Section 3: Compliance Program

What is a compliance program?

An internal AML and ATF framework required under the PCMLTFA

Why is a compliance program important?

It helps detect; prevent; and manage ML and TF risks

Who must implement a compliance program?

All reporting entities under the PCMLTFA

What does PCMLTFA stand for?

Proceeds of Crime Money Laundering and Terrorist Financing Act

How many core elements are in a compliance program?

Six

Who is responsible for implementing the compliance program?

The Compliance Officer

What must a Compliance Officer have?

Authority and resources to perform their duties

Who should the Compliance Officer report to?

Senior management; board; owner; or chief operator

What must compliance policies and procedures include?

Reporting; record keeping; client identification; risk assessment; and mitigation

Who must approve policies and procedures?

A senior officer

What should policies include regarding terrorist financing?

Watchlist verification and Ministerial Directives processes

What is the purpose of a training program?

To ensure ongoing AML and ATF training

Who must receive compliance training?

Employees; agents; mandataries; and authorized representatives

What is a training plan?

Documented process for delivering and maintaining training

How often must effectiveness reviews occur?

At least every two years

What should an effectiveness review assess?

Policies; procedures; risk assessment; mitigation; and training effectiveness

Who should conduct the effectiveness review?

Someone not directly involved in compliance activities

When must review findings be reported?

Within 30 days of review completion

What must be included in the review report?

Findings; updates; mitigation measures; and implementation status

What factors are included in a risk assessment?

Clients; geography; products; services; affiliates; and technology

What is risk mitigation?

Measures used to reduce identified ML and TF risks

What are the two mandates of a compliance program?

Operational framework and employee understanding

What is legal risk?

Loss from non-compliance or unenforceable contracts

What is reputational risk?

Loss caused by negative publicity or reduced trust

What is operational risk?

Loss from weak procedures; systems; or personnel

What authority does FINTRAC have under the PCMLTFA?

To examine records and inquire into business affairs

What types of FINTRAC examinations exist?

Desk-based and on-site examinations

What can happen if documentation is created after a FINTRAC notice?

It may result in deficiencies or violations

What can FINTRAC issue for non-compliance?

AMPs or criminal charges

Can AMPs and criminal charges apply to the same violation?

No

What does AMP stand for?

Administrative Monetary Penalty

What is the purpose of AMPs?

To encourage compliance rather than punish

What factors determine AMP amounts?

Harm done; ability to pay; and compliance objectives

When did mandatory AMP publication begin?

June 21; 2019

How are violations classified under the AMP regime?

Minor; serious; or very serious

What is a Ministerial Directive?

A legally enforceable compliance directive under the PCMLTFA

Can failure to follow a Ministerial Directive lead to penalties?

Yes; including AMPs and criminal offences

What is a criminal offence under subsection 74(1)?

Failure to register; verify identity; or keep records

What does subsection 75(1) address?

Suspicious transaction reporting offences

What does subsection 77(1) address?

EFT; large cash; VC; and casino reporting offences

What is Section 77.1 related to?

False or misleading MSB registration information

What is the maximum criminal fine on indictment under the PCMLTFA?

Up to $2 million

What is the maximum imprisonment term on indictment?

Up to 5 years

What is the penalty for failing to report suspicious transactions?

Up to $2 million and or 5 years imprisonment

What is the penalty for disclosing an STR?

Up to 2 years imprisonment

What does FINTRAC share through MOUs?

Compliance-related information with regulators

Do regulators conduct FINTRAC examinations?

No; FINTRAC retains examination authority

What international groups does FINTRAC work with?

FATF and the Egmont Group

Why is international cooperation important in AML and ATF?

ML and TF often cross national borders

How many international MOUs has FINTRAC signed?

More than 100

What are the six elements of a compliance program?

Compliance Officer; policies; training; training plan; review; and risk assessment

What is the primary responsibility of a Compliance Officer?

To implement and oversee the compliance program

Does appointing a Compliance Officer alone satisfy compliance requirements?

No; all compliance program elements must be implemented

What must a Compliance Officer understand about the business?

Its functions; structure; and operations

What ML and TF knowledge should a Compliance Officer possess?

Risks; vulnerabilities; trends; and typologies

What legal knowledge should a Compliance Officer have?

PCMLTFA and associated Regulations requirements

What factors should be considered when appointing a Compliance Officer?

Independence; seniority; accountability; reporting lines; and experience

Who remains responsible for compliance obligations?

The reporting entity

What authority should a Compliance Officer have?

Authority to implement changes and access resources

Who should a Compliance Officer report to?

Board; senior management; owner; or chief operator

Who may serve as Compliance Officer in a small business?

A senior manager or the owner

Can an individual appoint themselves as Compliance Officer?

Yes

Who should be appointed Compliance Officer in a large organization?

A senior-level individual with executive access

Should a Compliance Officer in a large organization handle funds directly?

No; as a governance best practice

Can a Compliance Officer delegate duties?

Yes; but responsibility remains with the Compliance Officer

What is the Compliance Officer's relationship with FINTRAC?

Primary contact between the organization and FINTRAC

What training responsibility does a Compliance Officer have?

Ensure staff receive AML and ATF training

What review responsibility does a Compliance Officer have?

Organize independent effectiveness reviews

What culture responsibility does a Compliance Officer have?

Promote a culture of compliance

What should policies and procedures be?

Written; maintained; and approved by a senior officer

What is the purpose of AML and ATF policies?

Establish compliance standards and expectations

What is the purpose of AML and ATF procedures?

Describe how policies are carried out in practice

Who must approve compliance policies and procedures?

A senior officer

What should policies establish throughout the organization?

Clear and definitive compliance requirements

What should procedures clearly identify?

What; who; when; and where actions occur

Why must procedures be updated regularly?

To reflect regulatory and business changes

What are procedures used to do?

Translate policies into operational actions

What compliance program activities should policies cover?

Risk assessment; training; and effectiveness reviews

What client identification topics should policies cover?

Identity verification; beneficial ownership; and PEP requirements

What does PEP stand for?

Politically Exposed Person

What ongoing monitoring requirements should policies address?

Business relationships and high-risk clients

What enhanced measures may be required for high-risk clients?

Additional verification and monitoring

What record-keeping requirements should policies address?

Client; account; and transaction records

How quickly must records be provided to FINTRAC when requested?

Within 30 days

What reports should policies address?

All required FINTRAC reporting obligations

What is an STR?

Suspicious Transaction Report

What is an LCTR?

Large Cash Transaction Report

What is an EFT report?

Electronic Funds Transfer Report

What is an LVCTR?

Large Virtual Currency Transaction Report

What is the travel rule?

Requirement to include prescribed information with transfers

When might a transfer be suspended or rejected?

When required travel rule information is missing

What is a Ministerial Directive?

A targeted measure issued by the Minister of Finance

Why are Ministerial Directives issued?

To protect Canada's financial system from ML and TF risks

Must organizations have a separate Ministerial Directive policy?

No; it can be incorporated into existing procedures

What may happen if Ministerial Directives are not followed?

Administrative penalties may apply

What is the maximum AMP mentioned for failing to comply with a directive?

Up to $500000

What should policies explain about Ministerial Directives?

How to identify them and what actions to take

What is publicly available information?

Information from regulators; law enforcement; and credible media sources

How is publicly available information used?

Risk assessment; monitoring; and STR processes

What does FINTRAC expect when concerning public information is discovered?

Reasonable action and documented decisions