Dealers in Virtual Currency | Outlier Solutions

OSFI

There were no updates released from OSFI this week.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released two updates last week, related to the Zimbabwe, Counter-Terrorism and Non-Proliferation Designation Lists. A total of three individuals and six entities were added to the respective lists. OFAC also released the publication of Iran-related General License I and related FAQs.

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals. The sanctions target countries, regimes, terrorists, international narcotics traffickers, the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S. All of the additions mentioned above were related to aviation, the names added were either connected to an avionics regime, or were the entity under which they were operating. As for the Iran-related updates, in order to allow for more efficient processing of applications under the Statement of Licensing Policy for Activities Related to the Export or Re-export to Iran of Commercial Passenger Aircraft and Related Parts and Services, OFAC has issued General License I: Authorizing Certain Transactions Related to the Negotiation of, and Entry into, Contingent Contracts for Activities Eligible for Authorization Under the Statement of Licensing Policy for Activities Related to the Export or Re-export to Iran of Commercial Passenger Aircraft and Related Parts and Services. OFAC also updated the Frequently Asked Questions Relating to the Lifting of Certain U.S. Sanctions under JCPOA.

See the Zimbabwe update on OFAC’s website.

See the Counter-Terrorism and Non-Proliferation update on OFAC’s website.

See OFAC’s recent actions page.

Need A Hand?

We would love to hear from you. If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

OSFI

On March 2^nd, 2016, the Office of the Superintendent of Financial Institutions (OSFI) released the United Nations Security Council’s (UNSC) Al-Qaida and Taliban Regulations (UNAQTR) update to the consolidated list, underscoring recent information updates on 11 individuals and one entity.

The 11 individuals are subject to the assets freeze, travel ban and arms embargo set out in paragraph 2 of Security Council resolution 2253 (2015) adopted under Chapter VII of the Charter of the United Nations. The individuals all have different nationalities, locations and expertise, but they have been tied to Al-Qaida. The entity included is a Moroccan-led terrorist organization formed in August 2013, and were last known to be operating in the Syrian Arab Republic.

See the update on the United Nations (UN) website.

Go to the OSFI lists page.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released one update last week, related to North Korea and Non-Proliferation Designation Lists updates. A total of 11 individuals and five entities were added to both lists. OFAC also released two updates where information related to two entities was changed.

See the update on OFAC’s website.

See OFAC’s recent actions page.

Need A Hand?

We would love to hear from you. If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

OSFI

On February 23^rd, 2016, the Office of the Superintendent of Financial Institutions (OSFI) released the United Nations Security Council (UNSC) ISIL (Da’esh) and Al-Qaida Sanctions Committee’s update, underscoring recent information updates on five individuals.

The five individuals are subject to the assets freeze, travel ban and arms embargo set out in paragraph 2 of Security Council resolution 2253 (2015) adopted under Chapter VII of the Charter of the United Nations. All of the updates relate to their most recent known location, 4 of which being, prison. The final was a ‘last known address’ update for a Tunisian individual, though he was reported as ‘in detention’ in Tunsia, as at December 2009.

See the update on the United Nations (UN) website.

Go to the OSFI lists page.

OFAC

The U.S. Department of Treasury’s Branch, The Office of Foreign Asset Control (OFAC), released two updates last week, but both related to settlement of alleged enforcement actions, or civil penalties related to alleged violations of the Cuban Assets Control Regulations (CACR). The enforcement actions were on two entities, CGG Services S.A., formerly known as CGGVeritas S.A. (CGG France) and Halliburton Atlantic Limited (HAL) on behalf of itself and its affiliate, Halliburton Overseas Limited (HOL).

See OFAC’s recent actions page.

CGG France has agreed to pay $614,250 USD for numerous alleged violations of Cuban Sanctions, when they exported spare parts and other equipment from the United States to M/V Amadeus while the vessel operated in Cuba’s territorial waters.

See the update on OFAC’s website.

The enforcement actions against HAL were for alleged violations of Cuban Sanctions, by dealing in property in which Cuba, or a Cuban national, had an interest when they exported goods and services in support of oil and gas exploration and drilling activities within the Cabinda Onshore South Block oil concession in Angola. HAL knew, or should have known, they were dealing in property in which Cuba had an interest. HAL issued 19 invoices to the Consortium operator Cupet, a company with headquarters in Angola, related to these goods and services, and HAL primarily performed the services which were invoiced. OFAC determined that the alleged violations were voluntarily self-disclosed and constituted a non-egregious case. The total transaction value of the alleged violations was $1,189,752 USD. The statutory maximum civil monetary penalty for the alleged violations was $1,235,000 USD and the base penalty amount for the alleged violations was $423,202 USD. HAL has agreed to pay $304,706 USD.

See the update on OFAC’s website.

Need A Hand?

We would love to hear from you. If there are subjects in this post that you would like to know more about, or if you need assistance with your compliance program, please contact us.

If you’ve received an email, letter or call telling you that a larger than usual sum of money is headed your way, but before it can be delivered to your bank, you are required to get a clearance certificate, you are being set up for a scam.

The Setup

The scam goes by many names, but the setup is almost always the same…

Step 1: The Sexy Promise

The scammers need you to want to talk to them. To pique your interest, they’ll promise something that they think you will want. In most cases, it’s not a crazy sum of money that will be sent to you – most people would immediately recognize that as a scam. Instead, it will be a reasonable sum that is nonetheless attractive for your business.

In the most sickening cases that we’ve seen, the scammers have focused on charities by posing as potential donors. Outlier has even received a request for a clearance certificate from a “prospective client overseas.”

Step 2: The Legitimate Power

The scammers will claim that the certificate is being requested by a legitimate organization. Some of the scams that we’ve seen have said that certificates are required by:

Financial Transactions and Reports Analysis Centre of Canada (FINTRAC),
Financial Crimes Enforcement Network (FinCEN),
Office of the Currency Controller (OCC).
Securities Exchange Commission (SEC),
S. Department of Homeland Security,
International Monetary Fund (IMF), and
Financial Action Task Force (FATF).

