Financial Markets Authority v CLSA Premium New Zealand Limited

[2021] NZHC 2325

6 September 2021

IN THE HIGH COURT OF NEW ZEALAND AUCKLAND REGISTRY

I TE KŌTI MATUA O AOTEAROA TĀMAKI MAKAURAU ROHE

CIV-2020-404-000920

[2021] NZHC 2325

UNDER the Anti-Money Laundering and Countering Financing of Terrorism Act 2009

BETWEEN

FINANCIAL MARKETS AUTHORITY

Plaintiff

AND

CLSA PREMIUM NEW ZEALAND LIMITED

Defendant

Hearing: 5 July 2021

Appearances:

S S McMullan and L N Wilson for Plaintiff

J S Cooper QC, I Rosic and S T Coupe for Defendant

Judgment:

6 September 2021


JUDGMENT OF EDWARDS J


This judgment was delivered by me on 2021 at am / pm pursuant to r 11.5 of the High Court Rules.

Registrar/Deputy Registrar

Solicitors/Counsel:

Meredith Connell (Office of the Crown Solicitor), Auckland

Gilbert Walker, Auckland

J S Cooper QC, Auckland

FINANCIAL MARKETS AUTHORITY v CLSA PREMIUM NZ LTD [2021] NZHC 2325 [6 September 2021]

[1]    CLSA Premium New Zealand Ltd is a licenced derivatives issuer. Prior to 5 December 2019, it was known as KVB Kunlun New Zealand Ltd (KVB) and is referred to as such in this judgment.

[2]    KVB is a reporting entity under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (Act).1 The Financial Markets Authority (FMA) is the supervisor responsible for enforcing compliance with the Act.2

[3]    KVB has admitted non-compliance with the Act and consents to judgment being entered against it. This judgment is concerned with the penalty that should be imposed for that non-compliance.

[4]    The admitted non-compliance relates to four civil liability acts3 committed between April 2015 and November 2018. Those four civil liability acts are:

(a) failure to conduct customer due diligence (CDD);

(b) failure to terminate existing business relationships when CDD could not be completed;

(c) failure to report suspicious transactions/activity; and

(d) failure to keep records.

[5]    The FMA seeks a global penalty of $1.2m for all four breaches. KVB says a penalty of $420,000 is appropriate. The key differences between them relate to an assessment of the gravity of the breaches and the extent of overlap between each of the civil liability acts.


1      Anti-Money Laundering and Countering Financing of Terrorism Act 2009, s 5 definition of “reporting entity”.

2      Section 130(1)(b).

3      Section 78 defines “civil liability act”.

Agreed facts

[6]    The factual basis for the civil liability acts is set out in a comprehensive agreed statement of facts dated 18 February 2021. What follows is a summary of the facts set out in that agreed statement.

[7]    KVB provides derivatives trading services by enabling customers to undertake trades on retail trading platforms. KVB opens an account for a customer, who will deposit funds with KVB. Those funds are then made available for trading through KVB’s online platform.

[8]    At the relevant times, the executive directors of KVB were Ms Zhang, Mr Huang, and Mr Liu. The non-executive independent directors were Mr Noakes and Mr Pearson. None of the directors are associated with KVB any longer.

[9]    During the relevant period (2015 to 2018), KVB had a business relationship with between 21,000 and 37,000 customers each year. It undertook between 63,000 and 83,000 transactions annually, with a gross value of between NZD 228m and NZD 652m. Approximately 95 per cent of KVB’s customers were resident in, or had a connection with, China during this period. The remaining five per cent were predominantly Australian and New Zealand residents.

[10]   As required by the Act, KVB had a risk assessment and an anti-money laundering and countering the financing of terrorism (AML/CFT) compliance programme. KVB completed its compliance programme on 1 May 2013. PricewaterhouseCoopers (PwC) subsequently reviewed the programme later that month and KVB amended the programme on 31 January 2014 to incorporate PwC’s recommendations.

[11]   Later that year, on 20 June 2014, the FMA issued a formal warning to KVB, stating it had reasonable grounds to believe that KVB had engaged in conduct constituting a civil liability act under the Act.4 That warning related, amongst other things, to KVB’s compliance officer not being a KVB employee and the failure to implement amendments to the risk assessment aspect of KVB’s compliance programme. The FMA required KVB to undertake a special audit of its risk assessment and AML/CFT programme.5


4      The warning was issued under s 80.

[12]   KVB responded by engaging Grant Thornton to undertake a special audit. Grant Thornton’s report was issued in August 2014. Amendments were made to KVB’s compliance programme as a result. In late 2014, KVB represented to the FMA that it would demonstrate a strong risk and compliance culture.

