PROCESSING...

Implementing 2014 AML & CTF Regulatory Changes

We’ve done many AML Compliance Effectiveness Reviews of late, and my first question to clients is always the same: have you implemented the changes that came into effect in February of this year? The answers have varied from a confident “Yes, of course!” to “What changes?” We have a simple guideline for blogs at Outlier. If we receive a question more than three times, we write about it, and we make as much useful information as possible free. We do this because we believe that knowledge is power – and that everyone should have access to it. In the spirit of making knowledge free and available, we’ve decided to share the most significant changes related to updates to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) that came into effect earlier this year, and the solutions that we’ve implemented with our clients.

The Big Disclaimer

This blog was not written by a lawyer and shouldn’t be considered legal advice.

While our solutions have been reviewed by:

  • Outlier;
  • Our clients who have implemented these solutions; and
  • The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) (in the form of examinations conducted with our clients who have implemented these solutions),

this doesn’t guarantee that these solutions will be a perfect fit for your business. They will need to be edited and customized to suit your business model – but we think that they will point you in the right direction.

2014 PCMLTFR Changes In Brief

The most recent changes to the PCMLTFR came into effect in February of this year. Among the most significant changes were:

  • The addition of business relationships;
  • The addition of customer information updates (with more frequent updates for higher risk customers);
  • The addition of delivery channels to the risk assessment (bundled with products and services); and
  • The addition of enhanced transaction monitoring for higher risk customers.

Each of these changes has an impact on your anti money laundering (AML) and counter terrorist financing (CTF) program. They should be incorporated into your program documents (your policies, procedures and training) and have an impact on your operations (what you’re doing to meet these obligations).

Business Relationships

Reporting entities have a business relationship when a customer has performed any combination of transactions that requires identification and/or confirming the existence of an entity more than twice. This includes suspicious transactions and attempted suspicious transactions. When you have a business relationship with your customer, you must keep a record of the “purpose and intended nature of the business relationship.” In its simplest form, this means asking the customer the purpose of their business with you, and keeping a record of the response. This information is also useful in transaction monitoring, as it allows you to look for activity that isn’t consistent with the answer that the customer has provided.

This is something that you can ask your customer verbally (by phone is fine), by email, via a web form, by fax, or in any other way that makes sense for your business. You don’t need the customer to sign anything, but you do need to document the response. There is also flexibility in how you keep a record of the customer’s response.

If you have flexible information technology (IT) development, you can add a business relationship indicator to your system, as well as a field for the purpose and intended nature of the business relationship. Ideally, the system would detect business relationships automatically, and prompt your staff to collect information about the purpose and intended nature of the business relationship. If your business is relatively straightforward, you may even be able to develop a dropdown menu.

If your IT systems are less flexible, you’ll need to find another way to record this information. This can range from notes in the customer profile section of your client management system to an excel spreadsheet. Whichever method you use, you’ll need to think of a way to make sure that you know about all of the business relationships that exist.

You’ll also need to add a section to your program documentation that explains:

  • What a business relationship is;
  • How you know when you have a business relationship with your customer; and
  • What you do when there is a business relationship.

Your staff and agent training should also be updated to include a definition of business relationships, and your processes where you have a business relationship with your customer.

Here’s some sample language:

Business Relationships

We have a business relationship with anyone that has conducted two or more transactions that require identification (for individuals) or confirmation of the existence of an entity (for organizations). When we have a business relationship with our customer, we need to keep a record of the purpose and intended nature of their business relationship with us. Although this may seem self-evident, it is something that needs to be recorded.

Our system has been updated to prompt all staff to enter the purpose and intended nature of business relationships. This field is not optional; it must be completed whenever we have a business relationship with our customers.

We must also monitor business relationships that and keep information up to date (including customer identification, if the customer is active with us). The Compliance Officer will determine whether or not information about our customers and/or businesses relationships is up to date may contact staff for additional information.

Information Updates

Reporting entities must also keep customer information up to date. Updates should be more frequent for high-risk customers, although the PCMLTFR does not specifically prescribe how often these updates should take place. Depending on your business model and how frequently you interact with your customers, there may be significant differences in how often you perform updates.

Customer information updates refer to the customer’s name, address, email address, telephone number and occupation or principal business. Customers that are organizations are also required to confirm the organization’s beneficial ownership and director information.   This doesn’t mean that you need to collect the articles of incorporation (or other documentation that you’ve already got on file) a second time, but rather than you’re confirming with the customer that this information has not changed, or updating your records if there were any changes.

Once again, if your IT systems are flexible, you can add automatic prompts to ensure that this is completed. Anyone that uses online banking will be familiar with this the type of updates that have occurred this year. When you log into your account, you’re asked to confirm your personal details before proceeding to the banking site.

You’ll also need to add a section to your program documentation that explains:

  • What information must be updated;
  • How frequently this information is updated; and
  • How you update this information;

Your staff and agent training should also be updated to include information updates as well.