None of these agencies issue, require, or have any other involvement with clearance certificates. In fact, if you call any of these agencies to ask about clearance certificates, they will tell you that you are likely the victim of a scam.

Step 3: The Real Threat

The type of “clearance certificate” that the scammers will ask for varies, but it’s usually something that most businesses have at least read about in the news, like “anti-money laundering” or “anti-terrorism.” It’s always something that sounds like it could be a real threat, although definitely not the type of threat that you would pose. Sometimes the requests will be phrased in a way that’s meant to make you feel a little bit indignant (“Why would this person think I’m a money launderer or a terrorist?!?)…

This is all part of the scam. If you’re emotional, you may not be thinking clearly, and it helps the scammer to build rapport with the victim. The scammer may offer consolations like, “Of course, I know that you’re not a criminal, but according to the * insert the authority from step 2 here * we must take these precautions…”

Step 4: Solving the Problem

The scammer is trying to collect as much information (especially financial information) as possible. The scammer will ask for your details directly (all for the purpose of obtaining the certificate, of course) or helpfully suggest a site for a “company” that can help you get your certificate.

Generally, this site requires a credit card payment (these may range from a few hundred to several thousand dollars). In more sophisticated scams, the site’s fine print states that the certificates are “not authorized by any government or international body” and that there are absolutely no refunds. This means that even if the victim reports the scam to their credit card company, they may not be able to issue a refund.

Step 5: Profit

At this stage, the scammers have the victim’s banking and/or credit card information. They may use this to conduct transactions (like draining the bank account or paying for things with the credit card), or simply sell the information on the dark web to other scammers.

Don’t Get Caught Up

It can be hard to believe that someone that you’ve been corresponding with, someone that seems like they could be good for business, is really just a scammer. It’s difficult, and embarrassing – but the sooner you exit the situation, the better off you are.

While you should report the incident (more about that below), it can be dangerous to attempt to bait the scammer to get more information about them (and the information that they provide is likely to be false in any case). Do collect as much information from your existing correspondence with the scammer (including screen captures and/or links to any websites that the scammer has provided you with), as these will be helpful in reporting the scam.

But if You Did, Protect Yourself

If you have already provided some, or all, of your financial details, it’s in your best interest to act quickly. Contact your financial institution(s) and let them know what’s happened. They will be able to close your existing accounts, issue new accounts and review your recent transaction history with you.

Report It

At any point, you can report the scam to the Canadian Anti-Fraud Centre either online or by phone (1-888-495-8501).

Need A Hand?

While Outlier is not a law enforcement or investigative agency, we do conduct staff training sessions, including training related to common scams and how to recognize them. You can get in touch with us at info@outliercanada.com or by using the online form.

It seems that every time I’m at a conference or event related to compliance, I hear people talking about going “above and beyond” the requirements. Something about this statement has always seemed wrong to me. It wasn’t until recently that I understood why: most of us aren’t getting the basics right.

Most Of Us Are Failing At The Basics

This is not an indictment of Compliance Officers and the tremendous effort that goes into compliance. It’s a simple statistical fact.

We crunched some numbers by industry for anti-money laundering (AML) compliance in Canada based on information obtained from the regulator through an access to information request in 2014. The rate of examinations for which there were no deficiencies (across all reporting entity types) was 17 percent. While we congratulate the savvy few that met this bar, that leaves 83 percent of reporting entities that failed to meet the basic requirements in some way.

While these results are specific to examinations conducted by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), it’s not unreasonable to assume that the results can be generalized to compliance more broadly.

Shift The Focus

Before anyone can go “above and beyond” the fundamentals should be solid. One of the most painful reviews (like an audit for compliance) that I’ve conducted was a classic case of going above and beyond while completely missing the mark on baseline compliance. The reporting entity had great technology and related risk ranking metrics. The methods that they used to understand customer behavior involved machine learning and geo-location data at each login, analyzed over time. It was a great risk management strategy, except that they hadn’t identified a single customer in accordance with the law. Not a single one…

Ironically, in working to design measures that went beyond the basic compliance requirements, they found themselves so far outside of what was allowable under the law that had an examination been conducted by a regulator at the time, they could have been facing a very hefty penalty (as was the case for Ripple Labs in the USA).

Consequently, they spent a good deal of time and money updating their systems and identifying customers. In some cases, customers were lost. The (re)identification process was frustrating for people that believed that they had already completed everything that was needful in order to transact freely. There were updates to process documents and IT systems that took place over the course of months, and a good deal of frustration at the rework involved.

A competent third party or in house expert can be useful in assisting with system and process design, provided that they are able to understand your business model, basic compliance requirements and how to achieve these in the most elegant way possible.

Keep It Simple (Seriously)

At a recent conference, I was listening to a speaker whom I consider a model for what not to do, both functionally and ethically. As he sweepingly gestured towards an overly complex chart, he stared into the blank faces of his audience and proclaimed “It’s ok if you don’t get it. That’s not the point. The point is that I should look impressive. Are you impressed?” I was not.

Which model fits your needs?

Remember that the people that are usually fulfilling your compliance requirements are your frontline staff. Would they be able to use the model to the left to risk rank your customers?

While it can be tempting to create complex rating systems, it’s important to understand that your compliance program should be functional. If the system that you’ve created is too complex for your staff to understand and adhere to, it will fail. Whether you’re hiring someone external or creating your program in-house, remember to keep it as simple and easy to follow as possible.

Ask, Check, Test

One of the many arguments that I’ve heard for going above and beyond is that this is helpful when dealing with regulators and banking service providers. While I agree that this can certainly be the case, it’s a moot point if the basic requirements are not met.

