PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

AML “Clearance Certificates” are a Scam

If you’ve received an email, letter or call telling you that a larger than usual sum of money is headed your way, but before it can be delivered to your bank, you are required to get a clearance certificate, you are being set up for a scam.

SCAM

The Setup

The scam goes by many names, but the setup is almost always the same…

Step 1: The Sexy Promise

The scammers need you to want to talk to them. To pique your interest, they’ll promise something that they think you will want. In most cases, it’s not a crazy sum of money that will be sent to you – most people would immediately recognize that as a scam. Instead, it will be a reasonable sum that is nonetheless attractive for your business.

In the most sickening cases that we’ve seen, the scammers have focused on charities by posing as potential donors. Outlier has even received a request for a clearance certificate from a “prospective client overseas.”

Step 2: The Legitimate Power

The scammers will claim that the certificate is being requested by a legitimate organization. Some of the scams that we’ve seen have said that certificates are required by:

  • Financial Transactions and Reports Analysis Centre of Canada (FINTRAC),
  • Financial Crimes Enforcement Network (FinCEN),
  • Office of the Currency Controller (OCC).
  • Securities Exchange Commission (SEC),
  • S. Department of Homeland Security,
  • International Monetary Fund (IMF), and
  • Financial Action Task Force (FATF).

None of these agencies issue, require, or have any other involvement with clearance certificates. In fact, if you call any of these agencies to ask about clearance certificates, they will tell you that you are likely the victim of a scam.

Step 3: The Real Threat

The type of “clearance certificate” that the scammers will ask for varies, but it’s usually something that most businesses have at least read about in the news, like “anti-money laundering” or “anti-terrorism.” It’s always something that sounds like it could be a real threat, although definitely not the type of threat that you would pose. Sometimes the requests will be phrased in a way that’s meant to make you feel a little bit indignant (“Why would this person think I’m a money launderer or a terrorist?!?)…

This is all part of the scam. If you’re emotional, you may not be thinking clearly, and it helps the scammer to build rapport with the victim. The scammer may offer consolations like, “Of course, I know that you’re not a criminal, but according to the * insert the authority from step 2 here * we must take these precautions…”

Step 4: Solving the Problem

The scammer is trying to collect as much information (especially financial information) as possible. The scammer will ask for your details directly (all for the purpose of obtaining the certificate, of course) or helpfully suggest a site for a “company” that can help you get your certificate.

Generally, this site requires a credit card payment (these may range from a few hundred to several thousand dollars). In more sophisticated scams, the site’s fine print states that the certificates are “not authorized by any government or international body” and that there are absolutely no refunds. This means that even if the victim reports the scam to their credit card company, they may not be able to issue a refund.

Step 5: Profit

At this stage, the scammers have the victim’s banking and/or credit card information. They may use this to conduct transactions (like draining the bank account or paying for things with the credit card), or simply sell the information on the dark web to other scammers.

Don’t Get Caught Up

It can be hard to believe that someone that you’ve been corresponding with, someone that seems like they could be good for business, is really just a scammer. It’s difficult, and embarrassing – but the sooner you exit the situation, the better off you are.

While you should report the incident (more about that below), it can be dangerous to attempt to bait the scammer to get more information about them (and the information that they provide is likely to be false in any case). Do collect as much information from your existing correspondence with the scammer (including screen captures and/or links to any websites that the scammer has provided you with), as these will be helpful in reporting the scam.

But if You Did, Protect Yourself

If you have already provided some, or all, of your financial details, it’s in your best interest to act quickly.   Contact your financial institution(s) and let them know what’s happened. They will be able to close your existing accounts, issue new accounts and review your recent transaction history with you.

Report It

At any point, you can report the scam to the Canadian Anti-Fraud Centre either online or by phone (1-888-495-8501).

Need A Hand?

While Outlier is not a law enforcement or investigative agency, we do conduct staff training sessions, including training related to common scams and how to recognize them. You can get in touch with us at info@outliercanada.com or by using the online form.

Unpublished FINTRAC Penalties

Jonathan Krumins, Vice President, vCAMLO

Today’s guest blogger is Jonathan Krumins, Vice-President, AML Risk & Compliance, at vCAMLO Solutions Inc. vCAMLO provides anti-money laundering (AML) and anti-terrorist financing (ATF) support to Canadian credit unions. You can learn more about vCAMLO at www.vcamlo.ca.

Background

Reporting entities (REs) often ask us about penalties, in particular when they are published publicly. Since 2009, The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has issued Administrative Monetary Penalties (AMPs) against persons and entities that were found to have violated the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, and its associated Regulations. In many cases up to 2013, FINTRAC has published details on its website about each penalty, including the name of the person or entity, the dollar amount of the AMP, as well as the cited deficiencies. The AMP area of their website has two sections – a list of all published penalties, as well as a running total of AMPs imposed since December 30, 2008, divided by sector.

As of June 26, 2013, FINTRAC changed its policy regarding public notice of AMPs, so that they would be published if one or more of the following criteria are met:

  • The person or entity has committed a very serious violation; or
  • The base penalty amount is equal to or greater than $250,000, before adjustments are made in consideration of the person or entity’s compliance history and ability to pay; or
  • Repeat significant non-compliance on the part of the person or entity.

AMPs can only be published once the appeals process is exhausted, which can take years to complete. This process can include an appeal to FINTRAC’s director, and a subsequent appeal to the Canadian Federal court.

Understanding this context is vital for RE Compliance Officers. While trend information related to published and unpublished penalties is not likely of interest to frontline staff, understanding these patterns is useful in fielding questions from Senior Management and the Board of Directors.

We have conducted an analysis of data published on the FINTRAC’s website which shows a trend of an increasing number of unpublished AMPs since 2013. These unpublished AMPs were primarily imposed on the Credit Union/Caisse Populaire and Money Service Business (MSB) sectors.

Methodology

We have made all calculations using information available as of April 20, 2015. We examined publicly available information on FINTRAC’s webpage, using the running total of AMPs by sector and the list of public AMPs. We also examined a summary of AMPs as of October 2014 obtained by Outlier through an Access to Information request. Our analysis focuses only on the sectors that have received AMPs, either published or unpublished: Credit Unions (including Caisses Populaires), MSBs, Real Estate Brokers, Securities Dealers and Casinos.

In addition, we accessed “cached” versions of FINTRAC’s website to review past versions in order to include six public AMPs that were issued between August 19, 2009 and April 26, 2010. In accordance with FINTRAC policy, these were removed from FINTRAC’s website after the five year public notice period had expired. We have included this historical data in order to provide a full view of the penalties issued. It is noteworthy that there are likely additional penalties in the process of being appealed (this information cannot be made available until the appeals process is complete).

Published AMPs vs. Unpublished AMPs

By analyzing the list of published penalties, compared to the running total of AMPs, it appears that there have been a significant number of unpublished penalties:

FINTRAC AMPs

Credit Unions

Credit Unions have received the largest number of unpublished penalties, both in terms of number and dollar amount. Credit unions have received 3 published AMPs, totalling $246,690. They have also received an additional 11 unpublished AMPs, totalling $405,855.

Trend analysis: This appears to be a significant increase in overall enforcement action by FINTRAC in the Credit Union sector. The total number of penalties against Credit Unions have increased sharply to 14, which means that Credit Unions now have the second largest number of listed AMPs (published and unpublished), behind MSBs. All penalties against Credit Unions since 2013 were unpublished. This data can also be interpreted to mean that FINTRAC’s enforcement efforts against Credit Unions have increased since 2013, however it is important to remember that AMPs are listed on FINTRAC’s website after they are finalized, which can mean a significant gap between when an AMP was issued and when it is listed, especially if there is an appeal involved.

