
Updated FINTRAC Guidelines


Canada’s anti-money laundering (AML) regulator recently released draft guidance to help companies comply with legislative changes that become effective in February 2014. Those changes were designed to achieve better alignment of Canada’s systems with international AML standards. They impact the ways that financial institutions and other entities with AML responsibilities will identify their clients, monitor business relationships and otherwise manage their money laundering risks. MNP summarized the legislative changes in this blog article. This article focuses on areas where the newly drafted guidance provides clarity for seemingly ambiguous new legislative standards, areas where it appears to differ from the language of the new regulations, and other ways in which the newly drafted guidelines differ from their predecessors.

The regulator, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), is seeking comment on the draft guidance, which includes Guideline 4: Implementation of a Compliance Regime and Guideline 6: Record Keeping and Client Identification, to reflect the new standards. The guidance is meant to provide plain-language help to companies trying to comply with complex AML laws.

FINTRAC has requested that any comments be submitted to [email protected] by August 16, 2013.  They expect to publish the final guidance in the fall of 2013. Although useful for planning, readers are cautioned about using draft guidance to inform program amendments. Draft guidance may change before it is finalized, and even when finalized, guidelines do not have the force of law.

Most of the drafted changes in Guidelines 4 and 6 relate to risk management, and particularly an explanation of how FINTRAC expects that financial institutions will conduct ongoing monitoring of their entire relationship with any client for the purpose of detecting suspicious transactions and keeping their records current. The drafted Guideline 6 also addresses the new standards about beneficial ownership and control.

A Refresher on the New Legislation

The new legislation centers on client knowledge and due diligence as a focal point for money laundering risk management. It asks reporting entities to identify instances where they have established a business relationship with a client, and then to determine all the components of that relationship (in terms of accounts, signing authority, activities etc.). That business relationship then becomes a basis upon which money laundering risk is evaluated and against which control measures are applied. There are some control measures which must be applied to all business relationships (such as periodic identification information update, risk and transaction review), with frequency and extent varying based on risk, and enhanced measures which are applied only to high risk business relationships. The diagram that follows depicts the obligations described here.

Previously, entities were not explicitly requested to apply the concept of a business relationship in their AML systems, and not mandated to apply money laundering risk control measures to lower risk clients. Entities are still required to assess and document their money laundering risks related to products, services and access channels, as well as relevant geographic regions.

The Definition and Makeup of a Business Relationship:

The drafted Guidelines define a business relationship as “a relationship that is established with a client to conduct financial transactions or provide services related to those transactions.” A business relationship exists when either one of the following two activities is performed:

  • When opening an account for a client (this also includes clients that already have accounts), or
  • When conducting two or more transactions for a client that require ascertaining their identity.

This definition is slightly different from the amended PCMLTFR in that the regulations do not define how many transactions a client would have to conduct before it would constitute a business relationship. The Guideline clarifies that a business relationship can exist within or outside of an account.

  • Business Relationship within Account: For clients with one or more accounts, it includes all transactions and activities related to those accounts.
  • Business Relationship outside Account: For clients that do not have accounts but have conducted two or more transactions that require ascertaining their identity, it only includes those transactions where the identity of the client must be ascertained.

Where a business relationship exists, reporting entities are required to conduct ongoing monitoring of all business relationships, keep related records, and keep a record of the purpose and intended nature of those business relationships.

According to the drafted Guidelines, “you enter into a business relationship when a client opens or holds an account with you.” This implies that reporting entities will have to apply the same obligations for business relationships on existing accounts and new accounts.  That may require reporting entities to go through all existing accounts to collect and record the purpose and intended nature of the business relationship.  The drafted Guidelines mention that the purpose and intended nature of a business relationship can be obtained through the record of the intended use of an account, which is not explicitly mentioned in the amended PCMLTFR.  Relying on the intended use of an account can get complicated if the client holds multiple accounts since the purpose of that information is specific to each account that the client holds. 

There are some exceptions that apply for when a business relationship exists. However, if two or more suspicious transaction reports were filed on a client, then that client is considered to have a business relationship, and the same standard will have to apply to that client. In addition, that client will have to be treated as high risk.

Obligations Related to Ongoing Monitoring:

The drafted Guidelines require that reporting entities develop and apply policies and procedures for ongoing monitoring of business relationships. Ongoing monitoring is defined as monitoring, on a periodic basis, business relationships with the purpose of:

  • Detecting suspicious transactions that have to be reported;
  • Keeping client identification, the purpose and intended nature of the business relationship and beneficial ownership information up to date;
  • Reassessing the level of risk associated with the client’s transactions and activities; and
  • Determining whether the transactions or activities are consistent with the information previously obtained about the client, including the risk assessment of the client. 

Unlike the current Guidelines, the drafted Guidelines do not define the frequency for how often ongoing monitoring is to be conducted. The drafted Guidelines state that the frequency varies and should be based on the risk assessment. So for high risk business relationships, there should be more frequent ongoing monitoring.

The current Guidelines state that you should update client identification information at least every two years for high risk situations.

