1. Legal and regulatory risks
Compliance burdens are growing for Not-For-Profits (NFPs) with more stringent and detailed regulatory requirements being introduced through new legislation (for example the Charities Amendment Act 2023, the Trusts Act 2019, and the Incorporated Societies Act 2022).
NFPs often need to balance compliance across different pieces of legislation, for example where they are both an incorporated society or charitable trust board and a registered charity.
NFPs must ensure that their legal and financial obligations are complied with, including filing financial reports on time, meeting auditing requirements, and following best practice policies that will not expose them to additional risks. This is especially relevant with the new requirements of the Incorporated Societies Act and the Charities Amendment Act.
Failure to meet legislative requirements can have serious potential consequences. Depending on the type of NFP, it may risk officer/trustee liability, loss of charity status, and/or de-registration.
What should your organisation do about it?
Officers/trustees and key personnel of NFPs must be aware of the structure of their entity and the legal and financial obligations that follow. Careful attention should be given to these obligations during drafting and amendment of governing documents, and officers/trustees should remain aware of their legal obligations and duties (for example trustee duties in respect of a charitable trust, and officer duties in respect of an incorporated society).
NFPs should have in place robust processes for keeping financial records, obtaining appropriate financial and legal advice (including an audit if required), and filing statements/returns on time.
2. Privacy and cybersecurity risks
NFPs often hold a large amount of personal information about their supporters as well as their own staff, members, and finances, some of which is likely to be sensitive in nature. Recent increases in phishing and cyber-attacks mean it is increasingly necessary for NFPs to maintain strong security protections and be vigilant about risk areas – both internally and in terms of any third parties they interact with.
The Privacy Act gives individual rights to access personal information held by organisations, such as NFPs, about them. Increasingly, other legislation adds additional information requirements, such as the Incorporated Societies Act 2022 which requires incorporated societies to retain personal information about their members and officers, and gives members rights to request access to society information.
What should your organisation do about it?
When it comes to protecting your data and privacy, prevention is key! It is vital to review your current processes to ensure that you have robust plans for privacy protection in place, including how to prevent and respond to privacy breaches or cyber-attacks.
Often organisations are not aware of privacy breaches or cyber-attacks until well after they have happened, which gives cybercriminals extra opportunity to cause harm and utilise the stolen data. It is essential that officers and employees are not only aware of the risks of poor privacy hygiene but also trained in how to recognise and respond to privacy breaches or cyber-attacks. Through regular training and maintaining robust protocols in the case of a breach or attack, NFPs can be keep on top of their compliance obligations and ensure that they safely handle personal information.
3. Governance failures
Governance failures relate to a wide span of operational and legal obligations undertaken by officers and personnel within a NFP organisation, and may include (among many other possibilities):
- breaches of trustee/officer obligations;
- financial mismanagement and/or poor financial decision-making;
- failure to identify and manage risks; and/or
- improper handling of conflicts of interest.
Failures within NFP governance can risk legal action against the organisation and potentially personal liability for trustees/officers. The NFP’s legal status may be at risk, as well as causing potentially serious damage to reputation.
What should your organisation do about it?
NFPs must ensure that any person in the position of governance or influence over the management and administration of the organisation is aware of and compliant with their legal obligations, including compliance with the organisation’s governing document.
Legislation applying to NFPs is increasingly seeking to define the scope of the ‘officer’ role to cover not only the governing group (e.g. the board or committee) but also other roles which exert influence over the organisation’s management. NFP governors must have a clear sense of who holds legal duties within the organisation, and how those duties are complied with.
4. Financial gain
A defining feature of a NFP is that financial gain is not a purpose for which the organisation exists. Prohibiting profit or personal gain of members, the people who run the organisation, and any other people is crucial to maintaining legal status (for example, incorporation as an incorporated society, and charity status). Failure to prevent financial gain can also damage the reputation of a NFP and have significant consequences for relationships with funders/sponsors, and the wider community.
What should your organisation do about it?
Ensure that the organisation’s governing document clearly prohibits profit or personal gain, and that the management and organisation of the NFP is carefully monitored by to prevent any financial gain other than what is permitted in the governing document or at law (e.g. honoraria, remuneration, paid staff).
5. Terrorism financing
NFPs are at risk of being abused to facilitate terrorism financing. This can occur in different ways depending on the nature of the NFP, for example being used to launder money, conceal proceeds of crime, or solicit false donations.
What should your organisation do about it?
Understand the risk of terrorism financing to your NFP. The extent of the risk will be impacted by the likely value of your NFP organisation’s activities to a terrorist entity, the type of activities your NFP carries out, where in the world it operates, and with whom it affiliates or partners. You should ensure that there are clear controls and processes in place to conduct ongoing risk assessments and appropriate due diligence (in line with New Zealand’s anti-money laundering legislation).
If you have any questions about the content of this article or would like further information, please contact a member of our not-for-profits & incorporated societies team.
Special thanks to Special Counsel Louisa Joblin for preparing this article.
Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.