Money Service Businesses (MSBs)

MSBs have received 22 published penalties, totalling $527,510. They also have received eight unpublished penalties, totalling $68,520. Interestingly, a $12,880 penalty that was published against an MSB on July 11, 2013 no longer appears on FINTRAC’s website.

Trend analysis: MSBs continue to be the leading sector in terms of receiving AMPs, although similar to the other sectors examined, the majority of AMPs that were against MSBs from late 2013 through to 2015 were unpublished.

Real Estate Brokers

Real Estate Brokers have received three published penalties totalling $40,520 compared to three unpublished penalties totalling $25,960.

Trend Analysis: Real Estate Brokers have received relatively few published and unpublished penalties in comparison to the Credit Union and MSB sectors. The number of unpublished penalties (compared to the number of published penalties) is consistent with trends across all sectors.

Securities Dealers

Securities Dealers have received four published penalties totalling $565,180 compared to one unpublished penalty of $21,480.

Trend Analysis: Securities Dealers have received relatively few published and unpublished penalties in comparison to the Credit Union and MSB sectors.

Casinos

Casinos have never received a published AMP, however FINTRAC’s website shows an unpublished AMP of $56,700 issued against a casino. This may be surprising to anyone that has read about BC Lottery Corporation, however, AMPs are not part of these records until the appeals process has been exhausted (and there have been successful appeals).

Trend analysis: It is difficult to establish a trend based on a single data point, however this unpublished AMP shows that the Casino sector is no longer unaffected by FINTRAC penalties.

What Does This All Mean?

Screen Shot 2015-05-06 at 11.58.01 AM

Note: The dates on the above graph represent when FINTRAC’s website was analyzed to calculate the total number of penalties, with the exception of October 2014, which is the “as of” date of an AMP listing received in a Freedom of Information request. Data for unpublished AMPs is only available since 2013.

As of June 2013, FINTRAC began to apply the updated standard for publicly listing AMPs. Since this change, unpublished penalties comprise approximately 42% of all issued AMPs by amount and 43% by number. While this is excellent news for REs that are concerned with the negative media and other reputational risk related to published penalties, it will make it more difficult to assess the reasons that REs are receiving penalties. The specific violations that led to a penalty are only made public by FINTRAC when the AMP is published. In order to ensure that our Credit Union clients are well-informed about industry trends related to penalties, vCAMLO will be requesting additional information and performing trend analysis. Stay tuned!

Your Best Defence

To avoid AMPs, it is essential to constantly test for weaknesses in your compliance regime. Conduct rigorous effectiveness testing (this is required at least every two years), and consider more frequent testing. Finally, ensure that immediate steps are taken to remediate deficiencies received in FINTRAC exams. Deficiencies that re-appear in follow-up exams are taken seriously by FINTRAC, and can lead to penalties, published or not.

Need a Hand?

vCAMLO: If you are a credit union or MSB, and have any questions related to financial compliance, or if you are interested in AML Support Services, please contact us for a complimentary 30 minute compliance discussion.

Outlier: If you need assistance reviewing your technology solution or FINTRAC reporting to be certain that you’re meeting the standard described in this blog, or just someone to chat with to make sure that you’re on the right track, please contact us.

 

 

 

Suspicious Transaction Reporting in 2015

Preparing for a FINTRAC examination

At the Canadian Institute’s 14th Annual AML Forum, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) reviewed its expectations for suspicious transaction reporting. FINTRAC emphasized that suspicious transaction reports (STRs) are vital to the agency’s mandate as Canada’s financial intelligence unit (FIU) and ongoing collaboration with law enforcement agencies. While reporting entities (REs) in Canada have been required to report transactions for quite a few years, we’ve had many questions from REs about what FINTRAC expects and looks for in examinations. FINTRAC’s most recent guidance is useful in tuning your technology, enhancing your processes, and asking the right questions at industry association meetings.

What is FINTRAC Looking for in STRs?

When FINTRAC conducts compliance examinations, they will be applying three tests to STR data, including:

  1. Entity Practitioner: FINTRAC will look for transactions that are similar to those involved in STRs that you have reported. If there are similar transactions or transaction patterns that have not been reported to FINTRAC, there should be an explanation for the difference. Where possible, this explanation should be documented.
  2. Sector Practitioner: FINTRAC will compare the number and type of STRs submitted by similar entities. The size and type of business are taken into consideration.
  3. Reasonable Practitioner: FINTRAC will analyze a sample of reported STRs and unreported transactions against relevant guidance. In this case, relevant guidance means the suspicious transaction indicators from FINTRAC’s Guideline 2 that are applicable to your business.

These are terms that we’re likely to hear more about over the coming months, and there are compliance program adjustments (most of them relatively simple) that can be made to ensure that you’re meeting this standard.

Tune Your Technology

Amber looking at laptop FINTRAC screen

Most REs use software solutions to detect potentially suspicious transactions. Almost all transaction monitoring software uses some type of rules-based system to determine when alerts should be generated. These rules should, at minimum, reflect the indicators that are applicable to your business. Not all of the indicators from FINTRAC’s Guideline 2 will be applicable to your business. Where possible, you should document the decisions that you make about your transaction monitoring rules, including the rationale for those decisions.

The most sophisticated software platforms have machine learning functions. These can take the decisions that have been made about previous alerts and use this information to refine how the program works. For example, if a particular pattern of transactions was deemed to be suspicious, the program may look for similar patterns.

If you’re not using software that does this on its own, don’t panic. You can review the STRs that you’ve submitted to FINTRAC to determine whether your transaction monitoring rules are tuned to reflect the types of money laundering and terrorist financing threats that you’ve previously encountered. This should be done on a regular basis (for example, as part of your Risk Assessment updates). If you have an STR that is related to a pattern that you don’t have a rule to cover, you may want to do this sooner, rather than waiting for the next scheduled update.

Train Your Staff

Training

Over the years, I’ve heard many Compliance Officers express frustration about not knowing whether or not STR data has been useful to FINTRAC or law enforcement. To close this gap, I’ve looked for articles and speakers from FINTRAC and law enforcement that could provide meaningful information about the type of information that is most useful. The same principle applies to your staff.

You can use existing cases (you’ll want to remove any personal information for training purposes) to demonstrate the type of transactions that you want your staff to escalate to compliance for review. Existing cases from the media, and end to end cases provided by training companies like TAMLO, are also excellent resources. Keeping your annual training fresh is a challenge, and using your STRs as cases is one way to do that, while also meeting FINTRAC’s expectations.

Refine Your Audits & Effectiveness Reviews

AML Compliance Effectiveness Review

Are your auditors and/or reviewers using the same tests that FINTRAC is using to assess your compliance? If you’re not certain, ask.

If you perform self-assessment testing, you may want to include these tests as well.

As of 2015, all AML Compliance Effectiveness Reviews performed by Outlier will use these three key tests to assess STR data.

Ask Your Industry & Working Groups for More

Hanshake

Most REs have excellent industry associations and working groups such as the Canadian Banker’s Association (CBA), Canadian MSB Association (CMSBA) or the Canadian Jewellers Association (CJA). These groups are excellent resources and can help you understand STR trends across your industry. If you’re not a member, you may still be able to attend regular conferences or events.

Need A Hand?

