Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

Don’t Share STRs or STR Data

Recently the Compliance Officer from a small reporting entity reached out to me to ask an uncomfortable question: should they provide copies of the Suspicious Transaction Reports (STRs) that they had filed with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to their financial services providers such as a credit union or bank?

This was a difficult situation for the reporting entity’s Compliance Officer because they were afraid of pushing back too much with the financial services provider. Like most non-bank reporting entities, they rely heavily on the services provided by the bank in order to be able to operate their business. Financial service providers, such as banks and credit unions, have the ability to close the accounts of businesses in Canada (often called de-risking), and it can be difficult for some types of reporting entities to establish new banking or payments relationships. The financial services provider in this situation has significantly more power than the reporting entity that is dependent on them.

My gut reaction was that the reporting entity should not disclose the contents of their STR reports, or provide copies. In Canadian legislation, disclosing the fact that an STR was made, or disclosing the contents of such a report, with the intent to “prejudice a criminal investigation” can be punishable as a criminal offence, with penalties of up to 2 years imprisonment (this is also known as “tipping off”). While there did not appear to be any intent to prejudice a criminal investigation in this case, it still seemed like a bad idea. I did a quick check-in with fellow AML geeks on LinkedIn. There are some great comments here, and I had a number of conversations in DMs and by phone. No one seemed to think that the reporting entity should be providing copies of STRs.

The question then became how to best empower the reporting entity to push back effectively. I submitted the following request to FINTRAC and to the Office of the Privacy Commissioner (OPC), both of which have mechanisms to allow Canadians and Canadian companies to ask the regulators to opine on matters free of charge:

One of our clients, a Canadian Money services business (MSB) has been asked by their financial services provider (bank/credit union) to provide copies of the suspicious transaction reports (STRs) and Attempted Suspicious Transaction Reports (ASTRs) that have been filed with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) on an ongoing basis. This struck us as being an overreach in terms of the information that should be disclosed to a service provider, and we are reaching out for an opinion on the appropriateness of these requests.

The financial service provider appears to be of the opinion that this is a reasonable request, and that they may close the MSB’s bank account if the STRs and ASTRs are not provided by the MSB.

I let both FINTRAC and OPC know that I had submitted requests to both. So far, only FINTRAC has responded. Their response is below in full (TL:DR: reporting entities should not share copies of STRs reported to FINTRAC).

Thank you for contacting the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Canada’s independent agency responsible for the receipt, analysis, assessment and disclosure of information in order to assist in the detection, prevention and deterrence of money laundering and the financing of terrorist activities in Canada and abroad.

I am writing further to your email of July 16th, 2020, wherein you requested clarification regarding the sharing of suspicious transaction reports (STRs) submitted to FINTRAC.

As you know, section 8 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) states that no person or entity shall disclose that they have made, are making, or will make a report under section 7, or disclose the contents of such a report, with the intent to prejudice a criminal investigation, whether or not a criminal investigation has begun.

The PCMLTFA sets out a regime in which the information contained in financial transaction reports sent to FINTRAC (including STRs) is protected from disclosure except in very limited circumstances. The Act also includes specific provisions aimed at protecting the personal information under FINTRAC’s control. For example, as you may be aware, the PCMLTFA is founded on a prohibition on disclosure (s. 55(1), PCMLTFA). Any disclosure of information or intelligence by FINTRAC must fall under one of the exceptions to this prohibition. Outside of these exceptions, FINTRAC is prohibited from disclosing the contents of financial transaction reports, or even acknowledging their existence.

While reporting entities (REs) are not subject to the same prohibitions, FINTRAC strongly believes that STRs should be regarded as highly sensitive documents, given the role FINTRAC plays in the fight against money laundering (ML) and terrorist activity financing (TF) in Canada, and the fact that STRs are a key source of FINTRAC’s intelligence holdings. From FINTRAC’s perspective, it is not in the public interest for REs to disclose financial transaction reports and the information contained therein. Even beyond this, the collection or disclosure of financial transaction reports, including STRs, without a valid purpose and authority, may infringe on legislated privacy protection obligations. Almost all information within financial transaction reports is personal information about an identifiable individual and is considered financial intelligence by

FINTRAC, collected for the sole purpose of reporting to FINTRAC. The potential harm that could occur from the disclosure of the information in these financial transactions reports is great, and includes compromising: (1) police and national security investigations that are both ongoing or could be undertaken in the future; (2) sources of the information/intelligence within the reports, placing those sources at risk of retaliation; and (3) FINTRAC’s compliance activities, given that data provided by REs is always provided in confidence and that confidence is expected to be maintained by all parties. FINTRAC relies on the information included within STRs to support disclosure of financial intelligence to police and other law enforcement and national security organizations, in the interest of detecting, preventing and deterring ML and TF.

