PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

Proposed PCMLTFR Updates

Screen Shot 2015-07-08 at 4.03.31 AM

We’ve created a marked-up version of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) that reflects the draft amendments posted in the Canada Gazette on July 4th, 2015.

Here’s a printable and downloadable PDF file: PCMLTFR Mark-Up (July 4, 2015 Draft Amendments)

If you would like a copy of the file in Microsoft Word, please contact us.

Need A Hand?

At Outlier, we believe that it is important to participate in decisions that affect you and your business.  If you would like someone to look over your submission before you make comments to the Department of Finance, you can get in touch with us free of charge.  We will look over your submission and make suggestions, without any cost to you.  If you need a hand, please feel free to contact us.

EFT Reporting Clarification – Field Limitations

Guest Blog

Our guest blogger this week is Jonathan Krumins, Vice-President, AML Risk & Compliance, at vCAMLO Solutions Inc. vCAMLO provides anti money laundering (AML) and anti-terrorist financing (ATF) support to Canadian credit unions. You can learn more about vCAMLO at www.vcamlo.ca.

Background

Over the past year, we have a noticed a change in how Electronic Fund Transfer Reports (EFTRs) are interpreted by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).  For entities that are required to report EFTs, any amount valued at CAD 10,000 or more that is sent out of Canada or received from outside of Canada on behalf of a customer is reportable to FINTRAC within 5 business days. During recent exams, FINTRAC has been paying much closer attention to the details of each report, reviewing each field for missing or invalid information. Due to restrictions in how much information can be included in a report, an EFTR can be considered incomplete by FINTRAC, even if all information has been entered by the reporting entity.

Reports that are filed to FINTRAC electronically must meet FINTRAC’s batch reporting specifications, which includes character limits for each field in the report. For example, fields such as “Individual’s Occupation” or “Street Address” are limited to 30 characters. This presents two risks for reporting entities:

  • Descriptions that are longer than the field character limits, and
  • Limitations of third party software.

We have sought additional clarification about these scenarios, and how they may affect your FINTRAC reporting.

Information Longer than the Field Character Limit

Certain information, such as a foreign bank’s street address, can easily be longer than the 30 character limit. We recommend shortening the address as much as possible by using abbreviations, and by trying to ensure that only the bank’s civic address is included in the report.

For example:

If the complete address is: The Example Bank Building, 123 George Washington Street, P.O. Box 456 (69 characters with spaces), the address must be shortened to meet the field limits.

One option for shortening the address is: 123 George Washington St.

Limitations in Third Party Reporting Software

Some third party FINTRAC reporting software does not enforce a field cut off (and the end user may not be notified that some information was cut off). This can result in information that appears to be present in a report, but is actually cut off as it is sent to FINTRAC.

Using the same example, if only the first 30 characters are sent to FINTRAC, the address in the report would read: The Example Bank Building, 123.

Some third party reporting software provides a report “Preview” function, which can show you how the report will actually appear to FINTRAC. If this option is available, be sure to review the “Previewed” report to ensure that all necessary information is contained in the report, and that nothing is cut off.

If your third party reporting software has this limitation, we would recommend contacting the software provider to request that field limits be put in place to match FINTRAC’s reporting specifications.

Need a Hand?

vCAMLO: If you are a credit union or MSB, and have any questions related to EFTR, LCTR or STR reporting, or if you are interested in AML Support Services, please contact us for a complimentary 30 minute compliance discussion.

Outlier: If you need assistance reviewing your technology solution or FINTRAC reporting to be certain that you’re meeting the standard described in this blog, or just someone to chat with to make sure that you’re on the right track please contact us.

Full Text Response

Good afternoon Mr. Krumins,

Thank you for your follow-up inquiry.

As previously stated, the reporting entity is required to include the relevant information to identify the destination or sending institution. It is for the reporting entity to determine the relevant information as this is a question of fact.

For an international or foreign address, there is no specific formula since every country has its own conventions. If no numerical address exists, the reporting entity should take reasonable measures to include the relevant information to help identify the destination or sending institution. When the reporting entity is reporting non-SWIFT Electronic Funds Transfers, and the institution’s information exceeds the character capacity in the given address field, then the reporting entity should consider ways to abbreviate names or words, without deteriorating the quality of the information, as necessary.

Best Regards,

Implementing 2014 AML & ATF Regulatory Changes

We’ve done many AML Compliance Effectiveness Reviews of late, and my first question to clients is always the same: have you implemented the changes that came into effect in February of this year? The answers have varied from a confident “Yes, of course!” to “What changes?” We have a simple guideline for blogs at Outlier. If we receive a question more than three times, we write about it, and we make as much useful information as possible free. We do this because we believe that knowledge is power – and that everyone should have access to it. In the spirit of making knowledge free and available, we’ve decided to share the most significant changes related to updates to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) that came into effect earlier this year, and the solutions that we’ve implemented with our clients.

The Big Disclaimer

This blog was not written by a lawyer and shouldn’t be considered legal advice.

While our solutions have been reviewed by:

  • Outlier;
  • Our clients who have implemented these solutions; and
  • The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) (in the form of examinations conducted with our clients who have implemented these solutions),

this doesn’t guarantee that these solutions will be a perfect fit for your business. They will need to be edited and customized to suit your business model – but we think that they will point you in the right direction.

2014 PCMLTFR Changes In Brief

The most recent changes to the PCMLTFR came into effect in February of this year. Among the most significant changes were:

  • The addition of business relationships;
  • The addition of customer information updates (with more frequent updates for higher risk customers);
  • The addition of delivery channels to the risk assessment (bundled with products and services); and
  • The addition of enhanced transaction monitoring for higher risk customers.

Each of these changes has an impact on your anti-money laundering (AML) and anti-terrorist financing (ATF) program. They should be incorporated into your program documents (your policies, procedures and training) and have an impact on your operations (what you’re doing to meet these obligations).

