
When the Risk-Based Approach Stops at Onboarding: DIA Highlights Monitoring Gaps Across DNFBPs

  • Elaine Ramsay
  • Mar 14

In February 2026 the Department of Internal Affairs reported the findings of a review involving 30 Designated Non-Financial Businesses and Professions (DNFBPs).

The Department noted that while many reporting entities had risk assessments and AML/CFT programmes in place, most were not adequately implementing processes to monitor, examine and keep written findings for high-risk customers, activities or transactions.
Most DNFBPs sampled are not adequately implementing a process to monitor, examine and keep written findings for high-risk customers, activities or transactions.

DIA also signalled that monitoring of higher-risk situations is receiving increased supervisory attention during 2026.

For DNFBPs, the finding highlights a familiar implementation issue. Many firms have established the core elements of their AML/CFT framework, but the risk-based approach is not always carried through once the client relationship is underway.

Regulatory Signal

The Department’s observations suggest that most DNFBPs have implemented the structural components of the AML/CFT regime.

Typically this includes:

• a documented risk assessment
• an AML/CFT compliance programme
• customer due diligence procedures at onboarding
• a methodology for assigning customer risk ratings.

However, the review indicates that monitoring of higher-risk customers, activities and transactions is not consistently operationalised in practice.

This means that while risk may be identified at onboarding, the processes for examining and documenting higher-risk situations during the course of a relationship are not always clearly demonstrated.

DIA has noted that one way reporting entities may demonstrate compliance is by maintaining a register of high-risk customers, activities or transactions. Such a register records the reason for the examination, the findings of that examination, the actions taken and the outcome.

The purpose of such a record is not administrative. It provides evidence that monitoring and examination processes are being applied when risk increases.

The Legal Framework

The obligation to monitor customers and transactions is already embedded in the AML/CFT Act.

Section 31 requires reporting entities to conduct ongoing customer due diligence. This includes monitoring accounts and transactions and scrutinising activity to ensure it is consistent with what is known about the customer and the nature of the business relationship.

Where activity is examined, reporting entities must also keep written findings relating to that examination.

Section 57 further requires reporting entities to establish, implement and maintain an effective AML/CFT programme.

The AML/CFT Programme Guideline (October 2024), particularly paragraphs 115 and 116 and the accompanying Supervisors’ View, emphasises that higher-risk situations should trigger examination and documentation.

DIA’s February notice therefore does not introduce a new requirement.
Rather, it highlights weaknesses in how existing monitoring obligations are being implemented in practice.

Where Monitoring Often Breaks Down

Across DNFBP sectors, AML processes are often strongest at the point of onboarding.

Customer due diligence is completed, identity verification is obtained, and a risk rating is assigned to the customer or matter.

However, the monitoring requirement under section 31 is intended to operate throughout the business relationship.

Higher-risk situations can arise after onboarding for a variety of reasons, including:

• unusual or unexpected transaction activity
• changes in how transactions are funded
• the introduction of third parties into a transaction
• significant changes to ownership or control structures
• adverse media or other information emerging during the relationship.

In many cases staff may review such matters informally and satisfy themselves that the activity is legitimate.

However, if the examination and the reasoning behind the conclusion are not documented, it becomes difficult for the reporting entity to demonstrate that monitoring obligations have been met.

From a supervisory perspective, the issue is not whether the activity was considered internally, but whether the examination and findings can be evidenced.

What Supervisors Are Signalling

The Department’s findings suggest that monitoring is an area where the risk-based approach often weakens in practice.

Risk assessments and AML/CFT programmes may exist and onboarding procedures may be well established. However, the processes for examining higher-risk activity during the life of the relationship are not always clearly defined or consistently recorded.

This can lead to situations where:

• unusual activity is reviewed but not documented
• enhanced customer due diligence is not clearly triggered
• the reasoning behind a decision is not recorded
• consideration of suspicious activity reporting is not documented.

Where written findings are absent, reporting entities may find it difficult to demonstrate how risks were assessed and managed.

What This Means for DNFBPs in 2026

DIA has indicated that monitoring of higher-risk customers, activities and transactions is receiving increased supervisory attention.

During reviews and inspections, reporting entities may be asked to demonstrate:

• how higher-risk customers are monitored during the relationship
• what triggers examination of unusual or higher-risk activity
• where written findings are recorded
• how enhanced due diligence decisions are documented
• how suspicious activity reporting decisions are assessed.

Supervisory reviews increasingly involve asking reporting entities to walk through actual examples of higher-risk activity to understand how monitoring processes operate in practice.

For many DNFBPs, the challenge is not designing a monitoring framework. It is demonstrating that the framework described in the AML/CFT programme is actively used and documented in real situations.

Related Practical Guidance


This regulatory finding raises an important operational question for reporting entities: how should monitoring of higher-risk customers and transactions be implemented in practice?



Source: Department of Internal Affairs, Monitoring high-risk customers, supervisory notice published February 2026.


             © 2026 The AML Space | Christchurch, New Zealand