In my experience, both regulators and bankers are candid – when asked – about where their expectations are set. There is no real appetite on the part of either to create a set of secret standards related to going above and beyond. From a practical perspective, this means that reporting entities should be focused on understanding the basic requirements, and seeking clarification as needed.

Effectiveness reviews can also be a useful tool in this regard, provided that the reviewer or auditor is well versed in local compliance requirements. Similarly, internal testing should be geared towards baseline requirements to ensure that these are being met.

Opportunities & Innovation

Going above and beyond for its own sake (in terms of compliance) is neither required, nor particularly good business.

This is not to say that reporting entities should avoid innovation. Rather, these efforts should be focused and prioritized on finding the most cost-effective and efficient ways to meet baseline compliance requirements, and mitigating risk.

Changing compliance legislation can also provide opportunities for innovation, in particular where there are public consultations. This type of dialogue with lawmakers allows stakeholders to suggest alternatives that may mitigate risk in new and innovative ways. It provides an opportunity to showcase new technologies and processes that solve common compliance problems with greater efficiency (although they may not fit into the current regulatory paradigm).

Need A Hand?

We believe that good compliance is good business. If you have questions, please feel free to contact us.

On July 4^th, 2015, draft amendments to Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations were published in the Canada Gazette. These updates are intended to, among other things, strengthen Canada’s anti-money laundering (AML) regime and address certain technical issues. The draft does expand the definition of a money services business (MSB) to include “dealers in digital currency,” but digital currency businesses may still consider submitting comments related to the draft, as the consultation period of 60 days is open to the public.

This round of amendments didn’t include ‘dealers in digital currency’ – so why should you comment?

While dealers in digital currency are not yet regulated as MSBs, it is reasonable to expect that this is the direction Canada is taking based on Bill C-31, which was passed last year. This means that the regulations could apply to digital currency businesses in the near future. The 60-day comment period is likely to be the only public comment period before a final version of the amended regulations is published.

One of the most significant changes in the current draft relates to customer identification. The current customer identification methods for non-face-to-face customers (which apply to all online MSB customers) are complicated and heavily reliant on an individual having at least six months of Canadian credit history (you can learn more here). The proposed amendments have the potential to broaden the range of available sources to include sources other than credit reporting bureaus.

Digital currency businesses should consider commenting on these amendments. While we at Outlier consider the changes to be positive overall, we’re aware that there are many identification solutions on the market (many of which don’t meet the current Canadian identification requirements). This has caused more than a few headaches for businesses that operate online. While the proposed changes may alleviate some of the current pain points, businesses should consider how these fit with your business model and service providers.

Customer Identification Measures

In the text below, the text that is struck through includes proposed deletions, while the green text includes proposed additions. You can also see a full marked-up version of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations here.

MEASURES FOR ASCERTAINING IDENTITY

(1) In the cases referred to in sections 53, 53.1, 54, paragraph 54.1(a) and sections 55, 56, 57, 59, 59.1, 59.2, 59.3, 59.4, 59.5, 60 and 61, a person’s the identity of a person shall is to be ascertained, at the time referred to in subsection (2) and in accordance with subsection (3), in the following manner:

(a) By referring to the person’s birth certificate, driver’s licence, provincial health insurance card (if such use of the card is not prohibited by the applicable provincial law), passport or other similar document; or

(a) By referring to identification document that contains their name and photograph and that is issued by the federal government or a provincial government or by a foreign government other than a municipal government, and by verifying that the name and photograph are those of the person;

(b) if the person is not physically present when the account is opened, the credit card application is submitted, the trust is established, the client information record is created or the transaction is conducted,

(i) by obtaining the person’s name, address and date of birth and

(A) confirming that one of the following entities has identified the person in accordance with paragraph (a), namely,

(I) an entity, referred to in any of paragraphs 5(a) to (g) of the Act, that is affiliated with the entity ascertaining the identity of the person,

(II) an entity that carries on activities outside Canada similar to the activities of a person or entity referred to in any of paragraphs 5(a) to (g) of the Act and that is affiliated with the entity ascertaining the identity of the person, or

(III) an entity that is subject to the Act and is a member of the same association as the entity ascertaining the identity of the person, and

(B) verifying that the name, address and date of birth in the record kept by that affiliated entity or that entity that is a member of the same association corresponds to the information provided in accordance with these Regulations by the person, or

(ii) subject to subsection (1.3), by using one of the following combinations of the identification methods set out in Part A of Schedule 7, namely,

(A) methods 1 and 3,

(B) methods 1 and 4,

(C) methods 1 and 5,

(D) methods 2 and 3,

(E) methods 2 and 4,

(F) methods 2 and 5,

(G) methods 3 and 4, or

(H) methods 3 and 5.

(b) by referring to information concerning them that is received by the person or entity that is ascertaining their identity on request from a federal or provincial government body — or a body that is acting as the agent or mandatary of such a body — that is authorized in Canada to ascertain the identity of persons, and by verifying that either the name and address or the name and date of birth contained in the information are those of the person;

(c) by referring to information that is contained in the person’s credit file — if that file is located in Canada and has been in existence for at least three years — and by verifying that the name, address and date of birth contained in the credit file are those of the person;

(d) by doing any two of the following:

(i) referring to information from a reliable source that contains their name and address, and verifying that the name and address are those of the person,

(ii) referring to information from a reliable source that contains their name and date of birth, and verifying that the name and date of birth are those of the person, or

(iii) referring to information that contains their name and confirms that they have a deposit account or a credit card or other loan account with a financial entity, and verifying that information; or

(e) by confirming that one of the following entities previously ascertained their identity in accordance with any of paragraphs (a) to (d), and by verifying that the name, address and date of birth contained in the entity’s record are those of the person:

(i) an entity that is referred to in any of paragraphs 5(a) to (g) of the Act and that is affiliated with the entity that is ascertaining the person’s identity,

(ii) an entity that carries on activities outside Canada similar to the activities of a person or entity referred to in any of paragraphs 5(a) to (g) of the Act and that is affiliated with the entity that is ascertaining the person’s identity, or

(iii) a financial entity that is subject to the Act and that is a member of the same financial services cooperative or credit union central as the entity that is ascertaining the person’s identity.