Business Relationships

Reporting entities have a business relationship when a customer has performed any combination of transactions that requires identification and/or confirming the existence of an entity more than twice. This includes suspicious transactions and attempted suspicious transactions. When you have a business relationship with your customer, you must keep a record of the “purpose and intended nature of the business relationship.” In its simplest form, this means asking the customer the purpose of their business with you, and keeping a record of the response. This information is also useful in transaction monitoring, as it allows you to look for activity that isn’t consistent with the answer that the customer has provided.

This is something that you can ask your customer verbally (by phone is fine), by email, via a web form, by fax, or in any other way that makes sense for your business. You don’t need the customer to sign anything, but you do need to document the response. There is also flexibility in how you keep a record of the customer’s response.

If you have flexible information technology (IT) development, you can add a business relationship indicator to your system, as well as a field for the purpose and intended nature of the business relationship. Ideally, the system would detect business relationships automatically, and prompt your staff to collect information about the purpose and intended nature of the business relationship. If your business is relatively straightforward, you may even be able to develop a dropdown menu.

If your IT systems are less flexible, you’ll need to find another way to record this information. This can range from notes in the customer profile section of your client management system to an excel spreadsheet. Whichever method you use, you’ll need to think of a way to make sure that you know about all of the business relationships that exist.

You’ll also need to add a section to your program documentation that explains:

  • What a business relationship is;
  • How you know when you have a business relationship with your customer; and
  • What you do when there is a business relationship.

Your staff and agent training should also be updated to include a definition of business relationships, and your processes where you have a business relationship with your customer.

Here’s some sample language:

Business Relationships

We have a business relationship with anyone that has conducted two or more transactions that require identification (for individuals) or confirmation of the existence of an entity (for organizations). When we have a business relationship with our customer, we need to keep a record of the purpose and intended nature of their business relationship with us. Although this may seem self-evident, it is something that needs to be recorded.

Our system has been updated to prompt all staff to enter the purpose and intended nature of business relationships. This field is not optional; it must be completed whenever we have a business relationship with our customers.

We must also monitor business relationships that and keep information up to date (including customer identification, if the customer is active with us). The Compliance Officer will determine whether or not information about our customers and/or businesses relationships is up to date may contact staff for additional information.

Information Updates

Reporting entities must also keep customer information up to date. Updates should be more frequent for high-risk customers, although the PCMLTFR does not specifically prescribe how often these updates should take place. Depending on your business model and how frequently you interact with your customers, there may be significant differences in how often you perform updates.

Customer information updates refer to the customer’s name, address, email address, telephone number and occupation or principal business. Customers that are organizations are also required to confirm the organization’s beneficial ownership and director information.   This doesn’t mean that you need to collect the articles of incorporation (or other documentation that you’ve already got on file) a second time, but rather than you’re confirming with the customer that this information has not changed, or updating your records if there were any changes.

Once again, if your IT systems are flexible, you can add automatic prompts to ensure that this is completed. Anyone that uses online banking will be familiar with this the type of updates that have occurred this year. When you log into your account, you’re asked to confirm your personal details before proceeding to the banking site.

You’ll also need to add a section to your program documentation that explains:

  • What information must be updated;
  • How frequently this information is updated; and
  • How you update this information;

Your staff and agent training should also be updated to include information updates as well.

Here’s some sample language:

Customer Information Updates

Customer information updates refer to the customer’s name, address, email address, telephone number and occupation or principal business.

Customers that are organizations are also required to confirm the organization’s beneficial ownership and director information.

Inactive Customers

Inactive customers are re-identified in order to re-activate an account and conduct transactions that require identification.

Inactive customers that are required to be re-identified are also required to update their customer information.

Low & Medium-Risk Customers

Low and medium-risk customers that were identified face to face are required to update their customer information at the point that the identification document has expired.

In the case that there is no expiry date for the identification document initially provided, customer information is updated every five years.

In the case that the customer has been identified using non-face-to-face methods, customer information is updated every five years.

Low and medium-risk customers that are not recognized visually or by voice must be re-identified using either face to face or non face to face methods when they request transactions that require identification.

High-Risk Customers

High-risk customers are required to update their customer information every two years.

High-risk customers that are not recognized visually or by voice must be re-identified using either face-to-face or non face-to-face methods when they request transactions that require identification.

If the reason that a customer has been considered high-risk relates to doubts about the veracity of any of the information or identification provided, additional identification or confirmation of customer identification may be required at the Compliance Officer’s discretion.

Risk Assessment: Delivery Channels

Your Risk Assessment (that document that describes the risk that your business could be used to launder money or finance terrorism) already describes the risk related to your products and services (what you sell). This has been updated to include delivery channels (how you deliver your products and services to your customers). This should include all of the methods that you use to interact with your customers (whether they’re sales and service or service only), and a description of the risk associated with those methods. Generally speaking, high-touch delivery methods (anything that allows you to interact directly with the customer) provide more opportunities to detect potential money laundering or terrorist financing activities. This doesn’t mean that low-touch options like online ordering are bad, but it does mean that you need to have good controls in place to prevent money laundering and terrorist financing.

Your Risk Assessment should be updated to describe your “Products, Services and Delivery Channels” (rather than simply “Products and Services”). It should clearly explain how your products and services are delivered, and the risks associated with your delivery methods. The delivery methods should include all of your touch points with your customers (including things that may not be advertised, that you only do for existing customers).

Here’s some sample language:

Delivery Channels

We complete the sales process with our customers:

  • In person (at our retail/commercial locations);
  • In person (at locations other than our own premises);
  • Via mail;
  • Via phone;
  • Via fax;
  • Via internet.

In addition, we provide servicing to our customers:

  • In person
  • Via social media sites;
  • Via email; and
  • Via phone.

Our delivery channels include a mix of “high-touch” and “low-touch” options. High touch options provide us with greater opportunities to interact with our customers, observe customer behavior and ask questions. Low-touch options do not afford the same opportunities to observe behaviours. In these cases, we are more reliant on transaction monitoring and transaction review to detect unusual activity. In the case of low-touch options, we are generally able to contact the customer via our servicing channels to request additional details where the transaction is not consistent with what we know about the customer.

