PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

Preparing For An iGaming AML Compliance Effectiveness Review

Written with Heidi Unrau

 

iGaming Ontario is celebrating two years in the province. But before your online gaming (iGaming) business can launch, you must register with the Alcohol and Gaming Commission of Ontario (AGCO). This government body regulates gaming activities in Ontario to ensure the industry operates above board and does not become a breeding ground for illicit activity. iGaming refers to casino-like games that are played over the internet such as Blackjack, Roulette, Poker, and Slot Machines.

As part of the registration process, you must establish an anti-money laundering (AML) program that complies with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and passes a gap analysis, also known as an effectiveness test. If your AGCO registration is successful, your compliance responsibilities don’t stop there.

You must then sign a non-disclosure agreement (NDA) and enter into an operating agreement with Internet Gaming Ontario (iGO). This watchdog organization oversees registered iGaming operators to make sure they consistently fulfill all regulatory obligations, including AML compliance. Here’s what to know about the role of AML in the iGaming registration process and how to set yourself up for long-term success.

Know Your AML Obligations For Registration

Anti-money laundering regulations are designed to prevent money laundering, terrorist financing, and other illegal activity, hence the name. If you plan to operate an iGaming business in Ontario, the AGCO requires you to comply with the Registrar’s Standards for Internet Gaming. These standards include specific AML responsibilities to minimize illegal activity. They typically include, at a high level, but are not limited to:

  • Having documented policies & procedures
  • Designating a Compliance Officer
  • Establishing a training program for all relevant employees
  • Conducting audits & reviews
  • Identifying & verifying customers
  • Risk ranking customers
  • Monitoring transactions
  • Transaction reporting
  • Record keeping

Your AML program must pass a gap review, which is essentially an effectiveness test. This test is a mandatory part of your AGCO registration process to demonstrate that your AML compliance program meets regulatory standards and can function effectively once your platform is live.

Your iGO Operating Agreement

After successfully registering with AGCO, the next step is to execute an operating agreement with its subsidiary, iGO. This organization is responsible for overseeing and managing how private iGaming operators conduct themselves within the province of Ontario.

The iGO registration process requires you to provide a package of documents, templates, and confirmations related to your anti-money laundering and counter-terrorist financing responsibilities. You’ll be teaming up with iGO’s AML department for this part and the entire process takes approximately two weeks.

Your iGO registration is very similar to the AML component of your AGCO registration. iGO requires you to document your AML policies and procedures as part of the registration process. This documentation should outline measures for preventing and detecting money laundering and terrorist financing activities on your iGaming platform.

You will also need to demonstrate compliance with Canadian AML regulations established by regulatory authorities and iGO as the conduct managing entity.

iGO & Compliance Effectiveness Reviews

Once your iGaming platform is live, you are required to submit to an AML effectiveness review by an independent third party every two years as part of your iGO compliance obligations. The purpose of a regular, recurring review is to assess how well your AML program is working, identify weaknesses, and determine whether your business meets requirements. It is also a test to see if your business is doing what it says it’s doing.

A good effectiveness review should mimic a full-scope FINTRAC examination. As Canada’s financial intelligence unit, FINTRAC has the right to audit regulated entities at any time. In this case, iGO would be the direct subject of the examination and they would contact individual operators for specific documentation if necessary.

An effectiveness review not only ensures you remain compliant in your day-to-day operations, it also ensures you’re prepared in the event iGO is examined by FINTRAC.

Scope of the Review

Ongoing effectiveness reviews can include, but are not limited to:

  • Interview staff handling transactions to assess their understanding of policies, procedures, and reporting requirements.
  • Review a sample of records to check compliance with client identification policies.
  • Examine agreements with agents/vendors and review sample information they use for client identification.
  • Check if suspicious transactions were reported to FINTRAC within the required timeframe.
  • Verify application of risk assessment in client records.
  • Assess adequacy and consistency of ongoing monitoring in client records.
  • Confirm implementation of enhanced measures for high-risk clients.
  • Ensure adherence to proper record-keeping procedures.
  • Review and update risk assessment to align with current operations.
  • Update policies and procedures to comply with legislative requirements and reflect current business practices.

After a Review

Once an effectiveness review is complete, the results must be presented to senior management for sign-off. It should include a summary of the findings, a remediation plan, and the status of required changes.

Choosing an AML Program Reviewer

The right AML program reviewer is foundational to the integrity and effectiveness of your compliance program. They should have a deep understanding of the Canadian anti-money laundering and counter-terrorist financing requirements as well as the specific risks unique to the iGaming industry.

Your chosen reviewer needs to provide a comprehensive and objective assessment of the effectiveness of your AML program, with a final report that identifies deficiencies and includes an action plan for improvement. Therefore, you want a reviewer with relevant experience conducting AML reviews for similar businesses.

Need a Hand?

If you would like to engage Outlier to conduct your AML Compliance Effectiveness Review, have questions about your obligation, or need help creating, reviewing, or updating your AML program, reach out to us today.

