Anti-Money Laundering
Consulting Services & Strategies

Breach of Security Safeguards Regulations

Back in June of 2015, the Digital Privacy Act received royal assent, resulting in amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). Most amendments came into force at that time, except for the much-anticipated requirements related to breach notification. These requirements will come into force once regulations have been developed and put into place, and will affect any organization that collects, uses or discloses personal information in the course of commercial activities.

On September 2, 2017, a draft of those regulations was published in the Canada Gazette. The draft regulations will require organizations to report, to the privacy commissioner, any breach of security safeguards involving personal information under its control if it is reasonable to believe the breach creates a real risk of significant harm. The draft regulations state that such a report would have to contain the following:

  • a description of the circumstances of the breach and, if known, the cause;
  • the day or the period in which the breach occurred;
  • a description of the personal information that was involved in the breach;
  • an estimate of the number of individuals impacted – where the breach creates a real risk of significant harm;
  • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
  • the steps that the organization has taken or will take to notify impacted individuals; and
  • the name and contact information of a person who can answer, on behalf of the organization, the Privacy Commissioner’s questions about the breach.

Organizations that experience such a breach will also have to do the following:

  • Determine if the breach poses a “real risk of significant harm” to any individual whose personal information was involved in the breach by conducting a risk assessment;
  • Notify affected individuals if it is determined that there is a real risk of significant harm. How the notification will take place depends on several factors, such as whether contact information of the impacted individuals is known, cost, and whether the method chosen to deliver such a notification will cause further harm;
  • Issue notification that contains:
    • a description of the circumstances of the breach;
    • the day or period during which the breach occurred;
    • a description of the personal information that was involved in the breach;
    • the steps that the organization has taken to reduce the risk of harm to the impacted individuals;
    • the steps that the impacted individuals could take to reduce the risk of harm resulting from the breach;
    • a toll-free number or email address that the impacted individuals can use to obtain further information about the breach; and
    • information about the organization’s internal complaint process and about the individual’s rights under PIPEDA, and that they can make a complaint with the privacy commissioner;
  • Notify other organizations or government institutions if they believe they may be able to reduce the risk of harm to the impacted individuals (i.e. law enforcement agencies). If this is the case, consent of individuals is not required for such disclosures; and
  • Keep records of any data breach for a minimum of 24 months.

Determining whether there is a real risk of significant harm to an individual, and meeting the “as soon as feasible” reporting requirement, are likely to be the most challenging for organizations.

In determining if there is a “real risk of significant harm”, the risk assessment must consider factors such as the sensitivity of the personal information involved, whether or not the data was encrypted, whether the personal information could be misused, if the information has been recovered, etc. The true risk of such factors may not always be known at the time that the risk assessment is first conducted. If not known, it may be best to use a worst-case scenario in the assessment.

In reporting “as soon as feasible” after an organization determines that the breach has occurred, to both the Privacy Commissioner and impacted individuals, organizations may be hesitant to provide specific information. Reasons for this hesitation may include that details and information may change as further investigation of the breach is conducted, or fear of litigation risk down the road. Additionally, there is reputational risk that organizations will be concerned about. When notifying the Privacy Commissioner, organizations may want to state that the investigation is ongoing and that updates will be provided in a timely manner. When notifying impacted individuals, organizations should ensure that all required information is contained in the notification. It is best to be transparent and truthful in such notifications, as not doing so may cause even greater litigation and reputational risk.

Regulatory Impact Analysis and Regulations

The draft regulations are open for a comment period. To read full details of the draft and the accompanying regulatory impact analysis statement, please visit the Canada Gazette.

We’re Here To Help

If you have questions regarding this or any questions related to privacy legislation in general, please contact us.

Sanctions This Week: July 18th – 22nd, 2016

OSFI

On July 18th and 22nd, 2016, the Office of the Superintendent of Financial Institutions (OSFI) released the United Nations Security Council’s (UNSC’s) Al’Qaida and Taliban regulations updates to the sanctions list, deleting one individual and amending another.

The individuals are subject to the assets freeze, travel ban and arms embargo set out in paragraph 2 of Security Council resolution 2253 (2015) adopted under Chapter VII of the Charter of the United Nations.

The review of the individual who was deleted from the list was triggered by regularly scheduled updates.  However, no additional information was available regarding the justification.

The amendment of one individual’s information included the following:

  • A physical description;
  • The confirmation of the most recent position held within the Taliban, as of April 2015; and
  • That they are currently involved in drug trafficking and operate a heroin laboratory in Afghanistan.

See the July 18th update on the United Nations (UN) website.

See the July 22nd update on the United Nations (UN) website.

Go to the OSFI lists page.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released three updates last week.  One update was related to the addition of three individuals to the Counter Terrorism Designations list.  The second update was related to the addition of multiple individuals and entities to the Syria and Non-proliferation Designations lists.  The final update last week was to the Kingpin Act and Panama-related Frequently Asked Questions (FAQs) regarding General Licenses.

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.  The sanctions target countries, regimes, terrorists, international narcotics traffickers, the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S.

The changes to the Counter Terrorism Designations list included three individuals of different nationalities, Saudi Arabia, Egypt and Algeria, though all have been linked to Al Qa’ida.

The update to the Syria Sanctions list included eight individuals, all of whom are Syrian. The seven entities range from construction to finance to manufacturing industries and vary in location, including:

  • Syria;
  • Saint Kitts and Nevis;
  • Cyprus;
  • UAE; and

The update to the Kingpin Act and Panama-related FAQs is specific to General License 5B and 6B.

See the Counter Terrorism Designations list update on OFAC’s website.

See the Syrian and Non-proliferation Designations lists update on OFAC’s website.

See the Kingpin Act and Panama-related General License FAQs update on OFAC’s website.

See OFAC’s recent actions page.

Need A Hand?

We would love to hear from you.  If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Sanctions This Week: July 11th – 15th, 2016

OSFI

There were no updates released from OSFI this week.

