PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

RPAA Annual Reporting – Reminder and Key Requirements

Background

Under the RPAA and the Retail Payment Activities Regulations (RPAR), Payment service providers (PSPs) must submit an annual report through the Bank of Canada’s (BoC) online portal using the prescribed reporting form. Reports must be filed annually by March 31 and must cover retail payment activities conducted during the prior calendar year.

Who Must Comply

All PSPs that are on the registration list with BoC must complete the annual report. For clarity, BoC has established the following deadlines:

  • PSPs registered before March 9, 2026, must submit their report by March 31, 2026.
  • PSPs registered between March 9 and March 30, 2026, have until April 28, 2026.

PSPs on the application list as of March 31, 2026, are not required to file a report for the 2025 year and will report in 2026.

The annual report is now available through PSP Connect. It includes mandatory sections and does not permit structural or formatting changes. It is set up similarly to what PSPs saw as part of registration. All required fields must be completed, and any omissions must be explained in accordance with BoC guidance.

What to Report

The following are the reporting elements of the annual report.

1. Operational Risk and Incident Management

In this section, PSPs must provide information on the governance, design, and effectiveness of their operational risk management and incident response frameworks. This includes confirming whether the framework, and any material updates to it, were approved during the reporting year by the senior officer.

In this section, PSPs must identify the operational risk categories monitored during the year and must outline what protective and detective measures were in place. Importantly, this action requires PSPs to provide quantitative staffing and resourcing information.

PSPs must also explain how operational risks arising from third-party service providers and agents or mandataries are managed. PSPs must also indicate whether agreements with third-party service providers were entered into, amended, extended, or renewed. Where agents or mandataries are used, PSPs are expected to confirm that responsibilities are clearly defined, operational risk criteria are established, and assessments are performed to evaluate whether those criteria are met.

Some key requirements for this section are:

  • Did the PSP classify assets and business processes by sensitivity and criticality?
  • Were sufficient human and financial resources available to implement and maintain the framework?
  • Did the framework set out operational reliability objectives, targets, and indicators?
  • Which measures were in place to mitigate technology risks and protect assets and processes?
  • Did the framework include incident response and recovery plans, including third-party incidents?
  • Which elements were included in the incident response plan?

2. Safeguarding of End-User Funds

In this section, PSPs that perform the payment function of holding funds on behalf of end-users must identify whether they safeguard funds through a trust account or through an account supported by insurance or a guarantee, and whether the safeguarding method changed during the reporting year.

PSPs must report whether end-user funds are placed into a safeguarding account upon receipt and, where processing constraints exist, whether funds are placed into the safeguarding account by the next business day. PSPs must identify whether safeguarding accounts are held with Canadian or foreign financial institutions and, where applicable, identify those institutions and their regulators.

PSPs must describe the liquidity approach used to ensure end-users have reliable access to their funds and outline the procedures in place for returning those funds in the event of the PSP’s insolvency.

Some key requirements for this section relate to shortfall reporting. PSPs must report instances during the reporting year where safeguarded funds were insufficient, including:

  • the date the shortfall occurred and the date it was resolved,
  • the maximum daily shortfall amount (in CAD),
  • the root cause (selected from prescribed categories), and
  • the measures taken to prevent recurrence.

3. Significant Changes and Incidents

In this section, PSPs must identify all significant changes that occurred during the reporting year. A change is considered significant where it could reasonably be expected to materially affect operational risk or the safeguarding of end-user funds. The annual report requires each change to be reported separately, including the month and year in which the change took effect.

Examples of reportable significant changes include new or amended outsourcing arrangements, changes to third-party service provider relationships, material technology changes, geographic expansions, new products or market segments, changes in participation in payment systems, and material changes to organizational structure or staffing levels.

It is important to note that the report must also include a complete inventory of incidents experienced during the year, including incidents that were not required to be reported to the Bank under the RPAA at the time they occurred.

PSPs must also identify any retail payment activities that the PSP began or ceased to perform during the reporting year.