(1.1) In the case referred to in paragraph 54.1(a), the identity of a person shall be ascertained by a person or entity, at the time referred to in subsection (2) and in accordance with subsection (3),

(a) by referring to the person’s birth certificate, driver’s licence, provincial health insurance card (if such use of the card is not prohibited by the applicable provincial law), passport or other similar document; or

(b) where the person is not physically present when the credit card application is submitted,

(i) by obtaining the person’s name, address and date of birth and

(A) confirming that one of the following entities has identified the person in accordance with paragraph (a), namely,

(I) an entity, referred to in any of paragraphs 5(a) to (g) of the Act, that is affiliated with the entity ascertaining the identity of the person,

(II) an entity that carries on activities outside Canada similar to the activities of a person or entity referred to in any of paragraphs 5(a) to(g) of the Act and that is affiliated with the entity ascertaining the identity of the person, or

(III) an entity that is subject to the Act and is a member of the same association as the entity ascertaining the identity of the person, and

(ii) subject to subsection (1.3), by using a combination of any two identification methods referred to in either Part A or Part B of Schedule 7, or

(iii) subject to subsection (1.3), where the person has no credit history in Canada and the credit limit on the card is not more than $1,500, by using combination of any two identification methods referred to in any of Parts A, B and C of Schedule 7.

(1.1) For the purposes of subparagraphs (1)(d)(i) to (iii), the information that is referred to must be from different sources, and the person whose identity is being ascertained and the person or entity that is ascertaining their identity cannot be a source.

(1.2) for the purposes of paragraphs (1)(b)(i) and (1.1)(b)(i), an entity is affiliated with another entity if one of them is wholly owned by the other or both are wholly owned by the same entity.

(1.2) The person or entity that is ascertaining the identity of a person who is at least 12 years of age but not more than 15 years of age may refer under subparagraph (1)(d)(i) to information that contains the name and address of one of the person’s parents or their guardian or tutor in order to verify that the address is that of the person.

(1.21) For the purposes of subparagraphs (1)(b)(i) and (1.1)(b)(i),

(a) a financial services cooperative and each of its members that is a financial entity are considered to be members of the same association; and

(b) a credit union central and each of its members that is a financial entity are considered to be members of the same association.

(1.3) A combination of methods referred to in sub-paragraph (1)(b)(ii) or (1.1)(b)(ii) or (iii) shall not be relied on by a person or entity to ascertain the identity of a person unless

(a) the information obtained in respect of that person from each of the two applicable identification methods is determined by the person or entity to be consistent; and

(b) the information referred to in paragraph (a) is determined by the person or entity to be consistent with the information in respect of that person, if any, that is contained in a record kept by the person or entity under these Regulations.

(1.3) If a document is used to ascertain identity under subsection (1), it must be original, valid and current. Other information that is used for that purpose must be valid and current and must not include an electronic image of a document.

(2) The identity shall be ascertained

(a) in the cases referred to in paragraph 54(1)(a) and subsection 57(1), and paragraph 60(a), before any transaction other than an initial deposit is carried out on an account;

(b) in the cases referred to in section 53, paragraph 54(1)(b), subsection 59(1) and paragraphs 59.3(a), 59.4(1)(a), 59.5(a), 60(b) and 61(b), at the time of the transaction;

(b.1) in the case referred to in section 53.1, before the transaction is reported as required under section 7 of the Act;

(b.2) in the case referred to in paragraph 54.1 (a), before any credit card is activated;

(c) in the cases referred to in paragraphs 55(a), (d) and (e), within 15 days after the trust company becomes the trustee;

(d) in the cases referred to in subsection 56(1) and paragraph 61(a), within 30 days after the client information record is created;

(e) in the cases referred to in paragraphs 59.1(a) and 59.2(1)(a), at the time of the transaction; and

(e.1) in the case referred to in paragraph 60(a), before any funds are disbursed; and

(f) in the case referred to in subsection 62(3), at the time a contribution in respect of an individual member of the group plan is made to the plan, if

(i) the member’s contribution is not made as described in paragraph 62(3)(a), or

(ii) the existence of the plan sponsor has not been confirmed in accordance with section 65 or 66.

(3) Unless otherwise specified in these Regulations, only original documents that are valid and have not expired may be referred to for the purpose of ascertaining identity in accordance with paragraph (1)(a) or (1.1)(a).

64.1 (1) A person or entity that is required to take measures to ascertain a person’s identity under subsection 64(1) or (1.1) may rely on an agent or mandatary to take the identification those measures described in that subsection only if that person or entity has entered into an agreement or arrangement, in writing, with that agent or mandatary for the purposes of ascertaining identity.

(2) A person or entity that enters into an agreement or arrangement referred to in subsection (1) must obtain from the agent or mandatary the customer information obtained by the agent or mandatary under that agreement or arrangement.

(2) The person or entity may rely on measures that were previously taken by an agent or mandatary to ascertain the person’s identity if the agent or mandatary was, at the time they took the measures,

(a) acting in their own capacity, whether or not they were required to take the measures under these Regulations; or

(b) acting as an agent or mandatary under a written agreement or arrangement — entered into with another person or entity that is required to take measures to ascertain a person’s identity — for the purposes of ascertaining identity under subsection 64(1).

(3) In order to rely on measures taken by an agent or mandatary under subsection (1) or (2), the person or entity shall

(a) have entered into a written agreement or arrangement with the agent or mandatary for the purposes of ascertaining a person’s identity under subsection 64(1);

(b) obtain from the agent or mandatary all of the information that the agent or mandatary used to ascertain the person’s identity; and

(c) be satisfied that the information is valid and current and that the agent or mandatary ascertained the person’s identity in the manner described in any of paragraphs 64(1)(a) to (d).