[13]   Further reviews of KVB’s compliance programme by KVB, and Grant Thornton, took place in 2015. No amendments were required. Updates to the compliance programme were made in 2016. The Board appointed a Risk, Audit and Compliance Committee (RACC) which was responsible for overseeing KVB’s compliance and internal control functions. That committee comprised the independent directors and one of the executive directors.

[14]   Although the RACC had primary oversight over compliance matters, the parties agree that the executive directors nevertheless involved themselves in compliance related issues. The extent of that involvement saw two compliance managers employed by KVB leave their positions following disagreements between them and the directors of KVB regarding the extent of KVB’s compliance with its obligations under the Act. One of those employees was asked to resign by a director who told him KVB needed someone “bendier” as their head of compliance.6

[15]   The FMA conducted an onsite inspection of KVB on 26 and 27 March 2018. The purpose of the inspection was to review compliance with the Act. On 1 May 2018, the FMA sent KVB a letter setting out its findings from the inspection. That letter identified, among other things, inadequacies in KVB’s transaction monitoring practices, and an under-resourced and inexperienced compliance team. The letter also highlighted a lack of transparency and clarity in KVB’s CDD methodology, and poor record-keeping systems.


5      Required under s 59(2).

6      The director to whom this statement is attributed disputes that he made the statement and has sought to file an affidavit in this proceeding. For the purposes of the penalty hearing, the identity of the director making the statement is irrelevant. It only matters that a director did make the statement as alleged, and as recorded, in the agreed statement of facts. I have not had regard to the content of the affidavit in fixing the pecuniary penalty.

[16]   A notice under s 132 of the Act was sent at the same time. That notice required KVB to produce certain records and documents. Two further notices were issued under s 25 of the Financial Markets Authority Act 2011 in May and July 2019, with a final s 25 notice issued on 19 November 2019.

[17]   Some of the documents sought were provided by KVB. However, it was unable to respond in full because it could not get access to its records and customer information which were held by a third party. That third party refused to provide access to the documents. KVB’s parent company commenced litigation against the third party in Hong Kong and was successful in obtaining an order preventing the destruction of its records. Substantive proceedings were filed soon after and were not resolved as at the date of the hearing in this Court.

[18]   The FMA issued legal proceedings on 23 June 2020. The four civil liability acts relate to transactions undertaken by 10 different customers, totalling approximately NZD 49.5m. Of this amount, approximately NZD 40.8m relates to deposits made by two customers.

[19]   KVB accepts that it has not complied with its obligations under the Act and it has cooperated with the FMA to seek to resolve the proceeding.

Statutory framework

[20]   The Act was passed in 2009 but did not come into force until 2013. Section 3 sets out the following purposes of the Act:

(a) to detect and deter money laundering and the financing of terrorism; and

(b) to maintain and enhance New Zealand’s international reputation by adopting, where appropriate in the New Zealand context, recommendations issued by the Financial Action Task Force; and

(c) to contribute to public confidence in the financial system.

[21]   The Act imposes obligations on reporting entities. These were summarised by Toogood J in Department of Internal Affairs v Ping An Finance (Group) New Zealand Company Ltd (Ping An) as follows:7

(a) Subpart 1 addresses customer due diligence obligations which must be observed before a reporting entity can carry out a transaction for that customer, prescribing a hierarchy of standards (simplified, standard and enhanced) depending on the nature and circumstances of the customer.

(b) Subpart 2 places a statutory duty on a reporting entity to convey to the Commissioner of Police information that comes to its attention in respect of which it has reasonable grounds to suspect it may be relevant to the investigation or prosecution of money laundering, or the enforcement of the Misuse of Drugs Act 1975, the Terrorism Suppression Act 2002, the Proceeds of Crime Act 1991, or the Criminal Proceeds (Recovery) Act 2009.

(c) Subpart 3 specifies that reporting entities must keep records relating to every transaction, with strict requirements of details to allow the ready reconstruction of transactions and the identification and verification of the persons involved.

(d) Subpart 4 provides that every reporting entity must have a compliance programme and a compliance officer and sets minimum standards for such programmes.

[22]   The specific obligations in relation to each of the four civil liability acts at issue in this case are considered further on in this judgment.

[23]   Non-compliance with the Act’s requirements constitutes a “civil liability act”, as defined in s 78. Section 79 sets out the possible responses to a civil liability act. The imposition of a pecuniary penalty is the most serious of these responses.

