PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

Effectiveness Reviews for Dealers in Virtual Currency

Effective June 1, 2020, dealers in Virtual Currency activities were considered as Money Services Businesses (MSBs) and as such, must comply with MSB obligations under amendments made to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). One obligation is to have an AML effectiveness review at least once every two years. MSBs must start their effectiveness review no later than two years from the start of their previous review or in the case of dealers in Virtual Currency, no later than June 1, 2022, the date they were considered to be MSBs under law.

Such reviews must test your compliance program and effectiveness of your operations. Our reviews follow a similar format to examinations conducted by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), which you can read more about in a previous Blog Post.

We’re Here To Help

If you have not yet engaged or commenced your review, there are still a couple of weeks to be compliant. If you would like to engage Outlier to conduct your AML Compliance Effectiveness Review or have questions regarding this obligation, please get in touch.

Amendments To The Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations – 2022

Background

On April 27, 2022 amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations were published in the Canada Gazette. To make reading these changes a little easier, we (thanks Rodney) have created a redlined version of the regulations, with new content showing as tracked changes, which can be found here.

The Regulatory Impact Statement for these changes state the following:

Crowdfunding platforms and some payment service providers are not currently covered by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act) and therefore have no money laundering and terrorist financing obligations under federal statute. This lack of oversight presents a serious and immediate risk to the security of Canadians and to the Canadian economy. This risk was highlighted in early 2022, when illegal blockades took place across Canada that were financed, in part, through crowdfunding platforms and payment service providers. Allowing these gaps to continue represents a risk to the integrity and stability of the financial sector and the broader economy, as well as a reputational risk for Canada.

Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations, and consequential amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations, will help prevent the financing of illegal activities through these types of financial services.

What’s Changed?

The changes are substantial and sudden. They will affect many companies that have not been previously under the purview of AML regulation in Canada. These changes are effective immediately and there is no comment period, which is not the norm for such changes.

To help digest these changes, we have summarized what we feel are the most important changes below:

The definition for an electronic funds transfer has been removed and the corresponding section within the body of the regulations was amended. Previous exemptions related to remitting or transmitting from one person or entity to another by Credit or Debit Card, or Prepaid Payment Product if the beneficiary has an agreement with the payment service provider that permits payment for the provision of goods and services, has been revoked for money services businesses, which as we mentioned now includes Payment Service Providers.

The definitions section was amended by adding the following:

  • crowdfunding platform means a website or an application or other software that is used to raise funds or virtual currency through donations. (plateforme de sociofinancement)
  • crowdfunding platform services means the provision and maintenance of a crowdfunding platform for use by other persons or entities to raise funds or virtual currency for themselves or for persons or entities specified by them.

With these changes, crowdfunding platforms and payment service providers will now be subject to existing money services businesses requirements. These obligations include:

  • Registration with FINTRAC;
  • Developing a compliance program;
  • Customer identification and due diligence;
  • Transaction monitoring and customer risk scoring;
  • Reporting certain transactions to regulators and government agencies;
  • Complying with Ministerial Directives; and
  • Keeping records.

Specific to record keeping, crowdfunding platforms that provide services to persons or entities in Canada where a person donates an amount of CAD 1,000 or more in funds or virtual currency will need to:

(a) keep an information record in respect of the person or entity to which they provide those services;

(b) keep a record of the purpose for which the funds or virtual currency are being raised; and

(c) if the person or entity for which the funds or virtual currency are being raised is different from the person or entity referred to in paragraph (a),

      1. keep a record of their name, and
      2. take reasonable measures to obtain their address, the nature of their principal business or their occupation and, in the case of a person, their date of birth, and keep a record of the information obtained.

What Next?

Due to these changes, FINTRAC will need to revise its interpretation of existing requirements to include crowdfunding platforms and payment service providers. There is no set date for when we can expect guidance from FINTRAC. Additionally, various FINTRAC policy interpretations will no longer be able to be relied upon (i.e. policy interpretations related to merchant services as well as payment processing for utility bills, mortgage and rent, payroll, and tuition being exempt from AML obligations). The hope is FINTRAC will issue new policy interpretations, but for now the industry is left with many questions.