64.2 Every person or entity that is required under these Regulations to ascertain a person’s identity in connection with a record that the person or entity has created and is required to keep under these Regulations — or in connection with a transaction that they have carried out and in respect of which they are required to keep a record under these Regulations or under section 12.1 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations — shall set out on or in, or include with, that record the person’s name and the following information:

(a) if the person or entity referred to an identification document under paragraph 64(1)(a), the type of document referred to, its reference number and the issuing authority and, if available, the place it was issued and its expiry date;

(b) if the person or entity referred to information under paragraph 64(1)(b), the source of the information, the type of information referred to, a reference number associated with the information and the date on which the person or entity verified the information;

(c) if the person or entity referred to information under paragraph 64(1)(c), the source of the information, the reference number associated with the search of the credit file and the date on which the person or entity verified the information;

(d) if the person or entity referred to information under paragraph 64(1)(d), the source of the information, the type of information referred to and the account number contained in it — or if there is no account number contained in it, a reference number associated with the information — and the date on which the person or entity verified the information; or

(e) if the person or entity confirmed under paragraph 64(1)(e) that another entity had previously ascertained the person’s identity, the name of that entity, the manner in which it previously ascertained the person’s identity under any of paragraphs 64(1)(a) to (d), the applicable information set out in one of paragraphs (a) to (d) of this section that is associated with that manner of ascertaining identity and the date on which the person or entity verified the information.

Submit comments by September 12, 2015

Comments must be submitted in writing during the comment period, either by email or snail mail:

Snail Mail:

Lisa Pezzack, Director Financial Systems Division,

Financial Sector Policy Branch Department of Finance

90 Elgin Street Ottawa, Ontario K1A 0G5

Email:

fcs-scf@fin.gc.ca

Need a Hand?

At Outlier, we believe that it is important to participate in decisions that affect you and your business. If you would like someone to look over your submission before you make comments to the Department of Finance, you can get in touch with us free of charge. We will look over your submission and make suggestions, without any cost to you. If you need a hand, please feel free to contact us.

We’ve created a marked-up version of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) that reflects the draft amendments posted in the Canada Gazette on July 4th, 2015.

Here’s a printable and downloadable PDF file: PCMLTFR Mark-Up (July 4, 2015 Draft Amendments)

If you would like a copy of the file in Microsoft Word, please contact us.

Need A Hand?

At the Canadian Institute’s 14^th Annual AML Forum, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) reviewed its expectations for suspicious transaction reporting. FINTRAC emphasized that suspicious transaction reports (STRs) are vital to the agency’s mandate as Canada’s financial intelligence unit (FIU) and ongoing collaboration with law enforcement agencies. While reporting entities (REs) in Canada have been required to report transactions for quite a few years, we’ve had many questions from REs about what FINTRAC expects and looks for in examinations. FINTRAC’s most recent guidance is useful in tuning your technology, enhancing your processes, and asking the right questions at industry association meetings.

What is FINTRAC Looking for in STRs?

When FINTRAC conducts compliance examinations, they will be applying three tests to STR data, including:

Entity Practitioner: FINTRAC will look for transactions that are similar to those involved in STRs that you have reported. If there are similar transactions or transaction patterns that have not been reported to FINTRAC, there should be an explanation for the difference. Where possible, this explanation should be documented.
Sector Practitioner: FINTRAC will compare the number and type of STRs submitted by similar entities. The size and type of business are taken into consideration.
Reasonable Practitioner: FINTRAC will analyze a sample of reported STRs and unreported transactions against relevant guidance. In this case, relevant guidance means the suspicious transaction indicators from FINTRAC’s Guideline 2 that are applicable to your business.

These are terms that we’re likely to hear more about over the coming months, and there are compliance program adjustments (most of them relatively simple) that can be made to ensure that you’re meeting this standard.

Tune Your Technology

Most REs use software solutions to detect potentially suspicious transactions. Almost all transaction monitoring software uses some type of rules-based system to determine when alerts should be generated. These rules should, at minimum, reflect the indicators that are applicable to your business. Not all of the indicators from FINTRAC’s Guideline 2 will be applicable to your business. Where possible, you should document the decisions that you make about your transaction monitoring rules, including the rationale for those decisions.

The most sophisticated software platforms have machine learning functions. These can take the decisions that have been made about previous alerts and use this information to refine how the program works. For example, if a particular pattern of transactions was deemed to be suspicious, the program may look for similar patterns.

If you’re not using software that does this on its own, don’t panic. You can review the STRs that you’ve submitted to FINTRAC to determine whether your transaction monitoring rules are tuned to reflect the types of money laundering and terrorist financing threats that you’ve previously encountered. This should be done on a regular basis (for example, as part of your Risk Assessment updates). If you have an STR that is related to a pattern that you don’t have a rule to cover, you may want to do this sooner, rather than waiting for the next scheduled update.

Train Your Staff

Over the years, I’ve heard many Compliance Officers express frustration about not knowing whether or not STR data has been useful to FINTRAC or law enforcement. To close this gap, I’ve looked for articles and speakers from FINTRAC and law enforcement that could provide meaningful information about the type of information that is most useful. The same principle applies to your staff.

You can use existing cases (you’ll want to remove any personal information for training purposes) to demonstrate the type of transactions that you want your staff to escalate to compliance for review. Existing cases from the media, and end to end cases provided by training companies like TAMLO, are also excellent resources. Keeping your annual training fresh is a challenge, and using your STRs as cases is one way to do that, while also meeting FINTRAC’s expectations.

Refine Your Audits & Effectiveness Reviews

Are your auditors and/or reviewers using the same tests that FINTRAC is using to assess your compliance? If you’re not certain, ask.

If you perform self-assessment testing, you may want to include these tests as well.

As of 2015, all AML Compliance Effectiveness Reviews performed by Outlier will use these three key tests to assess STR data.