Enhanced Transaction Monitoring

Reporting entities are required to monitor transactions in order to identify patterns that may indicate that money laundering or terrorist financing is taking place. For higher risk customers, there must be some form of enhanced transaction monitoring. Enhanced means that it is different from the transaction monitoring that takes place for all customers. It can be different either in quality (what you do to monitor transactions) or quantity (how frequently monitoring takes place, or how unusual a transaction must be in order to generate an alert).

If you have an IT system that automatically monitors transactions and generates alerts, and there is flexibility in programming this system, you can make changes to the monitoring activities that take place based on customer risk level. If you’re monitoring transactions manually, you can incorporate enhanced transaction monitoring into the enhanced due diligence that you conduct for your high-risk customers. This can be as simple as reviewing the last two years of high-risk customer activity. Regardless of the method that you use to conduct enhanced transaction monitoring, you’ll need to update your program documentation to describe what you’re doing and what records you’re keeping.

Where transactions are monitored by an IT system, the language in your program documents should reflect the parameters set in your system. If you are monitoring transactions manually, here’s some sample language:

Enhanced Transaction Monitoring

For high-risk customers, enhanced transaction monitoring is conducted. The Compliance Officer (or a delegate) reviews the information that is on file about the customer, as well as records of the customer’s activity for the past two years. If there is activity that appears to be related to money laundering or terrorist financing, appropriate reports are filed with FINTRAC (and in the case of terrorist property, with CSIS and the RCMP).

High-risk customer accounts are reviewed at least annually, and more frequently where triggered by customer activity (for example where there is an internal report submitted to the Compliance Officer). The Compliance Officer will maintain complete records of the reviews and maintain these records for at least five years

Keeping Up To Date

Remember to document the fact that you’ve reviewed and updated your program. This can be done in a simple spreadsheet, or within the program documents. The record should include what updates were completed, when the updates were completed, and by whom the updates were approved.

Need A Hand?

If you need assistance reviewing your program, implementing the updates described in this blog, or just someone to chat with to make sure that you’re on the right track please contact us.

FINTRAC EFT Reporting Clarification

We’ve recently had quite a few conversations with our clients and friends about electronic fund transfer (EFT) reporting.

For entities that EFT 10Kare required to report EFTs, any amount valued at CAD 10,000 or more that is sent out of Canada or received from outside of Canada on behalf of a customer is reportable to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) within 5 business days.  The question that keeps coming up relates to situations that have multiple senders or beneficiaries.

For example:

When Jaques (your customer in Canada) sends the equivalent of CAD 12,000 to his aunt Sally in Europe, this is clearly reportable as an EFT.

But

What if instead of sending the whole amount to his aunt Sally, Jacques instead send three transactions, each equivalent to CAD 4,000 to each of his nephews, Ralph, Jean and Morty?

After hearing different answers from different people, we thought it best to get a policy clarification from FINTRAC.  You can see the full text of that question, and FINTRAC’s answer below.

Outgoing EFTs With Multiple Beneficiaries Are Reportable

In the case that we mentioned above, Jacques’ transactions would be reportable EFTs, provided that all of the transactions happened within the same 24 hour period.  In this case, 3 reports would be sent, adding up to the total amount (which is over CAD 10,000).

Incoming EFTs From Multiple Senders Are Reportable

It stands to reason that if you receive multiple EFTs of behalf of the same beneficiary, the same rules would apply.

In the example above, for instance, let’s say that the money sent to Jacques’ nephews was a loan.  All of the nephews pay pack the loan at the same time, and you receive 3 EFTs for Jacques, each from a different sender, with a value of CAD 4,000 each (CAD 12,000 in total for the three EFTs).  These are also reportable, provided that the transactions all occurred within the same 24-hour period.

What Does It Mean If You’ve Interpreted the Reporting Requirements Differently?

In some cases, this may mean updates to your IT systems, to allow you to detect transactions that are received on behalf of the same beneficiary, or sent on behalf of the same sender.

It may also mean looking back at your transaction data, in order to figure out whether or not there are any EFTs that should have been reported to FINTRAC that were missed.  If this is the case, we recommend that you consider filing a voluntary disclosure with FINTRAC to proactively let them know about the issue, and what you’re doing to fix it.  If this is the case, we’ve created some free resources to help make this process as simple as possible.

Need a Hand?

If you’re not sure what to do next or you need extra hands to review your IT system updates or a package that you’re submitting to FINTRAC, please contact us.

 

Full Text of FINTRAC’s Response

Amber, 

     I am writing further to your e-mail of May 13, 2014, concerning how to report an electronic funds transfer sent by one client but to

multiple beneficiaries.

     As you know, pursuant to the /Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations/ (PCMLTFR),  reporting entities are required to report to FINTRAC electronic funds transfers valued at $10,000 or more (in the course of a single transaction) at the request of a client, along with the information referred to in Schedule 2 or 5, as the case may be; and the receipt from outside Canada of electronic funds transfers, sent at the request of a client, of $10,000 or more in the course of a single transaction, along with the information referred to in Schedule 3 or 6, as the case may be.

     When a client requesting an EFT conducts a transaction with the initial amount of $10,000 or more and instructs that it be divided between multiple beneficiaries, the EFT is still being carried out by one client, and the EFT must be reported using multiple reports (one per beneficiary).  The key to determining the reporting requirement is the instruction given by the client. To better explain this, I have provided two examples below:

     1)  A client instructs that $15,000 be sent via EFT to different beneficiaries, $5000 each. In this instance, the reporting entity would be required to send three different reports, one for each beneficiary, for a total of the $15,000 that the client requested be sent via EFT. When submitting the reports, the 24-hour-rule indicator must be selected, although this is not considered to be a single transaction of $10,000 or more as defined under section 3 of the PCMLTFR.

     OR

     2)  A client instructs that $5000 be sent to beneficiary subsequent $5000 be sent to beneficiary B and a third $5000 be sent to beneficiary C. In this instance, the 24- hour rule must be considered.