Here’s some sample language:

Customer Information Updates

Customer information updates refer to the customer’s name, address, email address, telephone number and occupation or principal business.

Customers that are organizations are also required to confirm the organization’s beneficial ownership and director information.

Inactive Customers

Inactive customers are re-identified in order to re-activate an account and conduct transactions that require identification.

Inactive customers that are required to be re-identified are also required to update their customer information.

Low & Medium-Risk Customers

Low and medium-risk customers that were identified face to face are required to update their customer information at the point that the identification document has expired.

In the case that there is no expiry date for the identification document initially provided, customer information is updated every five years.

In the case that the customer has been identified using non-face-to-face methods, customer information is updated every five years.

Low and medium-risk customers that are not recognized visually or by voice must be re-identified using either face to face or non face to face methods when they request transactions that require identification.

High-Risk Customers

High-risk customers are required to update their customer information every two years.

High-risk customers that are not recognized visually or by voice must be re-identified using either face-to-face or non face-to-face methods when they request transactions that require identification.

If the reason that a customer has been considered high-risk relates to doubts about the veracity of any of the information or identification provided, additional identification or confirmation of customer identification may be required at the Compliance Officer’s discretion.

Risk Assessment: Delivery Channels

Your Risk Assessment (that document that describes the risk that your business could be used to launder money or finance terrorism) already describes the risk related to your products and services (what you sell). This has been updated to include delivery channels (how you deliver your products and services to your customers). This should include all of the methods that you use to interact with your customers (whether they’re sales and service or service only), and a description of the risk associated with those methods. Generally speaking, high-touch delivery methods (anything that allows you to interact directly with the customer) provide more opportunities to detect potential money laundering or terrorist financing activities. This doesn’t mean that low-touch options like online ordering are bad, but it does mean that you need to have good controls in place to prevent money laundering and terrorist financing.

Your Risk Assessment should be updated to describe your “Products, Services and Delivery Channels” (rather than simply “Products and Services”). It should clearly explain how your products and services are delivered, and the risks associated with your delivery methods. The delivery methods should include all of your touch points with your customers (including things that may not be advertised, that you only do for existing customers).

Here’s some sample language:

Delivery Channels

We complete the sales process with our customers:

  • In person (at our retail/commercial locations);
  • In person (at locations other than our own premises);
  • Via mail;
  • Via phone;
  • Via fax;
  • Via internet.

In addition, we provide servicing to our customers:

  • In person
  • Via social media sites;
  • Via email; and
  • Via phone.

Our delivery channels include a mix of “high-touch” and “low-touch” options. High touch options provide us with greater opportunities to interact with our customers, observe customer behavior and ask questions. Low-touch options do not afford the same opportunities to observe behaviours. In these cases, we are more reliant on transaction monitoring and transaction review to detect unusual activity. In the case of low-touch options, we are generally able to contact the customer via our servicing channels to request additional details where the transaction is not consistent with what we know about the customer.

Enhanced Transaction Monitoring

Reporting entities are required to monitor transactions in order to identify patterns that may indicate that money laundering or terrorist financing is taking place. For higher risk customers, there must be some form of enhanced transaction monitoring. Enhanced means that it is different from the transaction monitoring that takes place for all customers. It can be different either in quality (what you do to monitor transactions) or quantity (how frequently monitoring takes place, or how unusual a transaction must be in order to generate an alert).

If you have an IT system that automatically monitors transactions and generates alerts, and there is flexibility in programming this system, you can make changes to the monitoring activities that take place based on customer risk level. If you’re monitoring transactions manually, you can incorporate enhanced transaction monitoring into the enhanced due diligence that you conduct for your high-risk customers. This can be as simple as reviewing the last two years of high-risk customer activity. Regardless of the method that you use to conduct enhanced transaction monitoring, you’ll need to update your program documentation to describe what you’re doing and what records you’re keeping.

Where transactions are monitored by an IT system, the language in your program documents should reflect the parameters set in your system. If you are monitoring transactions manually, here’s some sample language:

Enhanced Transaction Monitoring

For high-risk customers, enhanced transaction monitoring is conducted. The Compliance Officer (or a delegate) reviews the information that is on file about the customer, as well as records of the customer’s activity for the past two years. If there is activity that appears to be related to money laundering or terrorist financing, appropriate reports are filed with FINTRAC (and in the case of terrorist property, with CSIS and the RCMP).

High-risk customer accounts are reviewed at least annually, and more frequently where triggered by customer activity (for example where there is an internal report submitted to the Compliance Officer). The Compliance Officer will maintain complete records of the reviews and maintain these records for at least five years

Keeping Up To Date

Remember to document the fact that you’ve reviewed and updated your program. This can be done in a simple spreadsheet, or within the program documents. The record should include what updates were completed, when the updates were completed, and by whom the updates were approved.

Need A Hand?

If you need assistance reviewing your program, implementing the updates described in this blog, or just someone to chat with to make sure that you’re on the right track please contact us.

Return to Blog Listing