Approach to fixing a penalty

[24]   Section 90 sets out the maximum pecuniary penalty for each of the civil liability acts. The maximum penalties relevant in this case are:

(a) failure to conduct CDD: $2m;

(b) failure to terminate existing business relationships when CDD could not be completed: $1m; and

(c) failure to keep records: $2m.


7      Department of Internal Affairs v Ping An Finance (Group) New Zealand Company Ltd [2017] NZHC 2363, [2018] 2 NZLR 552 [Ping An] at [21].

[25]   There is no statutory maximum for failure to report suspicious transactions/activity. In Ping An, Toogood J adopted a notional ceiling of $2m.8 It was set as a “practical guideline” but not as a court-legislated maximum.9 I adopt that approach.

[26]   Section 90(4) provides that in determining the appropriate pecuniary penalty, the court must have regard to all relevant matters, including:

(a) the nature and extent of the civil liability act; and

(b) the likelihood, nature, and extent of any damage to the integrity or reputation of New Zealand’s financial system because of the civil liability act; and

(c) the circumstances in which the civil liability act occurred; and

(d) whether the person has previously been found by the court in proceedings under this Act to have engaged in any similar conduct.

[27]   The approach to determining the quantum of a pecuniary penalty under the Act was set out in Ping An.10 It has been adopted in the four subsequent cases.11 Those steps are:

(a) Starting point. Assess the seriousness of the civil liability acts in order to set a starting point based on the seriousness of the non-compliance, and the aggravating and mitigating factors relating to it.

(b) Aggravating and mitigating factors. Consider aggravating and mitigating factors relating to the circumstances of the reporting entity, to determine whether these warrant imposition of a higher or lower penalty.

(c) Admissions and cooperation. Deduct from the starting point any admission of liability or cooperation with the authorities.

(d) Totality. Step back from the penalty and undertake a totality assessment by looking at the number of separate breaches to ensure there is no overlap between the penalties imposed for different types of non-compliance, and consider whether the total penalty imposed fairly and adequately reflects the overall extent of non-compliance.


8      Ping An, above n 7, at [86].

9      At [86].

10     At [88].

11     Department of Internal Affairs v Qian Duoduo Ltd [2018] NZHC 1887 [QDD]; Department of Internal Affairs v Jin Yuan Finance Ltd [2019] NZHC 2510 [Jin Yuan]; Department of Internal Affairs v OTT Trading Group Ltd [2020] NZHC 1663 [OTT]; and Reserve Bank of New Zealand v TSB Bank Ltd [2021] NZHC 2241 [RBNZ v TSB].

[28]   Other factors that may be relevant to the overall assessment include the extent to which the conduct was initiated or condoned by officers or senior management of the reporting entity, and whether steps were taken to ensure compliance with the Act, including policies and education of officers and employees.12

[29]   Deterrence and denunciation are important principles in fixing a pecuniary penalty. Toogood J in Ping An described deterrence as the “overriding objective”.13

[30]   At the time of the hearing, there had been four decisions imposing pecuniary penalties under the Act.14 Muir J had regard to the penalties set in each of the four decisions in Financial Markets Authority v ANZ Bank New Zealand Ltd (FMA v ANZ).15 Although that case involved a different statutory regime, the parties are agreed that the Judge’s summary of the penalty orders made is nevertheless relevant to this case. The Judge characterised the various penalties as falling along the following scale:16

(a) between 50 and 70 per cent of the available maximum for conduct involving:

(i) “serious, systemic deficiencies in complying with a multiplicity of obligations under the Act” in circumstances showing a disregard of the Act’s requirements.

(ii) long-term noncompliance with the Act, despite prior oversight and warnings from the Department of Internal Affairs and despite the company having had ample evidence that the transactions processed were suspicious.

(iii) “brazen” contraventions of the enhanced due diligence requirements occurring across a significant volume of transactions.

(b) between 25 and 33 per cent of the available maximum for conduct involving significant contraventions, but in circumstances which suggested that a defendant had made at least some attempt to comply with their obligations; and

(c) between 6 and 11 per cent of the available maximum for conduct involving inadvertent breaches by a company which was unaware that it was substantially noncompliant.


12     Ping An, above n 7, at [102]; and QDD, above n 11, at [27]–[28].

13     Ping An, above n 7, at [92].

14     Ping An, above n 7; QDD, above n 11; Jin Yuan, above n 11; and OTT, above n 11.

15     Financial Markets Authority v ANZ Bank New Zealand Ltd [2021] NZHC 399.

16     At [80] (footnotes omitted).

[31]   The judgment in Reserve Bank of New Zealand v TSB Bank Ltd (RBNZ v TSB) was delivered after the hearing and the parties did not have an opportunity to make submissions on it.17 A penalty of $3.5m was imposed in that case. The non-compliance arose under the Act but was different in kind to the civil liability acts in this case. The analysis regarding the quantum of discount for admissions and cooperation is of relevance, however, and is considered further at [86]–[88] of this judgment.