4. Ubiquity and Interconnectedness Metrics

In this section, PSPs must provide quantitative metrics as it relates to end-user funds used by the Bank to assess a PSP’s footprint and interconnectedness within the Canadian payments ecosystem.

These metrics must capture transactions where the PSP performed a payment function directly or indirectly, and must be reported separately for all end-users and end-users in Canada, where applicable.

PSPs must also report the total number of distinct end-users served during the reporting year, including users receiving services directly and indirectly, and provide information on services performed for other registered PSPs.

Some key metrics that must be reported include:

Value of End-User Funds Held

  • The maximum Canadian Dollar (CAD) equivalent value of end-user funds held at any time during the year.
  • For each month, report the average daily value (in CAD) at month-end.
  • Both the total of all funds held, and a breakdown by currency held.

End-Users

  • Total number of distinct end-users, and
  • Number of users receiving direct vs. indirect services (via third-party PSPs).

Number and Value of Electronic Funds Transfers (EFTs)

  • Monthly Count and Total Value
    • Report the monthly count and total value of EFTs.
    • Values in CAD (as both a total of all currencies combined, and a breakdown by currency of the EFT).
  • Value by Payment Type
    • Report an estimate of the total value of EFTs by payment type as a share of total value.

PSP with a place of business in Canada must report values for end-users in Canada and end-users outside of Canada as separate amounts.

5. Financial Information

In this section, PSPs must report key financial information, including total revenue, operating expenses, and total equity. Financial information may be reported using the PSP’s fiscal year-end, whereas most other reporting elements must align with the calendar year.

6. Record-Keeping

In this section, PSPs must confirm whether they maintain records sufficient to demonstrate compliance with the RPAA and the Retail Payment Activities Regulations. PSPs must indicate whether record-keeping is complete, partially complete, or not in place, and should be prepared to support these responses if requested by the Bank.

Preparing for Report

The annual reporting form is available through PSP Connect as of February 2, 2026. We suggest that PSPs may begin gathering the needed information for submission at any time prior to the applicable deadline. To help make this a bit easier, Outlier has put together a spreadsheet that will help in compiling the needed information. Please note that this spreadsheet does not replace formal BoC guidance. The system does allow organizations to save and continue where you left off.

We’re Here To Help

If you would like assistance in understanding what has to be reported or if you need help with RPAA requirements in general, please get in touch.

Canada & Australia Financial Crime Webinar Series

We’re proud to participate in a five-part webinar series on Financial Crime Investigations and Enforcement in Canada and Australia. The series brings together leading voices from Canada and Australia to explore today’s most pressing financial crime challenges.

Join Outlier’s Amber Scott in moderating the 4th session of the Canada & Australia Financial Crime Webinar Series on Due Diligence (Canada) on November 24.

4PM-5PM ET Online

Learn more and register here.

Check Your FINTRAC MSB Registration

Divya BhakthaAre you a money services business (MSB) that serves clients in Canada? Have you checked your MSB registration lately? If not, there’s no time like the present, and you can do so here.

What’s Required?

There have been some changes to the process for updating registration information with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) that may not be immediately apparent, and further changes are forthcoming. As a reminder, when an MSBs’ information changes, including products, locations, key personnel such as the Compliance Officer, ownership, or agents, that information must be updated with FINTRAC within 30 days. MSB registration must also be renewed prior to the registration’s expiry date. 

MSB Registration Changes 

When your MSB registration information changes, the first step is to complete the change form on FINTRAC’s website and remember to submit it within 30 days of the change. This form has a number of checkboxes that must be selected, depending on the specific updates that are being requested, as well as a freeform field that can be used to provide additional information (but be brief, there is a 100-character limit). There is also an option to download and save a copy of the completed form, which should be kept as part of your AML records. 

Once FINTRAC has received the form, they will reach out, usually to the email address provided in the form, with next steps. The most common next step is currently for FINTRAC to send a PDF form using Canada Post Connect (a secure portal for messages and document sharing), which must be completed and returned within a specific timeframe. As with the online registration form, you should save a copy of your completed change form.