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

Outlier Solutions Inc. Offering Compliance Services to the Metaverse in Decentraland

February 23, 2022 Toronto — Outlier Solutions Inc. doing business as Outlier Compliance Group, a consultancy specializing in compliance solutions for reporting entities ranging from banks to dealers in virtual currencies (like bitcoin) to real estate firms, is one of the first to offer compliance services in the metaverse. Outlier will be joining as one of the professional service providers setting up shop in conjunction with Grinhaus Law Firm, a leading Canadian law firm in Blockchain regulatory advisory, and DGM Financial Group, a prominent Trust and corporate services office which helps structure crypto businesses internationally, in Decentraland, to service clients globally and through the metaverse.

Visitors to Decentraland will now be able to visit Outlier’s office, and book meetings with one of the team members. Visitors can discuss their Canadian compliance needs on topics such as Canadian anti-money laundering (AML), counter terrorist financing (CTF), privacy, and regulatory compliance management. Virtual spaces include traditional offices and a fountain (and of course, meetings can also be requested in person and via more traditional virtual meeting software). The Decentraland office is located at -39, 121, in the same neighbourhood as Decentraland University.

“The world, actual and virtual, is evolving rapidly” said Outlier’s Founder and CEO, Amber D. Scott. “It’s important to understand what shape that evolution is taking, and no better way to learn than to be involved directly.” She adds, “It just makes sense that in order to be good advisors to companies operating in the metaverse, we would be there too.”

Scott’s avatar in Decentraland checks out the new virtual office space.

Founder of Grinhaus Law Firm, Aaron Grinhaus, stated, “we are pleased to welcome Outlier Solutions Inc. and complement our line up of professional services to help people and businesses navigate the ‘gray areas’ and legitimize the existence of the metaverse.”

Decentraland, with its 800,000+ residents and $54B in transactions, is also home to a wide array of companies and institutions from academia to crypto companies to fashion. This represents an opportunity to strategically grow Outlier’s presence as well as participate in the booming growth and creation in the metaverse.

Please direct media inquiries to decentraland@outliercanada.com.

About Outlier Solutions Inc.
Outlier Solutions Inc. dba Outlier Compliance Group is a Canadian consulting firm, founded in August of 2013, which is focused on developing compliance solutions for reporting entities. Outlier’s areas of expertise include anti-money laundering (AML), counter terrorist financing (CTF), privacy, and regulatory compliance.

For further information please visit https://www.outliercanada.com

About Grinhaus Law Firm
Grinhaus Law Firm was established in 2012 and is a business, tax and regulatory focused firm with a niche expertise in Blockchain and Smart Contract law.

For further information please visit https://grinhauslaw.ca

About DGM Financial Group
DGM Financial Group is a global financial services firm that provides Trust Administration, Corporate Services, Management Services to insurance and non-insurance companies, Family Office, Director Services, and is a Listing Sponsor on the Barbados Stock Exchange.

For further information please visit https://dgmfinancialgroup.com/

About Decentraland
Decentraland is the first fully decentralized virtual world. Powered by DAO, which owns the most important smart contracts and assets of Decentraland. Decentraland is a software running on Ethereum that seeks to incentivize a global network of users to operate a shared virtual world. Decentraland users can buy and sell digital real estate, while exploring, interacting and playing games within this virtual world.

For further information please visit https://decentraland.org

Proliferation Financing

 

 

 

 

What is it, and why should AML compliance professionals be paying attention?

If you’ve looked at the Financial Action Task Force (FATF)’s recommendations recently, you’ve no doubt noticed that there are now three big topics on the covering page:

  • Money laundering,
  • Terrorist financing, and
  • Proliferation.

The last of these has received considerably less attention until recently, and in many cases, it may not be explicitly included in either jurisdiction-specific legislation or compliance programs. While some elements of proliferation are generally included (for instance, it is rare to see a compliance program that does not address sanctions-related list screening), there is often little if any consideration given to risks such as sanctions evasion or the non-implementation of sanctions.

According to the FATF, weapons of mass destruction (WMD) proliferation refers to the manufacture, acquisition, possession, development, export, trans-shipment, brokering, transport, transfer, stockpiling or use of nuclear, chemical or biological weapons and their means of delivery and related materials (including both dual-use technologies and dual use goods used for non-legitimate purposes). The financing of proliferation refers to the risk of raising, moving, or making available funds, other assets or other economic resources, or financing, in whole or in part, to persons or entities for purposes of WMD proliferation, including the proliferation of their means of delivery or related materials (including both dual-use technologies and dual-use goods for non-legitimate purposes). There are targeted financial sanctions intended to prevent specific jurisdictions, organizations, and persons from participating in any proliferation-related activities.

In Canada, reporting entities have strict obligations to comply with sanctions requirements.

