PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

FINTRAC Identification Guidance

Background

On July 10^th, 2019, the final amendments to Canada’s anti-money laundering (AML) regulations were published in the Canada Gazette. One of the welcomed changes that came into force immediately upon publication was related to identification. On November 14^th, 2019, FINTRAC published guidance related to “Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation.” This is good news considering the range of identification methods has been broadened, and a step forward in digital identification methods. The updated methods are designed to make it easier to identify customers that are not physically present.

As defined under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), reporting entities have to identify their customers in certain situations (specific information on when customers need to be identified is outlined in FINTRAC’s guidance on “When to identify individuals and confirm the existence of entities”). The identification guidance outlines ways to verify the identity of an individual, and how to identify corporations or entities other than corporations (such as a partnership).

Identification Methods For Individuals

There are three ways in which an individual can be identified:

Government-issued photo identification method;
Credit file method; and
Dual-process method.

Government-Issued Photo Identification Method

Under this method, an organization can use an authentic, valid and current government-issued photo identification document, issued by either a federal, provincial or territorial government in order to be used to verify the identity of an individual. Foreign government-issued photo identification can be accepted if it’s equivalent to a Canadian document such as those listed in the guidance.

The photo identification document used to verify identity must:

indicate the individual’s name;
include a photo of the individual;
include a unique identifying number; and
match the name and appearance of the individual being identified.

If a customer is physically present, an organization can authenticate an identification document by looking at the characteristics on the physical document such as security features.

If the customer is not physically present, the authentication of the identification document must be determined by using technology capable of assessing the document’s authenticity. The guidance makes it clear that it is not sufficient to view a person and an identification document through video conference or similar. Meaning, a selfie while holding your driver’s license is not sufficient for identification purposes.

Whatever method is selected by an organization, the process to authenticate a photo identification document, and how the organization will confirm that it is authentic, valid and current, must be documented.

Credit File Method

Under this method, an organization can use valid and current information from a Canadian credit file to identify an individual.

The Credit File must:

be from a Canadian credit bureau (credit files from foreign credit bureaus are not acceptable);
have been in existence for at least three years; and
match the name, address and date of birth that the individual provided.

To rely on a credit file, the search must be completed at the time an organization is verifying the individual’s identity, and can be completed via an automated system or the use of a third party vendor.

When using the Credit File method, organizations must keep a record of the following information:

the individual’s name;
the date they consulted or searched the credit file;
the name of the Canadian credit bureau or third party vendor holding the credit file; and
the individual’s credit file number.

The guidance clarifies that sometimes information found within the credit file may contain variations of the name or address provided by a customer. In these cases, it’s up to the organization to determine whether the information in the credit file is a match to the information collected from the individual.

Dual-Process Method

Under this method, an organization can use valid and current information from two reliable sources. Under the dual-process method, an organization can verify an individual’s identity by referring to any two of the following options:

information from a reliable source that includes the individual’s name and address;
information from a reliable source that includes the individual’s name and date of birth; or
information that includes the individual’s name and confirms that they have a deposit account, credit card or other loan account with a financial entity.

In order to qualify as reliable, the sources should be well-known and considered reputable. There must be two sources providing the information, and the information cannot come from the individual whose identity is being verified, nor can it come from the organization doing the verification. For example, reliable and independent sources can be the federal, provincial, territorial and municipal levels of government, crown corporations, financial entities or utility providers.

A Canadian credit file can be used as one of the two sources required to verify the identity of an individual. so long as the credit file has been in existence for at least six months.

The organization must keep a record of the following:

the individual’s name;
the date they verified the information;
the name of the two different sources that were used to verify the identity of the individual;
the type of information consulted (for example, utility statement, bank statement, marriage licence); and
the number associated with the information (for example, account number or if there is no account number, a number that is associated with the information, which could be a reference number or certificate number, etc.).

Identification Methods For Organizations

The guidance details how to confirm the existence of a corporation, or an organization that is not a corporation. This can be done by referring to a paper or electronic record that was obtained from a source that is accessible to the public such as:

For corporations:
- its certificate of incorporation;
- a certificate of active corporate status;
- a record that has to be filed annually under provincial securities legislation; or
- any other record that confirms the corporation’s existence, such as the corporation’s published annual report.
For organizations that are not corporations:
- a partnership agreement;
- articles of association; or
- any other record that confirms its existence as a legal entity.

If an organization refers to a publicly accessible electronic record to confirm the existence of a corporation or of an entity other than a corporation, a record must be retained including the corporation/entity’s registration number and the source of the electronic version of the record. If a paper record is used, a copy should be retained. At a minimum, for all organization types, an organization must collect and keep a record of the following:

their full legal name;
the organization’s structure;
the organization’s principal business;
the organization’s physical address; and
information about the organization’s directors and beneficial owners.

Other Identification Considerations

The guidance details how a domestic or foreign affiliate, an agent or a mandatary can be used to verify the identify of a customer. If this method is used, it is important for organizations to remember that, legally, they are responsible for verifying a customer’s identity, even though they are relying on someone else to do it. Organizations should obtain the identification information from the other entity and have a written agreement in place requiring the entity doing the identification to provide the identification verification as soon as feasible.

The guidance details how to identify children under 12 years of age (organizations must verify the identity of a parent, guardian, or tutor) and how to identify children between the ages of 12 and 15. For this age range, organizations can verify identity by using one of the prescribed methods to verify an individual’s identity and where not possible, relying on certain information from the child’s parent, guardian, or tutor, and information that includes the child’s name and date of birth.

The guidance also reminds organizations that while the personal information that they are collecting is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information that is required to be included in reporting to FINTRAC does not have to be disclosed to the Office of the Privacy Commissioner of Canada. It is important that organizations remember that safeguarding is a key consideration for all personal information collected in the normal course of business.

Conclusion

The most significant change for identification standards is related to the Government-Issued Photo Identification Method. A wording change from “original” to “authentic”, that was found in the prior version of the regulations, now allows for scanned copies of documentation, so long as it can be authenticated. It is noteworthy that the guidance gives clarity to all methods that can be used. Where further clarity is warranted, organizations can contact FINTRAC for a policy position related to the identification guidance. This can be done free of charge by emailing guidelines-lignesdirectrices@fintrac-canafe.gc.ca. This can also be done on a no-names basis by a lawyer or consultant on your behalf.

2019 AML Regulation Highlights for Dealers in Virtual Currency

Back in June 2018, we published an article on proposed AML rules for dealers in Virtual Currency. On July 10th, 2019, updates to Canada’s anti-money laundering (AML) regulations were published in the Canada Gazette. There are three different “coming into force” dates (the dates on which the content of various updates become requirements for regulated entities).

July 10, 2019: a small change in wording (from “original” to “authentic”) is good news for digital identification.
June 1, 2020: dealers in virtual currency must be registered as money services businesses (MSBs) and have AML compliance programs in place.
June 1, 2021: additional provisions, including reporting large virtual currency transactions.

This is a significant regulatory package with a lot of changes (the document is over 200 pages long). This article will cover the major points for dealers in virtual currency, but it’s important to remember that there is a lot of nuances and differences between business models. We recommend speaking to your local neighbourhood compliance geek about how to adapt to these changes (if you need a compliance geek, please get in touch).

It is also worth noting that tokens that are considered securities would not be considered virtual currencies. Securities and securities dealers were already regulated. If you’re not sure whether or not a token is a security, we recommend reaching out to a securities lawyer (if you need recommendations, please feel free to contact us). It is possible to be both a securities dealer and a dealer in virtual currencies, but if you are only looking for the changes pertinent to securities dealers, you will find those in another article.

