Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

Don’t Share STRs or STR Data

Recently the Compliance Officer from a small reporting entity reached out to me to ask an uncomfortable question: should they provide copies of the Suspicious Transaction Reports (STRs) that they had filed with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to their financial services providers such as a credit union or bank?

This was a difficult situation for the reporting entity’s Compliance Officer because they were afraid of pushing back too much with the financial services provider. Like most non-bank reporting entities, they rely heavily on the services provided by the bank in order to be able to operate their business. Financial service providers, such as banks and credit unions, have the ability to close the accounts of businesses in Canada (often called de-risking), and it can be difficult for some types of reporting entities to establish new banking or payments relationships. The financial services provider in this situation has significantly more power than the reporting entity that is dependent on them.

My gut reaction was that the reporting entity should not disclose the contents of their STR reports, or provide copies. In Canadian legislation, disclosing the fact that an STR was made, or disclosing the contents of such a report, with the intent to “prejudice a criminal investigation” can be punishable as a criminal offence, with penalties of up to 2 years imprisonment (this is also known as “tipping off”). While there did not appear to be any intent to prejudice a criminal investigation in this case, it still seemed like a bad idea. I did a quick check-in with fellow AML geeks on LinkedIn. There are some great comments here, and I had a number of conversations in DMs and by phone. No one seemed to think that the reporting entity should be providing copies of STRs.

The question then became how to best empower the reporting entity to push back effectively. I submitted the following request to FINTRAC and to the Office of the Privacy Commissioner (OPC), both of which have mechanisms to allow Canadians and Canadian companies to ask the regulators to opine on matters free of charge:

One of our clients, a Canadian Money services business (MSB) has been asked by their financial services provider (bank/credit union) to provide copies of the suspicious transaction reports (STRs) and Attempted Suspicious Transaction Reports (ASTRs) that have been filed with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) on an ongoing basis. This struck us as being an overreach in terms of the information that should be disclosed to a service provider, and we are reaching out for an opinion on the appropriateness of these requests.

The financial service provider appears to be of the opinion that this is a reasonable request, and that they may close the MSB’s bank account if the STRs and ASTRs are not provided by the MSB.

I let both FINTRAC and OPC know that I had submitted requests to both. So far, only FINTRAC has responded. Their response is below in full (TL:DR: reporting entities should not share copies of STRs reported to FINTRAC).

Thank you for contacting the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Canada’s independent agency responsible for the receipt, analysis, assessment and disclosure of information in order to assist in the detection, prevention and deterrence of money laundering and the financing of terrorist activities in Canada and abroad.

I am writing further to your email of July 16th, 2020, wherein you requested clarification regarding the sharing of suspicious transaction reports (STRs) submitted to FINTRAC.

As you know, section 8 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) states that no person or entity shall disclose that they have made, are making, or will make a report under section 7, or disclose the contents of such a report, with the intent to prejudice a criminal investigation, whether or not a criminal investigation has begun.

The PCMLTFA sets out a regime in which the information contained in financial transaction reports sent to FINTRAC (including STRs) is protected from disclosure except in very limited circumstances. The Act also includes specific provisions aimed at protecting the personal information under FINTRAC’s control. For example, as you may be aware, the PCMLTFA is founded on a prohibition on disclosure (s. 55(1), PCMLTFA). Any disclosure of information or intelligence by FINTRAC must fall under one of the exceptions to this prohibition. Outside of these exceptions, FINTRAC is prohibited from disclosing the contents of financial transaction reports, or even acknowledging their existence.

While reporting entities (REs) are not subject to the same prohibitions, FINTRAC strongly believes that STRs should be regarded as highly sensitive documents, given the role FINTRAC plays in the fight against money laundering (ML) and terrorist activity financing (TF) in Canada, and the fact that STRs are a key source of FINTRAC’s intelligence holdings. From FINTRAC’s perspective, it is not in the public interest for REs to disclose financial transaction reports and the information contained therein. Even beyond this, the collection or disclosure of financial transaction reports, including STRs, without a valid purpose and authority, may infringe on legislated privacy protection obligations. Almost all information within financial transaction reports is personal information about an identifiable individual and is considered financial intelligence by

FINTRAC, collected for the sole purpose of reporting to FINTRAC. The potential harm that could occur from the disclosure of the information in these financial transactions reports is great, and includes compromising: (1) police and national security investigations that are both ongoing or could be undertaken in the future; (2) sources of the information/intelligence within the reports, placing those sources at risk of retaliation; and (3) FINTRAC’s compliance activities, given that data provided by REs is always provided in confidence and that confidence is expected to be maintained by all parties. FINTRAC relies on the information included within STRs to support disclosure of financial intelligence to police and other law enforcement and national security organizations, in the interest of detecting, preventing and deterring ML and TF.

Therefore, while your client (MSB) is not prohibited from sharing the STRs it has submitted to FINTRAC with its service provider (Bank/CU), unless it is with the intent to prejudice a criminal investigation, strong consideration should be given to the above.

If you would like a PDF copy of the complete question and policy position for your due diligence files, or to provide to an external party that is requesting copies of your STRs, or information about their content, you can download it here.

