Share with your friends
spiral of dots

The 2019 amendments to the PCMLTFA

The 2019 amendments to the PCMLTFA

This point-of-view (POV) is a follow-up to KPMG’s previously published ‘Responding in the face of a changing AML/ATF landscape’ thought leadership piece (October 2018). It contains insights from KPMG’s Financial Crimes practice on some important aspects of the recently published amendments to regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (hereinafter “PCMLTFA”, or “the Act”).

This point-of-view (POV) is a follow-up to KPMG’s previously published ‘Responding in the face of a changing AML/ATF landscape’ thought leadership piece (October 2018). It contains insights from KPMG’s Financial Crimes practice on some important aspects of the recently published amendments to regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (hereinafter “PCMLTFA”, or “the Act”).

Since the release of the proposed amendments to the regulations made under the PCMLTFA in June 2018, reporting entities regulated by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) have been anxiously awaiting the government’s finalized version of the amendments, which were published in July 2019.

KPMG welcomes the release of the amendments, which will strengthen Canada’s ability to fight money laundering and terrorist financing (ML / TF) by operationalizing changes to the Act and closing gaps in the country’s Anti-Money Laundering (AML) / Anti-Terrorist Financing (ATF) Regime. This will assist reporting entities in their efforts to comply with their obligations, and improve monitoring and enforcement in Canada.

While certain measures are effective immediately1 and others on June 1, 2020, the majority of the provisions are currently scheduled to come into effect in June 2021. How Canadian reporting entities update their AML/ATF compliance program requirements to comply with the amended regulations within this timeframe is critical to managing the potential regulatory, legal, and reputational risk that comes with non-compliance.

These amendments will help elevate Canada’s AML Regime, but they also represent one of many steps towards more fully aligning the Regime with leading practices and international standards for combatting ML / TF set by the international community and the Financial Action Tack Force (FATF). KPMG is looking forward to both the publishing of forthcoming guidance from FINTRAC on how to comply with the amendments as well as future amendments.

In the absence of published guidance from FINTRAC, experienced advisors are stepping in to help reporting entities translate the implication of the new/revised requirements into their day to day operations. KPMG’s Éric Lachapelle, formerly head of AML and Anti-tax Evasion for Desjardins Group, was a member of the Department of Finance’s Advisory Committee on Money Laundering and Terrorist Financing which acted as a high-level discussion forum to address emerging issues and provide general advice on Canada’s AML Regime, both within a domestic context, including its effectiveness and efficiency, and in support of international AML/ATF developments. Éric Co-Leads KPMG’s National Financial Crimes practice with Hitesh Patel, who has a 28 year track record of providing trusted advice and solutions to financial services clients globally in the areas of regulatory compliance and operational risk management, with a specific focus on fraud, AML, sanctions, and bribery and corruption compliance.

Hitesh and Éric assembled KPMG’s Financial Crimes team in a virtual roundtable to discuss their perspectives on the most important aspects of the recently published amended regulations. Their points of view are discussed herein.

KPMG Points-of-View

What do you feel will be the most impactful elements of the amendments to reporting entities at large?

Éric Lachapelle: There are a number of key changes that affect specific types of reporting entities and others that cut across all entities. New requirements for entities providing prepaid products and virtual currencies come to mind, as do the clarifications made with respect to foreign money service businesses (MSBs). However, let’s start with Electronic Fund Transfers (EFTs).
The reporting requirements for international EFTs involving multiple entities have also changed. Under the current requirements, the entities that are the last to touch an outgoing EFT and the first to touch an incoming EFT are required to report to FINTRAC. Under the revised regulations, the obligations have switched. The onus is now on the first entity that initiates an outgoing EFT and the final recipient of an incoming EFT to report transactions. That’s a welcomed change for the regime since it brings the reporting entity closer to the originator and beneficiary.

Janice Mensah: In its publication, the government stated that changes were made for the purpose of ensuring that information relating to an EFT remains with a transfer “throughout the payment chain” so that reporting entities have all the relevant information they need to detect and report transactions effectively. It will be up to reporting entities to gain a fulsome understanding of the new requirements, and identify what impact these changes may have on their internal systems and business processes.

Rebecca Ip: Recordkeeping will also be an important element to maintain and further develop in accordance with the new requirements because there is now an expectation to provide even more information in STRs (for example, IP addresses, and the identification number and type of device used to conduct a transaction). Reporting entities will not only need to be cognizant of this at the reporting stage (to FINTRAC), but also throughout the life cycle of the client relationship. For example, all of these new data points will not only need to be captured but kept up-to-date throughout the relationship.

The impact on processes and procedures related to Know Your Customer (KYC) records management as well as on internal IT resources and systems, which will need to be assessed to ensure that the necessary information is captured, maintained, and readily accessible, will be immense.