Hefty Disclaimers & Sharing

This article should not be considered advice (legal, tax or otherwise). That said, any of the content shared here may be used and shared freely – you don’t need our permission. While we’d love for content that we’ve written to be attributed to us, we believe that it’s more important to get reliable information into the hands of community members (meaning that if you punk content that we wrote, we may think you’re a jerk but we’re not sending an army of lawyers).

Dealers In Virtual Currency

It’s important to start by understanding what’s being regulated. This is best done by considering some of the definitions that have been added to the regulation.

fiat currency means a currency that is issued by a country and is designated as legal tender in that country. (monnaie fiduciaire)

funds means

(a) cash and other fiat currencies, and securities, negotiable instruments or other financial instruments that indicate a title or right to or interest in them; or

(b) a private key of a cryptographic system that enables a person or entity to have access to a fiat currency other than cash.

For greater certainty, it does not include virtual currency. (fonds)

virtual currency means

(a) a digital representation of value that can be used for payment or investment purposes that is not a fiat currency and that can be readily exchanged for funds or for another virtual currency that can be readily exchanged for funds; or

(b) a private key of a cryptographic system that enables a person or entity to have access to a digital representation of value referred to in paragraph (a). (monnaie virtuelle)

virtual currency exchange transaction means an exchange, at the request of another person or entity, of virtual currency for funds, funds for virtual currency or one virtual currency for another. (opération de change en monnaie virtuelle)

In terms of who will be regulated, businesses (whether or not the business is incorporated) that conduct transactions on behalf of their customers, including:

Exchanging digital currencies for fiat currencies; and
Exchanging between virtual currencies.

This would include custodial wallet services that hold customers’ private keys on their behalf, as well as exchanges, brokerages, and automated teller machines (ATMs). The requirements apply to foreign and domestically based businesses. The inclusion of foreign MSBs means that it won’t matter where your business is incorporated. If you are targeting your services to Canadians, you are expected to comply with Canadian rules and you will need to be aware of requirements as they apply to your Canadian customers.

One of the most important notes in our view is “These amendments serve to mitigate the money laundering and terrorist activity financing vulnerabilities of virtual currency in a way that is consistent with the existing legal framework, while not unduly hindering innovation. For this reason, the amendments are targeted at persons or entities engaged in the business of dealing in virtual currencies, and not virtual currencies themselves.” It is expected that there will be additional updates to the regulations, and community consultations. During these processes, this distinction should remain an important one.

Digital Identification and “Authentic” Documents

Canadian businesses, such as MSBs, that are regulated for AML purposes must identify certain customers either because there is an ongoing service agreement, an account, or because the customer performs specific types of transactions. In these instances, the methods used to identify customers are prescribed in the regulations. Previously, there was a requirement that any document that was used in identification processes be “original”. A narrow view was taken of the definition of the word original: the document itself, in whatever form it was issued. No scans, copies or other digital representations were permitted. This was a significant challenge in non-face-to-face environments.

Effective on publication of the updates, the word “original” has been replaced with “authentic”. It’s important to keep in mind that while this does allow for documents to be submitted in a myriad of digital formats, there will be an expectation that reporting entities do something in order to determine whether or not the document is authentic. The regulations are not prescriptive in terms of how this will be done. We expect that a number of different solutions, ranging from having a human review documents, to using AI to make risk-based determinations, will be valid. If there are processes that you aren’t sure about, it is possible to write to FINTRAC to request a policy interpretation. We expect that FINTRAC will release updated guidance on identification, and issue many subsequent policy interpretations as the landscape evolves.

For customers that were previously identified, there is an expectation that the customer is identified in accordance with the rules that were in place at the time. Unfortunately, this means that if a customer was identified before the updated regulations were published, and an electronic version of a document was used, the identification may not be considered complete. It will be important for businesses to assess the processes that were in place at this point in time in order to make an accurate determination of whether or not the standards were being met.

Registering as a Money Services Business (MSB)

Although the legislation has been published, Dealers in Virtual Currency are not yet able to register as money services businesses (MSBs) with FINTRAC, Canada’s federal AML regulator and financial intelligence unit (FIU). The process is relatively straightforward, beginning with a pre-registration form.

The FINTRAC registration process is generally very efficient (taking two to four weeks in total). As part of this process, you must provide FINTRAC with complete information about your business, including:

Bank account information;
Information about your compliance officer;
Number of employees;
Incorporation information (if your business type is a corporation);
Information about your MSB’s owners and senior management, such as their name and date of birth;
An estimate of the expected total dollar amount of transactions per year for each MSB service you provide;
Detailed information about every branch; and
Detailed information about every Canadian MSB agent.

You are not required to have locations or offices in Canada in order to register as an MSB with FINTRAC. Once registered, the registration must be maintained and you must:

Keep registration information up to date;
Respond to requests for, or to clarify information, in the prescribed form and manner, within 30 days;
Renew our registration before it expires; and
Let FINTRAC know if we stop offering MSB services to Canadians

SCAM ALERT: There is no cost to register an MSB with FINTRAC – although we’ve heard of several scams claiming that there is a fee. Please ensure that you are only registering through valid FINTRAC sites, which will contain “fintrac-canafe.gc.ca” in the url. If you have received a phishing email or other request to pay FINTRAC registration fees, we recommend reporting this to both the Canadian Anti-Fraud Centre and to FINTRAC directly.

All dealers in virtual currency are expected to register with FINTRAC by June 1, 2020.

Building or Updating Your Compliance Program

MSBs in Canada are required to have a documented AML compliance program in place. In all instances, when something is a requirement it’s not enough to have done something to meet that requirement. Both your process and what you’ve actually done in order to meet the requirement must be documented. An AML compliance program has these elements:

Compliance Officer: this is the person who will be responsible for your AML compliance program. They should understand Canadian AML requirements, be relatively senior in your company (access to your Board and Management team is necessary), and sign up to receive updates from FINTRAC.
Policies and Procedures: these are documents that describe what you are required to do, and how you will do it. The processes should be an accurate description of what you are actually doing and detailed enough that a new hire could follow them.
Risk Assessment: this is a document that considers the risk that your business could be used to launder money and/or finance terrorism. FINTRAC has released detailed guidance for MSBs to help create this type of document.
Ongoing Training: any staff (including part-time and temporary staff) that deal with customers, transactions, and systems must receive training on a regular basis (this is generally interpreted to mean at least annually). It’s fine to rely on an external vendor, but your training should also include training on your processes.
AML Compliance Effectiveness Reviews/Audits: every two years, you must complete a formal review of the effectiveness of your AML compliance program and operations. This can be conducted internally or by an external vendor.

In addition, to your documented program, you will need to ensure you operate in a compliant manner which includes, registering with FINTRAC, identifying customers under certain circumstances (more on this under customer identification), collect know your customer (KYC) information, keep records, and report certain transactions to FINTRAC.

All dealers in virtual currency are expected to have compliance programs in place and operational by June 1, 2020.

Customer Identification and Collecting KYC Information

For dealers in virtual currency, customer identification and the collection of KYC information will be required where virtual currency exchange transactions valued at CAD 1,000 or more are conducted. This will include exchanging fiat for virtual currency, as well as exchanges between virtual currencies.

Customers must also be identified, where possible if there are reasonable grounds to suspect that a transaction is related to money laundering or terrorist financing. When a transaction is suspicious, there is no minimum value threshold for identification.

Identification in this context must be completed in specific ways, each of which require particular records to be maintained. The chart below is from FINTRAC’s current customer identification guidance (which must be updated to reflect the change in wording from original to authentic, though other elements remain unchanged).

If the customer is an entity (a company, partnership, trust, etc.), then measures must be taken to confirm the entity’s existence and beneficial ownership. Certain details must be collected for directors, trustees, beneficiaries of trusts, and anyone that owns or controls 25% or more of an entity. This includes “indirect ownership” (such as ownership through another company).

