A $60,000 Fine with a Bigger Message for Law Firms

A Hamilton law firm has been fined $60,000 after pleading guilty to criminal breaches of the AML/CFT Act.

The Department of Internal Affairs said Foster & Milroy failed to undertake a compliant risk assessment, failed to establish, implement or maintain an AML/CFT programme, failed to maintain proper records, and wilfully obstructed the AML/CFT supervisor.

DIA described the offending as serious, prolonged, intentional and systemic.

That is the part law firms should pay attention to.

This was not presented as a one off mistake or a technical gap in a policy document. The issue was that core AML/CFT obligations were not being met over a sustained period. The firm also failed to properly respond to the supervisor’s notices.

For law firms, the lesson is simple. AML/CFT compliance cannot just exist on paper. A risk assessment needs to reflect the work the firm actually does. The programme needs to show how those risks are managed. Records need to show what happened, what was considered and why decisions were made.

When those records are missing, it becomes very difficult to show that the firm’s AML/CFT framework is working in practice.

The obstruction finding is also significant. A weak or outdated AML/CFT programme can be fixed. Poor records can be improved. But failing to properly engage with the supervisor moves the issue into a different space. It becomes a governance issue, not just a compliance one.

Law firms occupy a position of trust. They deal with property, trusts, companies, estates, relationship property and client funds. These are ordinary legal services, but they can also be attractive to criminals looking to move, disguise or give legitimacy to funds.

That is why the AML/CFT framework matters.

The size of the fine may not be the biggest feature of this case. The bigger message is that DIA will look at the whole picture: whether the firm understood its risks, whether the programme was actually maintained, whether records were kept, and whether the firm engaged properly when the supervisor asked questions.

For law firms, this is a timely reminder to check the basics.

• Is the risk assessment current?

• Does the AML/CFT programme match the firm’s actual work?

• Are CDD decisions, risk ratings, EDD decisions and written findings properly recorded?

• Are DIA requests escalated and tracked?

• Do partners understand that AML/CFT responsibility cannot simply be left to one person?

AML/CFT compliance does not have to be overcomplicated, but it does have to be real.

A policy that is not implemented will not protect the firm.

A risk assessment that is out of date will not explain the firm’s current exposure.

A decision that is not recorded may be difficult to defend later.

And silence, when the supervisor is asking questions, can make a bad situation much worse.

The Foster & Milroy case is a reminder that AML/CFT compliance is not just about having the right documents. It is about being able to show that the firm’s systems are working when it matters.

Source: Department of Internal Affairs media release, 24 April 2026.