The 24-hour rule applies if the reporting entity knows, or an employee or senior officer knows, that the transactions were made within 24 consecutive hours of each other, by or on behalf of the same individual or entity. It applies only to transactions that are under $10,000. If a transaction is for $10,000 or more, it is reportable as one transaction.  As such, if the reporting entity knows that the first two EFTs of $5000 each were made by, or on behalf of, the same person, then the reporting entity would be required to submit two reports under the 24-hour rule, as these two EFTs total $10,000.    

I trust this information will be of assistance.

Best regards

Canadian Digital Currency Regulation

BitcoinAcceptedHereLate last week, Canadian Bill C-31 received royal assent (meaning that it has been approved and will become Canadian law).  The bill covered many areas, one of which was anti money laundering (AML) and anti-terrorist financing (ATF) requirements for Canadian businesses.  This included adding “dealers in digital currency” to the definition of money services businesses (MSBs).

It’s not yet clear when these changes will come into force, but we expect that there will be a period of at least six months before businesses need to be compliant.   You can read the final version of the bill here. In the mean time, we expect to see a consultation paper and draft regulations before final regulations are released.  The law will not come into effect until final regulations are released, and the regulations will clarify exactly what dealers in digital currency need to do to comply.

For businesses that operate in Canada or have Canadian customers (customers that are served in Canada – including via the web), this will mean registering with government agencies as an MSB, maintaining an AML and ATF compliance program, being compliant with the laws (which includes keeping records and identifying customers and reporting certain types of transactions), answering to the regulators and disclosing certain information to financial service providers.

Who Is a Dealer In Digital Currency?

Bill C-31 did not define dealers in digital currency.  Instead, the bill states that the definition will be included in the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (Regulations).  Generally speaking, being a dealer in any type of good or service implies that you are selling something for profit.  The proposed definition is likely to appear in the initial consultation paper (expected this summer) as well as the draft version of the regulations.

It’s important to note that if you are dealing in digital currency today, but not engaging in any other MSB activities, you’re still not considered an MSB and you don’t have compliance obligations (yet).

MSB Registration

Dealers in digital currency will need to register as MSBs.  Anyone dealing with customers in Canada will need to register as an MSB with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).  The process involves contacting FINTRAC to provide initial information and gaining access to the MSB registration site.  There will be a number of questions about the owners of the business, senior officers, banking relationships and projected revenues.  While the process is not costly, it can take time (in particular if the regulator requires clarification).

MSBs serving customers in the province of Quebec are also required to be licensed with the Authorite des Marches Financiers (AMF).  Licensing related fees range from about CAD 607 to CAD 2428, excluding additional fees of CAD 202 per automated teller machine (ATM) operated in Quebec.  You can learn more about the Quebec licensing process here.

Dealers in digital currency will not be able to register as MSBs at this time, but should expect to do so once the final regulations have been issued.  The registration processes can take time, and it’s useful for businesses to start the process as early as possible in order to avoid being off side with the law.

Compliance Programs

AML and ATF Compliance Programs generally have five elements:

  • A Compliance Officer (the person who oversees compliance for the organization),
  • Policies and Procedures (documents that describe what you’re doing to comply),
  • A Risk Assessment (a document that describes the risk that your business could be used to launder money or finance terrorism, and the controls that you have in place to prevent this from happening),
  • Training (this is delivered at least annually to all staff that deal with customers or transactions), and
  • Effectiveness Reviews (like an audit for compliance, these are completed at least every two years).

Some dealers in digital currency may already have voluntary compliance programs in place.  These programs will most likely need to be updated when the final regulations are published.

Operational Compliance

In addition to having a documented AML & ATF compliance program, there are certain things that MSBs need to do in order to comply with the law.  Currently, these include identifying customers when the MSB:

  • receives the equivalent of CAD 10,000 or more in cash,
  • sells or cashes $3,000 or more of traveller’s cheques, money orders, or anything similar instruments,
  • exchanges currency of $3,000 or more for another currency,
  • sends or receives international money transfers of $1,000 or more, and/or
  • suspects that a transaction, or an attempted transaction, of any amount, is related to a money laundering offence or a terrorist financing offence.

Identification in this case is tightly defined as either the MSB or it’s representative looking at an original, valid (not expired) piece of government issued identification in person (via Skype or webcam doesn’t count) or using specific methods described in the Regulations.

MSBs are also required to keep specific types of records for at least five years, including customer and transactions records.  All records must be stored in such a way that they can be quickly retrieved if the regulator requires them (generally within 30 days of the date that the regulator makes the request).  In addition, MSBs are required to report certain transactions to FINTRAC and other agencies within set timeframes.

Like having a compliance program in place, these requirements don’t apply to dealers in digital currency yet, but it’s helpful for business owners to start thinking about the types of changes that may need to be made to IT systems and processes once regulations are released.

Penalties

The penalties for non-compliance can be significant, and may include either civil penalties, criminal penalties or both.  For instance, failure to report suspicious transactions can result in penalties up to CAD 2 million and/or 5 years imprisonment.

In addition, FINTRAC may publish penalties on its website.  While monetary penalties can be substantial, it is the publication of these penalties that can ultimately be more damaging to businesses.  Few banks or other financial service providers are willing to work with organizations that have published violations for non-compliance.

What’s Next For You?

If your business is likely to be considered a dealer in digital currencies, you will have an opportunity later this year to comment on the consultation papers and draft regulations.  It is unlikely that the sector will remain unregulated in Canada for long, but you will have an opportunity to voice your opinion about the proposed changes.

In the mean time, it’s time to start thinking about what you’ll need to do in order to be compliant.  Who will your Compliance Officer be?  What changes will you need to make to your documents, systems and processes?  Although there are certain things that you won’t be able to do quite yet, you can organize your resources to be ready later this year.

If you’re concerned about the next steps and need a hand, please feel free to contact us anytime.  Conversation are always free, and if you choose to hire us for a project, we do accept payment in bitcoin.

