD] do not currently employ the services of any third parties or agents to on-board customers.
[90] The failure of the AML/CFT programme to refer to the six money remitters in some form is difficult to understand given QDD’s New Zealand bank, Kiwibank, had on 26 November 2013 requested information from QDD as to its relationship with a number of the money remitters, a request QDD immediately passed on to Ms Blade.
[91] Similarly while a policy existed in relation to wire transfers, this was not apparently linked to the way in which transactions were being carried out by QDD as part of its money remittance business. Nor indeed did the AML/CFT programme appear to consider the definition of wire transfers, a problem also apparent with regard to ongoing CDD and account transaction monitoring. While noting that QDD had to examine and keep written findings in relation to “complex or unusually large transactions”, no definition was included in the programme as to what transactions may have been caught under either of those headings. Finally, in relation to record keeping, Starfish went on to advise that:
[QDD] keeps all transaction information for at least five years. This information can easily be extracted and includes all relevant information for the originator and beneficiary to be identified.
[92] Despite these shortcomings the AML/CFT programme was provided to the DIA on 26 March 2014. Not long after, on 3 April 2014, the DIA undertook a review of QDD. This appears to have been a desktop review undertaken by a DIA compliance officer, Paul Avery, and aimed to ensure that QDD met “the minimum requirements in relation to risk assessment and programme” as set out in the AML Act. The assessment carried out by Mr Avery noted that Ms Hua had been appointed as compliance officer and went on to assess the risk assessment and QDD’s AML/CFT programme. Both documents were assessed against a number of headings and although there were a number of partial passes with regard to the First Risk Assessment, there were no fail ratings, while QDD’s AML/CFT programme passed on every criteria by which was assessed including the application of ECDD, the procedures, policies and controls on undertaking ongoing account monitoring, and compliance with record keeping requirements.
“a change in bank policy regarding accounts associated with money remittance or money changing services”. Understandably, the immediate focus of both QDD and Ms Piper shifted to attempting to secure a new source of banking services for QDD in New Zealand and in particular, to prepare a proposal for Heartland Bank (for whom Ms Blade was by that time working), and Ms Blade became the liaison point for the proposal. The effort was ultimately successful and QDD was able to open an account at Heartland Bank on 24 December 2014.
[111] As a result of this change of focus no further work on implementing the audit results appears to have been completed prior to 1 April 2015, although Ms Hua had in the meantime enquired of Ms Piper how many compliance officers could be appointed by QDD.
[112] On 1 April 2015 Mr Milnes, accompanied by Sergeant O’Neill of the New Zealand Police, undertook an unannounced visit to QDD’s offices in Newmarket which initiated the DIA investigation that lead to the present proceedings. In his job sheet Senior Compliance Officer Milnes stated that the purpose of the visit on 1 April 2015 was:
To provide a reminder to remitters of their AML/CFT obligations, as well as an opportunity to discuss any AML/CFT related issues that they may have.
[113] After speaking to staff at QDD and being advised that Ms Hua was not present Mr Milnes and Sergeant O’Neill left the premises before returning and meeting with Ms Hua. After a discussion about QDD’s business the discussion turned to the AML Solutions audit which Ms Hua offered to provide to Mr Milnes, noting the issue identified by Mr Dilly about QDD use of a manual not software system.
[114] The next day the DIA issued a notice to Kiwibank to provide copies of QDD’s bank statements, with copies being provided by Kiwibank to the DIA on 7 April 2015.
[115] Mr Milnes subsequently gave notice to QDD on 17 April 2015 that the DIA would undertake an onsite inspection on 25 May 2015. The letter of 17 April 2015 advised QDD that the DIA was intending “to focus on the customer transactions,
customer due diligence and the record keeping procedures followed by [QDD]”. In addition QDD was advised:
During an inspection, an AML/CFT supervisor may require any employee, officer or agent of the reporting entity to answer questions relating to its records and documents and to provide any other information that the AML/CFT supervisor may reasonably require for the purpose of the inspection. A person is not required to answer a question asked by an AML/CFT supervisor under s 133 of the Act, if the answer would or could incriminate the person.
