Anti-Money Laundering
Consulting Services & Strategies

Technology and Cyber Security Incident Reporting

The issue of cyber security incidents seems to continue to be a hot topic for regulators. Late last year, the federal Breach of Security Safeguards Regulations came into force, which require organizations to report to the Office of the Privacy Commissioner (OPC) any breach of security safeguards involving personal information under their control where the breach creates a “real risk of significant harm”. Last week, the Office of the Superintendent of Financial Institutions (OSFI) published an advisory, Technology and Cyber Security Incident Reporting, which sets out OSFI’s expectations for Federally Regulated Financial Institutions (FRFIs) with respect to the reporting of technology and cyber security incidents. The advisory becomes effective on March 31, 2019.

OSFI’s advisory defines a technology or cyber security incident as an event that has the “potential to, or has been assessed to, materially impact the normal operations of a FRFI, including confidentiality, integrity or availability of its systems and information”. The advisory goes on to give guidance on what a reportable incident may look like:

  • Significant operational impact to key/critical information systems or data;
  • Material impact to FRFI operational or customer data, including confidentiality, integrity or availability of such data;
  • Significant operational impact to internal users that is material to customers or business operations;
  • Significant levels of system/service disruptions;
  • Extended disruptions to critical business systems/operations;
  • Number of external customers impacted is significant or growing;
  • Negative reputational impact is imminent (e.g., public/media disclosure);
  • Material impact to critical deadlines/obligations in financial market settlement or payment systems (e.g., Financial Market Infrastructure);
  • Significant impact to a third party deemed material to the FRFI;
  • Material consequences to other FRFIs or the Canadian financial system;
  • A FRFI incident has been reported to the Office of the Privacy Commissioner or local/foreign regulatory authorities.

Unlike the Breach of Security Safeguards Regulations, which apply to all companies operating in Canada, OSFI’s advisory applies only to FRFIs. These include banks and insurance companies.

How Do the Reporting Obligations Differ?

Reporting to the OPC focuses on “a breach of security safeguards” involving personal information, where it is reasonable to believe that the breach creates a “real risk of significant harm”, assessed using factors such as the sensitivity of the personal information involved and the probability of misuse. Incidents should be reported as soon as feasible.

Reporting to OSFI focuses on operational impact to the integrity or availability of information systems. Factors to consider include service disruptions, as well as impacts to critical deadlines related to financial market settlement, payment systems, soundness of business, etc. These incidents may or may not include personal information. The OSFI advisory does state that one of the considerations for reporting is whether the incident has been reported to the OPC. Incidents should be reported as soon as possible, but no later than 72 hours after determining an incident has occurred.

It is possible (even probable) that a FRFI would need to report an incident to both the OPC and OSFI. While organizations that are not FRFIs are not required to report to OSFI, the advisory may still contain useful guidance in thinking about security, breaches, and best practices for breach response.

Below is a comparison chart noting the differences (or similarities) between reporting obligations:

| | Breach of Security Safeguards Regulations | OSFI Advisory |
|---|---|---|
| Who does it apply to? | All Organizations. | All Federally Regulated Financial Institutions. |
| Who is a breach reported to? | The organization must report the breach to the OPC, but also notify affected individuals. | The FRFIs must report the breach to its Lead Supervisor as well as |
| When is a breach reported? | As soon as feasible after the organization determines the breach has occurred. | As soon as possible, but no later than 72 hours after determining an incident has occurred. |
| What type of breach is reported? | A breach of security safeguards involving personal information where the breach creates a “real risk of significant harm”. | Incidents that have a material operational impact to the integrity or availability of information systems. |

What type of information must be included in the report?

Breach of Security Safeguards Regulations:

  • A description of the circumstances of the breach and, if known, the cause;
  • The day or the period in which the breach occurred;
  • A description of the personal information that was involved in the breach;
  • An estimate of the number of individuals impacted – where the breach creates a real risk of significant harm;
  • The steps that the organization has taken to reduce the risk of harm to the impacted individuals;
  • The steps that the organization has taken, or will take, to notify impacted individuals; and
  • The name and contact information of a person the OPC can liaise with.

OSFI Advisory:

  • Date and time the incident was assessed to be material;
  • Date and time/period the incident took place;
  • Incident severity and type (e.g. DDoS, malware, data breach, extortion);
  • A description of the incident (including known direct/indirect impacts, the number of clients impacted etc.);
  • Primary method used to identify the incident;
  • Current status of incident;
  • Date for internal incident escalation to senior management or Board of Directors;
  • Mitigation actions taken or planned;
  • Known or suspected root cause; and
  • Name and contact information for the FRFI incident executive lead and liaison with OSFI.


We’re Here To Help

If you have questions about this new advisory related to your reporting obligations for technology and cyber security incidents, or compliance in general, please contact us.

I’m a Compliance Officer! Now What?!?

I’ve met a lot of Compliance Officers from around the world, and not one of them has ever told me that as a child they wanted to be a Compliance Officer.  This isn’t to say that the job isn’t interesting (or even an awful lot of fun sometimes), but that we get here in different ways.  One of my favourites (who will remain nameless here) is a gentleman who missed a senior management meeting and was nominated as the organization’s Compliance Officer while he was absent.  When we first met, he was feeling overwhelmed and was looking for a review of his company’s compliance program (and assurances that he wouldn’t wind up in an orange jumpsuit if he made a mistake).