Response from FINTRAC – Re_ Sharing Copies of STRs_ASTRs

A version of this Q&A is also now posted on FINTRAC’s website (PI-10662).

The response from OPC, in contrast, was underwhelming. In essence, they will investigate specific complaints, but they will not issue advanced rulings. That said, if any service provider is insisting that copies of STRs must be shared with them, a complaint to the OPC may be an option.

Response from the Office of the Privacy Commissioner of Canada – INFO-084075

Need a hand?

If you have AML or privacy-related questions, we can help. You can get in touch using our online form, by emailing, or by calling us toll-free at 1-844-919-1623.

In Memoriam: Colleen P. Waddell

It is with great sadness that we inform you of the passing of Colleen P. Waddell. Colleen passed away on September 23, 2020. She was both a valued member of the Outlier team, and a friend to many Outlier ninjas and clients. She will be missed. 

Colleen’s funeral will be on September 28th, 2020:

Ely Funeral Home

3316 State Hwy 33

Neptune, NJ 07753

1 (732) 918-6650

Visitation: 10AM-12PM

Directly Following: Graveside Service at 12:30PM

Monmouth Memorial Park

In lieu of flowers, the family has asked for donations to be made to the Associated Humane Society – Popcorn Park Zoo. Colleen loved animals of all types, and this park close to where she grew up was quite special to her. Those who got to know Colleen’s sense of humour will also appreciate that the park is not operated by Carole Baskin.

To celebrate Colleen’s love of cryptoasset technology, memes, and dogs, Outlier will be sponsoring a Patas monkey named Dogo in her honour.

Regulations Amending the Regulations February 15, 2020- Redlined Versions

The following red-lined versions have been created to reflect the amendments to Canadian anti-money laundering (AML) regulations published in the Canada Gazette on February 15, 2020. You can also read our article “Amending the Amendments!” for a summary of the proposed changes by industry.

Redlined versions of all the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations are listed below for download.

These documents are not official versions of the regulations. Official versions can be found on the Government of Canada’s Justice Laws Website.

Regulations Amending the Regulations Amending Certain Regulations Made Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Please click the link below for downloadable PDF file.
Amending_the_Regulations_Amending_Certain_Regulations_Made_Under_the_Proceeds_of_Crime_July_2019 – Redlined_Feb_2020

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations

Please click the links below for downloadable pdf files.
PCMLTF_July_2019_Redlined_Full_July_2019 – Redlined_Feb_2020

Proceeds of Crime (Money Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations

Please click the links below for downloadable pdf files.
PCMLTF_Suspicious_Transaction_Reporting_Regulations_July_2019 – Redlined_Feb_2020

Proceeds of Crime (Money Laundering) and Terrorist Financing Registration Regulations

Please click the link below for a downloadable PDF file.
PCMLTF_Registration_Regulations_July_2019 – Redlined_Feb_2020

Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations

Please click the link below for a downloadable pdf file.
PCMLTF_Administrative_Monetary_Penalties_Regulations_July_2019 – Redlined_Feb_2020

Proceeds of Crime (Money Laundering) and Terrorist Financing Cross-Border Currency and Monetary Instruments Reporting Regulations

Please click the link below for a downloadable pdf file.
PCMLTF_Cross-Border_Currency_and_Monetary_Instruments_Reporting_Regulations_July_2019 – Redlined_Feb_2020

Need a Hand?

Whether you need to figure out if you’re a dealer in virtual currency, to put a compliance program in place, or to evaluate your existing compliance program, we can help. You can get in touch using our online form, by emailing, or by calling us toll-free at 1-844-919-1623.

Dealers In Virtual Currencies Can Pre-Register With FINTRAC

Last week, the Canadian Federal anti–money laundering agency, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), announced that money services businesses (MSBs) dealing in virtual currencies will be allowed to voluntarily register in advance of becoming reporting entities. All dealers in virtual currency (also referred to as cryptocurrency) are expected to register with FINTRAC by June 1, 2020.

The process of registration is relatively straightforward, beginning with a pre-registration form. In order to complete pre-registration, you simply need to provide full business and contact information. There is no cost to register an MSB with FINTRAC, although we’ve heard of several scams claiming that there is a fee. We also suggest that before you hire someone to assist, you try to complete the form on your own. 

To read more on the full registration details and all obligations that will apply to dealers in virtual currency beginning June 1, 2020, check out our blog 2019 AML Regulation Highlights for Dealers in Virtual Currency.

We’re Here To Help

Whether you need to figure out if you’re a dealer in virtual currency, put a compliance program in place, or evaluate your existing compliance program, we can help. You can get in touch using our online form, by emailing, or by calling us toll-free at 1-844-919-1623.

FINTRAC Identification Guidance


On July 10th, 2019, the final amendments to Canada’s anti-money laundering (AML) regulations were published in the Canada Gazette.  One of the welcomed changes that came into force immediately upon publication was related to identification. On November 14th, 2019, FINTRAC published guidance related to “Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation.” This is good news considering the range of identification methods has been broadened, and a step forward in digital identification methods. The updated methods are designed to make it easier to identify customers that are not physically present.