We would love to hear from you. If there are topics that you would like to know more about, or if you need assistance with your compliance program, please contact us.

FINTRAC Examination Results for MSBs

The Canadian Money Services Business Association (CMSBA) recently held their Spring Training events in Montreal, Vancouver and Toronto.  The list of speakers included MSB industry professionals, as well as representatives from regulators including the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).  For a full synopsis of the Montreal and Toronto events, click here.  FINTRAC presented excellent statistical data about how MSBs have fared in examinations conducted between April 2011 and July 2014.  So how are MSBs faring?  Very well overall. 

ZDE FINTRAC 2008-2013

Data obtained through a freedom of information request indicates that almost 25% of MSBs examined between 2008 and 2013 have not had any deficiencies.

How Does FINTRAC Decide Who Is Examined?

FINTRAC considers several factors when deciding which reporting entities (REs) will be examined.

  • Concurrent Examinations: examinations conducted in tandem with the Office of the Superintendent of Financial Institutions (OSFI). This is applicable to federally regulated financial entities (FRFEs) like banks.
  • Market Share: The largest reporting entities in Canada (because the larger an organization is, the more critical the risk of non-compliance will be);
  • Cyclical: Coverage of a whole industry (this seemed to apply most to Casinos).
  • Follow-Up: Subsequent examinations based, with an emphasis on the resolution of deficiencies found in previous examination(s) to ensure remediation. FINTRAC noted that although it is no longer a requirement to submit a formal action plan to FINTRAC, it is a best practice for REs to document (and update) an action plan internally.
  • Risk: FINTRAC’s evaluation of the RE’s risk, based on a broad selection criteria, such as money laundering and terrorist financing vulnerabilities, the likelihood of non-compliance and industry trends.
  • Theme-Based: Related to specific intelligence about a RE or type of business that indicates there may be an elevated risk of non-compliance, money laundering vulnerability or terrorist financing vulnerability.

Methodology & Analysis

FINTRAC’s statistical analysis of MSB adherence to the requirements laid out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its regulations is broken down by percentage, the results of the exams conducted that were fully compliant, partially compliant and non-compliant.  These are colour coded:

  • Green: fully compliant (no deficiencies were observed),
  • Yellow: partially compliant (there was something in place, but the MSB missed something), and
  • Red: non-compliant (in most cases, there was nothing in place or a reporting timeframe was missed).

Overall examination results have been positive.

Overview

It’s noteworthy that if FINTRAC has, as of 2014, found something during an examination that is considered ‘immaterial’, it’s not cited.  For example, in a large sample, if there are two client addresses that appear to be PO boxes, but all other client addresses were complete and in acceptable formats, there may not be a citation.  In these cases, FINTRAC may inform the RE verbally, but it will not be part of the formal ‘findings’ letter.

Compliance Officer

MSBs are required to have a Compliance Officer (a person that is responsible for overseeing the AML & ATF compliance program).  The appointment of the Compliance Officer must be documented in writing.  FINTRAC staff chided that this is likely the easiest area to achieve a fully compliant result in examinations.  MSB examination results certainly reflected this.

CO Chart

From a total of 612 MSB examinations considered, 608 MSBs were fully compliant.

Only four MSBs were deemed to be non-compliant.  It was noted that these were generally new market entrants that did not appear to understand Canadian AML & ATF compliance requirements.

Policies and Procedures

MSBs are required to have policies and procedures.  Policies describe the MSB’s regulatory obligations, while procedures describe what the MSB is doing to meet those requirements.  These must be documented, in writing, and the procedures must cover both staff and agents (if the MSB has agents).

PP Chart

From a total of 765 MSB examinations considered, 477 MSBs were fully compliant.

In 230 examinations, MSBs were deemed to be partially compliant.  Common errors included:

  • The omission of the 24-hour rule (specific descriptions of how the MSB determined whether or not reportable transactions had occurred over a 24 hour period),
  • Third party determinations (specific descriptions of when an MSB must determine if there is a third party involved, as well as what information needs to be collected and recorded), and
  • Politically exposed foreign person (PEFP) determinations (specific descriptions of when an MSB must determine if their client is a PEFP, and if so, what information needs to be collected/recorded. There is also a requirement that senior management signoff on the account within 30 days of the determination).

A total of 55 MSBs did not have any documented policies or procedures. In some cases, FINTRAC noted that there appeared to be processes in place, but that these were not documented in writing.

Training

MSBs are required to have an ongoing training program. The training program must be documented (who, what, where, when and how) and delivered to all staff and agents on an annual basis, at minimum.

Training Chart

From a total of 487 MSB examinations considered, 346 were fully compliant.

In 63 examinations, MSBs were deemed to be partially compliant.  Common errors included:

  • Interviews conducted with staff during an examination that evidenced a misunderstanding of the requirements (during an exam, FINTRAC will interview random staff members related to regulatory requirements to ensure training effectiveness)

In 78 examinations, MSBs did not have any training in place, or if they did, it was not documented.

Among the training options available to MSBs, we’re most excited about a relatively new offering from TAMLO that includes fast paced and visually stunning video content, as well as testing and tracking tools for Compliance Officers.

AML Compliance Effectiveness Review

MSBs are required to complete an AML Compliance Effectiveness Review once every two years.  The review must cover all policy and procedure documentation, as well as operational testing to ensure procedures are being properly followed.

2YR Chart

From a total of 722 MSB examinations considered, 412 were fully compliant.

In 101 examinations, MSBs were deemed to be partially compliant.  Where MSBs missed the mark was typically because they did not respect the two year cycle.  Other common errors included:

  • Only reviewing the policy documents with no operational testing of whether they are being followed (the policy document tells staff and agents what to do. Procedures tell them how to do it.  MSBs must be sure they are testing whether staff and agents are adhering to the procedures).

In 209 examinations, MSBs had not conducted an effectiveness review or could not provide evidence of one taking place.

Risk Assessment

MSBs are required to assess the risk that their business could be used for money laundering or terrorist financing.  The risk assessment must include four key components:

  • Products, services and delivery channels;
  • Geography;
  • Customers; and
  • Any other relevant factors.

Risk must be assessed and scored, and mitigated by appropriate controls.

RA Chart

From a total of 720 MSB examinations considered, 432 were fully compliant.

In 158 examinations, MSBs were deemed to be partially compliant.  The main issue was failing to include one of the four required elements. In some cases, a risk assessment was in place, but the documentation was not sufficient in assessing the MSB’s risk and controls.

In 129 examinations, MSBs had no evidence of a risk assessment.

FINTRAC noted that additional industry-specific risk assessment guidance is expected to be published later this year.

MSB Registration

MSBs are required to register with FINTRAC, as well as update their information within 30 days if there are any changes to business activities, banking or agent information.

MSB Reg Chart

From a total of 591 MSB examinations considered, 230 were fully compliant.

In this category, no partially compliant ratings were provided (the MSB registration was either complete, accurate and up to date, or it was deemed to be non-compliant).

In 361 examinations, MSBs were deemed to be non-compliant.  Most issues were due to a failure to update information when something within the business had changed or a failure to list all business activities. For example, the MSB registration may indicate that an MSB only performed foreign exchange in a case where remittance services were also provided.

Client Identification

MSBs are required to identify their clients in certain situations.  There are prescribed methods for completing this both in person and non-face-to-face (NF2F), and the identification document (ID) information must be recorded.

Client ID Chart

From a total of 796 MSB examinations considered, 621 were fully compliant.

