Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

FINTRAC Identification Guidance

Background

On July 10th, 2019, the final amendments to Canada’s anti-money laundering (AML) regulations were published in the Canada Gazette.  One of the welcomed changes that came into force immediately upon publication was related to identification. On November 14th, 2019, FINTRAC published guidance related to “Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation.” This is good news considering the range of identification methods has been broadened, and a step forward in digital identification methods. The updated methods are designed to make it easier to identify customers that are not physically present.

As defined under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), reporting entities have to identify their customers in certain situations (specific information on when customers need to be identified is outlined in FINTRAC’s guidance on “When to identify individuals and confirm the existence of entities”). The identification guidance outlines ways to verify the identity of an individual, and how to identify corporations or entities other than corporations (such as a partnership).

Identification Methods For Individuals

There are three ways in which an individual can be identified:

  • Government-issued photo identification method;
  • Credit file method; and
  • Dual-process method.

Government-Issued Photo Identification Method

Under this method, an organization can use an authenticvalid and current government-issued photo identification document, issued by either a federal, provincial or territorial government in order to be used to verify the identity of an individual. Foreign government-issued photo identification can be accepted if it’s equivalent to a Canadian document such as those listed in the guidance.

The photo identification document used to verify identity must:

  • indicate the individual’s name;
  • include a photo of the individual;
  • include a unique identifying number; and
  • match the name and appearance of the individual being identified.

If a customer is physically present, an organization can authenticate an identification document by looking at the characteristics on the physical document such as security features.

If the customer is not physically present, the authentication of the identification document must be determined by using technology capable of assessing the document’s authenticity. The guidance makes it clear that it is not sufficient to view a person and an identification document through video conference or similar. Meaning, a selfie while holding your driver’s license is not sufficient for identification purposes.

Whatever method is selected by an organization, the process to authenticate a photo identification document, and how the organization will confirm that it is authentic, valid and current, must be documented.

Credit File Method

Under this method, an organization can use valid and current information from a Canadian credit file to identify an individual.

The Credit File must:

  • be from a Canadian credit bureau (credit files from foreign credit bureaus are not acceptable);
  • have been in existence for at least three years; and
  • match the name, address and date of birth that the individual provided.

To rely on a credit file, the search must be completed at the time an organization is verifying the individual’s identity, and can be completed via an automated system or the use of a third party vendor.

When using the Credit File method, organizations must keep a record of the following information:

  • the individual’s name;
  • the date they consulted or searched the credit file;
  • the name of the Canadian credit bureau or third party vendor holding the credit file; and
  • the individual’s credit file number.

The guidance clarifies that sometimes information found within the credit file may contain variations of the name or address provided by a customer. In these cases, it’s up to the organization to determine whether the information in the credit file is a match to the information collected from the individual.

Dual-Process Method

Under this method, an organization can use valid and current information from two reliable sources. Under the dual-process method, an organization can verify an individual’s identity by referring to any two of the following options:

  • information from a reliable source that includes the individual’s name and address;
  • information from a reliable source that includes the individual’s name and date of birth; or
  • information that includes the individual’s name and confirms that they have a deposit account, credit card or other loan account with a financial entity.

In order to qualify as reliable, the sources should be well-known and considered reputable. There must be two sources providing the information, and the information cannot come from the individual whose identity is being verified, nor can it come from the organization doing the verification. For example, reliable and independent sources can be the federal, provincial, territorial and municipal levels of government, crown corporations, financial entities or utility providers.

A Canadian credit file can be used as one of the two sources required to verify the identity of an individual. so long as the credit file has been in existence for at least six months.

The organization must keep a record of the following:

  • the individual’s name;
  • the date they verified the information;
  • the name of the two different sources that were used to verify the identity of the individual;
  • the type of information consulted (for example, utility statement, bank statement, marriage licence); and
  • the number associated with the information (for example, account number or if there is no account number, a number that is associated with the information, which could be a reference number or certificate number, etc.).

Identification Methods For Organizations

The guidance details how to confirm the existence of a corporation, or an organization that is not a corporation. This can be done by referring to a paper or electronic record that was obtained from a source that is accessible to the public such as:

  • For corporations:
    • its certificate of incorporation;
    • a certificate of active corporate status;
    • a record that has to be filed annually under provincial securities legislation; or
    • any other record that confirms the corporation’s existence, such as the corporation’s published annual report.
  • For organizations that are not corporations:
    • a partnership agreement;
    • articles of association; or
    • any other record that confirms its existence as a legal entity.

