Anti-Money Laundering
Consulting Services & Strategies

FINTRAC Examinations for the Real Estate Sector

We often hear friends and clients in the real estate sector say they are unsure what to expect if (and when) the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) notifies them of an examination. This article is meant to provide guidance on what to expect and how to ensure a smooth review.

Background

In 2019–20, FINTRAC conducted 399 compliance examinations, of which 146 were focused on the real estate sector [1]. The real estate sector has been the main focus for FINTRAC examinations since 2017 due to the growing concern about money laundering taking place in the Vancouver, Toronto and Montreal real estate markets.

For the purpose of assessing compliance, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act gives FINTRAC the authority to inquire into the business of any regulated entity.

FINTRAC examinations are reviews of your compliance program (what you say you are doing to stay in compliance) and your operations (what you’re actually doing to stay in compliance). These exams can take place at any time and should not be confused with your obligation to have an AML Effectiveness Review at least once every two years. FINTRAC examinations can take place in-person onsite at your office, at a FINTRAC office, or over the phone. FINTRAC will provide advance notice of an examination, which is scheduled by telephone and confirmed by letter [2]. Note, due to the COVID-19 pandemic, FINTRAC is not currently conducting onsite examinations [3].

I Have Received Notice of an Exam. Now What?

FINTRAC will request that documentation be submitted to them, including your compliance policies and procedures, assessment of risks of money laundering and terrorist financing, measures to mitigate high risks, samples of transaction documentation, and other documents. Based on FINTRAC’s areas of review, the below is a sample list of what you can expect to provide. We have also created a more detailed version of the list which you can find here.

  • Most recent version of compliance policies and procedures;
  • Most recent version of your documented risk assessment;
  • Copy of the last two documented internal and/or external reviews of your compliance program (this may include the reviewer’s working papers as well);
  • Training program and records;
  • Organizational Chart;
  • Financial Statements;
  • Number of full-time and part-time employees/sales representatives;
  • All suspicious and attempted suspicious transaction records;
  • A list of all closed deals related to the sale/purchase of real estate;
  • In-Trust bank account records; and
  • Large cash transaction records.

You will generally have 30 days to provide all requested documentation to FINTRAC. It’s a good idea to read through the request carefully before you begin your preparation.

Whether you are submitting your materials on paper or in electronic format, it is a good idea to create folders or cover pages for each item that FINTRAC has requested. This creates separate sections for each item and helps you to stay organized. A missed item usually can’t be submitted once the deadline has passed, and can result in deficiencies. We’ve created a sample format for your submission package that you can download for free here.

The Exam

Whether the FINTRAC exam is in-person, at their office or over the phone, they follow very similar formats. The key difference is the regulator’s ability to request additional operational data during onsite examinations.

It is ok for you to take notes throughout the examination process (and we recommend that you do). You are permitted to have a lawyer, consultant or other representative with you (if you do, FINTRAC will request that you complete the Authorized Representative Form in advance). While your representative cannot generally answer questions on your behalf, they can prompt you if you are nervous or stuck, and help you to understand what is being asked of you if it is not clear.

The Introduction

The examiner will provide a brief overview of the examination process as a formal opening to the examination. At the end of this introduction, the examiner will ask if you have any questions. At this point, it can be useful to provide a very brief (five minutes maximum) overview of your business.

Your introduction should reflect the materials that you have already submitted to FINTRAC (which ideally included an opening letter that described anything about the business that would not be readily apparent to the examiner, or anything that you believe could be misunderstood). Key facts about your business include:

  • Your corporate structure and ownership;
  • The types of products and services that are offered/types of transactions that are conducted;
  • Where your offices, agents and customers are located;
  • How you connect with your customers; and
  • Anything significant that has changed since your last FINTRAC examination.

This overview should be simple and brief.  At this point, the examination will then begin. At the end of each section, the examiner will ask if you have any questions and let you know whether there are any deficiencies.

Compliance Policies & Procedures

During this part, FINTRAC will ask questions about the policy and procedure documents that you have provided in advance of the examination. There are a few standard questions that are generally asked:

  • Who wrote the policies and procedures?
  • Were the versions submitted to FINTRAC the most recent versions?
  • When were they last updated?
  • When and how do you identify your customers?
  • How do you ensure that identification is up to date?
  • How do you monitor transactions?
  • How do you recognize, document and monitor “business relationships” (note: this is any time that you have either an ongoing service agreement with a customer and/or your customer has performed two or more transactions that require identification [4]).
  • What are indicators of a suspicious transaction?
  • The examiner will also ask a number of questions based on the documents that you have submitted, including questions about compliance-related processes.

Risk Assessment

During this part, FINTRAC will focus on your Risk Based Approach, asking specific questions about the Risk Assessment and related documents that you have provided in advance of your examination. Again, there are some common questions that are asked:

  • Do you have any high risk customers or business relationships?
  • What factors do you consider in determining that a customer or business relationship is high risk?
  • How are customer due diligence and enhanced due diligence different (both generally, and in your processes and documentation)?

Most additional questions will be related to risk management processes. For example, it has been common in the last few months for examiners to ask if a customer or transaction could be rejected (“Yes, if it was outside of our risk tolerance”).