There is also information about the customer that must be collected. For individuals, this includes name, date of birth, address, and occupation or principal business. For entities, this includes name, address, place of incorporation (if applicable), and incorporation number (if applicable).

All dealers in virtual currency are expected to have processes in place to identify customers and collect KYC information by June 1, 2020.

FINTRAC Reporting

For reporting, there are two important dates. By June 1, 2020, dealers in virtual currency will need to report the same types of transactions that MSBs are currently required to report. These are:

Large Cash Transactions: if you receive cash (this means fiat in the form of bills and/or coins) valued at CAD 10,000 or more in the same 24-hour period, by or on behalf of the same customer, it must be reported to FINTRAC within 15 calendar days.
Suspicious Transactions: if there are reasonable grounds to suspect that a transaction is related to money laundering or terrorist financing, it must be reported to FINTRAC within 30 calendar days of the discovery of a fact that led you to determine that the transaction was suspicious.
Attempted Suspicious Transactions: if a customer or prospective customer requests a transaction, but does not complete it (including transactions that you reject), and there are reasonable grounds to suspect money laundering or terrorist financing, then it must be reported. The timeframe is the same as it would be for completed transactions.
Terrorist Property: if you’re in possession of property (which includes funds and virtual currency) that belong to a terrorist or terrorist group, it must be reported without delay, and the property must be frozen. In addition to reporting to FINTRAC, these reports are also sent to the CSIS and RCMP – by fax. In order to know if customers fall into this category, it is important to screen against lists published by OSFI. We’ve worked with some friends on a tool to make this easier, which you can try here (use the code Free100 for a free trial).
Electronic Funds Transfers: if you send or receive international electronic funds transfers (EFTs), including wires, valued at CAD 10,000 or more, by or on behalf of the same customer, it must be reported to FINTRAC within 5 working days.

If you are required to report transactions valued at CAD 10,000 or more in a 24-hour period, you must have a mechanism in place to detect reportable transactions.

It’s noteworthy that if you are conducting international EFTs on your customers’ behalf, you may already be an MSB. The best way to know for certain, in our opinion, is to request a policy position from FINTRAC. This can be done free of charge by emailing guidelines-lignesdirectrices@fintrac-canafe.gc.ca. This can also be done on your behalf by a lawyer or consultant.

By June 1, 2021, a new report will be introduced.

Large Virtual Currency Transactions: if you receive virtual currency valued at CAD 10,000 or more in the same 24-hour period, by or on behalf of the same customer, it must be reported to FINTRAC within 5 working days.

There will be some additional changes to reporting and reporting timelines, including the requirement to report suspicious and attempted suspicious transactions “as soon as practicable” after you have determined that there are reasonable grounds to suspect that the transaction is related to money laundering or terrorist financing.

For Extreme Compliance Nerds

We clearly mean nerd as the highest term of admiration and endearment, and for you, we have created red-lined versions of the regulations, with new content showing as tracked changes. This is not an official version of the regulations, and we do, of course, recommend that you check it against the official version.

Need a Hand?

Whether you need to figure out if you’re a dealer in virtual currency, to put a compliance program in place, or to evaluate your existing compliance program, we can help. You can get in touch using our online form, by emailing info@outliercanada.com, or by calling us toll-free at 1-844-919-1623.

2019 AML Updates – Redlined Versions

The following red-lined versions have been created to reflect the changes to Canadian anti-money laundering (AML) regulations published in the Canada Gazette on July 10^th, 2019. A redlined version of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), reflecting the changes published in Bill C-97 which received Royal Assent on June 21, 2019, is also included below.

These documents are not official versions of the regulations. Official versions can be found on the Government of Canada’s Justice Laws Website.

Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Please click the link below for a downloadable pdf file.

PCMLTFA_July_2019_Redline

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations

Please click the links below for downloadable pdf files.

PCMLTFR_July_2019_Redlined_Full

PCMLTFR_July_2019_Redlined_Schedules Removed

Proceeds of Crime (Money Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations

Please click the link below for a downloadable pdf file.

PCMLTF_Suspicious_Transaction_Reporting_Regulations_July_2019_Redlined

Proceeds of Crime (Money Laundering) and Terrorist Financing Registration Regulations

Please click the link below for a downloadable pdf file.

PCMLTF_Registration_Regulations_July_2019_Redlined

Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations

Please click the link below for a downloadable pdf file.

PCMLTFR_Administrative_Monetary_Penalties_Regulations_July_2019_Redlined

Cross-Border Currency and Monetary Instruments Reporting Regulations

Please click the link below for a downloadable pdf file.

PCMLTFR_Cross-Border_Currency_and_Monetary_Instruments_Reporting_Regulations_July_2019_redline

Need a Hand?

FATF, VASP – What Does It All Mean?

On June 21, 2019 the Financial Action Task Force (FATF) released “Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers”. In the ensuing days, while we read through and considered the implications of this dense 57 page document, we watched social media go overboard with all sorts of wild speculation and inaccurate representations. When that happens, and it’s within our power to get good information out there, we do our best to get solid information out fast to fight the fear, uncertainty and doubt (affectionately referred to as FUD online). Let’s take a closer look at the latest FATF guidance, and what it means for businesses that deal in crypto/digital/virtual currencies like bitcoin, and other virtual assets.

What is the FATF Anyway?

If you’re an AML geek, you can probably skip this section. For the other 99.99% of the world, the Financial Action Task Force (FATF for short) is an inter-governmental body formed in 1989 by its member jurisdictions. If you live in the developed world, odds are good that your country is a FATF member. The role of this organization is to issue guidance to countries on anti-money laundering (AML) and combatting terrorist financing. Countries that are members of the FATF are also evaluated in terms of how well they’re doing at following the FATF’s recommendations (these are called mutual evaluations). Generally speaking, member countries face a good deal of pressure to achieve positive results in mutual evaluations. Countries that are deemed to be non-compliant, or to have strategic deficiencies, are publicly listed and can face significant trade barriers.

To sum it up, the FATF is an international group made up of member countries that issues guidance to countries. That guidance is not law, but it certainly shapes the laws that are written by member countries. It may seem pedantic, but if you hear/read someone saying that the FATF has issued a law or a regulation, it’s likely that the speaker/writer doesn’t really understand how the FATF works – and this is the first piece of FUD that we’re going to dispel today: the FATF does not write laws or regulations.

Once the FATF has issued guidance, its member countries adapt their existing laws and regulations, and in some instances, impose new ones. Generally speaking, the more common approach is to adapt existing laws and regulations. Regardless of the approach taken, a statement released with the guidance stating that the FATF will monitor implementation of the new requirements by countries and service providers and conduct a 12-month review in June 2020. The guidance is also expected to be the subject of further discussion at other international forums, including the G20.

Virtual Assets and Virtual Asset Service Providers

The FATF’s Guidance introduces new terms (and corresponding acronyms): virtual assets (VAs) and virtual asset service providers (VASPs). These are defined in the glossary at the end of the document, but it’s useful to start off by understanding what the terms mean.

A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.

The broader text makes it clear that VAs are being broadly defined, and may include cryptocurrencies like bitcoin as well as other types of assets, like initial coin offering (ICO) tokens, which may also be considered securities.

There are also clear statements about the intent of the guidance, and that it is not an attempt to regulate technology. This is another important distinction, in particular where there is a discussion of regulation applicable to Bitcoin (with the capital B indicating that this is a reference to the Bitcoin protocol). That is simply not the case. In fact, the guidance notes that the intent is to remain technology agnostic, and that no specific technological adaptations to protocols are being proposed (we’ll dive a bit more deeply into this in the section that covers customer information).

What the guidance is, however, suggesting should be regulated are certain business activities that involve virtual assets.