Go to the OSFI lists page.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released one update last week.  The update was related to the addition of two Russian individuals who were added to the Counter Terrorism Designations list.

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.  The sanctions target countries, regimes, terrorists, international narcotics traffickers, the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S.

No other information was available on the individuals who were added.

See the Counter Terrorism Designations list update on OFAC’s website.

See OFAC’s Recent Actions page.

Need A Hand?

We would love to hear from you.  If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Sanctions This Week: July 4th – 8th, 2016

OSFI

On July 5th, 2016, the Office of the Superintendent of Financial Institutions (OSFI) released the United Nations Security Council’s (UNSC’s) Al’Qaida and Taliban regulations update to the sanctions list, removing one individual.

Individuals who are included in the list are subject to the assets freeze, travel ban and arms embargo set out in paragraph 2 of Security Council resolution 2253 (2015) adopted under Chapter VII of the Charter of the United Nations. The delisting of the individual was decided following a review, initiated by a request that was submitted to the Ombudsperson. The individual is a German national and has been imprisoned in Germany since 2007.

See the update on the United Nations (UN) website.

Go to the OSFI lists page.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released three updates last week.  The first update, released on July 5th, 2016 was related to the settlement of a potential civil liability for apparent violations of the Iranian and Sudanese transactions and sanctions regulations.  The second update was related to the addition of multiple North Korean individuals and entities to the North Korean Designations List.  The final update was further clarification to the new Cuba-related Frequently Asked Questions (FAQ).

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.  The sanctions target countries, regimes, terrorists, international narcotics traffickers, the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S.

The settlement on July 5th for apparent violations of the Iranian and Sudanese sanctions was levied against Alcon Laboratories, Inc., Alcon Pharmaceuticals Ltd., and Alcon Management SA.  In the course of the investigations, Alcon produced documents and information where it appeared that from August 2008 to December 2011, Alcon violated Iranian sanctions on 452 occasions and Sudanese sanctions on 61 occasions.  Alcon engaged in the sale and exportation of medical end-use surgical and pharmaceutical products from the United States to distributors located in Iran and Sudan without OFAC authorization. OFAC determined that Alcon did not make a voluntary self-disclosure and that the apparent violations were not egregious. The statutory maximum civil monetary penalty amount for the Apparent Violations was $138,982,584 USD and the base penalty amount was $16,927,000 USD.  Ultimately, Alcon paid $1,317,150 USD.

The North Korean sanctions list update included numerous individuals and entities, some of whom are high-ranking officials with titles such as:

  • Director of the Fifth Bureau of the Reconnaissance;
  • Director of the Workers’ Party of Korea Propaganda and Agitation Department; and
  • Minister of People’s Security.

The update to the Cuba-related FAQs was specific to the addition of two new questions, #43 and #50, regarding the use of the U.S. dollar in certain transactions.

See the Enforcement Action update on OFAC’s website.

See the North Korea Designations List update on OFAC’s website.

See the Cuba-related FAQ update on OFAC’s website.

See OFAC’s Recent Actions page.

Need A Hand?

We would love to hear from you.  If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Unpublished FINTRAC Penalties

Jonathan Krumins, Vice President, vCAMLO

Today’s guest blogger is Jonathan Krumins, Vice-President, AML Risk & Compliance, at vCAMLO Solutions Inc. vCAMLO provides anti-money laundering (AML) and counter terrorist financing (CTF) support to Canadian credit unions. You can learn more about vCAMLO at www.vcamlo.ca.

Background

Reporting entities (REs) often ask us about penalties, in particular when they are published publicly. Since 2009, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has issued Administrative Monetary Penalties (AMPs) against persons and entities that were found to have violated the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, and its associated Regulations. In many cases up to 2013, FINTRAC has published details on its website about each penalty, including the name of the person or entity, the dollar amount of the AMP, as well as the cited deficiencies. The AMP area of their website has two sections: a list of all published penalties, as well as a running total of AMPs imposed since December 30, 2008, divided by sector.

As of June 26, 2013, FINTRAC changed its policy regarding public notice of AMPs, so that they would be published if one or more of the following criteria are met:

  • The person or entity has committed a very serious violation; or
  • The base penalty amount is equal to or greater than $250,000, before adjustments are made in consideration of the person or entity’s compliance history and ability to pay; or
  • Repeat significant non-compliance on the part of the person or entity.

AMPs can only be published once the appeals process is exhausted, which can take years to complete. This process can include an appeal to FINTRAC’s director, and a subsequent appeal to the Canadian Federal court.

Understanding this context is vital for RE Compliance Officers. While trend information related to published and unpublished penalties is not likely of interest to frontline staff, understanding these patterns is useful in fielding questions from Senior Management and the Board of Directors.

We have conducted an analysis of data published on FINTRAC’s website which shows a trend of an increasing number of unpublished AMPs since 2013. These unpublished AMPs were primarily imposed on the Credit Union/Caisse Populaire and Money Service Business (MSB) sectors.

Methodology

We have made all calculations using information available as of April 20, 2015. We examined publicly available information on FINTRAC’s webpage, using the running total of AMPs by sector and the list of public AMPs. We also examined a summary of AMPs as of October 2014 obtained by Outlier through an Access to Information request. Our analysis focuses only on the sectors that have received AMPs, either published or unpublished: Credit Unions (including Caisses Populaires), MSBs, Real Estate Brokers, Securities Dealers and Casinos.

In addition, we accessed “cached” versions of FINTRAC’s website to review past versions in order to include six public AMPs that were issued between August 19, 2009 and April 26, 2010. In accordance with FINTRAC policy, these were removed from FINTRAC’s website after the five year public notice period had expired. We have included this historical data in order to provide a full view of the penalties issued. It is noteworthy that there are likely additional penalties in the process of being appealed (this information cannot be made available until the appeals process is complete).