In 64 examinations, MSBs were deemed to be partially compliant.  Common errors included:

  • Unacceptable ID (such as health card in Ontario);
  • Accepting ID that was expired at the time of the transaction (identification documents must be valid, or not expired, at the time they are reviewed);
  • Failing to record the prescribed details of the ID used (when reviewing a client’s ID, MSBs must keep a record of certain prescribed information); and
  • In Non-Face-To-Face Identification situations, only using one method, or using an unacceptable combination of methods (when identifying a customer who is not physically present, there are prescribed methods of how this is to be accomplished).

In 111 examinations, MSBs were non-compliant with client identification requirements.

Record Keeping

MSBs are required to keep certain records related to transactions and client identification.  These records must be stored in a manner that they can be accessed in the event they are requested, and must be maintained for at least five years.

RK Chart

From a total of 811 MSB examinations considered, 470 were fully compliant.

In 300 examinations MSBs were deemed to be partially compliant.  In these cases, record keeping was taking place but elements of the record keeping requirements were being overlooked.  Common issues included:

  • Missing telephone numbers;
  • Vague occupation information (for example “manager” or “worker”);
  • PO boxes recorded as customer addresses;
  • Missing postal codes;
  • Third party determinations that were incomplete; and
  • Payment methods for incoming and outgoing payments.

In 41 examinations, MSBs were non-compliant with record keeping requirements.

Third Party Determinations

MSBs are required to make a third party determination in certain prescribed circumstances, as well as collect and record certain information (name, address, date of birth, occupation and relationship to your client) about the third party.

TPD Chart

The total number of MSBs included in the review was not provided, with the statement: “there was not enough information available to conduct reasonable analysis”.  However, the total number of non-compliant MSBs was 6, indicating that approximately 600 MSB examinations were considered in this sample.

FINTRAC Reporting

When FINTRAC assesses reporting obligations, it uses the internal acronym “QTV”, which stands for quality, timing and volume.  Quality refers to the information in the report, specifically, if the report has all the required information.  Timing simply means, was the report filed within the designated timeframe.  Volume is slightly more complicated, but mainly refers to the amount of reports you have filed compared to your previous submissions.  It was noted that typically, where MSBs were deemed partially compliant, it was due to the quality.  Where non-compliance was related to the timing.

Electronic Fund Transfers Reports

MSBs are required to submit electronic funds transfer (EFT) reports to FINTRAC within 5 business days from the date the transaction took place.  An EFT includes the international transfer of CAD 10,000 or more, either in a single transaction, or multiple transactions within a 24-hour period.

EFT Chart

From a total of 434 MSB examinations considered, 165 were fully compliant.

In 87 examinations, MSBs were deemed to be partially compliant. MSBs were typically failing to include all required information, such as:

  • Phone number;
  • Date of birth; or
  • Postal code.

It is noteworthy that while not all fields are marked as required in F2R, all fields must be filled in if the MSB has recorded the information.

In 182 examinations, MSBs were deemed non-compliant, with most not reporting the EFTs within the specified time frame, and a small portion missing EFT reports.

Large Cash Transaction Reports

MSBs are required to submit large cash transaction (LCT) reports to FINTRAC within 15 calendar days from the date of the transaction, if the transaction was CAD 10,000 or more in cash, either in a single transaction, or multiple transactions within a 24-hour period.

LCTR Chart

From a total of 428 MSB examinations considered, 232 were fully compliant.

In 104 examinations, MSBs were deemed to be partially compliant.  MSBs were typically failing to include all required information, such as:

  • Occupation;
  • Date of birth;
  • Postal code; or
  • Type of ID used to identify the client.

In 92 examinations, MSBs were non-compliant, with most not reporting the LCTs within the specified time frame, and a small portion missing LCT reports.

Suspicious Transaction Reports

MSBs are required to submit suspicious transaction reports (STRs) and attempted suspicious transaction reports (ASTRs) to FINTRAC within 30 calendar days from the date the transaction is deemed suspicious by the Compliance Officer.

STR Chart

From a total of 285 MSB examinations considered, 262 were fully compliant.

In 14 examinations, MSBs were deemed to be partially compliant.  In these cases, MSBs were typically failing to include all required information.

In 9 examinations, MSBs were non-compliant.  Failing to file STRs carries relatively sever penalties, as the Canadian intelligence community relies on this type of reporting to build cases.  Where items are escalated as being potentially suspicious (either by staff or a transaction monitoring system), MSBs should always document the reason that these items are deemed not to be suspicious if no STR or ASTR reporting is completed.

Need a Hand?

If you are an MSB that needs compliance assistance (or a bank that wants assistance in setting up and maintaining a compliance regime that effectively manages MSB related risk), please contact us.

 

 

 

EFT Reporting Clarification – Field Limitations

Guest Blog

Our guest blogger this week is Jonathan Krumins, Vice-President, AML Risk & Compliance, at vCAMLO Solutions Inc. vCAMLO provides anti money laundering (AML) and anti-terrorist financing (ATF) support to Canadian credit unions. You can learn more about vCAMLO at www.vcamlo.ca.

Background

Over the past year, we have a noticed a change in how Electronic Fund Transfer Reports (EFTRs) are interpreted by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).  For entities that are required to report EFTs, any amount valued at CAD 10,000 or more that is sent out of Canada or received from outside of Canada on behalf of a customer is reportable to FINTRAC within 5 business days. During recent exams, FINTRAC has been paying much closer attention to the details of each report, reviewing each field for missing or invalid information. Due to restrictions in how much information can be included in a report, an EFTR can be considered incomplete by FINTRAC, even if all information has been entered by the reporting entity.

Reports that are filed to FINTRAC electronically must meet FINTRAC’s batch reporting specifications, which includes character limits for each field in the report. For example, fields such as “Individual’s Occupation” or “Street Address” are limited to 30 characters. This presents two risks for reporting entities:

  • Descriptions that are longer than the field character limits, and
  • Limitations of third party software.

We have sought additional clarification about these scenarios, and how they may affect your FINTRAC reporting.

Information Longer than the Field Character Limit

Certain information, such as a foreign bank’s street address, can easily be longer than the 30 character limit. We recommend shortening the address as much as possible by using abbreviations, and by trying to ensure that only the bank’s civic address is included in the report.

For example:

If the complete address is: The Example Bank Building, 123 George Washington Street, P.O. Box 456 (69 characters with spaces), the address must be shortened to meet the field limits.

One option for shortening the address is: 123 George Washington St.

Limitations in Third Party Reporting Software

Some third party FINTRAC reporting software does not enforce a field cut off (and the end user may not be notified that some information was cut off). This can result in information that appears to be present in a report, but is actually cut off as it is sent to FINTRAC.

Using the same example, if only the first 30 characters are sent to FINTRAC, the address in the report would read: The Example Bank Building, 123.

Some third party reporting software provides a report “Preview” function, which can show you how the report will actually appear to FINTRAC. If this option is available, be sure to review the “Previewed” report to ensure that all necessary information is contained in the report, and that nothing is cut off.

If your third party reporting software has this limitation, we would recommend contacting the software provider to request that field limits be put in place to match FINTRAC’s reporting specifications.

Need a Hand?

vCAMLO: If you are a credit union or MSB, and have any questions related to EFTR, LCTR or STR reporting, or if you are interested in AML Support Services, please contact us for a complimentary 30 minute compliance discussion.

Outlier: If you need assistance reviewing your technology solution or FINTRAC reporting to be certain that you’re meeting the standard described in this blog, or just someone to chat with to make sure that you’re on the right track please contact us.