If an organization refers to a publicly accessible electronic record to confirm the existence of a corporation or of an entity other than a corporation, a record must be retained including the corporation/entity’s registration number and the source of the electronic version of the record. If a paper record is used, a copy should be retained. At a minimum, for all organization types, an organization must collect and keep a record of the following:

  • their full legal name;
  • the organization’s structure;
  • the organization’s principal business;
  • the organization’s physical address; and
  • information about the organization’s directors and beneficial owners.

Other Identification Considerations

The guidance details how a domestic or foreign affiliate, an agent or a mandatary can be used to verify the identify of a customer. If this method is used, it is important for organizations to remember that, legally, they are responsible for verifying a customer’s identity, even though they are relying on someone else to do it. Organizations should obtain the identification information from the other entity and have a written agreement in place requiring the entity doing the identification to provide the identification verification as soon as feasible.

The guidance details how to identify children under 12 years of age (organizations must verify the identity of a parent, guardian, or tutor) and how to identify children between the ages of 12 and 15. For this age range, organizations can verify identity by using one of the prescribed methods to verify an individual’s identity and where not possible, relying on certain  information from the child’s parent, guardian, or tutor, and information that includes the child’s name and date of birth.

The guidance also reminds organizations that while the personal information that they are collecting is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information that is required to be included in reporting to FINTRAC does not have to be disclosed to the Office of the Privacy Commissioner of Canada. It is important that organizations remember that safeguarding is a key consideration for all personal information collected in the normal course of business.

Conclusion

The most significant change for identification standards is related to the Government-Issued Photo Identification Method. A wording change from “original” to “authentic”, that was found in the prior version of the regulations, now allows for scanned copies of documentation, so long as it can be authenticated. It is noteworthy that the guidance gives clarity to all methods that can be used. Where further clarity is warranted, organizations can contact FINTRAC for a policy position related to the identification guidance. This can be done free of charge by emailing guidelines-lignesdirectrices@fintrac-canafe.gc.ca. This can also be done on a no-names basis by a lawyer or consultant on your behalf.

We’re Here To Help

If you have questions related to the identification changes, or need help updating your identification processes, you can get in touch using the online form on our website, by emailing us at info@outliercanada.com, or by calling us toll-free at 1-844-919-1623.

2019 AML Updates – Redlined Versions

The following red-lined versions have been created to reflect the changes to Canadian anti-money laundering (AML) regulations published in the Canada Gazette on July 10th, 2019.  A redlined version of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), reflecting the changes published in Bill C-97 which received Royal Assent on June 21, 2019, is also included below.

These documents are not official versions of the regulations. Official versions can be found on the Government of Canada’s Justice Laws Website.

 

Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Please click the link below for a downloadable pdf file.

PCMLTFA_July_2019_Redline

 

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations

Please click the links below for downloadable pdf files.

PCMLTFR_July_2019_Redlined_Full

PCMLTFR_July_2019_Redlined_Schedules Removed

Proceeds of Crime (Money Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations

Please click the link below for a downloadable pdf file.

PCMLTF_Suspicious_Transaction_Reporting_Regulations_July_2019_Redlined

Proceeds of Crime (Money Laundering) and Terrorist Financing Registration Regulations

Please click the link below for a downloadable pdf file.

PCMLTF_Registration_Regulations_July_2019_Redlined

Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations

Please click the link below for a downloadable pdf file.

PCMLTFR_Administrative_Monetary_Penalties_Regulations_July_2019_Redlined

Cross-Border Currency and Monetary Instruments Reporting Regulations

Please click the link below for a downloadable pdf file.

PCMLTFR_Cross-Border_Currency_and_Monetary_Instruments_Reporting_Regulations_July_2019_redline

 

Need a Hand?

Whether you need to figure out if you’re a dealer in virtual currency, to put a compliance program in place, or to evaluate your existing compliance program, we can help. You can get in touch using our online form, by emailing info@outliercanada.com, or by calling us toll-free at 1-844-919-1623.

