PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

The FINTRAC Outage: Guide for AML Reporting Agencies

Written with Heidi Unrau

 

On March 2, 2024, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) experienced a major cyber incident. As a security precaution, FINTRAC has taken most of its reporting systems offline, including MSB registration. Canadian reporting entities remain responsible for all anti-money laundering (AML) requirements during the outage.

Application programming interfaces (APIs) are available for some reports, including large cash transaction reports (LCTRs), large virtual currency transaction reports (LVCTRs), and suspicious transaction reports (STRs), as of April 8, 2024.

Reporting entities that are not able to submit reports via API must do so once other systems are back online. In the interim, special processes for priority STR submission and other notifications have been established.

Watch for Official Guidance

It’s essential that you follow FINTRAC’s official communications regarding the outage. Outlier’s insights are meant to complement this directive, not replace it. The official word from FINTRAC remains the final authority on these matters.

It is recommended that all Canadian AML Compliance Officers sign up for FINTRAC’s mailing list to get the latest news from the regulator (if you are not signed up already).

Accessing FINTRAC’s APIs

As of April 8, 2024, FINTRAC APIs are currently available for:

  • LCTRs
  • LVCTRs
  • STRs

An API is a way for different computer programs to communicate with each other. To use FINTRAC’s APIs, reporting entities must first apply to register and be granted access by FINTRAC. The implementation of APIs for reporting will require the support of your technical team or software provider. Reporting via API is different from batch reporting (for those that use it) as the API provides a secure exchange of information that does not require the installation of batch-transmitting software.

For reporting entities that have not implemented API functionality, additional guidance has been provided by FINTRAC.

Priority STRs

For priority STRs with national security or other dangerous implications, FINTRAC has provided a dedicated email address and telephone number to help you with this (see below).

Please note that the CSIS and RCMP systems for Terrorist Property Reporting (TPR) are unaffected by the outage and remain operational.

Priority STR Submission Contact Info:

  • Email: STR-DOD@fintrac-canafe.gc.ca
  • Call Centre: 1-866-346-8722 (toll free)

Reporting entities that are unsure of whether or not an STR is considered a priority may first contact FINTRAC using the information above to determine whether this submission method should be used. It is expected that STRs submitted via this method will also be re-submitted once systems are back online.

No Late Reporting Penalties

FINTRAC has indicated that the regulator understands that late reporting is an inevitable consequence of the outage. Therefore, FINTRAC has indicated that reporting entities will not be penalized for late reporting (within reason). It is expected that reporting entities will submit reports promptly once systems are back online.

Fulfilling Reporting Obligations

During the outage, reporting entities are required to track all reportable transactions. Keep detailed records of transactions that could not be reported during the outage. This will ensure that all required transaction reports are accurately and efficiently submitted once systems are restored.

In addition to information about reportable transactions, reporting entities should keep detailed records of:

  • The outage timing (provides useful context that may factor into future audit and examination-related data analysis)
  • All late reports submitted
  • Time required to clear the backlog once systems become operational

At this time, FINTRAC has not indicated that reporting entities should submit a voluntary self-declaration of non-compliance (VSDONC) related to late reporting due to the current outage. However, if there is a reporting backlog that will take significant time to clear, this may be considered once the outage has been resolved.

No Paper Submissions!

FINTRAC has explicitly advised against submitting paper copies of reports during the outage. Once the issue has been resolved, electronic reporting through the appropriate channels will resume.

MSB Registration & Inquiries

In a recent update on May 17, 2024, FINTRAC introduced a new web form specifically for existing Money Services Businesses (MSBs). This form allows currently registered MSBs to renew, update, or cancel their registration easily. You can access the form here:

It does not appear that new MSB registrations can be completed at this time. MSB registration inquiries can be directed to:

Be Prepared & Stay Alert

Stay up to date on the latest FINTRAC communications to ensure compliance should directives change.

For critical reporting and MSB registration needs, use the designated emails and phone numbers provided by FINTRAC. Keep all communications clear, concise, and accurate with all the necessary information.

Key FINTRAC Contact Information

Issue Email Phone
New MSB Registration Inquiries MSBRegistration@fintrac-canafe.gc.ca n/a
Existing MSB Registration Renewals, Updates, or Cancellations https://forms-formulaires.alpha.canada.ca/en/id/clwtp4i5j031kx883je15qc78? n/a
Priority STR Reporting STR-DOD@fintrac-canafe.gc.ca 1-866-346-8722
General Inquiries guidelines-lignesdirectrices@fintrac-canafe.gc.ca n/a
API Support tech@fintrac-canafe.gc.ca n/a

Additional Resources

Below, you’ll find a slide deck presentation and a YouTube video with the same information in this article. You are welcome to use and distribute these resources:

Need a Hand?

If you have any questions or concerns, the team at Outlier Solutions are here to help. Please contact us.

Final Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations – October 2023

Background

On October 11, 2023, final amendments to regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act were published in the Canada Gazette. The most noteworthy changes fall under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations and the addition of a new regulation. This round of anticipated changes introduces the compliance requirements for armoured car companies and mortgage lending entities. Additionally, FINTRAC will now be able to charge businesses and individuals for the annual cost of its compliance program as part of its assessment of expenses funding model.

Other changes include the new requirements for correspondent banking relationships, and additional requirements related to the Money Services Business (MSB) registration.