[116] At about this time QDD had agreed to a further proposal from Starfish “to rerun [the] risk assessment and update the relevant sections of the AML programme to ensure they reflect [QDD’s] current business operation model”. It is not clear when the proposal was accepted by QDD but it lead to the preparation of the Second Risk Assessment which was prepared by Starfish and provided to QDD on 21 May 2015, in Ms Piper’s words, “ready for [Ms Hua] to send to the DIA”. Although the Second Risk Assessment referred to five of the six money remitters it simply described them as agents and did not detail what the money remitters actually did, noting that there was “currently degrees of formality in the written arrangements between QDD and their agents, which may heighten the risk that CDD arrangements are not carried correctly”.
[117] Prior to the inspection on 25 May 2015 the DIA obtained QDD’s bank statements up to 11 May 2015 and QDD provided the DIA with the AML audit report (on 18 May 2015), the Second Risk Assessment (on 21 May 2015), QDD’s second AML/CFT programme which had also been drafted in the meantime and the audit follow up report (on 22 May 2015).
[118] The 25 May 2015 onsite inspection was undertaken by Mr Milnes and Mr Holmes. Their respective job sheets record that upon arrival at QDD they meet with Ms Hua and her husband Joshua Qian. Mr Milnes recorded once again giving the warning against self-incrimination that had been contained in the letter of 17 April 2015 and proceeded to ask Ms Hua a range of questions including questions about the six money remitters, as well as a number of specific transactions. He then noted:
As it is getting close to 10 am, and her staff have arrived, I advised Hua that I am going to review the information I have and that I will make a written
request to her in the next couple of days regarding the further information and CDD records I would like to review specifically. I advised that whilst there is some positive feedback today, relating to their new system for example, there also appear to be some issues around the arrangements they have in place with their agents.
[119] The following day Mr Milnes issued a notice under s 132(2)(a) of the AML Act requesting copies of “all agency agreements” signed between QDD and the six money remitters as well as copies of all transaction records relating to 17 specific transactions. The information was specified to be provided by 10 June 2015.
[120] On 29 May 2015 Ms Hua emailed Mr Milnes the signed third party agreements between QDD and the six money remitters together with the specific transaction information required. The third party agreements were all dated between October and November 2014, although in fact only one of the agreements, that with DP International Finance Ltd, had been signed in November 2014, the rest being signed in May 2015 (at around the time they were requested by the DIA).
[121] Upon receipt Mr Milnes issued a further notice on 2 June 2015, this time requesting the following documents by 16 June 2015:
·Copy of the document referred to as ‘Appendix A’ in [QDD’s] Third Party agreements with DP International Finance Limited, Broadtrust Group Limited, Xiao Xiaolan, LAN’s Enterprise Limited, Forex Brokers Limited and 21st Century International Limited.
·Copy of AML/CFT log entries, or any other records, relating to [QDD’s] six monthly review of the processes of Broadtrust Group, LAN’s Enterprise Limited and Xiao Xiaolan. …
·Copy of training register (and any associated training manuals) for all AML/CFT training that has been provided by [QDD] to DP International Finance Limited, Broadtrust Group Limited, Xiao Xiaolan, LAN’s Enterprise Limited, Forex Brokers Limited and 21st Century International Limited.
·Further information as outlined on the attached notice relating to the 17 previously specified transactions (as per my communication on 26 May 2015). Please note that it is the customers of [QDD] (and your agents) that we seek to identify (as per the terms of your third party agreements and the obligations of the AML/CFT Act). Copies of transaction records and standard and enhanced CDD for all customers is required.
[122] QDD responded on 25 or 26 June 2015, providing information about customer identification verification policy together with a series of documents headed training logs, which purported to show training carried out by QDD in late 2014 for the six money remitters pursuant to the third party agreements.