Virtual asset service provider means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

i) exchange between virtual assets and fiat currencies;

ii) exchange between one or more forms of virtual assets;

iii) transfer of virtual assets;

iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and

v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

The first, and probably most important, piece of FUD to fight here is the idea that peer-to-peer activity that is not being conducted for business purposes should be covered. This simply is not the FATF’s recommendation. This doesn’t preclude a country from writing laws or regulation that impose requirements on non-business peer-to-peer activity, but it does make that less likely in our estimation.

If you’ve looked at previous FATF guidance, you’ll notice that the scope is a bit different. Earlier guidance was focussed on what were termed “on and off ramps”, meaning transactions that involved trading fiat currency for a VA, or vice versa. The current scope includes trading between different VAs. To understand this change, consider that when the earlier guidance was issued there were no popular “stablecoin” VAs pegged to the value of an underlying asset (often a fiat currency) and ICOs had yet to raise millions in value in VA alone.

What Will It Mean for Businesses to be Regulated?

Businesses (including individuals that are conducting VASP activities on behalf of customers that have not incorporated a separate legal entity such as a company or partnership) may be subject to laws and regulations in more than one jurisdiction, and the specific requirements for each jurisdiction may be different (though most will follow the FATF’s guidance in broad strokes). For VASPs, it is important to understand the requirements that apply in each jurisdiction in which they operate (it is not enough to say that your business is following the FATF’s guidance).

The FATF recommends in its guidance that countries enact laws and regulations that apply to VASPs. This should include (not a comprehensive list):

The licensing and/or registration of VASPs;
A prohibition against criminals and their associates being beneficial owners of VASPs;
A requirement for VASPs to have qualified Compliance Officers, written policies and procedures, documented risk assessments, ongoing training, and measures of the effectiveness of the compliance program (audits);
Know your client (KYC) information and identification should be collected by VASPs for customers and business relationships (with a de minimis exception for occasional transactions valued at less than 1,000 EUR/USD);
Where transactions occur between two VASPs or between a VASP and another regulated entity type (such as banks), sender and receiver information must be transmitted. This has received a lot of attention, and it is not yet clear how this will be accomplished. The options noted in the guidance include:
- Public and private keys,
- Transport Layer Security/Secure Sockets Layer (TLS/SSL),
- 590 Certificates,
- 509 Attribute Certificates,
- API Technology, and
- Other Commercially Available Technology.
VASPs’ customers and business relationships should be subject to ongoing monitoring; and
Mechanisms in place to freeze assets and stop transfers in the case of listed persons and entities (such as known terrorists or sanctioned persons/entities).

The guidance also states that there should be true regulatory oversight, not self-regulatory organizations. There are additional considerations for other entity types that are already regulated (including securities dealers and banks) that engage in VASP activities.

Thinking about Risk

Some of the most interesting content in the guidance is related to the money laundering and terrorist financing risk posed by VAs and VASPs. Here, it was clear that the FATF had done their homework as the discussion included TOR, tumblers, mixers, and other technologies referred to as being “anonymity enhanced”. The factors that are listed as increasing a VAs/VASPs risk include:

Value moving into and out of fiat currency,
The use of anonymity-enhanced technologies,
Operations that are entirely online (non-face-to-face),
Links to high risk jurisdictions, and
The value that can be accessed/transferred.

The guidance does note that not all VAs/VASPs should be considered to be high risk.

A Quick Note on Financial Inclusion & De-Risking

The FATF’s page on financial inclusion defines the term as: Ensuring that financially excluded or underserved groups (such as low income, rural sector or undocumented groups) have access to regulated financial services helps to strengthen the implementation of AML/CTF measures.

If you’ve been watching or participating in VAs or VASPs, you’ll understand that many of these have financial inclusion related goals themselves, but VASPs often struggle with access to banking. In their guidance, the FATF makes a strong statement against banks and financial service providers de-risking all VASPs: It is important that FIs apply the risk-based approach properly and do not resort to the wholesale termination or exclusion of customer relationships within the VASP sector without a proper risk assessment.

Unfortunately, the same cannot be said of prohibition by countries: Some countries may decide to prohibit VA activities or VASPs, based on their assessment of risk and national regulatory context or in order to support other policy goals not addressed in this Guidance (e.g., consumer protection, safety and soundness, or monetary policy). The guidance goes on to note that countries that chose to ban VAs and/or VASPs would still need to ensure that sufficient safeguards are in place. This approach did not seem to be encouraged, but that it is explicitly mentioned is interesting of itself, as this is not the case for other asset or regulated entity types.

Margin Notes

We’ve been asked to post the annotated copy of the first read-through of the FATF’s guidance document. The annotations were not created with the expectation of the audience. They’re likely to be hard to read, idiosyncratic, and to clearly reveal that the author is dyslexic… but if they are of use to you, then these notes are yours to use.

Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers Marked Up Copy

Need a Hand?

If you want to understand the regulations that apply to your VA business/VASP, please contact us.

Compliance with laws and regulations is nuanced; we do not practice in all jurisdictions (and quite frankly, we believe that anyone claiming to understand the nuance of AML in every jurisdiction is greatly exaggerating their skill set). If we don’t practice in the places that matter to you, we’ll do our best to connect you with qualified people that do.

Now We Wait… Canada’s Proposed AML Updates

As of last Friday (September 7, 2018) the comment period for Canada’s draft AML amendments has closed (if you have something to say, they’ll likely still accept submissions for a few more days).

TLDR?

Check out our summary here, or this panel digging into the details.

Want to read our submissions? Here they are!

2018Sep07_OutlierCanada Submission to Finance

2018Sep07_Apendix_SurveyResults

What Now?

The Department of Finance is going to head back to the Bat Cave to revise the policy. We expect that a final version will be published at some point in 2019, and that the content will include “dealing in virtual currency” (including businesses like bitcoin exchanges).

Once the final version is published, there will be a transition period (we expect a year or more) before everything is in force. In the meantime, if you’re expecting to be considered a money services business (MSB) when the final version is published, we recommend checking out some of the community events for MSBs, like the Canadian MSB Association (CMSBA)’s Fall Conference in Toronto.

Why rich people don’t just open a bank…

It can be tough to open and maintain a bank account as a crypto-business. A policy of “derisking” (when banks avoid conducting business with customers perceived as being higher risk) leaves many crypto-businesses (and other MSBs) ill-served by the existing banking system.

A not-uncommon response to this reality (i.e. we’ve had this conversation enough times to deem it worthy of a blog post) is some variation of: “I’m a rich person! Why don’t I just open a bank?”

No doubt, this impulse comes from the admirably entrepreneurial spirit of our community. There’s a problem (lack of access to banking services), so let’s solve it.

But if you don’t have a background in compliance or banking and think that you’re “just” going to magically open your dream-crypto-paradise-bank… We’re here to advise you to slow your roll. We’re not saying you can’t do it… but here are some things you should consider. Knowledge is power.

Sidenote: We’re Canadian and these notes refer to Canadian processes. There are likely to be some differences in other countries, but we won’t know what they are. If you want to know, do the research. Let us know what you find if it’s interesting.

Opening a bank is expensive.

While you may think you have the cash to spare, opening a bank is expensive, and probably more expensive than you expect, both in terms of what you need to have in reserve, and what you’ll spend initially. We’ve heard the figure of $50m buy-in—which, by the way, does not guarantee you a charter.

You will spend money for years before you serve customers.

If you’re curious about where all those millions could possibly go, you’re going to get friendly* with an army of consultants, lawyers, and accountants over the next few years. (*And by friendly, we mean pay a lot of money to).