To make reading these changes a little easier, we (thanks Rodney) have created a redlined version of the regulations, with new content showing as tracked changes, which can be found in a combined document here.

What’s Changed?

From the draft regulations published back in February of this year, there have not been significant changes to the final publication. As expected, entities that collect currency, money orders, traveller’s cheques, or other similar negotiable instruments (except for cheques payable to a named person or entity) will be treated as a new category of MSB. With these changes, such providers will be subject to existing money services businesses requirements.

With respect to mortgage lenders (brokers responsible for mortgage origination, lenders responsible for underwriting the loan or supplying the funds, and administrators responsible for servicing the loan), they will now have to comply with AML compliance requirements imposed on reporting entities. Note the definition of a mortgage lender was changed slightly from the draft regulations, narrowing the scope of who is captured.

As part of the assessment of expenses funding model, the new Financial Transactions and Reports Analysis Centre of Canada Assessment of Expenses Regulations will allow FINTRAC to pass on expenses, to reporting entities, that it incurs in the administration of the PCMLTFA. Note there have been some changes to the formula that will be used for assessment amounts. The base assessment amount for federally regulated banks, trust and loan companies, and life insurance companies will be based on their value of consolidated Canadian assets that excludes its subsidiary’s reported value of Canadian assets. Guidance related to how reporting entities will be charged has been issued and can be found here.

Please refer to our previous blog post that outlines details on the changes and the exact requirements that will come into force.

What Next?

Requirements for armoured car companies come into force on July 1, 2024, and October 1, 2024 for mortgage lending entities. Effective April 1, 2024, FINTRAC will commence recovering costs from the 2024–25 fiscal year.

In the meantime, FINTRAC will have to issue guidance related to cash transport and mortgage lending. Additionally, there may be FINTRAC policy interpretations that will no longer be able to be relied upon, as it relates to cash transport and mortgage lending.

While we await guidance, armoured car and mortgage lending entities should start working on developing their compliance program in anticipation of the respective in-force dates noted above.

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

Ministerial Directives Related to Iran & LVCTRs

There have been a number of conversations floating around about FINTRAC Large Virtual Currency Transaction Reporting (LVCTR) obligations as it relates to transactions involving Iran, and potentially involving Iran, under the current Ministerial Directive (MD). While this is not a new requirement (LVCTRs were effective June 1, 2021 and the original MD became effective July 25, 2020), there has been clarification provided with regards to reporting, and what activities trigger which reports.

For background, Outlier Compliance Group wrote an article on what the Iran-related MD entails, so if you are not familiar with the requirements, we suggest starting there.

Existing Guidance

The existing MD guidance does not align with the information provided in a recent policy interpretation for reporting transactions involving Iran that generally are not otherwise reportable, such as a transaction below the reporting threshold. The current guidance says the following:

Any transaction involving the receipt of virtual currency (VC) for exchange to Iranian rial, or VC that is equivalent to an amount under the reporting threshold of $10,000 CAD must be reported using the LVCTR by:

    • Inserting the IR2020 code when using the LVCTR upload; or
    • Selecting IR2020 in the ‘Ministerial Directive’ field of the LVCTR.
    • Because the report is related to the MD, you must ensure that the information provided reflects a connection to Iran.

Recent Interpretation

On June 11, 2023, a policy interpretation was submitted to clarify FINTRAC’s expectations with regards to reporting VC transactions related to the Iran MD. A few specific scenarios were included to ensure an easily digestible response was provided. The portion below is the most noteworthy sections of the response from FINTRAC clarifying the expectation of reporting virtual currency transactions that are below the reporting threshold where there is a nexus to Iran:

To answer your question regarding other instances that could involve the receipt of VC originating from Iran in one or more transactions under the threshold, please refer to section 3) of the Ministerial Directive. It states that any transaction (originating from or bound for Iran) must be treated as a high-risk transaction for the purposes of subsection 9.6(3) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), and must be reported to FINTRAC. Where these transactions involve the receipt of VC but cannot be reported using an LVCTR, they must be reported using the Suspicious Transaction Report (STR) with the IR2020 code.  Only completed transactions can be reported through an STR if the only reason for reporting is that the transaction is originating from or bound for Iran. An attempted transaction should only be reported when you have reasonable grounds to suspect that the transaction is related to the attempted commission of a money laundering or terrorist activity financing offence. 

Further to section 3(a) of the Ministerial Directive, you need to look at a variety of elements when determining whether a transaction originates from or is bound for Iran because the circumstances of each transaction are different. The exchange of VC for Iranian rial is not the only circumstance in which a VC transaction may fall under the Ministerial Directive. After you’ve considered the facts, contexts and indicators of a transaction and you determine it is subject to the Ministerial Directive, you must determine if the transaction(s) should be reported using the LVCTR or STR, as described above.

I’ve provided the reporting information for the scenarios you presented in your email:

    1. Virtual currency that originates from an identified virtual currency exchange in Iran.
      • Report the transaction in the STR with code IR2020.
    2. Virtual currency that originates from a wallet address identified as being in or from Iran.
      • When the conductor, beneficiary or third party address details list Iran as the country, and the transaction is not a VC exchange to Iranian rial, report the transaction in the STR with code IR2020.
    3. Travel rule information from the receiving client (or from a participant in the travel rule network) that sent the virtual currency from an address associated with an Iranian virtual currency exchange, or a person or entity in Iran that is not captured under the Ministerial Directive.
      • If a VC transaction has travel rule information that indicates it originates from or is bound for Iran and it does not meet the LVCTR criteria for the Ministerial Directive, the transaction must be reported using the STR with code IR2020.