Similarly, terrorists and terrorist groups are often subject to financial sanctions and prohibitions. All accounts and transactions are scanned against listed persons and entities. In the case that we have property (including money and investments) in our possession that belongs to a listed person or entity, it must be frozen and reported immediately.

Recommendation 1 requires countries and private sector entities to identify, assess, and understand “proliferation financing risks”. In the context of Recommendation 1, “proliferation financing risk” refers strictly and only to the potential breach, non-implementation or evasion of the targeted financial obligations referred to in Recommendation 7. These R.7 obligations apply to two country-specific regimes for the Democratic People’s Republic of Korea (DPRK) and Iran, require countries to freeze without delay the funds or other assets of, and to ensure that no funds and other assets are made available, directly or indirectly to or for the benefit of (a) any person or entity designated by the United Nations (UN), (b) persons and entities acting on their behalf or at their direction, (c) those owned or controlled by them. The full text of Recommendations 1 and 7 is set out at Annex A.

Canadian reporting entities will be familiar with Ministerial Directives related to North Korea and Iran that impose additional requirements, as well as providing indicators of activity related to these jurisdictions. While we may not be used to thinking about these requirements as being controls related to proliferation financing risk, this is exactly what they are. We may also fail to consider how they fit into our overall compliance regimes.

Proliferation Financing Trends and Typologies

It is not enough to simply say that your business does not deal with these jurisdictions directly. In many cases, funds are not actually repatriated to these jurisdictions but are held in other countries. For instance, identified state-sponsored North Korean hacking groups have moved stolen funds and virtual currencies through the Philippines, Macau, and China. In addition, actors intending to circumvent sanctions are known to be relatively proficient in using false and manufactured identities, as well as well as organizational structures intended to obfuscate true beneficial ownership. In the FATF’s webinar on proliferation financing, the global watchdog noted that proliferation financing may be one of the most challenging threats to detect in action, due to its complex nature.

Helpful Resources

Late in 2021, the FATF conducted an excellent webinar on proliferation financing risk assessment and mitigation, which has now been posted publicly. This presentation includes an excellent high-level overview, as well as detailed discussions of the trends and typologies that are relevant today.

It can be useful to review the aspects of the FATF’s recommendations that refer to proliferation.

There is additional guidance from the FATF on proliferation financing risk assessment and mitigation. This is a detailed document focused entirely on proliferation financing, and the FATF’s expectations.

The UK has conducted a national level assessment of proliferation financing risk. This includes a number of relevant case studies and typologies. If you want the sense of it, but are short on time, our friend Dev Odedra has published a summary.

Manchester CF has launched a proliferation financing training module as part of the Financial Intelligence Specialist (FIS) designation, offered in conjunction with the University of Newhaven.

Need a Hand?

If you want to get ahead of the curve by having a conversation about proliferation financing risk and potential impacts to your compliance program, please contact us.

FINTRAC Examinations for the Real Estate Sector

We often hear friends and clients in the real estate sector say they are unsure what to expect if (and when) the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) notifies them of an examination. This article is meant to provide guidance on what to expect and how to ensure a smooth review.

Background

In 2019–20, FINTRAC conducted 399 compliance examinations, of which 146 were focused on the real estate sector [1]. The real estate sector has been the main focus for FINTRAC examinations since 2017 due to the growing concern of money laundering taking place in the Vancouver, Toronto and Montreal real estate market.

For the purpose of assessing compliance, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act gives FINTRAC the authority to inquire into the business of any regulated entity.

FINTRAC examinations are reviews of your compliance program (what you say you are doing to stay in compliance) and your operations (what you’re actually doing to stay in compliance). These exams can take place at any time and should not be confused with your obligation to have an AML Effectiveness Review at least once every two years. FINTRAC examinations can take place in-person onsite at your office, at a FINTRAC office, or over the phone. FINTRAC will provide advance notice of an examination, which is scheduled by telephone and confirmed by letter [2]. Note, due to the COVID-19 pandemic, FINTRAC is not currently conducting onsite examinations [3].

I Have Received Notice of an Exam. Now What?

FINTRAC will request documentation, including your compliance policies and procedures, assessment of risks of money laundering and terrorist financing, measures to mitigate high risks, samples of transaction documentation, and other documents be summitted to them. Based on FINTRAC’s areas of review, the below is a sample list of what you can expect to provide. We have also created a more detailed version of the list which you can find here.