Published AMPs vs. Unpublished AMPs

By analyzing the list of published penalties, compared to the running total of AMPs, it appears that there have been a significant number of unpublished penalties:

[Figure: FINTRAC AMPs]

Credit Unions

Credit Unions have received the largest number of unpublished penalties, both in terms of number and dollar amount. Credit unions have received 3 published AMPs, totalling $246,690. They have also received an additional 11 unpublished AMPs, totalling $405,855.

Trend analysis: This appears to be a significant increase in overall enforcement action by FINTRAC in the Credit Union sector. The total number of penalties against Credit Unions has increased sharply to 14, which means that Credit Unions now have the second largest number of listed AMPs (published and unpublished), behind MSBs. All penalties against Credit Unions since 2013 were unpublished. This data can also be interpreted to mean that FINTRAC’s enforcement efforts against Credit Unions have increased since 2013; however, it is important to remember that AMPs are listed on FINTRAC’s website after they are finalized, which can mean a significant gap between when an AMP was issued and when it is listed, especially if there is an appeal involved.

Money Service Businesses (MSBs)

MSBs have received 22 published penalties, totalling $527,510. They also have received eight unpublished penalties, totalling $68,520. Interestingly, a $12,880 penalty that was published against an MSB on July 11, 2013 no longer appears on FINTRAC’s website.

Trend analysis: MSBs continue to be the leading sector in terms of receiving AMPs, although similar to the other sectors examined, the majority of AMPs that were against MSBs from late 2013 through to 2015 were unpublished.

Real Estate Brokers

Real Estate Brokers have received three published penalties totalling $40,520 compared to three unpublished penalties totalling $25,960.

Trend Analysis: Real Estate Brokers have received relatively few published and unpublished penalties in comparison to the Credit Union and MSB sectors. The number of unpublished penalties (compared to the number of published penalties) is consistent with trends across all sectors.

Securities Dealers

Securities Dealers have received four published penalties totalling $565,180 compared to one unpublished penalty of $21,480.

Trend Analysis: Securities Dealers have received relatively few published and unpublished penalties in comparison to the Credit Union and MSB sectors.

Casinos

Casinos have never received a published AMP; however, FINTRAC’s website shows an unpublished AMP of $56,700 issued against a casino. This may be surprising to anyone who has read about BC Lottery Corporation; however, AMPs are not part of these records until the appeals process has been exhausted (and there have been successful appeals).

Trend analysis: It is difficult to establish a trend based on a single data point; however, this unpublished AMP shows that the Casino sector is no longer unaffected by FINTRAC penalties.

What Does This All Mean?

[Graph]

Note: The dates on the above graph represent when FINTRAC’s website was analyzed to calculate the total number of penalties, with the exception of October 2014, which is the “as of” date of an AMP listing received in a Freedom of Information request. Data for unpublished AMPs is only available since 2013.

As of June 2013, FINTRAC began to apply the updated standard for publicly listing AMPs. Since this change, unpublished penalties comprise approximately 42% of all issued AMPs by amount and 43% by number. While this is excellent news for REs that are concerned with the negative media and other reputational risk related to published penalties, it will make it more difficult to assess the reasons that REs are receiving penalties. The specific violations that led to a penalty are only made public by FINTRAC when the AMP is published. In order to ensure that our Credit Union clients are well-informed about industry trends related to penalties, vCAMLO will be requesting additional information and performing trend analysis. Stay tuned!

Your Best Defence

To avoid AMPs, it is essential to constantly test for weaknesses in your compliance regime. Conduct rigorous effectiveness testing (this is required at least every two years), and consider more frequent testing. Finally, ensure that immediate steps are taken to remediate deficiencies received in FINTRAC exams. Deficiencies that re-appear in follow-up exams are taken seriously by FINTRAC, and can lead to penalties, published or not.

Need a Hand?

vCAMLO: If you are a credit union or MSB, and have any questions related to financial compliance, or if you are interested in AML Support Services, please contact us for a complimentary 30 minute compliance discussion.

Outlier: If you need assistance reviewing your technology solution or FINTRAC reporting to be certain that you’re meeting the standard described in this blog, or just someone to chat with to make sure that you’re on the right track, please contact us.

Suspicious Transaction Reporting in 2015

Preparing for a FINTRAC examination

At the Canadian Institute’s 14th Annual AML Forum, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) reviewed its expectations for suspicious transaction reporting. FINTRAC emphasized that suspicious transaction reports (STRs) are vital to the agency’s mandate as Canada’s financial intelligence unit (FIU) and ongoing collaboration with law enforcement agencies. While reporting entities (REs) in Canada have been required to report transactions for quite a few years, we’ve had many questions from REs about what FINTRAC expects and looks for in examinations. FINTRAC’s most recent guidance is useful in tuning your technology, enhancing your processes, and asking the right questions at industry association meetings.

What is FINTRAC Looking for in STRs?

When FINTRAC conducts compliance examinations, they will be applying three tests to STR data, including:

  1. Entity Practitioner: FINTRAC will look for transactions that are similar to those involved in STRs that you have reported. If there are similar transactions or transaction patterns that have not been reported to FINTRAC, there should be an explanation for the difference. Where possible, this explanation should be documented.
  2. Sector Practitioner: FINTRAC will compare the number and type of STRs submitted by similar entities. The size and type of business are taken into consideration.
  3. Reasonable Practitioner: FINTRAC will analyze a sample of reported STRs and unreported transactions against relevant guidance. In this case, relevant guidance means the suspicious transaction indicators from FINTRAC’s Guideline 2 that are applicable to your business.

These are terms that we’re likely to hear more about over the coming months, and there are compliance program adjustments (most of them relatively simple) that can be made to ensure that you’re meeting this standard.

Tune Your Technology

Most REs use software solutions to detect potentially suspicious transactions. Almost all transaction monitoring software uses some type of rules-based system to determine when alerts should be generated. These rules should, at minimum, reflect the indicators that are applicable to your business. Not all of the indicators from FINTRAC’s Guideline 2 will be applicable to your business. Where possible, you should document the decisions that you make about your transaction monitoring rules, including the rationale for those decisions.