Full Text Response

Good afternoon Mr. Krumins,

Thank you for your follow-up inquiry.

As previously stated, the reporting entity is required to include the relevant information to identify the destination or sending institution. It is for the reporting entity to determine the relevant information as this is a question of fact.

For an international or foreign address, there is no specific formula since every country has its own conventions. If no numerical address exists, the reporting entity should take reasonable measures to include the relevant information to help identify the destination or sending institution. When the reporting entity is reporting non-SWIFT Electronic Funds Transfers, and the institution’s information exceeds the character capacity in the given address field, then the reporting entity should consider ways to abbreviate names or words, without deteriorating the quality of the information, as necessary.

Best Regards,

Implementing 2014 AML & ATF Regulatory Changes

We’ve done many AML Compliance Effectiveness Reviews of late, and my first question to clients is always the same: have you implemented the changes that came into effect in February of this year? The answers have varied from a confident “Yes, of course!” to “What changes?” We have a simple guideline for blogs at Outlier. If we receive a question more than three times, we write about it, and we make as much useful information as possible free. We do this because we believe that knowledge is power – and that everyone should have access to it. In the spirit of making knowledge free and available, we’ve decided to share the most significant changes related to updates to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) that came into effect earlier this year, and the solutions that we’ve implemented with our clients.

The Big Disclaimer

This blog was not written by a lawyer and shouldn’t be considered legal advice.

While our solutions have been reviewed by:

  • Outlier;
  • Our clients who have implemented these solutions; and
  • The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) (in the form of examinations conducted with our clients who have implemented these solutions),

this doesn’t guarantee that these solutions will be a perfect fit for your business. They will need to be edited and customized to suit your business model – but we think that they will point you in the right direction.

2014 PCMLTFR Changes In Brief

The most recent changes to the PCMLTFR came into effect in February of this year. Among the most significant changes were:

  • The addition of business relationships;
  • The addition of customer information updates (with more frequent updates for higher risk customers);
  • The addition of delivery channels to the risk assessment (bundled with products and services); and
  • The addition of enhanced transaction monitoring for higher risk customers.

Each of these changes has an impact on your anti-money laundering (AML) and anti-terrorist financing (ATF) program. They should be incorporated into your program documents (your policies, procedures and training) and have an impact on your operations (what you’re doing to meet these obligations).

Business Relationships

Reporting entities have a business relationship when a customer has performed any combination of transactions that requires identification and/or confirming the existence of an entity more than twice. This includes suspicious transactions and attempted suspicious transactions. When you have a business relationship with your customer, you must keep a record of the “purpose and intended nature of the business relationship.” In its simplest form, this means asking the customer the purpose of their business with you, and keeping a record of the response. This information is also useful in transaction monitoring, as it allows you to look for activity that isn’t consistent with the answer that the customer has provided.

This is something that you can ask your customer verbally (by phone is fine), by email, via a web form, by fax, or in any other way that makes sense for your business. You don’t need the customer to sign anything, but you do need to document the response. There is also flexibility in how you keep a record of the customer’s response.

If you have flexible information technology (IT) development, you can add a business relationship indicator to your system, as well as a field for the purpose and intended nature of the business relationship. Ideally, the system would detect business relationships automatically, and prompt your staff to collect information about the purpose and intended nature of the business relationship. If your business is relatively straightforward, you may even be able to develop a dropdown menu.

If your IT systems are less flexible, you’ll need to find another way to record this information. This can range from notes in the customer profile section of your client management system to an excel spreadsheet. Whichever method you use, you’ll need to think of a way to make sure that you know about all of the business relationships that exist.

You’ll also need to add a section to your program documentation that explains:

  • What a business relationship is;
  • How you know when you have a business relationship with your customer; and
  • What you do when there is a business relationship.

Your staff and agent training should also be updated to include a definition of business relationships, and your processes where you have a business relationship with your customer.

Here’s some sample language:

Business Relationships

We have a business relationship with anyone that has conducted two or more transactions that require identification (for individuals) or confirmation of the existence of an entity (for organizations). When we have a business relationship with our customer, we need to keep a record of the purpose and intended nature of their business relationship with us. Although this may seem self-evident, it is something that needs to be recorded.

Our system has been updated to prompt all staff to enter the purpose and intended nature of business relationships. This field is not optional; it must be completed whenever we have a business relationship with our customers.

We must also monitor business relationships that and keep information up to date (including customer identification, if the customer is active with us). The Compliance Officer will determine whether or not information about our customers and/or businesses relationships is up to date may contact staff for additional information.

Information Updates

Reporting entities must also keep customer information up to date. Updates should be more frequent for high-risk customers, although the PCMLTFR does not specifically prescribe how often these updates should take place. Depending on your business model and how frequently you interact with your customers, there may be significant differences in how often you perform updates.

Customer information updates refer to the customer’s name, address, email address, telephone number and occupation or principal business. Customers that are organizations are also required to confirm the organization’s beneficial ownership and director information.   This doesn’t mean that you need to collect the articles of incorporation (or other documentation that you’ve already got on file) a second time, but rather than you’re confirming with the customer that this information has not changed, or updating your records if there were any changes.

Once again, if your IT systems are flexible, you can add automatic prompts to ensure that this is completed. Anyone that uses online banking will be familiar with this the type of updates that have occurred this year. When you log into your account, you’re asked to confirm your personal details before proceeding to the banking site.

You’ll also need to add a section to your program documentation that explains:

  • What information must be updated;
  • How frequently this information is updated; and
  • How you update this information;

Your staff and agent training should also be updated to include information updates as well.

Here’s some sample language:

Customer Information Updates

Customer information updates refer to the customer’s name, address, email address, telephone number and occupation or principal business.

Customers that are organizations are also required to confirm the organization’s beneficial ownership and director information.

Inactive Customers

Inactive customers are re-identified in order to re-activate an account and conduct transactions that require identification.

Inactive customers that are required to be re-identified are also required to update their customer information.

Low & Medium-Risk Customers

Low and medium-risk customers that were identified face to face are required to update their customer information at the point that the identification document has expired.

In the case that there is no expiry date for the identification document initially provided, customer information is updated every five years.

In the case that the customer has been identified using non-face-to-face methods, customer information is updated every five years.

Low and medium-risk customers that are not recognized visually or by voice must be re-identified using either face to face or non face to face methods when they request transactions that require identification.

High-Risk Customers

High-risk customers are required to update their customer information every two years.

High-risk customers that are not recognized visually or by voice must be re-identified using either face-to-face or non face-to-face methods when they request transactions that require identification.

If the reason that a customer has been considered high-risk relates to doubts about the veracity of any of the information or identification provided, additional identification or confirmation of customer identification may be required at the Compliance Officer’s discretion.

Risk Assessment: Delivery Channels

Your Risk Assessment (that document that describes the risk that your business could be used to launder money or finance terrorism) already describes the risk related to your products and services (what you sell). This has been updated to include delivery channels (how you deliver your products and services to your customers). This should include all of the methods that you use to interact with your customers (whether they’re sales and service or service only), and a description of the risk associated with those methods. Generally speaking, high-touch delivery methods (anything that allows you to interact directly with the customer) provide more opportunities to detect potential money laundering or terrorist financing activities. This doesn’t mean that low-touch options like online ordering are bad, but it does mean that you need to have good controls in place to prevent money laundering and terrorist financing.