This may also lead to questions about whether or not an Attempted Suspicious Transaction Report (ASTR) or Suspicious Transaction Report (STR) was filed. If there were reasonable grounds to suspect money laundering or terrorist financing, the answer should be yes. If not, you should explicitly say “There were not reasonable grounds to believe that this event was related to money laundering or terrorist financing”, then provide an explanation.

Operational Compliance & Reporting

During this part, the examiner will ask questions about specific transactions/deals. Some of the cases that you must be ready to explain are:

  • A transaction matches an indicator of potentially suspicious activity (if there were reasonable grounds to suspect money laundering or terrorist financing, the answer should be that you filed an STR, if not, you should explicitly say that “there were not reasonable grounds to believe that this event was related to money laundering or terrorist financing”, then provide an explanation);
  • Questions related to receipt of funds and large cash transactions; and
  • Business relationships and ongoing monitoring (in particular, if this did not occur earlier in the examination).

During a desk examination, the examiners typically do not request additional materials.

During onsite examinations, it has become commonplace for examiners to request additional materials. These are generally related to:

  • Business relationships;
  • Ongoing monitoring (including the monitoring of business relationships);
  • High risk customers;
  • Enhanced due diligence; and
  • Other risk-based processes.

Be clear with the examiner about what can be extracted easily from your IT systems, and in the case that data cannot be extracted easily, be prepared to show the examiner an example (or several). If your system has an “auditor access” feature (generally read-only access with search capability), it can be useful to set this up in advance of the onsite visit.

Exit Interview

Congratulations – you’ve made it to the finish line!

At this point, the examiner will sum up the findings (if there are any), and read a standard disclosure statement. For most of us, the disclosure statement is terrifying, as it talks about penalties. This is standard process – do not be alarmed. When the examiner has finished, you may ask if a penalty is being recommended (if you’re a worrier, please do this). Not all FINTRAC examiners will provide guidance at this stage, but it doesn’t hurt to ask.

After the Exit Interview

After the examination and exit interview, generally within 30 days, you will receive a formal letter that details FINTRAC’s findings. The letter will state one of these possibilities:

  • No further compliance or enforcement action;
  • Possible follow-up compliance action; or
  • A recommendation for an enforcement action, such as an administrative monetary penalty (AMP).

In the case that there is an AMP imposed, we recommend taking action as soon as possible. In most cases, FINTRAC does not require real estate brokers and sales representatives to submit an action plan.

We’re Here To Help

If you need assistance preparing for a FINTRAC exam or have any compliance questions in general, please contact us.

 

 

[1] https://www.fintrac-canafe.gc.ca/publications/ar/2020/1-eng

[2] FINTRAC considers the date on which you are advised of an examination, which is typically done by phone, to be the start of the compliance examination process.

[3] https://www.fintrac-canafe.gc.ca/covid19/covid-2020-07-27-eng

[4] Effective June 1, 2021 a business relationship will be defined as either entering into an ongoing service agreement with a customer and/or your customer has performed one or more transactions that require identification.

Changes to PIPEDA, Canada’s Private-Sector Privacy Law

Background

On November 17, 2020, Bill C-11, the Digital Charter Implementation Act, 2020 was introduced. If passed, the proposed Act would repeal part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and a new Consumer Privacy Protection Act (CPPA) would regulate the way in which personal information is collected, used and disclosed by private sector organizations in the course of their commercial activity.

The bill would also create an administrative tribunal to hear appeals of decisions made by the Privacy Commissioner of Canada and impose penalties. Currently, such appeals are heard in federal court.

As technology continues to evolve, the proposed Act is meant to protect Canadians by creating and enhancing current obligations, including:

  • Increasing control and transparency when Canadians’ personal information is handled by companies;
  • Giving Canadians the freedom to move their personal information from one organization to another;
  • Ensuring that Canadians have the ability to request that their personal information be destroyed;
  • Providing the Privacy Commissioner with broad order-making powers, including the ability to force an organization to comply; and
  • Fines of up to 5% of revenue or $25 million.

What Will Change?

The proposed Act brings about many changes. Highlighted below are what we feel are some of the most significant:

Privacy Program: Organizations would be required to maintain a privacy management program setting out policies and procedures the organization takes to protect and deal with personal information. The Office of the Privacy Commissioner (OPC) could request these procedures at any time.

Consent: The Act adopts elements of the OPC Guidelines for obtaining meaningful consent, creating transparency requirements.

Exceptions: The Act defines a list of “business activities” for which an organization can process personal information without consent.

Transfers to Service Providers: The Act would establish that consent is not required to transfer personal information to a service provider.

Automated Decision-Making: If an organization uses an “automated decision system”, under the Act, they must ensure that how a prediction, recommendation or decision about a person is made is documented.

Data Mobility: The Act would allow that on the request of an individual, an organization must, as soon as feasible, disclose the personal information it has on file of the individual to another organization if those organizations are subject to a “data mobility framework”.

Disposal of PI: The Act would provide individuals with an explicit right to request the deletion of their personal information.

Revised OPC powers: The OPC would have the authority to issue enforcement orders and recommend penalties. Currently, the OPC only has the power to recommend measures after an investigation.

Private Right of Action: The Act would allow individuals to sue companies within two years following a regulatory investigation. The individual would have to prove loss in order to recover damages.

Codes of practice and certification: The Act would allow for the creation of codes of practice and certification programs to facilitate compliance with the Act, which would be subject to approval by the OPC.