The most sophisticated software platforms have machine learning functions. These can take the decisions that have been made about previous alerts and use this information to refine how the program works. For example, if a particular pattern of transactions was deemed to be suspicious, the program may look for similar patterns.

If you’re not using software that does this on its own, don’t panic. You can review the STRs that you’ve submitted to FINTRAC to determine whether your transaction monitoring rules are tuned to reflect the types of money laundering and terrorist financing threats that you’ve previously encountered. This should be done on a regular basis (for example, as part of your Risk Assessment updates). If you have an STR that is related to a pattern that you don’t have a rule to cover, you may want to do this sooner, rather than waiting for the next scheduled update.

Train Your Staff

Over the years, I’ve heard many Compliance Officers express frustration about not knowing whether or not STR data has been useful to FINTRAC or law enforcement. To close this gap, I’ve looked for articles and speakers from FINTRAC and law enforcement that could provide meaningful information about the type of information that is most useful. The same principle applies to your staff.

You can use existing cases (you’ll want to remove any personal information for training purposes) to demonstrate the type of transactions that you want your staff to escalate to compliance for review. Existing cases from the media, and end to end cases provided by training companies like TAMLO, are also excellent resources. Keeping your annual training fresh is a challenge, and using your STRs as cases is one way to do that, while also meeting FINTRAC’s expectations.

Refine Your Audits & Effectiveness Reviews

Are your auditors and/or reviewers using the same tests that FINTRAC is using to assess your compliance? If you’re not certain, ask.

If you perform self-assessment testing, you may want to include these tests as well.

As of 2015, all AML Compliance Effectiveness Reviews performed by Outlier will use these three key tests to assess STR data.

Ask Your Industry & Working Groups for More

Most REs have excellent industry associations and working groups such as the Canadian Banker’s Association (CBA), Canadian MSB Association (CMSBA) or the Canadian Jewellers Association (CJA). These groups are excellent resources and can help you understand STR trends across your industry. If you’re not a member, you may still be able to attend regular conferences or events.

Need A Hand?

We would love to hear from you. If there are topics that you would like to know more about, or if you need assistance with your compliance program, please contact us.

FINTRAC Examination Results for MSBs

The Canadian Money Services Business Association (CMSBA) recently held their Spring Training events in Montreal, Vancouver and Toronto.  The list of speakers included MSB industry professionals, as well as representatives from regulators including the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).  For a full synopsis of the Montreal and Toronto events, click here.  FINTRAC presented excellent statistical data about how MSBs have fared in examinations conducted between April 2011 and July 2014.  So how are MSBs faring?  Very well overall. 

Data obtained through a freedom of information request indicates that almost 25% of MSBs examined between 2008 and 2013 have not had any deficiencies.

How Does FINTRAC Decide Who Is Examined?

FINTRAC considers several factors when deciding which reporting entities (REs) will be examined.

  • Concurrent Examinations: examinations conducted in tandem with the Office of the Superintendent of Financial Institutions (OSFI). This is applicable to federally regulated financial entities (FRFEs) like banks.
  • Market Share: The largest reporting entities in Canada (because the larger an organization is, the more critical the risk of non-compliance will be);
  • Cyclical: Coverage of a whole industry (this seemed to apply most to Casinos).
  • Follow-Up: Subsequent examinations, with an emphasis on the resolution of deficiencies found in previous examination(s) to ensure remediation. FINTRAC noted that although it is no longer a requirement to submit a formal action plan to FINTRAC, it is a best practice for REs to document (and update) an action plan internally.
  • Risk: FINTRAC’s evaluation of the RE’s risk, based on a broad selection criteria, such as money laundering and terrorist financing vulnerabilities, the likelihood of non-compliance and industry trends.
  • Theme-Based: Related to specific intelligence about a RE or type of business that indicates there may be an elevated risk of non-compliance, money laundering vulnerability or terrorist financing vulnerability.

Methodology & Analysis

FINTRAC’s statistical analysis of MSB adherence to the requirements laid out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its regulations breaks down, by percentage, the results of the exams conducted into fully compliant, partially compliant and non-compliant. These are colour coded:

  • Green: fully compliant (no deficiencies were observed),
  • Yellow: partially compliant (there was something in place, but the MSB missed something), and
  • Red: non-compliant (in most cases, there was nothing in place or a reporting timeframe was missed).

Overall examination results have been positive.

Overview

It’s noteworthy that if FINTRAC has, as of 2014, found something during an examination that is considered ‘immaterial’, it’s not cited.  For example, in a large sample, if there are two client addresses that appear to be PO boxes, but all other client addresses were complete and in acceptable formats, there may not be a citation.  In these cases, FINTRAC may inform the RE verbally, but it will not be part of the formal ‘findings’ letter.

Compliance Officer

MSBs are required to have a Compliance Officer (a person that is responsible for overseeing the AML & CTF compliance program).  The appointment of the Compliance Officer must be documented in writing.  FINTRAC staff chided that this is likely the easiest area to achieve a fully compliant result in examinations.  MSB examination results certainly reflected this.

From a total of 612 MSB examinations considered, 608 MSBs were fully compliant.

Only four MSBs were deemed to be non-compliant.  It was noted that these were generally new market entrants that did not appear to understand Canadian AML & CTF compliance requirements.

Policies and Procedures

MSBs are required to have policies and procedures.  Policies describe the MSB’s regulatory obligations, while procedures describe what the MSB is doing to meet those requirements.  These must be documented, in writing, and the procedures must cover both staff and agents (if the MSB has agents).

From a total of 765 MSB examinations considered, 477 MSBs were fully compliant.