Starting point

[32]   The FMA submits that the global starting point should be $1.5m, or 21 per cent of the available maximum of $7m, calculated as follows:

(a) failure to conduct CDD: $600,000;

(b) failure to terminate existing business relationships when CDD could not be completed: $100,000;

(c) failure to report suspicious transactions/activity: $250,000; and

(d) failure to keep records: $550,000.


17     RBNZ v TSB, above n 11.

[33]   The FMA submits that this global starting point is consistent with the second category in FMA v ANZ which relates to conduct involving “significant contraventions, but … at least some attempt to comply with … obligations.”

[34]   KVB says that the overall starting point proposed by the FMA is too high. It says the breaches fall within, or slightly above, the third category of FMA v ANZ and the starting point should be no higher than $600,000, calculated as follows:

(a) failure to conduct CDD: $250,000;

(b) failure to terminate existing business relationships when CDD could not be completed: no separate penalty to be imposed as this civil liability act overlaps with the first;

(c) failure to report suspicious transactions/activity: $150,000; and

(d) failure to keep records: $200,000.

Failure to conduct customer due diligence

[35]   A reporting entity is required to conduct CDD in the following circumstances:18

(a) if the reporting entity establishes a business relationship with a new customer:

(b) if a customer seeks to conduct an occasional transaction or activity through the reporting entity:

(c) if, in relation to an existing customer, and according to the level of risk involved,—

(i) there has been a material change in the nature or purpose of the business relationship; and

(ii) the reporting entity considers that it has insufficient information about the customer:

(d) any other circumstances specified in subsection (2) or in regulations.


18     Anti-Money Laundering and Countering Financing of Terrorism Act, s 14.

[36]   Standard CDD requires a reporting entity to obtain verified information relating to the customer’s identity, the nature and purpose of the proposed business relationship, and sufficient information to determine whether the customer should be subject to enhanced CDD.19

[37]   Enhanced CDD is required in a variety of circumstances. Relevantly, it is required whenever a customer seeks to conduct a transaction through the reporting entity which is complex, or unusually large, or is part of an unusual pattern of transactions that have no apparent or visible economic or lawful purpose.20 It is also required whenever a suspicious activity report must be filed.21 In addition to standard CDD, enhanced CDD requires verified information relating to the source of the customer’s funds or wealth.22 Enhanced CDD must be carried out before establishing a business relationship or conducting the occasional transaction or activity, except in certain circumstances which are not applicable to this case.23

[38]   KVB admits failing to obtain standard CDD in relation to one customer in that it failed to obtain information regarding the nature and purpose of the proposed business relationship with that customer. The parties agree that this is an isolated breach.

[39]   The more serious breaches relate to failures to undertake enhanced CDD in relation to 12 transactions undertaken by the 10 identified customers. The 12 transactions ranged in value from approximately NZD 277,000 to NZD 34.9m. The total value of the 12 transactions was NZD 49.5m, with NZD 40.8m relating to two customers.

[40]   Standard CDD had been undertaken for these customers, and some requests were made in relation to some of the transactions (for example, source information was sought from five of the 10 customers). However, the failure to obtain any evidence of source of wealth or source of funds for some of the transactions, and the inadequate information obtained when it was sought, is particularly concerning.


19     Sections 15–17.

20     Section 22(1)(c). Ping An, above n 7, at [34].

21     Section 22A.

22     Section 23(1)(a).

23     Section 24(2) and (3).

[41]   The scale of the non-compliance is relevant to the gravity assessment. The breaches occurred in connection with 10 customers out of the 21,000 to 37,000 customers that KVB had each year. The total value of the non-compliant transactions (NZD 49.5m) is a fraction of the company’s annual transactions each year which had a gross value of up to NZD 652m per annum.

[42]   Mr McMullan submits that the non-compliance is likely to be more widespread and the sample of customer files and transactions must be treated as representative of KVB’s overall compliance with the Act.

[43]   That raises an issue about the process by which the non-compliant transactions were identified. The FMA identified half of the 10 customers as a result of information it received from third parties. The other five customers were selected from KVB’s October 2016 and June 2017 Unusual Transaction Reports provided to the FMA. The FMA did not have any reason to suspect there were compliance issues relating to those accounts at the time they were selected.