MSB Registration Renewals

Before your MSB registration expires, complete the renewal form on FINTRAC’s website. Remember, your MSB registration is valid for two years, and you need to renew it before it expires. This form is different from the change form, but does have a checkbox that must be selected if there are also changes to MSB registration information, as well as a freeform field that can be used to provide additional information (remember to be brief, as there is a 100-character limit). There is also an option to download and save a copy of the completed form, which should be kept as part of your AML records. You can also use the save a copy function to download a form in progress, which can be re-uploaded and completed later.

Once FINTRAC has received the form, they will reach out, usually to the email address provided in the form, with next steps. If there are changes to MSB registration information, the most common next step is currently for FINTRAC to send a PDF form using Canada Post Connect (a secure portal for messages and document sharing), which must be completed and returned within a specific timeframe. We recommend whitelisting @fintrac-canafe.gc.ca and @canadapost-postescanada.ca addresses, so that they don’t get caught in your spam filters.

In either of the above scenarios, we recommend that you always download and keep a copy of the registration details, which include the time and date when you submitted the document, so you have proof if required at a later date.

Does FINTRAC Send Notices to Expiring MSBs?

Prior to last year, MSBs received email reminders from FINTRAC when their registration was expiring, but it doesn’t seem that this is the case. You should not expect a notification from FINTRAC when your MSB registration is set to expire. We recommend setting a reminder in your calendar for 30 days before the registration expires, to make sure the form is submitted on time.

Need a hand?

Whether you need assistance with your FINTRAC registration or AML compliance in general, you can contact us here or by email at info@outliercanada.com.

We Turn 12!

Green foil balloons forming the number 12 with gold confetti on a light background, celebrating a 12-year anniversary.Today marks another milestone for us – 12 years since Outlier Compliance Group was founded.

What began as a bold and novel idea, building a consulting firm made up exclusively of seasoned compliance professionals with deep in-house experience, has grown into a thriving, trusted partner for clients navigating Canada’s ever-changing regulatory landscape.

Our name, inspired by Malcolm Gladwell’s “Outliers, the Story of Success” which espoused the notion that to be truly proficient in a skill, 10,000 hours of practice is required. That was the bar that was set, met, and most often exceeded by every compliance professional that joined our team over the years.

Over the years, we’ve grown, evolved, but have stayed true to our roots. We’ve learned that success comes from surrounding ourselves with exceptional people, from listening closely to our clients, and from being willing to adapt in the face of change. We’ve discovered the value of curiosity when navigating complexity, and the power of collaboration when tackling the most challenging problems.

Through it all, our mission has remained the same “good compliance is good business”. It’s the principle that guides our work, shapes our advice, and underpins every solution we deliver.

As the Canadian regulatory environment becomes increasingly complex, our mission and our learnings will play to our continued success and growth as we continue to provide top tier compliance and risk management services. 

To our amazing team, past, present and future, thank you for your passion, expertise and resilience. To our clients, partners and industry peers, thank you for your trust and collaboration. Lastly, but by no means least, a special thank you to our CEO, David Vijan, and our Chairperson, Amber D. Scott, for keeping us on our toes and steering the ship with vision and purpose. 

Here’s to 12 years of achievement and to the future.

Identification Triggers for Factoring Companies

Background

We recently sought clarification from FINTRAC as it relates to identification requirements that Factoring Companies (Factors) must comply with.

Factors supply liquidity to a customer in exchange for the cash value of a certain amount of the customer’s accounts receivable (i.e. invoices) to be collected later by the factoring company. A factor is defined as a person or entity that is engaged in the business of factoring, with or without recourse against the assignor.

If you missed it, Factors became reporting entities under the PCMLTFA effective April 1, 2025. As a reporting entity, Factors must have in place a compliance program and comply with various requirements, including identification requirements.  Please refer to our previous blog post on Factors that outlines full requirements that factors must comply with.

Identification Requirements

Factors must confirm identification using prescribed methods for individuals and entities where they are required to keep a record as defined under section 24.14 of the

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations.

