The Arrogance of Foster & Milroy

There is a particular type of non-compliance that keeps AML professionals up at night. Not the accidental oversight, not the under-resourced firm struggling to keep pace with regulatory change. It is the deliberate kind — where an entity knows its obligations, chooses to ignore them, and then actively resists scrutiny when investigators come knocking.

In April 2026, that scenario played out in a Hamilton courtroom when Foster & Milroy, a New Zealand law firm, pleaded guilty to criminal breaches of the Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act. The firm was fined NZ$60,000 — a figure modest in isolation, but significant in what it represents: the first criminal prosecution of a law firm for wilful obstruction of an AML/CFT supervisor in New Zealand (Department of Internal Affairs [DIA], 2026).

For lawyers, accountants, and fintechs working in compliance, this case is not just a news item. It is a lesson in the consequences of institutional arrogance, the psychology of defiance, and the role your vigilance plays in protecting a system that criminals actively seek to exploit.

What Happened: Three Years of Systemic Failure

Foster & Milroy's offending was not a one-off lapse. Between March 2022 and March 2025, the firm repeatedly failed to meet its legal obligations under the Act. The breaches, admitted in court, covered four distinct areas.

First, the firm failed to undertake a compliant risk assessment — the foundational document that every reporting entity under the AML/CFT Act must maintain to identify its exposure to money laundering and terrorism financing risks. Without this, there is no meaningful basis for any other compliance activity.

Second, Foster & Milroy failed to establish, implement, or maintain an AML/CFT compliance programme. This left no structured processes for customer due diligence or transaction monitoring. Clients could come and go — along with their funds — with no systematic scrutiny applied.

Third, the firm failed to maintain proper records. This is not a technical breach. Inadequate records hinder audits and suspicious activity reporting, and they make it functionally impossible to reconstruct what happened when investigators eventually arrive.

Fourth, and most seriously, Foster & Milroy wilfully obstructed the DIA investigators. The firm admitted wilfully obstructing an AML/CFT supervisor by refusing to respond to notices or providing only partial information.

This last point is the crux of the case. The first three failures might have been managed through civil enforcement — fines, compliance orders, remediation plans. The decision to obstruct investigators transformed a compliance failure into a criminal matter.

The Psychology of Defiance: When Arrogance Replaces Judgement

Why would a law firm — whose partners are officers of the court, bound by professional duties to uphold the law — choose to obstruct a regulatory investigation?

The answer, in most cases, lies not in overt criminality but in a particular form of professional arrogance. The belief that the rules do not quite apply with full force to a small firm. That regulatory notices can be managed with silence or selective responses. That a regulator will eventually lose interest and move on.

This mindset is more common than the profession likes to admit. Law firms, particularly smaller practices, can develop a sense of separateness from the bureaucratic compliance machinery that governs other sectors. They are sophisticated, legally trained, and accustomed to operating with autonomy. The AML/CFT Act, which brought legal professionals into its scope only from July 2018, can feel like an external imposition rather than a genuine professional obligation.

This is the trap. The decision to ignore notices and respond only partially to others was not passive neglect. It was an active choice — and one that the DIA characterised accordingly. DIA AML/CFT Director Serge Sablyak stated that the offending was "serious as it was prolonged, intentional and systemic."

The distinction matters. Prolonged means this was not a momentary lapse. Intentional means the firm knew what it was doing. Systemic means the failures were structural, not incidental. Together, those three words describe an institution that made a deliberate choice to operate outside its legal obligations for three years.

The Obstruction Typology: How Defiance Escalates Risk

For AML professionals, the obstruction element of this case deserves particular attention. It represents a distinct typology that compounds initial compliance failures in ways that can be difficult to reverse.

When an entity fails to maintain an AML programme, that is a compliance gap. When an entity then refuses to respond to regulatory notices, it signals something more troubling: either a fear of what the investigation will uncover, or a calculated bet that resistance will prove effective. Neither possibility is reassuring.