While it seems like an extreme case, many Compliance Officers feel this way at least once during their careers.  It’s a big responsibility that doesn’t often come with the budget to match.  Whether you’re new to the world of anti-money laundering (AML) or just looking for a quick “sanity check” to make sure that things are going the way that they should be, this “cheat sheet” is for you.

Your Compliance Program

You need to have a Compliance Program in place with these 5 elements:

  1. Appoint A Compliance Officer (hey that’s you!);
  2. Document Your Policies And Procedures;
  3. A Risk Assessment;
  4. Training; and
  5. An AML Compliance Effectiveness Review.

If your organization is a money service business (MSB) you will also need to register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).  If your organization is an MSB operating in Quebec, you also need to register with the Autorité des marchés financiers (AMF).  The definition of an MSB in Quebec is a bit broader than the Canadian federal definition; some companies may only be required to register with the AMF.

The first thing that you should do is review your documentation to make sure that it’s up to date.  Here’s a quick checklist to get you started – answer each of the questions with ‘Yes’ or ‘No’.

| Program Component | Questions You Should Ask |
|---|---|
| Compliance Officer | Is my appointment documented? This can be in the form of meeting minutes or a formal document, but it must be in writing. |
| Policies and Procedures | Do they describe what we’re doing to meet our obligations? The descriptions should be clearly written so that someone that doesn’t know your business could understand them. |
| | Have they been updated in the last year? |
| Risk Assessment | Does the Risk Assessment describe the risk that your business could be used for money laundering or terrorist financing? |
| | Are there risk ratings? |
| | Are your controls (what you do to prevent your business from being used for money laundering or terrorist financing) described? |
| | Do your controls make sense given your risk level? |
| Training | Have your staff been trained in the last year? |
| | Does your training cover all of the obligations that apply to your business? |
| AML Compliance Effectiveness Review | Has an AML Compliance Effectiveness Review been completed in the last two years? |
| | Was there a formal report that described the methodology and findings? |
| | Did management sign-off on the final report within 30 days? |

If you answered yes to all of these questions, you’re off to a good start.  If the answer to any of these questions is no, you have some work to do.  If that’s the case, consider letting your management team know right away.  It’s easier to get their support when they know what you’re working on.

FINTRAC Reporting

Other than terrorist property reports, FINTRAC reports can be filed electronically using a system called F2R.  If your organization is not already using this system, you can enroll by contacting FINTRAC.  Filing your reports electronically can make it easier to keep track of the reports that you’ve filed (remember to save copies of the PDF reports on your network) and let you know more quickly whether or not FINTRAC has accepted your reports.

FINTRAC has published guides to help you with your reporting.  Each report type in the chart is hyperlinked to FINTRAC’s guidance.  The types of reports that you will submit will depend on the type of reporting entity you belong to.  However, all reports have set time limits.

| Report Type | Time Limit |
|---|---|
| Suspicious Transaction Reports (STRs) and Attempted Suspicious Transaction Reports (ASTRs) | As soon as practicable |
| Large Cash Transaction Reports (LCTRs) | 15 calendar days from the date that the transaction takes place |
| Electronic Funds Transfer Reports (EFTRs) | 5 working days from the date that the transaction takes place |
| Large Virtual Currency Transaction Reports (LVCTRs) | 5 working days from the date that the transaction takes place |
| Casino Disbursement Reports (CDRs) | 15 calendar days from the date that the transaction takes place |
| Terrorist Property Reports (TPRs) | As soon as possible (Immediately) |

Training Your Staff

All staff should be trained at least once a year (including part-time, temporary and contract staff).  Your training records should include:

  • Who was trained?
  • When did training take place?
  • How was training delivered (in person, webinar, etc.)?
  • What topics were covered?

This can be done in a simple spreadsheet.  You don’t need to collect signatures to prove that training took place, but you do need to be sure that your records are accurate.

There are very few instances when staff members do not need to be trained.  Generally, these would be staff members that are not involved in any way with customers or customer transactions.  If there are staff members that are not trained, you should document who they are, their roles, and the reason that they are exempt from training.

AML Compliance Effectiveness Reviews & FINTRAC Exams

I’ve put together some detailed guidance on preparing for reviews and exams.  It’s important to remember to get all of your documentation in order in advance.  Make sure that you’ve read the request and understand what you are being asked for.  If you have questions about what you should include, it’s fine to call the reviewer or examiner to ask.

Information requests are time-sensitive.  For FINTRAC exams, you generally have 30 days from the date that the request was mailed to assemble your submission.  This seems like a long time, but you may need some extra help pulling everything together.  It’s a good idea to let your management team know as soon as you receive a request from the regulator, especially if you need extra resources to stay on top of the request and everyday compliance tasks.

Need a Hand?

If you’re feeling like your AML program needs work, and you’re not sure what to do next or you need extra hands to put together or look over your FINTRAC package, please contact us.