Hitesh Patel: The amendments have also clarified the requirements of foreign MSBs offering products to Canadians. These businesses will now be held to a similar standard as domestic MSBs. The requirements include registering with FINTRAC as an MSB, having in place an adequate compliance program, maintain detailed records and reporting relevant transactions to FINTRAC. These businesses should take the amendments seriously as they expose these businesses to the possibility of an Administrative Monetary Penalty (AMP), if found non-compliant, and the potential to be locked out of the Canadian market via de-registration by FINTRAC. Canadian regulated entities (such as banks) cannot open or maintain accounts (or correspondent relationships) with unregistered MSBs.

What are some of the other key changes to reporting requirements?

Hitesh Patel: One change that will affect all reporting entities is the new Suspicious Transaction Reports (STR) requirements, which have undergone a shift in a variety of ways. First of all, the timeline within which entities are required to report suspicious activity has changed from within 30 days from the time that a reporting entity “first detects a fact that constitutes reasonable grounds to suspect” to “as soon as reasonably practicable” after the reporting entity has taken measures that enable them to establish that a transaction or attempted transaction is related to money laundering or terrorist financing.

Cameron Christie: How reporting entities interpret the change in the STR requirements will be critical. It will require them to keep detailed and transparent records of escalations of unusual activity, as well as decision-making processes involved in any investigations conducted as a result of these escalations; so as to ensure that an audit trail is preserved to support both the initial detection of potentially suspicious activity, and the decision made to file. In comparing the STR filing portion of the amendments to the examination guidelines contained within the recently published FINTRAC Assessment Manual2 (containing information on the approach and methods used by FINTRAC to conduct its examinations), one can begin to see the broader picture of how FINTRAC will be looking to enforce the change.

Hitesh Patel: To build on Cameron and Rebecca’s prior points, the manner in which reporting entities interpret “as soon as practicable” will also have a significant effect on business process modifications and transformation decisions. Reporting entities will need to be mindful of whether their current processes are capturing the additional required client and transaction information, the form in which this information is captured, and how easy it is to access this information. Reporting entities will need to make sure that their processes allow them to comply by having appropriate internal expectations around timeframes and also the new mandatory STR data fields.

In our previous publication, we identified a proposed amendment to the rules for verifying customer identification relating to authentic identification – did that proposal make its way into the final published version?

Steve Fantham: Yes, it did! The previous requirement was that identification documents must be “original”, valid and current; however, the amendment has changed the requirement from “original” to “authentic.” This means that entities do not have to verify an original identification document but can instead begin to adopt new ideas and technologies to verify the authenticity of a client’s identification document. For example, I do not have to be physically in possession of the customer’s original document to verify whether or not it is “authentic”. These days, a Canadian passport is equipped with a bar code, detailed holograms and even RFID chips in some cases, which allows for flexibility during onboarding in an online environment. Reporting entities will have to establish clear and transparent processes for what constitutes “authentic” identification, and whether new technology, information sources and approaches can be used to leverage unique identifiers to remain compliant and also enhance the customer experience.

Are there amendments which will have a similar opportunities to positively alter the customer or client experience? Alternatively, are there amendments which may present reporting entities with additional challenges on the customer front?

Dominic Hurtubise: Without a doubt, the new requirements relating to prepaid products will alter the customer experience. Directly in the crosshairs are financial entities and life insurance companies who currently maintain accounts connected to a prepaid payment products which allow transaction(s) of $1,000 or more within a 24-hour period, or allow for a balance of $1,000 or more to be maintained in the account. The amended regulations will not only impose record keeping and identification requirements (such as the name and address of each account holder or authorized user, as well as the nature of their principal business or occupation) for all accounts opened going forward but also for each transaction conducted through such an account.

Rebecca Ip: That is a key point. Prepaid products are often distributed through retailers and with the way that the new regulations are written, they may end up drawing these end-sellers into the compliance process. For example, the regulations state that in addition to identifying the account holders, there is also a requirement to identify “authorized users” of the account. “Authorized Users” are defined as persons who are authorized by the holder of a prepaid payment product account to have electronic access to funds or virtual currency available in the account by means of a prepaid payment product that is connected to it. So if I were to go to a retailer and purchase a prepaid card, I would in effect become an authorized user of the account – and if that account holds a balance of $1,000 or more, the requirements would kick in.

It will be imperative for reporting entities to conduct a review of the life cycle of their prepaid products to gain a fulsome understanding of their exposure and begin addressing the inherent challenges of implementing recordkeeping and identification responsibilities particularly with respect to third parties who do not have the same level of financial literacy as the reporting entities themselves.

Dominic Hurtubise: The cost and effort required in this area could be massive. Those offering prepaid products will have to weigh this cost against the profitability of their product(s) and may have to make hard choices about the continued viability of these products.