In 230 examinations, MSBs were deemed to be partially compliant.  Common errors included:

  • The omission of the 24-hour rule (specific descriptions of how the MSB determined whether or not reportable transactions had occurred over a 24 hour period),
  • Third party determinations (specific descriptions of when an MSB must determine if there is a third party involved, as well as what information needs to be collected and recorded), and
  • Politically exposed foreign person (PEFP) determinations (specific descriptions of when an MSB must determine if their client is a PEFP, and if so, what information needs to be collected/recorded. There is also a requirement that senior management signoff on the account within 30 days of the determination).

A total of 55 MSBs did not have any documented policies or procedures. In some cases, FINTRAC noted that there appeared to be processes in place, but that these were not documented in writing.

Training

MSBs are required to have an ongoing training program. The training program must be documented (who, what, where, when and how) and delivered to all staff and agents on an annual basis, at minimum.

From a total of 487 MSB examinations considered, 346 were fully compliant.

In 63 examinations, MSBs were deemed to be partially compliant.  Common errors included:

  • Interviews conducted with staff during an examination that evidenced a misunderstanding of the requirements (during an exam, FINTRAC will interview random staff members related to regulatory requirements to ensure training effectiveness)

In 78 examinations, MSBs did not have any training in place, or if they did, it was not documented.

Among the training options available to MSBs, we’re most excited about a relatively new offering from TAMLO that includes fast paced and visually stunning video content, as well as testing and tracking tools for Compliance Officers.

AML Compliance Effectiveness Review

MSBs are required to complete an AML Compliance Effectiveness Review once every two years.  The review must cover all policy and procedure documentation, as well as operational testing to ensure procedures are being properly followed.

From a total of 722 MSB examinations considered, 412 were fully compliant.

In 101 examinations, MSBs were deemed to be partially compliant.  Where MSBs missed the mark was typically because they did not respect the two year cycle.  Other common errors included:

  • Only reviewing the policy documents with no operational testing of whether they are being followed (the policy document tells staff and agents what to do. Procedures tell them how to do it.  MSBs must be sure they are testing whether staff and agents are adhering to the procedures).

In 209 examinations, MSBs had not conducted an effectiveness review or could not provide evidence of one taking place.

Risk Assessment

MSBs are required to assess the risk that their business could be used for money laundering or terrorist financing.  The risk assessment must include four key components:

  • Products, services and delivery channels;
  • Geography;
  • Customers; and
  • Any other relevant factors.

Risk must be assessed and scored, and mitigated by appropriate controls.

From a total of 720 MSB examinations considered, 432 were fully compliant.

In 158 examinations, MSBs were deemed to be partially compliant.  The main issue was failing to include one of the four required elements. In some cases, a risk assessment was in place, but the documentation was not sufficient in assessing the MSB’s risk and controls.

In 129 examinations, MSBs had no evidence of a risk assessment.

FINTRAC noted that additional industry-specific risk assessment guidance is expected to be published later this year.

MSB Registration

MSBs are required to register with FINTRAC, as well as update their information within 30 days if there are any changes to business activities, banking or agent information.

From a total of 591 MSB examinations considered, 230 were fully compliant.

In this category, no partially compliant ratings were provided (the MSB registration was either complete, accurate and up to date, or it was deemed to be non-compliant).

In 361 examinations, MSBs were deemed to be non-compliant.  Most issues were due to a failure to update information when something within the business had changed or a failure to list all business activities. For example, the MSB registration may indicate that an MSB only performed foreign exchange in a case where remittance services were also provided.

Client Identification

MSBs are required to identify their clients in certain situations.  There are prescribed methods for completing this both in person and non-face-to-face (NF2F), and the identification document (ID) information must be recorded.

From a total of 796 MSB examinations considered, 621 were fully compliant.

In 64 examinations, MSBs were deemed to be partially compliant.  Common errors included:

  • Unacceptable ID (such as health card in Ontario);
  • Accepting ID that was expired at the time of the transaction (identification documents must be valid, or not expired, at the time they are reviewed);
  • Failing to record the prescribed details of the ID used (when reviewing a client’s ID, MSBs must keep a record of certain prescribed information); and
  • In Non-Face-To-Face Identification situations, only using one method, or using an unacceptable combination of methods (when identifying a customer who is not physically present, there are prescribed methods of how this is to be accomplished).

In 111 examinations, MSBs were non-compliant with client identification requirements.

Record Keeping

MSBs are required to keep certain records related to transactions and client identification.  These records must be stored in a manner that they can be accessed in the event they are requested, and must be maintained for at least five years.

From a total of 811 MSB examinations considered, 470 were fully compliant.

In 300 examinations MSBs were deemed to be partially compliant.  In these cases, record keeping was taking place but elements of the record keeping requirements were being overlooked.  Common issues included:

  • Missing telephone numbers;
  • Vague occupation information (for example “manager” or “worker”);
  • PO boxes recorded as customer addresses;
  • Missing postal codes;
  • Third party determinations that were incomplete; and
  • Payment methods for incoming and outgoing payments.

In 41 examinations, MSBs were non-compliant with record keeping requirements.

Third Party Determinations

MSBs are required to make a third party determination in certain prescribed circumstances, as well as collect and record certain information (name, address, date of birth, occupation and relationship to your client) about the third party.

The total number of MSBs included in the review was not provided, with the statement: “there was not enough information available to conduct reasonable analysis”.  However, the total number of non-compliant MSBs was 6, indicating that approximately 600 MSB examinations were considered in this sample.

FINTRAC Reporting

When FINTRAC assesses reporting obligations, it uses the internal acronym “QTV”, which stands for quality, timing and volume. Quality refers to the information in the report, specifically, whether the report has all the required information. Timing refers to whether the report was filed within the designated timeframe. Volume is slightly more complicated, but mainly refers to the number of reports you have filed compared to your previous submissions. It was noted that typically, where MSBs were deemed partially compliant, it was due to quality, whereas non-compliance was related to timing.

Electronic Funds Transfer Reports

MSBs are required to submit electronic funds transfer (EFT) reports to FINTRAC within 5 business days from the date the transaction took place.  An EFT includes the international transfer of CAD 10,000 or more, either in a single transaction, or multiple transactions within a 24-hour period.