[123] The receipt of the further information with regard to the six money remitters resulted in the DIA issuing notices to each of the six money remitters with regard to their third party agreements with QDD. The DIA subsequently held meetings with each of the six money remitters. As a result of the information obtained on 21 August 2015 the DIA requested evidence from QDD as to the dates on which the third party agreements were signed.
[124] As the DIA investigation unfolded Ms Piper appears to have been substantially responsible for preparing the QDD responses including forwarding copies of the third party agreements for the money remitters in the form she prepared. It was only on 9 July 2015, after the DIA had issued its second notice to QDD, that Ms Piper recommended via email QDD engage a lawyer, and not long afterwards, on 24 August 2015, following the third notice issued by the DIA that John Coey (who appears to have been the principal of Starfish) advised QDD that Starfish could no longer assist QDD.
[125] A response to the request for further information about the signing of the third party agreements was therefore provided by QDD’s then solicitor which resulted in further correspondence between the solicitor and the DIA on the issue. In the course of the correspondence on 7 September 2015 the DIA requested an interview with Ms Hua and on 10 September 2015 offered to provide an interpreter for the interview, setting out the DIA’s concerns and listing the questions to be put to Ms Hua.
[126] It was only on 24 November 2015 that QDD’s second firm of solicitors confirmed to the DIA that the third party agreements were not signed on the dates recorded in the third party agreements but had been signed in May 2015 and backdated to the dates shown in the agreements.
Discussion – Relevant Circumstances
[127] It is beyond any doubt QDD relied heavily on Starfish to ensure AML/CFT compliance and there is no indication that at any point it did not follow Starfish’s recommendations.
[128] Throughout the relationship, which lasted between September 2012 and September 2015, there is no indication given by Starfish that it was at any time not able to receive the information it needed to carry out the work it had contracted to do for QDD. On the contrary there is some indication that the Starfish consultants working with QDD genuinely believed QDD was AML/CFT compliant evidenced by Ms Blade’s apparent support in opening an account for QDD with Heartland Bank after she had left Starfish. Likewise, the available evidence suggests QDD was genuine in working with Starfish in order to achieve AML/CFT compliance. This is not surprising. In 2012 QDD was faced with the commencement of a technical and complicated compliance framework, for which compliance was mandatory. Even at that stage it would have been apparent that QDD was in a relatively high risk industry. Furthermore, the nature of the impending AML/CFT regime did not and does not lend itself to stock solutions. As a result, given Ms Hua’s limited command of English it was unlikely QDD could have complied with the AMLAct regime without assistance.
[129] Without exception, each document drafted by Starfish confirmed substantive compliance by QDD with the AML/CFT regime, with the level of compliance increasing over time. As has been noted throughout the summary the documentation prepared by Starfish repeatedly emphasised the robust nature of its risk assessment processes in a manner expressly designed to give confidence to QDD. The impression given by Starfish to QDD was only reinforced by the DIA, and in particular the feedback it provided to QDD following the desktop review on 3 April 2014, and the onsite inspection on 27 May 2014. Based on all of these documents I accept entirely Ms Hua’s statement made in cross-examination that she thought QDD was “on track”.
[130] When the relationship between QDD and Starfish is considered in its entirety it can be seen that Ms Piper was only involved in the last, albeit critical, period following the AML Solutions audit in September 2014. Accordingly while in her
evidence Ms Piper suggested that she “was being asked to create AML/CFT policies, procedures and controls to ‘shore up’ [Ms Hua’s] desired course of action, rather than assisting in adapting her business to the new reality of AML/CFT compliance requirements” that is simply not borne out on the evidence before me. In addition to lacking any contemporaneous documentary support for this statement or indeed the other assertions in her affidavit, she was in any event in no position to comment on the period until her own involvement with QDD had commenced around September 2014, as it is beyond dispute that Starfish had been heavily and meaningfully engaged with QDD in the earlier period.
[131] There is simply nothing whatsoever in the evidence before the Court to suggest that prior to the DIA investigation, at which time the limitations in QDD’s substantive AML/CFT compliance became rapidly apparent, QDD was not genuine in its stated desire to meet its obligations under the AML/CFT regime or that QDD was not totally dependent on Starfish to enable that to occur, and on the contrary it is difficult to see what else QDD could have possibly done once it had agreed to the guided by Starfish.