Technology and Cyber Security Incident Reporting

The issue of cyber security incidents seems to continue to be a hot topic for regulators. Late last year, federal Breach of Security Safeguards Regulations came into force, which require organizations to report to the Office of the Privacy Commissioner (OPC), any breach of security safeguards involving personal information under its control where the breach creates a “real risk of significant harm”. Last week, The Office of the Superintendent of Financial Institutions (OSFI) published an advisory, Technology and Cyber Security Incident Reporting, which sets out OSFI’s expectations for Federally Regulated Financial Institutions (FRFIs) with respect to the reporting of technology and cyber security incidents. The advisory  becomes effective on March 31, 2019.

OSFI’s advisory defines a technology or cyber security incident as an event that has the “potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information”. The advisory goes on to give guidance on what a reportable incident may look like:

  • Significant operational impact to key/critical information systems or data;
  • Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
  • Significant operational impact to internal users that is material to customers or business operations;
  • Significant levels of system/service disruptions;
  • Extended disruptions to critical business systems/operations;
  • Number of external customers impacted is significant or growing;
  • Negative reputational impact is imminent (e.g., public/media disclosure);
  • Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
  • Significant impact to a third party deemed material to the FRFI;
  • Material consequences to other FRFIs or the Canadian financial system;
  • A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.

Unlike the Breach of Security Safeguards Regulation, which apply to all companies operating in Canada, OSFI’s advisory applies only to FRFIs. These include banks and insurance companies.

How Do the Reporting Obligations Differ?

Incidents that need to be reported to the OPC focuses on “a breach of security safeguards” involving personal information, where it is reasonable to believe that the breach creates a “real risk of significant harm” by assessing factors such as the sensitivity of the personal information involved, and the probability of misuse. Incidents should be reported as soon as feasible.

Incidents that need to be reported to OSFI focuses on operational impact to the integrity or availability of information systems. Items to be looked at include things such as service disruptions, as well as impacts to critical deadlines related to financial market settlement, payment systems, soundness of business etc. These incidents may or may not include personal information. The OSFI advisory does state one of the considerations for reporting is if the incident has been reported to the OPC. Incidents should be reported as soon as possible, but no later than 72 hours after determining an incident has occurred.

It is possible (even probable) that a FRFI would need to report an incident to both the OPC and OSFI. While organizations that are not FRFI’s are not required to report to OSFI, the advisory may still contain useful guidance in thinking about security, breaches, and best-practices for breach response.

Below is a comparison chart noting the differences (or similarities) between reporting obligations:

Breach of Security Safeguards Regulations OSFI Advisory
Who does it apply to?  All Organizations.  All Federally Regulated Financial Institutions.
Who is a breach reported to? The organization must report the breach to the OPC, but also notify affected individuals. The FRFIs must report the breach to its Lead Supervisor as well as TRD@osfi-bsif.gc.ca
When is a breach reported? As soon as feasible after the organization determines the breach has occurred. As soon as possible, but no later than 72 hours after determining an incident has occurred.
What type of breach is reported? A breach of security safeguards involving personal information where the breach creates a “real risk of significant harm”. Incidents that have a material operational impact to the integrity or availability of information systems.
What type of information must be included in the report? A description of the circumstances of the breach and, if known, the cause;

The day or the period in which the breach occurred;

A description of the personal information that was involved in the breach;

An estimate of the number of individuals impacted – where the breach creates a real risk of significant harm;

The steps that the organization has taken to reduce the risk of harm to the impacted individuals;

The steps that the organization has taken, or will take, to notify impacted individuals; and

The name and contact information of a person the OPC can liaison with.

Date and time the incident was assessed to be material;

Date and time/period the incident took place;

Incident severity and type (e.g. DDoS, malware, data breach, extortion);

A description of the incident (including known direct/indirect impacts, the number of clients impacted etc.);

Primary method used to identify the incident; 

Current status of incident;

Date for internal incident escalation to senior management or Board of Directors;

Mitigation actions taken or planned;

Known or suspected root cause; and

Name and contact information for the FRFI incident executive lead and liaison with OSFI. 

 

We’re Here To Help

If you have questions about this new advisory related to your reporting obligations for technology and cyber security incidents, or compliance in general, please contact us.

Return to Blog Listing


PROCESSING...