From a total of 434 MSB examinations considered, 165 were fully compliant.

In 87 examinations, MSBs were deemed to be partially compliant. MSBs were typically failing to include all required information, such as:

  • Phone number;
  • Date of birth; or
  • Postal code.

It is noteworthy that while not all fields are marked as required in F2R, all fields must be filled in if the MSB has recorded the information.

In 182 examinations, MSBs were deemed non-compliant, with most not reporting the EFTs within the specified time frame, and a small portion missing EFT reports.

Large Cash Transaction Reports

MSBs are required to submit large cash transaction (LCT) reports to FINTRAC within 15 calendar days from the date of the transaction, if the transaction was CAD 10,000 or more in cash, either in a single transaction, or multiple transactions within a 24-hour period.

From a total of 428 MSB examinations considered, 232 were fully compliant.

In 104 examinations, MSBs were deemed to be partially compliant.  MSBs were typically failing to include all required information, such as:

  • Occupation;
  • Date of birth;
  • Postal code; or
  • Type of ID used to identify the client.

In 92 examinations, MSBs were non-compliant, with most not reporting the LCTs within the specified time frame, and a small portion missing LCT reports.

Suspicious Transaction Reports

MSBs are required to submit suspicious transaction reports (STRs) and attempted suspicious transaction reports (ASTRs) to FINTRAC within 30 calendar days from the date the transaction is deemed suspicious by the Compliance Officer.

From a total of 285 MSB examinations considered, 262 were fully compliant.

In 14 examinations, MSBs were deemed to be partially compliant.  In these cases, MSBs were typically failing to include all required information.

In 9 examinations, MSBs were non-compliant. Failing to file STRs carries relatively severe penalties, as the Canadian intelligence community relies on this type of reporting to build cases. Where items are escalated as being potentially suspicious (either by staff or a transaction monitoring system), MSBs should always document the reason that these items are deemed not to be suspicious if no STR or ASTR reporting is completed.

Need a Hand?

If you are an MSB that needs compliance assistance (or a bank that wants assistance in setting up and maintaining a compliance regime that effectively manages MSB related risk), please contact us.


Insights From the CMSBA Education Days

We were fortunate enough to be able to attend the Canadian MSB Association (CMSBA)’s Montreal and Toronto spring training days. For Money Services Businesses (and those affiliated with the industry), the CMSBA is an excellent resource for collaboration, information sharing and advocacy. For those that were not able to attend any of the spring training sessions, here’s a roundup of the topics covered.

FINTRAC & MSB Compliance Examinations

Canada’s federal regulator for anti-money laundering (AML), the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), provided in depth statistics related to compliance examinations, as well as common issues for MSBs. Despite what some highly publicized administrative monetary penalties (AMPs) may lead you to believe, MSBs are faring well as a sector in FINTRAC’s compliance examinations. It’s noteworthy that through a freedom of information request, Outlier obtained data on the number of MSBs that did not have any deficiencies in examinations. Between 2008 and the end of 2014, this amounted to approximately 25% of all MSBs examined. In most cases, MSBs were largely compliant, with some partial deficiencies.

For a complete breakdown of common issues noted in examinations, click here.

AMF, Respondents & Digital Currency

Québec’s provincial regulator, the Autorité des Marchés Financiers (AMF), provided clarification on its expectations for MSB respondents. For MSBs dealing with customers in Québec that do not have offices in the province, a respondent must be nominated to deal with the AMF on the MSB’s behalf. Among the requirements are that the respondent must:

  • Be over 18 years old;
  • Have an address in Québec (home address or business address); and
  • Not be under tutorship, curatorship or advisorship.

The AMF also addressed digital currency, noting that not all digital currency business models are covered by the Québec MSB Act, and that there must be an element of fiat currency involved in the transactions. Both the AMF’s press release from February 2015 and the current presentation confirmed that digital currency trading platforms (that include fiat currency transactions) and digital currency ATMs are considered in scope. As there are a myriad of other digital currency related business models, if you are unsure of where you fit, you can contact the AMF and receive a decision (we recommend that you request a decision in writing where possible).

Agency Agreements

I had the honour of speaking about MSB agency agreements (the agreements between MSBs and their agents) with Susan Han (previously of AUM Law). Like most things, agent agreements should be documented in writing and clearly spell out the terms of the agreement. MSBs that take on agents should understand that the MSB would bear most of the risk (financial, compliance and reputational). Agents should be aware that the client (and information about the client) “belongs” to the MSB rather than the agent (and this information should always be provided to the MSB when it is requested).

International Collaboration & De-Risking

The CMSBA has partnered with MSB associations worldwide to increase awareness of the negative ways in which de-risking (which CMSBA Director Ken Saul noted should be called de-banking) affects the financial system. As the de-risking issue has affected MSBs worldwide, and there do not appear to be any effective solutions under consideration, a whitepaper was developed and presented to the Financial Action Task Force (FATF). This whitepaper has received a positive reception. Stay tuned for more on the international efforts in this regard.

One of the few Canadian Financial Institutions that (openly) banks MSBs, Luminus Financial, was on hand to discuss factors that MSBs should consider when dealing with banking relationships. MSBs should be prepared to provide complete and transparent information about their business. In order to achieve success in both obtaining and maintaining banking relationships, MSBs should be able to demonstrate that they are compliant and present information in a way that is well organized and addresses all of the questions and requests that the bank has made. In some cases, this will be a higher standard than simply meeting the minimum compliance requirements set out in law and regulation.

Compliance Maturity Model

In looking proactively at issues related to de-risking and demonstrating compliance, the CMSBA is working to develop a compliance maturity model (CMM). Currently, CMSBA members can complete the first stage of this model by completing an attestation form online. The attestation states that the MSB is compliant with applicable legislation and not subject to administrative or criminal proceedings. Questions, comments or suggestions related to the CMM can be directed to cmsba-cmm@canadianmsb.org.