As defined under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), reporting entities have to identify their customers in certain situations (specific information on when customers need to be identified is outlined in FINTRAC’s guidance on “When to identify individuals and confirm the existence of entities”). The identification guidance outlines ways to verify the identity of an individual, and how to identify corporations or entities other than corporations (such as a partnership).

Identification Methods For Individuals

There are three ways in which an individual can be identified:

  • Government-issued photo identification method;
  • Credit file method; and
  • Dual-process method.

Government-Issued Photo Identification Method

Under this method, an organization can use an authenticvalid and current government-issued photo identification document, issued by either a federal, provincial or territorial government in order to be used to verify the identity of an individual. Foreign government-issued photo identification can be accepted if it’s equivalent to a Canadian document such as those listed in the guidance.

The photo identification document used to verify identity must:

  • indicate the individual’s name;
  • include a photo of the individual;
  • include a unique identifying number; and
  • match the name and appearance of the individual being identified.

If a customer is physically present, an organization can authenticate an identification document by looking at the characteristics on the physical document such as security features.

If the customer is not physically present, the authentication of the identification document must be determined by using technology capable of assessing the document’s authenticity. The guidance makes it clear that it is not sufficient to view a person and an identification document through video conference or similar. Meaning, a selfie while holding your driver’s license is not sufficient for identification purposes.

Whatever method is selected by an organization, the process to authenticate a photo identification document, and how the organization will confirm that it is authentic, valid and current, must be documented.

Credit File Method

Under this method, an organization can use valid and current information from a Canadian credit file to identify an individual.

The Credit File must:

  • be from a Canadian credit bureau (credit files from foreign credit bureaus are not acceptable);
  • have been in existence for at least three years; and
  • match the name, address and date of birth that the individual provided.

To rely on a credit file, the search must be completed at the time an organization is verifying the individual’s identity, and can be completed via an automated system or the use of a third party vendor.

When using the Credit File method, organizations must keep a record of the following information:

  • the individual’s name;
  • the date they consulted or searched the credit file;
  • the name of the Canadian credit bureau or third party vendor holding the credit file; and
  • the individual’s credit file number.

The guidance clarifies that sometimes information found within the credit file may contain variations of the name or address provided by a customer. In these cases, it’s up to the organization to determine whether the information in the credit file is a match to the information collected from the individual.

Dual-Process Method

Under this method, an organization can use valid and current information from two reliable sources. Under the dual-process method, an organization can verify an individual’s identity by referring to any two of the following options:

  • information from a reliable source that includes the individual’s name and address;
  • information from a reliable source that includes the individual’s name and date of birth; or
  • information that includes the individual’s name and confirms that they have a deposit account, credit card or other loan account with a financial entity.

In order to qualify as reliable, the sources should be well-known and considered reputable. There must be two sources providing the information, and the information cannot come from the individual whose identity is being verified, nor can it come from the organization doing the verification. For example, reliable and independent sources can be the federal, provincial, territorial and municipal levels of government, crown corporations, financial entities or utility providers.

A Canadian credit file can be used as one of the two sources required to verify the identity of an individual. so long as the credit file has been in existence for at least six months.

The organization must keep a record of the following:

  • the individual’s name;
  • the date they verified the information;
  • the name of the two different sources that were used to verify the identity of the individual;
  • the type of information consulted (for example, utility statement, bank statement, marriage licence); and
  • the number associated with the information (for example, account number or if there is no account number, a number that is associated with the information, which could be a reference number or certificate number, etc.).

Identification Methods For Organizations

The guidance details how to confirm the existence of a corporation, or an organization that is not a corporation. This can be done by referring to a paper or electronic record that was obtained from a source that is accessible to the public such as:

  • For corporations:
    • its certificate of incorporation;
    • a certificate of active corporate status;
    • a record that has to be filed annually under provincial securities legislation; or
    • any other record that confirms the corporation’s existence, such as the corporation’s published annual report.
  • For organizations that are not corporations:
    • a partnership agreement;
    • articles of association; or
    • any other record that confirms its existence as a legal entity.

If an organization refers to a publicly accessible electronic record to confirm the existence of a corporation or of an entity other than a corporation, a record must be retained including the corporation/entity’s registration number and the source of the electronic version of the record. If a paper record is used, a copy should be retained. At a minimum, for all organization types, an organization must collect and keep a record of the following:

  • their full legal name;
  • the organization’s structure;
  • the organization’s principal business;
  • the organization’s physical address; and
  • information about the organization’s directors and beneficial owners.

Other Identification Considerations

The guidance details how a domestic or foreign affiliate, an agent or a mandatary can be used to verify the identify of a customer. If this method is used, it is important for organizations to remember that, legally, they are responsible for verifying a customer’s identity, even though they are relying on someone else to do it. Organizations should obtain the identification information from the other entity and have a written agreement in place requiring the entity doing the identification to provide the identification verification as soon as feasible.

The guidance details how to identify children under 12 years of age (organizations must verify the identity of a parent, guardian, or tutor) and how to identify children between the ages of 12 and 15. For this age range, organizations can verify identity by using one of the prescribed methods to verify an individual’s identity and where not possible, relying on certain  information from the child’s parent, guardian, or tutor, and information that includes the child’s name and date of birth.

