Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

FINTRAC Identification Guidance


On July 10th, 2019, the final amendments to Canada’s anti-money laundering (AML) regulations were published in the Canada Gazette.  One of the welcomed changes that came into force immediately upon publication was related to identification. On November 14th, 2019, FINTRAC published guidance related to “Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation.” This is good news considering the range of identification methods has been broadened, and a step forward in digital identification methods. The updated methods are designed to make it easier to identify customers that are not physically present.

As defined under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), reporting entities have to identify their customers in certain situations (specific information on when customers need to be identified is outlined in FINTRAC’s guidance on “When to identify individuals and confirm the existence of entities”). The identification guidance outlines ways to verify the identity of an individual, and how to identify corporations or entities other than corporations (such as a partnership).

Identification Methods For Individuals

There are three ways in which an individual can be identified:

  • Government-issued photo identification method;
  • Credit file method; and
  • Dual-process method.

Government-Issued Photo Identification Method

Under this method, an organization can use an authenticvalid and current government-issued photo identification document, issued by either a federal, provincial or territorial government in order to be used to verify the identity of an individual. Foreign government-issued photo identification can be accepted if it’s equivalent to a Canadian document such as those listed in the guidance.

The photo identification document used to verify identity must:

  • indicate the individual’s name;
  • include a photo of the individual;
  • include a unique identifying number; and
  • match the name and appearance of the individual being identified.

If a customer is physically present, an organization can authenticate an identification document by looking at the characteristics on the physical document such as security features.

If the customer is not physically present, the authentication of the identification document must be determined by using technology capable of assessing the document’s authenticity. The guidance makes it clear that it is not sufficient to view a person and an identification document through video conference or similar. Meaning, a selfie while holding your driver’s license is not sufficient for identification purposes.

Whatever method is selected by an organization, the process to authenticate a photo identification document, and how the organization will confirm that it is authentic, valid and current, must be documented.

Credit File Method

Under this method, an organization can use valid and current information from a Canadian credit file to identify an individual.

The Credit File must:

  • be from a Canadian credit bureau (credit files from foreign credit bureaus are not acceptable);
  • have been in existence for at least three years; and
  • match the name, address and date of birth that the individual provided.

To rely on a credit file, the search must be completed at the time an organization is verifying the individual’s identity, and can be completed via an automated system or the use of a third party vendor.

When using the Credit File method, organizations must keep a record of the following information:

  • the individual’s name;
  • the date they consulted or searched the credit file;
  • the name of the Canadian credit bureau or third party vendor holding the credit file; and
  • the individual’s credit file number.

The guidance clarifies that sometimes information found within the credit file may contain variations of the name or address provided by a customer. In these cases, it’s up to the organization to determine whether the information in the credit file is a match to the information collected from the individual.

Dual-Process Method

Under this method, an organization can use valid and current information from two reliable sources. Under the dual-process method, an organization can verify an individual’s identity by referring to any two of the following options:

  • information from a reliable source that includes the individual’s name and address;
  • information from a reliable source that includes the individual’s name and date of birth; or
  • information that includes the individual’s name and confirms that they have a deposit account, credit card or other loan account with a financial entity.

In order to qualify as reliable, the sources should be well-known and considered reputable. There must be two sources providing the information, and the information cannot come from the individual whose identity is being verified, nor can it come from the organization doing the verification. For example, reliable and independent sources can be the federal, provincial, territorial and municipal levels of government, crown corporations, financial entities or utility providers.

A Canadian credit file can be used as one of the two sources required to verify the identity of an individual. so long as the credit file has been in existence for at least six months.

The organization must keep a record of the following:

  • the individual’s name;
  • the date they verified the information;
  • the name of the two different sources that were used to verify the identity of the individual;
  • the type of information consulted (for example, utility statement, bank statement, marriage licence); and
  • the number associated with the information (for example, account number or if there is no account number, a number that is associated with the information, which could be a reference number or certificate number, etc.).