Highlights from the 2015 AML Forum

This year I had the honour of co-chairing the Canadian Institute’s 14th Annual AML Forum, along with Ron King of Scotiabank. The event brought together a diverse group of stakeholders and speakers including regulators, law enforcement, bankers, money service businesses (MSBs), technology experts and government. Over two days, we enjoyed many lively discussions, and while I can’t cover all of the content here, I want to provide some insight for colleagues that weren’t able to attend the event.

Key Messages from Regulators & The Department of Finance

Representatives from the Department of Finance, the Office of the Superintendent of Financial Institutions (OSFI) and the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) were present throughout the conference, and fielded questions from the audience throughout the event. Among the most exciting announcements was the Department of Finance’s assertion that we should expect a new AML regulations package to be released in draft for public comment later this year. Though the target date is set for June or July, anything can happen in an election year and there may be delays.

The Department of Finance, OSFI and FINTRAC also discussed Canada’s upcoming mutual evaluation by the Financial Action Task Force (FATF) and Canada’s countrywide risk assessment. The risk assessment is underway and expected to be shared later this year, in advance of the FATF’s visit this fall (with results expected to be published next summer). The risk assessment will likely prove to be a useful tool for regulated entities struggling to qualify Canadian money laundering and terrorist financing risk.

OSFI emphasized the importance of considering the AML program as part of the overall prudential compliance management strategy for federally regulated financial entities (FRFEs). It is expected that OSFI’s guideline B-8 will be revised in the near term. To avoid rework, OSFI is waiting for several key inputs including the updated AML regulations package, FINTRAC’s updated risk assessment guidance and the countrywide risk assessment. OSFI will also continue to work with FINTRAC on streamlining examination processes, citing the need to create a common framework and approach to examinations.

FINTRAC reviewed its recent statistics and emphasized the importance of the agency’s role as a financial intelligence unit (FIU). Key to this role are suspicious transaction reports (STRs), which will play a key role in upcoming examinations for regulated entities. FINTRAC will be applying several tests to STR data, including:

  • Entity Practitioner: similar transactions within an entity that were not reported to FINTRAC;
  • Sector Practitioner: a comparison of the number and type of STRs submitted by similar entities (the size and type of business are taken into consideration); and
  • Reasonable Practitioner: a comparison of the reported and unreported transactions against relevant guidance on reasonable grounds to suspect that money laundering or terrorist financing activity may be taking place.

This echoes FINTRAC’s comments throughout 2014 on the importance of suspicious activity reporting, a sentiment that was echoed by law enforcement.

Law Enforcement Focus

Speakers representing the Royal Canadian Mounted Police (RCMP) and US Federal Bureau of Investigation (FBI) discussed the strategic value of intelligence obtained through FIUs and directly from the financial services community. While the specifics of ongoing cases cannot be discussed publicly, both speakers emphasized the importance of providing complete and concise information, and provided excellent examples of how this type of intelligence is used by law enforcement.

The speakers confirmed that the dollar values for terrorism related transactions seen in Canada are consistently low. The RCMP discussed a transaction pattern relevant to individuals planning to attend radical training camps wherein an individual saves a relatively small sum via legitimate work (often at low wage jobs), then purchases a plane ticket and camping gear (which may account for all or almost all of the funds saved). Patterns such as these are useful for institutions seeking to understand and identify patterns of activity that may be indicative of potential terrorism.

The De-Risking Debate Continues

One of the most lively discussions of the event surrounded “de-risking” (refusing to provide service to a customer that is outside of the institution’s risk tolerance). While banks in Canada are private, for profit enterprises, access to banking facilities remains a vital component for business success. The money service business (MSB) sector has struggled with banking relationships both in Canada and abroad. Best practices discussed included independent third party compliance reviews conducted by qualified practitioners as a valuable tool in assisting banks to assess the state of an MSB’s compliance. It was noted that while the MSB sector is certainly vulnerable to money laundering and terrorist financing, it is not the only vulnerable sector in Canada. While Canadian MSBs are regulated by FINTRAC, other sectors that are both vulnerable and unregulated have not experienced the same degree of de-risking.

Banks emphasized the risks for financial institutions in dealing with certain types of business as being broader than AML compliance. Chief among these risks was reputational risk. As one banker noted, when a bank’s larger clients are offside with requirements, the client, not the bank, is publicly held accountable. When the bank’s client is of a smaller size however, banks are being considered more responsible in the eyes of the media and the public. This, coupled with the profitability of accounts held for smaller entities considered by banks to be high risk, may be at the root of some of the banking woes experienced in the MSB sector, in particular by smaller MSBs.

Sanctions, PEPs and Analytics

Several speakers emphasized the importance of implementing and tuning technology solutions to detect persons and entities subject to sanctions, politically exposed persons and potentially suspicious transactions. Sanctions in particular appeared to be an emerging concern, with list screening alone viewed as being insufficient in terms of banking controls. The increased complexity of sanctions includes not only specific individuals and entities but their affiliates, including subsidiaries (which may not be easy to detect in many cases) and sanctions applied to specific types of transactions. For multinational financial service providers, there is additional complexity in managing sanctions related to doing business in several jurisdictions with different requirements. In order to comply effectively, information sharing across jurisdictions (including information about customer activity and risk) is likely to be required. For many entities, this will mean revising privacy related policies and disclosures to enable information sharing across a network of affiliated entities.

In addition to privacy considerations, the integration of systems and processes across affiliated entities and lines of business was a key consideration. One Canadian bank noted that they are in the process of synchronizing know your client (KYC) requirements across all lines of business, a process that involves the integration of data from over 35 separate IT systems and databases. Such synchronization is necessary to ensure that customer risk is considered consistently across all lines of business.