The guidance also reminds organizations that while the personal information that they are collecting is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information that is required to be included in reporting to FINTRAC does not have to be disclosed to the Office of the Privacy Commissioner of Canada. It is important that organizations remember that safeguarding is a key consideration for all personal information collected in the normal course of business.


The most significant change for identification standards is related to the Government-Issued Photo Identification Method. A wording change from “original” to “authentic”, that was found in the prior version of the regulations, now allows for scanned copies of documentation, so long as it can be authenticated. It is noteworthy that the guidance gives clarity to all methods that can be used. Where further clarity is warranted, organizations can contact FINTRAC for a policy position related to the identification guidance. This can be done free of charge by emailing This can also be done on a no-names basis by a lawyer or consultant on your behalf.

We’re Here To Help

If you have questions related to the identification changes, or need help updating your identification processes, you can get in touch using the online form on our website, by emailing us at, or by calling us toll-free at 1-844-919-1623.

2019 AML Regulation Highlights for Dealers in Virtual Currency

Back in June 2018, we published an article on proposed AML rules for dealers in Virtual Currency. On July 10th, 2019, updates to Canada’s anti-money laundering (AML) regulations were published in the Canada Gazette. There are three different “coming into force” dates (the dates on which the content of various updates become requirements for regulated entities). 

  • July 10, 2019: a small change in wording (from “original” to “authentic”) is good news for digital identification.
  • June 1, 2020: dealers in virtual currency must be registered as money services businesses (MSBs) and have AML compliance programs in place.
  • June 1, 2021: additional provisions, including reporting large virtual currency transactions.

This is a significant regulatory package with a lot of changes (the document is over 200 pages long). This article will cover the major points for dealers in virtual currency, but it’s important to remember that there is a lot of nuances and differences between business models. We recommend speaking to your local neighbourhood compliance geek about how to adapt to these changes (if you need a compliance geek, please get in touch).

It is also worth noting that tokens that are considered securities would not be considered virtual currencies. Securities and securities dealers were already regulated. If you’re not sure whether or not a token is a security, we recommend reaching out to a securities lawyer (if you need recommendations, please feel free to contact us). It is possible to be both a securities dealer and a dealer in virtual currencies, but if you are only looking for the changes pertinent to securities dealers, you will find those in another article.

Hefty Disclaimers & Sharing

This article should not be considered advice (legal, tax or otherwise). That said, any of the content shared here may be used and shared freely – you don’t need our permission. While we’d love for content that we’ve written to be attributed to us, we believe that it’s more important to get reliable information into the hands of community members (meaning that if you punk content that we wrote, we may think you’re a jerk but we’re not sending an army of lawyers).

Dealers In Virtual Currency

It’s important to start by understanding what’s being regulated. This is best done by considering some of the definitions that have been added to the regulation.

fiat currency means a currency that is issued by a country and is designated as legal tender in that country. (monnaie fiduciaire)

funds means

(a) cash and other fiat currencies, and securities, negotiable instruments or other financial instruments that indicate a title or right to or interest in them; or

(b) a private key of a cryptographic system that enables a person or entity to have access to a fiat currency other than cash.

For greater certainty, it does not include virtual currency. (fonds)

virtual currency means

(a) a digital representation of value that can be used for payment or investment purposes that is not a fiat currency and that can be readily exchanged for funds or for another virtual currency that can be readily exchanged for funds; or

(b) a private key of a cryptographic system that enables a person or entity to have access to a digital representation of value referred to in paragraph (a). (monnaie virtuelle)

virtual currency exchange transaction means an exchange, at the request of another person or entity, of virtual currency for funds, funds for virtual currency or one virtual currency for another. (opération de change en monnaie virtuelle)

In terms of who will be regulated, businesses (whether or not the business is incorporated) that conduct transactions on behalf of their customers, including:

  • Exchanging digital currencies for fiat currencies; and 
  • Exchanging between virtual currencies.

This would include custodial wallet services that hold customers’ private keys on their behalf, as well as exchanges, brokerages, and automated teller machines (ATMs). The requirements apply to foreign and domestically based businesses. The inclusion of foreign MSBs means that it won’t matter where your business is incorporated. If you are targeting your services to Canadians, you are expected to comply with Canadian rules and you will need to be aware of requirements as they apply to your Canadian customers.

One of the most important notes in our view is “These amendments serve to mitigate the money laundering and terrorist activity financing vulnerabilities of virtual currency in a way that is consistent with the existing legal framework, while not unduly hindering innovation. For this reason, the amendments are targeted at persons or entities engaged in the business of dealing in virtual currencies, and not virtual currencies themselves.” It is expected that there will be additional updates to the regulations, and community consultations. During these processes, this distinction should remain an important one.

Digital Identification and “Authentic” Documents

Canadian businesses, such as MSBs, that are regulated for AML purposes must identify certain customers either because there is an ongoing service agreement, an account, or because the customer performs specific types of transactions. In these instances, the methods used to identify customers are prescribed in the regulations. Previously, there was a requirement that any document that was used in identification processes be “original”. A narrow view was taken of the definition of the word original: the document itself, in whatever form it was issued. No scans, copies or other digital representations were permitted. This was a significant challenge in non-face-to-face environments.

