ASB Penalty: When AML Controls Fail in Practice
- Elaine Ramsay

- Jun 24
- 2 min read
ASB has been ordered to pay $6.731 million, the largest AML/CFT penalty imposed in New Zealand to date, after admitting seven breaches of the AML/CFT Act.
Much of the media coverage has understandably focused on the size of the penalty and the billions of dollars in transactions involved. However, for AML practitioners, the more important lesson lies elsewhere.
The Court found that ASB's AML/CFT programme and transaction monitoring systems were inadequate for a prolonged period. This is an important distinction. Compliance failures do not always arise because a reporting entity has no policies or procedures. More often, they arise because controls are inadequately designed, inadequately implemented, or allowed to deteriorate over time.
The case raises a question that every AML Compliance Officer should be asking:
How do we know our controls are actually working?
Most reporting entities have a risk assessment. Most have a compliance programme. Most have documented procedures. The challenge is demonstrating that the controls described in those documents are operating effectively in practice.
The real warning from the ASB case is not that deficiencies existed. It is that they persisted for years.
That should prompt reporting entities to look beyond policies and ask:
Which controls are most critical to managing our AML/CFT risks?
How often are those controls tested?
What management information is reviewed to identify emerging issues?
How quickly would we know if a control began to fail?
Once identified, how quickly would the issue be escalated and remediated?
The most effective AML/CFT programmes are not those that never identify weaknesses. They are the ones that identify weaknesses early, escalate them appropriately, and address them before they become systemic failures.
For AML practitioners, that may be the most important lesson from the ASB case. The question is not whether your compliance programme exists.
The question is whether your organisation would know if it stopped working.





Comments