Identification Methods For Organizations

The guidance details how to confirm the existence of a corporation, or an organization that is not a corporation. This can be done by referring to a paper or electronic record that was obtained from a source that is accessible to the public such as:

  • For corporations:
    • its certificate of incorporation;
    • a certificate of active corporate status;
    • a record that has to be filed annually under provincial securities legislation; or
    • any other record that confirms the corporation’s existence, such as the corporation’s published annual report.
  • For organizations that are not corporations:
    • a partnership agreement;
    • articles of association; or
    • any other record that confirms its existence as a legal entity.

If an organization refers to a publicly accessible electronic record to confirm the existence of a corporation or of an entity other than a corporation, a record must be retained including the corporation/entity’s registration number and the source of the electronic version of the record. If a paper record is used, a copy should be retained. At a minimum, for all organization types, an organization must collect and keep a record of the following:

  • their full legal name;
  • the organization’s structure;
  • the organization’s principal business;
  • the organization’s physical address; and
  • information about the organization’s directors and beneficial owners.

Other Identification Considerations

The guidance details how a domestic or foreign affiliate, an agent or a mandatary can be used to verify the identify of a customer. If this method is used, it is important for organizations to remember that, legally, they are responsible for verifying a customer’s identity, even though they are relying on someone else to do it. Organizations should obtain the identification information from the other entity and have a written agreement in place requiring the entity doing the identification to provide the identification verification as soon as feasible.

The guidance details how to identify children under 12 years of age (organizations must verify the identity of a parent, guardian, or tutor) and how to identify children between the ages of 12 and 15. For this age range, organizations can verify identity by using one of the prescribed methods to verify an individual’s identity and where not possible, relying on certain  information from the child’s parent, guardian, or tutor, and information that includes the child’s name and date of birth.

The guidance also reminds organizations that while the personal information that they are collecting is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information that is required to be included in reporting to FINTRAC does not have to be disclosed to the Office of the Privacy Commissioner of Canada. It is important that organizations remember that safeguarding is a key consideration for all personal information collected in the normal course of business.


The most significant change for identification standards is related to the Government-Issued Photo Identification Method. A wording change from “original” to “authentic”, that was found in the prior version of the regulations, now allows for scanned copies of documentation, so long as it can be authenticated. It is noteworthy that the guidance gives clarity to all methods that can be used. Where further clarity is warranted, organizations can contact FINTRAC for a policy position related to the identification guidance. This can be done free of charge by emailing This can also be done on a no-names basis by a lawyer or consultant on your behalf.

We’re Here To Help

If you have questions related to the identification changes, or need help updating your identification processes, you can get in touch using the online form on our website, by emailing us at, or by calling us toll-free at 1-844-919-1623.

2019 AML Updates – Redlined Versions

The following red-lined versions have been created to reflect the changes to Canadian anti-money laundering (AML) regulations published in the Canada Gazette on July 10th, 2019.  A redlined version of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), reflecting the changes published in Bill C-97 which received Royal Assent on June 21, 2019, is also included below.

These documents are not official versions of the regulations. Official versions can be found on the Government of Canada’s Justice Laws Website.


Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Please click the link below for a downloadable pdf file.



Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations

Please click the links below for downloadable pdf files.


PCMLTFR_July_2019_Redlined_Schedules Removed

Proceeds of Crime (Money Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations

Please click the link below for a downloadable pdf file.


Proceeds of Crime (Money Laundering) and Terrorist Financing Registration Regulations

Please click the link below for a downloadable pdf file.


Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations

Please click the link below for a downloadable pdf file.


Cross-Border Currency and Monetary Instruments Reporting Regulations

Please click the link below for a downloadable pdf file.



Need a Hand?

Whether you need to figure out if you’re a dealer in virtual currency, to put a compliance program in place, or to evaluate your existing compliance program, we can help. You can get in touch using our online form, by emailing, or by calling us toll-free at 1-844-919-1623.

Information Should Be Free!

Outlier has produced an open-source AML and CTF, and Privacy repositories of definitions, acronyms, and terminology that is free for whoever wants it.

Please feel free to provide contributions and/or feedback, as it would be greatly appreciated. We have already had three contributors!


About a year ago, we had a client who was interacting with the world of Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF) for the first time. They were aggravated by the amount of jargon, acronyms, and uncommon uses of certain commonly understood terms. An example is, a business relationship. Those of you that are relatively familiar with the AML space know a business relationship doesn’t mean what the rest of the world thinks it means. In Canada, in the AML context, it means something very different.