Effective on publication of the updates, the word “original” has been replaced with “authentic”. It’s important to keep in mind that while this does allow for documents to be submitted in a myriad of digital formats, there will be an expectation that reporting entities do something in order to determine whether or not the document is authentic. The regulations are not prescriptive in terms of how this will be done. We expect that a number of different solutions, ranging from having a human review documents, to using AI to make risk-based determinations, will be valid. If there are processes that you aren’t sure about, it is possible to write to FINTRAC to request a policy interpretation. We expect that FINTRAC will release updated guidance on identification, and issue many subsequent policy interpretations as the landscape evolves.

For customers that were previously identified, there is an expectation that the customer is identified in accordance with the rules that were in place at the time. Unfortunately, this means that if a customer was identified before the updated regulations were published, and an electronic version of a document was used, the identification may not be considered complete. It will be important for businesses to assess the processes that were in place at this point in time in order to make an accurate determination of whether or not the standards were being met.

Registering as a Money Services Business (MSB)

Although the legislation has been published, Dealers in Virtual Currency are not yet able to register as money services businesses (MSBs) with FINTRAC, Canada’s federal AML regulator and financial intelligence unit (FIU). The process is relatively straightforward, beginning with a pre-registration form. 

The FINTRAC registration process is generally very efficient (taking two to four weeks in total). As part of this process, you must provide FINTRAC with complete information about your business, including:

  • Bank account information;
  • Information about your compliance officer;
  • Number of employees;
  • Incorporation information (if your business type is a corporation);
  • Information about your MSB’s owners and senior management, such as their name and date of birth;
  • An estimate of the expected total dollar amount of transactions per year for each MSB service you provide;
  • Detailed information about every branch; and
  • Detailed information about every Canadian MSB agent.

You are not required to have locations or offices in Canada in order to register as an MSB with FINTRAC. Once registered, the registration must be maintained and you must:

  • Keep registration information up to date;
  • Respond to requests for, or to clarify information, in the prescribed form and manner, within 30 days;
  • Renew our registration before it expires; and
  •  Let FINTRAC know if we stop offering MSB services to Canadians

SCAM ALERT: There is no cost to register an MSB with FINTRAC – although we’ve heard of several scams claiming that there is a fee. Please ensure that you are only registering through valid FINTRAC sites, which will contain “” in the url. If you have received a phishing email or other request to pay FINTRAC registration fees, we recommend reporting this to both the Canadian Anti-Fraud Centre and to FINTRAC directly.

All dealers in virtual currency are expected to register with FINTRAC by June 1, 2020.

Building or Updating Your Compliance Program

MSBs in Canada are required to have a documented AML compliance program in place. In all instances, when something is a requirement it’s not enough to have done something to meet that requirement. Both your process and what you’ve actually done in order to meet the requirement must be documented. An AML compliance program has these elements:

  1. Compliance Officer: this is the person who will be responsible for your AML compliance program. They should understand Canadian AML requirements, be relatively senior in your company (access to your Board and Management team is necessary), and sign up to receive updates from FINTRAC.
  2. Policies and Procedures: these are documents that describe what you are required to do, and how you will do it. The processes should be an accurate description of what you are actually doing and detailed enough that a new hire could follow them.
  3. Risk Assessment: this is a document that considers the risk that your business could be used to launder money and/or finance terrorism. FINTRAC has released detailed guidance for MSBs to help create this type of document.
  4. Ongoing Training: any staff (including part-time and temporary staff) that deal with customers, transactions, and systems must receive training on a regular basis (this is generally interpreted to mean at least annually). It’s fine to rely on an external vendor, but your training should also include training on your processes.
  5. AML Compliance Effectiveness Reviews/Audits: every two years, you must complete a formal review of the effectiveness of your AML compliance program and operations. This can be conducted internally or by an external vendor.

In addition, to your documented program, you will need to ensure you operate in a compliant manner which includes, registering with FINTRAC, identifying customers under certain circumstances (more on this under customer identification), collect know your customer (KYC) information, keep records, and report certain transactions to FINTRAC.

All dealers in virtual currency are expected to have compliance programs in place and operational by June 1, 2020.

Customer Identification and Collecting KYC Information

For dealers in virtual currency, customer identification and the collection of KYC information will be required where virtual currency exchange transactions valued at CAD 1,000 or more are conducted. This will include exchanging fiat for virtual currency, as well as exchanges between virtual currencies.

Customers must also be identified, where possible if there are reasonable grounds to suspect that a transaction is related to money laundering or terrorist financing. When a transaction is suspicious, there is no minimum value threshold for identification.

Identification in this context must be completed in specific ways, each of which require particular records to be maintained. The chart below is from FINTRAC’s current customer identification guidance (which must be updated to reflect the change in wording from original to authentic, though other elements remain unchanged).

If the customer is an entity (a company, partnership, trust, etc.), then measures must be taken to confirm the entity’s existence and beneficial ownership. Certain details must be collected for directors, trustees, beneficiaries of trusts, and anyone that owns or controls 25% or more of an entity. This includes “indirect ownership” (such as ownership through another company).

There is also information about the customer that must be collected. For individuals, this includes name, date of birth, address, and occupation or principal business. For entities, this includes name, address, place of incorporation (if applicable), and incorporation number (if applicable). 