First AML Compliance Effectiveness Review Timing

As a company that gets to work with a lot of startups, and existing companies entering the Canadian market, we get to help folks understand the regulatory landscape in Canada. One of the required elements of a Canadian compliance program is an AML Compliance Effectiveness Review. These reviews must be completed every two years at a minimum. You can think of it like an audit, but for compliance.

The purpose of an effectiveness review is to determine whether your AML compliance program has gaps or weaknesses that may prevent your business from effectively preventing, detecting and deterring money laundering and terrorist financing. Recently, we have seen an increased focus on Effectiveness Reviews during FINTRAC examinations. Specifically, on whether the review really tested the effectiveness of the compliance program as a whole (not just what you say you’re doing, but also what you’re actually doing). This has led to FINTRAC examiners requesting the working papers for completed effectiveness reviews where the report did not clearly describe how the effectiveness was tested and assessed. This is the main reason Outlier has started providing our working papers with the final report. This also provides a pretty good reference point for making sure you are meeting your regulatory expectations.

First Time for Everything

In previous engagements, Outlier has operated on the theory that the clock for when your first review was due stemmed from the MSB’s FINTRAC registration date. However, we were incorrect. It wasn’t until a recent conversation where the registration date preceded any customer transactions by six months, that really spurred on an official clarification from the regulator. The trigger for the 2-year clock to start ticking is not registration but “a registered MSB is required to create a compliance program once it engages in one or more of the MSB-related activities.” This means that the clock starts ticking after the MSB has conducted their first transaction.

Here is a PDF version of the policy interpretation we received from FINTRAC that you can keep for your records.

Potential Corrections

If we have completed a review for you in the past that has a commencement date prior to your first customer transaction, please feel free to reach out so we can amend your report to the proper date.

Upcoming Effectiveness Reviews

While this article talks about your first review, you must also be sure to initiate all subsequent reviews within 2 years of the start date of your previous review. Please note that this is based on the previous commencement date, not the date of completion or issuance of the final report.

Need a Hand?

If you are looking for an idea of pricing for an upcoming review or have questions about a review that is currently underway, please feel free to contact us.

Is Your MSB Ready for a FINTRAC Exam?

Rodney_MSB2
We get a lot of questions about examinations conducted by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). While we’re happy to be able to help our customers in their examinations (you can check out our free resources for FINTRAC exams here), the responsibility during the examination will rest with the money services business (MSB), mainly with the MSB’s Compliance Officer.

FINTRAC’s expectations have changed dramatically, since MSB’s were first required to comply with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its enacted regulations. In 2015, we noticed that there was a dramatic shift in focus of MSB examinations. FINTRAC’s examiners were much more interested in detailed procedures (documents that describe how MSBs are complying with the PCMLTFA and regulations), and the Risk Based Approach.

One of the most important things that MSBs can do to ensure that their AML compliance programs are up to date, and at the same time, prepare for FINTRAC examinations, is to read FINTRAC’s published guidance. Two important guidance topics published in 2015 are, the Risk-Based Approach Guide (this guide describes what is the risk-based approach) and the Risk-Based Approach Workbook for MSBs (this workbook is for MSBs looking to implement a risk-based approach). While guidance published by FINTRAC doesn’t carry the weight of law or regulation, it does provide valuable insight about FINTRAC’s expectations.

Another excellent source of information is FINTRAC’s published Policy Interpretations. These are FINTRAC’s official answers to questions asked by MSBs and other reporting entities.

In Person & Desk Examinations

Whether the FINTRAC exam is in person or desk (conducted by phone) examinations, they follow very similar formats. The key difference is the regulator’s ability to request additional operational data during onsite examinations.

It is ok for you to take notes throughout the examination process (and we recommend that you do). You are permitted to have a lawyer, consultant or other representative with you (if you do, FINTRAC will request that you complete the Authorized Representative Form in advance). While your representative cannot generally answer questions on your behalf, they can prompt you if you are nervous or stuck, and help you to understand what is being asked of you, if it is not clear.

If you do not speak English and/or French fluently, we highly recommend that you have a person present who can translate questions and responses for you.

If you are not certain what the examiner is asking for, you should always ask for clarification before answering.

For in person examinations, do not invite the examiner to have a pint, lunch or even a coffee. FINTRAC has very strict policies around bribery, to the extent that if I am out socially with an acquaintance who works for FINTRAC, I cannot pay for their tea. It may feel a little bit “over the top”, not to be able to extend these courtesies, but don’t be offended – it’s not you, it’s policy.

The Introduction

The examiner will provide a brief overview of the examination process as a formal opening to the examination. At the end of this introduction, the examiner will ask if you have any questions. At this point, it can be useful to provide a very brief (five minutes maximum) overview of your business.

Your introduction should reflect the materials that you have already submitted to FINTRAC (which ideally included an opening letter that described anything about the business that would not be readily apparent to the examiner, or anything that you believe could be misunderstood). Key facts about your business include:

  • Your corporate structure and ownership;
  • The types of products and services that are offered / types of transactions that are conducted;
  • Where your offices, agents and customers are located;
  • How you connect with and your customers; and
  • Anything significant that has changed since your last FINTRAC examination.