A Key Question on Emerging Technology

My co-chair raised an insightful point with the emerging payments panel in regards to Bitcoin and other emerging payment technologies. While banks have heard loud and clear that these technologies are not as anonymous as they were initially believed to be, there is a sense within the banking community that there has not, to date, been a solid assessment of the risk (or subsequently established best practices in mitigating these risks). Some of the risks raised by panelists included consumer protection (the risk that funds may be lost through negligence or bad actors) and the risks related to effective controls (which are similar to the types of risk that exist in other vulnerable sectors).

While it’s clear that emerging payment technology companies are working to demonstrate compliance in a changing regulatory landscape, there is clearly a gap between these companies and traditional financial institutions, in terms of messaging and expectations. We expect that this will be an ongoing conversation as the industry, regulations and technology continue to evolve.

We Would Love To Hear From You!

If there are topics that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Who Wins The De-Risking Shell Game?

The volume of evidence, both empirical and anecdotal, grows every day. The story on the surface is simple enough: banks are making the decision to “de-risk” (a polite way to say close the account of) certain types of businesses including money service businesses (MSBs) and digital currency businesses that are considered “too risky” by traditional financial services providers. The unintended consequences have included strained remittance corridors and frustration for businesses struggling to get by without reliable banking services. While these consequences are well documented, there are other unintended consequences of the de-risking phenomenon that have been less widely discussed. These include a growing lack of transparency between some industries and their banking service providers, which directly threatens our ability to effectively manage money laundering and terrorist financing risk at both the financial institution and national levels.

It’s a shell game of “hide the risk” – and we’re all losing.

Businesses Are Losing

By now, if you haven’t heard about businesses struggling to survive without access to banking facilities, you would have had to ignore financial media for the past two years. The global effects of de-risking have attracted the attention of the G-20, the Financial Action Task Force (FATF), Financial Crimes Enforcement Network (FinCEN), the World Bank, and many more. While it’s clear that there are issues in terms of access to banking, let’s be honest with one another: while some businesses will close up shop, many others will take a different track.

Whether it’s using alternative financial service providers, payment processors, personal bank accounts or merely opening accounts at other financial institutions without revealing the true nature of the underlying activity, businesses will find a way to carry on. I’ve spoken personally to businesses that have taken these approaches, and it has never been their first or most ideal choice. These aren’t criminals carrying on some nefarious business! They are entrepreneurs who would rather be able to provide their real business plan to their banks and explain their activity honestly, but they do not believe that this option is open to them.

Banks Are Losing

Consequently, a bank with a policy that prohibits these types of businesses from holding accounts will deal with businesses that have gone to great lengths to conceal the true nature of their activity. The banks are unaware of the true nature of the activity passing through their accounts, and therefore ill equipped to manage the risk related to these activities. The strain on banking resources must be phenomenal, as banks must constantly devise new ways to interpret patterns of customer activity to detect undeclared MSB or digital currency activity. While it isn’t easy to quantify these costs, I can only surmise that the cost of this detective work must be high, despite being ineffective.

To further muddy the waters, businesses who fail to provide transparent information to their banks for fear of de-risking may also conduct completely legal activities in a way that starts to look like criminal activity. For example, if you believe that your business banking relationship is not reliable, you may open many accounts (in some combination of personal and business names) and conduct fractions of your banking through each, transferring funds from one account to another as needed to meet your obligations. On the surface, it can seem much like “layering” or “structuring” activity (techniques used by money launderers to make funds more difficult to trace). This further adds to the banks’ burden by creating more activity that must be monitored and investigated.

Entire Nations Are Losing

It has been widely publicized that in some cases like Somalia, entire nations that are dependent on remittance payments from friends and family living and working abroad are experiencing increased difficulty. Reliable and cost-effective remittance payment providers are a shrinking pool. This seems absurd in a time when technology can facilitate a payment in seconds.

National Security Is Losing

It’s not just far-flung places dependent on remittance payments that are losing. Here at home, we have a national security system that is dependent on our financial intelligence units (FIUs) having access to reliable data. The reliability of that data is undermined at every level by the de-risking shell game:

  • Businesses do not declare the true nature of their activity – and there are no incentives for them to do so;
  • Banks do not understand the nature of their customers’ activities, making it difficult to detect potentially criminal activity; and
  • There is likely to be an increase in “false positives”, where businesses that do not believe that they can reveal the true nature of their activity to their banks instead conduct business in a manner that resembles criminal money laundering techniques.

Taken together, this results in the likelihood that key information is not being reported to FIUs correctly. Consequently, it becomes more difficult for law enforcement and other national security agencies to rely on this data to perform their roles effectively.

Who Is Winning?

There are two potential winners in this game and much like the shell games that you see duping tourists on the streets of large cities, neither is without malevolent intent.

The first are unregistered/unlicensed MSBs. These are businesses that have ignored regulatory requirements and carried on business without any FIU reporting. In some cases, these businesses will even minimize their interaction with the local financial system by using foreign bank accounts (and point of sale terminals) to collect customer funds. While the risk of penalty is high, the reward for these businesses (in particular where they are able to complete transactions that pose a challenge for their compliant counterparts) can also be high.

The second is criminal organizations. When legitimate businesses are performing transactions that look like money laundering, detecting true criminal activity becomes exponentially more difficult. I can only assume that the criminals are laughing all the way to the bank.

Shutting Down The Shell Game

De-risking is a complex problem with complex outcomes, but the solution need not be complicated. It does, however, involve the cooperation of all levels of the financial services community: regulators, banking service providers and businesses.

The costs and benefits of de-risking need to be reassessed. Where banking service providers are capable of accepting and managing accounts for businesses considered to be “higher risk”, they should do so, with their regulator’s blessing. Rather than perpetuating the shell game, regulators should encourage banking service providers to manage risk (and provide solid guidance with reference to how this should be done). Finally, there should be open communication between banking service providers, regulators and business banking customers. The lines of communication closed by de-risking must be opened, allowing banks to have honest conversations that will provide real insight into their customers’ business and lead to effective long-term risk management.