All dealers in virtual currency are expected to have processes in place to identify customers and collect KYC information by June 1, 2020.

FINTRAC Reporting

For reporting, there are two important dates. By June 1, 2020, dealers in virtual currency will need to report the same types of transactions that MSBs are currently required to report. These are:

  • Large Cash Transactions: if you receive cash (this means fiat in the form of bills and/or coins) valued at CAD 10,000 or more in the same 24-hour period, by or on behalf of the same customer, it must be reported to FINTRAC within 15 calendar days. 
  • Suspicious Transactions: if there are reasonable grounds to suspect that a transaction is related to money laundering or terrorist financing, it must be reported to FINTRAC within 30 calendar days of the discovery of a fact that led you to determine that the transaction was suspicious.
  • Attempted Suspicious Transactions: if a customer or prospective customer requests a transaction, but does not complete it (including transactions that you reject), and there are reasonable grounds to suspect money laundering or terrorist financing, then it must be reported. The timeframe is the same as it would be for completed transactions.
  • Terrorist Property: if you’re in possession of property (which includes funds and virtual currency) that belong to a terrorist or terrorist group, it must be reported without delay, and the property must be frozen. In addition to reporting to FINTRAC, these reports are also sent to the CSIS and RCMP – by fax. In order to know if customers fall into this category, it is important to screen against lists published by OSFI. We’ve worked with some friends on a tool to make this easier, which you can try here (use the code Free100 for a free trial).
  • Electronic Funds Transfers: if you send or receive international electronic funds transfers (EFTs), including wires, valued at CAD 10,000 or more, by or on behalf of the same customer, it must be reported to FINTRAC within 5 working days.

If you are required to report transactions valued at CAD 10,000 or more in a 24-hour period, you must have a mechanism in place to detect reportable transactions.

It’s noteworthy that if you are conducting international EFTs on your customers’ behalf, you may already be an MSB. The best way to know for certain, in our opinion, is to request a policy position from FINTRAC. This can be done free of charge by emailing This can also be done on your behalf by a lawyer or consultant.

By June 1, 2021, a new report will be introduced.

  • Large Virtual Currency Transactions: if you receive virtual currency valued at CAD 10,000 or more in the same 24-hour period, by or on behalf of the same customer, it must be reported to FINTRAC within 5 working days.

There will be some additional changes to reporting and reporting timelines, including the requirement to report suspicious and attempted suspicious transactions “as soon as practicable” after you have determined that there are reasonable grounds to suspect that the transaction is related to money laundering or terrorist financing.

For Extreme Compliance Nerds

We clearly mean nerd as the highest term of admiration and endearment, and for you, we have created red-lined versions of the regulations, with new content showing as tracked changes. This is not an official version of the regulations, and we do, of course, recommend that you check it against the official version.

Need a Hand?

Whether you need to figure out if you’re a dealer in virtual currency, to put a compliance program in place, or to evaluate your existing compliance program, we can help. You can get in touch using our online form, by emailing, or by calling us toll-free at 1-844-919-1623.

FATF, VASP – What Does It All Mean?

On June 21, 2019 the Financial Action Task Force (FATF) released “Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers”. In the ensuing days, while we read through and considered the implications of this dense 57 page document, we watched social media go overboard with all sorts of wild speculation and inaccurate representations. When that happens, and it’s within our power to get good information out there, we do our best to get solid information out fast to fight the fear, uncertainty and doubt (affectionately referred to as FUD online). Let’s take a closer look at the latest FATF guidance, and what it means for businesses that deal in crypto/digital/virtual currencies like bitcoin, and other virtual assets.

What is the FATF Anyway?

If you’re an AML geek, you can probably skip this section. For the other 99.99% of the world, the Financial Action Task Force (FATF for short) is an inter-governmental body formed in 1989 by its member jurisdictions. If you live in the developed world, odds are good that your country is a FATF member. The role of this organization is to issue guidance to countries on anti-money laundering (AML) and combatting terrorist financing. Countries that are members of the FATF are also evaluated in terms of how well they’re doing at following the FATF’s recommendations (these are called mutual evaluations). Generally speaking, member countries face a good deal of pressure to achieve positive results in mutual evaluations. Countries that are deemed to be non-compliant, or to have strategic deficiencies, are publicly listed and can face significant trade barriers.

To sum it up, the FATF is an international group made up of member countries that issues guidance to countries. That guidance is not law, but it certainly shapes the laws that are written by member countries. It may seem pedantic, but if you hear/read someone saying that the FATF has issued a law or a regulation, it’s likely that the speaker/writer doesn’t really understand how the FATF works – and this is the first piece of FUD that we’re going to dispel today: the FATF does not write laws or regulations.

Once the FATF has issued guidance, its member countries adapt their existing laws and regulations, and in some instances, impose new ones. Generally speaking, the more common approach is to adapt existing laws and regulations.  Regardless of the approach taken, a statement released with the guidance stating that the FATF will monitor implementation of the new requirements by countries and service providers and conduct a 12-month review in June 2020. The guidance is also expected to be the subject of further discussion at other international forums, including the G20.

