The Context
On 24 July 2025, the U.S. State Department announced a reward of up to $7 million for information on Sim Hyon-Sop, a North Korean national. In a related action, the Department of Justice moved to forfeit $7.74 million in laundered funds linked to his network. This is not a one-off crime story. It is a case study in how a state-level actor systematically weaponises the global financial system. Sim’s network—using tobacco smuggling, cryptocurrency theft, and fraudulent remote IT work—generated hundreds of millions of dollars a year for Pyongyang’s weapons programmes. The U.S. response was a coordinated action by State, Justice, and Treasury. This matters to you because the money flowed through ordinary correspondent banks and payment channels. If it can happen for North Korea, it can happen through any node in the financial web where compliance is treated as a cost centre rather than a control.
The Risk
Your exposure is not specifically to North Korean sanctions. It is to the systemic control failures that let a network like this operate. For a New Zealand director, the liability is twofold. First, under the Companies Act 1993, section 131 imposes a duty to act in good faith and in what the director believes to be the best interests of the company. Knowingly or negligently allowing the company to be used as a conduit for illicit finance is a clear breach of that duty. Second, the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 places explicit obligations on reporting entities. A failure in customer due diligence or transaction monitoring that facilitates sanctions evasion can attract civil penalties, and knowing or reckless breaches can attract criminal liability for senior managers. The U.S. action shows that investigators will follow the money trail to its endpoints. If your bank’s correspondent relationship or your fintech’s payment gateway was the weak link, you face not just reputational damage but potential personal liability.
The Control
Treat sanctions compliance as a strategic intelligence function, not a tick-box audit. Map your entire transaction ecosystem—correspondent banks, third-party payment processors, major clients—and pressure-test the controls at each hand-off point, since that is where illicit funds change hands and where screening is most likely to be skipped or trusted to the other party. Assume your adversaries are as well resourced as a nation-state. Your compliance team needs the budget and authority to deploy behavioural analytics and network-mapping tools that detect patterns of activity (structuring, layering across jurisdictions, linked accounts), not merely matches against lists of named entities. The board’s role is to demand evidence that the system works under attack, not just during an audit.
The Challenge
These are the critical questions you should be raising at the board table:

1. When was the last time we independently validated the sanctions screening and transaction monitoring controls of our key correspondent banking partners, and what were the findings?

2. Do our current AML/CFT resources and technology stack assume a lone criminal actor, or a well-resourced, state-sponsored network capable of obfuscating transactions across multiple jurisdictions?

3. What is our executive’s and board’s personal exposure if we are named in a foreign civil forfeiture action like the U.S. DOJ’s $7.74 million claim, and how is that risk mitigated?