Outlier BTC Tipping AddressTipping QR Code

Foreign Exchange Transactions May Be Derivatives

There are new regulatory requirements that will soon impact MSBs dealing in foreign exchange (“FX”).  Securities are regulated by the provinces and territories, and the dates for implementation and regulators will differ, however, the intent of the law and the basic premise is expected to be the same Canada wide.  All FX transactions that settle in a period longer than two days will be required to be reported.  In some provinces, these requirements will come into force sooner for registered derivatives dealers dealing in FX, and later for FX dealers not registered as derivatives dealers.

If you are a securities dealer providing derivatives to your clients, you will most likely already be aware that these changes are on the horizon.  If you are an MSB providing FX services, these changes may have been less foreseen.  The comments below are intended to help FX shops, who are not currently registered securities dealers, to understand derivatives reporting.

You may also be asking; “what is a derivative?” Simply, a derivative is a financial instrument whose value is based on that of an underlying entity, which could be an asset, currency or interest rate.

The new rule is meant to collect data in Canada on the economic ecosystem of the use of derivatives for financial speculation. So FX dealers who facilitate clients who speculate for financial gain using FX trading will be impacted by this rule.  If you are an FX dealer, the first thing that you will need to know is whether or not your transactions are considered to be derivatives.

Are My FX Transactions Derivatives?

To determine whether or not your FX transactions should be considered derivatives, consider the longest time that it takes to settle a transaction.  In this context, to settle the FX transaction means that you have delivered the currency to your client, or on your client’s behalf. A day, in this context, refers to business days (any days that your business is open and accepting or processing transactions).

For Example:

Screen Shot 2014-05-19 at 2.27.45 PM

There is an exception provided in the case that there is an event that prevents the delivery of the currency (but this is expected to be rare).

If you provide FX transactions that either include a rollover provision (something that allows you to extend the contract) or are intended as speculative investments (whether or not the trade actually settles over two business days) you will also need to meet the same requirements.  If you are conducting these types of transactions, you will need to take steps to be prepared by the time that the laws come into force in the province(s) and/or territories in which you do business.

My Transaction Are Derivatives – Now What?

As an FX dealer, you will have a choice:  you can either change your practices to settle all of your transactions by the end of the next business day; or you can complete additional steps to ensure that you are compliant.  For FX dealers that want to continue to settle transactions that are considered to be derivatives, there are 3 steps that must be completed before June 30, 2015:

  1. Obtain a Legal Entity Identifier (“LEI”)
  2. Set up Unique Product Identifiers (“UPIs”)
  3. Set up Unique Transaction Identifiers (“UTIs”) for applicable transactions (if your IT system doesn’t already do this)

After June 30, 2015, you will also need to keep certain records and report all applicable FX trades that are not settled within two business days.

Legal Entity Identifier

FX dealers to whom the new requirements apply will need to ensure that they obtain a Legal Entity Identifier (“LEI”), from a Local Operating Unit of an accredited Trade Repository (“TR”).  A list off TRs is available at leiroc.org.  This is expected to cost approximately $200-300 and the application process is expected to take 1-3 weeks.

Unique Product Identifiers

You will need to create Unique Product Identifiers UPI for all applicable product types you offer to clients.  For most FX dealers, this means that you will need to create a code to identify transactions that are settling over more than two days.  A list of the types of transaction identifiers can be found at isda.org under OTC taxonomies in the foreign exchange tabs of the downloadable document in Microsoft Excel.

Unique Transaction Identifiers

You will need to create a system that generates or attributes Unique Transaction Identifiers (“UTI”) for every applicable transaction.

Record Keeping And Reporting

Once you’re registered and you have all of your identifier numbers in place, you will need to report applicable transactions to the TR in “real time” (as soon as possible after the transaction has settled).  This means that you will need to have a system in place that keeps track of applicable transactions and a process to stay on top of reporting.

The information that you will need to report for each applicable transaction includes:

  • Your LEI (and the LEIs for any other applicable parties to the transaction);
  • The UPI;
  • The UTI; and
  • Transaction information.

This information is sent to the local TR

Keeping Up To Date

We’ve assembled some quick resources to help you stay up to date.  You can use the links below to connect to the regulators’ websites and other resources for your province or territory.

 

Province or Territory Regulatory Agency Website Is There a Law? Links
Alberta Alberta Securities Commission www.albertasecurities.com Yes http://www.assembly.ab.ca/ISYS/LADDAR_files/docs/bills/bill/legislature_28/session_2/20140303_bill-003.pdf
British Columbia British Columbia Securities Commission www.bcsc.bc.ca Not yet N/A
Manitoba Manitoba Securities Commission www.msc.gov.mb.ca Yes https://web2.gov.mb.ca/laws/statutes/ccsm/s050e.php
New Brunswick Financial and Consumer Services Commission (New Brunswick) www.fcnb.ca Yes http://www.gnb.ca/legis/bill/pdf/57/4/Bill-9.pdf
Newfoundland & Labrador Office of the Superintendent of SecuritiesService Newfoundland and Labrador www.gov.nl.ca/gs Not yet N/A
Nova Scotia Nova Scotia Securities Commission http://nssc.novascotia.ca/ Yes http://nslegislature.ca/legc/bills/62nd_1st/1st_read/b060.htm
North West Territories Northwest Territories Securities Office www.justice.gov.nt.ca/ Not yet N/A
Nunavut Nunavut Securities Office http://nunavutlegalregistries.ca/sr_index_en.shtml Not yet N/A
Ontario Ontario Securities Commission osc.gov.on.ca Yes http://www.canlii.org/en/on/laws/stat/rso-1990-c-s5/latest/rso-1990-c-s5.html
Prince Edward Island Office of the Superintendent of Securities www.gov.pe.ca/securities Not yet N/A
Quebec Autorité des marchés financiers www.lautorite.qc.ca Yes https://lautorite.qc.ca/fileadmin/lautorite/reglementation/instruments-derives/avis-autorite/2017oct05-avis-regl-modif-rid-en.pdf
Financial and Consumer Affairs Authorityof Saskatchewan www.fcaa.gov.sk.ca Not yet N/A

Need A Hand?

