There is a game changer around the corner for Canadian financial institutions (FIs), a regime shift in anti-money laundering (AML) regulation towards stringent enforcement and compliance mandates, with potentially significant impact on business costs, processes and technology implementation.
Soon FIs will no longer get by with simply implementing basic AML controls or meeting the minimum compliance standards. Preparation for this change should begin promptly, if it hasn’t already, for FIs that want to stay ahead of the regulatory enforcement curve and avoid serious penalties and reputational risks.
The regime shift in AML regulation, which ends the laissez faire-era of principles-based AML rules, should come as no surprise. It is the Canadian federal government’s long-overdue response to mounting criticisms from the international financial community following numerous public scandals involving FIs that failed to identify and remediate poor AML controls, leading to serious breaches and ultimately financial penalties. The well-publicized scandal involving Danske Bank’s Estonian branch and recent fines imposed on several US banks have drawn the ire of organizations such as the Financial Action Task Force (FATF) and Transparency International (TI), which recently decried Canada’s lax disclosure requirements.
The Canadian national press has fueled the public and government’s interest in money laundering matters, with a recent editorial in The Globe and Mail blasting Canada for being “dirty money’s 24-hour laundromat.” The extent of money laundering issues across Canada’s real estate business, particularly in the greater Vancouver and Toronto housing markets, have also been well publicized. TI Canada’s 2019 report on secrecy, anonymous ownership and its impact on the Canadian real estate market, aptly called “Opacity: Why Criminals Love Canadian Real Estate (And How to Fix It),” describes how companies that pumped $28.4 billion into Greater Toronto Area (GTA) housing market, made $9.8 billion in cash purchases and took out $10.4 billion in mortgages from unregulated lenders. Overall, at least $20 billion appears to have entered the GTA housing market in the past 10 years without oversight from the Financial Transactions & Reports Analysis Centre of Canada (FINTRAC), the country’s financial intelligence unit tasked with detection, prevention and deterrence of money laundering and the financing of terrorist activities.
Against this backdrop, Canadian regulators are chomping at the bit to rein in money laundering. The broad legislative changes are intended to have real bite; the proposals are supported by increased funding commitments in the March 2019 Federal Budget for FINTRAC, the Royal Canadian Mounted Police (RCMP), Canada Revenue Agency and other agencies to strengthen oversight and enforcement against money-laundering.
In addition, FINTRAC has received expanded authority to publicize financial institutions’ AML violations, a name-and-shame enforcement tool that would have significant impact on how financial institutions view, assess and manage reputational risks of a potential violation.
There are other proposals, which are of importance to banks, trust companies and credit unions. Highlighted below are three measures that would have the biggest impact on FI processes and technology:
Beneficial Ownership Rule Changes
The absence of stringent beneficial ownership rules in Canada is often cited as the reason for the failure to close the gap in anti-money laundering in the real estate sector. As TI Canada, CD Howe and others have noted, Canada’s record on beneficial ownership can be improved.
Currently, regulators expect reporting entities to obtain newly onboarded entities’ beneficial ownership information and keep the information up to date on an ongoing basis. However, the regulations do not explicitly require the reporting entities to take reasonable measures to confirm the accuracy of this information at onboarding or during regular updates. This principles-based compliance approach changes under the proposed regulations, which makes this ongoing requirement explicit.
To verify the accuracy of beneficial ownership, reporting entities can refer to records such as minute books, securities registers, shareholders registers, articles of incorporation, annual returns, and certificates of corporate status, shareholder or partnership agreements and board of director's meeting records of decisions. In a case of a trust, ownership information can be confirmed by reviewing the trust deed. Other reasonable measures include open source search or consulting commercially available information.
While some of the verification steps are already performed, reporting entities would now be required to document the steps taken to confirm the information provided.
Reporting Deadline for Suspicious Transactions
A change in the deadline for submitting a Suspicious Transactions Report (STR) is another amendment that would have significant impact on day-to- day operations of reporting entities. Previously, in Canada, like in the United States currently, reporting entities were given up to 30 days to submit STRs.
Under the initial proposed amendment, reporting entities would be required to file an STR within three days of determining that a transaction, or attempted transaction, is reasonably suspected of being related to the commission of a money laundering or terrorist financing offence. However, based on strong responses from the financial community, the revision landed on “as soon as reasonably practical” which although seems like we dodged the bullet, could be tricky if left to the regulators to determine what is deemed “reasonably practical”. This added ambiguity could make matters worst for some institutions depending on the tools and system at their disposition.