What Do We Do?

For now, we wait but plan for changes to your privacy program in the years ahead. If the bill is passed, the draft legislation will be open for a comment period in which you are encouraged to submit comments. The OPC released a statement on November 19, 2020 related to the bill. Our guess is we will see amendments based on the OPC’s statement.

We’re Here To Help

If you have questions related to this or privacy legislation in general, please contact us.

The Iran Ministerial Directive’s Impact

Quick Overview

On July 25, 2020, a new Ministerial Directive (MD) was published in the Canada Gazette by the Minister of Finance on financial transactions associated with the Islamic Republic of Iran.  On July 27, 2020, FINTRAC issued guidance on how to incorporate the MD into your anti-money laundering (AML) program, along with some indicators for determining if a transaction is associated with Iran. This MD requires that every transaction originating from or bound for Iran be treated as high risk, regardless of the amount. This includes identifying every client, performing customer due diligence, and recording certain information. It is vital that your AML compliance program documentation contains internal processes related to MDs, even if you do not conduct transactions with Iran (or North Korea, based on the previous MD issued December 9, 2017).

What is a Ministerial Directive?

MDs are specific requirements imposed by the Minister of Finance that are meant to mitigate risks associated with activities that pose elevated risk and safeguard the integrity of Canada’s financial system. To date, these areas of elevated risk have been identified by the Financial Action Task Force (FATF) as posing strategic deficiencies with regards to international standards for anti-money laundering and counter terrorist financing.

What does this Ministerial Directive require?

The guidance from FINTRAC states that every bank, credit union, financial services cooperative, caisse populaire, authorized foreign bank and Money Services Business (MSB) must:

  • Treat every financial transaction originating from or bound for Iran, regardless of its amount, as a high-risk transaction;
  • Verify the identity of any client (person or entity) requesting or benefiting from such a transaction;
  • Exercise customer due diligence, including ascertaining the source of funds in any such transaction, the purpose of the transaction and, where appropriate, the beneficial ownership or control of any entity requesting or benefiting from the transaction;
  • Keep and retain a record of any such transaction;
  • Determine whether there are reasonable grounds to suspect the commission or attempted commission of a money laundering or terrorist financing offence and report all suspicious transactions to FINTRAC;
  • Report all other reportable transactions (if applicable).

To be clear, this MD does not apply to transactions where there is no suspicion or explicit connection with Iran and there is no evidence of the transaction originating from or being bound for Iran. A couple of examples were provided in the FINTRAC Guidance:

  • A client who has previously sent funds to Iran requests an outgoing EFT, where the transaction details do not suggest that this transaction is bound for Iran and you are unable to obtain further details about the transaction destination; or
  • The client’s identification information is the only suggestion of a connection to Iran (for example, a transaction where the conductor’s identification document is an Iranian passport).

What does it mean to you?

It is important to understand that even if your business does not facilitate transactions involving Iran, it is expected that you have a process in place for adhering to MDs, including how the Compliance Officer stays up to date. Within your AML compliance program documentation, you need to have a section that talks about MDs generally, plus specific procedures related to handling the current MDs (transactions involving Iran and North Korea). In the FINTRAC guidance related to this MD, it states that during an examination, FINTRAC will assess your compliance with MDs and failures to do so are considered very serious and may result in a penalty.

What now?

In order to ensure familiarity for anyone who interacts with customers and their transactions, the list of FINTRAC’s indicators should be communicated immediately.  Furthermore, the indicators should also be included in your procedure manuals and annual AML compliance training topics, allowing easy access to the information. Documenting the information and related processes for MDs is very important so you can demonstrate to FINTRAC your adherence to the requirements during an examination.

Need a hand?

We’ve made it easier for you to integrate this content into your program by putting the information into a Word document for you. If you aren’t sure what to do with this information and would like some assistance, please feel free to contact us.

Information Should Be Free!

Outlier has produced open-source AML and CTF, and Privacy, repositories of definitions, acronyms, and terminology that are free for whoever wants them.

Please feel free to provide contributions and/or feedback, as it would be greatly appreciated. We have already had three contributors!

Discombobulated

About a year ago, we had a client who was interacting with the world of Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF) for the first time. They were aggravated by the amount of jargon, acronyms, and uncommon uses of certain commonly understood terms. An example is a business relationship. Those of you that are relatively familiar with the AML space know a business relationship doesn’t mean what the rest of the world thinks it means. In Canada, in the AML context, it means something very different.

A Helping Hand

At the time, they wished for a simple reference point where they could easily find the meaning for different terms. Unfortunately, this entails combing multiple locations, including FINTRAC’s website, plus the Act and Regulations themselves. To make a long story short, there is no easy way. Fed up, they (not so) gently suggested that we (Outlier) fix this. Their idea was creating a GitHub repository.

For those unfamiliar with GitHub, it is a web-based hosting service for version control. It is mostly used for computer code, but has also been used to write and edit books. It offers access control and several collaboration features. A GitHub repository is where the code and/or information is maintained for a specific project. This process is fairly simple to someone who is a coder with years of experience working with GitHub. For myself, this was not so simple. A year later, almost to the day, the repository is created, open and available to the public. There is no need to be scared, you are able to comment and make suggestions without knowing how to code at all. If you can’t figure out how to provide commentary in GitHub, send it to us via email at info@outliercanada.com with the subject line “GitHub Feedback.”