We’re not securities lawyers, but fortunately we know someone who happens to be just that. For assistance registering as a derivatives dealer, resolving potential disputes, and securities law questions, contact Susan Han at AUM Law.

If you require assistance reviewing your business for triggering activities, amending your policies, procedures and risk assessment, as well as,  setting up a reporting regime, please contact us.

 

AML Compliance Effectiveness Reviews

AML Compliance Effectiveness Review

Canadian reporting entities are required to conduct and document an effectiveness review at least every two years.  This review must consider the completeness and effectiveness of the anti money laundering (AML) and anti-terrorist financing (ATF) compliance program and include operational testing (testing what the organization is actually doing).  For larger institutions, this is generally done as part of audit related testing.  For federally regulated financial institutions (banks, trust companies, insurance companies, etc.) there is a requirement for the testing to be independent.  For smaller companies that aren’t designated as federally regulated financial institutions, effectiveness reviews may be performed by staff members, consultants or by another organization.  Deciding who should perform the review and what to spend can be challenging.  No matter which option you choose for your business, your reviewer should be qualified and the final report should be comprehensive and signed-off by your management team within 30 days of the date that you receive the final version.

What Should The Report Look Like?

A comprehensive report means that the report tests both your documented program (policies, procedures, risk assessment and training).  This means that the reviewer must read your documentation and comment on whether or not it meets the requirements for your business.  Your operations (what you actually do) must also be tested.  This should include customer identification, recordkeeping and FINTRAC reporting.  The report should be specific about what testing was completed and how testing was conducted.  The reviewer should be someone that understands Canadian AML and ATF requirements.

The report should be focused on facts; namely whether or not you’ve met the requirements.  If requirements are not met, the report should be specific about what is missing.  The final report should be a formal document that provides complete information to the reader.  Your management team’s sign-off on the contents of the report must be documented.  This can be in meeting minutes or in a simple document like this one.

Choosing A Reviewer

The reviewer that you choose will depend on your resources that you have, including your budget.  It’s important to remember that no matter how much or how little you spend or the size of your business, the requirements are exactly the same.  The reviewer should be someone that understands Canadian AML compliance requirements for your reporting entity type.  If possible, it should not be a person that is directly involved in your compliance or operations.

Accountants and Consultants

There are a number of accounting and consulting firms (including Outlier) that can complete reviews.  The price ranges will generally vary depending on the size of your business, the complexity of your business model, the size of the firm and the experience of the reviewer.  If you are hiring a consultant to conduct your review, check out our guide to negotiating consulting agreements.  You should ask the reviewers that you are considering:

  • If they have conducted reviews for your reporting entity type before?
  • If FINTRAC or any other regulator has had negative findings related to any of the reviews that have been conducted?
  • Who will be working on your review?
  • What references (especially from similar business types) the reviewer can provide?
  • What the review process looks like?  (Here you’re checking to be certain that the reviewer will be testing both your program and operations.)

Pros:  You have a choice of reviewers (including reviewers with experience conducting reviews) and the ability to hire independent firms (not involved in your compliance program design or operations).

Cons:  This is likely to be the most expensive option.

Colleagues & Competitors

You may choose to have a review conducted by a colleague or competitor.  This option can work well if the companies have good relationships and are not concerned about sharing information that includes customer information.  It is relatively common in some industries for Compliance Officers to have reciprocal agreements that allow them to perform reviews for one another.  If you choose to have a review conducted by a colleague or competitor, you will want to consider:

  • The confidentiality of your information, including customer information.  Your agreement should contain a clause that states that this information will only be used for the purpose of the review and will not be shared within the colleague or competitor’s company.
  • The experience of the reviewer (in particular if they have not previously conducted a review).
  • Whether the reviewer’s company will allow them to conduct a review for a colleague or competitor.
  • Who will be compensated for the review (you don’t want to get in a dispute with your reviewer and their employer over who should be paid and how).

Pros:  The reviewer is likely to be familiar with the business processes and requirements that apply to your reporting entity types and there is the potential to conduct reviews for one another (reciprocal agreements) at little to no cost.

Cons:  The reviewer may have less experience in conducting reviews and you may be reluctant to share business and customer information (required to complete testing) with a competitor.

You & Your Staff

You may choose to conduct a review internally, either on your own or with assistance from other staff members.  This will require you to take a step back from your day-to-day work and consider it from a fresh perspective, which can be challenging.  The larger your company is, the more likely it is that regulators and banking service providers will expect your review to be independent.  However, as the least costly option, it can be worth considering if you are squeezed from a budget perspective and have the right experience to conduct the review and reporting on your own.

Pros:  You know your company’s business model and requirements well and this option is likely the least costly.

Cons: You are directly involved in the company’s compliance program and operations, which may be viewed by a regulator or banking service provider as having the potential to bias your findings.

After Your Review

Your review should serve as a guide to help you improve your AML and ATF compliance program.  It can be helpful to keep records of each finding, and the changes that you’ve made after the review.  It’s important to remember that the review is a snapshot of your compliance at a particular point in time.  Your reviewer cannot go back and change their findings based on changes that you’ve made after the review is complete.  If you’ve made significant changes to your program or operations following a review, it can be useful to have a follow up review conducted (or to conduct your own internal testing) to demonstrate that the changes that you’ve made are working as expected.

Need a Hand?

Outlier has developed on-demand model documents for reporting entities.  Our AML Compliance Review documents include:

  • Working papers to record the testing as it takes place
  • A report template to help you summarize your findings
  • A guide for the reviewer that explains how to use the documents

You can buy these documents on this website under each reporting entity type.  If the documents are not available for your reporting entity type yet, or you are looking for a consultant to conduct your review, please contact us.

 

Negotiate Your Consulting Contracts Like a Pro

Hanshake copy

Having worked for a couple of consulting firms, it occurs to me that there are things that everyone should consider while negotiating a consulting contract.  The hefty disclaimer:  I’m not a lawyer, and this shouldn’t be construed as legal advice.  Outlier is a consulting company, but I’ve worked to build a model that’s different from the status quo.  I’m not saying that we’re perfect, or that it doesn’t pay to shop around (in fact, I encourage it and will happily provide names and contact information for other companies that do the same type of work that we do).  I am saying that it pays to be informed, and to ask the right questions before you sign an agreement.  This is my “top 10 list” to help you negotiate your consulting agreements.