The practical effect of obstruction is to deny regulators visibility into the nature and extent of underlying risk. Criminals target businesses they believe have weak systems they can exploit, and law firms are particularly vulnerable because they are trusted. When a firm refuses to engage with supervisors, the regulator cannot assess whether that vulnerability has already been exploited. Suspicious transactions may have passed through client accounts. Due diligence may not have been performed on high-risk clients. The full picture remains opaque.

This is why obstruction invariably triggers escalation — from civil enforcement to criminal prosecution, as occurred here. The DIA was explicit about this: "Where there is a pattern of non-compliance or deliberate attempts to obstruct or mislead, we take decisive action, whether through civil enforcement or criminal prosecution."

Foster & Milroy's partners likely understood that criminal prosecution carried consequences far beyond a financial penalty. Criminal convictions become matters of public record. They attract professional disciplinary scrutiny. They damage firm reputation in ways that no client communication can fully undo. The calculated decision to obstruct investigators — presumably intended to protect the firm — ultimately exposed it to far greater harm.

The Trust Exploitation Risk: Why Legal Professionals Are Targeted

The Foster & Milroy case did not involve any identified money laundering — no specific criminal proceeds, no identified predicate offence. The prosecution was for the compliance failures and the obstruction, not for facilitating crime. But this is precisely what makes the case instructive.

The danger of a law firm operating without AML controls is not hypothetical. It is structural. Lawyers remain a key frontline defence against financial crime — but also a prime target for exploitation. "Criminals with money laundering in mind target businesses they believe have weak systems they can exploit," said Sablyak.

Law firms handle property transactions, manage trust accounts, facilitate company formations, and act in complex commercial matters. Each of these service areas is a recognised money laundering vector. The property sector alone is consistently identified in New Zealand's national risk assessments as high-risk for criminal proceeds placement. A firm without customer due diligence processes, transaction monitoring, or suspicious activity reporting capability offers criminals exactly the access they seek — with the additional advantage of professional legitimacy.

The AML/CFT Act recognised this vulnerability when it was extended to legal professionals. The obligation is not bureaucratic box-ticking. It is a recognition that law firms occupy a structurally important position in New Zealand's financial crime defences. When one firm opts out, that position is weakened for everyone.

Small Firm, Large Consequence: The Scale Consideration

The court took into account Foster & Milroy's size and financial capacity in setting the penalty at NZ$60,000. This calibration is appropriate — the AML/CFT Act's penalty regime is designed to be proportionate, not punitive beyond deterrent effect.

But the small-firm context cuts both ways. Smaller firms often lack the compliance infrastructure, dedicated compliance officers, and systematic monitoring that larger practices maintain. This creates genuine capacity constraints. It also creates an environment where compliance can drift without internal challenge — no partner review process, no compliance committee, no audit function to flag accumulating failures.

This is the structural vulnerability that the Foster & Milroy case exposes most clearly. The firm's offending was not the product of a single bad decision but of a culture — or an absence of one — in which AML obligations were not treated as core professional duties.

For other small and mid-sized firms across New Zealand, Australia, and the UK, the case serves as a direct mirror. The obligations are the same regardless of headcount. The risk of criminal exploitation is, if anything, greater at smaller firms with less oversight. And, as this case demonstrates, regulators are increasingly willing to pursue criminal prosecution when civil enforcement fails to achieve compliance.

The Regulatory Signal: New Zealand's Enforcement is Maturing

The Foster & Milroy prosecution is part of a broader pattern of escalating AML enforcement in New Zealand's professional services sector. New Zealand's AML/CFT framework, updated post-Financial Action Task Force critiques, mandates rigorous controls for reporting entities like lawyers. The DIA has demonstrated consistent willingness to move from civil penalties to criminal prosecution where the conduct warrants it.

This trajectory mirrors international enforcement trends. In the UK, the Solicitors Regulation Authority has dramatically increased its enforcement activity against law firms for AML failures. In Australia, AUSTRAC's record-breaking penalties against major banks established that no institution — regardless of size or reputation — is beyond the reach of effective enforcement. New Zealand is following the same path at its own scale.