So What Do I Need To Do?

What is important to understand in this clarification, is the obligation to report every transaction that has a nexus to Iran, such as originating from a VC exchange in Iran, and how that is to be reported. Where a transaction is not otherwise reportable to FINTRAC via an LVCTR, it must be reported using a Suspicious Transaction Report (STR) and the MD indicator IR2020 must be selected (we also suggest including IR2020 in the opening of the narrative in Section G). Transactions that are not otherwise reportable to FINTRAC include VC exchange transactions below the reporting threshold, as referenced in the response from FINTRAC.

Moving Forward

In order to ensure you are compliant with the MD obligation, a thorough lookback to June 1, 2021 for all VC transactions below the reporting threshold, that may have had a nexus with Iran, needs to be performed. Should transactions that should have been reported be found, a Voluntary Self-Disclosure of Non Compliance (VSDONC) should be submitted to FINTRAC. For more information on VSDONCs and how to complete one, please see our blog post on the topic.

Need a Hand?

If you are looking for help completing a lookback or would like a second set of eyes on a VSDONC, please feel free to contact us.

Proposed 2023 AML Changes: Mortgage Lenders and Armoured Car Services

Background

February seems to be the month for proposed legislative changes.

On February 18, 2023, draft amendments to the regulations under the Proceeds of Crime Money Laundering and Terrorist Financing Act (PCMLTFA), and a net-new draft regulation, were published in the Canada Gazette. If you’re the type that likes to read original legislative text, you can find it here. We (thanks Rodney) also created a redlined version of the regulations, with new content showing as tracked changes, which can be found here.

These changes are meant to renew and improve Canada’s anti-money laundering (AML) and Counter Terrorist Financing (CTF) regime, adapting to new money laundering (ML) and terrorist financing (TF) risk. One of the most significant changes, in our opinion, is the introduction of two new regulated entity types, mortgage lenders and armoured car companies.

Currently, mortgages issued by financial entities are captured under the PCMLTFA but these amendments would make all entities involved in the mortgage lending process (brokers responsible for mortgage origination, lenders responsible for underwriting the loan, and administrators responsible for servicing the loan) reporting entities. The intent here is to level the playing field between regulated and unregulated mortgage lenders, and to deter misuse of the sector for illicit activities.

While the activity of transportation is not currently supervised for AML purposes per se, armoured car carriers provide services largely to regulated entities. Given the flow of funds that is typically seen in this sector, reconciliation and identification of the origin of funds can sometimes be challenging, and allows funds to move with some degree of anonymity, which is an ML/TF vulnerability.

The draft regulations also introduce new requirements for correspondent banking relationships, and additional requirements related to the Money Services Business (MSB) registration. There are also some technical amendments related to existing reporting requirements and changes related to Administrative Monetary Penalties (AMPs).

Lastly, a new regulation would introduce a prescribed formula for the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to assess the expenses it incurs in the administration of the PCMLTFA against reporting entities. Such models are seen from other regulators, such as the Office of the Superintendent of Financial Institutions (OSFI) and the Financial Consumer Agency of Canada (FCAC). Currently, FINTRAC is funded through appropriations.

In the following sections, we have summarized what we feel are the most important requirements to note.

Armoured Car Companies

The proposed changes would require a company that engages in “transporting currency or money orders, traveller’s cheques or other similar negotiable instruments” (except for cheques payable to a named person or entity) to be considered an MSB. As such, the following obligations will have to be met:

  • Development of a compliance program;
  • Maintaining an up-to-date MSB registration with FINTRAC;
  • Conducting compliance effectiveness reviews;
  • Reporting certain transactions;
  • Identifying customers;
  • Record keeping;
  • Risk ranking customers and business relationships;
  • Conducting transaction monitoring and list screening;
  • Conducting enhanced due diligence and transaction monitoring for high-risk customers and business relationships; and
  • Follow ministerial directives and transaction restrictions.

One record keeping obligation to note, which is new for armoured car companies, is the requirement to record the following information when transporting CAD 1,000 or more of cash or virtual currency, or CAD 3,000 or more in money orders or similar negotiable instruments:

  • The date and location of collection and delivery;
  • The type and amount of cash, virtual currency or negotiable instrument transported;
  • The name and address of the person or entity that made the request, the nature of their principal business/occupation and, in the case of an individual, their date of birth;
  • The name and address, if known, of each beneficiary;
  • The number of every account affected by the transport, the type of account, and the name of the account holder;
  • Every reference number that is connected to the transport, and has a function; equivalent to that of an account number; and
  • The method of remittance.

An additional requirement that will apply to armoured car companies is in relation to PEP determinations (existing PEP requirements for MSBs still apply). Specifically, a PEP determination is required whenever a person requests that the MSB transport more than CAD 100,000 in cash or virtual currency, or in an amount that is not declared.

Under the proposed regulations, there are some exemptions for reporting that are noteworthy. Large Cash and Large Virtual Currency reporting requirements will not apply where there is an agreement of transportation between:

  • The Bank of Canada and a person or entity in Canada;
  • Two financial entities;
  • Two places of business of the same person or entity; or
  • Canadian currency coins for purposes of delivery under the Royal Canadian Mint.