The Power of Collaboration

The (not so) gentle nudge meshed well with one of Outlier’s core beliefs: that information should be free. By collecting the information, housing it in GitHub, and making it available to anyone, we are able to provide free information to everyone who wants it. By making information free and public, it gives others the opportunity to make suggestions, add content, and improve the quality of the information.

What Happens When We Work Together?

By sharing this open-source project with the world, we are looking to empower anyone willing to be empowered: from the client who is interacting with the world of AML for the first time, to the seasoned veteran who is looking for helpful resources, to the person who wants to provide their customer with a helpful resource. Take the information and do what you wish with it. If you would like to attribute Outlier, awesome! If not, that’s ok too. Our only request is this should never be provided for a fee.

Have a Question?

If you looked at the resource and are curious about how to make a contribution, please feel free to contact us anytime. Contributions can include anything from corrections and suggestions, to the addition of different jurisdictional definitions, specifically the European perspective.

This is not a solicitation (but we do get this request often). Should you want to provide a tip in BTC or ETH, our addresses are listed below.

To open a channel with our Lightning Node, our address is: 03acb418d5b88c0009cf07d31ec53d0486814bc77917c352bd7e952520edf7bf3c@99.236.76.38:9735

or you can use Tippin.Me.

Bitcoin: 3AqYJQhfKYCde7syKKqTJJPdLs6M5CbWkR
Ethereum: 0x03CDF23a2Eb070F2c79De5B2E6FB90671D3c70fE

FINTRAC Alert – Laundering the Proceeds of a Romance Scam

Quick Overview

On April 11th, 2019, FINTRAC published an Operational Alert issued in part with the Canadian Anti-Fraud Centre.  The information provided related to laundering the proceeds of romance scams and mass marketing fraud. The publication provided an explanation of what constitutes a romance scam, some common indicators that may be present and transaction patterns or flow of funds that may suggest fraud.

What Does it Mean?

The suspicious indicators provided by FINTRAC list circumstances or activities that might signal potential cases of individuals caught in a romance scam or the subject of a mass marketing fraud. This does not mean that if one or more of the indicators are present that the transaction is definitely suspicious and must be reported to FINTRAC. It is meant to ensure that you are aware of the potential that suspicious activity may be taking place. In that context, if you are involved in customers’ transactions, whether on the front lines or in back office, you must be aware of the indicators in the alert. If you do encounter a transaction that may be considered unusual, you should attempt to collect additional information that will aid in the Compliance Officer’s decision to report it or clearly document why it was not considered suspicious. Where the Compliance Officer makes the decision to report the transaction to FINTRAC as suspicious, be sure to include “Project CHAMELEON” or “#CHAMELEON” in Part G—Description of suspicious activity in the STR. This will help to facilitate FINTRAC’s disclosure process.

What Now?

In order to ensure familiarity for anyone who interacts with customers and their transactions, the list of FINTRAC’s indicators should be included in your ongoing AML compliance training program. Furthermore, the indicators should also be included in your procedure manuals, allowing easy access to the information. Finally, the indicators should be incorporated into your Risk Assessment documentation, specifically when determining customer risk and the controls used to effectively mitigate potential risks.

We’ve made it easier for you to integrate this content into your program by putting the indicators in a Word document for you.

Need a Hand?

Outlier has taken the list of indicators provided by FINTRAC and formatted them into an easy to use Microsoft Word document, which can be found here.  This should allow companies to easily update their documentation and ensure they are sufficiently monitoring for potential instances of romance scams or mass marketing fraud. If you aren’t sure what to do with this information and would like some assistance, please feel free to contact us.

Technology and Cyber Security Incident Reporting

Cyber security incidents continue to be a hot topic for regulators. Late last year, the federal Breach of Security Safeguards Regulations came into force, which require organizations to report to the Office of the Privacy Commissioner (OPC) any breach of security safeguards involving personal information under their control where the breach creates a “real risk of significant harm”. Last week, the Office of the Superintendent of Financial Institutions (OSFI) published an advisory, Technology and Cyber Security Incident Reporting, which sets out OSFI’s expectations for Federally Regulated Financial Institutions (FRFIs) with respect to the reporting of technology and cyber security incidents. The advisory becomes effective on March 31, 2019.

OSFI’s advisory defines a technology or cyber security incident as an event that has the “potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information”. The advisory goes on to give guidance on what a reportable incident may look like:

  • Significant operational impact to key/critical information systems or data;
  • Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
  • Significant operational impact to internal users that is material to customers or business operations;
  • Significant levels of system/service disruptions;
  • Extended disruptions to critical business systems/operations;
  • Number of external customers impacted is significant or growing;
  • Negative reputational impact is imminent (e.g., public/media disclosure);
  • Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
  • Significant impact to a third party deemed material to the FRFI;
  • Material consequences to other FRFIs or the Canadian financial system;
  • A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.

Unlike the Breach of Security Safeguards Regulations, which apply to all companies operating in Canada, OSFI’s advisory applies only to FRFIs. These include banks and insurance companies.

How Do the Reporting Obligations Differ?

Incidents that need to be reported to the OPC focus on “a breach of security safeguards” involving personal information, where it is reasonable to believe that the breach creates a “real risk of significant harm” by assessing factors such as the sensitivity of the personal information involved, and the probability of misuse. Incidents should be reported as soon as feasible.