A Helping Hand

At the time, they wished for a simple reference point where they could easily find the meaning for different terms. Unfortunately, this entails combing multiple locations, including FINTRAC’s website, plus the Act and Regulations themselves. To make a long story short, there is no easy way. Fed up, they (not so) gently suggested that we (Outlier) fix this. Their idea was creating a GitHub repository.

For those unfamiliar with GitHub, it is a web-based hosting service for version control. It is mostly used for computer code, but has also been used to write and edit books. It offers access control and several collaboration features. A GitHub repository is where the code and/or information is maintained for a specific project. This process is fairly simple to someone who is a coder with years of experience working with GitHub. For myself, this was not so simple. A year later, almost to the day, the repository is created, open and available to the public. There is no need to be scared, you are able to comment and make suggestions without knowing how to code at all. If you can’t figure out how to provide commentary in GitHub, send it to use via email at with the subject line “GitHub Feedback.”

The Power of Collaboration

The (not so) gentle nudge meshed well with one of Outlier’s core beliefs: that information should be free. By collecting the information, housing it in GitHub, and making it available to anyone, we are able to provide free information to everyone who wants it. By making information free and public, it gives others the opportunity to make suggestions, add content, and improve the quality of the information.

What Happens When We Work Together?

By sharing this open-source project with the world, we are looking to empower anyone willing to be empowered. From the client who is interacting with the world of AML for the first time. To the seasoned-veteran who is looking for helpful resources. To the person who wants to provide their customer with a helpful resource. Take the information and do what you wish with it. If you would like to attribute Outlier, awesome! If not, that’s ok too. Our only request is this should never be provided for a fee.

Have a Question?

If you looked at the resource and are curious about how to make a contribution, please feel free to contact us anytime. Contributions can include anything from corrections and suggestions, to the addition of different jurisdictional definitions, specifically the European perspective.

This is not a solicitation (but we do get this request often), should you want to provide a tip in BTC or ETH, our addresses are listed below.

To open a channel with our Lightning Node, our address is: 03acb418d5b88c0009cf07d31ec53d0486814bc77917c352bd7e952520edf7bf3c@

or you can use Tippin.Me.

bitcoin ethereum
33CdqJTw6jMWVBAveT9Ue3rPym8HPKKPow 0x03CDF23a2Eb070F2c79De5B2E6FB90671D3c70fE

FINTRAC Alert – Laundering the Proceeds of a Romance Scam

Quick Overview

On April 11th, 2019, FINTRAC published an Operational Alert issued in part with the Canadian Anti-Fraud Centre.  The information provided related to laundering the proceeds of romance scams and mass marketing fraud. The publication provided an explanation of what constitutes a romance scam, some common indicators that may be present and transaction patterns or flow of funds that may suggest fraud.

What Does it Mean?

The suspicious indicators provided by FINTRAC list circumstances or activities that might signal potential cases of individuals caught in a romance scam or the subject of a mass marketing fraud.  This does not mean that if one or more of the indicators are present that the transaction is definitely suspicious and must be reported to FINTRAC. It is meant to ensure that you are aware of the potential that suspicious activity may be taking place.  In that context, if you are involved in customer’s transactions, whether on the front lines or in back office, you must be aware of the indicators in the alert.  If you do encounter a transaction that may be considered unusual, you should attempt to collect additional information that will aid in the Compliance Officer’s decision to report it or clearly document why it was not considered suspicious. Where the Compliance Officer makes the decision to report the transaction to FINTRAC as suspicious, be sure to include “Project CHAMELEON” or “#CHAMELEON” in Part G—Description of suspicious activity in the STR. This will help to facilitate FINTRAC’s disclosure process.

What Now?

In order to ensure familiarity for anyone who interacts with customers and their transactions, the list of FINTRAC’s indicators should be included in your ongoing AML compliance training program.  Furthermore, the indicators should also be included in your procedure manuals, allowing easy access to the information.  Finally, the indicators should be incorporated into your Risk Assessment documentation.  Specifically, when determining customer risk and the controls used to effectively mitigate potential risks.

We’ve made it easier for you to integrate this content into your program by putting the indicators in a Word document for you.