It is noteworthy, based on the definition, that there may be more than just armoured car companies that are captured under these new requirements. This will be clarified in guidance from FINTRAC that will follow publication of the legislation.

The requirements applicable to armoured car companies will come into force eight months after final publication in the Canada Gazette.

Mortgage Lending

The proposed regulations would require mortgage lenders, brokers, and administrators (mortgage participants) to put in place compliance regimes, similar to that of other regulated entities, which include the following:

  • Development of a compliance program;
  • Conducting compliance effectiveness reviews;
  • Reporting certain transactions;
  • Identifying customers;
  • Keeping records;
  • Risk ranking customers and business relationships;
  • Conducting transaction monitoring and list screening;
  • Conducting enhanced due diligence and transaction monitoring for high-risk customers and business relationships; and
  • Follow ministerial directives and transaction restrictions.

It is noteworthy, that many mortgage brokers already have existing voluntary AML compliance programs and already apply AML measures. This is in part due to various securities regulations and lending partners.

The requirements applicable to mortgage lending will come into force six months after final publication in the Canada Gazette.

Cost Recovery

As part of this round of regulatory changes, there is a net-new regulation, the Financial Transactions and Reports Analysis Centre of Canada Assessment of Expenses Regulations. This regulation will allow FINTRAC to pass on expenses, to reporting entities, that it incurs in the administration of the PCMLTFA. Only the following prescribed entity types are affected by this:

  • Banks and authorized foreign banks;
  • Life insurance companies;
  • Trust and loan corporations; and
  • Every entity that made more than 500 threshold reports during the previous fiscal year.

The regulations provide a formula that FINTRAC would use to calculate the assessment amounts payable by reporting entities on the basis of their annual asset value, and the volume of all threshold transaction reports submitted. For clarity, threshold transaction reports include Large Cash Transaction Reports (LCTRs), Large Virtual Currency Transaction Reports (LVCTRs), Electronic Funds Transfer Reports (EFTRs), and Casino Disbursement Reports (CDRs).

The requirement would come into force on April 1, 2024. This means FINTRAC would commence recovering costs from the 2024-2025 fiscal year and forward.

Other Changes

Enhancing MSB registration

Under the proposed amendments, as part of MSB registration, MSBs would now need to include the telephone numbers and email addresses of its president, directors and every person who owns or controls 20% or more of the MSB. This is in addition to current required information. Additionally, the number of the MSB’s agents, mandataries and branches in each country will be added (currently, only those within Canada are required).

This requirement will come into force twelve months after final publication in the Canada Gazette.

Streamlining requirements for sending AMPs

Under the proposed amendments, FINTRAC would be allowed to serve a reporting entity solely by electronic means when issuing an AMP. Currently, FINTRAC would also have to send an additional copy by registered mail.

This requirement would come into force on registration.

What Next?

There is a 30 day comment period (ending March 20, 2023) for the proposed regulations. It is strongly recommended that industry, and potentially impacted companies, review carefully and provide feedback. Comments can be submitted online via the commenting feature after each section of the proposed changes, or via email directly to Julien Brazeau, Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance, 90 Elgin Street, Ottawa, Ontario K1A 0G5.

We’re Here To Help

If you have questions related to the proposed changes, or need help starting to plan, you can get in touch using the online form on our website, by emailing us directly at info@outliercanada.com, or by calling us toll-free at 1-844-919-1623.

The Proposed Retail Payment Activities Regulations

Background

On February 11, 2023, the proposed Retail Payment Activities Regulations were published in the Canada Gazette. This is to support the Retail Payment Activities Act (RPAA) which was released under Bill C-30 and received royal assent in June 2021. The Retail Payment Activities Regulations are required to bring the RPAA into force.

A Payment Service Provider (PSP) is defined as an individual or entity who performs payment functions as a service or business activity that is not incidental to another service or business activity. Certain entities, such as financial institutions, are exempt as they are regulated under other federal obligations (i.e., Office of the Superintendent of Financial Institutions’ Operational Risk and Enterprise Risk management guidelines.)

The current lack of requirements and supervision increases risks, such as the risk of financial loss in instances of business insolvency, and threats to the security of sensitive personal information. The Regulations aim to address gaps in the supervision of unregulated PSPs and are meant to align with other jurisdictions which already have regimes for PSPs.

The principles that guide the Regulations are:

  • Necessity — supervision should address risks that lead to significant harm to end users and avoid duplication of existing rules;
  • Proportionality — level of supervision should be commensurate with the level of risk posed by the payment activity;
  • Consistency — similar risks should be subject to a similar level of supervision; and
  • Effectiveness — requirements should be clear, accessible and easy to integrate within different payment services.

PSPs will be required to apply and register with The Bank of Canada (no date for this yet). There is a proposed registration fee of CAD 2500. Additionally, an annual assessment fee will be required.

In the following sections, we have summarized what we feel are the most important requirements to note.

Operational Risk Management

PSPs will have to implement and maintain an Operational Risk Framework consisting of the following:

  • Identify its operational risks (i.e., business continuity, cybersecurity, fraud, data management, information technology, human resources, process and product design and implementation, change management, physical security and third parties);
  • Protect its retail payment activities from those risks;
  • Detect incidents and control breakdowns;
  • Respond to and recover from incidents;
  • Review, test and audit its Risk Management Framework;
  • Establish roles and responsibilities for the management of operational risk;
  • Have access to sufficient human and financial resources; and
  • Manage risks from third-party service providers, agents and mandataries.