Incidents that need to be reported to OSFI focus on operational impact to the integrity or availability of information systems. Items to be looked at include things such as service disruptions, as well as impacts to critical deadlines related to financial market settlement, payment systems, soundness of business etc. These incidents may or may not include personal information. The OSFI advisory does state one of the considerations for reporting is if the incident has been reported to the OPC. Incidents should be reported as soon as possible, but no later than 72 hours after determining an incident has occurred.

It is possible (even probable) that a FRFI would need to report an incident to both the OPC and OSFI. While organizations that are not FRFIs are not required to report to OSFI, the advisory may still contain useful guidance in thinking about security, breaches, and best-practices for breach response.

Below is a comparison chart noting the differences (or similarities) between reporting obligations:

Who does it apply to?

  • Breach of Security Safeguards Regulations: All Organizations.
  • OSFI Advisory: All Federally Regulated Financial Institutions.

Who is a breach reported to?

  • Breach of Security Safeguards Regulations: The organization must report the breach to the OPC, but also notify affected individuals.
  • OSFI Advisory: The FRFIs must report the breach to its Lead Supervisor as well as TRD@osfi-bsif.gc.ca

When is a breach reported?

  • Breach of Security Safeguards Regulations: As soon as feasible after the organization determines the breach has occurred.
  • OSFI Advisory: As soon as possible, but no later than 72 hours after determining an incident has occurred.

What type of breach is reported?

  • Breach of Security Safeguards Regulations: A breach of security safeguards involving personal information where the breach creates a “real risk of significant harm”.
  • OSFI Advisory: Incidents that have a material operational impact to the integrity or availability of information systems.

What type of information must be included in the report?

Breach of Security Safeguards Regulations:

  • A description of the circumstances of the breach and, if known, the cause;
  • The day or the period in which the breach occurred;
  • A description of the personal information that was involved in the breach;
  • An estimate of the number of individuals impacted – where the breach creates a real risk of significant harm;
  • The steps that the organization has taken to reduce the risk of harm to the impacted individuals;
  • The steps that the organization has taken, or will take, to notify impacted individuals; and
  • The name and contact information of a person the OPC can liaison with.

OSFI Advisory:

  • Date and time the incident was assessed to be material;
  • Date and time/period the incident took place;
  • Incident severity and type (e.g. DDoS, malware, data breach, extortion);
  • A description of the incident (including known direct/indirect impacts, the number of clients impacted etc.);
  • Primary method used to identify the incident;
  • Current status of incident;
  • Date for internal incident escalation to senior management or Board of Directors;
  • Mitigation actions taken or planned;
  • Known or suspected root cause; and
  • Name and contact information for the FRFI incident executive lead and liaison with OSFI.

 

We’re Here To Help

If you have questions about this new advisory related to your reporting obligations for technology and cyber security incidents, or compliance in general, please contact us.

Meaningful Consent

The Office of the Privacy Commissioner of Canada’s Guidelines for obtaining meaningful consent became effective on January 1, 2019. The new guideline builds on previous work examining the current state of consent in Canada (see Background section below), and is meant to help businesses distinguish between the things an organization “must do” to obtain meaningful consent and the things an organization “should do” related to consent.

The guideline comprises seven guiding principles for obtaining meaningful consent. These are:

  1. Emphasize key elements (What personal information is being collected, with whom personal information is being shared, for what purposes personal information is collected, used or disclosed and risk of harm and other consequences);
  2. Allow individuals to control the level of detail they get and when;
  3. Provide individuals with clear options to say ‘yes’ or ‘no’;
  4. Be innovative and creative;
  5. Consider the consumer’s perspective;
  6. Make consent a dynamic and ongoing process; and
  7. Be accountable: Stand ready to demonstrate compliance.

Consent – Must Dos

The new guideline lists the following things an organization must do in order to meet its obligations related to consent:

  1. Make privacy information readily available in complete form, while giving emphasis or bringing attention to the four key elements (what personal information is being collected, with sufficient precision for individuals to meaningfully understand what they are consenting to; with what parties personal information is being shared; for what purposes personal information is being collected, used or disclosed, in sufficient detail for individuals to meaningfully understand what they are consenting to; and risks of harm and other consequences).
  2. Provide information in manageable and easily-accessible ways.
  3. Make available to individuals a clear and easily accessible choice for any collection, use or disclosure that is not necessary to provide the product or service.
  4. Consider the perspective of your consumers, to ensure consent processes are user-friendly and generally understandable.
  5. Obtain consent when making significant changes to privacy practices, including use of data for new purposes or disclosures to new third parties.
  6. Only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate, under the circumstances.
  7. Allow individuals to withdraw consent (subject to legal or contractual restrictions).

There are also requirements related to the form of consent and consent for children under the age of 13. 

Background

The new guideline builds on previous publications examining the current state of consent.

In May 2016, the Office of the Privacy Commissioner of Canada (OPC) published a discussion paper exploring potential enhancements to the Personal Information Protection and Electronic Documents Act (PIPEDA). The paper asked organizations, individuals and other interested parties to provide comments related to key issues and potential solutions to the consent model as currently formulated.