Need a Hand?

Outlier has taken the list of indicators provided by FINTRAC and formatted them into an easy to use Microsoft Word document, which can be found here.  This should allow companies to easily update their documentation and ensure they are sufficiently monitoring for potential instances of romance scams or mass marketing fraud. If you aren’t sure what to do with this information and would like some assistance, please feel free to contact us.

Meaningful Consent

Meaningful Consent

The Office of the Privacy Commissioner of Canada’s Guidelines for obtaining meaningful consent became effective on January 1, 2019. The new guideline builds on examining the current state of consent in Canada (see Background section below), and is meant to assist businesses in distinguishing between those things an organization “must do” to obtain meaningful consent, and those things an organization “should do” related to consent.

The guideline is comprised of seven guiding principles for obtaining meaningful consent. These are:

  1. Emphasize key elements (What personal information is being collected, with whom personal information is being shared, for what purposes personal information is collected, used or disclosed and risk of harm and other consequences);
  2. Allow individuals to control the level of detail they get and when;
  3. Provide individuals with clear options to say ‘yes’ or ‘no’;
  4. Be innovative and creative;
  5. Consider the consumer’s perspective;
  6. Make consent a dynamic and ongoing process; and
  7. Be accountable: Stand ready to demonstrate compliance.

Consent – Must Dos

The new guideline lists out the following things an organization must do in order to meet their obligations related to consent:

  1. Make privacy information readily available in complete form, while giving emphasis or bringing attention to the four key elements (What personal information is being collected, with sufficient precision for individuals to meaningfully understand what they are consenting to, with what parties personal information is being shared, for what purposes personal information is being collected, used or disclosed, in sufficient detail for individuals to meaningfully understand what they are consenting to and risks of harm and other consequences).
  1. Provide information in manageable and easily-accessible ways.
  2. Make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service.
  3. Consider the perspective of your consumers, to ensure consent processes are user-friendly and generally understandable.
  4. Obtain consent when making significant changes to privacy practices, including use of data for new purposes or disclosures to new third parties.
  5. Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate, under the circumstances.
  6. Allow individuals to withdraw consent (subject to legal or contractual restrictions).

There are also requirements related to the form of consent and consent for children under the age of 13. 


The new guideline builds on previous publications examining the current state of consent.

In May 2016, the Office of the Privacy Commissioner of Canada (OPC) published a discussion paper exploring potential enhancements to the Personal Information Protection and Electronic Documents Act (PIPEDA). The paper asked organizations, individuals and other interested parties to provide comments related to key issues and potential solutions to the consent model as currently formulated.

On June 15, 2017 the Office of the Privacy Commissioner of Canada (OPC) published a report on qualitative public opinion research conducted with Canadians on the issue of consent under the PIPEDA. The purpose of the research was to understand Canadians’ opinions, attitudes, and concerns with respect to consent.

It was noted that the question of consent became a recurring theme in discussions and emerged as the key measure used by participants for assessing what are acceptable or not acceptable uses of personal information by companies. There was widespread agreement among participants that consent implies both understanding and acceptance of terms and conditions related to the collection and use of their personal information.

On September 21, 2017, the OPC also published their Report on Consent in their 2016-17 Annual Report to Parliament. The report outlined recommendations to address consent challenges posed by the digital age.

Keep In Mind

Consent is one of the foundational elements of PIPEDA. To ensure your organization is always meeting requirements related to consent, you should be able to answer yes (and evidence) the following questions from the OPC’s PIPEDA Self-Assessment Tool related to consent, regardless of the types of products or services you offer:

  • You obtain customer consent for any collection, use or disclosure of personal information.
  • If you don’t obtain customer consent for the collection, use and disclosure of personal information, you have determined that it is not required under s.7 of PIPEDA.
  • You make reasonable efforts to ensure that clients and customers are notified of the purposes for which personal information will be used or disclosed.
  • You do not require clients and customers to consent to the collection, use or disclosure of personal information beyond what is necessary to fulfill explicitly specified and limited purposes as a condition of supplying a product or service.
  • You assess the purposes and limit the collection, use and disclosure of personal information when it is required as a condition for obtaining a product or service.
  • You obtain consent through lawful and fair means.
  • You allow a client or customer to withdraw consent at any time subject to legal or contractual restrictions and reasonable notice.
  • You inform clients and customers of the implication of the withdrawal of consent.
  • You consider the sensitivity and intended use of personal information, and the reasonable expectations of clients and customers in determining which form of consent (implied or expressed) you will accept for the collection, use and disclosure of personal information.

