PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

AML Compliance Effectiveness Reviews

AML Compliance Effectiveness Review

Canadian reporting entities are required to conduct and document an effectiveness review at least every two years.  This review must consider the completeness and effectiveness of the anti money laundering (AML) and anti-terrorist financing (ATF) compliance program and include operational testing (testing what the organization is actually doing).  For larger institutions, this is generally done as part of audit related testing.  For federally regulated financial institutions (banks, trust companies, insurance companies, etc.) there is a requirement for the testing to be independent.  For smaller companies that aren’t designated as federally regulated financial institutions, effectiveness reviews may be performed by staff members, consultants or by another organization.  Deciding who should perform the review and what to spend can be challenging.  No matter which option you choose for your business, your reviewer should be qualified and the final report should be comprehensive and signed-off by your management team within 30 days of the date that you receive the final version.

What Should The Report Look Like?

A comprehensive report means that the report tests both your documented program (policies, procedures, risk assessment and training).  This means that the reviewer must read your documentation and comment on whether or not it meets the requirements for your business.  Your operations (what you actually do) must also be tested.  This should include customer identification, recordkeeping and FINTRAC reporting.  The report should be specific about what testing was completed and how testing was conducted.  The reviewer should be someone that understands Canadian AML and ATF requirements.

The report should be focused on facts; namely whether or not you’ve met the requirements.  If requirements are not met, the report should be specific about what is missing.  The final report should be a formal document that provides complete information to the reader.  Your management team’s sign-off on the contents of the report must be documented.  This can be in meeting minutes or in a simple document like this one.

Choosing A Reviewer

The reviewer that you choose will depend on your resources that you have, including your budget.  It’s important to remember that no matter how much or how little you spend or the size of your business, the requirements are exactly the same.  The reviewer should be someone that understands Canadian AML compliance requirements for your reporting entity type.  If possible, it should not be a person that is directly involved in your compliance or operations.

Accountants and Consultants

There are a number of accounting and consulting firms (including Outlier) that can complete reviews.  The price ranges will generally vary depending on the size of your business, the complexity of your business model, the size of the firm and the experience of the reviewer.  If you are hiring a consultant to conduct your review, check out our guide to negotiating consulting agreements.  You should ask the reviewers that you are considering:

  • If they have conducted reviews for your reporting entity type before?
  • If FINTRAC or any other regulator has had negative findings related to any of the reviews that have been conducted?
  • Who will be working on your review?
  • What references (especially from similar business types) the reviewer can provide?
  • What the review process looks like?  (Here you’re checking to be certain that the reviewer will be testing both your program and operations.)

Pros:  You have a choice of reviewers (including reviewers with experience conducting reviews) and the ability to hire independent firms (not involved in your compliance program design or operations).

Cons:  This is likely to be the most expensive option.

Colleagues & Competitors

You may choose to have a review conducted by a colleague or competitor.  This option can work well if the companies have good relationships and are not concerned about sharing information that includes customer information.  It is relatively common in some industries for Compliance Officers to have reciprocal agreements that allow them to perform reviews for one another.  If you choose to have a review conducted by a colleague or competitor, you will want to consider:

  • The confidentiality of your information, including customer information.  Your agreement should contain a clause that states that this information will only be used for the purpose of the review and will not be shared within the colleague or competitor’s company.
  • The experience of the reviewer (in particular if they have not previously conducted a review).
  • Whether the reviewer’s company will allow them to conduct a review for a colleague or competitor.
  • Who will be compensated for the review (you don’t want to get in a dispute with your reviewer and their employer over who should be paid and how).

Pros:  The reviewer is likely to be familiar with the business processes and requirements that apply to your reporting entity types and there is the potential to conduct reviews for one another (reciprocal agreements) at little to no cost.

Cons:  The reviewer may have less experience in conducting reviews and you may be reluctant to share business and customer information (required to complete testing) with a competitor.

You & Your Staff

You may choose to conduct a review internally, either on your own or with assistance from other staff members.  This will require you to take a step back from your day-to-day work and consider it from a fresh perspective, which can be challenging.  The larger your company is, the more likely it is that regulators and banking service providers will expect your review to be independent.  However, as the least costly option, it can be worth considering if you are squeezed from a budget perspective and have the right experience to conduct the review and reporting on your own.

Pros:  You know your company’s business model and requirements well and this option is likely the least costly.

Cons: You are directly involved in the company’s compliance program and operations, which may be viewed by a regulator or banking service provider as having the potential to bias your findings.

After Your Review

Your review should serve as a guide to help you improve your AML and ATF compliance program.  It can be helpful to keep records of each finding, and the changes that you’ve made after the review.  It’s important to remember that the review is a snapshot of your compliance at a particular point in time.  Your reviewer cannot go back and change their findings based on changes that you’ve made after the review is complete.  If you’ve made significant changes to your program or operations following a review, it can be useful to have a follow up review conducted (or to conduct your own internal testing) to demonstrate that the changes that you’ve made are working as expected.

Need a Hand?

Outlier has developed on-demand model documents for reporting entities.  Our AML Compliance Review documents include:

  • Working papers to record the testing as it takes place
  • A report template to help you summarize your findings
  • A guide for the reviewer that explains how to use the documents

You can buy these documents on this website under each reporting entity type.  If the documents are not available for your reporting entity type yet, or you are looking for a consultant to conduct your review, please contact us.