Your Risk Assessment should be updated to describe your “Products, Services and Delivery Channels” (rather than simply “Products and Services”). It should clearly explain how your products and services are delivered, and the risks associated with your delivery methods. The delivery methods should include all of your touch points with your customers (including things that may not be advertised, that you only do for existing customers).

Here’s some sample language:

Delivery Channels

We complete the sales process with our customers:

  • In person (at our retail/commercial locations);
  • In person (at locations other than our own premises);
  • Via mail;
  • Via phone;
  • Via fax;
  • Via internet.

In addition, we provide servicing to our customers:

  • In person
  • Via social media sites;
  • Via email; and
  • Via phone.

Our delivery channels include a mix of “high-touch” and “low-touch” options. High touch options provide us with greater opportunities to interact with our customers, observe customer behavior and ask questions. Low-touch options do not afford the same opportunities to observe behaviours. In these cases, we are more reliant on transaction monitoring and transaction review to detect unusual activity. In the case of low-touch options, we are generally able to contact the customer via our servicing channels to request additional details where the transaction is not consistent with what we know about the customer.

Enhanced Transaction Monitoring

Reporting entities are required to monitor transactions in order to identify patterns that may indicate that money laundering or terrorist financing is taking place. For higher risk customers, there must be some form of enhanced transaction monitoring. Enhanced means that it is different from the transaction monitoring that takes place for all customers. It can be different either in quality (what you do to monitor transactions) or quantity (how frequently monitoring takes place, or how unusual a transaction must be in order to generate an alert).

If you have an IT system that automatically monitors transactions and generates alerts, and there is flexibility in programming this system, you can make changes to the monitoring activities that take place based on customer risk level. If you’re monitoring transactions manually, you can incorporate enhanced transaction monitoring into the enhanced due diligence that you conduct for your high-risk customers. This can be as simple as reviewing the last two years of high-risk customer activity. Regardless of the method that you use to conduct enhanced transaction monitoring, you’ll need to update your program documentation to describe what you’re doing and what records you’re keeping.

Where transactions are monitored by an IT system, the language in your program documents should reflect the parameters set in your system. If you are monitoring transactions manually, here’s some sample language:

Enhanced Transaction Monitoring

For high-risk customers, enhanced transaction monitoring is conducted. The Compliance Officer (or a delegate) reviews the information that is on file about the customer, as well as records of the customer’s activity for the past two years. If there is activity that appears to be related to money laundering or terrorist financing, appropriate reports are filed with FINTRAC (and in the case of terrorist property, with CSIS and the RCMP).

High-risk customer accounts are reviewed at least annually, and more frequently where triggered by customer activity (for example where there is an internal report submitted to the Compliance Officer). The Compliance Officer will maintain complete records of the reviews and maintain these records for at least five years

Keeping Up To Date

Remember to document the fact that you’ve reviewed and updated your program. This can be done in a simple spreadsheet, or within the program documents. The record should include what updates were completed, when the updates were completed, and by whom the updates were approved.

Need A Hand?

If you need assistance reviewing your program, implementing the updates described in this blog, or just someone to chat with to make sure that you’re on the right track please contact us.

FINTRAC EFT Reporting Clarification

We’ve recently had quite a few conversations with our clients and friends about electronic fund transfer (EFT) reporting.

For entities that EFT 10Kare required to report EFTs, any amount valued at CAD 10,000 or more that is sent out of Canada or received from outside of Canada on behalf of a customer is reportable to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) within 5 business days.  The question that keeps coming up relates to situations that have multiple senders or beneficiaries.

For example:

When Jaques (your customer in Canada) sends the equivalent of CAD 12,000 to his aunt Sally in Europe, this is clearly reportable as an EFT.

But

What if instead of sending the whole amount to his aunt Sally, Jacques instead send three transactions, each equivalent to CAD 4,000 to each of his nephews, Ralph, Jean and Morty?

After hearing different answers from different people, we thought it best to get a policy clarification from FINTRAC.  You can see the full text of that question, and FINTRAC’s answer below.

Outgoing EFTs With Multiple Beneficiaries Are Reportable

In the case that we mentioned above, Jacques’ transactions would be reportable EFTs, provided that all of the transactions happened within the same 24 hour period.  In this case, 3 reports would be sent, adding up to the total amount (which is over CAD 10,000).

Incoming EFTs From Multiple Senders Are Reportable

It stands to reason that if you receive multiple EFTs of behalf of the same beneficiary, the same rules would apply.

In the example above, for instance, let’s say that the money sent to Jacques’ nephews was a loan.  All of the nephews pay pack the loan at the same time, and you receive 3 EFTs for Jacques, each from a different sender, with a value of CAD 4,000 each (CAD 12,000 in total for the three EFTs).  These are also reportable, provided that the transactions all occurred within the same 24-hour period.

What Does It Mean If You’ve Interpreted the Reporting Requirements Differently?

In some cases, this may mean updates to your IT systems, to allow you to detect transactions that are received on behalf of the same beneficiary, or sent on behalf of the same sender.

It may also mean looking back at your transaction data, in order to figure out whether or not there are any EFTs that should have been reported to FINTRAC that were missed.  If this is the case, we recommend that you consider filing a voluntary disclosure with FINTRAC to proactively let them know about the issue, and what you’re doing to fix it.  If this is the case, we’ve created some free resources to help make this process as simple as possible.

Need a Hand?

If you’re not sure what to do next or you need extra hands to review your IT system updates or a package that you’re submitting to FINTRAC, please contact us.

 

Full Text of FINTRAC’s Response

Amber, 

     I am writing further to your e-mail of May 13, 2014, concerning how to report an electronic funds transfer sent by one client but to

multiple beneficiaries.

     As you know, pursuant to the /Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations/ (PCMLTFR),  reporting entities are required to report to FINTRAC electronic funds transfers valued at $10,000 or more (in the course of a single transaction) at the request of a client, along with the information referred to in Schedule 2 or 5, as the case may be; and the receipt from outside Canada of electronic funds transfers, sent at the request of a client, of $10,000 or more in the course of a single transaction, along with the information referred to in Schedule 3 or 6, as the case may be.

     When a client requesting an EFT conducts a transaction with the initial amount of $10,000 or more and instructs that it be divided between multiple beneficiaries, the EFT is still being carried out by one client, and the EFT must be reported using multiple reports (one per beneficiary).  The key to determining the reporting requirement is the instruction given by the client. To better explain this, I have provided two examples below:

     1)  A client instructs that $15,000 be sent via EFT to different beneficiaries, $5000 each. In this instance, the reporting entity would be required to send three different reports, one for each beneficiary, for a total of the $15,000 that the client requested be sent via EFT. When submitting the reports, the 24-hour-rule indicator must be selected, although this is not considered to be a single transaction of $10,000 or more as defined under section 3 of the PCMLTFR.

     OR

     2)  A client instructs that $5000 be sent to beneficiary subsequent $5000 be sent to beneficiary B and a third $5000 be sent to beneficiary C. In this instance, the 24- hour rule must be considered.

The 24-hour rule applies if the reporting entity knows, or an employee or senior officer knows, that the transactions were made within 24 consecutive hours of each other, by or on behalf of the same individual or entity. It applies only to transactions that are under $10,000. If a transaction is for $10,000 or more, it is reportable as one transaction.  As such, if the reporting entity knows that the first two EFTs of $5000 each were made by, or on behalf of, the same person, then the reporting entity would be required to submit two reports under the 24-hour rule, as these two EFTs total $10,000.    