Janice Mensah: Another key change that could significantly impact how reporting entities interact with their customers is the amendment of the “single transaction rule.” Multiple transactions totalling $10,000 CAD within a 24 hour period - either conducted or initiated by a single party, made on behalf of the same party, or for the same beneficiary – will now be considered a “single transaction.” Not only has the “single transaction” definition changed, the reporting requirements have been extended to transactions involving the receipt of virtual currency and casino disbursements. Reporting entities will not only need to adjust their transaction monitoring systems appropriately but also ensure that they are capturing the proper transaction information (for example, the identification of multiple individuals who have initiated transactions for a single beneficiary) to ensure that they are complying with this widened scope.

What are the implications of the new regulations on Fintech/Virtual Currency Businesses?

David Colantonio: The definition of virtual currency has changed3 which expands the scope of products captured. However, the responsibilities specifically focused on dealers in virtual currencies have gone largely unchanged from those originally proposed in October 2018. While the new obligations are coming into force in June 2020 and onwards - requiring virtual currency dealers to meet standards similar to those of traditional MSBs - they should not come as a shock to reporting entities operating in this space. A recent Globe and Mail article4 cited internal FINTRAC documents, which indicated that the regulator views financial technology, or fintech, companies as having a “limited understanding” of their anti-money-laundering obligations and that many don’t have compliance programs in place to mitigate risk. While no further details from these documents were referenced in the article, and while certainly not all fintechs can be painted with the same brush, the regulator’s reported view may imply a future focus on fintechs going forward.

Janice Mensah: It will be up to Virtual Currency Businesses themselves to set the tone. We have seen many public pronouncements from companies in this area, welcoming the changes, since the proposed amendments were published. If that is any indication of the industry’s attitude towards compliance, the virtual currency industry may be in better shape than anticipated. The new/added requirements - maintaining records of, and filing, large virtual currency transaction; maintaining records of virtual currency exchange transactions; performing in-depth KYC - will be new to some. As such, it will be important for these entities to understand their new requirements fully, map their current internal processes, and determine how to leverage their inherent innovative spirit to quickly build out a future state designed with compliance in mind.

David Colantonio: Reporting entities who have clients involved in the virtual currency business should also take note. They will need to ensure that these clients are compliant with the new requirements – including being registered as MSBs and having an effective and operating compliance program. Financial entities may be forced to make hard choices about maintaining relationships with clients who are slow to comply.

There are also new requirements for Life Insurance companies. What will be the impact and how will they need to adapt?

Éric Lachapelle: Life Insurance companies that offer prepaid products will certainly be affected, but the same is also true for those companies offering loans to clients. These companies will now be required to comply with the same obligations as a bank or other financial entity, including identifying and conducting due diligence on clients, monitoring client activity, maintaining proper records, and in certain instances making PEP determinations. For certain Life Insurance companies, this may mean that an entire AML Compliance Program will need to be reviewed. Companies offering these products will need to exert significant effort to ensure that they have policies, procedures and processes in place that remain compliant with these new obligations.

What implications do you think the new and revised requirements will have on a reporting entities existing transaction monitoring process?

Dominic Hurtubise: The regulator will still be looking at the outputs (alerts) generated by transaction monitoring (TM) systems to make sure all suspicious transactions were reported. In theory, they will also continue to look at what has been missed by the surveillance systems, which has always been the tricky part. In order to support that, it would have been a good time for the regulator to include some requirements and guidance about “model risk governance.” In Canada, we are almost ten years behind our fellow neighbors in the U.S. where we have seen important fines related to issues on “integrity and integrality” of the data used for transaction monitoring. The new regulatory changes also bring some complexity with regards to information that needs to be reported along with suspicious transactions (as mentioned previously by my colleague Rebecca, source of funds, type of device used to conduct online transactions, IP addresses, etc.). IT development and/or staff augmentation will need to be effected to ensure compliance largely as the additional information that will need to be captured is usually not collected by TM systems. Newly regulated products/services such as prepaid products, virtual currency will require transactions monitoring (with limited exceptions), which is not the case right now.

Do you have any closing thoughts on how the amended regulations position Canada’s AML Regime going forward?

Éric Lachapelle: As noted at the outset, these amendments represent an important step in closing some of the gaps in the Regime that have been well publicized. They will enhance both our country’s ability to monitor ML/TF activity and enforce the requirements of the Regime. But make no mistake, while the amended regulations certainly represent an improvement, they do not take us all the way to where we need to go. Further waves of change will be needed to get us there, and I’m looking forward to seeing what those next waves look like.

Hitesh Patel: Agreed. There is still some way to go if the goal is to build Canada’s AML Regime into a world leader in the fight against ML/TF. For example, the House of Commons’ Standing Committee on Finance released a report in November 2018 detailing the findings of its mandated five-year review of the Regime, which included thirty-two recommendations for closing legislative and regulatory gaps identified in the review. One could read this as the Government telegraphing what may be next on the agenda – the next wave - in the Regime’s continued evolution. However, while further change in regulations is inevitable given the propensity of criminals to continually adopt new methods and channels to launder ill gotten gains ever it cannot be discounted that the amended regulations have put Canada in a much stronger position to combat money laundering and terrorist financing.