The process of getting issued a charter is lengthy (if you don’t believe us, you may enjoy perusing the 27-page long PDF guide from OFSI on the subject) and getting this process right means your investment will be whittled away by hiring people who can help navigate you through this labyrinth. You’ll also be spending money on employees, by the way, for years before you’ll ever have the privilege of serving a customer. Years. Plural.

Your team will spend a long time pleasing regulators before you’re operational.

Yes, even though you won’t be permitted to have customers for a long time, you will still need to assemble a team that can put together all of the elements of a bank into place. Your team will spend all of their time implementing processes, demonstrating to the regulator(s) that they’ve done so, and then tweaking these processes as the regulators require or request (in these instances, a request is really a politely stated requirement). If it’s any comfort, your employees will certainly be kept busy, even without customers.

You’re probably not going to be the CEO…

Despite making the decision to open a bank, you will likely not become the bank’s CEO, or even its COO. Senior management positions at banks require regulatory approval. Regulators are looking for you to have had a long history, at a senior level, in a bank or other federally regulated financial institution

… or even on the Board of Directors.

As with senior management positions, seats on the Board of Directors require regulatory approval. Even if you successfully jump through all the hoops required to start your bank, you will likely end up with little to no say in how it is ultimately run.

Well That’s Awkward!

There’s a noble sentiment behind the desire to “just open a bank” and solve the problems you see in the current banking system. But, the risks, effort, and returns are seldom well understood. In essence, opening a bank means making a substantial investment (in both time and money) in something that may one day become an asset (but may not). You can own the bank, but will likely not run it, despite the multi-year multi-million commitment you make. Even if you’re a wealthy investor with patient money, we’d suggest that you ought to be really passionate about setting up a bank if you want to embark upon this kind of endeavour.

What can you do instead?

So, if you’re not going to start a bank but are still frustrated by the banking system as it currently stands—what can you do instead?

Frankly, we need grassroots pressure to change the system we have. It’s important for us to have discussions with the gatekeepers (regulators, traditional banking institutions) for crypto business to get access to banking services. Part of the burden of being in this space is taking the time to educate those who control access to the resources we need. We’ve found that often even people with responsibility for developing policy related to bitcoin and other virtual currencies or tokens don’t fully understand it (and therefore its risk implications). While it may be frustrating to explain that it is possible to buy a fraction of a bitcoin to someone who we really think ought to understand this already, the more we can normalize crypto within the system, the more access we can hope to gain.

And while it can be difficult to speak out if you are a business who has been refused a bank account (or had your account shut down), we’d encourage you to share your experiences of trying to find banking services. Make a complaint to the institution. Share your story with the media (even if you don’t name the FI) or contact your political representatives. You can also, at the moment, contribute your feedback on the draft legislation on AML Regulations for “Virtual Currencies.” (See this blog post for more on how to do that). Exert pressure on the existing players.

But, of course… if you’ve decided you are passionate enough (and deep-pocketed enough) to start a truly crypto-friendly bank: more power to you and definitely let us know how you get on.

AML Changes For The Real Estate Sector

Here We Go Again! Canada’s Proposed AML Changes for Real Estate Developers, Brokers and Sales Representatives

Finally, we want to encourage the community to discuss the proposed changes and submit meaningful feedback for policy makers. The comment period for this draft is 90 days. After this, the Department of Finance takes the feedback to the bat cave and drafts a final version of the amendments. From the time that the final version is published, the draft indicates that there will be 12 months of transition to comply with the new requirements.

What does this mean for my business?

While there are quite a number of proposed changes (the draft is about 200 pages in length), some are likely to have more of an impact on for real estate developers, brokers and sales representatives than others. We’ve summarized the changes that we expect to have the most impact below. Remember these are just proposed changes so there is no need to update your compliance material just yet.

What’s New?

Virtual Currency:

While there are not many proposed amendments that will introduce new requirements for real estate developers, brokers and sales representatives the draft regulations introduce reporting requirements for the receipt of CAD 10,000 or more of virtual currency. These basically are the same as large cash reporting obligations and will require reporting entities to maintain a large virtual currency transaction record.

The requirements for reporting and recordkeeping for virtual currency will be very similar to cash reporting requirements.

What existing requirements are changing?

24-hour rule:

The draft regulations clarify that multiple transactions performed by or on behalf of the same customer or entity within a 24-hour period are considered a single transaction for reporting purposes when they total CAD 10,000 or more. Only one report would need to be submitted to capture all transactions that aggregate to CAD 10,000 or more. For real estate developers, brokers and sales representatives this would apply to recipient of cash deposits. Specifically, this will apply to large cash transactions or CAD 10,000 or more.

Identification:

The draft regulations replace the word “original” with “authentic” and states that a document used for verification of identity must be “authentic, valid and current. This would allow for scanned copies of documentation and/or for software that can authenticate identification documents to be used for the dual process method for real estate developers, brokers and sales representatives that identify clients in a non-face-to-face manner. Another change, related to measures for verifying identity, is that the word “verify” has been replaced with “confirm” and “ascertain” has been replaced with confirm. What this will mean exactly is still unclear (FINTRAC will need to provide more guidance once the final amendments are released). We are hopeful that it will allow for easier customer identification – especially for customers outside of Canada.

Records:

There have been some changes to the details that must be recorded in records that real estate broker or sales representative must maintain. In particular, the draft regulations add the requirement that information records must contain details of every person or entity for which they act as an agent or mandatary in respect of the purchase or sale of real property. Under the existing regulations information related to the person or entity purchasing real estate only.

Risk Assessment:

Under current regulations, reporting entities are required to assess the risks associated with its business and develop a risk assessment specific to your situation. For real estate developers, brokers and sales representatives a risk assessment must address the following four areas:

Products, services, and delivery channels (to better reflect the reality of the real estate sector, this workbook will now only refer to services and delivery channels);
Geography;
Clients and business relationships; and
Other relevant factors

A proposed amendment would require all reporting entities to assess the risk related the use of new technologies, before they are implemented. This has been a best practice since the requirement to conduct a risk assessment came into force, but this change would make this a formal requirement.

Suspicious Transaction Reporting:

Under current regulations if a reporting entity has reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering or terrorist financing, a report must be submitted to FINTRAC within 30 days of the date that a fact was discovered that caused the suspicion. The revised regulations add to this requirement by stating:

“The person or entity shall send the report to the Centre within three days after the day on which measures taken by them enable them to establish that there are reasonable grounds to suspect that the transaction or attempted transaction is related to the commission of a money laundering offence or a terrorist activity financing offence.

This would require reports to be submitted to FINTRAC within three days after the reporting entity conducts an analysis that established reasonable grounds for suspicion.

Schedules:

The draft regulations introduce changes to reporting schedules, requiring more detailed information to be filed with FINTRAC then previously was required. This is in addition to including information that is marked as optional, if a reporting entity has the information. As it relates real estate developers, brokers and sales representatives these changes will impact attempted suspicious and suspicious transaction reporting, terrorist property reporting and large cash reporting. Some of the additional proposed data fields are:

every reference number that is connected to the transaction,
every other known detail that identifies the receipt (of cash for large cash transactions),
type of device used by person who makes request online,
number that identifies device,
internet protocol address (IP address) used by device,
person’s user name, and
date and time of person’s online session in which request is made.

Such changes may be onerous for reporting entities, especially for transactions that are conducted online.

Training:

Under current regulation, if real estate developers, brokers and sales representatives use agents, mandataries or other persons to act on their behalf, they must develop and maintain a written, ongoing compliance training program for those agents, mandataries or other persons. The draft regulations introduces an additional requirement in which there must be a documented plan for the ongoing compliance training program and delivering of that the training.

What’s Next?

If you’ve read this far, congratulations and thank you!