1. Can the contract include fixed fees for deliverables instead of hourly rates?

Negotiating fixed-fee contracts is something that big companies, like banks, do on a regular basis.  The irony is that small businesses can benefit just as much, if not more, from using this strategy.  Fixed-fee contracts benefit you by forcing the consultant to be extremely clear about the deliverables (what you are getting) and to be mindful about the scope of the work they’re doing and the time that it will take.  In essence, with a fixed-fee contract you’re agreeing to pay for a clearly defined product or service rather than for someone’s time.

The vast majority of Outlier’s contracts are fixed-fee, because I believe that this will benefit our clients the most.  As a business owner, I understand the value of knowing what you are paying for and how much you will pay before you get started.

2.  Who will be staffing the project?  What are their qualifications (and rates)?

Some firms have a tendency to advertise the experience of top tier professionals, when in reality junior staff (with little or no experience) complete most work.  If your project requires specialized skill sets, the firm that you are hiring should be able to tell you exactly who will be working on your project, what experience they have and what rates you’ll be paying.

3.  What work will a partner be doing on the project?

In many large firms, partners “sell” work, but aren’t actively involved in the management or execution of the project (doing the work).  Sadly, in some cases this doesn’t stop partners from billing clients for their time (including the time that they spend selling).  Since these are the people with the highest hourly rates, it helps to understand what their role will be early on.

In some cases, there may be a requirement for one or two partners to review documents before they are shared with you.  If this is the case, get an estimate of the time that this will take and the rates that will apply (or negotiate a fixed fee contract).  If you think that you may have been billed for something that doesn’t make sense, ask for detailed records that include a description of the work that was done, when and by whom.  In some cases, asking for this alone may reduce the size of your bill.

4.  Who will be managing the project (the point person)?  When and how should they be contacted?

We’ve already covered the fact that the person that is “selling” the work may not be the same person that is actually “doing” the work.  Aside from knowing who will be working on your project, you should know who is coordinating the consulting firm’s efforts.  If this person can be in the room when you’re setting out terms like timing, it’s nice, but that isn’t always possible.  At the very least, you should know who this person is, and how you can reach them.  You’ll want to connect with them early on to make sure that your expectations are clear (especially if this is not the same person that was “selling” consulting services).

5.  Will subcontractors be used?  If so, who, how many and from what companies?

Even big consulting firms will use subcontractors (either independent consultants or consultants from other firms) when there is a need for very specialized skill sets.  This isn’t a bad thing, but comes back to knowing who is working on your project and what background they have.  This can also be relevant if the subcontractors haven’t had the same types of background checks as other employees.

6.  What happens if a key staff member leaves the firm while the project is underway?

This isn’t something that can be easily predicted and it does happen.  The consulting firm should solve for this at their expense, not yours.  This means that if new staff need training in order to work on your project, this is not time that should be billed to you (if you are paying hourly rates).  In some cases, a more senior person may need to step in to cover some of the work, and if this happens, you can ask to continue paying the (lower) rate that you would have paid for the more junior team member (don’t worry, the consulting firm will still be making money; they’ll also be a lot more careful about the amount of time that they bill to your project).

7.  Is there any part of the work that your staff can do internally?

I would always rather work with internal staff members as part of my project team when I can.  It means that I’ll be in a better position to understand your organization and it’s culture.  It can also save you money if you have people on your payroll already that can do some of the work.  In these cases, the roles and responsibilities for each person should be clear.

8.  Are you paying for travel time?

Travel time has been a contentious issue, especially when firms charge a full hourly rate.  Charging for travel time makes sense if the person traveling is also working, but can get a bit dicey when they aren’t.  I’ve had the not so heartwarming experience of being ordered by a partner to bill a client for time that I was sleeping on an airplane at my full rate.  It was a debate that I fought on the client’s behalf, because it seemed absurd to me that anyone would want to pay several hundred dollars an hour for me to sleep.  Ultimately, the partner in question chose to bill the client, and I decided that firm was not a great fit for me ethically.

So it pays to ask, under what circumstances will you be required to pay for a consultant’s travel time?  How much (what rate) will you pay under each applicable circumstance?

Bonus tip:  You can also set per diems (daily limits) on travel related expenses like food and lodging.  I encourage my clients to apply the same standards to my expenses that they would apply to their own staff, including the submission of all receipts.

9.  What additional work are you paying for?

Any additional work that you will be billed for should be approved before it is conducted.  This is true especially if you are paying for services on an hourly basis.  Here’s the situation that I’ve seen time and time again:

Client:  Asks a question.

Consultant:  Offers to research the answer and create a memo; does this and bills the client for the time.

Client:  Is unhappy to receive an invoice for the time spent researching and creating the memo.

Consultant:  Reminds the client that he or she was following the client’s instructions.

There’s a balance that’s often missed here.  The client wants to be fair and compensate the consultant for their work, but feels that the price isn’t justified (or is something that should have been discussed in advance).  The consultant feels like they were following the client’s instructions.  They shouldn’t be at cross-purposes here, but it can feel that way.

One way to avoid this is to get pricing for any extra work (anything that isn’t specified in the original agreement) in advance and in writing (via email is often fine for this purpose).  Again, it can be useful to ask for fixed fees here.

10.  What are the consequences if you don’t get your deliverables?  What if you don’t get them on time?

Most agreements have some sort of timing included, but what happens if you don’t get what you paid for on time (or at all)?  If you have deadlines that you need to meet, it makes sense that you should have assurances that your consulting firm is able to help you meet those deadlines on time.  You can ask for penalties to be built into the contract if you don’t receive your deliverables on time (or bonuses if they are).  Remember that these should be fair and that in many cases your consultant’s ability to deliver on time is based on inputs that come from you (so you need to stick to the schedule as well if you’re putting this type of agreement in place).