[44]   Using samples to measure the extent of non-compliance is a valid investigative technique. I accept that it is unrealistic to expect the FMA to interrogate every file held by a reporting entity. However, the number of files selected, and the process by which they were identified, is not adequate to treat the 10 customer files as representative of overall compliance. That does not mean, however, that it can be concluded that KVB was compliant in relation to all but a small handful of transactions. There is no evidence adduced by KVB to suggest that is the case.

[45]   If gravity were assessed solely on scale, then KVB’s non-compliance would be significantly less serious than the comparator cases. In Ping An, there was a failure to perform CDD in 1,569, out of 1,588, transactions worth $105.4m, and a failure to undertake enhanced CDD in 519 transactions. In Department of Internal Affairs v Qian Duoduo Ltd (QDD), the failures to carry out enhanced CDD were in relation to 796 transactions worth $120.7m. In Department of Internal Affairs v Jin Yuan Finance Ltd (Jin Yuan), the failures related to 55,097 transactions worth $278.5m. In Department of Internal Affairs v OTT Trading Group Ltd (OTT), despite $196m worth of transactions occurring during the relevant period, one of the reporting entities never undertook enhanced CDD.

[46]   However, the number and value of the non-compliant transactions are not the only factors to be taken into account in assessing the seriousness of the breach. The wider circumstances in which the breach occurred are also relevant.

[47]   Those circumstances include the fact that KVB had an AML/CFT assessment and compliance programme, AML/CFT policies, dedicated compliance officers and staff, and a subcommittee overseeing compliance with the Act. That makes KVB’s non-compliance with CDD requirements less serious than if it had none of these measures in place. However, the mitigating effect of those features is tempered by the following:

(a) KVB had previously received a formal warning in June 2014 from the FMA in relation to its AML/CFT programme. Despite improvements being made, a further letter sent from the FMA on 1 May 2018 identified various compliance issues including a lack of transparency and clarity in KVB’s due diligence methodology.

(b) The effectiveness of the RACC was also diminished by the executive directors involving themselves in matters of compliance. This interference included:

(i) A direction in June 2017 to suspend collecting information from customers on the source of wealth and source of funds while a decision was taken on the threshold which would trigger the requirement for enhanced CDD. Significantly, the business continued in the meantime.

(ii) One of the directors interfering directly with the account opening procedure for one of the customers by making representations as to the bona fides of the source of the customer’s funds or wealth.

(c) The resignation of two compliance managers over the relevant period due to disagreements between them and directors of KVB. The statement from one of the directors that a “bendier” compliance officer was required is particularly concerning.

(d) The correspondence chain for one customer indicates that, in the face of customer refusal to provide the information sought, KVB was willing to accept inadequate information, including objectively suspicious information, so as to retain that customer’s business.

[48]   Taken together these features suggest that KVB’s due diligence non-compliance was not inadvertent; did not arise out of any misunderstanding as to its obligations; or occur as a result of erroneous advice. If the extremely high value nature of two of the transactions (totalling NZD 40.8m) is added to the mix, then there is a clear inference that CDD requirements were subordinated to the continuation of KVB’s relationship with high worth customers.

[49]   This makes KVB’s non-compliance more serious than in QDD, despite the larger number and value of non-compliant transactions in that case. In QDD, Powell J found that the reporting entity had not intended to breach the Act, did not intend to maximise profit over compliance, and was acting in reliance on AML/CFT advisor recommendations at the time.24 I consider a starting point substantially higher than the $175,000 adopted in that case for a failure to undertake enhanced CDD is warranted in this case.

[50]   However, KVB’s non-compliance was not as serious as Ping An, Jin Yuan, or OTT. All those cases involved a greater volume of transactions, worth a higher value, and factors that indicated a complete disregard for compliance obligations. A starting point substantially less than the starting points adopted in those cases (between $1.3m and $1.4m) is warranted.


24     QDD, above n 11, at [59], [65] and [134].

[51]   Due diligence is the cornerstone of the AML/CFT regime. As Lang J observed in OTT, it is only through due diligence that the AML/CFT regime is able to safeguard New Zealand’s reputation in financial communities.25 Taking into account the nature and circumstances of KVB’s non-compliance, I adopt a starting point of $400,000.

Failure to terminate existing business relationships when customer due diligence could not be completed

[52]   Section 37 places a prohibition on establishing or continuing an existing business relationship, or carrying out occasional transactions if adequate CDD cannot be completed. The maximum penalty prescribed by the Act is $1m.

[53]   The FMA submits that a starting point of $100,000 should be adopted for this civil liability act. KVB says no penalty should be imposed as the conduct that underpins this civil liability act is the same conduct underpinning the failure to conduct CDD.