We hope that you will contribute your thoughts and comments. You can do this by contacting the Department of Finance directly. Their representative on this file is:

Lynn Hemmings
Acting Director General
Financial Systems Division
Financial Sector Policy Branch
Department of Finance
90 Elgin Street
Ottawa, Ontario
K1A 0G5
Email: fin.fc-cf.fin@canada.ca

If you would like assistance drafting a submission, or have questions that you would like Outlier to answer, please get in touch!

Canada’s Proposed AML Changes for MSBs

What’s Old is New Again, Well Updated

♬The Times Regulations Are Changing♬

Foreign MSBs

Currently, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has issued a policy interpretation (PI-5594) in August of 2013, which states that a “real and substantial connection” to Canada must be present for an entity to be required to register as an MSB with FINTRAC. A “real and substantial connection” was defined in the interpretation as having one or more of the following:

Whether the business is incorporated in Canada;
Whether the business has agents in Canada;
Whether the business has physical locations in Canada; and/ or
Whether the business maintains a bank account or a server in Canada.

The draft amendments introduce a new definition, which is “Foreign Money Services Business” that means anyone serving Canadian customers or entities in Canada is now subject to all Canadian requirements no matter where they are located. Throughout the proposed changes, where there is a reference to money services businesses, there is also a reference to foreign money services businesses. This will be significant to MSBs who operate non-face-to-face in the online marketplace and do not reside in Canada.

Non-Face-To-Face Customer Identification

Currently, there is a requirement that when customers are identified using the dual process method, the document and/or data that you collect is in its “original” format. This has been interpreted to mean that if the customer receives a utility bill in the mail, they must send you the original paper (not scanned or copied) document. The word “original” will be replaced with “authentic” (meaning that so long as you believe that the utility bill is a real utility bill for that person, it doesn’t need to be the same piece of paper that they received in the mail).

In addition, there are provisions that would allow reporting entities to rely on the identification conducted previously by other reporting entities. If this method is used to identify a customer, the reporting entity must immediately obtain the identification information from the other reporting entity and have a written agreement in place requiring the entity doing the identification to provide the identification verification within 3 days of the request.

Reporting EFTs of $10,000 or More

If you conduct international remittance transactions at the request of your customers, the requirement to report transactions of $10,000 or more will now be your responsibility, not your financial services provider.

The proposed change removes the language commonly known as the “first in, last out” rule. This means that the first person/entity to ‘touch’ the funds for transactions incoming to Canada or the last person/entity to ‘touch’ the funds for a transaction outgoing from Canada had the reporting obligation (as long as the prescribed information was provided to them).

The update will change the reporting obligation to whoever maintains the customer relationship. So if you initiate a transaction at your customer’s request (outgoing transaction) or provide final receipt of payment to your customer (incoming transaction), it will be your obligation to report that transaction to FINTRAC.

For example, if the flow of the instructions for payment were as follows:

Currently, the reporting obligation of the outgoing EFT would fall to the bank in Canada. With the draft updates, the reporting obligation would now fall to the MSB in Canada, because they have the relationship with the customer initiating the transaction.

Third Party Determination

Currently, the obligation to determine whether a third party is involved in a transaction relates to Large Cash Transactions. The proposed changes would include the obligation to make a third party determination for all EFTs of $10,000 or more. This would also require similar record keeping obligations as a third party determination under the current Large Cash Transaction records.

Suspicious Transaction Reporting

Currently, if a reporting entity has reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering or terrorist financing, a report must be submitted to FINTRAC within 30 days of the date that a fact was discovered that caused the suspicion. This change appeared in the last round of amendments that came into force last year, and the proposed new wording would be another significant change:

The person or entity shall send the report to the Centre within three days after the day on which measures taken by them enable them to establish that there are reasonable grounds to suspect that the transaction or attempted transaction is related to the commission of a money laundering offence or a terrorist activity financing offence.

This means that a report would be due three days after the reporting entity conducts an investigation or does something that allows them to reach the conclusion that there are reasonable grounds to suspect.

Information Included In Reports to FINTRAC

Certain information is required in reports to FINTRAC. Even where information is marked as being optional, if a reporting entity has the information, it becomes mandatory to include it. Some of the additional proposed data fields are:

every reference number that is connected to the transaction,
type of device used by person who makes request online,
number that identifies device,
internet protocol address (IP address) used by device,
person’s user name, and
date and time of person’s online session in which request is made.

These fields may require significantly more data to be included in reports, especially for transactions that are conducted online.

Ongoing Compliance Training

Currently, there are five required elements of a Canadian AML compliance program, but there is soon to be a sixth. Before you get too worried, it’s not that major. The change is specific to your ongoing compliance training obligations, which says you must institute and document a plan for your ongoing compliance training program and the delivery of the training. Basically, in your AML compliance program documentation, you need to provide a description of your training program for at least the next year and how the training will be delivered. Many MSBs have already implemented this best practice.

Risk Assessment Obligations

With the recent addition of the “New Technologies and Developments” category to the Risk-Based Approach requirements, the next logical progression has be added. The updates include the obligation to assess the money laundering and terrorist financing risk of any new technology before implementation. Meaning, if you are looking to take your business online and are going to use this fancy, new non-face-to-face ID system, you had better take careful inventory of where your risks are and be sure the appropriate controls have been put in place before going live. Much like the training plan, many MSBs have already implemented this best practice.

Virtual Currency

The draft updates also include major changes related to virtual currency. “Dealers in virtual currencies’ would be regulated as MSBs. New record keeping and reporting obligations would apply to all reporting entities that accept payment in virtual currency, or send virtual currency on behalf of their customers.

For more information on updates specific to virtual currency, please check out our full article.

What Next

If you’ve read this far, congratulations and thank you!

We hope that you will contribute your thoughts and comments. You can do this by contacting the Department of Finance directly. Their representative on this file is:

Lynn Hemmings

Acting Director General

Financial Systems Division

Financial Sector Policy Branch

Department of Finance

90 Elgin Street

Ottawa, Ontario

K1A 0G5

Email: fin.fc-cf.fin@canada.ca

If you would like assistance drafting a submission, or have questions that you would like Outlier to answer, please get in touch!

If you are interested in sharing your comments with the Canadian MSB Association (and we highly encourage you to do so) please email luisa@global-currency.com. She will have more information on the industry group’s submission and consultation process.

The Dos & Donts of Breaking into Blockchain

This article was created by Amber D. Scott & Emma Todd (of MMH Blockchain Group) with writing assistance from Ailsa Bristow.

We go to a lot of events, and the number one thing people keep asking us is how to get into Blockchain. Developers, students, accountants, lawyers… anyone with something to sell.

Our knee-jerk response is if you want to get into blockchain, just get into blockchain. Yes, it’s that simple.

However, that doesn’t seem to be the conversation-stopper we intend it to be, so a more fulsome response is called for. Here are our collected thoughts on how to get involved, along with some tips on how (and how not to) conduct yourself along the way.

Get Involved

First things first: blockchain is, at its heart, a community. The best place to start is to do your research, find a meetup in your city, and start talking to people. Don’t just sit at home reading about blockchain and bitcoin on the internet.

The blockchain community is one of the more welcoming places on the planet. Here are people who are passionate about what they do, committed to the open-source philosophy, and willing to help newbies learn. Sure, it can get technical at times, and that can be intimidating when you don’t have a strong opinion about proof of stake, the latest token, or whether it was ok for Microsoft to buy GitHub… but as long as you don’t pretend to know more than you do, you’ll be fine. These folks will know when you’re bluffing, and they will call you out on it.

If you really want a crash course in blockchain, volunteer either through a meetup or at one of the big blockchain conferences. This is a great way to start meeting people: you could be brushing shoulders with the big names in blockchain before you even know who they are.