There’s also the worst-case scenario:  what if you don’t get a deliverable?  In general, you shouldn’t pay in full before you see the final product.  You can structure your agreements so that your final payment is due when you receive your deliverables.  If it is a long project with more than one deliverable, the contract can be structured so that there are payments when each deliverable is complete.

Finally, when you’re hiring a consultant or consulting firm, you should have a clear idea of what you want before you sign a contract.  It’s up to you to know what you need, and what you’re willing to pay for it.  Make sure that your agreement clearly sets out the deliverables and timing.

If you’re feeling ready to hire a consultant and want to test your new negotiating superpowers, please feel free to contact us.

I’m a Compliance Officer! Now What?!?

Compliance Officer

I’ve met a lot of Compliance Officers from around the world, and not one of them has ever told me that as a child they wanted to be a Compliance Officer.  This isn’t to say that the job isn’t interesting (or even an awful lot of fun sometimes), but that we get here in different ways.  One of my favourites (who will remain nameless here) is a gentleman who missed a senior management meeting and was nominated as the organization’s Compliance Officer while he was absent.  When we first met, he was feeling overwhelmed and was looking for a review of his company’s compliance program (and assurances that he wouldn’t wind up in an orange jumpsuit if he made a mistake).

While it seems like an extreme case, many Compliance Officer’s feel this way at least once during their careers.  It’s a big responsibility that doesn’t often come with the budget to match.  Whether you’re new to the world of anti-money laundering (AML) or just looking for a quick “sanity check” to make sure that things are going the way that they should be, this “cheat sheet” is for you.

Your Compliance Program

You need to have a Compliance Program in place with these 5 elements:

  1. Appoint A Compliance Officer (hey that’s you!);
  2. Document Your Policies And Procedures;
  3. A Risk Assessment;
  4. Training; and
  5. An AML Compliance Effectiveness Review.

If your organization is a money service business (MSB) you will also need to register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).  If your organization is an MSB operating in Quebec, you also need to register with the Autorité des marchés financiers (AMF).  The definition of an MSB in Quebec is a bit broader than the Canadian federal definition; some companies may only be required to register with the AMF.

The first thing that you should do is review your documentation to make sure that it’s up to date.  Here’s a quick checklist to get you started – answer each of the questions with ‘Yes’ or ‘No’.

Program Component

Questions You Should Ask
Compliance Officer Is my appointment documented? This can be in the form of meeting minutes or a formal document, but it must be in writing.
Policies and Procedures Do they describe what we’re doing to meet our obligations? The descriptions should be clearly written so that someone that doesn’t know your business could understand them.
Have they been updated in the last year?
Risk Assessment Does the Risk Assessment describe the risk that your business could be used for money laundering or terrorist financing?
Are there risk ratings?
Are your controls (what you do to prevent your business from being used for money laundering or terrorist financing) describe?
Do your controls make sense given your risk level?
Training Have your staff been trained in the last year?
Does your training cover all of the obligations that apply to your business?
AML Compliance Effectiveness Review Has an AML Compliance Effectiveness Review been completed in the last two years?
Was there a formal report that described the methodology and findings?
Did management sign-off on the final report within 30 days?

If you answered yes to all of these questions, you’re off to a good start.  If the answer to any of these questions is no, you have some work to do.  If that’s the case, consider letting your management team know right away.  It’s easier to get their support when they know what you’re working on.

FINTRAC Reporting

Other than terrorist property reports, FINTRAC reports can be filed electronically using a system called F2R.  If your organization is not already using this system, you can enroll by contacting FINTRAC.  Filing your reporting electronically can make it easier to keep track of the reports that you’ve filed (remember to save copies of the PDF reports on your network) and let you know more quickly whether or not FINTRAC has accepted your reports.

FINTRAC has published guides to help you with your reporting.  Each report type in the chart is hyperlinked to FINTRAC’s guidance.  The types of reports that you will submit will depend on the type of reporting entity you belong to.  However, all reports have set time limits.

Report Type

Timing
Suspicious Transaction Reports (STRs) and Attempted Suspicious Transaction Reports (ASTRs) As soon as practicable
Large Cash Transaction Reports (LCTRs) 15 calendar days from the date that the transaction takes place
Electronic Funds Transfer Reports (EFTRs) 5 working days from the date that the transaction takes place
Large Virtual Currency Transaction Reports (LVCRTs) 5 working days from the date that the transaction takes place
Casino Disbursement Reports (CDRs) 15 calendar days from the date that the transaction takes place
Terrorist Property Reports (TPRs) As soon as possible (Immediately)

Training Your Staff

All staff should be trained at least once a year (including part-time, temporary and contract staff).  Your training records should include:

  • Who was trained?
  • When did training take place?
  • How was training delivered (in person, webinar, etc…)
  • What topics were covered?

This can be done in a simple spreadsheet.  You don’t need to collect signatures to prove that training took place, but you do need to be sure that your records are accurate.

There are very few instances when staff members do not need to be trained.  Generally, these would be staff members that are not involved in any way with customers or customer transactions.  If there are staff members that are not trained, you should document who they are, their roles, and the reason that they are exempt from training.

AML Compliance Effectiveness Reviews & FINTRAC Exams

I’ve put together some detailed guidance on preparing for reviews and exams.  It’s important to remember to get all of your documentation in order in advance.  Make sure that you’ve read the request and understand what you are being asked for.  If you have questions about what you should include, it’s fine to call the reviewer or examiner to ask.

Information requests are time-sensitive.  For FINTRAC exams, you generally have 30 days from the date that the request was mailed to assemble your submission.  This seems like a long time, but you may need some extra help pulling everything together.  It’s a good idea to let your management team know as soon as you receive a request from the regulator, especially if you need extra resources to stay on top of the request and everyday compliance tasks.

Need a Hand?

If you’re feeling like your AML program needs work, and you’re not sure what to do next or you need extra hands to put together or look over your FINTRAC package, please contact us.

Return to Blog Listing