It is important to note that evidence of consent should be retained in a manner that is easily retrievable and easily sortable.  

We’re Here To Help

If you have questions about this new guideline regarding your consent obligations under PIPEDA, or compliance in general, please contact us.

Mandatory Breach Reporting under PIPEDA

Back in late 2017 we published an article on breach reportingOn November 1, 2018, the new provisions to the Personal Information Protection and Electronic Documents Act (PIPEDA) related to breach of security safeguards along with the Breach of Security Safeguards Regulations came into force.

The regulations require organizations to report to the Office of the Privacy Commissioner (OPC) and affected individuals, any breach of security safeguards involving personal information under its control, if it is reasonable to believe the breach creates a “real risk of significant harm”. Failure to report a breach is punishable by a fine of up to CAD 100,000.

On October 29, 2018, the OPC published the final guidance intended to assist organizations with the Breach of Security Safeguards Regulations. The guidance provides direction on how organizations can assess whether a breach creates a “real risk of significant harm” (the guidance provides a non-exhaustive list of the types of harm that will be considered significant) and provides a breach report form that organizations may use to report a breach to the OPC.

We’re Here To Help

If you have questions regarding how your organization will be impacted by these requirements, or any questions related to privacy legislation in general, please contact us.

Outlier Is Hiring

Outlier Solutions Inc. (Outlier) is hiring for the position of Admin Assistant, Office Co-ordinator & Jack and/or Jill of All Trades.

Start-Up Life

While Outlier has been operating successfully for five years, we are still in many ways a start-up. As we grow, we need to add a team member to get/keep us organized. We’re experts at documenting processes for our clients, but we haven’t always been great at documenting our own processes. This puts us at risk of missing things as we grow – which is an ironic problem for a risk management company, isn’t it? This will begin as a part-time position with the potential to grow into a full-time position. Hours and working location are flexible (meaning that if you need to pick up the kids, go to class, or just flat out need to take a day to get things done you’ll be able to schedule around it).

Our virtual office is based in Toronto and our core team resides in Hamilton, Oakville and Markham. We sometimes meet in Hamilton, and this is likely to be the most convenient place for our ideal candidate to be located. We are looking for someone that reasonably close to this geographic area. A driver’s license is not required but is an asset (for the right candidate, we’d consider covering the cost of getting licensed, but it does mean that we’ll also send you out on missions that involve driving).

In terms of culture, we’re super geeky. We don’t expect you to know everything about compliance, AML, etc…. but it’s helpful if you think this stuff is interesting because we talk about it. A lot.

Check us out before you apply:


  • Act as the first point of contact for all clients and communicate in a professional manner
  • Answer and direct external phone calls, emails, and contact forms
  • Open, sort and distribute incoming correspondence
  • Point person for maintenance, mailing, shipping, supplies, equipment, bills, and errands
  • Organize office operations and procedures
  • Manage proposals, quotations and invoices for prospective and existing clients
  • Proofread, edit and format reports/documents to ensure accuracy and brand coherence.
  • Prepare operational reports and schedules to ensure efficiency in the team
  • Create, maintain and update General Calendar
  • Assist with coordinating events and meet-ups
  • Manage social media accounts and other marketing related activities
  • Arrange and coordinate travel logistics.
  • Perform other duties and assist with special projects as required


  • Excellent project and time management skills
  • Excellent communication and interpersonal skills, including the ability to write and present information in a clear and concise manner to a variety of audiences
  • Superior organizational skills and excellent attention to detail and ability to multitask
  • Ability to work both independently and as part of a team in a fast-paced environment
  • Ability to work under stress and meet deadlines
  • Ability to think creatively and solve problems
  • Proficient computer skills, including Microsoft Office Suite (Word, PowerPoint, and Excel); scheduling appointments

Other Stuff:

Location: Position is home based with some in-office/in-person meeting requirements (including in-person training).