The drafted Guidelines change the term “higher” risk to “high” risk when applying enhanced due diligence measures. This change takes away the idea that there is something between low and high risk that would require enhanced measures to be applied that are not already described under customer due diligence.

As part of ongoing monitoring, the drafted Guidelines mention the requirement to keep client identification information up to date. The term “reasonable measures” has been removed in the drafted Guideline 6G and replaced with the term “measures”, making it a requirement to apply the following measures:

  • Customer Due Diligence Measures: Include asking the client to confirm or update their identification information
  • Enhanced Due Diligence Measures: Include confirming or updating the information using the non-face-to-face methods.

The drafted Guideline 6G then goes on to state that information can be obtained verbally to keep client identification information up to date. It is unclear as to whether this measure refers to the enhanced measures since it is a repeat of the first measure.

Other Risk-Based Approach Considerations:

As part of the risk-based approach, where a business relationship is determined to be high risk based on the results of the ongoing monitoring, the drafted Guidelines require reporting entities to conduct more frequent monitoring of those business relationships, update client identification more frequently, and adopt other appropriate enhanced measures. The drafted Guidelines do not include the requirement to take enhanced measures to ascertain client identity or confirm the existence of an entity for high risk clients, which is a requirement in the amended PCMLTFR.

The drafted Guideline 4 states the requirement to conduct a risk assessment on all clients when there is a business relationship, as well as clients outside of business relationships. This is different from the current Guideline 4, where the requirement was to only conduct a risk assessment where there is an ongoing relationship.

The drafted Guideline 4 mentions that it is not a requirement to complete individual risk assessments of each client and allows for client risk assessments to be clustered using broader risk profiles. However, the ongoing monitoring requirements in the drafted Guideline 6G mention the requirement to keep all client identification information up to date, which will require reporting entities to monitor all their clients on an individual level to ensure identification information is up to date based on their ongoing monitoring procedures.

The drafted Guideline 4 prescribes factors to consider when assessing the risk of a business relationship, including:

  • The duration of the business relationship
  • The activities of the business relationship
  • The number of accounts (if applicable) within the business relationship
  • The products and services used 
  • Third party involvement in the business relationship
  • Beneficial owners of an entity and their impact on risk

The drafted Guideline 4 states that reporting entities must consider a client as high risk when a client is acting on behalf of an entity and is not aware of the entity’s beneficial owners or when a client has been identified as a politically exposed foreign person.  The current Guideline 4 only states that you “should consider” them as higher risk.

Beneficial Ownership:

An area of significant change is the beneficial ownership requirement section in both of the drafted Guidelines. There is no longer a requirement to collect the occupation information of the directors (for corporations) and the occupation information of the individuals who own or control 25% of the organization.

The new requirements not only require beneficial ownership to be collected on corporations and entities other than corporations but also on trusts. For trusts, the names and addresses of all trustees and all known beneficiaries and settlors of the trust must be obtained. As part of the beneficial ownership information, the ownership, control and structure of the organization must be collected. The draft Guidelines state that “you must search through as many levels of information as necessary in order to determine beneficial ownership” and that you must take reasonable measures to confirm the accuracy of the information. According to the drafted Guidelines, a record of the documents and references that were used to confirm the beneficial ownership information has to be kept. The drafted Guidelines state reasonable measures to include:

  • Asking the client to provide documentation;
  • Consulting existing files; or
  • Searching for the information through publicly available sources.

In circumstances where the accuracy of beneficial ownership could not be obtained, according to the new standard, it is unnecessary to keep a record of why beneficial ownership could not be determined. Instead, the draft Guidelines require reporting entities to obtain the name of the senior manager of the organization, take reasonable measures to ascertain their identity, and treat the client as high risk.

Client Identification for Suspicious Transactions:

In the drafted Guideline 6G, the exception for identifying individuals who have attempted to conduct a transaction that is suspicious has been removed. The drafted Guideline 6G clarifies that for all suspicious transactions and attempted transactions, including transactions where there are exemptions to identifying the client, you are required to take reasonable measures to ascertain the client’s identity. As a practical matter, many financial entities are concerned about tipping off clients to their consideration of a suspicious transaction report, whether or not a transaction is completed.

Politically Exposed Foreign Person (PEFP):

The drafted Guideline 6 provides more clarification around PEFP determination. In the current Guideline, reporting entities only have to determine if someone is a PEFP once. In the drafted Guideline, it states that if the initial determination found that the individual was not a PEFP, reasonable measures should still be taken to determine PEFP involvement for the following situations:

  • For every subsequent account opening; or
  • For prescribed electronic funds transfers.

Compliance Effectiveness Review:

As part of the compliance effectiveness review that is to be conducted every two years, the drafted Guideline 4 added guidance for testing the effectiveness of the risk-based approach to include:

  • Sampling of clients to see if the risk assessment was adequate
  • Sampling of clients to see if the frequency of ongoing monitoring is adequate
  • Sampling of high risk clients to review the enhanced measures taken

If you are interested in reading the full drafted Guidelines, visit FINTRAC’s website here for more information.

For information on how MNP can help adapt your compliance program, or evaluate your amendments against the new standards, contact our Valuation, Forensics and Litigation Support team.