This year I had the honour of co-chairing the Canadian Institute’s 14th Annual AML Forum, along with Ron King of Scotiabank. The event brought together a diverse group of stakeholders and speakers including regulators, law enforcement, bankers, money service businesses (MSBs), technology experts and government. Over two days, we enjoyed many lively discussions, and while I can’t cover all of the content here, I want to provide some insight for colleagues that weren’t able to attend the event.
Key Messages from Regulators & The Department of Finance
Representatives from the Department of Finance, the Office of the Superintendent of Financial Institutions (OSFI) and the Financial Transactions Reports Analysis Centre of Canada (FINTRAC) were present throughout the conference, and fielded questions from the audience throughout the event. Among the most exciting announcement was the Department of Finance’s assertion that we should expect a new AML regulations package to be released in draft for public comment later this year. Though the target date is set for June or July, anything can happen in an election year and there may be delays.
The Department of Finance, OSFI and FINTRAC also discussed Canada’s upcoming mutual evaluation by the Financial Action Task Force (FATF) and Canada’s countrywide risk assessment. The risk assessment is underway and expected to be shared later this year, in advance of the FATF’s visit this fall (with results expected to be published next summer). The risk assessment will likely prove to be a useful tool for regulated entities struggling to qualify Canadian money laundering and terrorist financing risk.
OSFI emphasized the importance of considering the AML program as part of the overall prudential compliance management strategy for federally regulated financial entities (FRFEs). It is expected that OSFI’s guideline B-8 will be revised in the near term. To avoid rework, OSFI is waiting for several key inputs including the updated AML regulations package, FINTRAC’s updated risk assessment guidance and the countrywide risk assessment. OSFI will also continue to work with FINTRAC on streamlining examination processes, citing the need to create a common framework and approach to examinations.
FINTRAC reviewed its recent statistics and emphasized the importance of the agency’s role as a financial intelligence unit (FIU). Key to this role are suspicious transaction reports (STRs), which will play a key role in upcoming examinations for regulated entities. FINTRAC will be applying several tests to STR data, including:
- Entity Practitioner: similar transactions within an entity that were not reported to FINTRAC;
- Sector Practitioner: a comparison of the number and type of STRs submitted by similar entities (the size and type of business are taken into consideration); and
- Reasonable Practitioner: a comparison of the reported and unreported transactions against relevant guidance on reasonable grounds to suspect that money laundering or terrorist financing activity may be taking place.
This echoes FINTRAC’s comments throughout 2014 on the importance of suspicious activity reporting, a sentiment that was echoed by law enforcement.
Law Enforcement Focus
Speakers representing the Royal Canadian Mounted Police (RCMP) and US Federal Bureau of Investigation (FBI) discussed the strategic value of intelligence obtained through FIUs and directly from the financial services community. While the specifics of ongoing cases cannot be discussed publicly, both speakers emphasized the importance of providing complete and concise information, and excellent examples of how this type of intelligence is used by law enforcement.
The speakers confirmed that the dollar values for terrorism related transactions seen in Canada are consistently low. The RCMP discussed a transaction pattern relevant to individuals planning to attend radical training camps wherein an individual saves a relatively small sum via legitimate work (often at low wage jobs), then purchases a plane ticket and camping gear (which may account for all or almost all of the funds saved). Patterns such as these are useful for institutions seeking to understand and identify patterns of activity that may be indicative of potential terrorism.
The De-Risking Debate Continues
One of the most lively discussions of the event surrounded “de-risking” (refusing to provide service to a customer that is outside of the institution’s risk tolerance). While banks in Canada are private, for profit enterprises, access to banking facilities remains a vital component for business success. The money service business (MSB) sector has struggled with banking relationships both in Canada and abroad. Best-practices discussed included independent third party compliance reviews conducted by qualified practitioners as a valuable tool in assisting banks to assess the state of an MSB’s compliance. It was noted that while the MSB sector is certainly vulnerable to money laundering and terrorist financing, it is not the only vulnerable sector in Canada. While Canadian MSBs are regulated by FINTRAC, other sectors that are both vulnerable and unregulated have not experienced the same degree of de-risking.
Banks emphasized the risks for financial institutions in dealing with certain types of business as being broader than AML compliance. Chief among these risks was reputational risk. As one banker noted, when a bank’s larger clients are offside with requirements, the client, not the bank, is publicly held accountable. When the bank’s client is of a smaller size however, banks are being considered more responsible in the eyes of the media and the public. This, coupled with the profitability of accounts held for smaller entities considered by banks to be high risk, may be at the root of some of the banking woes experienced in the MSB sector, in particular by smaller MSBs.
Sanctions, PEPs and Analytics
Several speakers emphasized the importance of implementing and tuning technology solutions to detect persons and entities subject to sanctions, politically exposed persons and potentially suspicious transactions. Sanctions in particular appeared to be an emerging concern, with list screening alone viewed as being insufficient in terms of banking controls. The increased complexity of sanctions includes not only specific individuals and entities but their affiliates, including subsidiaries (which may not be easy to detect in many cases) and sanctions applied to specific types of transactions. For multinational financial service providers, there is additional complexity in managing sanctions related to doing business in several jurisdictions with different requirements. In order to comply effectively, information sharing across jurisdictions (including information about customer activity and risk) is likely to be required. For many entities, this will mean revising privacy related policies and disclosures to enable information sharing across a network of affiliated entities.
In addition to privacy considerations, the integration of systems and processes across affiliated entities and lines of business was a key consideration. One Canadian bank noted that they are in the process of synchronizing know your client (KYC) requirements across all lines of business, a process that involves the integration of data from over 35 separate IT systems and databases. Such synchronization is necessary to ensure that customer risk is considered consistently across all lines of business.
A Key Question on Emerging Technology
My co-chair raised an insightful point with the emerging payments panel in regards to Bitcoin and other emerging payment technologies. While banks have heard loud and clear that these technologies are not as anonymous as they were initially believed to be, there is a sense within the banking community that there has not, to date, been a solid assessment of the risk (or subsequently established best practices in mitigating these risks). Some of the risks raised by panelists included consumer protection (the risk that funds may be lost through negligence or bad actors) and the risks related to effective controls (which are similar to the types of risk that exist in other vulnerable sectors).
While it’s clear that emerging payment technology companies are working to demonstrate compliance in a changing regulatory landscape, there is clearly a gap between these companies and traditional financial institutions, in terms of messaging and expectations. We expect that this will be an ongoing conversation as the industry, regulations and technology continue to evolve.
We Would Love To Hear From You!
If there are topics that you would like to know more about, or if you need assistance with your compliance program, please contact us.