  • Most recent version of compliance policies and procedures;
  • Most recent version of your documented risk assessment;
  • Copy of the last two documented internal and/or external reviews of your compliance program (this may include the reviewer’s working papers as well);
  • Training program and records;
  • Organizational Chart;
  • Financial Statements;
  • Number of full-time and part-time employees/sales representative;
  • All suspicious and attempted suspicious transaction records;
  • A list of all closed deals related to the sale/purchase of real estate;
  • In-Trust bank account records; and
  • Large cash transaction records.

You will generally have 30 days to provide all requested documentation to FINTRAC. It’s a good idea to read through the request carefully before you begin your preparation.

Whether you are submitting your materials on paper or in electronic format, it is a good idea to create folders or cover pages for each item that FINTRAC has requested. This creates separate sections for each item and helps you to stay organized. A missed item usually can’t be submitted once the deadline has passed, and can result in deficiencies. We’ve created a sample format for your submission package that you can download for free here.

The Exam

Whether the FINTRAC exam is in-person, at their office or over the phone, they follow very similar formats. The key difference is the regulator’s ability to request additional operational data during onsite examinations.

It is ok for you to take notes throughout the examination process (and we recommend that you do). You are permitted to have a lawyer, consultant or other representative with you (if you do, FINTRAC will request that you complete the Authorized Representative Form in advance). While your representative cannot generally answer questions on your behalf, they can prompt you if you are nervous or stuck, and help you to understand what is being asked of you if it is not clear.

The Introduction

The examiner will provide a brief overview of the examination process as a formal opening to the examination. At the end of this introduction, the examiner will ask if you have any questions. At this point, it can be useful to provide a very brief (five minutes maximum) overview of your business.

Your introduction should reflect the materials that you have already submitted to FINTRAC (which ideally included an opening letter that described anything about the business that would not be readily apparent to the examiner, or anything that you believe could be misunderstood). Key facts about your business include:

  • Your corporate structure and ownership;
  • The types of products and services that are offered/types of transactions that are conducted;
  • Where your offices, agents and customers are located;
  • How you connect with your customers; and
  • Anything significant that has changed since your last FINTRAC examination.

This overview should be simple and brief.  At this point, the examination will then begin. At the end of each section, the examiner will ask if you have any questions and let you know whether there are any deficiencies.

Compliance Policies & Procedures

During this part, FINTRAC will ask questions about the policy and procedure documents that you have provided in advance of the examination. There are a few standard questions that are generally asked:

  • Who wrote the policies and procedures?
  • Were the versions submitted to FINTRAC the most recent versions?
  • When were they last updated?
  • When and how do you identify your customers?
  • How do you ensure that identification is up to date?
  • How do you monitor transactions?
  • How do you recognize, document and monitor “business relationships” (note: this is any time that you have either an ongoing service agreement with a customer and/or your customer has performed two or more transactions that require identification [4]).
  • What are indicators of a suspicious transaction?
  • The examiner will also ask a number of questions based on the documents that you have submitted, including questions about compliance-related processes.

Risk Assessment

During this part, FINTRAC will focus on your Risk Based Approach, asking specific questions about the Risk Assessment and related documents that you have provided in advance of your examination. Again, there are some common questions that are asked:

  • Do you have any high risk customers or business relationships?
  • What factors do you consider in determining that a customer or business relationship is high risk?
  • How are customer due diligence and enhanced due diligence different (both generally, and in your processes and documentation)?

Most additional questions will be related to risk management processes. For example, it has been common in the last few months for examiners to ask if a customer or transaction could be rejected (“Yes, if it was outside of our risk tolerance”).

This may also lead to questions about whether or not an Attempted Suspicious Transaction Report (ASTR) or Suspicious Transaction Report (STR) was filed. If there were reasonable grounds to suspect money laundering or terrorist financing, the answer should be yes. If not, you should explicitly say “There were not reasonable grounds to believe that this event was related to money laundering or terrorist financing”, then provide an explanation.

Operational Compliance & Reporting

During this part, the examiner will ask questions about specific transactions/deals. Some of the cases that you must be ready to explain are:

  • A transaction matches an indicator of potentially suspicious activity (if there were reasonable grounds to suspect money laundering or terrorist financing, the answer should be that you filed an STR, if not, you should explicitly say that “there were not reasonable grounds to believe that this event was related to money laundering or terrorist financing”, then provide an explanation);
  • Questions related to receipt of funds and large cash transactions; and
  • Business relationships and ongoing monitoring (in particular, if this did not occur earlier in the examination).