I trust this information will be of assistance.

Best regards

Does Québec MSB Licensing Apply to Me?

We recently sought clarification from the Autorité des marchés financiers (AMF), Québec’s provincial regulator, on when money services businesses (MSBs) need to be licensed in Québec.  The Québec licensing process is completely separate from the federal MSB registration with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).  The full text of the response that we received appears below this blog entry.

Are You Required To Be Licensed in Québec?

To determine whether or not you need to be licensed in Québec, we’ve developed a chart:

Screen Shot 2014-05-19 at 2.08.51 PM

If you are offering any of the defined MSB services to people of organizations in Québec (including via the web) you are expected to be licensed as an MSB in that province.

The AMF has announced that digital currency exchanges and ATMs are also regulated under the MSB Act.

How Can You Become Licensed And What Does It Cost?

Before you apply for an MSB license, you must obtain a Québec Enterprise Number from the Enterprise Registrar.  This is a unique numeric identifier that you will use when dealing with Québec government agencies and business partners.  The registration process will cost approximately CAD 34.00 and will require you to provide documents such as your articles of incorporation.  We recommend that you speak with your tax professional about the implications of registering as an enterprise in Québec, as it is likely that you will need to consider this in future tax filings.  You can access the registration site here.

Next, you’ll need to apply for your Québec MSB license.  The AMF has developed a user guide that explains the process in plain language.  You must have a respondent (someone acting on your behalf) in the province of Québec.  If you do not have any physical operations in Québec, the respondent  can be a third party that you trust, such as a lawyer, paralegal, accountant, consultant  or other professional that will act on your behalf.  A licensing fee of CAD 650.00 applies to each category of product or service that you offer (except for ATMs).  This means that the total fee for this stage will range from CAD 650.00 to CAD 2600.00.

In addition, MSBs that operate ATMs will be required to pay a fee of CAD 216.00 per ATM machine (located in the province of Québec) later in the process.

In addition to these fees, specific security clearance fees are required.  These include CAD 121.00 for the enterprise and each of the following (that apply to your business):

  • The Respondent;
  • Officers;
  • Directors;
  • Partners;
  • Branch managers;
  • Any person or entity who directly or indirectly owns or controls the money-services business;
  • Employees working in Québec (unless they are not involved in any of the MSB business);
  • Mandataries (who are responsible for the money services offered on behalf of the MSB);
  • Officers of the mandataries;
  • Any lender that is not a financial institution; and
  • For any lender that is not a financial institution or a natural person, lender is not a natural person, its officers, directors or partners.

You must obtain consent and information from each of these individuals in order to complete the security clearance process.  You must also assemble and submit corporate documents for your MSB, including:

  • Business plan and description of business activities;
  • Financial statements;
  • Document showing legal structure of the business;
  • Document confirming appointment of respondent; and
  • Document showing corporate structure of the business.

You should expect the application process to take six to eight weeks if all of the forms are filled out completely and correctly.  It can take significantly longer if your applications are missing information or signatures.  We recommend looking over all of your documents carefully before you submit them and reaching out proactively to the AMF if you have questions about how to complete the application forms.

Need A Hand?

Many MSBs have successfully gone through this process on their own (you don’t need to hire a lawyer or consultant), but if you want a hand assembling your package and communicating with the AMF we’re happy to assist – please contact us.

Full Text Of AMF Response

As discussed earlier, any entity who executes from Québec or makes available the following money services for the people of Québec has to submit an application in order to have the Autorité des marchés financiers release a Money services business (MSB) licence:

  • Currency exchange;
  • Funds transfer (over the counter or internet);
  • Issue / redemption of traveller’s cheque, money order, bank drafts.
  • Cheque cashing
  • Operation of ATM

A corporation does not have to have an establishment, an address, a post office box or even a telephone line in Québec for it to be considered as carrying an activity in Québec as long as it conducts business for a profit. It is often the case for corporations acting in the funds transfer category.

 The first step towards registration for a MSB should first be registration as a corporate entity with the Registraire des entreprises (http://www.registreentreprises.gouv.qc.ca/). This will provide a corporation number (NEQ) to the registrant that will be required for application purposes.

 Afterwards will come the submission of the E-services access form by its appointed respondent (see section 5 of the MSB Act) along with a payment of 614$ for each money services category to appear on the licence.

 All info and documentation is available on our website (www.lautorite.qc.ca).

AML Compliance Effectiveness Reviews

AML Compliance Effectiveness Review

Canadian reporting entities are required to conduct and document an effectiveness review at least every two years.  This review must consider the completeness and effectiveness of the anti money laundering (AML) and anti-terrorist financing (ATF) compliance program and include operational testing (testing what the organization is actually doing).  For larger institutions, this is generally done as part of audit related testing.  For federally regulated financial institutions (banks, trust companies, insurance companies, etc.) there is a requirement for the testing to be independent.  For smaller companies that aren’t designated as federally regulated financial institutions, effectiveness reviews may be performed by staff members, consultants or by another organization.  Deciding who should perform the review and what to spend can be challenging.  No matter which option you choose for your business, your reviewer should be qualified and the final report should be comprehensive and signed-off by your management team within 30 days of the date that you receive the final version.

What Should The Report Look Like?

A comprehensive report means that the report tests both your documented program (policies, procedures, risk assessment and training).  This means that the reviewer must read your documentation and comment on whether or not it meets the requirements for your business.  Your operations (what you actually do) must also be tested.  This should include customer identification, recordkeeping and FINTRAC reporting.  The report should be specific about what testing was completed and how testing was conducted.  The reviewer should be someone that understands Canadian AML and ATF requirements.

The report should be focused on facts; namely whether or not you’ve met the requirements.  If requirements are not met, the report should be specific about what is missing.  The final report should be a formal document that provides complete information to the reader.  Your management team’s sign-off on the contents of the report must be documented.  This can be in meeting minutes or in a simple document like this one.

Choosing A Reviewer

The reviewer that you choose will depend on your resources that you have, including your budget.  It’s important to remember that no matter how much or how little you spend or the size of your business, the requirements are exactly the same.  The reviewer should be someone that understands Canadian AML compliance requirements for your reporting entity type.  If possible, it should not be a person that is directly involved in your compliance or operations.

Accountants and Consultants

There are a number of accounting and consulting firms (including Outlier) that can complete reviews.  The price ranges will generally vary depending on the size of your business, the complexity of your business model, the size of the firm and the experience of the reviewer.  If you are hiring a consultant to conduct your review, check out our guide to negotiating consulting agreements.  You should ask the reviewers that you are considering:

  • If they have conducted reviews for your reporting entity type before?
  • If FINTRAC or any other regulator has had negative findings related to any of the reviews that have been conducted?
  • Who will be working on your review?
  • What references (especially from similar business types) the reviewer can provide?
  • What the review process looks like?  (Here you’re checking to be certain that the reviewer will be testing both your program and operations.)

Pros:  You have a choice of reviewers (including reviewers with experience conducting reviews) and the ability to hire independent firms (not involved in your compliance program design or operations).

Cons:  This is likely to be the most expensive option.

Colleagues & Competitors

You may choose to have a review conducted by a colleague or competitor.  This option can work well if the companies have good relationships and are not concerned about sharing information that includes customer information.  It is relatively common in some industries for Compliance Officers to have reciprocal agreements that allow them to perform reviews for one another.  If you choose to have a review conducted by a colleague or competitor, you will want to consider:

  • The confidentiality of your information, including customer information.  Your agreement should contain a clause that states that this information will only be used for the purpose of the review and will not be shared within the colleague or competitor’s company.
  • The experience of the reviewer (in particular if they have not previously conducted a review).
  • Whether the reviewer’s company will allow them to conduct a review for a colleague or competitor.
  • Who will be compensated for the review (you don’t want to get in a dispute with your reviewer and their employer over who should be paid and how).