[132] Indeed, despite receiving the audit from Mr Dilly at AML Solutions which did raise issues with QDD’s manual systems and the relationship of QDD with third parties, Starfish, through Ms Piper, continued to draft documents indicating that QDD was substantively compliant with its AML/CFT obligations.48
[133] Unfortunately for QDD, despite the thoroughness implied by the Starfish risk assessment approach and methodology noted throughout the documents Starfish prepared for QDD, a close analysis of those documents reveals that none of the Starfish consultants working with QDD, from Mr Dilly to Ms Piper, appeared to have any real understanding of QDD’s business model, how the business actually worked, how records were kept and, in particular, the role of the six money remitters, in terms of QDD’s obligations within the AML Act framework. Instead Starfish’s approach appears to have been predominantly process driven in the absence of any detailed understanding of QDD’s business, notwithstanding the September 2012 proposal, and the statements in the introductions to the various risk assessments highlighted above.
48 In fact, by that stage the “relevant period” during which three of the four civil liability acts occurred had commenced.
As a result, there was no evident discussion concerning QDD’s relationship with the various money remitters. Moreover, the references to obligations to undertake ECDD focused on “politically exposed persons” rather than large or complex transactions, and while there are references to wire transfers this appears to relate to transactions with Western Union rather than the dealings with the six money remitters that fell within the broad definition of wire transfers contained in the AML Act.
[134] Taken together I have no hesitation concluding that QDD’s reliance upon Starfish, backed up by what QDD was told by the DIA following the desktop review and inspection in 2014, provides critical context to the civil liability acts, and substantially reduces QDD’s culpability for those acts arising out of the deficiencies in its risk assessments, obligations to undertake ECDD, failures in respect of CDD and account monitoring, and record-keeping.
[135] In this respect QDD’s reliance upon Starfish and the DIA falls into quite a different category than reliance upon legal advice by parties in proceedings under the Commerce Act 1986.49 The Commerce Act regime generally involves a determination as to whether a chosen course of conduct will breach the Act if it is undertaken. In contrast the AML Act regime provides a mandatory overlay on existing businesses. A business like QDD cannot avoid having to deal with the AML Act if it wishes to continue with its existing lawful business. Having decided it needed help to comply with the regime, QDD choose to get help from Starfish. The advice it received was therefore not legal advice as to whether it could proceed in a certain way, but was to ensure that it could continue to trade in compliance with the AML/CFT regime. Ultimately the issue here where liability has been accepted by QDD is not whether Starfish gave legal advice or even whether it was accurate, but whether given the advice it provided to QDD it was reasonable for QDD to conclude it was doing everything it could do to comply with its AML/CFT obligations.
[136] Having concluded that QDD’s culpability is at the lowest level, I am not satisfied that the conduct of the investigation by the DIA which was also challenged
49 For example see Commerce Commission v Bayley Real Estate Limited [2016] NZHC 1493 at [18].
by QDD gives rise to any other issues relevant to my assessment of the circumstances in which the civil liability acts occurred.
[137] In particular, having reviewed the DIA investigation it is clear that nothing in the circumstances of the investigation gave rise to any issues. The civil liability acts are admitted. It is difficult to see how the NZBORA can have any application in this case, given there is no challenge to admissibility of any of the material provided by QDD to DIA or otherwise obtained by the DIA in the course of its investigation, and there is no resulting factual dispute over the nature and extent of the civil liability acts by QDD. The reality is that nothing in the DIA investigation in any way caused or otherwise induced the civil liability acts. Specifically the investigation only commenced in the last month of the relevant period, with most of the investigation, including the issues around the third party agreements, taking place after the end of the relevant period.
[138] As a result the issues raised by Ms Chen with regard to the conduct of the investigation including any communication difficulties are simply irrelevant to the circumstances of the civil liability acts.