 

I’m a Compliance Officer! Now What?!?

Compliance Officer

I’ve met a lot of Compliance Officers from around the world, and not one of them has ever told me that as a child they wanted to be a Compliance Officer.  This isn’t to say that the job isn’t interesting (or even an awful lot of fun sometimes), but that we get here in different ways.  One of my favourites (who will remain nameless here) is a gentleman who missed a senior management meeting and was nominated as the organization’s Compliance Officer while he was absent.  When we first met, he was feeling overwhelmed and was looking for a review of his company’s compliance program (and assurances that he wouldn’t wind up in an orange jumpsuit if he made a mistake).

While it seems like an extreme case, many Compliance Officer’s feel this way at least once during their careers.  It’s a big responsibility that doesn’t often come with the budget to match.  Whether you’re new to the world of anti-money laundering (AML) or just looking for a quick “sanity check” to make sure that things are going the way that they should be, this “cheat sheet” is for you.

Your Compliance Program

You need to have a Compliance Program in place with these 5 elements:

  1. Appoint A Compliance Officer (hey that’s you!);
  2. Document Your Policies And Procedures;
  3. A Risk Assessment;
  4. Training; and
  5. An AML Compliance Effectiveness Review.

If your organization is a money service business (MSB) you will also need to register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).  If your organization is an MSB operating in Quebec, you also need to register with the Autorité des marchés financiers (AMF).  The definition of an MSB in Quebec is a bit broader than the Canadian federal definition; some companies may only be required to register with the AMF.

The first thing that you should do is review your documentation to make sure that it’s up to date.  Here’s a quick checklist to get you started – answer each of the questions with ‘Yes’ or ‘No’.

Program Component

Questions You Should Ask
Compliance Officer Is my appointment documented? This can be in the form of meeting minutes or a formal document, but it must be in writing.
Policies and Procedures Do they describe what we’re doing to meet our obligations? The descriptions should be clearly written so that someone that doesn’t know your business could understand them.
Have they been updated in the last year?
Risk Assessment Does the Risk Assessment describe the risk that your business could be used for money laundering or terrorist financing?
Are there risk ratings?
Are your controls (what you do to prevent your business from being used for money laundering or terrorist financing) describe?
Do your controls make sense given your risk level?
Training Have your staff been trained in the last year?
Does your training cover all of the obligations that apply to your business?
AML Compliance Effectiveness Review Has an AML Compliance Effectiveness Review been completed in the last two years?
Was there a formal report that described the methodology and findings?
Did management sign-off on the final report within 30 days?

If you answered yes to all of these questions, you’re off to a good start.  If the answer to any of these questions is no, you have some work to do.  If that’s the case, consider letting your management team know right away.  It’s easier to get their support when they know what you’re working on.

FINTRAC Reporting

Other than terrorist property reports, FINTRAC reports can be filed electronically using a system called F2R.  If your organization is not already using this system, you can enroll by contacting FINTRAC.  Filing your reporting electronically can make it easier to keep track of the reports that you’ve filed (remember to save copies of the PDF reports on your network) and let you know more quickly whether or not FINTRAC has accepted your reports.

FINTRAC has published guides to help you with your reporting.  Each report type in the chart is hyperlinked to FINTRAC’s guidance.  The types of reports that you will submit will depend on the type of reporting entity you belong to.  However, all reports have set time limits.

Report Type

Timing
Suspicious Transaction Reports (STRs) and Attempted Suspicious Transaction Reports (ASTRs) As soon as practicable
Large Cash Transaction Reports (LCTRs) 15 calendar days from the date that the transaction takes place
Electronic Funds Transfer Reports (EFTRs) 5 working days from the date that the transaction takes place
Large Virtual Currency Transaction Reports (LVCRTs) 5 working days from the date that the transaction takes place
Casino Disbursement Reports (CDRs) 15 calendar days from the date that the transaction takes place
Terrorist Property Reports (TPRs) As soon as possible (Immediately)

Training Your Staff

All staff should be trained at least once a year (including part-time, temporary and contract staff).  Your training records should include:

  • Who was trained?
  • When did training take place?
  • How was training delivered (in person, webinar, etc…)
  • What topics were covered?

This can be done in a simple spreadsheet.  You don’t need to collect signatures to prove that training took place, but you do need to be sure that your records are accurate.

There are very few instances when staff members do not need to be trained.  Generally, these would be staff members that are not involved in any way with customers or customer transactions.  If there are staff members that are not trained, you should document who they are, their roles, and the reason that they are exempt from training.

AML Compliance Effectiveness Reviews & FINTRAC Exams

I’ve put together some detailed guidance on preparing for reviews and exams.  It’s important to remember to get all of your documentation in order in advance.  Make sure that you’ve read the request and understand what you are being asked for.  If you have questions about what you should include, it’s fine to call the reviewer or examiner to ask.

Information requests are time-sensitive.  For FINTRAC exams, you generally have 30 days from the date that the request was mailed to assemble your submission.  This seems like a long time, but you may need some extra help pulling everything together.  It’s a good idea to let your management team know as soon as you receive a request from the regulator, especially if you need extra resources to stay on top of the request and everyday compliance tasks.

Need a Hand?

If you’re feeling like your AML program needs work, and you’re not sure what to do next or you need extra hands to put together or look over your FINTRAC package, please contact us.

Return to Blog Listing