Section 24.14 states a factor shall keep the following records in respect of every factoring agreement that it enters into:

(a) an information record in respect of the person or entity with whom it enters into the agreement;

 (b) if the information record is in respect of an entity, a record of the name, address and date of birth of every person who enters into the agreement on behalf of the entity and the nature of the person’s principal business or their occupation;

 (c) if the information record is in respect of a corporation, a copy of the part of official corporate records that contains any provision relating to the power to bind the corporation in respect of transactions with the factor;

 (d) a record of the financial capacity of the person or entity with which it enters into the agreement and the terms of the agreement;

 (e) for any payment it makes; and

 (f) a receipt of funds record in respect of every amount of $3,000 or more that it receives, unless the amount is received from a financial entity or public body or from a person who is acting on behalf of a client that is a financial entity or public body.

As it relates to the last record, funds may come from a party other than the factoring client (a third party) and in such instances it is not sufficient to rely on identification that would have been completed for the factoring client, but rather the third party would have to be identified.

Below is a response from FINTRAC:

Under the PCMLTFA, specifically section 24.14(f), a receipt of funds record must be kept for every amount of $3,000 or more, unless the funds are received from a financial entity, public body, or a person acting on behalf of such an entity.

In response to your question:
If funds are received from a party other than the identified factoring client, identification requirements may still apply depending on who that third party is.

If the third party is not:

    • a financial entity,
    • a public body, or
    • acting on behalf of one,

then yes, identification and a receipt of funds record would be required, even if the factoring client has already been identified. This is because the receipt of funds record pertains to who the funds are actually received from, not just who the factoring agreement is with.

Identification of the factoring client alone is not sufficient if funds are received from another party who does not fall under the exemptions in s. 24.14(f). The source of funds must be identified and recorded accordingly.

The factoring company must take reasonable measures to identify the sender, document those efforts, and keep a receipt of funds record.

While this may prove to be challenging in some instances, demonstrating that reasonable measures were taken becomes critical.

We’re Here To Help

If you would like assistance in understanding what this mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

Securities Dealers See Rising FINTRAC Penalties

We’re seeing FINTRAC ramp up Administrative Monetary Penalties against all sectors, however, for securities dealers we’re starting to see some heavy hits, something we haven’t seen before, signaling a graduated approach to compliance assessments by FINTRAC.

On July 3, 2025, FINTRAC announced an Administrative Monetary Penalty of $544,500 against an investment dealer headquartered in Vancouver, British Columbia. Additionally, on February 13, 2025, FINTRAC announced an Administrative Monetary Penalty of $66,000 against, a Wealth Management Securities Dealer in Ontario.

Securities dealers must fulfill specific obligations as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations, to help combat money laundering and terrorist activity financing in Canada. As defined under the PCMLTFA, a securities dealer means a person or entity authorized under provincial legislation to engage in the business of dealing in securities or any other financial instruments or to provide portfolio management or investment advising services.

FINTRAC has the legislative authority to issue administrative monetary penalties (AMPs) to reporting entities that are found to be non-compliant with the PCMLTFA and associated Regulations. For more information, see Penalties for non-compliance.

Between the two notices, it was found that following compliance examinations, the following failures were found, which resulted in the AMPs:

  • Failure to develop and apply written compliance policies and procedures that are kept up to date; and, in the case of an entity, are approved by a senior officer. Specifically, the firm did not sufficiently develop and document its compliance policies and procedures in relation to know your client and record keeping requirements.
  • Failure to assess and document the risk of a money laundering or terrorist financing offence, taking into consideration prescribed factors. Specifically, the firm’s risk assessment was incomplete, as it did not clearly outline the risks associated with its clients and did not contain assessment of all the required categories. In addition, the risk assessment did not document an adequate methodology for the assessment of its money laundering and terrorist financing risks.
  • Failure to institute and document the prescribed review of its policies and procedures, risk assessment and training program. Specifically, the scope of a review did not cover the firm’s risk assessment. Additionally, the review did not specify how the organization ensured that its compliance program was tested for effectiveness.
  • Failure to submit suspicious transaction reports where there were reasonable grounds to suspect that transactions or attempted transactions were related to a money laundering or terrorist activity financing offence.
  • Failure to take the prescribed special measures for high risk.

