Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

Above And Beyond What?

It seems that every time I’m at a conference or event related to compliance, I hear people talking about going “above and beyond” the requirements. Something about this statement has always seemed wrong to me. It wasn’t until recently that I understood why: most of us aren’t getting the basics right.

FINTRAC Examination Data


Most Of Us Are Failing At The Basics

This is not an indictment of Compliance Officers and the tremendous effort that goes into compliance. It’s a simple statistical fact.

We crunched some numbers by industry for anti-money laundering (AML) compliance in Canada based on information obtained from the regulator through an access to information request in 2014. The rate of examinations for which there were no deficiencies (across all reporting entity types) was 17 percent. While we congratulate the savvy few that met this bar, that leaves 83 percent of reporting entities that failed to meet the basic requirements in some way.

While these results are specific to examinations conducted by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), it’s not unreasonable to assume that the results can be generalized to compliance more broadly.

Shift The Focus

Before anyone can go “above and beyond” the fundamentals should be solid. One of the most painful reviews (like an audit for compliance) that I’ve conducted was a classic case of going above and beyond while completely missing the mark on baseline compliance. The reporting entity had great technology and related risk ranking metrics. The methods that they used to understand customer behavior involved machine learning and geo-location data at each login, analyzed over time. It was a great risk management strategy, except that they hadn’t identified a single customer in accordance with the law. Not a single one…

Ironically, in working to design measures that went beyond the basic compliance requirements, they found themselves so far outside of what was allowable under the law that had an examination been conducted by a regulator at the time, they could have been facing a very hefty penalty (as was the case for Ripple Labs in the USA).


Consequently, they spent a good deal of time and money updating their systems and identifying customers. In some cases, customers were lost. The (re)identification process was frustrating for people that believed that they had already completed everything that was needful in order to transact freely. There were updates to process documents and IT systems that took place over the course of months, and a good deal of frustration at the rework involved.

A competent third party or in house expert can be useful in assisting with system and process design, provided that they are able to understand your business model, basic compliance requirements and how to achieve these in the most elegant way possible.

Keep It Simple (Seriously)

At a recent conference, I was listening to a speaker whom I consider a model for what not to do, both functionally and ethically. As he sweepingly gestured towards an overly complex chart, he stared into the blank faces of his audience and proclaimed “It’s ok if you don’t get it. That’s not the point. The point is that I should look impressive. Are you impressed?” I was not.

Which model fits your needs?

Which model fits your needs?

Remember that the people that are usually fulfilling your compliance requirements are your frontline staff. Would they be able to use the model to the left to risk rank your customers?

While it can be tempting to create complex rating systems, it’s important to understand that your compliance program should be functional. If the system that you’ve created is too complex for your staff to understand and adhere to, it will fail. Whether you’re hiring someone external or creating your program in-house, remember to keep it as simple and easy to follow as possible.

Ask, Check, Test

One of the many arguments that I’ve heard for going above and beyond is that this is helpful when dealing with regulators and banking service providers. While I agree that this can certainly be the case, it’s a moot point if the basic requirements are not met.

In my experience, both regulators and bankers are candid – when asked – about where their expectations are set. There is no real appetite on the part of either to create a set of secret standards related to going above and beyond. From a practical perspective, this means that reporting entities should be focused on understanding the basic requirements, and seeking clarification as needed.

Effectiveness reviews can also be a useful tool in this regard, provided that the reviewer or auditor is well versed in local compliance requirements. Similarly, internal testing should be geared towards baseline requirements to ensure that these are being met.

Opportunities & Innovation

Going above and beyond for its own sake (in terms of compliance) is neither required, nor particularly good business.

This is not to say that reporting entities should avoid innovation. Rather, these efforts should be focused and prioritized on finding the most cost-effective and efficient ways to meet baseline compliance requirements, and mitigating risk.

Changing compliance legislation can also provide opportunities for innovation, in particular where there are public consultations. This type of dialogue with lawmakers allows stakeholders to suggest alternatives that may mitigate risk in new and innovative ways. It provides an opportunity to showcase new technologies and processes that solve common compliance problems with greater efficiency (although they may not fit into the current regulatory paradigm).

Need A Hand?

We believe that good compliance is good business. If you have questions, please feel free to contact us.

Highlights from the 2015 AML Forum

This year I had the honour of co-chairing the Canadian Institute’s 14th Annual AML Forum, along with Ron King of Scotiabank. The event brought together a diverse group of stakeholders and speakers including regulators, law enforcement, bankers, money service businesses (MSBs), technology experts and government. Over two days, we enjoyed many lively discussions, and while I can’t cover all of the content here, I want to provide some insight for colleagues that weren’t able to attend the event.

Key Messages from Regulators & The Department of Finance

Representatives from the Department of Finance, the Office of the Superintendent of Financial Institutions (OSFI) and the Financial Transactions Reports Analysis Centre of Canada (FINTRAC) were present throughout the conference, and fielded questions from the audience throughout the event. Among the most exciting announcement was the Department of Finance’s assertion that we should expect a new AML regulations package to be released in draft for public comment later this year. Though the target date is set for June or July, anything can happen in an election year and there may be delays.

The Department of Finance, OSFI and FINTRAC also discussed Canada’s upcoming mutual evaluation by the Financial Action Task Force (FATF) and Canada’s countrywide risk assessment. The risk assessment is underway and expected to be shared later this year, in advance of the FATF’s visit this fall (with results expected to be published next summer). The risk assessment will likely prove to be a useful tool for regulated entities struggling to qualify Canadian money laundering and terrorist financing risk.