On June 15, 2017 the Office of the Privacy Commissioner of Canada (OPC) published a report on qualitative public opinion research conducted with Canadians on the issue of consent under the PIPEDA. The purpose of the research was to understand Canadians’ opinions, attitudes, and concerns with respect to consent.

It was noted that the question of consent became a recurring theme in discussions and emerged as the key measure used by participants for assessing what are acceptable or not acceptable uses of personal information by companies. There was widespread agreement among participants that consent implies both understanding and acceptance of terms and conditions related to the collection and use of their personal information.

On September 21, 2017, the OPC also published their Report on Consent in their 2016-17 Annual Report to Parliament. The report outlined recommendations to address consent challenges posed by the digital age.

Keep In Mind

Consent is one of the foundational elements of PIPEDA. To ensure your organization is always meeting requirements related to consent, you should be able to answer yes to (and provide evidence for) the following questions from the OPC’s PIPEDA Self-Assessment Tool related to consent, regardless of the types of products or services you offer:

  • You obtain customer consent for any collection, use or disclosure of personal information.
  • If you don’t obtain customer consent for the collection, use and disclosure of personal information, you have determined that it is not required under s.7 of PIPEDA.
  • You make reasonable efforts to ensure that clients and customers are notified of the purposes for which personal information will be used or disclosed.
  • You do not require clients and customers to consent to the collection, use or disclosure of personal information beyond what is necessary to fulfill explicitly specified and limited purposes as a condition of supplying a product or service.
  • You assess the purposes and limit the collection, use and disclosure of personal information when it is required as a condition for obtaining a product or service.
  • You obtain consent through lawful and fair means.
  • You allow a client or customer to withdraw consent at any time subject to legal or contractual restrictions and reasonable notice.
  • You inform clients and customers of the implication of the withdrawal of consent.
  • You consider the sensitivity and intended use of personal information, and the reasonable expectations of clients and customers in determining which form of consent (implied or expressed) you will accept for the collection, use and disclosure of personal information.

It is important to note that evidence of consent should be retained in a manner that is easily retrievable and easily sortable.  

We’re Here To Help

If you have questions about this new guideline regarding your consent obligations under PIPEDA, or compliance in general, please contact us.

Mandatory Breach Reporting under PIPEDA

Back in late 2017 we published an article on breach reporting. On November 1, 2018, the new provisions to the Personal Information Protection and Electronic Documents Act (PIPEDA) related to breach of security safeguards along with the Breach of Security Safeguards Regulations came into force.

The regulations require organizations to report to the Office of the Privacy Commissioner (OPC) and affected individuals, any breach of security safeguards involving personal information under its control, if it is reasonable to believe the breach creates a “real risk of significant harm”. Failure to report a breach is punishable by a fine of up to CAD 100,000.

On October 29, 2018, the OPC published the final guidance intended to assist organizations with the Breach of Security Safeguards Regulations. The guidance provides direction on how organizations can assess whether a breach creates a “real risk of significant harm” (the guidance provides a non-exhaustive list of the types of harm that will be considered significant) and provides a breach report form that organizations may use to report a breach to the OPC.

We’re Here To Help

If you have questions regarding how your organization will be impacted by these requirements, or any questions related to privacy legislation in general, please contact us.

Real Estate Sector – Identifying Individuals

We often hear friends and clients in the real estate sector say they are frustrated that there are not many ways to identify a customer other than meeting them face-to-face. Real estate developers, brokers and sales representatives have an obligation to ascertain a customer’s identity which requires them to refer to specific information and/or documentation to verify a customer’s identity.  However, this does not mean that identification must take place face-to-face. Below is a summary of all the different methods outlined in FINTRAC Guidance that are currently available to identify customers that are individuals and what’s coming.[1]

This article should not be considered advice (legal or otherwise). Throughout this article we refer to a purchaser of real estate as a customer, but you may refer to them as clients depending on your internal procedures. Also, your internal procedures may dictate what methods are acceptable in identifying a customer. If you are unsure what is acceptable within your organization, consult with your Compliance Officer.

Face-to-Face Identification for Individuals

When meeting customers face-to-face you may ask for a piece of identification that is:

  • Issued by a provincial, territorial or federal government in Canada or an equivalent foreign government (a foreign Passport would be acceptable for example);
  • Valid, not expired (if there is no expiry date this must be stated in the customer identification record);
  • Bears a unique identifier number (such as a driver’s license number);
  • Bears the name of the individual being identified;
  • Is an original (not a copy, photo, scan, video call, etc.); and
  • Bears a photo of the individual being identified.

Information that must also be collected and recorded includes things such as the customer’s full name (no initials, short forms or abbreviations), their occupation, date of birth, etc. The needed information is included in various fields on industry customer identification forms that are used so it is crucial they are complete and accurate.

Single Process Method

Under the single process method, a customer’s identity can be confirmed by completing a credit header match on their Canadian credit file, provided it has been in existence for at least three years and has at least two trade lines. This means there is no ‘hard hit’ impacting the customer’s credit score. This must be completed at the time of confirming a customer’s identity and cannot take place earlier or later. To be acceptable, the credit file details must match the exact name, date of birth and address provided by the customer. When using this method to confirm a customer’s identity, a record of the following information must be retained:

  • The customer’s name;
  • The name of the Canadian credit bureau holding the credit file;
  • The reference number of the credit file; and
  • The date the credit file was consulted.