Of all the findings, the ones that netted the highest AMP were related specifically to:

  • Failure to submit suspicious transaction reports where there were reasonable grounds to suspect that transactions or attempted transactions were related to a money laundering or terrorist activity financing offence.
  • Failure to take the prescribed special measures for high risk.

Failures in suspicious transaction reporting continue to be a big focus for FINTRAC and a trend with the larger value AMPs that we’ve been seeing.

Securities dealers are responsible for the following requirements under the PCMLTFA and associated Regulations:

  1. Compliance program:
    1. Appoint a compliance officer who is responsible for implementing the program. The Compliance Officer must always have access to management and the authority to carry out their duties.
    2. Develop and apply written compliance policies and procedures that are kept up to date and, in the case of an entity, are approved by a senior officer. Policies and procedures must be detailed and reflect the reporting entities business model.
    3. Conduct a risk assessment of your business to assess and document the risk of a money laundering or terrorist activity financing offence occurring in the course of your activities. The categories that must be assessed are outlined in guidance.
    4. Develop and maintain a written, ongoing compliance training program for your employees, agents or mandataries, or other authorized persons.
    5. Institute and document a plan for the ongoing compliance training program and deliver the training (training plan).
    6. Institute and document a plan for a review of the compliance program for the purpose of testing its effectiveness, and carry out this review every two years at a minimum (two-year effectiveness review). The review must test all parts of your compliance program as well as operations.
  2. Know your client:
    1. verifying client identity,
    2. politically exposed persons, heads of international organizations, their family members and close associates, beneficial ownership, and
    3. third party determination.
  3. Transaction reporting:
    1. Suspicious Transaction reporting
    2. Listed Person or Entity Property Reports
    3. Large Cash Transactions reporting
    4. Large Virtual Currency Transaction reporting; and
    5. Reporting suspected sanctions evasion.
  4. Record keeping;
  5. Foreign branches, foreign subsidiaries and affiliates; and
  6. Ministerial directives

We’re Here To Help

If you need help in creating or updating your compliance program and processes, are due for a Compliance Effectiveness Review, or have general questions on your compliance obligations,  please get in touch.

What Should You Do After Submitting Suspicious Transaction Reports to FINTRAC?

What Happens After You Submit a Suspicious Transaction Report?

When it comes to AML compliance, submitting a Suspicious Transaction Report (STR) to FINTRAC is just the beginning, not the end.

In this short video presentation, Divya Bhaktha from Outlier Compliance Group breaks down exactly what you need to do after an STR is filed, and the consequences if you don’t follow-up correctly.

Reference Links

Public notice of administrative monetary penalties

Reporting suspicious transactions to FINTRAC

Guide on harm done assessment for suspicious transaction reports violations (section 2.3.4)

 

Need help navigating STR obligations? Email us at info@outliercanada.com or get in touch here.

60 Days to RPAA: Are You Prepared?

With only 60 days left, the Bank of Canada (BoC)’s operational framework for payment service providers (PSPs) will come into force under the Retail Payment Activities Act (RPAA) and Retail Payment Activities Regulations (RPAR) – collectively referred to as Retail Payments Supervision (RPS) on September 8, 2025. If your business performs any of the following five payment functions, RPS apply to you, and you should already be registered with the BoC:

  • The provision or maintenance of a payment account;
  • The holding of end-user funds until withdrawn or transferred;
  • The initiation of a payment at the request of an end-user;
  • The authorization of an electronic funds transfer, transmission, reception, or facilitation of a payment message; 
  • The clearing or settlement of payment transactions.