During a desk examination, the examiners typically do not request additional materials.

During onsite examinations, it has become commonplace for examiners to request additional materials. These are generally related to:

  • Business relationships;
  • Ongoing monitoring (including the monitoring of business relationships);
  • High risk customers;
  • Enhanced due diligence; and
  • Other risk-based processes.

Be clear with the examiner about what can be extracted easily from your IT systems, and in the case that data cannot be extracted easily, be prepared to show the examiner an example (or several). If your system has an “auditor access” feature (generally read-only access with search capability), it can be useful to set this up in advance of the onsite visit.

Exit Interview

Congratulations – you’ve made it to the finish line!

At this point, the examiner will sum up the findings (if there are any), and read a standard disclosure statement. For most of us, the disclosure statement is terrifying, as it talks about penalties. This is standard process – do not be alarmed. When the examiner has finished, you may ask if a penalty is being recommended (if you’re a worrier, please do this). Not all FINTRAC examiners will provide guidance at this stage, but it doesn’t hurt to ask.

After the Exit Interview

After the examination and exit interview, generally within 30 days, you will receive a formal letter that details FINTRAC’s findings. The letter will state either of these possibilities:

  • No further compliance or enforcement action;
  • Possible follow-up compliance action; or
  • A recommendation for an enforcement action, such as an administrative monetary penalty (AMP).

In the case that there is an AMP imposed, we recommend taking action as soon as possible. In most cases, FINTRAC does not require real estate brokers and sales representatives to submit an action plan.

We’re Here To Help

If you need assistance preparing for a FINTRAC exam or have any compliance questions in general, please contact us.

 

 

[1] https://www.fintrac-canafe.gc.ca/publications/ar/2020/1-eng

[2] FINTRAC considers the date on which you are advised of an examination, which is typically done by phone, to be the start of the compliance examination process.

[3] https://www.fintrac-canafe.gc.ca/covid19/covid-2020-07-27-eng

[4] Effective June 1, 2021 a business relationship will be defined as either entering into an ongoing service agreement with a customer and/or your customer has performed one or more transactions that require identification.

Changes to PIPEDA, Canada’s Private-Sector Privacy Law

Background

On November 17, 2020, Bill C-11, the Digital Charter Implementation Act, 2020 was introduced. If passed, the proposed Act would repeal part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and a new Consumer Privacy Protection Act (CPPA) would regulate the way in which personal information is collected, used and disclosed by private sector organizations in the course of their commercial activity.

The bill would also create an administrative tribunal to hear appeals of decisions made by the Privacy Commissioner of Canada and impose penalties. Currently, such appeals are heard in federal court.

As technology continues to evolve, the proposed Act is meant to protect Canadians by creating and enhancing current obligations, including:

  • Increasing control and transparency when Canadians’ personal information is handled by companies;
  • Giving Canadians the freedom to move their personal information from one organization to another;
  • Ensuring that Canadians have the ability to request that their personal information be destroyed;
  • Providing the Privacy Commissioner with broad order-making powers, including the ability to force an organization to comply; and
  • Fines of up to 5% of revenue or $25 million.

What Will Change?

The proposed Act brings about many changes. Highlighted below are what we feel are some of the most significant:

Privacy Program: Organizations would be required to maintain a privacy management program setting out policies and procedures the organization takes to protect and deal with personal information. The Office of the Privacy Commissioner (OPC) could request these procedures at any time.

Consent: The Act adopts elements of the OPCGuidelines for obtaining meaningful consent, creating transparency requirements.

Exceptions: The Act defines a list of “business activities” for which an organization can process personal information without consent.

Transfers to Service Providers: The Act would establish that consent is not required to transfer personal information to a service provider.

Automated Decision-MakingIf an organization uses an “automated decision system”, under the Act, they must ensure how a prediction, recommendation or decision about a person is made is documented.

Data Mobility: The Act would allow that on the request of an individual, an organization must, as soon as feasible, disclose the personal information it has on file of the individual to another organization if those organizations are subject to a “data mobility framework”.

Disposal of PI: The Act would provide individuals with an explicit right to request the deletion of their personal information.

Revised OPC powers: The OPC would have the authority to issue enforcement orders and recommend penalties. Currently, the OPC only has the power to recommend measures after an investigation.

Private Right of Action: The Act would allow individuals to sue companies within two years following a regulatory investigation. The individual would have to prove loss in order to recover damages.