[54]   In support of KVB’s position, Ms Cooper QC submits that the requirements in s 37 flow directly from the Act’s CDD requirements. She says that it is the failure in relation to CDD that leads to a failure to terminate. She also places reliance on s 74(2) of the Act:

74 One penalty only rule

(2) If a person is or may be liable to more than 1 civil penalty under this Part in respect of the same or substantially the same conduct, civil penalty proceedings may be brought against the person for more than 1 civil penalty, but the person may not be required to pay more than 1 civil penalty in respect of the same or substantially the same conduct.

[55]   Ms Cooper emphasises that the one penalty rule does not require the conduct to be exactly the same, but only substantially the same. She says that the conduct underpinning the first and second civil liability acts meets this threshold.


25     OTT, above n 11, at [61].

[56]   This argument was accepted and applied in Jin Yuan.26 Woolford J adopted starting points of $1.3m for failing to conduct CDD, and $500,000 for entering into or continuing a business relationship where there was unsatisfactory evidence of identity. However, based on the one penalty rule in s 74, the Judge found the penalties would be conflated because they related to much the same conduct.27 The total effective penalty for both breaches was therefore set at $1.3m.

[57]   I agree with Ms Cooper that the two obligations are clearly linked. One follows the other. It is difficult to see how there could be a breach of the CDD requirements, if the business relationship was immediately terminated in compliance with s 37. On the other hand, the nature of the obligation imposed on the reporting entity is different. The CDD requirements oblige reporting entities to obtain certain information; the s 37 requirement obliges the reporting entity to terminate a relationship. Each obligation is provided for in a separate statutory provision and non-compliance constitutes a separate civil liability act for which there is a distinct statutory penalty. That all suggests that the conduct or act underpinning the statutory obligation is different.

[58]   The distinction is exemplified by considering the difference in culpability between a customer relationship that is terminated one month after it should have been, and one that is terminated a year down the track. The longer a customer relationship is allowed to continue where there has been inadequate CDD, the greater the AML/CFT risk. That difference in culpability suggests that the nature of the conduct underpinning s 37 is not always the same, or substantially the same, as the conduct underpinning the CDD requirements and may require separate recognition by way of separate penalty. Ultimately, the decision to apply the one penalty only rule, and the extent of the conflation of penalties, will necessarily be a fact-specific exercise.

[59]   In this case, the failure to terminate the relationship meant that further substantial transactions were undertaken on at least two occasions, some of which were also suspicious. On both these occasions, the relationships should have been terminated six months earlier. Although there is substantial overlap in the failure to undertake CDD, I consider a separate and distinct penalty is required to mark that particular conduct.


26     Jin Yuan, above n 11. The one penalty only rule was also applied in QDD, above n 11. However, QDD is of limited assistance in this case due to the different civil liability acts involved.

27     Jin Yuan, above n 11, at [41].

[60]   Assessed on a standalone basis, I would have imposed a penalty of $150,000 for this breach. But, given the interrelationship with the failure to conduct CDD, I adopt $50,000 as the starting point for this civil liability act.

Failure to report suspicious transactions/activity

[61]   The Act requires reports to be made in a specified form within three working days of forming the requisite suspicion.28 The touchstone for the reporting requirement is a “suspicious activity”, which incorporates the more limited definition of a “suspicious transaction” which existed prior to the amendment to the Act on 11 August 2017.29

[62]   A suspicious activity is where a person conducts or seeks to conduct a transaction through a reporting entity, and the reporting entity has reasonable grounds to suspect that the transaction or proposed transaction may be relevant to the investigation or prosecution of any person for money laundering, or for a criminal offence, or relevant to the enforcement of certain prescribed statutes.

[63]   The requirement was triggered in KVB’s case because the transactions were conducted through KVB, and it had reasonable grounds to suspect the transactions were relevant to a qualifying investigation or offence.

[64]   KVB breached this requirement on nine occasions. On six of those occasions, a suspicious activity report was not forwarded at all. Late reports were filed on three separate occasions: 13, 114, and 175 days late respectively.

[65]   The requirement to file a report within the prescribed timeframes is central to the detection and deterrence of money laundering and terrorism funding. Reports filed after the three-day timeframe make detection more difficult. The failure to file any reports at all, and the filing of reports more than 100 days late, are serious breaches of the Act’s requirements.

28     Anti-Money Laundering and Countering Financing of Terrorism Act, s 40(3).

29     Section 39A.

[66]   Aggravating that breach is the fact that one of the executive directors at the time tried to prevent a suspicious activity report being made on at least one occasion. That related to deposits made by one customer totalling USD 23.5m. Although a report was eventually filed (114 days late), the director’s conduct elevates the seriousness of KVB’s non-compliance.