Whether QDD has Previously Engaged in Similar Conduct
[139] Ms Chen submits a discount of 15 per cent is warranted for QDD’s lack of history previously contravening the AML Act or indeed any legislation in this jurisdiction or elsewhere. She submits that in Ping An Toogood J erred in not giving credit for the company’s clean record. In her submission the statutory language at s 90(4)(d) is clear that consideration must be given to whether the person has previously been found by a court to have engaged in similar conduct. She adds the duration of the breach is not relevant when this factor is being weighed. In any event, she submits duration of breach should only disentitle historically compliant parties where the breach was intentional. As QDD’s civil liability acts were not, she contends a discount is appropriate.
Discussion – Previous Engagement in Similar Conduct?
[140]This factor is clearly of little significance in the present case.
[141] On its face the factor set out in s 90(4)(d) is very specific, even more specific than whether or not QDD had a clean record: it focuses on whether it has been found by a Court to be engaged in similar conduct previously. QDD has not been, but it should be noted that not only is the AML/CFT regime still bedding in, QDD actually has the, perhaps somewhat dubious, distinction along with Ping An of being the first reporting entity to have been brought before the Court for this type of conduct.
[142] Furthermore, the admissions contained in the agreed statement of facts make it clear that because of the failures in respect of the risk assessments QDD in fact has never been compliant with its obligations under the AML Act. It is therefore difficult to see on what principled basis the type of additional discount advocated by Ms Chen could be justified.
[143] I therefore find this factor to be neutral in my determination of the starting point.
Conclusion – Seriousness of Civil Liability Acts / Calculation of Starting Point
[144] For the reasons set out above, in particular the nature and extent of the civil liability acts and the relevant circumstances, I am satisfied that QDD’s liability is at the lowest end. Given that general conclusion, and noting in particular my assessment that the civil liability acts have not had any substantive effect on New Zealand’s financial system, I conclude the conduct reflected in the four civil liability acts does not require the imposition of a significant deterrent penalty on QDD. This is not a case where there is a need to “deter the unscrupulous from taking a calculated business risk”. As a result given QDD thought it had taken steps to do everything possible to comply with its AML / CFT obligation the imposition of a significant deterrent penalty would be wrong in principle.
[145] Taking all factors relating to the civil liability acts into account I conclude that if considered separately, the starting point for each of the civil liability acts would be as follows:
(a) Failures in respect of risk assessments $225,000 (b)
Failure to undertake ECDD
$175,000
(c)
Failure to undertake ongoing CDD and account monitoring
$100,000
(d)
Failure to keep adequate records
$120,000
$620,000
[146] As discussed at [29] above, s 74(2) of the AML Act prescribes that while civil penalty proceedings may be brought against a person for more than one civil penalty, that person “may not be required to pay more than one civil penalty in respect of the same or substantially the same conduct”. As a result it is necessary to adjust these starting points to avoid penalising QDD for the same conduct. This exercise is achieved in criminal sentencing by picking the lead charge and uplifting for other offending committed at the same time to reflect the totality of the offending.50
[147] An overlap has already been acknowledged by Mr Johnstone between the failures in respect of the risk assessments and the failure to undertake ECDD.51 As well, it is clear from the summary above it was the failure of the risk assessments carried out by Starfish on behalf of QDD to identify the role of the six money remitters that lead directly to the failure to carry out ECDD, CDD and ongoing monitoring in respect of those entities. I therefore accept that the starting points for the failures in respect of risk assessments, ECDD, and CDD and ongoing monitoring civil liability acts should be reduced to a total sum of $300,000 to avoid penalising what is substantially the same conduct. As a result the final adjusted starting points are as follows:
50 R v Barker CA57/01, 30 July 2001, endorsed in R v Xie [2007] 2 NZLR 240 (CA).
51 See [34](c) above.
(a)Failures in respect of risk assessments / Failure to $300,000 undertake ECDD / Failure to undertake ongoing
CDD and account monitoring
(b)Failure to keep adequate records $120,000
$420,000
Aggravating and Mitigating Factors Personal to QDD
[148]No personal mitigating factors have been identified.