PSP must ensure that the above are proportional to the impact that a reduction, deterioration, or breakdown of its payment activities could have on end users.

Incident Response

Under the proposed Regulations, PSPs must develop a comprehensive plan for investigating, responding to and recovering from incidents that have a material impact on an end user. An incident is defined as an event or series of related events that is unplanned and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any payment activity performed by a PSP.

The incident would be reported to the Bank of Canada and would include the following at a minimum:

  • A description of the incident;
  • The impact on individuals or entities listed in the Act; and
  • Actions taken by the PSP to respond to the incident.

There would also need to be a notice to impacted end users and other impacted parties.

PSPs can only resume operations after an incident once they have verified the integrity and confidentiality of all systems, data and information have been restored, and that it is able to perform retail payment activities without reduction, deterioration or breakdown.

Audit, Testing and Training

Under the proposed Regulations, PSP’s will have to complete various types of testing related to the Framework and have training in place.

All staff who have a role in establishing, implementing or maintaining the PSP’s Risk Management Framework must be provided with the information and training that are necessary to carry out that role.

Framework Review

On at least an annual basis, PSP’s must evaluate its compliance with regulatory requirements. Such a review is also required before any significant changes are made to the PSP’s operations or controls after an incident (defined in the section above).  The findings of the review must be reported to a senior officer.

Testing

PSPs must also establish and implement a testing methodology to determine the effectiveness of its Risk Management Framework. This must be tested at least once every three years and findings must also be provided to a senior officer.

Independent Review

In addition to the above, a PSP must have their Framework independently reviewed at least every three years. The review must be documented and describe the scope, methodology use and findings. Findings of the review must be reported to a senior officer.

Biennial Independent Review

PSPs must have requirements related to safeguarding of funds tested at least once every two years by a sufficiently skilled individual who has had no role in the establishment, implementation, or maintenance of the safeguarding requirements under a PSPs Framework. We discuss what safeguards requirements are below.

Safeguards

PSPs will be required to hold customer funds in a trust account or a segregated account, with insurance or a guarantee to safeguard end-user funds against financial losses due to insolvency.

For consumer protection, the Regulations contain requirements to protect the end user from loss. These requirements include:

  • End-user funds must be held at prudentially regulated financial institutions;
  • Insurance or guarantee cannot be from an affiliate of the PSP;
  • The proceeds from the insurance or guarantee cannot form part of the PSP’s estate;
  • The Bank of Canada must be notified at least 30 days in advance of the cancellation of the insurance or guarantee;
  • PSPs must implement and maintain a written fund safeguarding framework to ensure that end-users have reliable access to their funds without delay; and
  • PSPs must keep a ledger with the names of their end-users and the amount of funds held.

This will require detailed flow of funds documentation.

Reporting

Under the proposed Regulations , PSPs will have to complete various types of reports.

Annual Report

PSPs will need to provide an annual report to the Bank of Canada, no later than March 31 of each year.  Some of the information that must be contained in the report is:

  • A description of any changes made to the payment service provider’s risk management and incident response framework;
  • A description of the human and financial resources for implementing and maintaining the risk management and incident response framework;
  • A description of the PSP’s operational risks in respect of the reporting year, their potential causes and the manner in which they were identified;
  • A description of the systems, policies, procedures, processes, controls, including any approvals required;
  • A description of training;
  • A description of all reviews, and independent reviews; and
  • A description of any incidents that the payment service provider experienced during the reporting year.

Also, the report will need to contain certain volume and value statistics related to the services a PSP is providing.

Significant Change Report

PSPs will be required to notify the Bank of Canada, at least five days in advance, before making a significant change that could materially impact operational risks or the safeguarding of end user funds.

The information that must be contained in the report is:

  • The name and contact information of the individual who may be contacted regarding the significant change;
  • A description of the change or new activity to be performed;
  • The reason for the change or new activity;
  • The date on which the change is to be made;
  • The PSP’s assessment of the effect that the change or new activity will have on its operational risks; and
  • A copy of all documentation in relation to the PSP’s Risk Management Framework, that has been amended to reflect the change or new activity, including any necessary approvals.

If a PSP has senior officers, the change or new activity must be approved and receive formal sign off by senior management before submission of a report. This should be taken into account from a planning perspective, as it can take some time to obtain such internal approvals.

Incident Report

PSPs must report incidents that have a material impact on an end user, other PSPs, or designated financial market infrastructures, to the Bank of Canada and other impacted individuals and entities.

The information that must be contained in the report is:

  • A description of the incident;
  • What impact does the incident have on individuals and entities; and
  • What actions have been taken by the PSP to respond and remediate.

The Regulations do not make it clear what timeframe is required for reporting such incidents, however they do state the standard time to respond to a request from the Bank of Canada is 15 days. Failure to report an incident can result in an administrative monetary penalty classified as very serious.

What Does This Mean?

From the highlights, it’s evident that these Regulations will create a substantial burden for PSPs, especially ones that are smaller or just starting. A significant amount of time, resources and cost are going to be needed to manage the compliance requirements that PSPs will need to follow. If a PSP does not comply or there is partial compliance, they may be subject to administrative monetary penalties that range from CAD 1,000,000 per each serious violation, up to CAD 10,000,000 per each very serious violation. The draft Regulations did not make clear what a dispute process would like.