Ask Your Industry & Working Groups for More

Most REs have excellent industry associations and working groups such as the Canadian Banker’s Association (CBA), Canadian MSB Association (CMSBA) or the Canadian Jewellers Association (CJA). These groups are excellent resources and can help you understand STR trends across your industry. If you’re not a member, you may still be able to attend regular conferences or events.

Need A Hand?

We would love to hear from you. If there are topics that you would like to know more about, or if you need assistance with your compliance program, please contact us.

The Canadian Money Services Business Association (CMSBA) recently held their Spring Training events in Montreal, Vancouver and Toronto. The list of speakers included MSB industry professionals, as well as representatives from regulators including the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). For a full synopsis of the Montreal and Toronto events, click here. FINTRAC presented excellent statistical data about how MSBs have fared in examinations conducted between April 2011 and July 2014. So how are MSBs faring? Very well overall.

Data obtained through a freedom of information request indicates that almost 25% of MSBs examined between 2008 and 2013 have not had any deficiencies.

How Does FINTRAC Decide Who Is Examined?

FINTRAC considers several factors when deciding which reporting entities (REs) will be examined.

Concurrent Examinations: examinations conducted in tandem with the Office of the Superintendent of Financial Institutions (OSFI). This is applicable to federally regulated financial entities (FRFEs) like banks.
Market Share: The largest reporting entities in Canada (because the larger an organization is, the more critical the risk of non-compliance will be);
Cyclical: Coverage of a whole industry (this seemed to apply most to Casinos).
Follow-Up: Subsequent examinations based, with an emphasis on the resolution of deficiencies found in previous examination(s) to ensure remediation. FINTRAC noted that although it is no longer a requirement to submit a formal action plan to FINTRAC, it is a best practice for REs to document (and update) an action plan internally.
Risk: FINTRAC’s evaluation of the RE’s risk, based on a broad selection criteria, such as money laundering and terrorist financing vulnerabilities, the likelihood of non-compliance and industry trends.
Theme-Based: Related to specific intelligence about a RE or type of business that indicates there may be an elevated risk of non-compliance, money laundering vulnerability or terrorist financing vulnerability.

Methodology & Analysis

FINTRAC’s statistical analysis of MSB adherence to the requirements laid out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its regulations is broken down by percentage, the results of the exams conducted that were fully compliant, partially compliant and non-compliant. These are colour coded:

Green: fully compliant (no deficiencies were observed),
Yellow: partially compliant (there was something in place, but the MSB missed something), and
Red: non-compliant (in most cases, there was nothing in place or a reporting timeframe was missed).

Overall examination results have been positive.

It’s noteworthy that if FINTRAC has, as of 2014, found something during an examination that is considered ‘immaterial’, it’s not cited. For example, in a large sample, if there are two client addresses that appear to be PO boxes, but all other client addresses were complete and in acceptable formats, there may not be a citation. In these cases, FINTRAC may inform the RE verbally, but it will not be part of the formal ‘findings’ letter.

Compliance Officer

MSBs are required to have a Compliance Officer (a person that is responsible for overseeing the AML & CTF compliance program). The appointment of the Compliance Officer must be documented in writing. FINTRAC staff chided that this is likely the easiest area to achieve a fully compliant result in examinations. MSB examination results certainly reflected this.

From a total of 612 MSB examinations considered, 608 MSBs were fully compliant.

Only four MSBs were deemed to be non-compliant. It was noted that these were generally new market entrants that did not appear to understand Canadian AML & CTF compliance requirements.

Policies and Procedures

MSBs are required to have policies and procedures. Policies describe the MSB’s regulatory obligations, while procedures describe what the MSB is doing to meet those requirements. These must be documented, in writing, and the procedures must cover both staff and agents (if the MSB has agents).

From a total of 765 MSB examinations considered, 477 MSBs were fully compliant.

In 230 examinations, MSBs were deemed to be partially compliant. Common errors included:

The omission of the 24-hour rule (specific descriptions of how the MSB determined whether or not reportable transactions had occurred over a 24 hour period),
Third party determinations (specific descriptions of when an MSB must determine if there is a third party involved, as well as what information needs to be collected and recorded), and
Politically exposed foreign person (PEFP) determinations (specific descriptions of when an MSB must determine if their client is a PEFP, and if so, what information needs to be collected/recorded. There is also a requirement that senior management signoff on the account within 30 days of the determination).

A total of 55 MSBs did not have any documented policies or procedures. In some cases, FINTRAC noted that there appeared to be processes in place, but that these were not documented in writing.

Training

MSBs are required to have an ongoing training program. The training program must be documented (who, what, where, when and how) and delivered to all staff and agents on an annual basis, at minimum.

From a total of 487 MSB examinations considered, 346 were fully compliant.

In 63 examinations, MSBs were deemed to be partially compliant. Common errors included:

Interviews conducted with staff during an examination that evidenced a misunderstanding of the requirements (during an exam, FINTRAC will interview random staff members related to regulatory requirements to ensure training effectiveness)

In 78 examinations, MSBs did not have any training in place, or if they did, it was not documented.

Among the training options available to MSBs, we’re most excited about a relatively new offering from TAMLO that includes fast paced and visually stunning video content, as well as testing and tracking tools for Compliance Officers.

AML Compliance Effectiveness Review

MSBs are required to complete an AML Compliance Effectiveness Review once every two years. The review must cover all policy and procedure documentation, as well as operational testing to ensure procedures are being properly followed.

From a total of 722 MSB examinations considered, 412 were fully compliant.

In 101 examinations, MSBs were deemed to be partially compliant. Where MSBs missed the mark was typically because they did not respect the two year cycle. Other common errors included:

Only reviewing the policy documents with no operational testing of whether they are being followed (the policy document tells staff and agents what to do. Procedures tell them how to do it. MSBs must be sure they are testing whether staff and agents are adhering to the procedures).

In 209 examinations, MSBs had not conducted an effectiveness review or could not provide evidence of one taking place.

