Turning Monitoring into Practice: Aligning DNFBP Monitoring Processes with DIA Expectations
- Elaine Ramsay
- Mar 14
Recent commentary from the Department of Internal Affairs (DIA) has highlighted weaknesses in how Designated Non-Financial Businesses and Professions (DNFBPs) monitor higher-risk customers, activities and transactions.
In its February 2026 supervisory notice, DIA reported that while many reporting entities had risk assessments and AML/CFT programmes in place, most were not adequately implementing processes to monitor, examine and keep written findings for higher-risk situations.
For reporting entities, this finding does not introduce a new regulatory requirement. Rather, it reinforces obligations that already exist under the AML/CFT Act and the AML/CFT Programme Guideline.
The practical question for DNFBPs is therefore how monitoring processes should operate in a way that aligns with supervisory expectations.
What the AML/CFT Act requires
Monitoring obligations arise primarily under section 31 of the AML/CFT Act, which requires reporting entities to conduct ongoing customer due diligence.
This includes:
• monitoring accounts and transactions
• scrutinising activity to ensure it is consistent with what is known about the customer and the nature of the business relationship
• examining unusual or higher-risk activity
• keeping written findings relating to that examination.
Section 57 further requires reporting entities to establish, implement and maintain an effective AML/CFT programme.
DIA’s Programme Guideline (October 2024), particularly paragraphs 115 and 116 and the accompanying Supervisors’ View, emphasises that monitoring should be risk-based and that higher-risk situations should trigger examination and documentation.
The Department’s recent commentary suggests that while these obligations are generally understood, the processes for carrying them out are not always clearly implemented in practice.
What supervisors expect to see
DIA’s notice indicates that reporting entities should be able to demonstrate a clear process for:
Identifying higher-risk situations
Reporting entities should have defined triggers for when activity requires closer examination. These triggers should be linked to the reporting entity’s risk assessment and customer risk-rating framework.
Examples may include unusual transaction patterns, changes in transaction structures, the introduction of additional parties, or activity inconsistent with the expected nature of the relationship.
Examining the activity
Where higher-risk activity is identified, the reporting entity should examine the matter to determine whether it is consistent with what is known about the customer.
This examination may involve reviewing the customer file, considering the expected nature of the relationship, obtaining explanations or additional information from the customer, and reviewing relevant documentation.
The objective is to understand whether the activity can be reasonably explained within the context of the business relationship.
Recording written findings
A key issue identified in the Department’s review was the absence of written records explaining how higher-risk activity had been assessed.
Where activity is examined, reporting entities should record:
• the reason the activity was examined
• the information reviewed
• any additional enquiries made
• the conclusions reached
• any actions taken.
Recording the reasoning behind the decision is particularly important where the activity is ultimately assessed as legitimate.
Taking appropriate action
Depending on the outcome of the examination, the reporting entity may need to take additional steps.
These may include:
• applying enhanced customer due diligence
• updating the customer’s risk rating
• continuing to monitor the activity more closely
• considering whether suspicious activity reporting obligations are triggered.
The action taken should also be recorded.
Maintaining oversight of higher-risk situations