With the deadline approaching, PSPs should be close to finalizing their operational risk and incident response policy frameworks which must include mapping all operational risk factors to BoC guidance. Key areas to focus on include

  • Identifying the human and financial resources that are required to implement and maintain the framework;
  • Allocating specific roles and responsibilities in respect of the implementation and maintenance of the framework;
  • Identifying the assets (systems, data, and information) and business processes that are associated with the PSPs performance of retail payment activities; 
  • Identifying operational risks, which must cover: 
    • business continuity and resilience,
    • cybersecurity,
    • fraud,
    • information and data management,
    • information technology,
    • human resources,
  • Identifying process and product design and implementation related to operational risk;
  • Establishing measures for protecting payment activities from identified risks;
  • Reviewing and testing of the framework; and
  • Managing its risks from third-party service providers, agents, and mandataries.

Additionally, PSPs that hold end-user funds must adhere to the safeguarding requirements under RPS. To safeguard funds on behalf of end-users, PSPs must utilize one of the following methods:

  1. Hold the funds in trust in a trust account used solely for that purpose; or
  2. Hold the funds in a segregated account backed by eligible insurance or guarantee in an amount equal to or greater than the funds held.

As a reminder, RPS requirements are in addition to your existing AML obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). We’re advising clients every day to align their policies, controls, and documentation to meet the BoC’s expectations. This often means creating and implementing new frameworks for many organizations.  If you haven’t finalized your framework yet, now is the time to act.

Outlier is here to help, so please get in touch.

Integrity Over Profit

Earlier this week I was approached by a client with whom we had completed a full overhaul of their Risk Assessment documentation, which occurred about 3-4 months ago. The project was completed with excellent results, and from all accounts, an ideal outcome. Mainly, the client was satisfied with the deliverable, felt more confident in the status of their overall compliance program, and was a delight to work with.

When they reached out this week, they were inquiring about Outlier completing their upcoming 2 year Compliance Effectiveness Review (CER). This was a clear indication of their satisfaction, which was a good feeling. However, we had to keep in mind that we (Outlier) revised their Risk Assessment documentation not too long ago. After some internal discussion, we felt it was not the right move for us to take on their CER, as we would be reviewing a portion of our own work. Not only would this be less value to the client, but should their financial service provider or FINTRAC determine that their reviewer was also the drafter of a portion of the compliance documentation, that would be a bad look. FINTRAC guidance states “Also, as a best practice, to ensure that your review is impartial, it should not be conducted by someone who is directly involved in your compliance program activities.”

Informing the client about our perceived conflict, and that it would not be the right move given the situation, felt less than optimal. No one wants to turn business away. However, the response was received with grace and understanding. This isn’t a shock as this individual is, in my opinion, an underrated pillar of the AML community, and generally, a person with a high degree of integrity.

Ok, So What?

This post is not intended to be a self-congratulatory post, but rather a message to highlight an important point for reporting entities. We have sat through examinations with clients where FINTRAC has identified the lack of separation between the drafter of the documentation and reviewer of the documentation. This situation left the reporting entity in a position they could not defend, resulting in, what I deem, an entirely unnecessary position. Had the reviewer acted with integrity, by informing the reporting entity about the potential risk and downfalls, the FINTRAC examination would have resulted in a more favorable outcome, including one less deficiency.

From my experience, the separation between the drafter and reviewer should go beyond merely assigning different people, or different departments, within the same organization because the baseline knowledge is consistent across the business. You want completely fresh eyes on your compliance program and its effectiveness.

The intent of this post is to serve as an FYI to reporting entities that relying on one firm to handle all aspects of compliance support is not an ideal scenario and can lead to problems down the line. There is no shortage of fantastic compliance consulting firms in Canada, each with deep expertise when it comes to Canadian regulatory requirements and FINTRAC expectations. If you would like some suggestions on additional firms that can offer compliance support, please feel free to reach out to us, and we can make warm introductions to other trusted firms.

Finally, this also raises concerns regarding independence of the CER process when the same company is engaged for multiple reviews in succession. We have strongly suggested to a few longstanding clients that they source a different reviewer for a “fresh set of eyes,” after completing multiple CERs for them previously. We have also received feedback from clients that during FINTRAC exams, FINTRAC examiners are suggesting the same thing. While its nice to have a good relationship with your compliance support providers, there comes a point where a changeup is not only suggested, it is necessary. It’s better to make the choice yourself, rather than have FINTRAC make it for you.