Risk Assessment

MSBs are required to assess the risk that their business could be used for money laundering or terrorist financing. The risk assessment must include four key components:

Products, services and delivery channels;
Geography;
Customers; and
Any other relevant factors.

Risk must be assessed and scored, and mitigated by appropriate controls.

From a total of 720 MSB examinations considered, 432 were fully compliant.

In 158 examinations, MSBs were deemed to be partially compliant. The main issue was failing to include one of the four required elements. In some cases, a risk assessment was in place, but the documentation was not sufficient in assessing the MSB’s risk and controls.

In 129 examinations, MSBs had no evidence of a risk assessment.

FINTRAC noted that additional industry-specific risk assessment guidance is expected to be published later this year.

MSB Registration

MSBs are required to register with FINTRAC, as well as update their information within 30 days if there are any changes to business activities, banking or agent information.

From a total of 591 MSB examinations considered, 230 were fully compliant.

In this category, no partially compliant ratings were provided (the MSB registration was either complete, accurate and up to date, or it was deemed to be non-compliant).

In 361 examinations, MSBs were deemed to be non-compliant. Most issues were due to a failure to update information when something within the business had changed or a failure to list all business activities. For example, the MSB registration may indicate that an MSB only performed foreign exchange in a case where remittance services were also provided.

Client Identification

MSBs are required to identify their clients in certain situations. There are prescribed methods for completing this both in person and non-face-to-face (NF2F), and the identification document (ID) information must be recorded.

From a total of 796 MSB examinations considered, 621 were fully compliant.

In 64 examinations, MSBs were deemed to be partially compliant. Common errors included:

Unacceptable ID (such as health card in Ontario);
Accepting ID that was expired at the time of the transaction (identification documents must be valid, or not expired, at the time they are reviewed);
Failing to record the prescribed details of the ID used (when reviewing a client’s ID, MSBs must keep a record of certain prescribed information); and
In Non-Face-To-Face Identification situations, only using one method, or using an unacceptable combination of methods (when identifying a customer who is not physically present, there are prescribed methods of how this is to be accomplished).

In 111 examinations, MSBs were non-compliant with client identification requirements.

Record Keeping

MSBs are required to keep certain records related to transactions and client identification. These records must be stored in a manner that they can be accessed in the event they are requested, and must be maintained for at least five years.

From a total of 811 MSB examinations considered, 470 were fully compliant.

In 300 examinations MSBs were deemed to be partially compliant. In these cases, record keeping was taking place but elements of the record keeping requirements were being overlooked. Common issues included:

Missing telephone numbers;
Vague occupation information (for example “manager” or “worker”);
PO boxes recorded as customer addresses;
Missing postal codes;
Third party determinations that were incomplete; and
Payment methods for incoming and outgoing payments.

In 41 examinations, MSBs were non-compliant with record keeping requirements.

Third Party Determinations

MSBs are required to make a third party determination in certain prescribed circumstances, as well as collect and record certain information (name, address, date of birth, occupation and relationship to your client) about the third party.

The total number of MSBs included in the review was not provided, with the statement: “there was not enough information available to conduct reasonable analysis”. However, the total number of non-compliant MSBs was 6, indicating that approximately 600 MSB examinations were considered in this sample.

FINTRAC Reporting

When FINTRAC assesses reporting obligations, it uses the internal acronym “QTV”, which stands for quality, timing and volume. Quality refers to the information in the report, specifically, if the report has all the required information. Timing simply means, was the report filed within the designated timeframe. Volume is slightly more complicated, but mainly refers to the amount of reports you have filed compared to your previous submissions. It was noted that typically, where MSBs were deemed partially compliant, it was due to the quality. Where non-compliance was related to the timing.

Electronic Fund Transfers Reports

MSBs are required to submit electronic funds transfer (EFT) reports to FINTRAC within 5 business days from the date the transaction took place. An EFT includes the international transfer of CAD 10,000 or more, either in a single transaction, or multiple transactions within a 24-hour period.

From a total of 434 MSB examinations considered, 165 were fully compliant.

In 87 examinations, MSBs were deemed to be partially compliant. MSBs were typically failing to include all required information, such as:

Phone number;
Date of birth; or
Postal code.

It is noteworthy that while not all fields are marked as required in F2R, all fields must be filled in if the MSB has recorded the information.

In 182 examinations, MSBs were deemed non-compliant, with most not reporting the EFTs within the specified time frame, and a small portion missing EFT reports.

Large Cash Transaction Reports

MSBs are required to submit large cash transaction (LCT) reports to FINTRAC within 15 calendar days from the date of the transaction, if the transaction was CAD 10,000 or more in cash, either in a single transaction, or multiple transactions within a 24-hour period.

From a total of 428 MSB examinations considered, 232 were fully compliant.

In 104 examinations, MSBs were deemed to be partially compliant. MSBs were typically failing to include all required information, such as:

Occupation;
Date of birth;
Postal code; or
Type of ID used to identify the client.

In 92 examinations, MSBs were non-compliant, with most not reporting the LCTs within the specified time frame, and a small portion missing LCT reports.

Suspicious Transaction Reports

MSBs are required to submit suspicious transaction reports (STRs) and attempted suspicious transaction reports (ASTRs) to FINTRAC within 30 calendar days from the date the transaction is deemed suspicious by the Compliance Officer.

From a total of 285 MSB examinations considered, 262 were fully compliant.

In 14 examinations, MSBs were deemed to be partially compliant. In these cases, MSBs were typically failing to include all required information.

In 9 examinations, MSBs were non-compliant. Failing to file STRs carries relatively sever penalties, as the Canadian intelligence community relies on this type of reporting to build cases. Where items are escalated as being potentially suspicious (either by staff or a transaction monitoring system), MSBs should always document the reason that these items are deemed not to be suspicious if no STR or ASTR reporting is completed.

Need a Hand?