It should be noted that most PSPs captured under the RPAA are also considered money services businesses (MSBs), and as such must also comply with anti-money laundering (AML) compliance obligations. Check out our blog related to that here.

What Next?

Due to these changes not being final, we wait. There is no set date for when we can expect final legislation or when they will come into force, but it is a good time to start budgeting and align resources.

Also, as there is a 45-day comment period for the proposed Regulations which closes on March 28, 2023, PSPs should review the Regulations carefully and provide feedback. Comments can be submitted online via the commenting feature after each section of the proposed Regulations, via email, or via regular mail to Nicolas Marion, Senior Director, Payments Policy, Department of Finance, 90 Elgin Street, Ottawa, Ontario K1A 0G5.

We’re Here To Help

If you have questions related to the proposed changes, or need help starting to plan, you can get in touch using the online form on our website, by emailing us at info@outliercanada.com, or by calling us toll-free at 1-844-919-1623.

Suspicious Transaction Reporting Updates

FINTRAC has published updated resources related to upcoming changes to suspicious transaction reports (STRs) on its Draft Documents page. This includes updated draft guidance on STRs, expected to come into force in September 2023.

While the updated forms are not yet in use, it is important that you communicate these changes to your information technology (IT) teams and service providers. The documentation published this week includes JSON schemas and API endpoints.

For reporting entities that complete STR reporting manually through FINTRAC’s online reporting portal, it is also important to familiarize yourself with updated structured reporting fields, including:

  • URL,
  • Type of device used,
  • Username,
  • Device identifier number,
  • Internet protocol address, and
  • Date and time in which online session request was made.

These can be reviewed in the draft STR form.

Of course, if you require assistance, Outlier Compliance is here to help, please contact us.

Canada’s Proposed AML Changes for MSBs

What’s Old is New Again, Well Updated

On June 9th, 2018, draft amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its enacted regulations (there are five separate regulations that we’re going to collectively call regulations here for simplicity’s sake). This article is intended to give a high-level summary of the proposed amendments as they relate to Money Services Businesses (MSBs).

This article should not be considered advice (legal, tax or otherwise). That said, any of the content shared here may be used and shared freely – you don’t need our permission. While we’d love for content that we’ve written to be attributed to us, we believe that it’s more important to get reliable information into the hands of community members (meaning that if you punk content that we wrote, we may think you’re a jerk but we’re not sending an army of lawyers).

Finally, we want to encourage the community to discuss the proposed changes and submit meaningful feedback for policy makers. The comment period for this draft is 90 days. After this, the Department of Finance takes the feedback to the bat cave and drafts a final version of the amendments. From the time that the final version is published, the draft indicates that there will be 12 months of transition to comply with the new requirements.

♬The Times Regulations Are Changing♬

Foreign MSBs

Currently, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has issued a policy interpretation (PI-5594) in August of 2013, which states that a “real and substantial connection” to Canada must be present for an entity to be required to register as an MSB with FINTRAC.  A “real and substantial connection” was defined in the interpretation as having one or more of the following:

  • Whether the business is incorporated in Canada;
  • Whether the business has agents in Canada;
  • Whether the business has physical locations in Canada; and/ or
  • Whether the business maintains a bank account or a server in Canada.

The draft amendments introduce a new definition, which is “Foreign Money Services Business” that means anyone serving Canadian customers or entities in Canada is now subject to all Canadian requirements no matter where they are located.  Throughout the proposed changes, where there is a reference to money services businesses, there is also a reference to foreign money services businesses.  This will be significant to MSBs who operate non-face-to-face in the online marketplace and do not reside in Canada.

Non-Face-To-Face Customer Identification

Currently, there is a requirement that when customers are identified using the dual process method, the document and/or data that you collect is in its “original” format. This has been interpreted to mean that if the customer receives a utility bill in the mail, they must send you the original paper (not scanned or copied) document. The word “original” will be replaced with “authentic” (meaning that so long as you believe that the utility bill is a real utility bill for that person, it doesn’t need to be the same piece of paper that they received in the mail).

In addition, there are provisions that would allow reporting entities to rely on the identification conducted previously by other reporting entities. If this method is used to identify a customer, the reporting entity must immediately obtain the identification information from the other reporting entity and have a written agreement in place requiring the entity doing the identification to provide the identification verification within 3 days of the request.

Reporting EFTs of $10,000 or More

If you conduct international remittance transactions at the request of your customers, the requirement to report transactions of $10,000 or more will now be your responsibility, not your financial services provider.

The proposed change removes the language commonly known as the “first in, last out” rule.  This means that the first person/entity to ‘touch’ the funds for transactions incoming to Canada or the last person/entity to ‘touch’ the funds for a transaction outgoing from Canada had the reporting obligation (as long as the prescribed information was provided to them).

The update will change the reporting obligation to whoever maintains the customer relationship. So if you initiate a transaction at your customer’s request (outgoing transaction) or provide final receipt of payment to your customer (incoming transaction), it will be your obligation to report that transaction to FINTRAC.

For example, if the flow of the instructions for payment were as follows:

Currently, the reporting obligation of the outgoing EFT would fall to the bank in Canada.  With the draft updates, the reporting obligation would now fall to the MSB in Canada, because they have the relationship with the customer initiating the transaction.