Independent Support

If you are in need of a completely independent reviewer, a suggestion for a couple of different options, or just have general questions, please feel free to contact us. We are here to help, and truly believe that rising tides lift all boats.

New Reporting Entity: Factoring Companies

Background

On March 26, 2025 final amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations were officially published in the Canada Gazette (SOR/2025-68). This round of anticipated changes introduces three company types that will become reporting entities. Below, we summarize the requirements that Factoring Companies will have to comply with as of April 1, 2025.

Factoring Companies (Factors)

Factors supply liquidity to a customer in exchange for the cash value of a certain amount of the customer’s accounts receivable (i.e. invoices) to be collected later by the factoring company. A factor is defined as a person or entity that is engaged in the business of factoring, with or without recourse against the assignor.

Requirements

All reporting entities (including Factoring Companies, as of April 1, 2025) must have in place a compliance program as defined under the PCMLTFA and associated regulations. The following is a summary of the requirements, as well as links to FINTRAC guidance (some of which will need to be updated).

Program Elements

  • Appoint a compliance officer who is responsible for implementing the compliance program and have oversight. The Compliance Officer must always have access to management and have the authority to carry out their duties.
  • Develop and apply written compliance policies and procedures that describe what is required under law and how these obligations will be met. These must be kept up to date and approved by a senior officer.
  • Conduct and document a risk assessment of your business. This assessment should include all activities that could make an entity vulnerable to money laundering or terrorist financing, as well as the mitigating controls that are put into place to prevent such risks.
  • Develop and maintain an ongoing compliance training program for your staff and agents. Everyone that deals with customers, customer funds, or transactions must receive AML and ATF training at least annually.
  • Conducting compliance effectiveness reviews. This is an audit that tests a company’s AML and ATF program and its effectiveness. These reviews must be completed at least once every two years.

Operational Elements

  • Reporting certain transactions. Where there are reasonable grounds to suspect that a particular financial transaction is related to the commission of a money laundering or terrorist activity financing offence, a Suspicious Transaction Report must be summitted to FINTRAC. This includes Large Cash and Large Virtual Currency reporting.
  • Follow ministerial directives and perform watchlist screening. Where a company may be in possession of funds or property that belong to a terrorist (either an individual or an organization) or a listed person, a Listed Person or Entity Report must be submitted to FINTRAC.
  • Identifying customers. Upon entering into a factoring agreement or when an information record is created, Factoring Companies will need to verify the identity of a customer using prescribed methods for individuals and entities.
  • Conducting transaction monitoring.
  • Conducting enhanced due diligence and enhanced transaction monitoring for high-risk customers.
  • Keeping certain records. In addition to keeping records related to the requirements above, Factoring Companies are required to keep the following records:
    • an information record in respect of the person or entity with whom it enters into the agreement;
    • if the information record is in respect of an entity, a record of the name, address, and date of birth of every person who enters into the agreement on behalf of the entity and the nature of the person’s principal business or their occupation;
    • if the information record is in respect of a corporation, a copy of the part of official corporate records that contains any provision relating to the power to bind the corporation in respect of transactions with the factor;
    • a record of the financial capacity of the person or entity with which it enters into the agreement and the terms of the agreement;
    • for any payment it makes, a record of:
      • the date of the payment,
      • if the payment is in funds, the type and amount of each type of funds involved,
      • if the payment is not in funds, the type of payment and its value,
      • the method by which the payment is made,
      • the name of every person or entity involved in the payment, and
      • every account number or other equivalent reference number connected to the payment; and
    • a receipt of funds record in respect of every amount of $3,000 or more that it receives, unless the amount is received from a financial entity or public body or from a person who is acting on behalf of a client that is a financial entity or public body.

What Next?

Factoring Companies should start working on developing their compliance program immediately if they have not done so already. FINTRAC has updated their sector-specific guidance page with relevant information for this new reporting entity and should be read.

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

Return to Blog Listing