Job Type: Part-time

Salary: 18$/hour

Experience: 2 years

Language: English fluently, French is an asset

How to Apply:

Please upload a CV and/or resume with a cover letter telling us, in your own words, why you think there is a good fit here.

All submissions received by close of business (5 pm ET) on September 19th will be considered.

While we’re grateful for all interest, only candidates selected for an interview will be contacted following submissions.

Why rich people don’t just open a bank…


It can be tough to open and maintain a bank account as a crypto-business. A policy of “derisking” (when banks avoid conducting business with customers perceived as being higher risk) leaves many crypto-businesses (and other MSBs) ill-served by the existing banking system.

A not-uncommon response to this reality (i.e. we’ve had this conversation enough times to deem it worthy of a blog post) is some variation of: “I’m a rich person! Why don’t I just open a bank?”

No doubt, this impulse comes from the admirably entrepreneurial spirit of our community. There’s a problem (lack of access to banking services), so let’s solve it.

But if you don’t have a background in compliance or banking and think that you’re “just” going to magically open your dream-crypto-paradise-bank… We’re here to advise you to slow your roll. We’re not saying you can’t do it… but here are some things you should consider. Knowledge is power.

Sidenote: We’re Canadian and these notes refer to Canadian processes. There are likely to be some differences in other countries, but we won’t know what they are. If you want to know, do the research. Let us know what you find if it’s interesting.

Opening a bank is expensive.

While you may think you have the cash to spare, opening a bank is expensive, and probably more expensive than you expect, both in terms of what you need to have in reserve, and what you’ll spend initially. We’ve heard the figure of $50m buy-in—which, by the way, does not guarantee you a charter.

You will spend money for years before you serve customers.

If you’re curious about where all those millions could possibly go, you’re going to get friendly* with an army of consultants, lawyers, and accountants over the next few years. (*And by friendly, we mean pay a lot of money to).

The process of getting issued a charter is lengthy (if you don’t believe us, you may enjoy perusing the 27-page long PDF guide from OFSI on the subject) and getting this process right means your investment will be whittled away by hiring people who can help navigate you through this labyrinth. You’ll also be spending money on employees, by the way, for years before you’ll ever have the privilege of serving a customer. Years. Plural.

Your team will spend a long time pleasing regulators before you’re operational.

Yes, even though you won’t be permitted to have customers for a long time, you will still need to assemble a team that can put together all of the elements of a bank into place. Your team will spend all of their time implementing processes, demonstrating to the regulator(s) that they’ve done so, and then tweaking these processes as the regulators require or request (in these instances, a request is really a politely stated requirement). If it’s any comfort, your employees will certainly be kept busy, even without customers.

You’re probably not going to be the CEO…

Despite making the decision to open a bank, you will likely not become the bank’s CEO, or even its COO. Senior management positions at banks require regulatory approval. Regulators are looking for you to have had a long history, at a senior level, in a bank or other federally regulated financial institution

… or even on the Board of Directors.

As with senior management positions, seats on the Board of Directors require regulatory approval. Even if you successfully jump through all the hoops required to start your bank, you will likely end up with little to no say in how it is ultimately run.

Well That’s Awkward!

There’s a noble sentiment behind the desire to “just open a bank” and solve the problems you see in the current banking system. But, the risks, effort, and returns are seldom well understood. In essence, opening a bank means making a substantial investment (in both time and money) in something that may one day become an asset (but may not). You can own the bank, but will likely not run it, despite the multi-year multi-million commitment you make. Even if you’re a wealthy investor with patient money, we’d suggest that you ought to be really passionate about setting up a bank if you want to embark upon this kind of endeavour.

What can you do instead?

So, if you’re not going to start a bank but are still frustrated by the banking system as it currently stands—what can you do instead?

Frankly, we need grassroots pressure to change the system we have. It’s important for us to have discussions with the gatekeepers (regulators, traditional banking institutions) for crypto business to get access to banking services. Part of the burden of being in this space is taking the time to educate those who control access to the resources we need. We’ve found that often even people with responsibility for developing policy related to bitcoin and other virtual currencies or tokens don’t fully understand it (and therefore its risk implications). While it may be frustrating to explain that it is possible to buy a fraction of a bitcoin to someone who we really think ought to understand this already, the more we can normalize crypto within the system, the more access we can hope to gain.