 

Third Party Determination

Currently, the obligation to determine whether a third party is involved in a transaction relates to Large Cash Transactions.  The proposed changes would include the obligation to make a third party determination for all EFTs of $10,000 or more.  This would also require similar record keeping obligations as a third party determination under the current Large Cash Transaction records.

Suspicious Transaction Reporting

Currently, if a reporting entity has reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering or terrorist financing, a report must be submitted to FINTRAC within 30 days of the date that a fact was discovered that caused the suspicion. This change appeared in the last round of amendments that came into force last year, and the proposed new wording would be another significant change:

The person or entity shall send the report to the Centre within three days after the day on which measures taken by them enable them to establish that there are reasonable grounds to suspect that the transaction or attempted transaction is related to the commission of a money laundering offence or a terrorist activity financing offence.

This means that a report would be due three days after the reporting entity conducts an investigation or does something that allows them to reach the conclusion that there are reasonable grounds to suspect.

Information Included In Reports to FINTRAC

Certain information is required in reports to FINTRAC. Even where information is marked as being optional, if a reporting entity has the information, it becomes mandatory to include it. Some of the additional proposed data fields are:

  • every reference number that is connected to the transaction,
  • type of device used by person who makes request online,
  • number that identifies device,
  • internet protocol address (IP address) used by device,
  • person’s user name, and
  • date and time of person’s online session in which request is made.

These fields may require significantly more data to be included in reports, especially for transactions that are conducted online.

Ongoing Compliance Training

Currently, there are five required elements of a Canadian AML compliance program, but there is soon to be a sixth.  Before you get too worried, it’s not that major.  The change is specific to your ongoing compliance training obligations, which says you must institute and document a plan for your ongoing compliance training program and the delivery of the training.  Basically, in your AML compliance program documentation, you need to provide a description of your training program for at least the next year and how the training will be delivered. Many MSBs have already implemented this best practice.

Risk Assessment Obligations

With the recent addition of the “New Technologies and Developments” category to the Risk-Based Approach requirements, the next logical progression has be added.  The updates include the obligation to assess the money laundering and terrorist financing risk of any new technology before implementation.  Meaning, if you are looking to take your business online and are going to use this fancy, new non-face-to-face ID system, you had better take careful inventory of where your risks are and be sure the appropriate controls have been put in place before going live. Much like the training plan, many MSBs have already implemented this best practice.

Virtual Currency

The draft updates also include major changes related to virtual currency. “Dealers in virtual currencies’ would be regulated as MSBs. New record keeping and reporting obligations would apply to all reporting entities that accept payment in virtual currency, or send virtual currency on behalf of their customers.

For more information on updates specific to virtual currency, please check out our full article.

What Next

If you’ve read this far, congratulations and thank you!

We hope that you will contribute your thoughts and comments. You can do this by contacting the Department of Finance directly. Their representative on this file is:

Lynn Hemmings

Acting Director General

Financial Systems Division

Financial Sector Policy Branch

Department of Finance

90 Elgin Street

Ottawa, Ontario

K1A 0G5

Email: fin.fc-cf.fin@canada.ca

If you would like assistance drafting a submission, or have questions that you would like Outlier to answer, please get in touch!

If you are interested in sharing your comments with the Canadian MSB Association (and we highly encourage you to do so) please email luisa@global-currency.com. She will have more information on the industry group’s submission and consultation process.

Would You Recognize Real Estate Red Flags?

Rodney_FINTRACOn November 14th, 2016 FINTRAC released a brief for all reporting entities who may be involved in real estate transactions.  The briefing is intended as guidance to provide some examples of indicators that may be present in transactions that may suggest they are linked to money laundering or terrorist financing.  The indicators described have been taken from transactions suspected of being related to money laundering or terrorist financing reported internationally.  The briefing focuses on the potential risks and vulnerabilities within the real estate industry and provides suggestions on how to ensure reporting entities are sufficiently meeting suspicious transaction reporting obligations.

The briefing is meant to provide operational guidance given the small overall number of suspicious transactions that have been reported to FINTRAC by the Real Estate industry.  The briefing states that these indicators will be used by FINTRAC to assess compliance with your reporting obligations.  If you are a reporting entity that interacts with the real estate industry in one form or another, the indicators and scenarios outlined in this brief should be considered when updating your Risk Assessment and training materials.

To put things into perspective, though the actual size of the real estate market is difficult to determine precisely, CMHC has produced some statistics.  CMHC suggests that between 2003 and 2013 over $9 trillion of mortgage credits were negotiated and roughly 5 million sales took place through Multiple Listing Services (MLS).  In contrast, FINTRAC received only 127 Suspicious Transactions Reports (STRs) from real estate brokers, agents and developers and 152 by other types of reporting entities, such as banks and trust/loan companies.  To go a step further, in FINTRAC’s 2015 Annual Report, between April 1, 2014 and March 31, 2015, a total of 92,531 STRs were filed across all reporting entities.

 

re-strs-filed-vs-sales

This evidence supports FINTRAC’s assertion that operational guidance for the real estate industry is needed.

The indicators and examples covered in the brief outline numerous scenarios that may suggest that a transaction is related to a money laundering or terrorist financing offense.  It also speaks to how the appearance of legitimacy obfuscates the clarity of suspicious transactions and requires more than a just “gut feel”.  What is required is the consideration of the facts related to the transaction and their context.  Does the transaction with all the known factors, positive or negative, make sense?

 

What This Means to Your Business? 