Pros:  The reviewer is likely to be familiar with the business processes and requirements that apply to your reporting entity types and there is the potential to conduct reviews for one another (reciprocal agreements) at little to no cost.

Cons:  The reviewer may have less experience in conducting reviews and you may be reluctant to share business and customer information (required to complete testing) with a competitor.

You & Your Staff

You may choose to conduct a review internally, either on your own or with assistance from other staff members.  This will require you to take a step back from your day-to-day work and consider it from a fresh perspective, which can be challenging.  The larger your company is, the more likely it is that regulators and banking service providers will expect your review to be independent.  However, as the least costly option, it can be worth considering if you are squeezed from a budget perspective and have the right experience to conduct the review and reporting on your own.

Pros:  You know your company’s business model and requirements well and this option is likely the least costly.

Cons: You are directly involved in the company’s compliance program and operations, which may be viewed by a regulator or banking service provider as having the potential to bias your findings.

After Your Review

Your review should serve as a guide to help you improve your AML and ATF compliance program.  It can be helpful to keep records of each finding, and the changes that you’ve made after the review.  It’s important to remember that the review is a snapshot of your compliance at a particular point in time.  Your reviewer cannot go back and change their findings based on changes that you’ve made after the review is complete.  If you’ve made significant changes to your program or operations following a review, it can be useful to have a follow up review conducted (or to conduct your own internal testing) to demonstrate that the changes that you’ve made are working as expected.

Need a Hand?

Outlier has developed on-demand model documents for reporting entities.  Our AML Compliance Review documents include:

  • Working papers to record the testing as it takes place
  • A report template to help you summarize your findings
  • A guide for the reviewer that explains how to use the documents

You can buy these documents on this website under each reporting entity type.  If the documents are not available for your reporting entity type yet, or you are looking for a consultant to conduct your review, please contact us.

 

I’m a Compliance Officer! Now What?!?

Compliance Officer

I’ve met a lot of Compliance Officers from around the world, and not one of them has ever told me that as a child they wanted to be a Compliance Officer.  This isn’t to say that the job isn’t interesting (or even an awful lot of fun sometimes), but that we get here in different ways.  One of my favourites (who will remain nameless here) is a gentleman who missed a senior management meeting and was nominated as the organization’s Compliance Officer while he was absent.  When we first met, he was feeling overwhelmed and was looking for a review of his company’s compliance program (and assurances that he wouldn’t wind up in an orange jumpsuit if he made a mistake).

While it seems like an extreme case, many Compliance Officer’s feel this way at least once during their careers.  It’s a big responsibility that doesn’t often come with the budget to match.  Whether you’re new to the world of anti-money laundering (AML) or just looking for a quick “sanity check” to make sure that things are going the way that they should be, this “cheat sheet” is for you.

Your Compliance Program

You need to have a Compliance Program in place with these 5 elements:

  1. Appoint A Compliance Officer (hey that’s you!);
  2. Document Your Policies And Procedures;
  3. A Risk Assessment;
  4. Training; and
  5. An AML Compliance Effectiveness Review.

If your organization is a money service business (MSB) you will also need to register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).  If your organization is an MSB operating in Quebec, you also need to register with the Autorité des marchés financiers (AMF).  The definition of an MSB in Quebec is a bit broader than the Canadian federal definition; some companies may only be required to register with the AMF.

The first thing that you should do is review your documentation to make sure that it’s up to date.  Here’s a quick checklist to get you started – answer each of the questions with ‘Yes’ or ‘No’.

Program Component

Questions You Should Ask
Compliance Officer Is my appointment documented? This can be in the form of meeting minutes or a formal document, but it must be in writing.
Policies and Procedures Do they describe what we’re doing to meet our obligations? The descriptions should be clearly written so that someone that doesn’t know your business could understand them.
Have they been updated in the last year?
Risk Assessment Does the Risk Assessment describe the risk that your business could be used for money laundering or terrorist financing?
Are there risk ratings?
Are your controls (what you do to prevent your business from being used for money laundering or terrorist financing) describe?
Do your controls make sense given your risk level?
Training Have your staff been trained in the last year?
Does your training cover all of the obligations that apply to your business?
AML Compliance Effectiveness Review Has an AML Compliance Effectiveness Review been completed in the last two years?
Was there a formal report that described the methodology and findings?
Did management sign-off on the final report within 30 days?

If you answered yes to all of these questions, you’re off to a good start.  If the answer to any of these questions is no, you have some work to do.  If that’s the case, consider letting your management team know right away.  It’s easier to get their support when they know what you’re working on.

FINTRAC Reporting

Other than terrorist property reports, FINTRAC reports can be filed electronically using a system called F2R.  If your organization is not already using this system, you can enroll by contacting FINTRAC.  Filing your reporting electronically can make it easier to keep track of the reports that you’ve filed (remember to save copies of the PDF reports on your network) and let you know more quickly whether or not FINTRAC has accepted your reports.

FINTRAC has published guides to help you with your reporting.  Each report type in the chart is hyperlinked to FINTRAC’s guidance.  The types of reports that you will submit will depend on the type of reporting entity you belong to.  However, all reports have set time limits.

Report Type

Timing
Suspicious Transaction Reports (STRs) and Attempted Suspicious Transaction Reports (ASTRs) As soon as practicable
Large Cash Transaction Reports (LCTRs) 15 calendar days from the date that the transaction takes place
Electronic Funds Transfer Reports (EFTRs) 5 working days from the date that the transaction takes place
Large Virtual Currency Transaction Reports (LVCRTs) 5 working days from the date that the transaction takes place
Casino Disbursement Reports (CDRs) 15 calendar days from the date that the transaction takes place
Terrorist Property Reports (TPRs) As soon as possible (Immediately)

Training Your Staff

All staff should be trained at least once a year (including part-time, temporary and contract staff).  Your training records should include:

  • Who was trained?
  • When did training take place?
  • How was training delivered (in person, webinar, etc…)
  • What topics were covered?

This can be done in a simple spreadsheet.  You don’t need to collect signatures to prove that training took place, but you do need to be sure that your records are accurate.

There are very few instances when staff members do not need to be trained.  Generally, these would be staff members that are not involved in any way with customers or customer transactions.  If there are staff members that are not trained, you should document who they are, their roles, and the reason that they are exempt from training.

AML Compliance Effectiveness Reviews & FINTRAC Exams

I’ve put together some detailed guidance on preparing for reviews and exams.  It’s important to remember to get all of your documentation in order in advance.  Make sure that you’ve read the request and understand what you are being asked for.  If you have questions about what you should include, it’s fine to call the reviewer or examiner to ask.

Information requests are time-sensitive.  For FINTRAC exams, you generally have 30 days from the date that the request was mailed to assemble your submission.  This seems like a long time, but you may need some extra help pulling everything together.  It’s a good idea to let your management team know as soon as you receive a request from the regulator, especially if you need extra resources to stay on top of the request and everyday compliance tasks.

Need a Hand?

If you’re feeling like your AML program needs work, and you’re not sure what to do next or you need extra hands to put together or look over your FINTRAC package, please contact us.

Return to Blog Listing