Learn The Ropes

As you start your journey into blockchain, spend some time listening. Seriously. Listen more than you talk. It’s hard to learn anything when you’re the one speaking. Be interested, and be genuine: these are the attributes that will earn you credibility in the blockchain space. But don’t just rely on people to be your tour guides: people will get frustrated with you when you ask questions without doing your basic research first (if you want a great list of bitcoin resources go here). And seriously: please don’t email/ DM/ whatever at leaders in the blockchain community asking them questions that you can easily google for yourselves. That’s not how to win friends and influence people, folks.

If you want to be a coder, there are a lot of free learning resources out there. You don’t need to spend $100,000s getting a computer science degree (unless that’s something you want to do otherwise) given the wealth of learning you can do online. Two communities that we love are freeCodeCamp and BlockGeeks. There are also scholarships out there if you are planning on following this route.

Finally, if you’ve been in the blockchain for all of a minute, please, don’t start advertising yourself as an expert before you’ve even had a chance to learn the basics. Two months attending Meetups and some internet reading does not an expert make. Showing up on panels or guesting on blogs before you’ve really had a chance to learn is going to hurt your reputation.

Get Some Skin In the Game

If you’re interested in working with or selling to blockchain companies, get some skin in the game. We’re always shocked whenever a vendor asks us about selling to blockchain companies, and when I ask them if they’ve ever used a blockchain based service, or a cryptocurrency they say no. If you haven’t taken the time to understand the ecosystem, how can you possibly hope to understand your customers? Why should anyone in the blockchain world trust anything you have to say?

It’s fine to start small. Set up a wallet. Buy some Dogecoin (it has much of the same “backbone” as bitcoin) or even a small fraction of a bitcoin (yes, they are divisible). You don’t need to break the bank. You should participate only according to your passion, your risk tolerance, and your knowledge. But you do need to get a feel for how things work, and demonstrate a personal investment.

Prove Your Value

Blockchain is about proving your value. If you come from a background where people are impressed by your education, your resume, who your parents are, or how much money you made, get ready for a reality-check. In the blockchain world, people are interested in learning about what you’re doing that’s cool.

There’s room for all skillsets in blockchain, from traditional accounting to marketing. But don’t come in trying to make the hard sell. Do talk about things you’re doing that’s cool, and be interested in what other people are working on in return.

Be Respectful

Respect people’s time. Do not use people’s names or photos or logos to promote your event without checking with them first. Do not call someone an advisor to your project if you’ve only spoken to them once. Get explicit agreement from people before plastering their name all over your website.

Also, if you’re chatting to someone and you hear they got into bitcoin X number of years ago, do not ask them a) how much coin they have, b) if they are a millionaire. If you wouldn’t feel comfortable asking for somebody’s bank statement, or the state of their investment portfolio, don’t ask them for the ins and outs of how much money they’ve made from bitcoin. Your curiosity is not a reason to override basic good manners.

Twitter is King

If you want to keep your finger on the pulse of what’s happening in Blockchain, Twitter is the place to be. It’s where news breaks, connections get made, and discussions are had. Follow one or two of the biggest names in Blockchain, follower their followers, and start jumping in.

Fit Matters

Finally, know that not everyone should be in Blockchain. Sure, you’ve heard the buzz and that there’s money to be made, but that doesn’t mean you need to be in this world. If you’re simply chasing money, you’re probably going to end up getting burned. If you don’t like change and uncertainty, this probably isn’t the place for you. If you don’t have the ability to pivot, this probably isn’t the place for you. If the thought of listening to engineers argue technical points fills you with dread, this probably isn’t the place for you. And if you aren’t at least open to the idea of being converted into a flaming libertarian, we’d suggest this probably isn’t the place for you. And if that’s true, that’s ok.

On the other hand, if nothing we’ve said here has put you off and you’re ready to dive in, welcome. You’re joining one of the most passionate, genuine, smart, and exciting communities on the planet.

Welcome – we’re glad you’re here!

Canada’s AML Rules for “Virtual Currency”

On June 9^th, 2018, draft amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its enacted regulations (there are five separate regulations, that we’re going to collectively call regulations here for simplicity’s sake). While not all of the proposed amendments are related to virtual currency, many are (the term virtual currency comes up 304 times in about 200 pages). This article is intended to give a high-level summary of the proposed amendments as they relate to virtual currency for businesses in that industry (exchanges, brokerages, etc.).

Finally, we want to encourage the community to discuss the draft and submit meaningful feedback for policymakers. To this end, we’re going to be posting, hosting and attending community events. We’ve also set up a survey that can be completed without submitting any personal information (though you may choose to do so). If you would like one of our compliance nerds at your event, please get in touch. If you’re already having a related event that benefits the community, let us know or post it in the comments.

The comment period for this draft is 90 days. After this, the Department of Finance takes the feedback to the bat cave and drafts a final version of the amendments. From the time that the final version is published, the draft indicates that there will be 12 months of transition to comply with the new requirements.

What to expect when you’re expecting (to be regulated)?

While we acknowledge that our sample is biased (people that talk to compliance geeks), we know that many businesses such as brokerages and exchanges have expected to be regulated as money services businesses (MSBs) since Bill C-31 was passed in 2014. Many of these businesses already have in place the required elements of an anti-money laundering (AML) compliance regime, including:

The appointment of a Compliance Officer;
Written policies and procedures;
A documented risk assessment;
Training; and
Effectiveness testing (like an audit, but for compliance).

In addition, many have been voluntarily reporting suspicious activity to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), the body under which they expect to be regulated for AML.

The proposed amendments would formalize compliance program requirements, as well as create new requirements specific to businesses “dealing in virtual currency” (which would now be considered MSBs). While “dealing in virtual currency” itself is not defined, the text of the regulations implies that it will include exchanging, sending, and receiving virtual currency on behalf of other people or entities. Such entities would be required to register as MSBs if they are serving Canadian customers (whether or not they are located in Canada).

There are a number of thresholds that are proposed, including identification (at CAD 1,000) and reporting (at CAD 10,000). In each case, specific information must be collected and recorded. The identification methods that are available in these circumstances are relatively prescriptive, although the proposed amendments do make some headway towards supporting a broader array of identification methods by requiring that documents be considered “authentic” rather than requiring documents in their original format. Of course, as with any complex issue, guidance from FINTRAC will be required before we’re certain how this will be interpreted by the regulator (It’s good news; we’re just not sure how good, yet).

As always in compliance, the devil is in the details. What follows is a few of those key details, as well as some of the issues that we anticipate. We encourage you to conduct your own analysis and to join the conversation.

What’s In A Definition?

Definitions are generally not very interesting. When was the last time that you read the dictionary? (Sidenote: if you are a serious scrabble geek and do this on the regular, you will enjoy this section more than most)… In this case though, definitions matter. Definitions will make a difference in terms of the businesses and activities that are regulated, and how they are regulated. Fortunately, our community includes a number of engineers, debaters, and other individuals with a penchant for the precise – and your skills are needed here. We encourage you to carefully consider the following and to submit feedback on how they can be improved.

authorized user means a person who is authorized by a holder of a prepaid payment product account to have electronic access to funds or virtual currency available in the account by means of a prepaid payment product that is connected to it.

funds means

(a) cash and other fiat currencies, and securities, negotiable instruments or other financial instruments that indicate a title or right to or interest in them; or

(b) information that enables a person or entity to have access to a fiat currency other than cash.