Virtual Assets and Virtual Asset Service Providers

The FATF’s Guidance introduces new terms (and corresponding acronyms): virtual assets (VAs) and virtual asset service providers (VASPs). These are defined in the glossary at the end of the document, but it’s useful to start off by understanding what the terms mean.

A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.

The broader text makes it clear that VAs are being broadly defined, and may include cryptocurrencies like bitcoin as well as other types of assets, like initial coin offering (ICO) tokens, which may also be considered securities.

There are also clear statements about the intent of the guidance, and that it is not an attempt to regulate technology. This is another important distinction, in particular where there is a discussion of regulation applicable to Bitcoin (with the capital B indicating that this is a reference to the Bitcoin protocol). That is simply not the case. In fact, the guidance notes that the intent is to remain technology agnostic, and that no specific technological adaptations to protocols are being proposed (we’ll dive a bit more deeply into this in the section that covers customer information).

What the guidance is, however, suggesting should be regulated are certain business activities that involve virtual assets.

Virtual asset service provider means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

i) exchange between virtual assets and fiat currencies;

ii) exchange between one or more forms of virtual assets;

iii) transfer of virtual assets;

iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and

v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

The first, and probably most important, piece of FUD to fight here is the idea that peer-to-peer activity that is not being conducted for business purposes should be covered. This simply is not the FATF’s recommendation. This doesn’t preclude a country from writing laws or regulation that impose requirements on non-business peer-to-peer activity, but it does make that less likely in our estimation.

If you’ve looked at previous FATF guidance, you’ll notice that the scope is a bit different. Earlier guidance was focussed on what were termed “on and off ramps”, meaning transactions that involved trading fiat currency for a VA, or vice versa. The current scope includes trading between different VAs. To understand this change, consider that when the earlier guidance was issued there were no popular “stablecoin” VAs pegged to the value of an underlying asset (often a fiat currency) and ICOs had yet to raise millions in value in VA alone.

What Will It Mean for Businesses to be Regulated?

Businesses (including individuals that are conducting VASP activities on behalf of customers that have not incorporated a separate legal entity such as a company or partnership) may be subject to laws and regulations in more than one jurisdiction, and the specific requirements for each jurisdiction may be different (though most will follow the FATF’s guidance in broad strokes). For VASPs, it is important to understand the requirements that apply in each jurisdiction in which they operate (it is not enough to say that your business is following the FATF’s guidance).

The FATF recommends in its guidance that countries enact laws and regulations that apply to VASPs. This should include (not a comprehensive list):

  • The licensing and/or registration of VASPs;
  • A prohibition against criminals and their associates being beneficial owners of VASPs;
  • A requirement for VASPs to have qualified Compliance Officers, written policies and procedures, documented risk assessments, ongoing training, and measures of the effectiveness of the compliance program (audits);
  • Know your client (KYC) information and identification should be collected by VASPs for customers and business relationships (with a de minimis exception for occasional transactions valued at less than 1,000 EUR/USD);
  • Where transactions occur between two VASPs or between a VASP and another regulated entity type (such as banks), sender and receiver information must be transmitted. This has received a lot of attention, and it is not yet clear how this will be accomplished. The options noted in the guidance include:
    • Public and private keys,
    • Transport Layer Security/Secure Sockets Layer (TLS/SSL),
    • 590 Certificates,
    • 509 Attribute Certificates,
    • API Technology, and
    • Other Commercially Available Technology.
  • VASPs’ customers and business relationships should be subject to ongoing monitoring; and
  • Mechanisms in place to freeze assets and stop transfers in the case of listed persons and entities (such as known terrorists or sanctioned persons/entities).

The guidance also states that there should be true regulatory oversight, not self-regulatory organizations. There are additional considerations for other entity types that are already regulated (including securities dealers and banks) that engage in VASP activities.

Thinking about Risk

Some of the most interesting content in the guidance is related to the money laundering and terrorist financing risk posed by VAs and VASPs. Here, it was clear that the FATF had done their homework as the discussion included TOR, tumblers, mixers, and other technologies referred to as being “anonymity enhanced”. The factors that are listed as increasing a VAs/VASPs risk include:

  • Value moving into and out of fiat currency,
  • The use of anonymity-enhanced technologies,
  • Operations that are entirely online (non-face-to-face),
  • Links to high risk jurisdictions, and
  • The value that can be accessed/transferred.

The guidance does note that not all VAs/VASPs should be considered to be high risk.

A Quick Note on Financial Inclusion & De-Risking

The FATF’s page on financial inclusion defines the term as: Ensuring that financially excluded or underserved groups (such as low income, rural sector or undocumented groups) have access to regulated financial services helps to strengthen the implementation of AML/CTF measures.

If you’ve been watching or participating in VAs or VASPs, you’ll understand that many of these have financial inclusion related goals themselves, but VASPs often struggle with access to banking. In their guidance, the FATF makes a strong statement against banks and financial service providers de-risking all VASPs: It is important that FIs apply the risk-based approach properly and do not resort to the wholesale termination or exclusion of customer relationships within the VASP sector without a proper risk assessment.