Therefore, while your client (MSB) is not prohibited from sharing the STRs it has submitted to FINTRAC with its service provider (Bank/CU), unless it is with the intent to prejudice a criminal investigation, strong consideration should be given to the above.

If you would like a PDF copy of the complete question and policy position for your due diligence files, or to provide to an external party that is requesting copies of your STRs, or information about their content, you can download it here.

Response from FINTRAC – Re_ Sharing Copies of STRs_ASTRs

A version of this Q&A is also now posted on FINTRAC’s website (PI-10662).

The response from OPC, in contrast, was underwhelming. In essence, they will investigate specific complaints, but they will not issue advanced rulings. That said, if any service provider is insisting that copies of STRs must be shared with them, a complaint to the OPC may be an option.

Response from the Office of the Privacy Commissioner of Canada – INFO-084075

Need a hand?

If you have AML or privacy-related questions, we can help. You can get in touch using our online form, by emailing, or by calling us toll-free at 1-844-919-1623.

Why rich people don’t just open a bank…


It can be tough to open and maintain a bank account as a crypto-business. A policy of “derisking” (when banks avoid conducting business with customers perceived as being higher risk) leaves many crypto-businesses (and other MSBs) ill-served by the existing banking system.

A not-uncommon response to this reality (i.e. we’ve had this conversation enough times to deem it worthy of a blog post) is some variation of: “I’m a rich person! Why don’t I just open a bank?”

No doubt, this impulse comes from the admirably entrepreneurial spirit of our community. There’s a problem (lack of access to banking services), so let’s solve it.

But if you don’t have a background in compliance or banking and think that you’re “just” going to magically open your dream-crypto-paradise-bank… We’re here to advise you to slow your roll. We’re not saying you can’t do it… but here are some things you should consider. Knowledge is power.

Sidenote: We’re Canadian and these notes refer to Canadian processes. There are likely to be some differences in other countries, but we won’t know what they are. If you want to know, do the research. Let us know what you find if it’s interesting.

Opening a bank is expensive.

While you may think you have the cash to spare, opening a bank is expensive, and probably more expensive than you expect, both in terms of what you need to have in reserve, and what you’ll spend initially. We’ve heard the figure of $50m buy-in—which, by the way, does not guarantee you a charter.

You will spend money for years before you serve customers.

If you’re curious about where all those millions could possibly go, you’re going to get friendly* with an army of consultants, lawyers, and accountants over the next few years. (*And by friendly, we mean pay a lot of money to).

The process of getting issued a charter is lengthy (if you don’t believe us, you may enjoy perusing the 27-page long PDF guide from OFSI on the subject) and getting this process right means your investment will be whittled away by hiring people who can help navigate you through this labyrinth. You’ll also be spending money on employees, by the way, for years before you’ll ever have the privilege of serving a customer. Years. Plural.

Your team will spend a long time pleasing regulators before you’re operational.

Yes, even though you won’t be permitted to have customers for a long time, you will still need to assemble a team that can put together all of the elements of a bank into place. Your team will spend all of their time implementing processes, demonstrating to the regulator(s) that they’ve done so, and then tweaking these processes as the regulators require or request (in these instances, a request is really a politely stated requirement). If it’s any comfort, your employees will certainly be kept busy, even without customers.

You’re probably not going to be the CEO…

Despite making the decision to open a bank, you will likely not become the bank’s CEO, or even its COO. Senior management positions at banks require regulatory approval. Regulators are looking for you to have had a long history, at a senior level, in a bank or other federally regulated financial institution

… or even on the Board of Directors.

As with senior management positions, seats on the Board of Directors require regulatory approval. Even if you successfully jump through all the hoops required to start your bank, you will likely end up with little to no say in how it is ultimately run.