Codes of practice and certification: The Act would allow for the creation of codes of practice and certification programs to facilitate compliance with the Act, which would be subject to approval by the OPC.

What Do We Do?

For now, we wait but plan for changes to your privacy program in the years ahead. If the bill is passed, the draft legislation will be open for a comment period in which you are encouraged to submit comments. The OPC released a statement on November 19, 2020 related to the bill. Our guess is we will see amendments based on the OPCs statement.

We’re Here To Help

If you have questions related to this or privacy legislation in general, please contact us.

The Iran Ministerial Directive’s Impact

Quick Overview

On July 25, 2020, a new Ministerial Directive (MD) was published in the Canada Gazette by the Minister of Finance on financial transactions associated with the Islamic Republic of Iran.  On July 27, 2020, FINTRAC issued guidance on how to incorporate the MD into your anti-money laundering (AML) program, along with some indicators for determining if a transaction is associated with Iran. This MD requires that every transaction originating from or bound for Iran be treated as high risk, regardless of the amount. This includes identifying every client, performing customer due diligence, and recording certain information. It is vital that your AML compliance program documentation contains internal processes related to MDs, even if you do not conduct transactions with Iran (or North Korea, based on the previous MD issued December 9, 2017).

What is a Ministerial Directive?

MDs are specific requirements imposed by the Minister of Finance that are meant to mitigate risks associated with activities that pose elevated risk and safeguard the integrity of Canada’s financial system. To date, these areas of elevated risk have been identified by the Financial Action Task Force (FATF) as posing strategic deficiencies with regards to international standards for anti-money laundering and counter terrorist financing.

What does this Ministerial Directive require?

The guidance from FINTRAC states that every bank, credit union, financial services cooperative, caisse populaire, authorized foreign bank and Money Services Business (MSB) must:

  • Treat every financial transaction originating from or bound for Iran, regardless of its amount, as a high-risk transaction;
  • Verify the identity of any client (person or entity) requesting or benefiting from such a transaction;
  • Exercise customer due diligence, including ascertaining the source of funds in any such transaction, the purpose of the transaction and, where appropriate, the beneficial ownership or control of any entity requesting or benefiting from the transaction;
  • Keep and retain a record of any such transaction;
  • Determine whether there are reasonable grounds to suspect the commission or attempted commission of a money laundering or terrorist financing offence and report all suspicious transactions to FINTRAC;
  • Reporting all other reportable transactions (if applicable).

To be clear, this MD does not apply to transactions where there is no suspicion or explicit connection with Iran and there is no evidence of the transaction originating from or being bound for Iran. A couple of examples were provided in the FINTRAC Guidance:

  • A client who has previously sent funds to Iran requests an outgoing EFT, where the transaction details do not suggest that this transaction is bound for Iran and you are unable to obtain further details about the transaction destination; or
  • The client’s identification information is the only suggestion of a connection to Iran (for example, a transaction where the conductor’s identification document is an Iranian passport).

What does it mean to you?

It is important to understand that even if your business does not facilitate transactions involving Iran, it is expected that you have a process in place for adhering to MDs, including how the Compliance Officer stays up to date. Within your AML compliance program documentation, you need to have a section that talks about MDs generally, plus specific procedures related to handling the current MDs (transactions involving Iran and North Korea). In the FINTRAC guidance related to this MD, it states that during an examination, FINTRAC will assess your compliance with MDs and failures to do so are considered very serious and may result in a penalty.

What now?

In order to ensure familiarity for anyone who interacts with customers and their transactions, the list of FINTRAC’s indicators should be communicated immediately.  Furthermore, the indicators should also be included in your procedure manuals and annual AML compliance training topics, allowing easy access to the information. Documenting the information and related processes for MDs is very important so you can demonstrate to FINTRAC your adherence to the requirements during an examination.

Need a hand?

We’ve made it easier for you to integrate this content into your program by putting the information into a Word document for you. If you aren’t sure what to do with this information and would like some assistance, please feel free to contact us.

Information Should Be Free!

Outlier has produced an open-source AML and CTF, and Privacy repositories of definitions, acronyms, and terminology that is free for whoever wants it.

Please feel free to provide contributions and/or feedback, as it would be greatly appreciated. We have already had three contributors!

Discombobulated

About a year ago, we had a client who was interacting with the world of Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF) for the first time. They were aggravated by the amount of jargon, acronyms, and uncommon uses of certain commonly understood terms. An example is, a business relationship. Those of you that are relatively familiar with the AML space know a business relationship doesn’t mean what the rest of the world thinks it means. In Canada, in the AML context, it means something very different.