OSFI emphasized the importance of considering the AML program as part of the overall prudential compliance management strategy for federally regulated financial entities (FRFEs). It is expected that OSFI’s guideline B-8 will be revised in the near term. To avoid rework, OSFI is waiting for several key inputs including the updated AML regulations package, FINTRAC’s updated risk assessment guidance and the countrywide risk assessment. OSFI will also continue to work with FINTRAC on streamlining examination processes, citing the need to create a common framework and approach to examinations.

FINTRAC reviewed its recent statistics and emphasized the importance of the agency’s role as a financial intelligence unit (FIU). Key to this role are suspicious transaction reports (STRs), which will play a key role in upcoming examinations for regulated entities. FINTRAC will be applying several tests to STR data, including:

  • Entity Practitioner: similar transactions within an entity that were not reported to FINTRAC;
  • Sector Practitioner: a comparison of the number and type of STRs submitted by similar entities (the size and type of business are taken into consideration); and
  • Reasonable Practitioner: a comparison of the reported and unreported transactions against relevant guidance on reasonable grounds to suspect that money laundering or terrorist financing activity may be taking place.

This echoes FINTRAC’s comments throughout 2014 on the importance of suspicious activity reporting, a sentiment that was echoed by law enforcement.

Law Enforcement Focus

Speakers representing the Royal Canadian Mounted Police (RCMP) and US Federal Bureau of Investigation (FBI) discussed the strategic value of intelligence obtained through FIUs and directly from the financial services community. While the specifics of ongoing cases cannot be discussed publicly, both speakers emphasized the importance of providing complete and concise information, and excellent examples of how this type of intelligence is used by law enforcement.

The speakers confirmed that the dollar values for terrorism related transactions seen in Canada are consistently low. The RCMP discussed a transaction pattern relevant to individuals planning to attend radical training camps wherein an individual saves a relatively small sum via legitimate work (often at low wage jobs), then purchases a plane ticket and camping gear (which may account for all or almost all of the funds saved). Patterns such as these are useful for institutions seeking to understand and identify patterns of activity that may be indicative of potential terrorism.

The De-Risking Debate Continues

One of the most lively discussions of the event surrounded “de-risking” (refusing to provide service to a customer that is outside of the institution’s risk tolerance). While banks in Canada are private, for profit enterprises, access to banking facilities remains a vital component for business success. The money service business (MSB) sector has struggled with banking relationships both in Canada and abroad. Best-practices discussed included independent third party compliance reviews conducted by qualified practitioners as a valuable tool in assisting banks to assess the state of an MSB’s compliance. It was noted that while the MSB sector is certainly vulnerable to money laundering and terrorist financing, it is not the only vulnerable sector in Canada. While Canadian MSBs are regulated by FINTRAC, other sectors that are both vulnerable and unregulated have not experienced the same degree of de-risking.

Banks emphasized the risks for financial institutions in dealing with certain types of business as being broader than AML compliance. Chief among these risks was reputational risk. As one banker noted, when a bank’s larger clients are offside with requirements, the client, not the bank, is publicly held accountable. When the bank’s client is of a smaller size however, banks are being considered more responsible in the eyes of the media and the public. This, coupled with the profitability of accounts held for smaller entities considered by banks to be high risk, may be at the root of some of the banking woes experienced in the MSB sector, in particular by smaller MSBs.

Sanctions, PEPs and Analytics

Several speakers emphasized the importance of implementing and tuning technology solutions to detect persons and entities subject to sanctions, politically exposed persons and potentially suspicious transactions. Sanctions in particular appeared to be an emerging concern, with list screening alone viewed as being insufficient in terms of banking controls. The increased complexity of sanctions includes not only specific individuals and entities but their affiliates, including subsidiaries (which may not be easy to detect in many cases) and sanctions applied to specific types of transactions. For multinational financial service providers, there is additional complexity in managing sanctions related to doing business in several jurisdictions with different requirements. In order to comply effectively, information sharing across jurisdictions (including information about customer activity and risk) is likely to be required. For many entities, this will mean revising privacy related policies and disclosures to enable information sharing across a network of affiliated entities.

In addition to privacy considerations, the integration of systems and processes across affiliated entities and lines of business was a key consideration. One Canadian bank noted that they are in the process of synchronizing know your client (KYC) requirements across all lines of business, a process that involves the integration of data from over 35 separate IT systems and databases. Such synchronization is necessary to ensure that customer risk is considered consistently across all lines of business.

A Key Question on Emerging Technology

My co-chair raised an insightful point with the emerging payments panel in regards to Bitcoin and other emerging payment technologies. While banks have heard loud and clear that these technologies are not as anonymous as they were initially believed to be, there is a sense within the banking community that there has not, to date, been a solid assessment of the risk (or subsequently established best practices in mitigating these risks). Some of the risks raised by panelists included consumer protection (the risk that funds may be lost through negligence or bad actors) and the risks related to effective controls (which are similar to the types of risk that exist in other vulnerable sectors).

While it’s clear that emerging payment technology companies are working to demonstrate compliance in a changing regulatory landscape, there is clearly a gap between these companies and traditional financial institutions, in terms of messaging and expectations. We expect that this will be an ongoing conversation as the industry, regulations and technology continue to evolve.

We Would Love To Hear From You!

If there are topics that you would like to know more about, or if you need assistance with your compliance program, please contact us.

Return to Blog Listing