Dual Process Method

Where the single process method provides information that does not match what the customer has provided and/or the credit file does not meet the requisite requirements, the dual process method can be used to identify that customer. This involves referring to information from reliable and independent sources; the information must be original, valid and the most recent. In order to qualify as reliable, the sources should be well-known and reputable. Reliable and independent sources can be the federal, provincial, territorial and municipal levels of government, crown corporations, financial entities or utility providers. It is important to note that independent means neither of the sources can be the same, nor can they be you or your business.

Documentation being used must be in its original form.  This makes electronic documents the preference because the customer can send the originals via email, while retaining a copy for themselves. You cannot accept documents that have been photocopied, scanned or faxed.

Under the dual process method, you can refer to any two of the following options:

  • Documents or information from a reliable source that contain the customer’s name and date of birth;
  • Documents or information from a reliable source that contain the customer’s name and address; or
  • Documents or information that contain the customer’s name and confirms that they have a deposit, credit card or other loan account with a financial entity.

The table below provides some examples of the sources and documents that can be referred to when confirming a customer’s identification. In order to meet the standards of the dual process method, two documents must be obtained, and they cannot both come from the same column.

 

Column A: Documents or information to verify name and address

Issued by a Canadian government body:

Any card or statement issued by a Canadian government body (federal, provincial, territorial or municipal):

  • Canada Pension Plan (CPP) statement;
  • Property tax assessment issued by a municipality; or
  • Provincially-issued vehicle registration.
  • Federal, provincial, territorial, and municipal levels.

CRA documents:

  • Notice of assessment;
  • Requirement to pay notice;
  • Installment reminder / receipt;
  • GST refund letter; or
  • Benefits statement.

Issued by other Canadian sources:

  • Referring to the customer’s Canadian credit file that has been in existence for at least 6 months;
  • Utility bill (for example, electricity, water, telecommunications);
  • T4 statement;
  • Record of Employment;
  • Investment account statements (for example, RRSP, GIC); or
  • Identification product from a Canadian credit bureau (containing two trade lines in existence for at least 6 months).

Column B: Documents or information to verify name and date of birth

Issued by a Canadian government body:

Any card or statement issued by a Canadian government body (federal, provincial, territorial or municipal):

  • Canada Pension Plan (CPP) statement of contributions;

Issued by other Canadian sources:

  • Referring to a customer’s Canadian credit file that has been in existence for at least 6 months; or
  • Insurance documents (home, auto, life);

Column C: Documents or information to verify name and confirm a financial account

Confirm that your customer has a deposit account, credit card or loan account by means of:

  • Credit card statement;
  • Bank statement;
  • Loan account statement (for example: mortgage);
  • Cheque that has been processed by a financial institution;
  • Telephone call, email or letter from the financial entity holding the deposit account, credit card or loan account; or
  • Identification product from a Canadian credit bureau (containing two trade lines in existence for at least 6 months);

 

Where the dual process method is used to confirm the identity of a customer, a record of certain information must be maintained. Specifically:

  • The customer’s name;
  • The name of the two different sources that were used to identify the customer;
  • The type of information (for example, utility statement, bank statement, etc.) that was referred to;
  • The account number associated with the information for each source (if there is no account number, you must record a reference number); and
  • The date the information was verified.

Third Parties (Agent or Mandatary)

If you are unable to use any of the methods above (say in the case of a foreign buyer that you cannot meet with face-to-face), you can ask someone in their area to identify them on your behalf.  There must be a written agreement or arrangement in place before using this method and procedures must be in place on how the third party will identify a buyer.

 

What’s To Come?

On June 9th, 2018, draft amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its enacted regulations (there are five separate regulations that we’re going to collectively call regulations here for simplicity’s sake) were published. The draft amendments include some positive changes in respect to requirements related to identity verification.

With regards to the identification document used to identify a customer, the draft amendments replace the word “original” with “authentic” and state that a document used for verification of identity must be “authentic, valid and current.” This may[2] allow for scanned copies of documentation and/or for software that can authenticate identification documents to be used for the dual process method.

Under the draft amendments, regarding the single process method, information in a credit report must be derived from more than one source (this means there must be more than one trade line).

Under the draft amendments, real estate developers, brokers and sales representatives would be allowed to rely on identity verification undertaken by other regulated entities. This method requires a written agreement and a requirement to deliver the identity documentation within three days.

 

We’re Here To Help

If you have questions regarding the identification requirements in place currently or the requirements that are in draft form please contact us.

 

[1] Note that methods used to identify customers that are organizations are different from the ones discussed in this article.

[2] There is no certainty in this regard until a final version is published and FINTRAC has provided their guidance on the matter.

AML Changes For The Real Estate Sector

Here We Go Again! Canada’s Proposed AML Changes for Real Estate Developers, Brokers and Sales Representatives

 

On June 9th, 2018, draft amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its enacted regulations (there are five separate regulations that we’re going to collectively call regulations here for simplicity’s sake) were published. This article is intended to give a high-level summary of the proposed amendments as they relate to the real estate industry.

This article should not be considered advice (legal, tax or otherwise). That said, any of the content shared here may be used and shared freely – you don’t need our permission. While we’d love for content that we’ve written to be attributed to us, we believe that it’s more important to get reliable information into the hands of community members (meaning that if you punk content that we wrote, we may think you’re a jerk but we’re not sending an army of lawyers).