Well That’s Awkward!

There’s a noble sentiment behind the desire to “just open a bank” and solve the problems you see in the current banking system. But, the risks, effort, and returns are seldom well understood. In essence, opening a bank means making a substantial investment (in both time and money) in something that may one day become an asset (but may not). You can own the bank, but will likely not run it, despite the multi-year multi-million commitment you make. Even if you’re a wealthy investor with patient money, we’d suggest that you ought to be really passionate about setting up a bank if you want to embark upon this kind of endeavour.

What can you do instead?

So, if you’re not going to start a bank but are still frustrated by the banking system as it currently stands—what can you do instead?

Frankly, we need grassroots pressure to change the system we have. It’s important for us to have discussions with the gatekeepers (regulators, traditional banking institutions) for crypto business to get access to banking services. Part of the burden of being in this space is taking the time to educate those who control access to the resources we need. We’ve found that often even people with responsibility for developing policy related to bitcoin and other virtual currencies or tokens don’t fully understand it (and therefore its risk implications). While it may be frustrating to explain that it is possible to buy a fraction of a bitcoin to someone who we really think ought to understand this already, the more we can normalize crypto within the system, the more access we can hope to gain.

And while it can be difficult to speak out if you are a business who has been refused a bank account (or had your account shut down), we’d encourage you to share your experiences of trying to find banking services. Make a complaint to the institution. Share your story with the media (even if you don’t name the FI) or contact your political representatives. You can also, at the moment, contribute your feedback on the draft legislation on AML Regulations for “Virtual Currencies.” (See this blog post for more on how to do that). Exert pressure on the existing players.

But, of course… if you’ve decided you are passionate enough (and deep-pocketed enough) to start a truly crypto-friendly bank: more power to you and definitely let us know how you get on.

We’re Here To Help

If you have questions about virtual currency and regulation in Canada, or regulation in Canada in general, please contact us.

Who Wins The De-Risking Shell Game?

BankRisk_2The volume of evidence, both empirical and anecdotal, grows every day. The story on the surface is simple enough: banks are making the decision to “de-risk” (a polite way to say close the account of) certain types of businesses including money service businesses (MSBs) and digital currency businesses that are considered “too risky” by traditional financial services providers. The unintended consequences have included strained remittance corridors and frustration for businesses struggling to get by without reliable banking services. While these consequences are well documented, there are other unintended consequences of the de-risking phenomenon that have been less widely discussed. These include a growing lack of transparency between some industries and their banking service providers and directly threatens our ability to effectively manage money laundering and terrorist financing risk at both the financial institution and national levels.

It’s a shell game of “hide the risk” – and we’re all losing.

Businesses Are Losing

By now, if you haven’t heard about businesses struggling to survive without access to banking facilities, you would have had to ignore financial media for the past two years. The global effects of de-risking have attracted the attention of the G-20, the Financial Action Task Force (FATF), Financial Crimes Enforcement Network (FinCEN), the World Bank, and many more. While it’s clear that there are issues in terms of access to banking, let’s be honest with one another: while some businesses will close up shop, many others will take a different track.

Whether it’s using alternative financial service providers, payment processors, personal bank accounts or merely opening accounts at other financial institutions without revealing the true nature of the underlying activity, businesses will find a way to carry on. I’ve spoken personally to businesses that have taken these approaches, and it has never been their first or most ideal choice. These aren’t criminals carrying on some nefarious business! They are entrepreneurs who would rather be able to provide their real business plan to their banks and explain their activity honestly, but they do not believe that this option is open to them.

Banks Are Losing

Consequently, a bank with a policy that prohibits these types of businesses from holding accounts will deal with businesses that have gone to great lengths to conceal the true nature of their activity. The banks are unaware of the true nature of the activity passing through their accounts, and therefore ill equipped to manage the risk related to these activities. The strain on banking resources must be phenomenal, as banks must constantly devise new ways to interpret patterns of customer activity to detect undeclared MSB or digital currency activity. While it isn’t easy to quantify these costs, I can only surmise that the cost of this detective work must be high, despite being ineffective.