If you are an MSB that needs compliance assistance (or a bank that wants assistance in setting up and maintaining a compliance regime that effectively manages MSB related risk), please contact us.

We were fortunate enough to be able to attend the Canadian MSB Association (CMSBA)’s Montreal and Toronto spring training days. For Money Services Businesses (and those affiliated with the industry), the CMSBA is an excellent resource for collaboration, information sharing and advocacy. For those that were not able to attend any of the spring training sessions, here’s a roundup of the topics covered.

FINTRAC & MSB Compliance Examinations

Canada’s federal regulator for anti-money laundering (AML), the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), provided in depth statistics related to compliance examinations, as well as common issues for MSBs. Despite what some highly publicized administrative monetary penalties (AMPs) may lead you to believe, MSBs are faring well as a sector in FINTRAC’s compliance examinations. It’s noteworthy that through a freedom of information request, Outlier obtained data on the number of MSBs that did not have any deficiencies in examinations. Between 2008 and the end of 2014, this amounted to approximately 25% of all MSBs examined. In most cases, MSBs were largely compliant, with some partial deficiencies.

For a complete breakdown of common issues noted in examinations, click here.

AMF, Respondents & Digital Currency

Québec’s provincial regulator, the Autorité des Marchés Financiers (AMF), provided clarification on its expectations for MSB respondents. For MSBs dealing with customers in Québec that do not have offices in the province, a respondent must be nominated to deal with the AMF on the MSB’s behalf. Among the requirements are that the respondent must:

Be over 18 years old;
Have an address in Québec (home address or business address); and
Not be under tutorship, curatorship or advisorship.

The AMF also addressed digital currency, noting that not all digital currency business models are covered by the Québec MSB Act, and that there must be an element of fiat currency involved in the transactions. Both the AMF’s press release from February 2015 and the current presentation confirmed that digital currency trading platforms (that include fiat currency transactions) and digital currency ATMs are considered in scope. As there are a myriad of other digital currency related business models, if you are unsure of where you fit, you can contact the AMF and receive a decision (we recommend that you request a decision in writing where possible).

Agency Agreements

I had the honour of speaking about MSB agency agreements (the agreements between MSBs and their agents) with Susan Han (previously of AUM Law). Like most things, agent agreements should be documented in writing and clearly spell out the terms of the agreement. MSBs that take on agents should understand that the MSB would bear most of the risk (financial, compliance and reputational). Agents should be aware that the client (and information about the client) “belongs” to the MSB rather than the agent (and this information should always be provided to the MSB when it is requested).

International Collaboration & De-Risking

The CMSBA has partnered with MSB associations worldwide to increase awareness of the negative ways in which de-risking (which CMSBA Director Ken Saul noted should be called de-banking) affects the financial system. As the de-risking issue has affected MSBs worldwide, and there does not appear to be any effective solutions under consideration, a whitepaper was developed and presented to the Financial Action Task Force (FATF). This whitepaper has received a positive reception. Stay tuned for more on the international efforts in this regard.

One of the few Canadian Financial Institutions that (openly) banks MSBs, Luminus Financial, was on hand to discuss factors that MSBs should consider when dealing with banking relationships. MSBs should be prepared to provide complete and transparent information about their business. In order to achieve success in both obtaining and maintaining banking relationships, MSBs should be able to demonstrate that they are compliant and present information in a way that is well organized and addresses all of the questions and requests that the bank has made. In some cases, this will be a higher standard than simply meeting the minimum compliance requirements set out in law and regulation.

Compliance Maturity Model

In looking proactively at issues related to de-risking and demonstrating compliance, the CMSBA is working to develop a compliance maturity model (CMM). Currently, CMSBA members can complete the first stage of this model by completing an attestation form online. The attestation states that the MSB is compliant with applicable legislation and not subject to administrative or criminal proceedings. Questions, comments or suggestions related to the CMM can be directed to cmsba-cmm@canadianmsb.org.

Need a Hand?

If you are an MSB that needs compliance assistance (or a bank that wants assistance in setting up and maintaining a compliance regime that effectively manages MSB related risk), please contact us.

Sanctions This Week: March 21-27, 2016

OSFI

OFAC

Need A Hand?

Sanctions This Week: February 29-March 6, 2016

OSFI

OFAC

Need A Hand?

Sanctions This Week: February 22-28, 2016

OSFI

OFAC

Need A Hand?

AML “Clearance Certificates” are a Scam

The Setup

Don’t Get Caught Up

But if You Did, Protect Yourself

Report It

Need A Hand?

Above And Beyond What?

Most Of Us Are Failing At The Basics

Shift The Focus

Keep It Simple (Seriously)

Ask, Check, Test

Opportunities & Innovation

Need A Hand?

AML Regulation Updates & Digital Currency

This round of amendments didn’t include ‘dealers in digital currency’ – so why should you comment?

Customer Identification Measures

Submit comments by September 12, 2015

Need a Hand?

Proposed PCMLTFR Updates

Need A Hand?

Suspicious Transaction Reporting in 2015

What is FINTRAC Looking for in STRs?

Tune Your Technology

Train Your Staff

Refine Your Audits & Effectiveness Reviews

Ask Your Industry & Working Groups for More

Need A Hand?

FINTRAC Examination Results for MSBs

How Does FINTRAC Decide Who Is Examined?

Methodology & Analysis

Compliance Officer

Policies and Procedures

Training

AML Compliance Effectiveness Review

Risk Assessment

MSB Registration

Client Identification

Record Keeping

Third Party Determinations

FINTRAC Reporting

Electronic Fund Transfers Reports

Large Cash Transaction Reports

Suspicious Transaction Reports

Need a Hand?

Insights From the CMSBA Education Days

FINTRAC & MSB Compliance Examinations

AMF, Respondents & Digital Currency

Agency Agreements

International Collaboration & De-Risking

Compliance Maturity Model

Need a Hand?

Return to Blog Listing