Unfortunately, the same cannot be said of prohibition by countries: Some countries may decide to prohibit VA activities or VASPs, based on their assessment of risk and national regulatory context or in order to support other policy goals not addressed in this Guidance (e.g., consumer protection, safety and soundness, or monetary policy). The guidance goes on to note that countries that chose to ban VAs and/or VASPs would still need to ensure that sufficient safeguards are in place. This approach did not seem to be encouraged, but that it is explicitly mentioned is interesting of itself, as this is not the case for other asset or regulated entity types.

Margin Notes

We’ve been asked to post the annotated copy of the first read-through of the FATF’s guidance document. The annotations were not created with the expectation of the audience. They’re likely to be hard to read, idiosyncratic, and to clearly reveal that the author is dyslexic… but if they are of use to you, then these notes are yours to use.

Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers Marked Up Copy

Need a Hand?

If you want to understand the regulations that apply to your VA business/VASP, please contact us.

Compliance with laws and regulations is nuanced; we do not practice in all jurisdictions (and quite frankly, we believe that anyone claiming to understand the nuance of AML in every jurisdiction is greatly exaggerating their skill set). If we don’t practice in the places that matter to you, we’ll do our best to connect you with qualified people that do.

Technology and Cyber Security Incident Reporting

The issue of cyber security incidents seems to continue to be a hot topic for regulators. Late last year, federal Breach of Security Safeguards Regulations came into force, which require organizations to report to the Office of the Privacy Commissioner (OPC), any breach of security safeguards involving personal information under its control where the breach creates a “real risk of significant harm”. Last week, The Office of the Superintendent of Financial Institutions (OSFI) published an advisory, Technology and Cyber Security Incident Reporting, which sets out OSFI’s expectations for Federally Regulated Financial Institutions (FRFIs) with respect to the reporting of technology and cyber security incidents. The advisory  becomes effective on March 31, 2019.

OSFI’s advisory defines a technology or cyber security incident as an event that has the “potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information”. The advisory goes on to give guidance on what a reportable incident may look like:

  • Significant operational impact to key/critical information systems or data;
  • Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
  • Significant operational impact to internal users that is material to customers or business operations;
  • Significant levels of system/service disruptions;
  • Extended disruptions to critical business systems/operations;
  • Number of external customers impacted is significant or growing;
  • Negative reputational impact is imminent (e.g., public/media disclosure);
  • Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
  • Significant impact to a third party deemed material to the FRFI;
  • Material consequences to other FRFIs or the Canadian financial system;
  • A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.

Unlike the Breach of Security Safeguards Regulation, which apply to all companies operating in Canada, OSFI’s advisory applies only to FRFIs. These include banks and insurance companies.

How Do the Reporting Obligations Differ?

Incidents that need to be reported to the OPC focuses on “a breach of security safeguards” involving personal information, where it is reasonable to believe that the breach creates a “real risk of significant harm” by assessing factors such as the sensitivity of the personal information involved, and the probability of misuse. Incidents should be reported as soon as feasible.

Incidents that need to be reported to OSFI focuses on operational impact to the integrity or availability of information systems. Items to be looked at include things such as service disruptions, as well as impacts to critical deadlines related to financial market settlement, payment systems, soundness of business etc. These incidents may or may not include personal information. The OSFI advisory does state one of the considerations for reporting is if the incident has been reported to the OPC. Incidents should be reported as soon as possible, but no later than 72 hours after determining an incident has occurred.

It is possible (even probable) that a FRFI would need to report an incident to both the OPC and OSFI. While organizations that are not FRFI’s are not required to report to OSFI, the advisory may still contain useful guidance in thinking about security, breaches, and best-practices for breach response.

Below is a comparison chart noting the differences (or similarities) between reporting obligations:

Breach of Security Safeguards Regulations OSFI Advisory
Who does it apply to?  All Organizations.  All Federally Regulated Financial Institutions.
Who is a breach reported to? The organization must report the breach to the OPC, but also notify affected individuals. The FRFIs must report the breach to its Lead Supervisor as well as
When is a breach reported? As soon as feasible after the organization determines the breach has occurred. As soon as possible, but no later than 72 hours after determining an incident has occurred.
What type of breach is reported? A breach of security safeguards involving personal information where the breach creates a “real risk of significant harm”. Incidents that have a material operational impact to the integrity or availability of information systems.
What type of information must be included in the report? A description of the circumstances of the breach and, if known, the cause;

The day or the period in which the breach occurred;

A description of the personal information that was involved in the breach;

An estimate of the number of individuals impacted – where the breach creates a real risk of significant harm;

The steps that the organization has taken to reduce the risk of harm to the impacted individuals;

The steps that the organization has taken, or will take, to notify impacted individuals; and

The name and contact information of a person the OPC can liaison with.

Date and time the incident was assessed to be material;

Date and time/period the incident took place;

Incident severity and type (e.g. DDoS, malware, data breach, extortion);

A description of the incident (including known direct/indirect impacts, the number of clients impacted etc.);

Primary method used to identify the incident; 

Current status of incident;

Date for internal incident escalation to senior management or Board of Directors;

Mitigation actions taken or planned;

Known or suspected root cause; and

Name and contact information for the FRFI incident executive lead and liaison with OSFI. 


We’re Here To Help

If you have questions about this new advisory related to your reporting obligations for technology and cyber security incidents, or compliance in general, please contact us.

Return to Blog Listing