To further muddy the waters, businesses who fail to provide transparent information to their banks for fear of de-risking may also conduct completely legal activities in a way that starts to look like criminal activity. For example, if you believe that your business banking relationship is not reliable, you may open many accounts (in some combination of personal and business names) and conduct fractions of your banking through each, transferring funds from one account to another as needed to meet your obligations. On the surface, it can seem much like “layering” or “structuring” activity (techniques used by money launderers to make funds more difficult to trace). This further adds to the banks’ burden by creating more activity that must be monitored and investigated.

Entire Nations Are Losing

It has been widely publicized that in some cases like Somalia, entire nations that are dependent on remittance payments from friends and family living and working abroad are experiencing increased difficulty. Reliable and cost-effective remittance payment providers are a shrinking pool. This seems absurd in a time when technology can facilitate a payment in seconds.

National Security Is Losing

It’s not just far-flung places dependent on remittance payments that are losing. Here at home, we have a national security system that is dependent on our financial intelligence units (FIUs) having access to reliable data. The reliability of that data is undermined at every level by the de-risking shell game:

  • Businesses do not declare the true nature of their activity – and there are no incentives for them to do so;
  • Banks do not understand the nature of their customers’ activities, making it difficult detect potentially criminal activity; and
  • There is likely to be an increase in “false positives”, where activity conducted by businesses that do not believe that they can reveal the true nature of their activity to their banks instead conduct business in a manner that resembles criminal money laundering techniques.

Taken together, this results in the likelihood that key information is not being reported to FIUs correctly. Consequently, it becomes more difficult for law enforcement and other national securities to rely on this data to perform their roles effectively.

Who Is Winning?

There are two potential winners in this game and much like the shell games that you see duping tourists on the streets of large cities, neither is without malevolent intent.

The first are unregistered/unlicensed MSB businesses. These are businesses that have ignored regulatory requirements and carried on business without any FIU reporting. In some cases, these businesses will even minimize their interaction with the local financial system by using foreign bank accounts (and point of sale terminals) to collect customer funds. While the risk of penalty is high, the reward for these businesses (in particular where they are able to complete transactions that pose a challenge for their compliant counterparts) can also be high.

The second is criminal organizations. When legitimate businesses are performing transactions that look like money laundering, detecting true criminal activity becomes exponentially more difficult. I can only assume that the criminals are laughing all the way to the bank.

Shutting Down The Shell Game

De-risking is a complex problem with complex outcomes, but the solution need not be complicated. It does, however, involve the cooperation of all levels of the financial services community: regulators, banking service providers and businesses.

The costs and benefits of de-risking need to be reassessed. Where banking service providers are capable of accepting and managing accounts for businesses considered to be “higher risk”, they should do so, with their regulator’s blessing. Rather than perpetuating the shell game, regulators should encourage banking service providers to manage risk (and provide solid guidance with reference to how this should be done). Finally, there should be open communication between banking service providers, regulators and business banking customers. The lines of communication closed by de-risking must be opened, allowing banks to have honest conversations that will provide real insight into their customers’ business and lead to effective long-term risk management.

Keeping Your Bank Happy

For many reporting entities, a growing concern has become obtaining and maintaining banking relationships.  Most, if not all, businesses need a banking relationship to survive and prosper.  If you are an individual in Canada, you are entitled to basic banking services, but it is not so for businesses.  Banks and other financial service providers choose the business customers that they will serve.  This means that the stakes can be very high for businesses shopping for a banking relationship.

As reporting entities themselves, banks and other financial services companies have similar obligations to other reporting entities.  They must understand their customers and their customer’s transactions.  There is mounting pressure for banks to conduct due diligence that includes reviewing the compliance programs of clients that are reporting entities.  As a business owner, your best defence against losing your banking relationship is making your banker’s work easier.

This isn’t something that most business owners have spent a lot of time thinking about, but a few hours every year can go a long way towards ensuring that your banking relationships keep operating smoothly.  Based on my clients (and my own) experiences, I’ve summed up a five-step plan to help you on your way, which includes links to free resources to help you get started.