A Helping Hand

At the time, they wished for a simple reference point where they could easily find the meaning for different terms. Unfortunately, this entails combing multiple locations, including FINTRAC’s website, plus the Act and Regulations themselves. To make a long story short, there is no easy way. Fed up, they (not so) gently suggested that we (Outlier) fix this. Their idea was creating a GitHub repository.

For those unfamiliar with GitHub, it is a web-based hosting service for version control. It is mostly used for computer code, but has also been used to write and edit books. It offers access control and several collaboration features. A GitHub repository is where the code and/or information is maintained for a specific project. This process is fairly simple to someone who is a coder with years of experience working with GitHub. For myself, this was not so simple. A year later, almost to the day, the repository is created, open and available to the public. There is no need to be scared, you are able to comment and make suggestions without knowing how to code at all. If you can’t figure out how to provide commentary in GitHub, send it to use via email at info@outliercanada.com with the subject line “GitHub Feedback.”

The Power of Collaboration

The (not so) gentle nudge meshed well with one of Outlier’s core beliefs: that information should be free. By collecting the information, housing it in GitHub, and making it available to anyone, we are able to provide free information to everyone who wants it. By making information free and public, it gives others the opportunity to make suggestions, add content, and improve the quality of the information.

What Happens When We Work Together?

By sharing this open-source project with the world, we are looking to empower anyone willing to be empowered. From the client who is interacting with the world of AML for the first time. To the seasoned-veteran who is looking for helpful resources. To the person who wants to provide their customer with a helpful resource. Take the information and do what you wish with it. If you would like to attribute Outlier, awesome! If not, that’s ok too. Our only request is this should never be provided for a fee.

Have a Question?

If you looked at the resource and are curious about how to make a contribution, please feel free to contact us anytime. Contributions can include anything from corrections and suggestions, to the addition of different jurisdictional definitions, specifically the European perspective.

This is not a solicitation (but we do get this request often), should you want to provide a tip in BTC or ETH, our addresses are listed below.

To open a channel with our Lightning Node, our address is: 03acb418d5b88c0009cf07d31ec53d0486814bc77917c352bd7e952520edf7bf3c@99.236.76.38:9735

or you can use Tippin.Me.

bitcoin ethereum
3AqYJQhfKYCde7syKKqTJJPdLs6M5CbWkR 0x03CDF23a2Eb070F2c79De5B2E6FB90671D3c70fE
Outlier BTC Tipping Address

FINTRAC Alert – Laundering the Proceeds of a Romance Scam

Quick Overview

On April 11th, 2019, FINTRAC published an Operational Alert issued in part with the Canadian Anti-Fraud Centre.  The information provided related to laundering the proceeds of romance scams and mass marketing fraud. The publication provided an explanation of what constitutes a romance scam, some common indicators that may be present and transaction patterns or flow of funds that may suggest fraud.

What Does it Mean?

The suspicious indicators provided by FINTRAC list circumstances or activities that might signal potential cases of individuals caught in a romance scam or the subject of a mass marketing fraud.  This does not mean that if one or more of the indicators are present that the transaction is definitely suspicious and must be reported to FINTRAC. It is meant to ensure that you are aware of the potential that suspicious activity may be taking place.  In that context, if you are involved in customer’s transactions, whether on the front lines or in back office, you must be aware of the indicators in the alert.  If you do encounter a transaction that may be considered unusual, you should attempt to collect additional information that will aid in the Compliance Officer’s decision to report it or clearly document why it was not considered suspicious. Where the Compliance Officer makes the decision to report the transaction to FINTRAC as suspicious, be sure to include “Project CHAMELEON” or “#CHAMELEON” in Part G—Description of suspicious activity in the STR. This will help to facilitate FINTRAC’s disclosure process.

What Now?

In order to ensure familiarity for anyone who interacts with customers and their transactions, the list of FINTRAC’s indicators should be included in your ongoing AML compliance training program.  Furthermore, the indicators should also be included in your procedure manuals, allowing easy access to the information.  Finally, the indicators should be incorporated into your Risk Assessment documentation.  Specifically, when determining customer risk and the controls used to effectively mitigate potential risks.

We’ve made it easier for you to integrate this content into your program by putting the indicators in a Word document for you.

Need a Hand?

