Canadian reporting entities are required to conduct and document an effectiveness review at least every two years. This review must consider the completeness and effectiveness of the anti money laundering (AML) and counter terrorist financing (CTF) compliance program and include operational testing (testing what the organization is actually doing). For larger institutions, this is generally done as part of audit related testing. For federally regulated financial institutions (banks, trust companies, insurance companies, etc.) there is a requirement for the testing to be independent. For smaller companies that aren’t designated as federally regulated financial institutions, effectiveness reviews may be performed by staff members, consultants or by another organization. Deciding who should perform the review and what to spend can be challenging. No matter which option you choose for your business, your reviewer should be qualified and the final report should be comprehensive and signed-off by your management team within 30 days of the date that you receive the final version.
What Should The Report Look Like?
A comprehensive report means that the report tests both your documented program (policies, procedures, risk assessment and training). This means that the reviewer must read your documentation and comment on whether or not it meets the requirements for your business. Your operations (what you actually do) must also be tested. This should include customer identification, recordkeeping and FINTRAC reporting. The report should be specific about what testing was completed and how testing was conducted. The reviewer should be someone that understands Canadian AML and CTF requirements.
The report should be focused on facts; namely whether or not you’ve met the requirements. If requirements are not met, the report should be specific about what is missing. The final report should be a formal document that provides complete information to the reader. Your management team’s sign-off on the contents of the report must be documented. This can be in meeting minutes or in a simple document like this one.
Choosing A Reviewer
The reviewer that you choose will depend on your resources that you have, including your budget. It’s important to remember that no matter how much or how little you spend or the size of your business, the requirements are exactly the same. The reviewer should be someone that understands Canadian AML compliance requirements for your reporting entity type. If possible, it should not be a person that is directly involved in your compliance or operations.
Accountants and Consultants
There are a number of accounting and consulting firms (including Outlier) that can complete reviews. The price ranges will generally vary depending on the size of your business, the complexity of your business model, the size of the firm and the experience of the reviewer. If you are hiring a consultant to conduct your review, check out our guide to negotiating consulting agreements. You should ask the reviewers that you are considering:
- If they have conducted reviews for your reporting entity type before?
- If FINTRAC or any other regulator has had negative findings related to any of the reviews that have been conducted?
- Who will be working on your review?
- What references (especially from similar business types) the reviewer can provide?
- What the review process looks like? (Here you’re checking to be certain that the reviewer will be testing both your program and operations.)
Pros: You have a choice of reviewers (including reviewers with experience conducting reviews) and the ability to hire independent firms (not involved in your compliance program design or operations).
Cons: This is likely to be the most expensive option.
Colleagues & Competitors
You may choose to have a review conducted by a colleague or competitor. This option can work well if the companies have good relationships and are not concerned about sharing information that includes customer information. It is relatively common in some industries for Compliance Officers to have reciprocal agreements that allow them to perform reviews for one another. If you choose to have a review conducted by a colleague or competitor, you will want to consider:
- The confidentiality of your information, including customer information. Your agreement should contain a clause that states that this information will only be used for the purpose of the review and will not be shared within the colleague or competitor’s company.
- The experience of the reviewer (in particular if they have not previously conducted a review).
- Whether the reviewer’s company will allow them to conduct a review for a colleague or competitor.
- Who will be compensated for the review (you don’t want to get in a dispute with your reviewer and their employer over who should be paid and how).
Pros: The reviewer is likely to be familiar with the business processes and requirements that apply to your reporting entity types and there is the potential to conduct reviews for one another (reciprocal agreements) at little to no cost.
Cons: The reviewer may have less experience in conducting reviews and you may be reluctant to share business and customer information (required to complete testing) with a competitor.
You & Your Staff
You may choose to conduct a review internally, either on your own or with assistance from other staff members. This will require you to take a step back from your day-to-day work and consider it from a fresh perspective, which can be challenging. The larger your company is, the more likely it is that regulators and banking service providers will expect your review to be independent. However, as the least costly option, it can be worth considering if you are squeezed from a budget perspective and have the right experience to conduct the review and reporting on your own.
Pros: You know your company’s business model and requirements well and this option is likely the least costly.
Cons: You are directly involved in the company’s compliance program and operations, which may be viewed by a regulator or banking service provider as having the potential to bias your findings.
After Your Review
Your review should serve as a guide to help you improve your AML and CTF compliance program. It can be helpful to keep records of each finding, and the changes that you’ve made after the review. It’s important to remember that the review is a snapshot of your compliance at a particular point in time. Your reviewer cannot go back and change their findings based on changes that you’ve made after the review is complete. If you’ve made significant changes to your program or operations following a review, it can be useful to have a follow up review conducted (or to conduct your own internal testing) to demonstrate that the changes that you’ve made are working as expected.
Need a Hand?
Outlier has developed on-demand model documents for reporting entities. Our AML Compliance Review documents include:
- Working papers to record the testing as it takes place
- A report template to help you summarize your findings
- A guide for the reviewer that explains how to use the documents
You can buy these documents on this website under each reporting entity type. If the documents are not available for your reporting entity type yet, or you are looking for a consultant to conduct your review, please contact us.