[67]   Counsel agree that KVB’s conduct is not as serious as the breaches in Ping An and Jin Yuan. In Ping An, the reporting entity failed to file a single report in circumstances where 173 should have been filed. In Jin Yuan, the reporting entity forwarded 32 suspicious activity reports out of 25,988 transactions that occurred over the relevant period. There were also attempts to conceal certain accounts from the supervisor in that case. Penalties of $1.3m were imposed in each case for those breaches.

[68]   The FMA submits that a starting point of $250,000 should be adopted for this breach. KVB seeks a starting point no higher than $150,000. Having regard to the principle of deterrence, I adopt a starting point of $200,000, being 10 per cent of the notional maximum of $2m.

Failure to keep records

[69]   Record keeping is central to the Act’s purpose. Subpart 3 of pt 2 of the Act prescribes the way in which reporting entities are required to maintain records obtained for the purpose of compliance with the Act.

[70]   Specifically, KVB was required to keep for five years:

(a) records reasonably necessary to enable every transaction that is conducted through it to be readily reconstructed at any time;30

(b) records that enable the nature of the evidence used for CDD and verification to be readily identified at any time after a business relationship has terminated;31 and

(c) copies of reports made of suspicious activities.32

30     Anti-Money Laundering and Countering Financing of Terrorism Act, s 49.

[71]   Together, the requirements in subpt 3 require reporting entities to maintain records in such a way as to enable them to be viewed immediately on request, or within a reasonable time having regard to the request. That interpretation was endorsed in OTT, with Lang J finding that any “other interpretation would severely hamper the [supervisor’s] ability to monitor compliance with other aspects of the regime”.33

[72]   KVB has some, but not all, of the records required to enable transactions undertaken prior to August 2019 to be reconstructed at any time. Similarly, it has some, but not all, records that were reasonably necessary to enable the nature of the evidence used for customer identification (including the customer’s source of funds and/or wealth) and verification to be readily identified at any time. Significantly, KVB does not have any copies of reports of suspicious activities made between 11 August 2017 and August 2019.

[73]   I agree with Mr McMullan’s submission that KVB’s failure to maintain its records in such a way as to enable them to be viewed immediately on request, or within a reasonable time, represents a serious failure of its obligations under the Act. The lack of understanding about how its own records are stored aggravates that failure.

[74]   KVB accepts the non-compliance in this area but says the failures are due to a third-party service provider refusing to provide access to its own records. KVB has been forced to commence legal proceedings in Hong Kong in an effort to get them returned (as discussed at [17] of this judgment).

[75]   Reporting entities must ensure that arrangements with third parties allow them to meet their obligations under the Act. To that extent, KVB must take responsibility for its state of affairs. Nevertheless, the fact that the non-compliance is due to the acts of a third party, and all reasonable steps have been taken to obtain the documents, including filing legal proceedings, mitigates KVB’s non-compliance to some extent.

31     Section 50.

32     Section 49A.

33     OTT, above n 11, at [78].

[76]   These circumstances make KVB’s non-compliance less serious than in OTT. In that case, while both reporting entities did not entirely fail to keep the records required by the Act, no records at all were available for certain periods. Lang J adopted a starting point of $500,000 to reflect these factors and the degree of overlap with breaches of other obligations. I consider a starting point less than $500,000 is warranted in this case. But I also consider the breaches to be more serious than the unintentional breaches in QDD warranting a higher starting point than the $120,000 adopted in that case.

[77]   Standing back and considering the circumstances of this civil liability act in its entirety, I adopt a starting point of $350,000.

Aggravating and mitigating factors

[78]   The parties agree that there are no aggravating factors particular to KVB which require an uplift to the starting point.

Previous good character

[79]   KVB says it should get a discount for previous good character given it has not previously been found by a Court to have engaged in similar conduct.

[80]   Section 90(4)(d) of the Act requires a court to take into account whether a reporting entity has previously been found “by a court in proceedings under this Act” to have engaged in any similar conduct. Previous proceedings against a reporting entity for similar conduct would be an aggravating factor in determining penalty. But it does not follow that the absence of prior proceedings means a discount for previous good character is available.

[81]   In this case, KVB was issued a formal warning on 20 June 2014, and it was also required to undertake a special audit of its risk assessment and AML/CFT programme. Although the non-compliance highlighted in that notice was different in kind to the current civil liability acts, the fact of the notice is indicative of a sub-standard approach to compliance with the Act prior to the issue of this proceeding.