For greater certainty, it does not include virtual currency. (fonds)

fiat currency means a currency that is issued by a country and is designated as legal tender in that country.

large virtual currency transaction record means a record that indicates the receipt of an amount of $10,000 or more in virtual currency in a single transaction and that contains the following information:

(a) the date of the receipt;

(b) if the amount is received for deposit into an account, the name of each account holder;

(c) the name, address and telephone number of every other person or entity that is involved in the transaction, the nature of their principal business or their occupation and, in the case of a person, their date of birth;

(d) the type and amount of each virtual currency involved in the receipt;

(e) the exchange rate used and the source of the exchange rate;

(f) the number of every other account that is affected by the transaction, the type of account and the name of each account holder;

(g) every reference number that is connected to the transaction;

(h) every other known detail that identifies the receipt; and

(i) if the amount is received by a dealer in precious metals and precious stones for the sale of precious metals, precious stones or jewellery,

(i) the type of precious metals, precious stones or jewellery,

(ii) the value of the precious metals, precious stones or jewellery, if different from the amount of virtual currency received, and

(iii) the wholesale value of the precious metals, precious stones or jewellery.

prepaid payment product means a product that is issued by a financial entity and that enables a person or entity to engage in a transaction by giving them electronic access to funds or virtual currency paid to a prepaid payment product account held with the financial entity in advance of the transaction. It excludes a product that enables a person or entity to access a credit or debit account or one that is issued for use only with particular merchants.

prepaid payment product account means an account that is connected to a prepaid payment product and that permits

(a) one or more transactions that total $1,000 or more to be conducted within a 24-hour period; or

(b) a balance of funds or virtual currency available of $1,000 or more to be maintained.

virtual currency means

(a) a digital currency that is not a fiat currency and that can be readily exchanged for funds or for another virtual currency that can be readily exchanged for funds; or

(b) information that enables a person or entity to have access to a digital currency referred to in paragraph (a).

virtual currency exchange transaction means an exchange, at the request of another person or entity, of virtual currency for funds, funds for virtual currency or one virtual currency for another.

virtual currency exchange transaction ticket means a record respecting a virtual currency exchange transaction — including an entry in a transaction register — that sets out

(a) the date of the transaction;

(b) in the case of a transaction of $1,000 or more, the name, address and telephone number of the person or entity that requests the exchange, the nature of their principal business or their occupation and, in the case of a person, their date of birth;

(c) the type and amount of each of the funds and virtual currencies involved in the payment made and received by the person or entity that requests the exchange;

(d) the method by which the payment is made and received;

(e) the exchange rate used and the source of the exchange rate;

(f) the number of every account that is affected by the transaction, the type of account and the name of each account holder;

(g) every reference number that is connected to the transaction; and

(h) every other known detail that identifies the transaction.

Diving Deeper – Obligations and Potential Issues

1 – Do the definitions capture unintended parties?

We were surprised to see that there were not specific carve-outs for certain types of tokens, including securities, and tokens intended specifically for gaming. The definition, as it’s currently written seems capable of encompassing both tokenized security offerings and gaming tokens.

In addition, the second part of the definition that includes “information that enables a person or entity to have access to a digital currency referred to in paragraph (a).” has the potential to open the definition even more broadly. For instance, if I have stored a copy of a seed phrase or a hardware device with a vault service – have they received virtual currency? Are they sending virtual currency to me if the contents of my vault are couriered to me?

2 – What about peer-to-peer, decentralized applications, and smart contracts?

The amendments as they are presented appear to take the view that transactions have intermediaries. There are no specific carve-outs for peer-to-peer transactions (though we expect that previous guidance could be applied here), decentralized applications, and smart contracts. This may be a particularly contentious issue in the case of an exchange from one “virtual currency” to another – especially where such an exchange is initiated or completed without any human intervention. Similarly, questions arise for wallet service providers. For instance, what if a wallet provider does not have access to private keys, but connects to applications that permit users to initiate transactions that would be considered to be exchange transactions under the current definition?

That said, there are some astute exclusions, including the following activities which are explicitly not covered:

(a) a transfer or receipt of virtual currency as compensation for the validation of a transaction that is recorded in a distributed ledger; or

(b) an exchange, transfer or receipt of a nominal amount of virtual currency for the sole purpose of validating another transaction or a transfer of information.

Nonetheless, it is difficult to determine where the policymakers intended to draw the line, and where the regulator will later enforce it…

3 – Jurisdiction doesn’t matter; foreign money services businesses (MSBs) are covered.

While not specific to virtual currency, it is noteworthy that the proposed amendments expand the definition of an MSB to include any business that is providing prescribed services in Canada. As we’ve seen in the case of the NY BitLicense, badly drafted legislation can drive away business and lead to a lack of service providers willing to do business in a region.

While we’re not suggesting that the proposed amendments are nearly as ill-conceived as the NY BitLicense, it is important to consider whether or not these will affect Canadians’ ability to access services, and the attractiveness of the Canadian market generally for innovative international businesses. While we do not expect this particular amendment to be altered, we would encourage businesses located outside of Canada that serve Canadians to comment.

What Next?

If you’ve read this far, congratulations and thank you!

We hope that you will contribute your thoughts and comments. You can do this by contacting the Department of Finance directly. Their representative on this file is:

Lynn Hemmings

Acting Director General

Financial Systems Division

Financial Sector Policy Branch

Department of Finance

90 Elgin Street

Ottawa, Ontario

K1A 0G5

Email: fin.fc-cf.fin@canada.ca

If you would like assistance drafting a submission, or have questions that you would like Outlier to answer, please get in touch!

You can also answer specific questions in our survey, or join us at a community event.

FINTRAC Identification Guidance

Background

Identification Methods For Individuals

Government-Issued Photo Identification Method

Credit File Method

Dual-Process Method

Identification Methods For Organizations

Other Identification Considerations

Conclusion

We’re Here To Help

2019 AML Regulation Highlights for Dealers in Virtual Currency

Hefty Disclaimers & Sharing

Dealers In Virtual Currency

Digital Identification and “Authentic” Documents

Registering as a Money Services Business (MSB)

Building or Updating Your Compliance Program

Customer Identification and Collecting KYC Information

FINTRAC Reporting

For Extreme Compliance Nerds

Need a Hand?

2019 AML Updates – Redlined Versions

Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations

Proceeds of Crime (Money Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations

Proceeds of Crime (Money Laundering) and Terrorist Financing Registration Regulations

Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations

Cross-Border Currency and Monetary Instruments Reporting Regulations

Need a Hand?

FATF, VASP – What Does It All Mean?

What is the FATF Anyway?

Virtual Assets and Virtual Asset Service Providers

What Will It Mean for Businesses to be Regulated?

Thinking about Risk

A Quick Note on Financial Inclusion & De-Risking

Margin Notes

Need a Hand?

Now We Wait… Canada’s Proposed AML Updates

What Now?

We’re Here To Help

Why rich people don’t just open a bank…

Opening a bank is expensive.

You will spend money for years before you serve customers.

Your team will spend a long time pleasing regulators before you’re operational.

You’re probably not going to be the CEO…

… or even on the Board of Directors.

Well That’s Awkward!

What can you do instead?

We’re Here To Help

AML Changes For The Real Estate Sector

Here We Go Again! Canada’s Proposed AML Changes for Real Estate Developers, Brokers and Sales Representatives

What does this mean for my business?

What’s New?

Virtual Currency:

What existing requirements are changing?

24-hour rule:

Identification:

Records:

Risk Assessment:

Suspicious Transaction Reporting:

Schedules:

Training:

What’s Next?

Canada’s Proposed AML Changes for MSBs

What’s Old is New Again, Well Updated

♬The Times Regulations Are Changing♬

Foreign MSBs

Non-Face-To-Face Customer Identification

Reporting EFTs of $10,000 or More

Third Party Determination

Suspicious Transaction Reporting

Information Included In Reports to FINTRAC

Ongoing Compliance Training

Risk Assessment Obligations

Virtual Currency

What Next

The Dos & Donts of Breaking into Blockchain

Get Involved

Learn The Ropes

Get Some Skin In the Game

Prove Your Value