For many reporting entities, demonstrating that they are complying with this new requirement would mean updating policies, procedures and processes (both manual and automated) to reflect the new regulatory expectation. In addition, larger financial institutions that process troves of reportable transactions may have no choice but to rely more on automation such as Robotics Process Automation (RPA) and Natural Language Processing (NLP) to achieve better efficiency and meet the requirement.
RPA would help expedite the process, starting with the process of gathering multiple data points required to file an STR, management approval and submission to FINTRAC via their proprietary F2R system.
Politically Exposed Persons (PEP)
Regulators also seek to modify the Proceeds of Crime (Money Laundering) and Terrorist Financing Act
(PCMLTFA), the enabling legislation for FINTRAC, with specific requirements pertaining to the onboarding of politically exposed persons (PEP).
Under the proposed rules, reporting entities would be required to amend their policies and procedures regarding the onboarding process of PEPs, taking steps to verify that accumulated funds or wealth is consistent with the information received. Any doubts regarding the origin of funds or wealth would have to be satisfied prior to onboarding or before a specific transaction is permitted.
To satisfy this requirement, regulators intend to publish a standardized questionnaire that would provide guidance on gathering information regarding accumulated funds or wealth of a newly onboarded PEP. The standard questions may include information on employment details and ownership of businesses or properties to corroborate information concerning their source of wealth.
How to Close the Gap
While most institutions have a Compliance function or designated individuals to monitor impending regulatory changes, they are likely to face significant challenges with developing concrete plans to operationalize the changes.
Going forward, institutions will be required to demonstrate their readiness with tangible evidence of their control implementation. Here are several considerations to help institutions evaluate their readiness for the impending regulatory changes:
Policies & Procedures
- Do you have a process to review policies and procedures (P&P) against the new requirements?
- Do you maintain a P&P inventory with identified owners that would allow you to identify all affected procedures?
- Do you have an effective roll-out protocol to communicate the key procedural changes effectively and implement training where appropriate?
- Do you have a process to include all affected stakeholders (lines of business as well as operational units) in the change management efforts?
- Do you maintain an inventory of all customer facing forms and disclosures? If not, do you have a process for updating the necessary documentation so it can incorporate the additional information required?
Process Flow Documentation & Ownership
- Do you have well-documented process flows to effectively identify processes and potential downstream effects of the proposed changes?
- Does your process flows clearly identify hand offs to other departments or centralized units?
- Are there clear process owners to enable effective change management?
- Do you have a process to identify how the changes will impact both manual as well as automated processes and controls?
- For automated controls; do you engage your technology partner to have a solid understanding of the significance of any technology changes?For example, would the change require any automated form or book of records capability update?
- Did you prepare a project plan and budget proposal well ahead of time to ensure you can obtain necessary signoffs in accordance with your organization cost approval and/or procurement processes?
- Have you aligned project plan timelines to reflect the impending regulatory changes and built in appropriate contingencies?
Centralization vs. Decentralization
- Do you have a centralized control and governance structure? Or, is it decentralized?
- Do you have a means on consolidating data on an aggregated and timely basis?
Database Capability Review/Assessment
- Do you have a centralized database? Are you able to certify its accuracy, completeness and timeliness?
- Do you review regularly for data completeness and to ensure adherence to legislative requirements?
- Do you have a process to ensure completeness and accuracy?
Project Plan and Budget
- Do you have a plan (e.g. quarterly, annual) for activities or work streams?
- Do you have key performance metrics or milestones to measure progress?
- Do you have a resource budget to match the project plan? Do you map prioritization of projects against capability, change readiness and resource availability?
- Do you have a financial budget to monitor activities, performance and resources; to assist in measuring progress and accountability?
Training and Awareness
- Do you have a training and roll out plan to ensure that all affected employees are aware of the new requirements and understand the new procedures?
- Did you review the enterprise training program to update all the necessary sections and reflect all the changes?
How Protiviti Can Help
Given the increasing regulatory scrutiny related to AML issues and complex challenges faced by financial services organizations in that regard, institutions are realizing the importance of implementing and maintaining a robust AML program. In addition, companies are realizing the importance of implementing a risk-based Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) Compliance Program that can be applied across diverse business lines. However, evaluating the money laundering risks in an organization and the tools and techniques available for mitigating these risks can present a significant challenge.
The core members of Protiviti’s AML Practice are former financial institution regulators, financial institution compliance officers, fraud and forensic specialists, technology experts, and individuals with hands-on experience working in financial institutions of all types. They have considerable experience advising institutions of all types on the design and implementation of their AML/CFT Compliance Programs, conducting independent tests of AML/CFT Compliance Program effectiveness and conducting money laundering investigations.