[149] The one aggravating factor for which the DIA seeks uplift is in respect of what it terms misleading conduct during the investigation carried out by Mr Milnes. Mr Johnstone submits a 20 per cent uplift on starting point is warranted for QDD’s failure to completely cooperate with the DIA, and its misleading behaviour. He submits that when QDD provided the DIA with six “third party agreements” relating to the six money remitters, it inaccurately represented they were signed on the dates printed on them, only to later acknowledge they were signed later. He also says it misleadingly represented in the Second Risk Assessment that it had a principal-agent relationship with the six money remitters. He submits the deception was only retracted in November 2015 after investigations had been carried out and Ms Hua confronted.
[150] Ms Chen responds that with the exception of one of the remitters, Ms Hua was of the view all the six money remitters were customers. She adds the agreements were prepared by Starfish, and backdated as a result of QDD’s understanding that the relevant date was when its business relationship started. As such she submits there was no attempt to mislead and this should not be treated as an aggravating factor.
Discussion – Aggravating and Mitigating Factors
[151] Having reviewed the evidence carefully I am satisfied that QDD’s behaviour on this issue can only be construed as clearly misleading.
[152] As is clear from both the statement of agreed facts and the summary set out above, the issue of the six money remitters was simply never addressed by QDD or Starfish in terms of QDD’s AML/CFT compliance until questions were raised in the AML Solutions audit report in September 2014 which had considered the “third party payment agreement” between QDD and DP International Finance Ltd signed on 4 September 2014. This resulted in the AML Solutions recommendation, contained in the audit, that the “third party agreement” needed to be reviewed. It fell to Ms Piper to draft an amended agreement.52 It is not clear, even after the cross-examination of Ms Hua and Ms Piper, why Ms Piper characterised the relationship between QDD and DP International Finance Ltd as one of agency, and the resulting agreement drafted by Ms Piper clearly did not reflect the relationship between DP International Finance Ltd and QDD. It is also not clear to what extent Ms Piper saw herself drafting the agreement between QDD and DP International Finance Ltd as a template for QDD’s relationship with the other money remitters, although it is clear she knew ultimately that all the money remitters had proceeded to sign documents in the form dated by her as these were included in material Ms Piper collated to be sent to the DIA on behalf of QDD.
[153] While there is a clear issue as to the provenance of the agreements, that is not relevant to the present issue, which is whether there should be an uplift for the fact that the third party agreements (apart from that pertaining to DP International Finance Ltd) were signed and backdated and training logs were created retrospectively for training in accordance with the agreements only after the investigation had begun and the relevant documentation was requested by the DIA.53 Having considered the evidence available I conclude that to arrange for the execution and backdating of the third party agreements and to create the training logs can only be construed as an attempt to mislead the DIA at that point. An uplift is accordingly warranted.
[154] The question then turns to what is an appropriate uplift in the circumstances. While percentage uplifts are often used in criminal sentencing, in a situation like the present where the financial penalties are already significant I am not satisfied that an uplift of via a significant percentage as sought by Mr Johnstone is warranted or
52 See [109](a) above.
53 See [120] - [126] above.
appropriate. Having reviewed the evidence of QDD’s conduct and the DIA investigation it is apparent that the attempt to mislead did not affect in any way the nature or extent of the civil liability acts committed by QDD. On the contrary, it constituted only a small part of the wider picture and was not otherwise representative of QDD’s overall conduct in the course of the DIA investigation. The statement of agreed facts indeed relevantly records:
QDD has cooperated with the Department in relation to this proceeding.
[155] In the circumstances I therefore conclude that a discrete addition to the overall pecuniary penalty in the sum of $25,000 is an appropriate reflection of the seriousness of the attempt to mislead the DIA in the course of the investigation.
Admission of Liability and Cooperation
[156] The parties are agreed a discount is appropriate for QDD’s admission of liability.