Outlier has taken the list of indicators provided by FINTRAC and formatted them into an easy to use Microsoft Word document, which can be found here.  This should allow companies to easily update their documentation and ensure they are sufficiently monitoring for potential instances of romance scams or mass marketing fraud. If you aren’t sure what to do with this information and would like some assistance, please feel free to contact us.

Technology and Cyber Security Incident Reporting

The issue of cyber security incidents seems to continue to be a hot topic for regulators. Late last year, federal Breach of Security Safeguards Regulations came into force, which require organizations to report to the Office of the Privacy Commissioner (OPC), any breach of security safeguards involving personal information under its control where the breach creates a “real risk of significant harm”. Last week, The Office of the Superintendent of Financial Institutions (OSFI) published an advisory, Technology and Cyber Security Incident Reporting, which sets out OSFI’s expectations for Federally Regulated Financial Institutions (FRFIs) with respect to the reporting of technology and cyber security incidents. The advisory  becomes effective on March 31, 2019.

OSFI’s advisory defines a technology or cyber security incident as an event that has the “potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information”. The advisory goes on to give guidance on what a reportable incident may look like:

  • Significant operational impact to key/critical information systems or data;
  • Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
  • Significant operational impact to internal users that is material to customers or business operations;
  • Significant levels of system/service disruptions;
  • Extended disruptions to critical business systems/operations;
  • Number of external customers impacted is significant or growing;
  • Negative reputational impact is imminent (e.g., public/media disclosure);
  • Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
  • Significant impact to a third party deemed material to the FRFI;
  • Material consequences to other FRFIs or the Canadian financial system;
  • A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.

Unlike the Breach of Security Safeguards Regulation, which apply to all companies operating in Canada, OSFI’s advisory applies only to FRFIs. These include banks and insurance companies.

How Do the Reporting Obligations Differ?

Incidents that need to be reported to the OPC focuses on “a breach of security safeguards” involving personal information, where it is reasonable to believe that the breach creates a “real risk of significant harm” by assessing factors such as the sensitivity of the personal information involved, and the probability of misuse. Incidents should be reported as soon as feasible.

Incidents that need to be reported to OSFI focuses on operational impact to the integrity or availability of information systems. Items to be looked at include things such as service disruptions, as well as impacts to critical deadlines related to financial market settlement, payment systems, soundness of business etc. These incidents may or may not include personal information. The OSFI advisory does state one of the considerations for reporting is if the incident has been reported to the OPC. Incidents should be reported as soon as possible, but no later than 72 hours after determining an incident has occurred.

It is possible (even probable) that a FRFI would need to report an incident to both the OPC and OSFI. While organizations that are not FRFI’s are not required to report to OSFI, the advisory may still contain useful guidance in thinking about security, breaches, and best-practices for breach response.

Below is a comparison chart noting the differences (or similarities) between reporting obligations:

Breach of Security Safeguards Regulations OSFI Advisory
Who does it apply to?  All Organizations.  All Federally Regulated Financial Institutions.
Who is a breach reported to? The organization must report the breach to the OPC, but also notify affected individuals. The FRFIs must report the breach to its Lead Supervisor as well as TRD@osfi-bsif.gc.ca
When is a breach reported? As soon as feasible after the organization determines the breach has occurred. As soon as possible, but no later than 72 hours after determining an incident has occurred.
What type of breach is reported? A breach of security safeguards involving personal information where the breach creates a “real risk of significant harm”. Incidents that have a material operational impact to the integrity or availability of information systems.
What type of information must be included in the report? A description of the circumstances of the breach and, if known, the cause;

The day or the period in which the breach occurred;

A description of the personal information that was involved in the breach;

An estimate of the number of individuals impacted – where the breach creates a real risk of significant harm;

The steps that the organization has taken to reduce the risk of harm to the impacted individuals;

The steps that the organization has taken, or will take, to notify impacted individuals; and

The name and contact information of a person the OPC can liaison with.

Date and time the incident was assessed to be material;

Date and time/period the incident took place;

Incident severity and type (e.g. DDoS, malware, data breach, extortion);

A description of the incident (including known direct/indirect impacts, the number of clients impacted etc.);

Primary method used to identify the incident; 

Current status of incident;

Date for internal incident escalation to senior management or Board of Directors;

Mitigation actions taken or planned;

Known or suspected root cause; and

Name and contact information for the FRFI incident executive lead and liaison with OSFI. 

 

We’re Here To Help

If you have questions about this new advisory related to your reporting obligations for technology and cyber security incidents, or compliance in general, please contact us.

Return to Blog Listing