For AML professionals advising legal sector clients, the message is unambiguous. The days of treating AML compliance as an optional overlay on legal practice are over. The DIA has the powers, the appetite, and now the precedent to prosecute criminal non-compliance. A guilty plea to criminal charges is a reputational event of a different order from a civil penalty.

What Good Looks Like: The Compliance Framework That Protects

The four failures admitted by Foster & Milroy describe, in reverse, the minimum compliance architecture that every law firm must maintain.

A compliant risk assessment identifies the specific money laundering and terrorism financing risks the firm faces — by client type, service area, geographic exposure, and delivery channel. For a Hamilton general practice, those risks will differ from an Auckland commercial firm, but they are never zero.

An AML/CFT programme translates the risk assessment into operational processes: customer due diligence at onboarding, enhanced due diligence for higher-risk clients, ongoing transaction monitoring, and suspicious activity reporting procedures. Without this programme, there is no systematic mechanism for identifying the unusual transaction or the client whose source of funds does not withstand scrutiny.

Proper records provide the audit trail that makes both internal review and regulatory supervision possible. They are not an administrative luxury. They are the evidentiary foundation for every compliance decision the firm makes.

And engagement with supervisors — responding fully and promptly to regulatory notices — is not merely a legal obligation. It is the professional behaviour expected of partners who are, by virtue of their admission to the bar, officers of the court.

Why Your Work Matters

Foster & Milroy's case is, at one level, about a small Hamilton law firm that chose defiance over compliance and paid a criminal penalty for it. At another level, it is about something more fundamental.

Every law firm, accountancy practice, and fintech that maintains robust AML controls makes it harder for criminals to find the weak link they need. The criminal playbook depends on identifying the gaps — the firm that skips customer due diligence, the conveyancer who does not question the source of funds, the remittance business that looks the other way. Your professional vigilance directly narrows the space in which that playbook operates.

Criminals leverage trust by using law firms' broad range of services to conceal the proceeds of their offending. Disrupting that exploitation requires institutions that take their gatekeeping role seriously — not as an imposition, but as a core professional duty that protects clients, communities, and the integrity of the financial system.

The Foster & Milroy case demonstrates that deliberate non-compliance carries real consequences. It also demonstrates that regulators are watching, have the tools to act, and will use them. For the AML professionals who make that enforcement possible — through suspicious activity reports, through compliance programmes that actually work, through the unglamorous daily work of due diligence — this case is a reminder that your role in the system is indispensable.

The gateway that a compliant law firm represents is one that criminals cannot easily exploit. Keeping that gate closed is, ultimately, what this work is for.

References

Department of Internal Affairs. (2026, April 24). Law firm fined for anti-money laundering breaches [Press release]. https://www.dia.govt.nz/press.nsf/d77da9b523f12931cc256ac5000d19b6/53e91e5c6be46ae2cc258de2007bd611!OpenDocument

1News. (2026, April 24). Hamilton law firm admits anti-money laundering breaches. https://www.1news.co.nz/2026/04/24/hamilton-law-firm-admits-anti-money-laundering-breaches/

LawFuel. (2026, April 24). Hamilton law firm fined $60K for AML breaches and obstruction. https://www.lawfuel.com/hamilton-law-firm-fined-60k-for-aml-breaches-and-obstruction/

Law News. (2026, April 24). Law firm pinged for AML/CFT breaches. https://lawnews.nz/misc/law-firm-pinged-for-aml-cft-breaches/

BusinessDesk. (2026, April 24). Hamilton law firm fined for money laundering offences. https://businessdesk.co.nz/article/law-regulation/hamilton-law-firm-fined-for-money-laundering-offences

Scoop. (2026, April 24). Law firm fined for anti-money laundering breaches. https://www.scoop.co.nz/stories/AK2604/S00581/law-firm-fined-for-anti-money-laundering-breaches.htm