I’ve met a lot of Compliance Officers from around the world, and not one of them has ever told me that as a child they wanted to be a Compliance Officer. This isn’t to say that the job isn’t interesting (or even an awful lot of fun sometimes), but that we get here in different ways. One of my favourites (who will remain nameless here) is a gentleman who missed a senior management meeting and was nominated as the organization’s Compliance Officer while he was absent. When we first met, he was feeling overwhelmed and was looking for a review of his company’s compliance program (and assurances that he wouldn’t wind up in an orange jumpsuit if he made a mistake).
While it seems like an extreme case, many Compliance Officer’s feel this way at least once during their careers. It’s a big responsibility that doesn’t often come with the budget to match. Whether you’re new to the world of anti-money laundering (AML) or just looking for a quick “sanity check” to make sure that things are going the way that they should be, this “cheat sheet” is for you.
Your Compliance Program
You need to have a Compliance Program in place with these 5 elements:
- Appoint A Compliance Officer (hey that’s you!);
- Document Your Policies And Procedures;
- A Risk Assessment;
- Training; and
- An AML Compliance Effectiveness Review.
If your organization is a money service business (MSB) you will also need to register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). If your organization is an MSB operating in Quebec, you also need to register with the Autorité des marchés financiers (AMF). The definition of an MSB in Quebec is a bit broader than the Canadian federal definition; some companies may only be required to register with the AMF.
The first thing that you should do is review your documentation to make sure that it’s up to date. Here’s a quick checklist to get you started – answer each of the questions with ‘Yes’ or ‘No’.
Program Component |
Questions You Should Ask |
| Compliance Officer | Is my appointment documented? This can be in the form of meeting minutes or a formal document, but it must be in writing. |
| Policies and Procedures | Do they describe what we’re doing to meet our obligations? The descriptions should be clearly written so that someone that doesn’t know your business could understand them. |
| Have they been updated in the last year? | |
| Risk Assessment | Does the Risk Assessment describe the risk that your business could be used for money laundering or terrorist financing? |
| Are there risk ratings? | |
| Are your controls (what you do to prevent your business from being used for money laundering or terrorist financing) describe? | |
| Do your controls make sense given your risk level? | |
| Training | Have your staff been trained in the last year? |
| Does your training cover all of the obligations that apply to your business? | |
| AML Compliance Effectiveness Review | Has an AML Compliance Effectiveness Review been completed in the last two years? |
| Was there a formal report that described the methodology and findings? | |
| Did management sign-off on the final report within 30 days? |
If you answered yes to all of these questions, you’re off to a good start. If the answer to any of these questions is no, you have some work to do. If that’s the case, consider letting your management team know right away. It’s easier to get their support when they know what you’re working on.
FINTRAC Reporting
Other than terrorist property reports, FINTRAC reports can be filed electronically using a system called F2R. If your organization is not already using this system, you can enroll by contacting FINTRAC. Filing your reporting electronically can make it easier to keep track of the reports that you’ve filed (remember to save copies of the PDF reports on your network) and let you know more quickly whether or not FINTRAC has accepted your reports.
FINTRAC has published guides to help you with your reporting. Each report type in the chart is hyperlinked to FINTRAC’s guidance. The types of reports that you will submit will depend on the type of reporting entity you belong to. However, all reports have set time limits.
Report Type |
Timing |
| Suspicious Transaction Reports (STRs) and Attempted Suspicious Transaction Reports (ASTRs) | As soon as practicable |
| Large Cash Transaction Reports (LCTRs) | 15 calendar days from the date that the transaction takes place |
| Electronic Funds Transfer Reports (EFTRs) | 5 working days from the date that the transaction takes place |
| Large Virtual Currency Transaction Reports (LVCRTs) | 5 working days from the date that the transaction takes place |
| Casino Disbursement Reports (CDRs) | 15 calendar days from the date that the transaction takes place |
| Terrorist Property Reports (TPRs) | As soon as possible (Immediately) |
Training Your Staff
All staff should be trained at least once a year (including part-time, temporary and contract staff). Your training records should include:
- Who was trained?
- When did training take place?
- How was training delivered (in person, webinar, etc…)
- What topics were covered?
This can be done in a simple spreadsheet. You don’t need to collect signatures to prove that training took place, but you do need to be sure that your records are accurate.
There are very few instances when staff members do not need to be trained. Generally, these would be staff members that are not involved in any way with customers or customer transactions. If there are staff members that are not trained, you should document who they are, their roles, and the reason that they are exempt from training.
AML Compliance Effectiveness Reviews & FINTRAC Exams
I’ve put together some detailed guidance on preparing for reviews and exams. It’s important to remember to get all of your documentation in order in advance. Make sure that you’ve read the request and understand what you are being asked for. If you have questions about what you should include, it’s fine to call the reviewer or examiner to ask.
Information requests are time-sensitive. For FINTRAC exams, you generally have 30 days from the date that the request was mailed to assemble your submission. This seems like a long time, but you may need some extra help pulling everything together. It’s a good idea to let your management team know as soon as you receive a request from the regulator, especially if you need extra resources to stay on top of the request and everyday compliance tasks.
Need a Hand?
If you’re feeling like your AML program needs work, and you’re not sure what to do next or you need extra hands to put together or look over your FINTRAC package, please contact us.