It also said Sharesies didn't obtain sufficient information to determine whether certain customers should be subject to enhanced due diligence, and complete identity verification for up to 7815 customers who had an account balance of more than $1000 as part of standard due diligence.
The regulator said Sharesies must obtain information from all its current customers to show their reasons for using the platform and amend its onboarding process to capture this information in the future.
Other requirements included developing and implementing a process to complete identity verification at the time of the account application and provide training to staff on these processes. It must also obtain sufficient information from all customers who used the word "trust" in the application process and complete enhanced customer due diligence if they are trusts – a requirement under the legislation.
A further requirement includes adequately verifying the identity of all the affected customers and restricting withdrawals or transfers until those checks are completed.
The requirements are standard practice for AML/CFT reporting entities in completing customer due diligence, including why the person is transacting with a firm.
FMA director of supervision James Greig said the regulator welcomed the way online investing platforms have opened up the investing landscape in New Zealand.
However, he added it was essential for fast-growing businesses to ensure their compliance processes and policies keep pace.
"We have made this warning public because Sharesies' contraventions appeared to be symptomatic of a business that has grown quickly without ensuring fully effective processes and controls were in place for AML and CFT," he said.
"Sharesies has built a significant customer base over a short period and we consider there is a risk of the business being susceptible to money laundering if it continues with current practices. We do not consider the contraventions were deliberate."
Greig said Sharesies is cooperating with the FMA and has taken steps to update and strengthen its practices.
Sharesies chair Alison Gerry said the problems were found following a routine review in February.
"What the FMA has identified is ways in which we need to strengthen our customer identification practice. As soon as we became aware of the concerns raised, we immediately put in place a work programme to address each of the issues outlined."
At the FMA's request, Gerry said Sharesies now includes specific questions about the nature and purpose for which a customer plans to use the platform, rather than relying on a statement in the terms agreed by the customer.
The company has also completed enhanced due diligence on a "very small number" of customers which have since been identified as a trust. Sharesies does not currently support or encourage use of the platform by trusts, Gerry said.
For the nearly 8000 customers requiring stronger identity linking, Sharesies said it has been in contact with all to establish a clearer link between them and their identity documentation.
"More than half of the relevant customers have now completed the identification process," Gerry said.
Sharesies has undertaken independent AML/CFT audits since its inception, the latest of which identified areas for improvement but considered these were not material, the company said.
"While Sharesies has seen rapid growth over the last year, we have consistently invested in our compliance function over the years, in terms of both technology and human resources," Gerry said.
The warning was issued under section 80 of the AML/CFT Act, in which the FMA may issue a formal warning if there are reasonable grounds to believe a firm has engaged in conduct that constitutes a civil liability act.
If the actions required are not taken, civil or criminal enforcement action may be taken and may result in civil penalties of up to $200,000, for an individual, and $2 million, in the case of a body corporate. Criminal penalties can also include two years' imprisonment or a fine of up to $300,000, in the case of an individual, and $5 million for a body corporate.
"New Zealand's anti-money laundering laws have been in place for some time now and are designed to thwart criminals and maintain integrity in our financial system. It's essential that firms have the appropriate systems and controls in place," Greig said.
A recent FMA survey highlighted the rising popularity of online trading platforms. Those who used one to buy their shares were significantly more likely to be aged between 25-39, in full-time employment, and have an annual personal income of $100,000 or more.