[157] The issue is how much and whether this should be combined with any further discount for either cooperation and/or steps taken by QDD to achieve compliance with the AML/CFT regime since the DIA investigation. With regard to the latter the DIA does not dispute that steps have been taken by QDD to ensure compliance with the AML/CFT regime in the future and accepts some discount is appropriate. The DIA position is however that these steps came only after a lengthy investigation and should be considered together with a discount for QDD’s admission of liability, with a total discount of 20 per cent.
[158] Ms Chen adds that QDD has continued to take steps to comply since the civil liability acts. Overall, she submits a discount of 15 per cent is warranted for some additional compliance efforts, in addition to a 20 per cent discount for admission of liability.54 She submits QDD’s cooperation included:
54 She refers to a number of decisions in which discounts of up to 50 per cent were applied for a combination of these factors, often along with no previous contravening conduct: Commerce Commission v EGL Inc HC Auckland CIV-2010-404-5474, 16 December 2010; Commerce Commission v Lodge Real Estate Ltd [2016] NZHC 1494; Commerce Commission v Alstom
(a)getting legal advice when QDD’s compliance consultants said any further involvement from Starfish would cause more harm;
(b)continuing to engage with the DIA through lawyers thereafter;
(c)providing in the letter from Ms Hua’s lawyers dated 24 November 2014 to the DIA a detailed response to the DIA’s questions;
(d)agreeing a statement of agreed facts with the DIA so that a hearing on penalty only was required; and
(e)not taking steps to challenge the freezing order on QDD’s bank account despite disputing the context of Mr Milne’s 2016 affidavit and despite inconvenience.
[159] More generally, Ms Chen points to Ms Hua’s willingness to meet with the DIA at an early stage, and that given the confusion and English-language difficulties, admissions were made at the earliest opportunity. She says had an interpreter been provided earlier, QDD would have been able to cooperate at an earlier stage.
Discussion – Admission / Cooperation
[160] There is no dispute that QDD should be entitled to an overall discount of at least 20 per cent; the issue is whether there should be an additional discount to separately recognise QDD’s cooperation with the investigation and the steps it has taken since the investigation to ensure AML/CFT compliance.
[161] Having considered the issue I am satisfied that a total discount of 20 per cent is appropriate to cover QDD’s admission of liability, cooperation and subsequent steps to ensure compliance.
[162] In particular I am satisfied that QDD’s admission of liability was substantive. Not only has QDD comprehensively acknowledged the scope of its conduct with
Holdings SA [2009] NZCCLR 22 (HC); Commerce Commission v Bayley Corporation Ltd [2016] NZHC 1493.
regard to the civil liability acts, the admission also reflects substantive cooperation to get to that point as noted in the statement of agreed facts. On the other hand, substantive compliance was what was required by the AML Act in any event and the starting points for the civil liability acts I have adopted have already taken into account the circumstances of the non-compliance.
[163]I therefore conclude an overall discount of 20 per cent discount is appropriate.
Totality Considerations
[164] As will be apparent I have already adjusted the starting points for each of the civil liability acts to reflect the requirement in s 74(2) of the AML Act that the same or substantially the same conduct should not result in more than one penalty.
[165]Taking the adjusted cumulative starting points of $420,000 and adding the
$25,000 uplift for QDD’s attempt to mislead the DIA during the investigation, I arrived at a sub total of $445,000. When the 20 per cent discount for QDD’s admission of liability and cooperation is applied the final pecuniary penalty for the four civil liability acts is $356,000.
[166] For the reasons set out in this judgment I am satisfied that the final pecuniary penalty of $356,000 fairly reflects the seriousness of the civil liability acts at issue in this case and no further adjustment is required to account for overlaps between the civil liability acts, nor is any other adjustment required for totality.
Decision
[167]QDD is to pay to the DIA a pecuniary penalty in the sum of $356,000.
[168] As this is a civil proceeding the DIA is entitled to costs on a 2B basis, including second counsel. In the event that any issues arise when calculating the costs and/or disbursements, I will determine the issue following the filing of memorandum.
Powell J
14
5
0