First off, FINTRAC will be using the indicators provided to assess your compliance with reporting obligations.  This has a couple different applications.  The first being, does your AML compliance program documentation make reference to the suspicious indicators that are provided.  Basically, are staff aware of the elements that may be present in a transaction that would suggest money laundering or terrorist financing may be occurring?

Secondly, is there an oversight process to ensure if there are transactions that contain one or more of these indicators where an STR was not submitted, is reviewed?  If so, does the process ensure supporting evidence that the Compliance Officer reviewed the transaction and determined there were not reasonable grounds to suspect its relation to money laundering or terrorist financing?  When you encounter a transaction involving any of the indicators provided, it is very important that you collect as much information as possible to assist the Compliance Officer with their determination of whether there are reasonable grounds to suspect that a transaction, or attempted transaction, may be related to money laundering or terrorist financing.  Alternatively, even if none of the indicators provided by FINTRAC are present but we still feel there is “something off” about our customer’s transaction, speak with your Compliance Officer.  They will be able to provide some insight on additional information that may assist our decision.  Once you have collected any additional information you may still not feel comfortable, but this does not mean you cannot complete the transaction, but that you must be sure your Compliance Officer is provided with all the information, which includes our reason for the escalation, so that they can decide whether there are reasonable grounds to suspect it may be related to a money laundering or terrorist financing offense.  The Compliance Officer will document their decision and, if necessary, submit an STR to FINTRAC.

Need a Hand?

If you are a reporting entity that interacts with the real estate industry and would like assistance updating your AML compliance program documentation or simply have some questions, please contact us.

Sanctions This Week: July 25th – 29th, 2016

 

OSFISanctions Pic

There were no updates released from OSFI this week.

Go to the OSFI lists page.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released four updates last week.  One update was related to the publication of Cuba-related Frequently Asked Questions (FAQ), covering some of the recent changes made to the sanctions that had previously been placed on Cuba.  Other updates included the removal of 12 individuals from the Counter Terrorism Designations List, the issuance of a Finding of Violation and the publication of Iran General License J.

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.  The sanctions target countries, regimes, terrorists, international narcotics traffickers, the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S.

The update to the Cuba-related FAQs was for the issuance of a new FAQ (#38) and a revision of an existing FAQ (#39), relating to certain information collection and recordkeeping requirements for persons subject to U.S. jurisdiction who provide authorized carrier or travel services to or from Cuba for specifically licensed travelers.

The update to the Counter Terrorism Designations List included the removal of 12 individuals of Libyan origin who are currently residing in the UK.

The Finding of Violation was issued to Compass Bank, which uses the trade name BBVA Compass, for violations of the Foreign Narcotics Kingpin Sanctions Regulations. From June 12, 2013 to June 3, 2014, Compass maintained accounts on behalf of two individuals on OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”).

The final update of the week was related to OFAC issuing “General License J”, authorizing the re-exportation of certain civil aircraft to Iran on temporary sojourn and related transactions.

See the Cuba-related FAQ update on OFAC’s website.

See the Counter Terrorism Designations List update on OFAC’s website.

See the issuance of a Finding of Violation to Compass Bank on OFAC’s website.

See the Iran General License J details on OFAC’s website.

See OFAC’s recent actions page.

Need A Hand?

We would love to hear from you.  If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Sanctions This Week: June 27th – July 1st, 2016

Sanctions Pic

OSFI

On June 27th, 2016, the Office of the Superintendent of Financial Institutions (OSFI) released two updates to the United Nations Security Council’s (UNSC’s) Al-Qaida and Taliban regulations sanctions list, amending 8 individuals and 1 entity.

The individuals are subject to the assets freeze, travel ban and arms embargo set out in paragraph 2 of Security Council resolution 2253 (2015) adopted under Chapter VII of the Charter of the United Nations.

All of the individuals are of different nationalities, but all have connections to Al-Qaida and French terrorist groups.  Some of the individuals have been detained and are currently serving out sentences.  Where others have arrest warrants issued by France, which are currently outstanding.

Go to the OSFI UNAQTR update on the OSFI page.

Go to the OSFI lists page.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released three updates last week.  One update was related to the Counter Terrorist Designations list.  The second update was the publication of new Panama-related and Kingpin Act General Licenses and related Frequently Asked Questions (FAQ). The FAQ update is related to recent adjustments made to the sanctions placed on Panama.

OFAC also released the details about the implementation of the Federal Civil Penalties Inflation Adjustment Act, where penalties related to AML failings have increased 150%, the allowable maximum.  The adjustment to the base fine of USD 11,000, has now increased to USD 27,500.  This is based off the Consumer Price Index, and if you are curious about the actual math, see the image below:

OFAC CMP Calculation

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.  The sanctions target countries, regimes, terrorists, international narcotics traffickers, the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S.  The changes to the Counter Terrorism Designations list included the removal of 11 Somali and Djibouti nationals.  The update also included the addition of one individual of Indian nationality with ties to the entity added, which is a section of Al-Qaida operating within India.

See the Counter Terrorism Designations List update on OFAC’s website.

See the Kingpin Act/Panama-related General Licenses and FAQs update on OFAC’s website.

See the Implementation of the Federal Civil Penalties Inflation Adjustment Act update on OFAC’s website.

See OFAC’s Recent Actions page.

Need A Hand?

We would love to hear from you.  If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Return to Blog Listing