Finally, we want to encourage the community to discuss the proposed changes and submit meaningful feedback for policy makers. The comment period for this draft is 90 days. After this, the Department of Finance takes the feedback to the bat cave and drafts a final version of the amendments. From the time that the final version is published, the draft indicates that there will be 12 months of transition to comply with the new requirements.

What does this mean for my business?

While there are quite a number of proposed changes (the draft is about 200 pages in length), some are likely to have more of an impact on real estate developers, brokers and sales representatives than others. We’ve summarized the changes that we expect to have the most impact below. Remember these are just proposed changes so there is no need to update your compliance material just yet.

What’s New?

Virtual Currency:

While there are not many proposed amendments that will introduce new requirements for real estate developers, brokers and sales representatives, the draft regulations introduce reporting requirements for the receipt of CAD 10,000 or more of virtual currency. These are basically the same as large cash reporting obligations and will require reporting entities to maintain a large virtual currency transaction record.

The requirements for reporting and recordkeeping for virtual currency will be very similar to cash reporting requirements.

What existing requirements are changing?

24-hour rule:

The draft regulations clarify that multiple transactions performed by or on behalf of the same customer or entity within a 24-hour period are considered a single transaction for reporting purposes when they total CAD 10,000 or more. Only one report would need to be submitted to capture all transactions that aggregate to CAD 10,000 or more. For real estate developers, brokers and sales representatives, this would apply to the receipt of cash deposits. Specifically, this will apply to large cash transactions of CAD 10,000 or more.

Identification:

The draft regulations replace the word “original” with “authentic” and state that a document used for verification of identity must be “authentic, valid and current.” This would allow for scanned copies of documentation and/or for software that can authenticate identification documents to be used for the dual process method for real estate developers, brokers and sales representatives that identify clients in a non-face-to-face manner. Another change, related to measures for verifying identity, is that the word “verify” has been replaced with “confirm” and “ascertain” has also been replaced with “confirm.” What this will mean exactly is still unclear (FINTRAC will need to provide more guidance once the final amendments are released). We are hopeful that it will allow for easier customer identification, especially for customers outside of Canada.

Records:

There have been some changes to the details that must be recorded in records that a real estate broker or sales representative must maintain. In particular, the draft regulations add the requirement that information records must contain details of every person or entity for which they act as an agent or mandatary in respect of the purchase or sale of real property. Under the existing regulations, information is recorded only for the person or entity purchasing real estate.

Risk Assessment:

Under current regulations, reporting entities are required to assess the risks associated with their business and develop a risk assessment specific to their situation. For real estate developers, brokers and sales representatives, a risk assessment must address the following four areas:

  • Products, services, and delivery channels (to better reflect the reality of the real estate sector, this workbook will now only refer to services and delivery channels);
  • Geography;
  • Clients and business relationships; and
  • Other relevant factors.

A proposed amendment would require all reporting entities to assess the risk related to the use of new technologies before they are implemented. This has been a best practice since the requirement to conduct a risk assessment came into force, but this change would make this a formal requirement.

Suspicious Transaction Reporting:

Under current regulations if a reporting entity has reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering or terrorist financing, a report must be submitted to FINTRAC within 30 days of the date that a fact was discovered that caused the suspicion. The revised regulations add to this requirement by stating:

The person or entity shall send the report to the Centre within three days after the day on which measures taken by them enable them to establish that there are reasonable grounds to suspect that the transaction or attempted transaction is related to the commission of a money laundering offence or a terrorist activity financing offence.

This would require reports to be submitted to FINTRAC within three days after the reporting entity conducts an analysis that established reasonable grounds for suspicion.

Schedules:

The draft regulations introduce changes to reporting schedules, requiring more detailed information to be filed with FINTRAC than was previously required. This is in addition to including information that is marked as optional, if a reporting entity has the information. As it relates to real estate developers, brokers and sales representatives, these changes will impact attempted suspicious and suspicious transaction reporting, terrorist property reporting and large cash reporting. Some of the additional proposed data fields are:

  • every reference number that is connected to the transaction,
  • every other known detail that identifies the receipt (of cash for large cash transactions),
  • type of device used by person who makes request online,
  • number that identifies device,
  • internet protocol address (IP address) used by device,
  • person’s user name, and
  • date and time of person’s online session in which request is made.

Such changes may be onerous for reporting entities, especially for transactions that are conducted online.

Training:

Under current regulations, if real estate developers, brokers and sales representatives use agents, mandataries or other persons to act on their behalf, they must develop and maintain a written, ongoing compliance training program for those agents, mandataries or other persons. The draft regulations introduce an additional requirement: there must be a documented plan for the ongoing compliance training program and for the delivery of that training.

What’s Next?

If you’ve read this far, congratulations and thank you!

We hope that you will contribute your thoughts and comments. You can do this by contacting the Department of Finance directly. Their representative on this file is:

Lynn Hemmings
Acting Director General
Financial Systems Division
Financial Sector Policy Branch
Department of Finance
90 Elgin Street
Ottawa, Ontario
K1A 0G5
Email: fin.fc-cf.fin@canada.ca

If you would like assistance drafting a submission, or have questions that you would like Outlier to answer, please get in touch!