And while it can be difficult to speak out if you are a business who has been refused a bank account (or had your account shut down), we’d encourage you to share your experiences of trying to find banking services. Make a complaint to the institution. Share your story with the media (even if you don’t name the FI) or contact your political representatives. You can also, at the moment, contribute your feedback on the draft legislation on AML Regulations for “Virtual Currencies.” (See this blog post for more on how to do that). Exert pressure on the existing players.

But, of course… if you’ve decided you are passionate enough (and deep-pocketed enough) to start a truly crypto-friendly bank: more power to you and definitely let us know how you get on.

We’re Here To Help

If you have questions about virtual currency and regulation in Canada, or regulation in Canada in general, please contact us.

The new 5th EU AML Directive

Coming into force by January 2020.

The new 5th EU AML Directive followed the 4th EU AML Directive quite soon, driven by the rise of digital currencies, and following the scandal of the Panama and Paradise Papers. It has only been two years since the last EU AML Directive came into force, and the EU wants to reassure its citizens and businesses that they are at the forefront of developing financial crime issues.

This article should not be considered advice (legal, tax or otherwise). That said, any of the content shared here may be used and shared freely – you don’t need our permission. While we’d love for content that we’ve written to be attributed to us, we believe that it’s more important to get reliable information into the hands of community members (meaning that if you punk content that we wrote, we may think you’re a jerk but we’re not sending an army of lawyers).

So, what are the new main changes then?

The update takes aim at:

  1. Improving transparency on the real owners of companies and trusts by establishing beneficial ownership registers;
  2. Virtual currencies are now in scope of regulation for obliged entities;
  3. The anonymous use of E-Money products such as prepaid cards are now limited; and
  4. High-risk third countries due diligence check on transactions.

Other features include enhanced co-operation and information sharing among all EU Financial Intelligence Units to make data more accessible. The FIUs would also obtain more powers under the 5th AML Directive prior to filing for a request for information.

Centralised bank and payment account registers are to be set up and access would also be granted to FIU’s for easier information sharing.

It is fair to say that the full impact of the new Directive will not yet be known. However, firms are encouraged to prepare accordingly for these upcoming changes.

For the full text of the Directive and Factsheet please peruse the European Commission website here:

Need a Hand?

If you have questions about the 5th EU AML Directive, or AML & CTF compliance generally, please feel free to contact us.



AML Changes For The Real Estate Sector

Here We Go Again! Canada’s Proposed AML Changes for Real Estate Developers, Brokers and Sales Representatives


On June 9th, 2018, draft amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its enacted regulations (there are five separate regulations that we’re going to collectively call regulations here for simplicity’s sake). This article is intended to give a high-level summary of the proposed amendments as they relate to the real estate industry.

This article should not be considered advice (legal, tax or otherwise). That said, any of the content shared here may be used and shared freely – you don’t need our permission. While we’d love for content that we’ve written to be attributed to us, we believe that it’s more important to get reliable information into the hands of community members (meaning that if you punk content that we wrote, we may think you’re a jerk but we’re not sending an army of lawyers).

Finally, we want to encourage the community to discuss the proposed changes and submit meaningful feedback for policy makers. The comment period for this draft is 90 days. After this, the Department of Finance takes the feedback to the bat cave and drafts a final version of the amendments. From the time that the final version is published, the draft indicates that there will be 12 months of transition to comply with the new requirements.

What does this mean for my business?

While there are quite a number of proposed changes (the draft is about 200 pages in length), some are likely to have more of an impact on for real estate developers, brokers and sales representatives than others. We’ve summarized the changes that we expect to have the most impact below. Remember these are just proposed changes so there is no need to update your compliance material just yet.

What’s New?

Virtual Currency:

While there are not many proposed amendments that will introduce new requirements for real estate developers, brokers and sales representatives the draft regulations introduce reporting requirements for the receipt of CAD 10,000 or more of virtual currency. These basically are the same as large cash reporting obligations and will require reporting entities to maintain a large virtual currency transaction record.