This synopsis must be very brief. If there is anything that is complex, it should be included as an explanation in your initial package (preferably in a simplified chart form – for example an ownership structure chart).

The examination will then begin. At the end of each section, the examiner will ask if you have any questions and let you know whether there are any deficiencies.

Part 1 – FINTRAC MSB Registration

In this part, FINTRAC will go through your MSB registration field by field and confirm that the information is accurate. The most common errors that we have seen are:

  • Not listing a trade name/operating name;
  • Not listing all relevant locations;
  • Listing bank accounts that are inactive or not listing bank accounts that are active;
  • Not including MSB or agent relationships (either buying from or selling to another MSB);
  • Incomplete ownership information; and
  • Senior Management and/or Compliance Officer information, that is out of date.

Although it is not technically part of the registration, some examiners will ask about the Compliance Officer’s responsibilities/duties at this stage.

Failure to update the MSB registration in the “prescribed form and manner” is the single most common deficiency for MSBs from 2008 to the present, accounting for deficiencies in 61% of examinations (according to FINTRAC data released in 2015).

Part 2 – Compliance Policies & Procedures

In this part, FINTRAC will ask questions about the policy and procedure documents that you have provided in advance of the examination. There are a few standard questions that are generally asked:

  • Who wrote the policies and procedures?
  • Were the versions submitted to FINTRAC the most recent versions?
  • When were they updated?
  • When and how do you identify your customers?
  • How do you ensure that identification is up to date?
  • How do you monitor transactions?
  • How do you recognize, document and monitor “business relationships” (note: this is any time that you have either an ongoing service agreement with a customer and/or your customer has performed two or more transactions that require identification).
  • What are indicators of a suspicious transaction?

The examiner will also ask a number of questions based on the documents that you have submitted, including questions about compliance-related processes.

Part 3 – Risk Assessment

In this part, FINTRAC will focus on your Risk Based Approach, asking specific questions about the Risk Assessment and related documents that you have provided in advance of your examination. Again, there are some common questions that are asked:

  • Do you have any high-risk customers or business relationships?
  • What factors do you consider in determining that a customer or business relationship is high risk?
  • How are customer due diligence and enhanced due diligence different (both generally, and in your processes and documentation)?

Most additional questions will be related to risk management processes. For example, it has been common in the last few months for examiners to ask if a customer or transaction could be rejected (“Yes, if it was outside of our risk tolerance.”)

This may also lead to questions about whether or not an Attempted Suspicious Transaction Report (ASTR) or Suspicious Transaction Report (STR) was filed. If there were reasonable grounds to suspect money laundering or terrorist financing, the answer should be yes, if not, you should explicitly say, “There were not reasonable grounds to believe that this event was related to money laundering or terrorist financing” then provide an explanation.

Part 4 – Operational Compliance & Reporting

In this part, the examiner will ask questions about specific transactions. Some of the cases that you must be ready to explain are:

  • A reportable transaction (generally an electronic funds transfer or EFT) was reported by another reporting entity;
  • A transaction matches an indicator of potentially suspicious activity (if there were reasonable grounds to suspect money laundering or terrorist financing, the answer should be yes, if not, you should explicitly say that “there were not reasonable grounds to believe that this event was related to money laundering or terrorist financing” then provide an explanation); and
  • Business relationships and ongoing monitoring (in particular, if this did not occur earlier in the examination).

During a desk examination, the examiners do not request additional materials.

During onsite examinations, it has become commonplace for examiners to request additional materials. These are generally related to:

  • Business relationships;
  • Ongoing monitoring (including the monitoring of business relationships),
  • High risk customers;
  • Enhanced due diligence; and
  • Other risk-based processes.

Be clear with the examiner about what can be extracted easily from your IT systems, and in the case that data cannot be extracted easily, be prepared to show the examiner an example (or several). If your system has an “auditor access” feature (generally read only access with search capability), it can be useful to set this up in advance of the onsite visit.

Exit Interview

Congratulations – you’ve made it to the finish line!

At this point, the examiner will sum up the findings (if there are any), and read a standard disclosure statement. For most of us, the disclosure statement is terrifying, as it talks about penalties. This is standard process – do not be alarmed. When the examiner has finished, you may ask if a penalty is being recommended (if you’re a worrier, please do this). Not all FINTRAC examiners will provide guidance at this stage, but it doesn’t hurt to ask.

The examiner will let you know when to expect a formal letter (generally within 30 days of the end of an examination).

After the Examination

You will receive a formal letter that details FINTRAC’s findings, as well as whether or not an Administrative Monetary penalty (AMP) is being recommended. In the case that there is a potential penalty, we recommend taking action as soon as possible). In most cases, FINTRAC does not require MSBs to submit an action plan (but your bank might still require that you do this, and it’s a good idea to keep a record of the actions that you’ve taken to correct any deficiencies).

Need a Hand?

If you are an MSB that needs compliance assistance preparing for an FINTRAC exam, remediating findings, or setting up an AML compliance program, please contact us.

Return to Blog Listing