Step 1:  Have A Compliance Program (and Keep It Up To Date)

All reporting entities need to have an anti money laundering (AML) and counter terrorist financing (CTF) compliance program in place, that includes these five elements:

  1. Appoint A Compliance Officer (this is the person that is responsible for the compliance program; they should be fairly senior within your company and their appointment should be documented);
  2. Document Your Policies And Procedures (your documentation should be detailed enough to describe what you actually do, and be updated at least once a year);
  3. Create A Risk Assessment (this is a document that describes the risk that your business could be used to launder money or finance terrorism, and the controls that you have in place to prevent that from happening);
  4. Train Your Staff (this should happen at least once a year and all training sessions should be documented); and
  5. Have An AML Compliance Effectiveness Review (this is like an audit of your AML program and operations; it must be done at least every two years).

When you are creating and updating your documentation, remember that you and your staff are not the only people that will see it.  Your regulators, bankers and other people that don’t know your business the way that you do will also need to rely on your documentation.  This means that you need to write as if your reader doesn’t know your business.  Take the time to explain everything clearly.

If you need help creating a compliance program, please have a look at our resources pages for your reporting entity type or contact us.

Step 2:  Have a business plan

Your business plan should describe what you do, how you make money and include historical business volumes (for existing businesses) and predicted business volumes (for new and existing businesses).  This document should explain your business simply and clearly (to someone outside of your industry).  To make things easier for your banking service provider, you should explain the types of transactions that will go through your bank account and the estimated volumes.

Many business owners are hesitant to describe their transactions and marketing strategies in any type of document that will leave their hands.  This type of thinking can seriously harm banking relationships, especially if the bank perceives you as being secretive or evasive.  Remember that the bank needs to understand your business in order to keep you as a customer, and the easier that you can make it for them to understand, the better off you’ll be.

I’ve worked with consulting firms that charge high rates for business planning, but there is no real need to spend a lot of money creating a business plan.  There are many free resources available for Canadian businesses.  Here are some of my favourites:

Not surprisingly, the banks themselves offer many of these resources!

Step 3:  Have Contracts In Place

Any third party that is involved in your business (vendors, agents, etc) should have contracts in place, and your bankers may ask to see these agreements.  The contracts should spell out what the third party is obligated to do on your behalf and the copies of the agreements that you provide to your banker should be signed and dated by all parties.  Don’t provide original documents to your bank unless you are required to do so (often banks want copies only, as they will not be returned to you).

Many existing businesses have long-term business relationships that may never have had a formal agreement in place.  In these cases, especially if the third party is doing something like identifying customers on your behalf, you will need to get written agreements.  These don’t need to be overly complicated.  The agreement should state what all parties are required to do and when.  It can be a plain language document that you draft yourself, or something more complicated that you work on with the advice of a lawyer.  The important thing is that you have agreements in place and that they’re clear enough to allow the reader to understand how the parties are related.

Step 4:  Take The Time to Build Alliances

You don’t usually get to speak directly with your bank’s compliance department. The sales representative or branch manager is your liaison. They need to be your advocate.  In this type of scenario, a person becomes your advocate not because you’re cute or gave a nice gift but because they know, understand and can explain your business. This takes patience and time.  Remember you need them as much as they need you. Make it a no brainer for them to want you as a customer (profitable, low risk, low effort).

Your representative at the branch is your point of contact and can act as a sounding board for your documentation.  For instance, if they have requested your business plan, ask if you can walk through it with them and get their advice before it is submitted to the bank’s head office or compliance department.  Remember that they can’t write documentation for you, but they can provide excellent insights about what the bank expects to see.

Step 5:  Consider Having Audited Financial Statements Completed

In some cases, your financial service provider may require audited financial statements. Only a licensed accounting professional or firm (specifically someone with a CA or CPA) can issue this type of report in Canada.  The process involves an independent evaluation of your company’s financial statements and other documents.  The auditor expresses an opinion about your company’s financial statements, based on the audit work performed, to state if they feel that the financials are free from material errors.  This is not specific to anti-money laundering.  The audit report refers to the company’s financial risk and fraud risk, among many other topics, to give your financial service provider more comfort over the financials they are reviewing to help lower your risk profile.  While we at Outlier aren’t accountants, and don’t perform this type of work, we’re happy to recommend accounting firms that have experience with audited financial statements, including our friends at Helen Loukatos Chartered Accountant, who’ve generously given us permission to link to this Money Service Businesses Audit FAQ.

Stepping It Up

All of this is relatively simple, but it takes time.  Consider it an investment in your business.  If you need a hand getting started, please feel free to contact us.

Return to Blog Listing