The requirements for reporting and recordkeeping for virtual currency will be very similar to cash reporting requirements.

What existing requirements are changing?

24-hour rule:

The draft regulations clarify that multiple transactions performed by or on behalf of the same customer or entity within a 24-hour period are considered a single transaction for reporting purposes when they total CAD 10,000 or more. Only one report would need to be submitted to capture all transactions that aggregate to CAD 10,000 or more. For real estate developers, brokers and sales representatives this would apply to recipient of cash deposits. Specifically, this will apply to large cash transactions or CAD 10,000 or more. 


The draft regulations replace the word “original” with “authentic” and states that a document used for verification of identity must be “authentic, valid and current. This would allow for scanned copies of documentation and/or for software that can authenticate identification documents to be used for the dual process method for real estate developers, brokers and sales representatives that identify clients in a non-face-to-face manner. Another change, related to measures for verifying identity, is that the word “verify” has been replaced with “confirm” and “ascertain” has been replaced with confirm. What this will mean exactly is still unclear (FINTRAC will need to provide more guidance once the final amendments are released). We are hopeful that it will allow for easier customer identification – especially for customers outside of Canada.


There have been some changes to the details that must be recorded in records that real estate broker or sales representative must maintain. In particular, the draft regulations add the requirement that information records must contain details of every person or entity for which they act as an agent or mandatary in respect of the purchase or sale of real property. Under the existing regulations information related to the person or entity purchasing real estate only.

Risk Assessment:

Under current regulations, reporting entities are required to assess the risks associated with its business and develop a risk assessment specific to your situation. For real estate developers, brokers and sales representatives a risk assessment must address the following four areas:

  • Products, services, and delivery channels (to better reflect the reality of the real estate sector, this workbook will now only refer to services and delivery channels);
  • Geography;
  • Clients and business relationships; and
  • Other relevant factors

A proposed amendment would require all reporting entities to assess the risk related the use of new technologies, before they are implemented.  This has been a best practice since the requirement to conduct a risk assessment came into force, but this change would make this a formal requirement.

Suspicious Transaction Reporting:

Under current regulations if a reporting entity has reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering or terrorist financing, a report must be submitted to FINTRAC within 30 days of the date that a fact was discovered that caused the suspicion. The revised regulations add to this requirement by stating:

The person or entity shall send the report to the Centre within three days after the day on which measures taken by them enable them to establish that there are reasonable grounds to suspect that the transaction or attempted transaction is related to the commission of a money laundering offence or a terrorist activity financing offence.

This would require reports to be submitted to FINTRAC within three days after the reporting entity conducts an analysis that established reasonable grounds for suspicion.


The draft regulations introduce changes to reporting schedules, requiring more detailed information to be filed with FINTRAC then previously was required. This is in addition to including information that is marked as optional, if a reporting entity has the information. As it relates real estate developers, brokers and sales representatives these changes will impact attempted suspicious and suspicious transaction reporting, terrorist property reporting and large cash reporting. Some of the additional proposed data fields are:

  • every reference number that is connected to the transaction,
  • every other known detail that identifies the receipt (of cash for large cash transactions),
  • type of device used by person who makes request online,
  • number that identifies device,
  • internet protocol address (IP address) used by device,
  • person’s user name, and
  • date and time of person’s online session in which request is made.

Such changes may be onerous for reporting entities, especially for transactions that are conducted online.


Under current regulation, if real estate developers, brokers and sales representatives use agents, mandataries or other persons to act on their behalf, they must develop and maintain a written, ongoing compliance training program for those agents, mandataries or other persons. The draft regulations introduces an additional requirement in which there must be a documented plan for the ongoing compliance training program and delivering of that the training.

What’s Next?

If you’ve read this far, congratulations and thank you!

We hope that you will contribute your thoughts and comments. You can do this by contacting the Department of Finance directly. Their representative on this file is:

Lynn Hemmings
Acting Director General
Financial Systems Division
Financial Sector Policy Branch
Department of Finance
90 Elgin Street
Ottawa, Ontario
K1A 0G5

If you would like assistance drafting a submission, or have questions that you would like Outlier to answer, please get in touch!

Return to Blog Listing