[82]   It is true that the conduct the subject of the notice was not determined by a Court, but nor was it challenged by KVB at the time. Indeed, the agreed statement of facts indicates that KVB responded by engaging Grant Thornton to undertake a special audit and, in late 2014, it represented to the FMA that it would demonstrate a strong risk and compliance culture. That representation was not realised, however, as the current proceedings show.

[83]   A discount for previous good character cannot be justified in light of that prior history and I decline to apply one.

Admissions of liability and cooperation

[84]   The parties agree that KVB has engaged constructively, resolved allegations against it and cooperated in reaching agreement relating to the factual basis for the breaches.

[85]   Mr McMullan proposes a discount of 20 per cent but submits that a discount of no more than 25 per cent is available in reliance on the Supreme Court’s decision in Hessell v R.34 That case concerns discounts for guilty pleas in the criminal field. Ms Cooper submits that Hessell is not relevant and the line of cases under the Commerce Act, where discounts of 30 per cent or more are applied for admissions of liability and cooperation, provide better guidance in this area.

[86]   In RBNZ v TSB, Mallon J referred to principles arising out of both Hessell and other civil regulatory cases (including those under the Commerce Act) in determining the quantum of discount to apply in that case.35 I follow Mallon J’s approach. That means that all principles are relevant and there is no cap at 25 per cent.


34     Hessell v R [2010] NZSC 135, [2011] 1 NZLR 607.

35     See RBNZ v TSB, above n 11, at [48]–[52].

[87]   The application of a discount recognises the savings in time and resource in avoiding a disputed hearing and reflects the public interest in that approach. Discounts of 25, 20 and 15 per cent were applied in RBNZ v TSB, QDD and Jin Yuan, respectively. I consider this case to fall somewhere between RBNZ v TSB and QDD. In the former, the 25 per cent discount reflected the reporting entity’s full cooperation, including agreement with the supervisor on the appropriate penalty. In the latter, there was agreement on everything but the penalty. And, as noted by Mallon J, the fact that the defendant had inaccurately represented the nature of its relationship with six money remitters meant that the cooperation was not as full as it was in RBNZ v TSB.36

[88]   In this case there has been an admission of liability, agreement to the statement of facts, and cooperation with the FMA. The only matter not agreed is the penalty, but there is no suggestion that KVB has made misrepresentations or misled the FMA. In light of the discounts applied in QDD and RBNZ v TSB, I apply a discount of 23 per cent for admissions of liability and cooperation.

Subsequent improvements in compliance

[89]   KVB has undertaken significant steps to strengthen its compliance with the Act and other regulatory obligations. They include:

(a) revisions to its AML/CFT programme and risk assessment which have been audited by a third party;

(b) hiring compliance staff who have completed AML/CFT training;

(c) putting in place new IT service arrangements; and

(d) installing an entirely new board of directors, including two new independent non-executive directors.


36     RBNZ v TSB, above n 11, at [46].

[90]   These steps do not, in and of themselves, warrant a separate discount. As Powell J observed in QDD, substantive compliance was what was required by the Act in any event.37

[91]   However, as Ms Cooper submits, these steps indicate that KVB’s admissions and cooperation with the FMA are genuine and not merely designed to secure a lesser penalty. To that end, these subsequent steps bolster the application of a 23 per cent discount.

Totality

[92]   The result of the above analysis is a pecuniary penalty of $770,000, constructed as follows:

(a) global starting point: $1,000,000 comprising:

(i) failure to conduct CDD: $400,000 (20 per cent of maximum penalty);

(ii) failure to terminate existing business relationships when CDD could not be completed: $50,000 (five per cent of maximum penalty);

(iii) failure to report suspicious transactions/activity: $200,000 (10 per cent of maximum penalty);

(iv) failure to keep records: $350,000 (17.5 per cent of maximum penalty);

(b) discount of 23 per cent for admissions and cooperation.

[93]   The global starting point already accounts for the overlap between the first and second civil liability acts. I do not consider a further adjustment to any of the starting points is required.


37     QDD, above n 11, at [162].

[94]   A penalty of $770,000 represents 11 per cent of the available maximum. This places KVB’s conduct at the very top of the third category of the scale set out in FMA v ANZ. Given the scale, nature and circumstances of KVB’s non-compliance, I am satisfied that this penalty accurately reflects the gravity of the breaches and reflects the principles of deterrence and denouncement. A further adjustment for totality purposes is not required.

Result

[95]   Judgment is entered against the defendant for the four civil liability acts and a pecuniary penalty of $770,000 is imposed.

[96]   By consent, the FMA is awarded costs on a scale 2B basis.


Edwards J