Money Laundering Detection Regimes

Credit Unions in Canada

Chris Randle, CAMS

Contents

Executive Summary
Notice to Reader
Understanding the Requirements
  Understanding Suspicious Transactions
  Understanding the Detection of Suspicious Transactions
  Summary of Obligations to Detect Suspicious Transactions
  Understanding Penalties for Non-Compliance
  Understanding How FINTRAC Detects Unreported Suspicious Transactions
Assessing the Current Money Laundering Detection Regime
  Summary of Responses by Obligation to Detect Suspicious Transactions
    Requirement 1
    Requirement 2
    Requirement 3
    Requirement 4
    Requirement 5
    Requirement 6
    Requirement 7
  Summary
Proposed Money Laundering Detection Regime Guidance
  Functional Elements
  Training Elements
  Audit Elements
  Manual Detection Regime Elements: General, Training, Audit, Detection Elements
  Procedural (Systemic) Detection Regime Elements: General, Training, Audit, Detection Elements
  Automated Detection Regime Elements: General, Training, Audit, Transaction-based Detection, Context-based (Profile) Detection
Appendix I Detailed Survey Results
Appendix II Survey Respondent Demographics

Executive Summary

Credit unions operating in Canada are required to detect and report suspicious transactions to the Financial Transaction Reporting and Analysis Centre of Canada (FINTRAC). This obligation is enacted through the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (The Act), its accompanying regulations, and supporting guidelines from FINTRAC. These obligations are enforced by FINTRAC, other regulators and law enforcement, as necessary.

Credit unions, with limited or in some cases constrained resources, may struggle to recognize the breadth and depth of their obligations, and therefore fail to implement and maintain regimes to satisfy the expectations of their regulators. Many credit unions may lack dedicated anti-money laundering (AML) resources, or else their teams may not have the depth of AML expertise necessary for them to be successful; in the end, the credit union system's single biggest risk may be found in their not knowing what they do not know, and therefore they may fail to identify and recognize the risks they face, nor know what questions to ask to effectively manage them.

Penalties for the failure of a credit union to identify and report a suspicious transaction can be severe. Therefore, this paper seeks to identify and clearly articulate the various facets of the credit union's obligation to detect suspicious transactions, and propose universally applicable standards to enhance their detection regimes. To achieve this, this paper has sought to:

- Articulate the regulatory obligations and expectations incumbent on credit unions to detect suspicious transactions;
- Assess the state of the current money laundering detection regimes employed by credit unions to detect potentially suspicious transactions;
- Identify best practices from within the credit union industry in the execution of their detection regimes; and
- Propose the provision of formal detection regime guidance, with standards that may be applied industrywide.

In order to assess the state of the current money laundering detection regimes at credit unions, surveys were sent to managers responsible for the execution of these regimes at several credit unions across Canada. Through the survey responses received, this paper has documented that the credit union industry as a whole is facing a high risk of noncompliance against their obligations to detect and therefore report suspicious transactions. The response, being the provision of guidance relative to the development, execution and maintenance of an effective money laundering detection regime, will mitigate this risk and strengthen the overall AML regime in Canada.

The obligations of credit unions to detect suspicious transactions are several and challenging; the penalties for failure are severe to catastrophic. This proposed detection regime implies significant changes to the nature and level of the human and technological resources required to develop, execute and maintain such a regime. Only by being prepared to respond to each and all of these potential challenges, can those responsible for the credit union's AML operations offer reasonable assurance to the credit union, its board of directors, employees, members and communities that their regulatory obligations are met and their social contract upheld.

Notice to Reader:

Throughout this paper, I will refer to "member(s)" as opposed to "clients" or "customers", and "know your member" (KYM) vs. "know your customer" (KYC). Typically, all clients of a credit union are also members with ownership shares in that credit union. In my opinion, "member" implies an enhanced standard of KYM and monitoring required over that of a client; a member can participate in the annual meetings of the credit union, vote on all matters of material importance to the credit union (including mergers, setting risk tolerance, etc.), and nominate and elect the board of directors. Therefore, a coordinated effort by a group of members could have a material impact on the operations of a credit union.

FINTRAC is Canada's financial intelligence unit, responsible for the analysis of intelligence related to financial transactions conducted through designated reporting entities in Canada; reporting entities include all financial institutions including banks and credit unions, money services businesses, dealers in precious metals and stones, accountants, British Columbia notaries, real estate brokers and agents, life insurance agents, securities dealers, and casinos. FINTRAC also acts as a regulator of every reporting entity, with the authority to audit and enforce the requirements of Canada's AML regime.

For the purposes of this paper, I have chosen primarily to reference FINTRAC's guidelines (The Guidelines) as opposed to The Act or regulations to define the various obligations of reporting entities to detect and report suspicious transactions. The Guidelines are derived from The Act and its regulations, are written in plain language and document FINTRAC's expectations for the conduct of reporting entities relative to their obligations under The Act. There are minor variances between The Act and its regulations, and The Guidelines, where The Guidelines interpret the obligations of The Act and its regulations, and in some cases, this interpretation does expand the scope of those obligations. FINTRAC conducts audits relative to the requirements articulated within The Guidelines, and can assess administrative monetary penalties for failure to comply with The Guidelines, or with the underlying obligations of the Act and regulations. Alternatively, FINTRAC can escalate criminal sanctions to law enforcement for failure to comply with The Act and its regulations.

Understanding the Requirements

Credit unions, as designated reporting entities, maintain extensive obligations under The Act, including those requiring them to actively detect suspicious transactions conducted through the credit union, and to report those transactions to FINTRAC. In order to fully articulate and respond to these obligations, comprehensive review and interpretation of FINTRAC's guidance relative to the detection of suspicious transactions, including a review of the relevant parts of the definition of a suspicious transaction, is necessary.

Understanding Suspicious Transactions:

FINTRAC defines a suspicious transaction as:

"A suspicious transaction is one for which there are reasonable grounds to suspect that the transaction is related to a money laundering offence A suspicious transaction can include one that was attempted." [1]

"Suspicious transactions are financial transactions that you have reasonable grounds to suspect are related to the commission of a money laundering offence. This includes transactions that you have reasonable grounds to suspect are related to the attempted commission of a money laundering offence." [2]

"Transactions may give rise to reasonable grounds to suspect that they are related to money laundering regardless of the sum of money involved. There is no monetary threshold for making a report on a suspicious transaction." [3]

"Under Canadian law, a money laundering offence involves various acts committed with the intention to conceal or convert property or the proceeds of property (such as money) knowing or believing that these were derived from the commission of a designated offence. In this context, a designated offence means most serious offences under the Criminal Code or any other federal Act. It includes, but is not limited to those relating to illegal drug trafficking, bribery, fraud, forgery, murder, robbery, counterfeit money, stock manipulation, tax evasion and copyright infringement. A money laundering offence may also extend to property or proceeds derived from illegal activities that took place outside Canada." [4]

In this case, FINTRAC's reference to a designated offense must be further clarified through referral to the definition of same in the Criminal Code of Canada:

"Designated offense means (a) any offense that may be prosecuted as an indictable offense under this or any other Act of Parliament, other than an indictable offense prescribed by regulation, or (b) a conspiracy or an attempt to commit, being an accessory after the fact in relation to, or any counselling in relation to, an offence referred to in paragraph (a);" [5]

Therefore, a designated offense is any indictable (serious) criminal offense or violation of other federal acts, not limited to those identified in FINTRAC's guidance.

From this guidance, it can be derived that a suspicious transaction:

- Is a financial transaction (therefore, nonfinancial transactions are not reportable)
- May be completed or an attempted transaction
- Is one that is suspected (on reasonable grounds) to be related to an actual or attempted money laundering offense, where the designated offense occurred in Canada or internationally
- Can be of any value

Nonfinancial transactions may include activities like the opening of an account or operation of a safe deposit box. Credit unions should still identify suspicions relative to these activities in order to assess whether or not a reportable financial transaction may have been attempted or completed through the execution of these nonfinancial transactions.

FINTRAC provides further guidance relative to the evaluation of indicia of money laundering against the reasonable grounds to suspect threshold:

"A suspicious transaction may involve several factors that may on their own seem insignificant, but together may raise suspicion that the transaction is related to the commission or attempted commission of a money laundering offence The context in which the transaction occurs or is attempted is a significant factor in assessing suspicion. This will vary from business to business, and from one client to another. You should evaluate transactions in terms of what seems appropriate and is within normal practices in your particular line of business, and based on your knowledge of your client. The fact that transactions do not appear to be in keeping with normal industry practices may be a relevant factor for determining whether there are reasonable grounds to suspect that the transactions are related to money laundering An assessment of suspicion should be based on a reasonable evaluation of relevant factors, including the knowledge of the customer's business, financial history, background and behaviour. Remember that behaviour is suspicious, not people. Also, it could be the consideration of many factors not just one factor that will lead you to a conclusion that there are reasonable grounds to suspect that a transaction is related to the commission or attempted commission of a money laundering offence All circumstances surrounding a transaction should be reviewed." [6]

"The indicators (of potentially suspicious activity) have to be assessed in the context in which the transaction occurs or is attempted. Each indicator may contribute to a conclusion that there are reasonable grounds to suspect that the transaction is related to the commission or attempted commission of a money laundering offence However, it may also offer no indication of this in light of factors such as the client's occupation, business, financial history and past investment pattern. Taken together, the presence of one or more indicators as well as your knowledge of your client's business or financial affairs may help you identify suspicious transactions." [7]

From this guidance, it can be derived that adjudication of a transaction against the reasonable grounds to suspect threshold should include:

- The consideration of individual indicators of potentially suspicious behavior or activity, as well as typologies involving multiple or combinations of indicators
- An evaluation of the indicator(s) against the context in which the transaction occurred or was attempted
- Context should include consideration for the:
  o Normal and expected business practices within the credit union and credit union industry
  o Normal and expected business practices within the member's industry, or among members of similar profile
  o Normal and expected business practices of the specific member, including occupation, nature of business, financial history, prior investment pattern, background and behavior.

[1] FINTRAC Guideline 2(1)
[2] FINTRAC Guideline 2(3.1)
[3] FINTRAC Guideline 2(6.1)
[4] FINTRAC Guideline 2(3.1)
[5] Criminal Code (R.S.C., 1985, c. C-46); Part XII (1): 93.html?txthl=462.3#s
[6] FINTRAC Guideline 2(6.1)
[7] FINTRAC Guideline 2(6.3)

Understanding the Detection of Suspicious Transactions:

The Regulations oblige every employee or representative of the credit union to attempt to detect potentially suspicious transactions.

"The report shall be sent to the Centre (FINTRAC) within 30 days after the person or entity or any of its employees or officers first detects a fact respecting a financial transaction or an attempted financial transaction that constitutes reasonable grounds to suspect that the transaction or attempted transaction is related to the commission of a money laundering offence" [8]

FINTRAC has further articulated the obligation to actively detect suspicious transactions, among other requirements, through the establishment of business relationships. FINTRAC provides the following definition of a business relationship:

"A business relationship is a relationship that you establish with a client to conduct financial transactions or provide services related to those transactions. For financial institutions, these relationships can be established within or outside of an account

"Account-based business relationship: You are in a business relationship with a client that holds an account with you. You enter into a business relationship when a client opens an account with you. For a new or existing client that has one or more accounts, the business relationship includes all transactions and activities relating to those accounts.

"Non-account-based business relationship: If your client does not have an account, you enter into a business relationship when you conduct two or more transactions in which you have to:

- Ascertain the identity of the individual or
- Confirm the existence of a corporation or other entity

"In such a case, the business relationship only includes transactions and related activities for which you have to ascertain the identity of your client." [9]

Based on this definition, all members of a credit union would be considered to have entered into a business relationship with that credit union. Credit unions typically have limited non-account-based business relationships, if any at all.

[8] Proceeds of Crime (Money Laundering) and Terrorist Financing Suspicious Transactions Reporting Regulations (SOR/ )9(2): 2.html?txthl=officers%20-%20s-9
[9] FINTRAC Guideline 6G(5)

A member's business relationship includes all profiles, accounts and products associated with the specific legal entity, including joint relationships. The business relationship does not extend to any other distinct legal entities otherwise controlled by that entity.

"Where an individual has a retail chequing account with a financial institution, this establishes a business relationship and this business relationship consists of all accounts that the individual holds, including joint accounts and any business accounts where the individual is a sole proprietor. However, if the individual has signing authority on a business account, the business relationship is established with the account holder of that account, namely the entity. The business relationship that the financial institution has with the individual does not include the accounts where this individual is a signatory because the accounts are not held by the same client." [10]

FINTRAC provides the following guidance with respect to the obligations to detect suspicious transactions conducted on behalf of business relationships:

"Ongoing monitoring (of a business relationship and related records) means that you have to monitor your business relationship with a client on a periodic basis. Use your risk assessment of the client with whom you have a business relationship to determine how frequently you will monitor that business relationship... You have to perform ongoing monitoring of each business relationship in order to:

- Detect suspicious transactions that have to be reported;
- Keep client identification, beneficial ownership information, and the purpose and intended nature of the business relationship up-to-date;
- Reassess the level of risk associated with the client's transactions and activities; and
- Determine whether the transactions or activities are consistent with the information previously obtained about the client, including the risk assessment of the client.

"The above-listed requirements do not need to follow the same timeframe, so long as you monitor your high-risk clients more frequently and with more scrutiny than you do your low-risk clients." [11]

Therefore, monitoring activities undertaken to detect suspicious transactions must be commensurate with the assessed money laundering risk of the business relationship, and must seek to detect activities and behaviors that are inconsistent with the expectations that your credit union has established for that relationship.

[10] FINTRAC Policy Interpretations, Business Relationship 3.: eng.asp?s=14
[11] FINTRAC Guideline 6G(5)

Monitoring activities must encompass the entire business relationship, and therefore the member's assessed risk of money laundering must be unified across all profiles, accounts, products and joint relationships.

"For a new or existing client that has one or more accounts, the business relationship includes all transactions and activities relating to those accounts." [12]

Account-based business relationships must be monitored for suspicious activities for five years after the closure of the account. In other words, should the credit union become aware of indicators of potentially suspicious activity after the closure of the account, for transactions that occurred while the account was active, these must also be reviewed and adjudicated. Transactions conducted outside of a business relationship must also be monitored for indicators of potentially suspicious activity.

"A business relationship is established when two transactions that require you to ascertain the identity of your client occur within a maximum of five years from one another. If a period of five years passes from the last transaction that required you to ascertain the identity of your client, the business relationship with that client ceases in the case of non-account-based business relationships. In the case of clients who hold an account, the business relationship ceases five years after the client closes that account." [13]

"If you have a client without an account who conducts two or more suspicious transactions, you have still entered into a business relationship with that client, even if you are unable to ascertain the identity of that client. This is because suspicious transactions require you to take reasonable measures to ascertain the identity of the client and so two or more of these transactions will trigger a business relationship." [14]

Summary of Obligations to Detect Suspicious Transactions

Relative to the credit union's obligations to detect suspicious transactions, the following requirements of a detection regime may be surmised:

- The regime must require and incorporate the participation of every employee and representative of the credit union in the detection of suspicious activities;
- All activities relative to the commission or attempted commission of a designated offense through the credit union must be reviewed for eligibility to report as a suspicious transaction;
- Monitoring activities must encompass all completed or attempted financial transactions, regardless of value, conducted at the direction of an individual or entity that is not itself transacting on behalf of the credit union, whether or not that individual or entity maintains a business relationship with the credit union;
- Monitoring activities should seek to detect both individual indicators of potentially suspicious transactions, as well as activities where multiple or combinations of indicators may be present;
- All profiles, accounts, products and joint accounts within a business relationship must be monitored for the detection of suspicious transactions, and the money laundering risk assessment for that relationship must be unified across the entire relationship. Monitoring activities must be commensurate with that assessed risk, for all transactions conducted or attempted within or on behalf of that business relationship;
- Monitoring activities must seek to detect transactions and behaviors that are inconsistent with the expectations that the credit union has established for that business relationship; and
- Monitoring activities must continue for five years after the closure of all profiles, accounts, products and joint accounts within a business relationship.

Understanding Penalties for Noncompliance

As the Proceeds of Crime (Money Laundering) and Terrorist Financing Act is a part of the Criminal Code of Canada, failure to comply with a provision of The Act, including failing to report a suspicious transaction, may result in criminal penalties for both the credit union, and for any employee that fails to report or appropriately escalate a suspicious transaction. Alternatively, FINTRAC also has the ability to assess an administrative monetary penalty (AMP) against both the credit union and its individual employees.

"Non-compliance with Part 1 of the Proceeds of Crime (Money Laundering) Terrorist Financing Act may result in criminal or administrative penalties. Both criminal and administrative monetary penalties (AMPs) cannot be issued against the same instances of non-compliance.

"Criminal penalties

"FINTRAC may disclose cases of non-compliance to law enforcement when there is extensive non-compliance or little expectation of immediate or future compliance. Criminal penalties may include the following:

- Failure to report suspicious transactions: Up to $2 million and/or five years imprisonment.
- Failure to report a large cash transaction or an electronic funds transfer: Up to $500,000 for the first offence, $1 million for subsequent offenses.
- Failure to meet record keeping requirements: Up to $500,000 and/or five years imprisonment.
- Failure to provide assistance or provide information during compliance examination: Up to $500,000 and/or five years imprisonment.
- Disclosing the fact that a suspicious transaction report was made, or disclosing the contents of such a report, with the intent to prejudice a criminal investigation: Up to two years imprisonment." [15]

"Administrative monetary penalties (AMPs) are an additional tool to criminal sanctions with the objective of supporting and enhancing efforts to ensure compliance on the part of reporting entities. AMPs allow for a measured and proportionate response to particular instances of noncompliance. Violations are classified by the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations as minor, serious or very serious and carry the following range of penalties:

- Minor violation: From $1 to $1,000 per violation
- Serious violation: From $1 to $100,000 per violation
- Very serious violation: From $1 to $100,000 per violation for an individual, and from $1 to $500,000 per violation for an entity (e.g., corporation)

"The limits above apply to each violation, and multiple violations can result in a total amount that exceeds these limits." [16]

"There are penalties if you fail to meet the suspicious transaction reporting obligations. Failure to report a suspicious transaction could lead to up to five years imprisonment, a fine of up to $2,000,000, or both. Alternatively, failure to meet the suspicious transaction reporting obligations can lead to an administrative monetary penalty. Penalties for failure to report do not apply to employees who report suspicious transactions to their superior. There are also penalties if you tip anyone off about a suspicious transaction report, if your intent is to harm or impair a criminal investigation." [17]

Understanding How FINTRAC Detects Unreported Suspicious Transactions

FINTRAC has not provided any formal guidance relative to how it seeks to detect suspicious transactions that a reporting entity has failed to report. FINTRAC has the authority to audit all aspects of a credit union's operations, including the authority to inspect all documents that have or ought to have been retained by the credit union, and interview all of its employees. FINTRAC can instigate an audit at any time, and may choose to limit or broaden the scope of any such engagement at its sole discretion.

[12] FINTRAC Guideline 6G(5)
[13] FINTRAC Guideline 6G(5)
[14] FINTRAC Guideline 6G(5)
[15] FINTRAC Penalties for non-compliance
[16] FINTRAC Administrative monetary penalties
[17] FINTRAC Guideline 2(5.3)

To understand how FINTRAC may seek to detect unreported suspicious transactions, a brief explanation of FINTRAC's sources of financial intelligence is necessary.

Prescribed Reporting

Reporting entities are required to send certain prescribed reports to FINTRAC, within specific prescribed timelines and containing certain prescribed information. These reports include:

- Suspicious transaction reports (STR), for any transaction or attempted transaction for which a reporting entity has established that there are reasonable grounds to suspect that the transaction is related to the commission or attempted commission of a money laundering offence;
- Large cash transaction reports (LCTR), for any deposit of $10,000 or more of cash, in a single transaction or through combination of transactions conducted within a 24-hour period, on behalf of the same individual or entity;
- Electronic funds transfer reports (EFTR), for any transfer of funds in to or out of Canada, totaling $10,000 or more, in a single transaction or through a combination of transactions conducted within a 24-hour period, on behalf of the same individual or entity; and
- Casino disbursement reports, for any disbursements of $10,000 or more, in a single transaction or through a combination of transactions conducted within a 24-hour period, on behalf of the same individual or entity.

Other Reporting

FINTRAC also receives reporting from other sources beyond designated reporting entities, including:

- Cross-border currency or monetary instruments reports, submitted by the Canada Border Services Agency (CBSA) any time a person enters or leaves Canada carrying a sum of currency or monetary instruments totaling $10,000 or more, or if such sums are sent by mail. A seizure report is also filed when a person fails to properly report to the CBSA that such currency has been carried or sent; and
- Voluntary disclosures may be submitted to report suspicions of money laundering, by any person in Canada or abroad.
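The 24-hour aggregation rule for large cash transaction reports listed under Prescribed Reporting, as an added example that is not part of the original paper: it flags every deposit that brings one member's cash deposits over the preceding 24 hours to $10,000 or more. The record layout, the member identifiers, the sample deposits and the reading of "24-hour period" as a rolling window are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

THRESHOLD = Decimal("10000")   # from the paper: "$10,000 or more of cash"
WINDOW = timedelta(hours=24)   # from the paper: "within a 24-hour period"


@dataclass(frozen=True)
class Alert:
    entity: str             # individual or entity the cash was deposited on behalf of
    window_start: datetime  # earliest deposit counted in the aggregate
    window_end: datetime    # deposit that brought the aggregate to the threshold
    total: Decimal
    deposits: int           # number of deposits in the aggregate


def lctr_candidates(cash_deposits, threshold=THRESHOLD, window=WINDOW):
    """Return one Alert per deposit that takes an entity's trailing total to the threshold.

    cash_deposits: iterable of (entity_id, timestamp, amount) tuples in any order.
    Assumption: the period is a rolling window, so two deposits exactly 24 hours
    apart are not aggregated. Alerts for one entity can overlap; each still
    needs review before a report is filed.
    """
    by_entity = defaultdict(list)
    for entity, ts, amount in cash_deposits:
        by_entity[entity].append((ts, Decimal(amount)))

    alerts = []
    for entity, rows in sorted(by_entity.items()):
        rows.sort(key=lambda row: row[0])
        left = 0
        running = Decimal("0")
        for right, (ts, amount) in enumerate(rows):
            running += amount
            # Drop deposits made 24 hours or more before the current one.
            while ts - rows[left][0] >= window:
                running -= rows[left][1]
                left += 1
            if running >= threshold:
                alerts.append(
                    Alert(entity, rows[left][0], ts, running, right - left + 1)
                )
    return alerts


# Constructed sample data; member identifiers and amounts are invented.
SAMPLE_DEPOSITS = [
    ("M-1002", datetime(2024, 3, 4, 10, 0), "12000.00"),   # single large deposit
    ("M-1001", datetime(2024, 3, 5, 8, 50), "2600.00"),    # third of three in < 24 h
    ("M-1001", datetime(2024, 3, 4, 9, 15), "4000.00"),
    ("M-1001", datetime(2024, 3, 4, 16, 40), "3500.00"),
    ("M-1003", datetime(2024, 3, 4, 9, 0), "6000.00"),     # exactly 24 h apart
    ("M-1003", datetime(2024, 3, 5, 9, 0), "6000.00"),
    ("M-1004", datetime(2024, 3, 4, 9, 0), "3000.00"),     # totals only $9,000
    ("M-1004", datetime(2024, 3, 4, 12, 0), "3000.00"),
    ("M-1004", datetime(2024, 3, 4, 15, 0), "3000.00"),
]

if __name__ == "__main__":
    for alert in lctr_candidates(SAMPLE_DEPOSITS):
        print(
            f"{alert.entity}: ${alert.total} in {alert.deposits} deposit(s) "
            f"between {alert.window_start} and {alert.window_end}"
        )
```

The same function can be run over electronic funds transfers or casino disbursements, which the paper lists with the same $10,000 threshold and 24-hour period.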
Law Enforcement

As a financial intelligence unit, FINTRAC is also responsible for the receipt and management of financial intelligence disclosures from law enforcement agencies in Canada and abroad, including:

- The Canada Revenue Agency;
- Local, provincial, and national law enforcement and intelligence agencies; and
- International sources including other financial intelligence units, international law enforcement and intelligence agencies.

While the entirety of FINTRAC's detection methodologies may not be known publicly, FINTRAC has many detection vehicles at its disposal which can be deployed either remotely or through the execution of a formal audit. A credit union must reasonably assume that each of these elements could be included in FINTRAC's detection regime.

Remote Detection

- FINTRAC may review LCTRs or EFTRs submitted by the credit union, to detect scenarios that may be similar to transactions or typologies previously reported as suspicious by the credit union, which have not been reported in the present circumstance.
- FINTRAC may review LCTRs and EFTRs submitted by the credit union, for entities related to a previously filed STR, where the presently (or previously) reported large cash transaction (LCT) or electronic funds transfer (EFT) has not also been reported as suspicious.
- FINTRAC may review previous STRs submitted by the credit union, to identify where the credit union has ceased to file for ongoing activity for the same entity.
- FINTRAC may identify entities that maintain business relationships with the credit union and with other reporting entities, through the information contained in any prescribed reports received from either; where an entity has been found to be suspicious by another reporting entity, FINTRAC may challenge the credit union if the credit union has failed to identify indicators of potentially suspicious transactions conducted within its own business relationship.
- FINTRAC may identify entities that maintain business relationships with the credit union through the information contained in any prescribed reports or other intelligence, which are suspected by law enforcement to be involved in money laundering, and may challenge the credit union if the credit union has failed to identify indicators of potentially suspicious transactions conducted within its own business relationship.
- FINTRAC may evaluate the money laundering typologies detected and reported, the sophistication of those typologies, as well as the volume and quality of any reports submitted by the credit union, against other reporting entities within the credit union's peer group, to assess the quality of the credit union's detection regime.

Audit Detection

- FINTRAC may review the credit union's policies and procedures relative to the obligation of all employees to detect and report indicators of potentially suspicious activity; FINTRAC may question employees involved in the management of specific business relationships to determine if any indicators were identified and not reported.
- FINTRAC may audit all documented cases and case sources to challenge the escalation or adjudication of any indicators identified; case sources may include but are not limited to system-generated money laundering alerts, production orders or other requests from law enforcement, fraud detection or case systems, list scan results, and unusual transaction reports submitted by credit union employees.
- FINTRAC may review all de-marketed or closed business relationships, rejected account applications, where any closure or denial may be related to an attempt to commit a designated offense (i.e., fraud).
- FINTRAC may review all rejected credit applications, or files where a credit loss has been realized, to determine if the reason for the rejection or loss may be related to a designated offense or an attempt to commit a designated offense (i.e., fraud, tax evasion).
- FINTRAC may also review approved credit applications, to determine whether any deviations in reported or verified income versus actual or apparent income have been escalated for review relative to the commission of a designated offense (i.e., fraud, tax evasion).
- FINTRAC may review any fraud loss or other loss records, including GL entries, to determine if the money laundering activities associated with those designated offenses went unreported.

Credit unions must be prepared to defend any challenge from FINTRAC related to a possible failure to identify and report a suspicious transaction. Credit unions should evaluate each channel and process within their operations to identify those that could indicate that a suspicious transaction has occurred. As no detection regime can be perfect and failures will occur, a credit union may only defend itself in case of such failures through the implementation of a robust money laundering detection regime.

Assessing the Current Money Laundering Detection Regime

To attempt to assess the current state of money laundering detection regimes within the credit union sector, surveys were sent to compliance managers at several credit unions in Canada.
Respondents are all responsible for the management of their respective AML/CTF compliance regimes, and their positions within their organizations range from operational management to executive-level roles. Their unedited responses to each survey question can be found in the appendices. Those responses have been summarized against the detection obligations established.

Invitations to participate in the survey were sent to 24 credit unions; the 14 respondents represent more than 47 percent of the assets under management (>$78 billion) by the credit union system in Canada, excluding Quebec. The survey contained 53 distinct questions, many of which were open-ended. Some of the questions were intended to assess compliance with the obligations identified, while others were intended to solicit best practices for inclusion in a detection regime guidance document. Respondents were directed not to answer any question that they were not comfortable with.

After an assessment of the responses received for each question or series of questions, a risk rating was assigned to each detection regime obligation:

• High risk: Material noncompliance is likely
• Medium risk: Material noncompliance is possible
• Low risk: Material noncompliance is unlikely

The assessments are inherently subjective and based solely on the responses received, though the overall compliance trends identified should serve to adequately articulate the challenges faced by the credit union industry in Canada with respect to compliance with these obligations.

Summary of Responses by Obligation to Detect Suspicious Transactions

Requirement 1

The regime must require and incorporate the participation of every employee and representative of the credit union in the detection of suspicious activities.

Success against this requirement necessitates that the credit union engage all of its employees in the detection of potentially suspicious activities, regardless of their role within the credit union.

• High Risk: Employee engagement in the detection of suspicious activity not documented
• Medium Risk: Employee engagement in the detection of suspicious activity limited to front-line employees
• Low Risk: All employees engaged in the detection of suspicious activity
• Unscored: No response, or employee engagement was not defined

All respondents stated that their employees are responsible for the submission of unusual transaction reports where unusual or suspicious transactions have been identified. Many credit unions assigned this responsibility solely to front-line or branch employees, in addition to compliance staff, while some responses were ambiguous regarding which employees maintained this obligation.

Medium risk: most employee escalations are reasonably expected to come from branch employees, though this requirement should be established with all employees.

Requirement 2

All activities relative to the commission or attempted commission of a designated offense through the credit union must be reviewed for eligibility to report as a suspicious transaction.

Success against this requirement necessitates that the credit union assess all points of contact with a member, and all sources of information about a member obtained through the normal course of business, to reasonably identify enhanced risks of involvement by that member in the commission of a designated offense.

• High Risk: No documented formal activities specific to the detection of identifiable designated offenses
• Medium Risk: Some documented formal activities specific to the detection of identifiable designated offenses
• Low Risk: Robust documented formal activities specific to the detection of identifiable designated offenses
• Unscored: No response

Only two credit unions provided a comprehensive list of case intake sources to indicate that reasonable efforts to identify evidence of a designated offense are undertaken, and therefore reviewed to determine eligibility for reporting. This list included indicators of fraud, inquiries from law enforcement including the receipt of production orders, referrals from the Credit Union Office of Crime Prevention Investigators (CUOCPI), and the formal review of negative media.

One other credit union noted that their AML cases are sometimes referred from a fraud investigation. Another stated that they are exploring the possibility of including fraud in their reporting regime, though they also report sharing human resources between their AML and fraud operations. Two others that share human resources between AML and fraud operations did not reference referrals from fraud investigations as a source of their AML cases. Several noted the use of structured or unstructured negative media review processes. One additional credit union noted referrals from the receipt of production orders.

High risk: absent a structured and comprehensive regime specific to the detection of activities related to the commission of an identifiable designated offense, material deficiencies are likely to occur frequently.
Requirement 3

Monitoring activities must encompass all completed or attempted financial transactions, regardless of value, conducted at the direction of an individual or entity that is not itself transacting on behalf of the credit union, whether or not that individual or entity maintains a business relationship with the credit union.

Success against this requirement presumes that the credit union has fully engaged its employees in the detection of suspicious activities, as this may be the only method of detecting certain attempted transactions, and presumes that the credit union has implemented an automated detection tool, as this is the only reasonable way to encompass the monitoring of all transactions into the detection regime.

• High Risk: Employee engagement in the detection of suspicious activity not documented and/or no use of automated detection software
• Medium Risk: Employees are engaged in the detection of suspicious activity and automated detection software is in use, though without quality assurance and/or effectiveness testing
• Low Risk: Employees are engaged in the detection of suspicious activity and automated detection software is in use, including quality assurance and/or effectiveness testing
• Unscored: No response

All respondents indicated that automated transaction monitoring systems are in use by their credit unions. All respondents stated that their employees are responsible for the submission of unusual transaction reports where unusual or suspicious transactions have been identified. None of the respondents specifically noted the requirement to detect attempted transactions, though these may reasonably be included in the submission of unusual transaction reports by branch employees. Only one respondent specifically noted that their regime tests that all transactions from their core banking system are fed correctly to their transaction monitoring software.

Medium risk: absent structured effectiveness testing regimes that include the testing of transactional data feeds from core banking systems into transaction monitoring systems, material deficiencies are possible. Absent the establishment of specific obligations to escalate attempted transactions via the submission of unusual transaction reports, material deficiencies are possible.

Requirement 4

Monitoring activities should seek to detect both individual indicators of potentially suspicious transactions, as well as activities where multiple or combinations of indicators may be present.
Success against this requirement presumes that the credit union has implemented an automated detection tool, as this is the only reasonable way to incorporate the detection of combinations of indicators across the credit union's portfolio.

• High Risk: No automated detection systems have been implemented
• Medium Risk: Automated detection systems have been implemented, to identify either individual indicators or combinations of indicators
• Low Risk: Automated detection systems have been implemented, to identify both individual and combinations of indicators
• Unscored: No response

Most respondents indicated that their transaction monitoring systems evaluate both individual transactional indicators, as well as combinations of different types of activities that may be indicative of money laundering.

Low risk.

Requirement 5

All profiles, accounts, products and joint accounts within a business relationship must be monitored for the detection of suspicious transactions, and the money laundering risk assessment for that relationship must be unified across the entire relationship. Monitoring activities must be commensurate with that assessed risk, for all transactions conducted or attempted within or on behalf of that business relationship.

Success against this requirement presumes that the credit union has a systemic method of grouping all of their member's profiles, accounts and products into the requisite business relationships, has a method to measure the risk of each business relationship as a whole, and can monitor the transactions conducted through the various profiles, accounts and products of a business relationship in a manner commensurate with that business relationship's assessed risk.

• High Risk: Business relationships are not identified
• Medium Risk: Business relationships are identified, but risk is scored at a level other than the level of the business relationship
• Low Risk: Business relationships are identified, risk scored, and monitored through an automated detection system
• Unscored: No response

Several respondents stated that they lacked the technical ability to associate all profiles, accounts, products and joint accounts for an individual or entity into a single business relationship.

Several respondents stated that they had established business relationships as required, but that they lacked the technical ability to assign a unified risk score to all aspects of each business relationship.

High risk: absent the ability to properly identify and risk score business relationships, material deficiencies are likely.

Requirement 6

Monitoring activities must seek to detect transactions and behaviors that are inconsistent with the expectations that the credit union has established for that business relationship.

Success against this requirement necessitates that the credit union implement a method to segment its business relationships systemically, in order to establish expectations for each segment, and to monitor the transactions conducted in each business relationship against those expectations.

• High Risk: No segmentation of business relationships
• Medium Risk: Some segmentation, with monitoring against individual business relationships only
• Low Risk: Business relationship segments established, and systemic monitoring in place for each business relationship against their respective segment
• Unscored: No response

All respondents indicated that their current automated transaction monitoring systems do not analyze business relationships by segment, though some noted that they maintain separate alert-generation transaction thresholds for business and personal accounts. All respondents stated that their employees are responsible for the submission of unusual transaction reports. Reasonably, employees may consider this to be a factor in their determinations that a transaction is unusual. Some respondents noted that PEFP accounts are maintained as a segment. Another respondent noted that they monitor MSB accounts as a segment.

High risk: absent a well-defined method of segmenting a portfolio of business relationships, material deficiencies are likely in the monitoring of all business relationships against established transactional and behavioral expectations.

Requirement 7

All business relationships must be monitored, and those monitoring activities must continue for five years after the closure of all profiles, accounts, products and joint accounts within a business relationship.

Success against this requirement necessitates that the credit union continue to monitor all business relationships for five years post closure, inclusive of risk scoring, and that the ongoing monitoring of these closed business relationships must be commensurate with the risks assessed. This monitoring and risk assessment regime may be distinctly different than those deployed for the monitoring of active relationships.

• High Risk: No monitoring or risk assessment of business relationship post closure
• Medium Risk: Some monitoring or risk assessment methodology applied to closed relationships
• Low Risk: Monitoring and risk assessment regime established for closed relationships, and monitoring is commensurate with risks assessed
• Unscored: No response

Only one respondent noted the implementation of a monitoring regime specific to closed business relationships, and further noted how this regime was applied differently to those business relationships deemed high risk while they were active. Two respondents noted that closed relationships were assigned a low-risk score, as transactional activity had ceased.

High risk: respondents primarily focused on transactional monitoring and failed to recognize that the monitoring of closed accounts may include other considerations.

Summary

• High Risk: Material noncompliance is likely
• Medium Risk: Material noncompliance is possible
• Low Risk: Material noncompliance is unlikely

As even a single unreported suspicious transaction can result in serious penalties, and any systemic deficiency can have catastrophic consequences, a single high-risk determination against any of the requirements above is indicative of an overall high risk for the entire credit union system.

Proposed Money Laundering Detection Regime Guidance

The purpose of this proposed money laundering detection regime guidance is to establish the minimum standards expected in the development and execution of a detection regime at a Canadian credit union. While this proposed regime encompasses elements both to meet regulatory obligations and also elements that may be considered best practices, none of these elements are specific or exclusive to the credit union industry. Many of the elements are scalable and universally applicable.

This regime is intended to be interpreted as guidance. Where a credit union has elected not to implement an element or elements of this regime, these exclusions should align with their enterprise money laundering risk assessment (enterprise risk assessment) and be documented within their compliance regime along with the corresponding rationale. The credit union's board of directors should review and approve all exclusions.

The credit union should document each element of their detection regime within their compliance regime, and all executable elements should be included within the institution's operational policies and procedures.

The detection regime is comprised of three primary guidance elements:

• Guidance relative to the purpose and execution of the functional elements
• Guidance relative to the training necessary to execute the functional elements
• Guidance relative to the audit and oversight of the functional and training elements

Functional Elements

All money laundering detection regimes should be comprised of manual, procedural (systemic) and automated detection elements:

• Manual detection elements are those that are dependent on the identification of an indicator of potentially suspicious activity by an employee, and are dependent on that employee to escalate that identified behavior for review.
• Procedural detection elements are those where the indicators are identified through the execution of formal processes intended to detect potentially suspicious activities for escalation.
• Automated detection elements are those that are reliant on the use of software to analyze transactional and other system data to recognize high-risk transactional activity and patterns that may be indicative of suspicious activities.

Training Elements

Training specific to each detection element should be conducted at a frequency commensurate with the credit union's enterprise risk assessment, and at least annually for all eligible employees. The training materials should be documented and include information about:

• The regulatory purpose of the specific element
• The money laundering risk(s) or typology(ies) that the element seeks to detect
• How any settings or thresholds were derived (as applicable)
• How the effectiveness of the element is tested and measured

Audit Elements

Audit and effectiveness testing protocols specific to each detection element should be conducted at a frequency commensurate with the credit union's enterprise risk assessment, and at least annually for each element. Audit protocols should include a review of:

• The credit union's enterprise risk assessment to ensure each identified risk has been addressed, as possible, through the detection regime;
• The minutes of any meeting of the board of directors where any exclusion against this guidance was approved or reviewed;
• The credit union's compliance regime to ensure that each detection element has been sufficiently documented, including any quantitative and/or qualitative rationale used to establish any element and its escalation thresholds (if applicable);
• The effectiveness testing that has occurred against each element and its escalation thresholds (if applicable);
• The credit union's operational policies and procedures to ensure that the executable elements of each detection element have been sufficiently documented, including any methodology used to test effectiveness;
• A sample of detected transactions, where the sample size is commensurate with the credit union's enterprise risk assessment, to ensure that the adequate review of detections in a manner consistent with the credit union's operational policies and procedures has occurred;
• All training materials to ensure that they contain the prescribed content, and have been executed as required.
Manual Detection Regime Elements:

General:

Manual detection methods should be established to identify potentially suspicious transactions, attempted transactions and potentially suspicious behaviors, which may not otherwise be detectable through the use of a procedural or automated detection method.

Manual detection methods should be agnostic of assessed enterprise or business relationship risk. Indicators of potentially suspicious activity identified should be escalated for review irrespective of the assessed enterprise or business relationship risk. Non-transactional or behavior-based indicators must be escalated for review whether or not a specific potentially suspicious transaction has been identified.

Training:

A training regime relative to the identification and escalation of indicators of potentially suspicious activities must be established. The training material, inclusive of the relevant indicators, must be specific and appropriate to the job functions of the target audience and commensurate with the general and specific money laundering risks identified in the credit union's enterprise risk assessment. The training material should include sanitized case studies as appropriate, and must be updated regularly to include information on any new trends or typologies identified. All employees and representatives of the credit union must receive such training.

Audit:

The audit regime should include a review of a sample of submissions and the associated case work and adjudications, as well as all records associated with the training regime, and all records associated with any effectiveness testing activities. Records of effectiveness testing should include any responses or escalations based on exceptions identified. Testing should include, but not be limited to:

• A review of submission quality;
• A review of the quantity of submissions from each operating location and channel, to identify any location or channel that is failing to submit as expected and may be underreporting;
• A review of the indicators identified in submissions, to identify any common or expected indicators that may be underreported; and
• A review of submissions to ensure that reports based on attempted transactions or behavioral indicators are submitted at the rate expected.

Effectiveness testing records should additionally include a review of every STR filed as a result of indicators identified through a manual detection element, to determine if a procedural or automated detection element can be derived to identify other similar activities.
Alignment to the enterprise risk assessment should be demonstrably evident. For example, operating locations or channels identified as high risk in the assessment should have received more frequent or otherwise enhanced training. The effectiveness of their submissions should be tested more frequently or with greater rigour.

Detection Elements:

Manual detection elements should include:

• Unusual activity reports, submitted by employees in traditional member-facing channels
  o Member-facing channels should include any employee who has direct contact with a member.
  o Examples include, but are not limited to, branch and call center employees.
• Unusual activity reports, submitted by employees in nontraditional member service channels
  o Member service channels should include any employee who has direct access to a member's information or transactions, but that does not have direct contact with that member.
  o Examples include, but are not limited to, back office functions including cheque clearing, wire processing and credit underwriters.
• Unusual activity reports, submitted by any other employee, who through the course of their working activities, has identified unusual activity
  o This should include all employees not directly engaged with a member or their transactions.
  o Examples include, but are not limited to, members of the board, executives, marketing employees and technical service (IT) employees.
• Unusual activity reports, submitted by any employee who becomes aware of information that may lead to the identification of unusual activity;
  o Employees should understand their obligation to escalate any information they receive that may lead to the identification of unusual activity, even if they obtain that information through activities unrelated to their employment with the credit union.
• Unusual activity reports, submitted by an agent or other person or entity affiliated with the credit union
  o This should include any representative or third party, which has a contractual obligation to the credit union in the onboarding of, maintenance of, or to conduct transactions for, any member of the credit union.
  o Examples include, but are not limited to, any agent or mandatary acting on behalf of the credit union to identify a member or execute documents, or any entity with a formalized referral agreement with the credit union.
• Unusual activity reports, submitted by employees in response to the receipt of a request or notification from an external party that may be indicative of potentially suspicious activity
  o Examples include, but are not limited to, the receipt of production orders, requirements to provide information, contact from law enforcement, requests relative to civil lawsuits, or any informal or other inquiries.
• Manual context-based review (see "context-based detection"): where a business relationship has been identified as high risk, but the business type is not inherently high risk, a manual context-based review should be performed of that business relationship; and
• Manual review of business relationships that are related to any business relationship for which a suspicious transaction report has been filed, to detect any other transactions that are eligible for reporting, and to reassess the risk of each relationship.

  o "Related" to an individual must include the business relationships of any joint parties, direct familial relationships, known associates (known to the FI), any relationship where the individual is a signer, director, officer, or beneficial owner, and any other relationship where the individual is suspected to exercise control.
  o "Related" to an entity must include the relationships of all subsidiaries, affiliates, signers, directors, officers and beneficial owners. For each signer, director, officer and beneficial owner, the review must include a review of the relationships listed as "related" to an individual.

Procedural (Systemic) Detection Regime Elements:

General:

Procedural detection elements should be established to systemically respond to, and be commensurate with, risks identified in the credit union's enterprise risk assessment. Procedural detection methods should assist to mitigate risks not otherwise managed by an automated detection method, or may seek to complement same.

Indicators of potentially suspicious activity identified should be escalated for review irrespective of the assessed enterprise or business relationship risk. Nontransactional indicators must be escalated for review whether or not a specific potentially suspicious transaction has been identified.

Training:

A training regime relative to the identification and escalation of indicators of potentially suspicious activities must be established. The training material, inclusive of the relevant indicators, must be specific and appropriate to the detection element, including information on the nature of the risk to be mitigated, and the purpose and intent of the process in its management. Only employees engaged in the execution and oversight of the detection element must receive such training.
Audit:

The audit regime should include a review of a sample of potentially suspicious transactions identified through each detection element, as well as all records associated with the training regime, and all records associated with any effectiveness testing activities. Records of effectiveness testing should include any responses or escalations based on exceptions identified. Testing should include, but not be limited to:

• Data quality testing, to ensure that any executable process is providing the quality of results necessary for adequate review;
• A review of executable processes, to ensure consistency in their execution; and
• A review of all data sources to ensure they meet all requirements and contain the expected attributes.

Effectiveness testing records should additionally include a review of every STR filed as a result of indicators identified through a procedural detection element, to determine if an automated detection element can be derived to identify other similar activities.

Alignment to the enterprise risk assessment should be demonstrably evident. For example, the lack of local, reliable media sources must be reflected in the enterprise and business relationship risk assessments for all impacted regions.

Detection Elements:

Procedural (systemic) detection elements should include:

• The creation and review of exception-based reporting, commensurate with the risks identified in your enterprise and business relationship risk assessments. Examples of exception-based reporting may include, but are not limited to:
  o Review of business relationships that frequently conduct high-risk transactions (percentile analysis by transaction type, for cash deposits, wire transactions, etc.);
  o Review of transactions conducted in high-risk jurisdictions (online IP, bank card, etc.);
  o Wire activity to or from high-risk jurisdictions, where the values or volumes of the transactions may not otherwise be caught by an automated detection method;
  o Business relationship profile risk exceptions, absent transactional factors (review of unexpected addresses, high-risk occupations or natures of business, accounts with positive third-party determinations, etc.); and
  o Unusual use of non-transactional products or services (lease of multiple safe deposit boxes, frequent purchase of travel insurance, etc.)
• List scanning of all business relationships and transactional records, against prescribed lists of high-risk or prohibited entities;
  o Examples include, but are not limited to, lists of politically exposed persons, sanctioned persons and entities, and terrorist persons or groups.
• List scanning, to identify any new profiles, accounts, products, or joint accounts opened for any existing high-risk business relationship, such that the risk score of the business relationship can be updated and unified;
• List scanning, for no less than five years after the closure of all accounts, for the reestablishment of any business relationship that was high risk while operational;
• List scanning of all business relationships and transactional records, using a caution or black list of high-risk individuals or entities, derived from local, reliable media sources;
  o The number of local, reliable sources and depth of review must be commensurate with your enterprise risk assessment.
  o List scanning of all business relationships for five years after the closure of all profiles, accounts, products, and joint accounts within a business relationship. Should a closed account be identified through the list scanning process, the prior transactional activity must be evaluated for the need to report any suspicious transactions.

• Transaction records - Include all records where information relative to the source or beneficiary of a transaction is identifiable.
  o Examples may include, but are not limited to, incoming and outgoing electronic funds transfers (wires), ACH transactions, cheque deposits and withdrawals.
• Local - Jurisdictions or regions where the credit union's branches are located; or any geographic region where the credit union draws or intends to draw a meaningful percentage of its membership, in alignment with and commensurate to its enterprise risk assessment.
• Meaningful - An increase or decrease in the number of members in that region would or should impact the credit union's enterprise risk assessment.
• Reliable - Must be determined by what sources are available within the credit union's local geography, but sources should be of sufficient credibility such that the credit union would consider any information identified in its decisions related to the ongoing maintenance of any business relationship with the credit union. Examples may include, but are not limited to, police or government websites, reputable media outlets, other credible local sources, and commercially available lists.
  o Commercial list sources must be reviewed to ensure they meet the "local" requirement.

Unavailability of sufficient local, reliable media sources must be reflected in the credit union's enterprise risk assessment and in the business relationship risk assessments of members from that region.

Automated Detection Regime Elements:

General:

Automated detection methods should be established to automatically monitor all transactions conducted, and to analyze those transactions by business relationship to identify those that are potentially suspicious for further review.

All elements of the automated detection regime must be demonstrably aligned with and commensurate to the credit union's enterprise and business relationship risk assessments. This means that the credit union must use quantitative and/or well-reasoned and documented qualitative analysis in order to support any automated elements and transactional thresholds established.

Higher risk business relationships must trigger detection events at a more vigorous rate than lower risk business relationships that have similar transactional profiles. This may be accomplished by either having the business relationship risk score directly aggravate detection event generation, or by maintaining a separate automated detection regime with enhanced elements and detection thresholds for higher risk business relationships.

Training:

A training regime relative to the identification and escalation of indicators of potentially suspicious transactions must be established. The training material must include information about the money laundering typology that each automated detection element and related detection event generation thresholds are intended to detect. Only employees engaged in the execution and oversight of the detection element must receive such training.

Audit:

The audit regime should include a review of a sample of potentially suspicious transactions identified through each detection element, as well as all records associated with the training regime, and all records associated with any effectiveness testing activities. Records of effectiveness testing should include any responses or escalations based on exceptions identified. Testing should include, but not be limited to:

• Data quality testing, to ensure that any executable process is providing the quality of results necessary for adequate review;
• A review of executable processes, to ensure consistency in their execution;
• A review of all data sources to ensure they meet all requirements and contain the expected attributes;
• A review of each detection element and its associated thresholds, including any quantitative or qualitative analysis conducted to determine the threshold.

Alignment to the enterprise risk assessment should be demonstrably evident. For example, detection element thresholds must be set based on the results of a robust effectiveness testing regime, and must not be set based on the resources available for the review of any resultant detection events; resourcing must be based on the detection rate that is demonstrably appropriate for the credit union, commensurate with its enterprise risk assessment.
Automated detection regimes should include a robust set of detection elements, in two primary categories:
- Transaction-based detection
- Context-based (profile) detection

Transaction-Based Detection:
Transaction-based detection elements should seek to identify potentially suspicious transactions by analyzing the transactions that occur through a business relationship, by identifying individual high-risk transactions, or combinations of transactions, that may be indicative of money laundering activities; automated detection systems should apply dynamic or sliding-scale thresholds, or else maintain separate reduced thresholds, for the assessment of detection risk relative to combinations of activities. For example, a credit union may set a detection threshold for cash deposits to a personal account at $10,000, and have a similar threshold for international wire transfers for a personal account, based on the perceived risk. Where an individual deposits only $5,000 in cash and then issues an international wire for the same value, the perceived level of risk may be similar, but the automated detection system may fail to create an alert, as neither the cash deposit nor the international wire threshold was breached.

These detection elements should be deployed primarily to identify transactions that may be related to one or more of the stages of money laundering, including placement, layering, and/or integration. The credit union should have robust elements deployed to attempt to detect transactions related to each stage. Examples of transaction-based detection elements may include, but are not limited to:
- Cash deposits: value, volume and velocity
- Cash deposits: structuring to avoid prescribed reporting thresholds
- Cash withdrawals: value, volume and velocity
- Cash withdrawals: structuring to avoid perceived prescribed reporting thresholds (large cash withdrawals are reportable in the U.S.)
- International wire activity: value, volume, velocity and high-risk geography
- Domestic wire, or negotiable instrument activity: value, volume and velocity
- Wire activity: structuring to avoid prescribed reporting thresholds
- Cash deposit for the issuance of a wire or purchase of a negotiable instrument
- Cash withdrawal from the deposit of a negotiable instrument or the receipt of a wire
- Elements to detect fraudulent activity
- Elements to detect changes in transactional types, values, volumes and velocities against historical norms for the specific business relationship
- Analysis of bank card transaction location and retailer-type data to identify transactions conducted at high-risk retailers (i.e., money services businesses, casinos, hotels)

Context-Based (Profile) Detection:
Context-based detection elements should seek to identify suspicious transactions by analyzing the transactions that occur through a business relationship, by identifying activities that may not be consistent with what the credit union understands or expects of that business relationship.
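The cash-then-wire gap described under Transaction-Based Detection, together with the requirement that higher risk business relationships alert more readily, is sketched below as an added example that is not part of the original paper. The $10,000 single-type thresholds come from the paper's own example; the reduced combination threshold, three-day window, 10% value tolerance, risk factors, member IDs and transactions are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    member: str
    ts: datetime
    kind: str    # "cash_deposit" or "intl_wire_out"
    amount: int  # whole dollars


# Single-type thresholds taken from the paper's example.
SINGLE_THRESHOLD = {"cash_deposit": 10_000, "intl_wire_out": 10_000}
# Everything below is an assumption made for this illustration.
COMBO_LEG_THRESHOLD = 4_000          # reduced threshold applied to each leg
COMBO_WINDOW = timedelta(days=3)     # wire must follow the deposit this soon
VALUE_TOLERANCE = 0.10               # wire within 10% of the deposit value
RISK_FACTOR = {"low": 1.0, "medium": 0.75, "high": 0.5}


def effective_threshold(base, risk):
    """Risk score directly aggravates detection: higher risk, lower threshold."""
    return int(base * RISK_FACTOR[risk])


def single_type_alerts(txns, risk_by_member):
    """Alert when one transaction breaches its own (risk-adjusted) threshold."""
    alerts = []
    for t in txns:
        base = SINGLE_THRESHOLD.get(t.kind)
        if base is None:
            continue  # no single-type rule for this transaction kind
        limit = effective_threshold(base, risk_by_member[t.member])
        if t.amount >= limit:
            alerts.append((t.member, t.kind, t.amount, limit))
    return alerts


def combination_alerts(txns, risk_by_member):
    """Alert on a cash deposit followed by an international wire of similar
    value inside the window, using the reduced per-leg threshold."""
    by_member = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_member[t.member].append(t)
    alerts = []
    for member, items in by_member.items():
        limit = effective_threshold(COMBO_LEG_THRESHOLD, risk_by_member[member])
        cash = [t for t in items if t.kind == "cash_deposit" and t.amount >= limit]
        wires = [t for t in items if t.kind == "intl_wire_out" and t.amount >= limit]
        for c in cash:
            for w in wires:
                gap = w.ts - c.ts
                in_window = timedelta(0) <= gap <= COMBO_WINDOW
                similar = abs(w.amount - c.amount) <= VALUE_TOLERANCE * c.amount
                if in_window and similar:
                    alerts.append((member, c.amount, w.amount, gap.days))
    return alerts


# Constructed sample data (not from the paper's survey).
RISK = {"M1": "low", "M2": "low", "M3": "high", "M4": "low", "M5": "low"}
SAMPLE = [
    Txn("M5", datetime(2024, 3, 1, 9, 0), "cash_deposit", 5_000),
    Txn("M1", datetime(2024, 3, 3, 10, 0), "cash_deposit", 5_000),
    Txn("M1", datetime(2024, 3, 4, 14, 0), "intl_wire_out", 5_000),
    Txn("M2", datetime(2024, 3, 5, 11, 0), "cash_deposit", 12_000),
    Txn("M3", datetime(2024, 3, 6, 11, 0), "cash_deposit", 6_000),  # high risk
    Txn("M4", datetime(2024, 3, 6, 12, 0), "cash_deposit", 6_000),  # same value, low risk
    Txn("M5", datetime(2024, 3, 11, 9, 0), "intl_wire_out", 5_000),  # outside window
]

if __name__ == "__main__":
    for alert in single_type_alerts(SAMPLE, RISK):
        print("single-type:", alert)
    for alert in combination_alerts(SAMPLE, RISK):
        print("combination:", alert)
```

M1 is invisible to the single-type rules and is caught only by the combination rule, while M3 and M4 deposit the same amount and only the high risk relationship alerts.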
These detection elements should be deployed primarily to identify transactions that may be related to one or more of the methods of money laundering or other high-risk behaviors. Examples of these methods may include, but are not limited to, the use of nominees or smurfs, commingling, trade-based money laundering and the use of gatekeepers. The credit union should have robust elements deployed to attempt to detect each methodology where the credit union has identified a material exposure within their enterprise or business relationship risk assessments.

Gatekeeper: Refers to an individual acting in a professional capacity where they, by the nature of their professional function, have privileged access to and extensive knowledge of the financial system. Examples of gatekeepers include, but are not limited to, lawyers, real estate agents and brokers, accountants, mortgage brokers and investment advisors.

The credit union should seek to segment or categorize their business relationships, to facilitate the targeting of higher risk transaction types or business relationship profile elements as identified within their enterprise or business relationship risk assessments. Examples of higher risk transaction types may include, but are not limited to, cash deposits and international wires. Examples of higher risk business relationship profile elements may include, but are not limited to, gatekeeper-type occupations and high-risk operating locations. As an example of segmentation based on a higher risk transaction type, the deposit of cash to accounts for individuals may be considered a higher risk activity. The credit union may choose to segment their business relationships for individuals in two categories based on their occupations: those that may be expected to deposit cash from employment income, and those that are not. The credit union may then implement different detection elements for each segment, to enhance the detection of cash deposits in accounts where cash deposits are not expected.

High-Risk Industry Types:
The credit union must establish business relationship segments and implement detection elements for each high-risk industry type identified within the credit union's enterprise risk assessment. The detection elements must be specific to each business relationship segment. The credit union must establish expectations for any material transaction types that would reasonably be expected to be conducted through the business relationships within these segments, and implement detection elements to respond to any enhanced risks identified within each specific segment. For example, a business relationship maintained for a gas station would be expected to deposit large sums of cash on a regular basis.
Therefore, gas station business relationships may be considered a high-risk industry type. The credit union should seek to establish a general expectation for the deposit-mix expected for gas stations in a given area (i.e., the amount of cash deposited as a percentage of total deposits), and then should implement detection elements to identify any gas station business relationship that deviates materially from this deposit-mix expectation. If the credit union has an insufficient sample size or inadequate data available to establish transactional expectations for a specific high-risk industry type, the credit union must seek to obtain that data from another reliable source. Reliable sources may include, but are not limited to, Statistics Canada or another financial institution (sanitized statistical data). If sufficient reliable sources cannot be identified, this must be reflected in the credit union's enterprise and business relationship risk assessment for any applicable segment.

Examples of context-based detection elements may include, but are not limited to:
- Evaluation of actual deposit methods, sources, values, volumes, and velocity against those expected based on occupation and/or employment data
- Evaluation of actual deposit methods, sources, values, volumes, and velocity against those expected based on nature of business and/or business type
- Evaluation of actual deposit values and volumes against stated or declared income values
- Evaluation of transactional geography against the geographic profile of the business relationship (i.e., IP addresses, bank card usage)
- Analysis of bank card transaction location and retailer-type data to identify transactions that are not consistent with business relationship profile data (i.e., the frequent use of terminals related to hotels, where these terminals are located near the residential address of the member)

Appendix I Detailed Survey Results

Responses have been edited to preserve the anonymity of the respondents.
*N/R indicates that the respondent did not provide a response to the question.
*N/A indicates that the respondent deemed the question not applicable.

About your credit union's transaction monitoring methods:

How does your credit union detect potentially suspicious transactions?

Manual methods? Please list:
1 Face to face interactions/transactions resulting in Unusual Transaction Reports (UTR) submitted for investigation; Review of reports (i.e., Large cash transaction reports) resulting in UTRs submitted for investigation; CUO(C)PI requests from other FIs; Law Enforcement requests and Product orders; Searches of Negative news and money laundering news; High risk member transaction reviews; Fraud monitoring
2 From our front line staff
3 Front line staff (+100 staff) face to face interaction with members
4 Branch/front-line staff submit reports to AML Compliance department
Observation by branch staff (mainly) 2. Manual review by AML staff of accounts on which STRs have already been filed 3. Quarterly review of activity in accounts of high risk members 4. Manual review of accounts where production orders have been received 5. Sometimes through media search but no formal review process
Based on behaviours; employees are trained to understand indicators; also based on the enhanced due diligence high risk account review
7 Front line staff, compliance department staff, deposit services staff. KYC, experience. Ongoing review of outgoing and incoming EFTs (no details other than dollar amount are available in our AML/ATF software thus we manually review for suspicious activity... We have created many reports based on banking system transactions: We are able to review ATM deposits $10K+, cash deposits $10K+, incoming and outgoing wire and transfers, sale of negotiable instruments, transactions in US funds, preauthorized transfers $3K+ to assist in identifying suspicious activity. We also call regular wire reports from the CUPS website to look for suspicious EFTs Via LCTR reports. Generally our employees who process and submit these reports can spot when unusual activity is occurring.
8 front line UTRs - annual CBT for front-line; annual face-to-face training; CUOCPI
9 (credit union's) frontline staff is trained on identifying STR's and report on a web based system to our Corporate Risk Dept. who review and investigate each manual STR.
10 Training for Front line staff; Investigations by Risk management staff; these investigations can be instigated by either manual or electronic alerts; Regular review and maintain heightened awareness as it relates to high risk relationships
11 STR reports from staff
12 UTRs submitted from all employees; formal media review process (includes law enforcement websites, media, and CUOCPI/BCPIO); activity or profile KYM exception reporting; review of production orders and requests for information.
13 Front line staff are trained to detect suspicious and unusual activity; Core banking system reports are reviewed
14 Suspicious Transaction notifications are received through open source, automated solution alerts, and notifications from first line of defense.

Automated methods? Please list:
1 Automated Transaction Monitoring rules (solution provider) rules based monitoring to detect money laundering tuned regularly to reduce false positives/detect new methodologies; PEFP/Watch List detections (solution provider); High risk wire reviews based on sending/receiving high risk country lists for originator address/beneficiary address/bank address.
2 We use (solution provider) as a tracking tool and receive AML alerts from them
3 (solution provider) software alerts
4 (solution provider), (solution provider) - alerts
5 Automated transaction monitoring with (solution provider) software
6 We currently use (solution provider) to detect suspicious transactions.

7 (solution provider) helps financial institutions detect potential money laundering activity by monitoring transactions within a 28-day time frame for individuals, businesses, and groups, and comparing them against user-configurable behavior parameters. Alerts are created in instances where transactional activity does not fall within the behavior parameters. The AML analytics evaluates transactions for the last 28 days for each customer and group that had some noticeable activity in the last week or since the last analysis date. Noticeable activity includes one or more cash deposits over $500, one or more wires (incoming and outgoing) over $500, or any other type of transaction over $1000. The Evidence page informs you why the alert was generated. It shows the alert type, risk score of an alert, and evidence that caused (solution provider) to generate the alert. (solution provider) also detects the transactions that contributed to the alert. (solution provider) generates alerts for activity that surpasses configured values. These configurable values include risk thresholds, global behaviors, joints, and custom behaviors (custom behaviors are covered in the Investigating Cases section). Volume is tied to custom behaviors. Location is tied to global and custom behaviors as well as risky locations.
8 (solution provider)
9 (solution provider)
10 (solution provider) analysis all of our relationships and transactions
11 (solution provider)
12 (solution provider) events
13 (solution provider), (solution provider)
14 Using an automated monitoring solution which generates alerts that are suspicious for money laundering activity

Monitor business relationships (if different from above)?

Manual methods? Please list:
1 Face to face interactions/transactions resulting in Unusual Transaction Reports (UTR) submitted for investigation; Review of reports (i.e., Large cash transaction reports) resulting in UTRs submitted for investigation; CUO(C)PI requests from other FIs; Law Enforcement requests and Product orders; Searches of Negative news and money laundering news; High risk member transaction reviews; Fraud monitoring
2 N/R
3 Annual reviews of credit Audit processes Notifications/Media/networking Alerts
4 N/A
5 Same as above plus we are implementing processes for updating member data on annual basis for high risk and less frequent for medium and low
6 This is entered via the account opening software manually by the front line
7 Non customers performing a triggering transaction are manually tracked and monitored through the use of form completion and spreadsheet tracking.
8 none
9 N/R
10 N/R
12 manual high-risk account monitoring includes review of all accounts for all associated entities, both in and related to a high-risk business relationship
13 When a new product or service is requested an entire portfolio review is completed at that time
14 The non-member (customer) record was created in banking system to ensure accurate recording and tracking of any transactions conducted by a non-member at (credit union) which would require the identification of the conductor of the transaction. A spreadsheet was created by the Business Information Analysis Department in order to facilitate the tracking of any instances where a non-member has conducted two or more transactions within a calendar month.

Automated methods? Please list:
1 Aggregation of business relationships to identify common account based relationships into member based relationships.
2 We use (solution provider) as a tracking tool and receive AML alerts from them

3 (solution provider) monitoring
4 (solution provider), (solution provider) - alerts
5 N/R
6 We utilize (solution provider) which is a product of (solution provider) to monitor the business relationships
7 (solution provider)
8 review periods established in (solution provider) - low risk is trigger dependent, med and high are scheduled - KYM update, and assessment against business relationship expectations
9 (solution provider)
10 N/R
11 (solution provider) and (solution provider) (KYC software)
12 (solution provider) aggregates business relationship records based on SIN/tax ID and joint relationships from the banking system for alert analysis and prescribed reporting purposes
13 As stated above manual review is done when a new product or review is requested.
14 N/R

What steps, if any, does your credit union take to monitor all business relationships for 5 years after the closure of all profiles, accounts, products, and joint accounts?
1 We do nothing once all products are closed.
2 N/R
3 N/R
4 My understanding is that (solution provider) includes closed accounts in the risk analysis but we don't specifically monitor these since there is no activity on them.
5 N/R
6 We do not monitor business relationships after membership accounts are closed, however our AML software retains profile information regarding all membership accounts including closed memberships.
7 N/R
8 Our memberships are not able to be reopened and no member can have connections with another account if their membership is closed. So it is not possible for a member to have any kind of activity after their membership is closed. If they only close accounts but not the full membership, the closed accounts will still appear in the membership history. If a member closes their membership and then comes back to reopen it, we do not permit memberships to be reopened. However, when the SIN is put into our system, it will flag the member as already being in the system. If we see that it is closed, when we create the new membership for the individual (or entity) we will link the old profile in our CRM software (solution provider).
9 N/R
10 None as once the account is closed we no longer allow any transactions.
12 media scan results are reviewed against all current and former relationships; any hits require a review of closed account data for any reportable transactions; closed high-risk relationships are monitored for re-establishment such that risk score can be restored.
13 We have deemed this as a LOW Risk and monitoring of the business relationship will be done on an annual basis.
14 N/R

During this monitoring of closed accounts, do you treat business relationships that were high-risk when open any differently than those that were not?
1 N/R
2 N/R
3 N/R
4 N/A
5 N/R

6 N/A
7 We treat our closed business relationships as low risk. This is an area where we are waiting to hear what FINTRAC is expecting when they are out auditing and if they even get into the weeds on this one at all.
8 N/R
9 N/R
10 No
12 closed high-risk relationships are monitored for re-establishment such that risk score can be restored.
13 The HIGH Risk business accounts will be reduced to LOW Risk once the account has been closed.
14 N/R

What steps, if any, does your credit union take to identify all of the profiles, accounts, products, and joint accounts included in a business relationship for monitoring purposes?
1 Best effort basis to identify high risk relationships only across all profiles in the credit union.
2 N/R
3 N/R
4 We use (solution provider) (primarily) to automatically assign risk ratings. Their methodology does not combine multiple accounts/profiles to assign the rating. The (solution provider) analysis function that generates money laundering alerts does combine multiple accounts (based on SIN). Also, if we manually risk rate an individual account as high we will of course search for additional accounts the person has a connection to (personal and sole proprietors only) and rate those appropriately as well.
5 N/R
6 Our AML software identifies/links all joint profiles and accounts in each business or personal membership profile
7 is an area we need to work on. Currently do not have a way to connect multiple profiles for (solution provider) analysis.
8 Multiple memberships are connected in our CRM software. Additionally, any individual who is setup as a signer on an account has at a minimum a non-member profile setup, which is linked through our banking software (solution provider). This allows us to track all relations that individual has
N/R
Although not 100% perfect we are able to see the entire relationship and all investigations are done as one relationship. We do treat each legal relationship as one however investigate where there is any cross over
(solution provider) aggregates business relationship records based on SIN/tax ID and joint relationships from the banking system; manual high-risk account monitoring includes review of all accounts for all associated entities, both in and related to a high-risk business relationship; transactions for non-members are specifically limited to those that could not trigger business relationship requirements.
When the Customer triggers an event (product or service) the Portfolio is reviewed at that time and the Business Relationship is determined. Depending on what additional product or service is requested will determine if what risk category the Customer will fall into and if additional approval or monitoring is required.
14 N/R

Does your current risk scoring methodology measure and assign risk at the business relationship level, or rather at the profile/account level (where a business relationship may be comprised of multiple individual profiles or accounts)?
1 No - however, we use the highest risk rating from any one line of business to determine the risk rating for the business relationship.
2 N/R
3 N/R
4 N/R
5 N/R

6 Risk scoring in the AML software program is assigned at the individual or organization (business relationship) level.
7 N/R
8 The risk score is measured at the membership level. However, part of that review will look at the different accounts (and memberships) that entity is joint with.
9 N/R
10 see above
12 profile/account level - manually unified for high-risk relationships
13 This is done at both levels. The person is looked at and so is the Portfolio with the Credit Union.
14 N/R

Conduct enhanced monitoring of high-risk relationships (if different from above)?

Manual methods? Please list:
1 Manual review of all high risk relationships identified including updating know your member core information and conducting transactional reviews to validate activity.
2 N/R
3 List of high risk relationships with up to daily review of list and transactions conducted Above is based on risk
4 Relationships are flagged as HR in (solution provider)/(solution provider) software. Once they are identified AML compliance staff review activity, update info, etc. as required, set review dates
5 N/R
6 We have one MSB that we monitor manually in addition to our software
7 Consideration for rating a (credit union) member as high risk may result from reviewing information received from many sources including branches, departments, media and/or the (solution provider) customer risk assessment automated analysis. Members that have been rated as high risk are monitored on an annual basis. All high risk members will be monitored at least annually by the AMLO who will review information available through (solution provider), the banking system and any other systems or data sources available. All results will be documented. The review will include but is not limited to: Current occupation for personal accounts or nature of business for entities. Current beneficial ownership for entities including corporate registry profile report. Source of funds deposited. A review of transactions to ensure consistency with state(d) type of business. A comparison of transaction amounts and numbers from previous year. A comparison of other businesses in the same field if monitoring shows higher than expected volume of transactions or dollar amount of specific transactions. Valid identification if the member has not been previously identified. Most instances of this would be members who opened their account prior to the 2002 regulatory requirements and the PCMLTFA. Any other investigation as is deemed necessary.
8 none
9 We use the (solution provider) product offered through (solution provider). On monthly basis my staff does a manual review of the high risk accounts and complete a report on activity and any recommendations they have regarding the accounts or memberships. They forward this report to my attention for consideration and comment. I will request further investigation or details if required or approve the recommended action.
10 N/R
11 High risk lists are provided to branches quarterly to ensure information on Owners is up to date and to review account history and report back to Compliance Officer.
12 manual quarterly review of all high-risk business relationships
N/R
Account review is completed where the support officer completes a review of the account this is dependent on the risk it could be by transaction or by month.

Automated methods? Please list:
1 Automated risk rating of members based on customer, transaction and geographic traits.
2 We use (solution provider) as a tracking tool and receive AML alerts from them

3 (solution provider) - date sensitive reviews
4 Identified through (solution provider) and (solution provider) software
5 N/R
6 We utilize (solution provider) which is a product of (solution provider) to complete the enhanced due diligence (EDD)
7 (solution provider) customer risk assessment automated analysis is used to identify high risk members. The (solution provider) Customer Risk Review case system allows tracking and monitoring of all high risk members; those identified by the system along with those identified through other methods. Monitoring is aided by (solution provider) data the specific customer statistical data, behaviour data, account holder information and the ability to attach files and notes.
8 confirmation of source of funds - declaration from member during scheduled
9 (solution provider)
10 N/R
12 risk score aggravates event generation in (solution provider)
13 This is done manually not automated regardless if the Entity has automation.
14 There are four key activities that comprise (credit union's) relationship and transaction monitoring activities, the frequency and extent of which are risk sensitive: Automated Transaction Monitoring and Risk Update; Manual Transaction Monitoring and Risk Update; High Risk Relationship Reviews and Risk Update; Client Identification Update for Low Risk Relationships

About the transaction monitoring rules that your credit union uses:

Do you create your own rules, or use those from a service provider? Or both?
1 A bit of both. The core transaction monitoring rules provided by (solution provider) were adapted to meet the credit union's products and services. These are reviewed regularly to reduce false positives and new rules created to address current money laundering typologies.
2 We use (solution provider), but we have tweaked some of the parameters based on our transactional volumes and client types and geographic locations.
3 Based on (credit union) risk tolerances, peer group discussion/review, direction from CUCM/CUCC/FINTRAC/Previous FINTRAC/Arms length audits
4 We may tweak the rules in the transaction monitoring software but I don't think I can say we create our own.
5 We use those of the service provider and the (solution provider) software
6 We utilize the basics provided by the service provider however have them tweaked to work with our processes.
7 Transaction monitoring is most often completed by the (solution provider) automated system as per system default analysis. We have continuously review(ed) our setting(s) in (solution provider) to ensure we are getting quality alerts. We have manual transaction review processes that are either set up with reports from the banking system data or generated manually using the (solution provider) transaction search process.
8 tweaked those provided - in process of creating some of own
9 (solution provider)/ We do manual reviews for all potential STR's and High Risk
10 (solution provider) is not really a rules based provider. It does provide base criteria that we can customize.
11 Use those from service provider
12 Both
13 If the CU has automation they use the service provider rules.
14 Both service provider uses algorithms for transaction monitoring, (credit union) AML analysts have transaction monitoring which incorporates rules.

How many rules has your credit union implemented?
1 About 16 transaction monitoring rules plus customer profiling based on value/volume thresholds of all transactions conducted in the banking system.

2 Not sure exactly, primarily the AML cash limits, EFT limits, customer risk, new account risk threshold, remote banking thresholds, remote banking threshold & $ limits.
3 Focus has been on defining risk, identifying risk, and then creating a process to escalate oversight/creation of action plan De marketing strategy would be based on above Started as very much a case by case review but after some practice/experience is becoming much more rules based
4 Whatever the software contains
5 All rules contained within the (solution provider) software have been implemented. There are three primary categories of rules, with a large number of sub-rules. The primary categories are Cash In / Transfer Out, Transfer In / Transfer Out and Transfer In / Cash Out.
6 We have a total of 12 rules, with 4 rules that have different parameters for personal and business accounts.
7 Not sure what is meant by rules?
8 7 rules running; testing continues
9 N/R
10 N/A
11 Default (solution provider) recommended rules
12 currently 15 in use or under active development
13 N/R
14 An exact number is not available.

What specific types of activity are these rules intended to detect? Please list all (e.g. cash deposit structuring):
1 Cash structuring; Cash volume configured differently for personal/business relationships; Layering deposit in/withdrawal out; Wire transactions in/out; Etransfer activity on business/personal relationships; Prepaid card purchase activity; Draft purchase activity
2 cash intensive accounts, dormant/inactive account activity, non-face to face activity.
3 Red flags based on FINTRAC legislation
4 As per (solution provider) structure, volume, location for various categories (cash deposits/withdrawals, wires in/out, cheque deposits/withdrawals)
5 Transaction structuring; Transaction volume (cash, cheques); Layering; Excessive location use (several different branches)
6 Bounded Structuring of Deposits / Funds Circulation / Large Value Aggregate Wire Transfers Funds Circulation / Large Round Dollar Amounts / Large Value & Volume Transaction Accounts / Historical Activity Profiling
7 (solution provider) analysis considers cash deposits and withdrawals, cheque deposits and withdrawals, ATM deposits, incoming and outgoing ACH (automated clearing house) transfers, incoming and outgoing wires, instrument purchases and unknown deposits. They analyze these transactions in relation to volume, location and structuring.
8 cash deposit structuring, transaction flow through, large value transactions
9 cash deposit structuring; Cross Border $10k Transaction; Missing/Coded Counter Parties on EFT's; Any cash transaction that is over the reporting threshold of $10k; Multiple cash transactions over a running 24 hour period; Bounded Structuring of Deposits or Withdrawals; General Fund Circulation and Kiting; Large Value e-transfers or Bill Payments; Repetitive Deposits or Withdrawals; Dormant to Active Account Status, including Dormant to Active Accounts transacting e-transfers or Bill Payments; High Risk Jurisdiction Transactions; Transactions Between Unrelated Customers; Excessive Credit Card Repayment Activity; Early Loan Repayment; Frequent Loan Repayment; Unusual Loan Payments; Historical Activity Profiling
10 Cash deposit structuring, layering using varied products including wires, money transfers, utility payments, etc. Placement.
11 Large value transactions; Funds circulation; Bounded structuring of deposits; Historical activity profiling
12 cash deposits (value, volume, velocity, structuring); wire transactions (value, volume, velocity, structuring, jurisdictions); funds circulation; percentage of cash deposited vs. total deposits; historical activity profiling to identify significant deviations
13 Layering of cash; Kiting; ATM deposits at multiple locations; Fraud

14 structuring, movement of funds through shell accounts, use of SDBs detection, funds moving into and out of trust/estate accounts, de-marketing proposals.

How often do you review or update your rule types, or the list of activities that you are trying to detect? Is this requirement to review documented in your P&Ps?

1 Updated as part of analyst performance plans to consistently reduce false positives while detecting money laundering activity. Documented in performance plans and operational policies in the Corporate Security department.
2 As the need arises and no it is not documented in our P&Ps
3 Daily as learning/requirements/risk tolerances/legislation requires/changes
4 We don't other than on triggering event see below no
5 Annually and yes it is in our Policies and procedures
6 We review the rule types a minimum every two years (occasionally sooner). This is in our POC/ML&TFA Policy
7 We review Bi-Annually or when (credit union) introduces a new product or service. Yes we have a methodology document that outlines the requirements.
8 at least annually (new process)
9 No
10 We work with (solution provider) regularly and ensure that we emphasize higher risk transaction codes as they come into play.
12 continually. Yes
13 As often as needed, when legislation changes, when an audit deems necessary, when activity is found to be trending, when effective testing. Yes this is required in P & P.
14 Every 2 years minimum. Yes it is.

What could/would trigger you to do so?

1 Too many detections for non-suspicious activity false positives Transactional activity not detected by rules but determined egregious enough to create new rules or amend existing rules Known money laundering transactional based money laundering typology 10
2 Any anomaly or change in alerts generated.
3 Daily as learning/requirements/risk tolerances/legislation requires/changes
4 E.g. new product/services/transactions may prompt us to request service provider to add or change rules
5 Prompted by (3rd party service provider) who is our outsourced service provider for some aspects of the AML regime
6 Bi annual review / review of AML software program
7 New FINTRAC requirements, new products and services or change to (credit union) Risk tolerance
8 manual detection of something that should be an automated detection
9 An example would be when FINTRAC issues their Typologies and trends reports New product/transaction types such as money transfers. Based on new information from the general media or our internal alert process.
12 new typology or risk identified; rule effectiveness; new regulatory requirements; audit results
13 Audit & Legislation
14 If a gap is identified, or a new product is being implemented, rules in transaction monitoring would be reviewed.

Are the rules intended to trigger based upon the breach of a single transaction-type threshold (e.g. cash deposit volume)? Or do they look for combinations of different types of activity (e.g. a cash deposit followed by a wire)? Or Both?

1 Both, some rules are transaction specific, while others are based on multiple transaction types.
2 The rules look at a wide range of activity to generate the alerts.
3 There can be one catastrophic risk that comes up, however, we want to take a holistic view of risk so both
4 Both

5 Both
6 We have rules that identify both cash deposits just under the reporting threshold and deposits followed by outgoing transactions such as wire transfers, cheques etc. in a short period of time (circulation of funds).
7 (solution provider) analyzes generates alerts based on both triggers.
8 are all single trigger type
9 Both
10 Both
11 both
12 both, depending on the rule and the size of the transaction(s)
13 Rules are triggered by a single transaction.
14 Combinations

Do you tune any of your rules based on the expected behaviours of a specific segment of your membership (e.g. a doctor wouldn't be expected to deposit cash, so you have a special rule for doctors with a lower cash deposit threshold to trigger an alert)?

1 No, we don't have these kind of specific member attributes available to embed both customer and transaction rules. All rules are based on transactions conducted. However, automated risk rating does consider member attributes to detect risk based on an aggregate of attributes.
2 We do not tune our rules based on membership segment.
3 We take a holistic approach to assessing risk
4 No, although we may look at doing so in future
5 No
6 No
7 No, rules are not configured based on specific segments; however we make use of (solution provider)'s custom configuration process to set transactional activity expectations specific to individual members (mostly all businesses).
8 no - working to segment between personal and business accounts
9 We have Peer Group Activity Profiling through (solution provider) which identifies customers whose activity falls significantly outside their peer group's historical transactional standard deviation and average.
10 Not really at this time although we are again looking at some functionality that (solution provider) uses no 14 N/R different thresholds for business vs. personal; specific members can be exempted from specific rules if activity is consistent with expectations

If so, in what way do you use these?
1 As noted above
2 N/R
3 Risk rating has about 8 factors that go into final rating
4 N/A
5 N/R
6 N/A
7 N/A
8 none yet
9 N/R
10 N/R
12 analyze transaction volumes, values, and velocities to establish different thresholds for personal or business accounts
13 N/R

14 We use target segments by NAICs or SOCs. Grouping them by industry and/or occupation to identify any transactional activity within the group that stands out in comparison to the rest.

How have you segmented your membership to facilitate this analysis?

1 Business accounts are segmented by NAICS coding and risk rating attributes are assigned differently based on NAICS. PEFP are segmented Self Employed and Third Parties are segmented by risk
2 N/R
3 We create a numeric rating for each risk factor then create an overall risk rating
4 No
5 N/R
6 N/A
7 N/A
8 none yet
9 N/R
10 We are just looking at standardising an industry/sector list
12 personal accounts vs. business accounts; PEFPs and MSBs also receive special treatment, though through manual review.
13 N/R
14 yes

How many alerts does your credit union generate monthly, on average?

1 About 300 automated transaction monitoring and customer profiling alerts About 30 manual UTRs submitted for investigation
2 On average we received approximately 50 AML alerts weekly, in addition we receive roughly 25 remote banking and new account alerts daily.
3 AML would be approx. 40 monthly (Jan 2016) probably similar in other months Approximately 80 alerts monthly on average
7 Explanation about problems with alerts and banking system transaction/cash identification issues. Alert threshold is much higher than (solution provider) recommended etc potential STR alerts STR alerts
10 Manual 10, (solution provider) Approx. 40 STR alerts generated monthly. (medium and high scores only)
12 Approx. 80 system generated events, though this is increasing as we add more rules; approx cases from other sources
13 Cannot answer this Both application have been having numerous upgrades in the past 6 months so data is not consistent money laundering alerts per month; 80 suspicious transaction notifications per month; 350 watch list alerts; 729 electronic funds transfers (potential); 2460 large cash transactions (potential)

Approximately how many member transactions does your credit union process monthly, on average?

1 No specifics but from IT intervention and anecdotal conversations, approximately 1.5 million per week (or possibly higher).
2 Approximately 800, N/R 4 Jan M

5 Approximately 1,400,000
6 This is unknown
7 2,900,000
8 don't know
9 1,000, N/R
12 don't know
13 (varies dramatically)
14 N/R

What is the false positive rate for alerts being generated by your transaction monitoring solution (approximate %)?

1 Difficult to assess because we don't look at this in detail by transaction monitoring rule however simply based on total number of alerts versus number of escalated alerts for January % closed as not suspicious following investigation.
2 Less than 2%
3 15% % - mostly result of inaccurate input of transactions on core system
5 Approximately 99%
6 99%
7 N/R
8 100% - have not yet filed an STR based on an alert
9 97%
10 75%
11 99%
12 >95%
13 60%
14 For LCTRs = 51% false positive

How many alerts are escalated for a more detailed review (approximate %)?

1 5%
2 We review each alert and if the staff are unsure, they bring it to my attention.
3 All alerts are viewed manually %
5 Approximately 1%
6 1%
7 40%
8 all are manually reviewed
9 8%
10 85% primarily based on the fact that not all of our historical member information has been input into the banking system. As we get our records updated we expect to see this number come down. Many of these alerts are solved as non STR's once we have the updated demographic information %
12 approx. 25%
13 30%
14 STNs = 80%

How many alerts result in an STR (approximate %)?

1 About 2-3%

2 About 5%, typically behaviour reviews are generated more than STR's, however we also have STR's generated at the branch level that are escalated to us to review and report.
3 5% %
5 Less than 1%
6 1%
7 15%. Most STRs are a result of front line or compliance department staff identification of suspicious activity.
8 0%
9 1%
10 25%
11 1%
12 <5%
13 10%
14 From the ones worked on 52%

About setting transaction monitoring rules for your credit union:

Do you set your own transaction thresholds, or use the defaults set by your solution provider? Or does your solution provider establish customized thresholds?

1 Installed... with custom thresholds and amended over time.
2 Both
3 (credit union) has established
4 We establish our own global thresholds (and also customize individual members based on expected activity to eliminate unnecessary alerts).
5 We set our own
6 We utilize the basics provided by the service provider however have them tweaked to work with our processes
7 Combination (solution provider) has defaults which we are able to customize. Individual member activity is also able to be customized. As an FYI - We have done a combination of both based on recommendations provided through third party recommendations as a result of effectiveness testing reviews customized the thresholds
9 (solution provider) established customized thresholds We use customization related to both transaction types and relationship. That said the constraints of our provider are limited to business or personal at the highest level.
11 Use the defaults set by (solution provider)
12 customized thresholds provided by us and (solution provider)
13 Defaults are used in most cases. The only time it is customized is if a business account has been solidly established.
14 We use the algorithm set by the provider however customize the thresholds to meet (credit union) needs.

In setting transaction thresholds, do you use primarily qualitative or quantitative rationale to determine what those should be?

1 Qualitative
2 This is all done primarily through (solution provider) and it uses a number of factors when it is setting the thresholds. We can go in and adjust those thresholds either globally or by client.
3 Both
4 Not sure what the original rationale was, but has been tweaked over time to reduce alerts and also with acquisition of new partners.
5 Quantitative
6 We use both for setting transaction thresholds
7 We utilize a combination of both qualitative and quantitative.
8 both
9 N/R

10 Quantitative
12 both
13 both
14 N/R

Please describe any qualitative aspects of your approach:

1 Industry specific known typologies Guidance from regulators, FATF or other professional groups Patterns identified from fraud or manual UTR investigations
2 N/R
3 N/R
4 N/R
5 N/R
6 We identify outgoing/incoming wire transfers with similar value transactions preceding/following within a short period of time.
7 We look for trends and anomalies in transactions such as volumes, cash and changes to types of account activity. Have an internal process that includes research, analysis and discussion to make a judgement decision on setting custom configurations.
8 none
9 N/R
10 N/R
12 based on risk tolerance, or the types of activity that we want to see (eg. Low tolerance for cash deposited to personal accounts)
13 We look for consistency
14 The initially established thresholds may be modified periodically as the Corporate Compliance Officer monitors the output from the Member Risk Scoring page, and makes determinations as to their suitability based on continued experience with (credit union's) customer base.

Please describe any quantitative aspects of your approach:

1 Similarly looking for specific trends ie, all cash transactions conducted between $9700 and $9999 in the previous month.
2 N/R
3 N/R
4 N/R
5 6 Analysis of average transaction amounts extracted from other credit union banking systems to determine appropriate threshold levels. We identify cash deposits between $8700 and $9999 to monitor deposits that may be avoiding large cash transaction reporting.
7 We do an industry comparison to benchmark what would be normal transactions based on industry averages.
8 how many were being generating - some didn't generate any
9 N/R
10 investigation
12 percentile analysis of high-risk transaction types to establish outlier values for transactional values, volumes, and velocities
13 N/R
14 Monitoring solution sets the thresholds chosen for High, Medium and Low risk This setting is hard-coded within Automated monitoring solution using algorithms.
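
The quantitative rules respondents describe above (a cash deposit band just under the reporting threshold, cash aggregated over a running 24 hour period, and percentile-derived outlier values) can be expressed as follows. This is an added example, not code from the paper or from any solution provider; the transaction records, member IDs, the minimum hit count and the 90th-percentile choice are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal
from typing import NamedTuple


class Txn(NamedTuple):
    member: str
    when: datetime
    kind: str          # "cash_dep" or "wire_out" in this sample
    amount: Decimal


REPORT_THRESHOLD = Decimal("10000")          # $10k cash reporting threshold (respondent 9)
BAND = (Decimal("8700"), Decimal("9999"))    # deposit band quoted by respondent 6
MIN_BAND_HITS = 2                            # assumption: repeats required before alerting
WINDOW = timedelta(hours=24)                 # "running 24 hour period" (respondent 9)


def bounded_structuring(txns):
    """Count cash deposits inside BAND per member; alert on repeated behaviour."""
    hits = defaultdict(int)
    for t in txns:
        if t.kind == "cash_dep" and BAND[0] <= t.amount <= BAND[1]:
            hits[t.member] += 1
    return {m: n for m, n in hits.items() if n >= MIN_BAND_HITS}


def rolling_24h_cash(txns):
    """Alert when two or more cash deposits inside any 24-hour window sum to the
    reporting threshold. Returns member -> first aggregate that tripped the rule."""
    by_member = defaultdict(list)
    for t in txns:
        if t.kind == "cash_dep":
            by_member[t.member].append(t)
    alerts = {}
    for member, deposits in by_member.items():
        deposits.sort(key=lambda t: t.when)
        start, total = 0, Decimal(0)
        for end, t in enumerate(deposits):
            total += t.amount
            # Slide the window start forward until it spans at most 24 hours.
            while t.when - deposits[start].when > WINDOW:
                total -= deposits[start].amount
                start += 1
            if end > start and total >= REPORT_THRESHOLD:
                alerts[member] = total
                break
    return alerts


def percentile_cutoff(amounts, pct):
    """Nearest-rank percentile, computed with integer arithmetic."""
    ordered = sorted(amounts)
    rank = max(1, (pct * len(ordered) + 99) // 100)
    return ordered[rank - 1]


def run_rules(txns, wire_pct=90):
    """Run all three rules; the wire cutoff is derived from the data itself."""
    wires = [t for t in txns if t.kind == "wire_out"]
    cutoff = percentile_cutoff([t.amount for t in wires], wire_pct) if wires else None
    return {
        "bounded_structuring": bounded_structuring(txns),
        "rolling_24h_cash": rolling_24h_cash(txns),
        "wire_cutoff": cutoff,
        "wire_outliers": [t for t in wires if t.amount > cutoff],
    }


def _t(member, stamp, kind, amount):
    return Txn(member, datetime.fromisoformat(stamp), kind, Decimal(amount))


# Constructed sample data (not from the survey).
SAMPLE = [
    _t("M-101", "2016-01-04T10:15", "cash_dep", "9500"),   # weekly deposits in the band
    _t("M-101", "2016-01-11T10:20", "cash_dep", "9800"),
    _t("M-101", "2016-01-18T10:05", "cash_dep", "9200"),
    _t("M-202", "2016-01-05T09:00", "cash_dep", "4900"),   # three deposits in 23.5 hours
    _t("M-202", "2016-01-05T15:00", "cash_dep", "3000"),
    _t("M-202", "2016-01-06T08:30", "cash_dep", "2500"),
    _t("M-303", "2016-01-07T11:00", "cash_dep", "9000"),   # single band hit: no alert
    _t("M-303", "2016-01-14T11:00", "cash_dep", "600"),
    _t("M-404", "2016-01-05T10:00", "cash_dep", "6000"),   # 25 hours apart: no alert
    _t("M-404", "2016-01-06T11:00", "cash_dep", "5000"),
]
SAMPLE += [
    _t(f"M-5{i:02d}", f"2016-01-{i + 1:02d}T12:00", "wire_out", amt)
    for i, amt in enumerate(
        ["500", "750", "900", "1200", "1500", "1800", "2000", "2500", "3000", "48000"])
]

if __name__ == "__main__":
    for rule, result in run_rules(SAMPLE).items():
        print(rule, result)
```

Members M-303 and M-404 are the near misses: lowering `MIN_BAND_HITS` or widening `WINDOW` turns them into alerts, which is the false-positive trade-off the survey responses on tuning describe.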

Do you consider any other factors or use any other methodologies in determining your thresholds?

1 Direction from CAMLO on detecting specific activity rare.
2 N/R
3 No
4 N/R Transaction levels and activity at other credit unions, testing of automatically generated transaction alerts to determine if thresholds should be adjusted. Personal and Business memberships have different thresholds for some rules, as transaction volumes and values differ for these two categories.
7 N/R
8 no
9 N/R Consistent thresholds are difficult for us in that we have multiple branches in high tourist communities where cash can vary greatly. We take this into consideration using similar business types as a bench mark.
12 develop rules based on local risks identified in enterprise risk assessment
13 N/R
14 The Corporate Compliance Officer configures the Automated monitoring solution Member Risk Scoring-Configuration Home Screen by setting parameters at the institution level and tuning risk level settings for high, medium and low risk clients identified through the Risk Scoring Model (RSM). The RSM is updated by the Corporate Compliance Officer every 2 years in accordance with regulatory requirements. Automated monitoring solution scoring will be re-tuned when the RSM is reviewed and if any changes occur.

How often do you review or update these thresholds? Is this requirement to review documented in your P&Ps?

1 Part of performance plans for analysts and documented in operational policy.
2 On an as need(ed) basis but usually annually.
3 2 x annually at minimum
4 Reviewed/updated only on triggering event.
5 Annually and yes it's in our Policies and procedures
6 We review the rule types every two years, and this is in our POC/ML&TFA Policy
7 We review annually. Yes it is documented in our P&Ps.
8 annually - new process
9 Yes
10 Documented to be at minimum every two years- realistically at least annually more often lately.
11 Part of the annual risk assessment review this is documented in our P & Ps
12 continually if necessary, minimum annually
13 Six months and yes this is in Procedures
14 Yes

What would/could trigger you to do so?

1 Significant false positives on a particular rule or profiling threshold Activity identified but not captured by current rules (ie, Ponzi type activity)
2 Usually something that we discover that shouldn't have flagged or should have flagged, then we review the parameters to determine the cause.
3 Report/data driven Legislative changes Constant updating based on experience
4 Increase/decrease in alerts, banking system conversion, new products/codes, acquisition of new partner

5 Prompted by (3rd party service provider) who is our outsourced service provider for some aspects of the AML regime
6 N/R
7 If a suspicious transaction report would trigger us to review.
8 if something detected manually that should be done through automated; new trends, networking, new products
9 Annual review
10 Enhanced requirements, changes to affiliated procedures, news articles, higher/lower % of false positives
12 new risks or typologies identified; suspicious activity identified through manual channel not flagged by (solution provider); false positive volume
13 The account is also considered High Risk due to cash volume (potential to structure) so every quarter it is reviewed.
14 The initially established thresholds may be modified periodically as the Corporate Compliance Officer assigns an analyst to monitor the output from the member risk scoring page, and makes determinations as to their suitability based on continued experience with member's transaction activity and the Corporate Compliance Officer's alert resolution experience.

Do you test the rules for effectiveness? Is this process documented in your P&Ps?

1 Yes in operational policy The only thing we currently test is that the information and transactions in our banking system equal the output in (solution provider).
3 tested through audits
4 No
5 No
6 No
7 No, we do not test
8 nothing formalized; informal if we are not seeing something we think we should. In process of implementing.
9 yes No, as noted only if we noticed a significant change in false positives. We have not found an effective way of testing STR alert creation.
12 yes, not yet. Currently building testing regime.
13 yes
14 N/R

If so, how do you test them?

1 Ongoing review is captured in performance plans.
2 N/R
3 N/R
4 N/R
5 N/R
6 N/A
7 N/R
8 will be sample based, run the rules manually and test against (solution provider) detections
9 we do a random monthly audit
10 N/R
12 building copies of the rules outside of the (solution provider's) system, to test generation; data quality tests to ensure all banking system data is seen by (solution provider).
13 Compare to the Core banking system, and running banking system reports to ensure data is correct

14 yes

How often do you test them?

1 No current method to test but the results are analyzed by rule over time to assess whether there are any technological issues preventing rules from running properly.
2 N/R
3 N/R
4 N/R
5 N/R
6 N/A
7 N/R
8 N/R
9 N/R
10 N/R
12 currently building testing regime
13 Quarterly
14 Annually testing through Internal Audit, and change (if required) min every 2 years.

About your credit union's specific ML/TF risk profile:

What approximate percentage of your total cases deal with what, in your opinion, would be material cases of ML/TF?

1 About 80% of all cases are identified as suspicious for ML/TF
2 Not sure how to answer this one.
3 De market approx. 25 members in %
5 Less than 1%
6 20%
7 10%
8 <10%
9 perhaps 1% or less
10 We are answering this based on a post investigation determination of high risk. The % would be %
13 5%
14 N/R

How would you define material?

1 Identification of a predicate offense to ML/TF
2 N/R
3 Behaviour is outside risk tolerances of (credit union)
4 Would increase our risk (financial/regulatory/reputational) if activity continued e.g. illegal business, known criminal, etc.
5 Impact on society, Dollar value
6 Suspicious enough to monitor and report STRs more than once annually.
7 No material cases of TF. Material ML would be where there is unexplainable activity occurring by a member that does not fit within our KYC.
8 reported an STR
9 actual cases as defined by Law

10 Based on the overall investigation, which includes looking for any criminal charges/convictions as well as a reasonableness test. This is an educated assumption based on all the facts at hand. This includes the advantage of being in smaller communities where the Members and their actions are often well known. In these instances we look to withdraw services from the relationship holder
12 evidence of predicate offence with contemporary or former evidence of ML in account vs. simple 'reasonable grounds to suspect'
13 Significant occurrence of proceeds of crime being committed
14 Reasonable grounds to suspect money laundering or terrorist financing activity is present.

What approximate percentage of these material cases are detected by your automated transaction monitoring systems?

1 50%
2 Our system detects far more AML cases than our staff do, as to percentage, I am not sure.
3 25%
4 Minimal
5 30%
6 90%
7 2%
8 0%
9 25%
10 50%
12 <5%
13 0%
14 Data not available for this.

By your other detection methods, excluding information provided by a third-party (e.g. production orders)?

1 50%
2 N/R
3 Best detection tool which is your own staff
4 Majority
5 N/R
6 10%
7 N/R %
9 staff awareness and reporting
10 50% %
13 none
14 52% approximately.

What is your credit union's most effective detection method?

1 Cash placement into deposit accounts automated and manual
2 Staff & (solution provider)
3 Best detection tool which is your own staff
4 Manual reports submitted by branch staff
5 Manual review of accounts and observation by branch staff

6 Front line staff
7 Staff knowledge/experience, KYC of our membership.
8 front-line staff
9 Staff reporting of STR's
10 Knowing the Member and their entire relationship
12 formal media scan process, which includes review of media, police websites, and CUOCPI/BCPIO
13 staff
14 First line of defense notification

Has your credit union identified any other particularly useful/effective detection methods that you can share?

1 E-transfer aggregation in/out personal and business accounts High value wire transfers in/out of personal accounts
2 The only other tools that we use are court listings, newspaper articles and news alerts.
3 Networking
4 Names in high profile news articles searched on our banking systems Networking and sharing via industry peers
5 Nothing at this time
6 Sometimes a fraud investigation or a request from another FI brings about a suspicious activity
7 No
8 excellent relationship with local police
9 NO Just (solution provider), Staff and our monthly review of High Risk.
10 Educating staff to ask questions that build the relationship with the member from a holistic perspective not just a sales opportunity. We find this has the added benefit of a better relationship with greater sales with those members we wish to continue to grow with.
12 formal media scan process, as above
13 It all comes down to Staff training and my hands on approach
14 Corporate AML Trainer trains branches/departments face to face on how to detect suspicious activity using behavioural and transactional indicators from FINTRACs guidelines. This has had a direct correlation to increase in quality suspicious transaction notifications.

Does your member profile risk score impact/inform the generation of your alerts?

1 Yes
2 Yes
3 Yes
4 5 No Don't know (solution provider) does not share all the details of their analytics with us. I believe that alerts are generated strictly on transaction activity. Same applies to (solution provider) don't know how their analytics work.
6 Yes
7 No - Based on information shared from (solution provider).
8 yes
9 yes
10 No not at this point in time.
12 yes
13 no
14 yes

Are there any ML/TF risks that you believe are unique or special to your credit union? Are there any ML/TF risks where you think your organization's level of exposure to that risk is unique or special to your organization?

1 Not really, we are a regional credit union but (urban area) is a high intensity drug/crime region which influences the volume of activity we observe in account relationships. Dispensaries social advocacy in credit union has outweighed the legal risks to banking these business types.
2 I am not sure if it is unique or special to our organization, but we do live in a coastal city, close border proximity and international airport. There is also a high level of drug crime in the city and a very large (ethnic) and (ethnic) demographic.
3 No
4 5 No
6 No No to both but that will likely change as I am just in the process of re-doing our risk assessments. Overall risk is probably greater due to our unique business model..., multiple subsidiaries, etc.
7 We are a CU with branches spread across a wide area of the province. (number of) Branches located close to borders, members located outside the province, branches located in areas of economic hardship or oil field activity. Not sure if we have more non -face to face than other CUs? We have a Dealer Finance division, new business online. These may not necessarily be unique to (credit union) but do increase our risk exposure border community, tax evasion relative to currency exchange (border)
9 No, not different than any other CU no
14 (region) is a known drug haven however all FI's are in the same boat. We do find that there is a bigger live and let live attitude that can cause complacency. very high risk; proximity to border, economically depressed regions, economically thriving regions, large urban area; many known organized crime groups operate in our area Yes, non-member transactions whereby proper controls and/or limits have not been set resulting in fraud losses, and 8-10 STRs per month on this channel alone.

Do you use your transaction monitoring to help mitigate these risks? If so, how?

1 Yes based on NAICS coding and Transaction Monitoring rules, identification of suspicious transactions.
2 Yes, this definitely will determine our weakest branches by highlighting some of the transactions they take for granted without doing proper due diligence, it also helps us concentrate on education to those branches.
3 N/R
4 N/R
5 N/R
6 N/A
7 10 No, we don't monitor transactions based on branch location for example. We have developed reports that help us monitor our risk and form part of our risk mitigation strategy.
8 yes
9 no Manually monitoring sort of- we take extra care when investigating in more rural areas. The employees will know the Member better but are often less suspicious.
12 we try to build rules to speak to specific risks, or those identified in our STRs; risk score aggravates alert generation
13 No criminals seem to know these programs
14 No, (credit union) automated solution cannot detect this due to limited functionality.

Does your enterprise risk assessment impact/inform the generation of your alerts (e.g. are your rules tuned to consider your credit union's geographic profile risk, etc.?)?

1 Geographic risk is considered in enterprise risk assessment, however the transaction monitoring rules do not contain geographic attributes, except for high risk wire monitoring.

2 Yes and no, this is a work in progress. We have recently purchased the (solution provider) to assist us with beefing up our risk assessment even though FINTRAC was satisfied with our current program, I wanted something more robust.
3 Yes
4 Not quite yet but we are getting there
5 No
6 Yes
7 Our rules for geographic risk affect the member's risk score however that does not impact our money laundering alerts.
8 not for alerts, but does inform rule creation and review
9 Not at this time, we are in the process of implementing.
10 No because the information available is inconsistent at this time.
12 not yet
13 Yes alerts are set well within range
14 Yes, geographic risk is considered however it is based on postal code information. Extra-provincial entities are not considered as part of geography risk.

What methodology is your credit union using to ensure that you are identifying and reporting suspicious activity that is consistent with suspicious activity that has been previously reported for other members? Or has your credit union not implemented a methodology at this time?

1 Not implemented at this time. Manual review of all cases by manager and senior manager for all not filed cases to assess consistent application of reporting for same type of activity.
2 No we have not implemented a methodology at this time
3 Our experience makes up our risk tolerances We have a centralized compliance Department so easier to do
4 Staff training (branch staff and AML Compliance staff), analysis of trends (monthly numbers, locations, etc. e.g. is anyone branch location submitting few or no reports)
5 Not implemented at this time
6 Each member is risk rated using an AML software program risk rating component based on six risk criteria. Members rated as high risk are flagged as such in the software program and monitored more frequently.
7 Use of the (solution provider) system ensures consistent analysis. We train our staff consistently organization wide on how to spot and submit STR's. We have an internal documented procedure for reviewing and submitting STR's to ensure we have consistency.
8 not really - face-to-face training about case studies, using same detection software.
9 Not at this time, we are in the process of implementing.
10 We do have a methodology and we tend to (err) on the side of caution from a reporting perspective. We will report if we cannot solve an alert to 100% satisfaction. All STR's are done through centralized reporting with skilled investigators making the determinations and completing the final report.
12 all cases have some level of review by management; all STRs are reviewed and approved by management
13 Aside from Artificial Intelligence, Staff training catches the suspicious behaviour. Staff are more alert to people's behaviour as they see the person and speak to the person conducting the transaction
14 Yes, this is considered. All STNs reviewed are entered into a case management software and transactions are uploaded as well. Consistency is demonstrated through (credit union's) review methodology as well as adding WHY an STN was nonactionable into the narrative section of the case management tool. This is done for ALL notifications received.

What methodology is your credit union using to ensure that what your institution is reporting as suspicious is consistent with those activities reported by your industry peers? Or has your credit union not implemented a methodology at this time?

1 No methodology but ongoing peer relationships of AML compliance specialists to assess common best practices.
2 We don't have a methodology for this, however we do have a peer group of local CU's that meet and discuss issues, particularly in relation to legislative changes.

3 Networking, legislation, audits
4 Haven't really implemented a methodology, just keep informed through meetings and informal discussions. We believe we are consistent other than we have just recently begun to explore reporting STRs based on fraud transactions.
5 Not implemented at this time
6 7 The AML software program risk rating component is based on six risk criteria, business-based and relationship based risk assessments. We participate in COAG, Collaboration Group- Compliance Officer Groups which promote the sharing of best practises in this regard.
8 participate in networking groups to keep current on trends and typologies
9 We have not implemented a methodology at this time.
10 Not at this time
12 no formal process, just industry knowledge possessed by AML team members
13 I am the constant in... Industry so I can keep... informed as to statistics. I have knowledge what a like sized Entity is doing. Also if a suspicious person is... (at credit union) I can alert IPOC immediately of this behaviour if this needs to be escalated immediately while still reporting to FINTRAC.
14 Compile and analyze crime trends and statistics for proceeds generating illegal activities relevant to the location of (credit union's) activities; Compile and analyze Suspicious Transaction Report characteristics, particularly those related to transaction values, types and aspects of the subjects involved; Review reports released by the Financial Action Task Force (FATF) and FINTRAC for information relevant to methods and trends of ML/TF pertinent to (credit union's) business activities and the location of its activities; Review notes from peer meetings, conferences and industry groups, relating to methods and trends of ML/TF pertinent to (credit union's) business activities and the location of its activities

About your AML/CTF team:

How many f/t dedicated AML/CTF resources does your credit union have?
in central office (credit union) is decentralized which means most compliance obligations are conducted within the lines of business. 3 5 fte and one Manager We (have) 4 full time employees We are a dept. of three F/T staff. As a best guess we have the equivalent to 1.5 FTE. This is a tough guess as our 3 permanent and 1 temporary person department is responsible for a number of other areas as well FTE 12 5 FTE 13 Each one of my CU s has me and 1 FT at their location and some also have a PT 14 7 analysts, 1 trainer, 1 team lead, 1 Manager, 1 Director = 11 FTE Generally, what are their roles or primary functions? 1 2 CAMLO oversees compliance regime AML Compliance team manager provides advice and support to enterprise on regulations and money laundering detection and documents policies, training, compliance regime. Oversees STR investigations and LCTR reporting Analysts (2) UTR investigations and STR reporting, PEFP detection, Watchlist monitoring, Terrorist monthly reporting 1. Daily input of data, investigating and referring to manager (CAMLO) 2. Manager/CAMLO manage the department, review reports, determine whether reports are truly suspicious, etc. (among other responsibilities) 54 P a g e

3 AML/Fraud/FATCA compliance
4 AML Specialist ft manage all aspects of AML/CTF regime (policy/procedure development, training, risk assessments), manages transaction monitoring software (escalates issues, configuration management)
5 N/R
6 One FTE completes the reporting of LCTR and EFT transactions and submits within the software to FINTRAC; completes the EDD and suspicious transaction events; reviews memberships for compliance. One FTE is the CAMLO to oversee and create policies and procedures and the risk assessment process.
7 Manager, Compliance: Developing and maintaining the organization's legislative compliance management program; Overseeing the development, implementation and maintenance of... compliance program; monitoring organizational adherence to the program; Providing oversight, as... (CAMLO) for (credit union), of the... (AML/ATF) compliance regime; overseeing the regulatory compliance and risk management components of the AML/ATF program; Ensuring the compliance management program complies with policy and legislation
Manager, Operational Compliance: As... (DCAMLO), designing and leading the... (AML) and... (ATF) compliance programs... to ensure the organization's compliance to legislation and to mitigate risk; Leading the management of AML and ATF related software applications e.g. (solution provider) to ensure optimum performance and compliance; Leading the... (FATCA) compliance program; Providing support in the ongoing development of the legislative compliance management program; Ensuring the delivery of AML/ATF compliance programs complies with policy and legislation
Compliance Analyst: Ensuring compliance with... (AML) and... (ATF) legislation including... (STR), record keeping, ongoing compliance training and risk assessment, policy and procedures creation, update, maintenance; Completing investigations, risk based analysis and trending to identify red flags / activities that may be related to money laundering or terrorist financing (e.g. watch lists, suspicious transactions, high-risk accounts); Managing AML and ATF related software applications e.g. (solution provider); making recommendations for customization to ensure optimum performance and compliance
Compliance Officers: Fulfilling required filing of large cash and Electronic Funds Transfer (EFT) reports to FINTRAC as per legislative requirements; Ensuring applicable AML record keeping requirements are being met (e.g. wire transfer record keeping); Monitoring and record-keeping in compliance with Privacy legislation (Withdrawal / Reinstatement of Consent)
8 deputy CAMLO - full operational responsibility Everything FINTRAC, documenting procedures, reporting, reviewing, follow up with staff for missing or incorrect data on reports, completion of (solution provider) reports, etc. We deal with items pertaining to FRAUD investigations and are the contacts for the (local) Police Service. Corporate Risk Dept. is a main referral point and provides guidance to other staff with regards to fraud, AML, FACTA, branch and HO security issues, suspicious activity of any type. FACTA reporting and monitoring, documenting procedures. Internal account reviews as required. Monitoring all CCTV systems throughout the branch and HO network. Subject Matter expertise to all relevant areas of the organization: Training, Procedures; compliance. High Risk monitoring, reporting, All Prescribed reporting to FINTRAC through (solution provider), Review of events for STR, investigating/research unusual transactions, terrorist financing, monthly reporting, quarterly reporting, training Oversight of AML/CTF Compliance Regime - implementing/reviewing policy & procedures, RBA, data quality, board reporting, high risk review.
12 Manager, 3 investigators, 1 prescribed reporting. This team executes all aspects of the compliance regime.
13 I am the Compliance Officer and they are the Support Officer who provide on-site support at (credit union)... I provide... CU with P & P which they implement, I do their reporting for them, I administer their (solution provider)/(solution provider) (I do not risk rate or monitor their membership that is their job), I complete a risk assessment and risk review annually and provide off-site support. I also administer their training and report quarterly to... (the) Board.
14 Analysts = High Risk, Investigative, LCTR/Wires
Trainer = train AML/ATF across entire organization
Team Lead = Supervisor of team and handles STRs as well as High Risk accounts
Manager = Manages entire AML team, responsible for Risk Based Approach, Implementation of Compliance Program
Director = Oversight of AML Team.

How many p/t AML/CTF resources does your credit union have?

they are full time staff with combined AML/Fraud responsibilities none 7 1 employee nil
10 None but our Central Operations department does complete all LCTRs as above
14 0

Generally, what are their roles or primary functions?
1 LCTR filing administration
2 N/R
3 N/R
4 1 investigator (investigates/prepares/submits STRs), 2 administrators manage LCT and EFT reporting, 1 analyst manages ML and watch list alerts, some analysis of (solution provider) software components has been started (this is a fairly new position)
5 3 internal staff but these individuals are also responsible for handling fraud
Senior Manager who is responsible for the oversight of all legislative policies, procedures and activities. Also responsible for fraud detection and management. This individual is the CAMLO for (credit union) and works closely with (3rd party service provider) in maintaining the RBA annually and setting the parameters and thresholds in the (solution provider) software
Manager who performs quarterly high risk member reviews, manages program for regular updating of AML information for High, medium and low risk members files STRs where required, manages day to day aspects of fraud prevention and management
Analyst who files wire reports to FINTRAC daily (as required), monitors (solution provider) daily for requests from (3rd party service provider) for additional information required for them to file our LCTRs and STRs, performs investigations of fraud and recommends appropriate actions to Manager
(3rd party service provider) who is responsible for a) Development and maintenance of RBA b) Policies and procedures c) maintenance of (solution provider) configurations d) Monitoring and investigation of (solution provider) money laundering alerts e) reporting of LCTRs and STRs (where applicable) to FINTRAC f) Conducting semi-annual self-assessments 6) Telephone and support for AML related questions and guidance
6 N/A
7 Compliance Officers: Fulfilling required filing of large cash and Electronic Funds Transfer (EFT) reports to FINTRAC as per legislative requirement; Ensuring applicable AML record keeping requirements are being met (e.g. wire transfer record keeping); Monitoring and record-keeping in compliance with Privacy legislation (Withdrawal / Reinstatement of Consent)
8 CAMLO - Oversight and Board reporting; shares other responsibilities
9 N/R
10 N/R
12 CAMLO, Deputy CAMLO, Quality Assurance Officer - all have responsibilities beyond AML, and are not engaged in the day-to-day execution of the compliance regime
13 The branch support officer is my designate at each CU.
14 N/A

Does any member(s) of your team possess specialist-level data analysis skills?

1 10 Not defined but both analysts are ACAMS trained and working on certification. AML compliance team manager is ACAMS certified and has background in data analysis.
2 No, only experience.
3 No
4 No
5 No
6 No
7 Specialist is subjective. No we do not have any employees who have data analysis skills.
8 CAMS designation, nothing for data analysis
9 no
12 yes
13 No but we have a very thorough lead investigator who is capable of understanding the data that is electronically analyzed by our AML provider. The branch support officer is also the Administrator of their (solution provider) or (solution provider) and can report to FINTRAC if necessary.
14 Manager = CAMS, all analysts are (training provider) trained on analyzing data and using the net for investigative purposes.

Are there any other thoughts or best practices that you would like to share?
1 Not at this time. (credit union) is undergoing a compliance re-evaluation to consider minimal compliance with AML regulations.
2 N/R
3 N/R
4 N/R
5 N/R
6 We have centralized our reporting for AML so that it minimizes the resources of the branch and ensure there is a level of expertise involved in the actual reporting. The majority of information is retrieved via the banking system and other systems such as (solution provider).
7 N/R
8 N/R
9 N/R
10 N/R
12 not at this time
13 N/R
14 N/R

Bonus: With respect to the upcoming regulatory changes, and the proposed change in language relative to the STR threshold, do you assess any impact from this change in language? The Department of Finance has stated that they did not intend to change the threshold, only to clarify it; do you think the industry has been missing anything, necessitating this clarification?
1 Initially yes, but after discussions with Finance Canada, will not implement any specific changes until more information provided that indicates the threshold for filing has dropped below reasonable suspicions. yes
2 N/R
3 No impact
4 I don't know I can only speak for us and I am confident we have not been missing anything. So I would say there really is no impact to us.
5 Could affect the timing of reporting of STRs.

10 6 I wasn't aware that there are changes proposed on this? I will need to do some research.
7 N/R
8 no impact assessed yet
9 not in my opinion N/R I don't think that the industry has been missing anything. I am optimistic that the proposed changes in language will not have a major impact but am holding off on forming an opinion of the clarification until guidance is provided. Yes. I believe that while the intent is not to change the reporting threshold, the intent is to re-affirm the threshold and increase enforcement against it.
14 Yes, in my opinion, parameters will need to be set around what constitutes the suspicious transaction threshold. (credit union) has continued to take the same approach as we have in the past until more guidance comes out with regards to this.

Appendix II Survey Respondent Demographics

The distribution of assets within the credit union system in Canada is heavily skewed in favor of a small number of credit unions. As some respondents wished to remain anonymous, only the most basic of demographic data may be presented in order to preserve their anonymity. As a result of this distribution, the limited number of respondents represents a material portion of the credit union system in Canada. The figures are accurate as of August 2015, and represent all credit unions in Canada excluding Quebec.

Credit Union Central of Canada; 2Q 2015 System Results, Aug 26, 2015 & Largest 100 Credit Unions 2Q 2015, Sep 22,


More information

Produced by Corbin Communications Ltd.

Produced by Corbin Communications Ltd. Produced by Corbin Communications Ltd. Table of Contents Money Laundering 1 Terrorist Financing 1 The Threat 1 The Law 1 What are Revelent Business Activities? 2 Some Key provisions of the Proceeds of

More information

Anti-Money Laundering and Counter Terrorism

Anti-Money Laundering and Counter Terrorism 1 Anti-Money Laundering and Counter Terrorism 1. INTRODUCTION SimpleFX Ltd. ( The Company ) aims to prevent, detect and not knowingly facilitate money laundering and terrorism financing activities. The

More information

AUSTRAC Guidance Note. Risk management and AML/CTF programs

AUSTRAC Guidance Note. Risk management and AML/CTF programs AUSTRAC Guidance Note Risk management and AML/CTF programs AUSTRAC Guidance Note Risk management and AML/CTF programs Anti-Money Laundering and Counter-Terrorism Financing Act 2006 Contents Page 1. Introduction

More information

Act 3 Anti-Money Laundering (Amendment) Act 2017

Act 3 Anti-Money Laundering (Amendment) Act 2017 ACTS SUPPLEMENT No. 3 ACTS SUPPLEMENT 26th May, 2017. to The Uganda Gazette No. 30, Volume CX, dated 26th May, 2017. Printed by UPPC, Entebbe, by Order of the Government. Act 3 Anti-Money Laundering (Amendment)

More information

Counter Fraud Framework Manual Anti-Money Laundering Policy Statement and Procedure

Counter Fraud Framework Manual Anti-Money Laundering Policy Statement and Procedure Counter Fraud Framework Manual 2014 Anti-Money Laundering Policy Statement and Procedure Document Control Document Counter Fraud Framework Manual Anti Money Laundering Policy Statement Description and

More information

GUIDELINES TO MAS NOTICE 314 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM

GUIDELINES TO MAS NOTICE 314 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM GUIDELINES TO MAS NOTICE 314 ON PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM Introduction 1. These Guidelines are issued to provide guidance to the life insurers on some of

More information

BRIEFING NOTE ON THE BAILIWICK OF GUERNSEY S NATIONAL RISK ASSESSMENT 7 July 2016

BRIEFING NOTE ON THE BAILIWICK OF GUERNSEY S NATIONAL RISK ASSESSMENT 7 July 2016 BRIEFING NOTE ON THE BAILIWICK OF GUERNSEY S NATIONAL RISK ASSESSMENT 7 July 2016 Introduction The purpose of this briefing note is to provide financial services businesses, prescribed businesses and e-gambling

More information

KUWAIT TURKISH PARTICIPATION BANK INC. SUMMARY OF ANTI MONEY LAUNDERING AND COMBATING FINANCE OF TERRORISM POLICY

KUWAIT TURKISH PARTICIPATION BANK INC. SUMMARY OF ANTI MONEY LAUNDERING AND COMBATING FINANCE OF TERRORISM POLICY KUWAIT TURKISH PARTICIPATION BANK INC. SUMMARY OF ANTI MONEY LAUNDERING AND COMBATING FINANCE OF TERRORISM POLICY This Document is the property of KTPB and under no circumstances to be disclosed to parties/individuals/correspondents.

More information

The Audit of Licensed Corporations and Associated Entities of Intermediaries

The Audit of Licensed Corporations and Associated Entities of Intermediaries PN 820 (Revised) Issued December 2014; revised March 2016, October 2016 Revi Effective for audits of financial statements for periods ending on or after 15 December 2016 Practice Note 820 (Revised) The

More information

A PRESENTATION AT THE 4 TH ANNUAL INSITUTE OF CERTIFIED PUBLIC ACCOUNTANTS OF KENYA (ICPAK) FINANCIAL CONFERNCE HILTON HOTEL, NAIROBI

A PRESENTATION AT THE 4 TH ANNUAL INSITUTE OF CERTIFIED PUBLIC ACCOUNTANTS OF KENYA (ICPAK) FINANCIAL CONFERNCE HILTON HOTEL, NAIROBI A PRESENTATION AT THE 4 TH ANNUAL INSITUTE OF CERTIFIED PUBLIC ACCOUNTANTS OF KENYA (ICPAK) FINANCIAL CONFERNCE HILTON HOTEL, NAIROBI BY CNTRAL BANK OF KENYA o Introduction? o Vulnerability of Accountants

More information

ANNEX III Sector-Specific Guidance Notes for Investment Business Providers, Investment Funds and Fund Administrators

ANNEX III Sector-Specific Guidance Notes for Investment Business Providers, Investment Funds and Fund Administrators ANNEX III Sector-Specific Guidance Notes for Investment Business Providers, Investment Funds and Fund Administrators These sector-specific guidance notes should be read in conjunction with the main guidance

More information

CITIZENS, INC. BANK SECRECY ACT/ ANTI-MONEY LAUNDERING POLICY AND PROGRAM

CITIZENS, INC. BANK SECRECY ACT/ ANTI-MONEY LAUNDERING POLICY AND PROGRAM I. Introduction CITIZENS, INC. BANK SECRECY ACT/ ANTI-MONEY LAUNDERING POLICY AND PROGRAM The Bank Secrecy Act/Anti-Money Laundering Responsibilities of Insurance Companies U.S. insurance companies have

More information

Number 26 of Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018

Number 26 of Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 Number 26 of 2018 Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 Number 26 of 2018 CRIMINAL JUSTICE (MONEY LAUNDERING AND TERRORIST FINANCING) (AMENDMENT) ACT 2018 CONTENTS

More information

Anti-money laundering Annual report 2017/18

Anti-money laundering Annual report 2017/18 Anti-money laundering Annual report 2017/18 Anti-money laundering Contents 1 Introduction 4 2 Policy developments 5 3 OPBAS 7 4 How our AML supervision is evolving 8 5 Findings and outcomes 9 6 Financial

More information

July 2017 CONSULTATION DRAFT. Guidelines on. Anti-Money Laundering. and. Counter-Terrorist Financing for Professional Accountants

July 2017 CONSULTATION DRAFT. Guidelines on. Anti-Money Laundering. and. Counter-Terrorist Financing for Professional Accountants July 2017 CONSULTATION DRAFT Guidelines on Anti-Money Laundering and Counter-Terrorist Financing for Professional Accountants CONTENTS Page SUMMARY OF MAIN REQUIREMENTS... 4 Section 1: OVERVIEW AND APPLICATION...

More information

Financial Crime Governance, Risk and Compliance Fund Managers & Fund Administrators. Thematic Review 2017

Financial Crime Governance, Risk and Compliance Fund Managers & Fund Administrators. Thematic Review 2017 Financial Crime Governance, Risk and Compliance Fund Managers & Fund Administrators Thematic Review 2017 Foreword During late 2016 a thematic review of fund managers and fund administrators governance,

More information

UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK

UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK ZIONS FIRST NATIONAL BANK SAL T LAKE CITY, UTAH Under the authority of the Bank Secrecy Act ("BSA") and regulations

More information

Briefing Session on Key Findings of AML/CFT Onsite Inspection Visits to Long Term Insurers. Market Conduct Division 31 May 2018

Briefing Session on Key Findings of AML/CFT Onsite Inspection Visits to Long Term Insurers. Market Conduct Division 31 May 2018 Briefing Session on Key Findings of AML/CFT Onsite Inspection Visits to Long Term Insurers Market Conduct Division 31 May 2018 Purposes Strengthen the awareness on AML/CFT requirements by insurance industry

More information

SAINT CHRISTOPHER AND NEVIS STATUTORY RULES AND ORDERS. No. 46 of 2011

SAINT CHRISTOPHER AND NEVIS STATUTORY RULES AND ORDERS. No. 46 of 2011 SAINT CHRISTOPHER AND NEVIS STATUTORY RULES AND ORDERS No. 46 of 2011 ANTI-MONEY LAUNDERING REGULATIONS, 2011 ARRANGEMENT OF REGULATIONS Regulation 1. Citation and commencement. 2. Interpretation. 3. General

More information

Financial Transactions and Reports Analysis Centre of Canada

Financial Transactions and Reports Analysis Centre of Canada Financial Transactions and Reports Analysis Centre of Canada 2010-2011 Report on Plans and Priorities The Honourable James M. Flaherty Minister of Finance Table of Contents DIRECTOR S MESSAGE... 5 SECTION

More information

GUIDANCE MANUAL COMBAT MONEY LAUNDERING. and TERRORIST ACTIVITY FINANCING

GUIDANCE MANUAL COMBAT MONEY LAUNDERING. and TERRORIST ACTIVITY FINANCING Canadian Life and Health Insurance Association Inc. Association canadienne des compagnies d assurances de personnes inc. GUIDANCE MANUAL to COMBAT MONEY LAUNDERING and TERRORIST ACTIVITY FINANCING This

More information

Anti-money Laundering Bulletin

Anti-money Laundering Bulletin April 2015 (revised) Anti-money Laundering Bulletin Frequently Asked Questions on Suspicious Transaction Reporting Supplement to AMLB1 HONG KONG INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS Anti-Money Laundering/

More information

PROCEEDS OF CRIME AND ANTI-MONEY LAUNDERING ACT

PROCEEDS OF CRIME AND ANTI-MONEY LAUNDERING ACT NO. 9 OF 2009 PROCEEDS OF CRIME AND ANTI-MONEY LAUNDERING ACT SUBSIDIARY LEGISLATION List of Subsidiary Legislation Page 1. Regulations, 2013...P34 75 PROCEEDS OF CRIME AND ANTI-MONEY LAUNDERING REGULATIONS,

More information

International Standard on Auditing (UK) 250 (Revised)

International Standard on Auditing (UK) 250 (Revised) Standard Audit and Assurance Financial Reporting Council December 2017 International Standard on Auditing (UK) 250 (Revised) Section A Consideration of Laws and Regulations in an Audit of Financial Statements

More information

SUMMARY Seychelles National Risk Assessment Report for Money Laundering & Terrorist Financing 2017

SUMMARY Seychelles National Risk Assessment Report for Money Laundering & Terrorist Financing 2017 SUMMARY Seychelles National Risk Assessment Report for Money Laundering & Terrorist Financing 2017 Introduction The National Risk Assessment (NRA) is a process of identifying and evaluating the Money Laundering

More information

International Standard on Auditing (UK) 250A (Revised June 2016)

International Standard on Auditing (UK) 250A (Revised June 2016) Standard Audit and Assurance Financial Reporting Council June 2016 International Standard on Auditing (UK) 250A (Revised June 2016) Section A Consideration of Laws and Regulations in an Audit of Financial

More information

Kenya Gazette Supplement No th March, (Legislative Supplement No. 21)

Kenya Gazette Supplement No th March, (Legislative Supplement No. 21) SPECIAL ISSUE 219 Kenya Gazette Supplement No. 52 28th March, 2013 (Legislative Supplement No. 21) LEGAL NOTICE NO. 59 THE PROCEEDS OF CRIME AND ANTI-MONEY LAUNDERING ACT (No. 9 of 2010) THE PROCEEDS OF

More information

1. ENTITY & OWNERSHIP 1 Full Legal Name

1. ENTITY & OWNERSHIP 1 Full Legal Name Financial Institution Name: Location (Country) : No # Question Answer 1. ENTITY & OWNERSHIP 1 Full Legal Name 2 Append a list of branches which are covered by this questionnaire 3 Full Legal (Registered)

More information

TRENDS IN CANADIAN SUSPICIOUS TRANSACTION REPORTING (STR)

TRENDS IN CANADIAN SUSPICIOUS TRANSACTION REPORTING (STR) TRENDS IN CANADIAN SUSPICIOUS TRANSACTION REPORTING (STR) FINTRAC Typologies and Trends Reports April 2011 Financial Transactions and Reports Analysis Centre of Canada April 2011 MESSAGE FROM THE DIRECTOR

More information

MONEY LAUNDERING AND TERRORISM FINANCING IN THE CORPORATE SERVICE PROVIDERS SECTOR. Domestic Trends

MONEY LAUNDERING AND TERRORISM FINANCING IN THE CORPORATE SERVICE PROVIDERS SECTOR. Domestic Trends MONEY LAUNDERING AND TERRORISM FINANCING IN THE CORPORATE SERVICE PROVIDERS SECTOR Domestic Trends 31 May 2016 AGENDA ML/TF Trends National Risk Assessment Findings Sector Vulnerabilities Shell companies

More information

INTERNAL CONTROL POLICIES AND PROCEDURES (As envisaged under the Prevention of Money Laundering Act, 2002)

INTERNAL CONTROL POLICIES AND PROCEDURES (As envisaged under the Prevention of Money Laundering Act, 2002) Preface: INTERNAL CONTROL POLICIES AND PROCEDURES (As envisaged under the Prevention of Money Laundering Act, 2002) This document shall be considered as official guidelines, policies and procedures to

More information

Update No (Issued 28 February 2018) Document Reference and Title Instructions Explanations

Update No (Issued 28 February 2018) Document Reference and Title Instructions Explanations Update No. 216 (Issued 28 February 2018) Document Reference and Title Instructions Explanations VOLUME I Contents of Volume I PROFESSIONAL ETHICS Code of Ethics for Professional Accountants (Revised) [Part

More information

Preface... 5 Process... 7 Introduction... 8 Chapter 1 Legislative and Regulatory Gaps... 18

Preface... 5 Process... 7 Introduction... 8 Chapter 1 Legislative and Regulatory Gaps... 18 Table of Contents Preface... 5 Process... 7 Introduction... 8 The Importance of Combatting Money Laundering and Terrorist Financing... 8 Canada s Anti-Money Laundering and Anti-Terrorist Financing Regime...

More information

1. ENTITY & OWNERSHIP 1 Full Legal name

1. ENTITY & OWNERSHIP 1 Full Legal name Financial Institution Name: Location (Country) : Nordea Bank AB (publ) Sweden No # Question Answer 1. ENTITY & OWNERSHIP 1 Full Legal name 2 Append a list of branches which are covered by this questionnaire

More information

CHAPTER 423 THE ANTI-MONEY LAUNDERING ACT PRINCIPAL LEGISLATION ARRANGEMETN OF SECTIONS PART I PRELIMINARY PROVISIONS

CHAPTER 423 THE ANTI-MONEY LAUNDERING ACT PRINCIPAL LEGISLATION ARRANGEMETN OF SECTIONS PART I PRELIMINARY PROVISIONS CHAPTER 423 THE ANTI-MONEY LAUNDERING ACT PRINCIPAL LEGISLATION ARRANGEMETN OF SECTIONS Section Title PART I PRELIMINARY PROVISIONS 1. Short title. 2. Application. 3. Interpretation. PART II THE FINANCIAL

More information

CBA and AUSTRAC resolve AML/CTF proceedings subject to Federal Court approval

CBA and AUSTRAC resolve AML/CTF proceedings subject to Federal Court approval CBA and AUSTRAC resolve AML/CTF proceedings subject to Federal Court approval Monday, 4 June 2018 (Sydney): Commonwealth Bank of Australia (CBA) today announced it has entered into an agreement with AUSTRAC,

More information

Guidelines for Anti-Money Laundering and Combating the Financing of Terrorism

Guidelines for Anti-Money Laundering and Combating the Financing of Terrorism [Provisional Translation] The original texts of the Guidelines are prepared in Japanese, and this translation is only provisional. The translation is to be used solely as reference material to aid the

More information

MONEY LAUNDERING - HIGH VALUE DEALERS

MONEY LAUNDERING - HIGH VALUE DEALERS MONEY LAUNDERING - HIGH VALUE DEALERS Money Laundering - High Value Dealers The Money Laundering Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the Regulations) apply to a

More information

Money Laundering And The Proceeds Of Crime

Money Laundering And The Proceeds Of Crime Money Laundering And The Proceeds Of Crime www.baldwinsaccountants.co.uk I t: 0845 894 8966 I e: info@baldwinandco.co.uk There are tough rules to crack down on money laundering and the proceeds of crime.

More information

B L.N. 372 of 2017 PREVENTION OF MONEY LAUNDERING ACT (CAP. 373) Prevention of Money Laundering and Funding of Terrorism Regulations, 2017

B L.N. 372 of 2017 PREVENTION OF MONEY LAUNDERING ACT (CAP. 373) Prevention of Money Laundering and Funding of Terrorism Regulations, 2017 B 2698 L.N. 372 of 2017 PREVENTION OF MONEY LAUNDERING ACT (CAP. 373) Prevention of Money Laundering and Funding of Terrorism Regulations, 2017 IN exercise of the powers conferred by article 12 of the

More information

Anti-Money Laundering Law of the People's Republic of China

Anti-Money Laundering Law of the People's Republic of China Anti-Money Laundering Law of the People's Republic of China Adopted at the 24th Session of the Standing Committee of the 10th National People's Congress on 31 October 2006 Table of Contents Chapter I General

More information

Credit unions will also need to be aware of CRED G to J G.

Credit unions will also need to be aware of CRED G to J G. 41 4: Credit unions Note: This sectoral guidance is incomplete on its own. It must be read in conjunction with the main guidance set out in Part I of the Guidance. This guidance covers aspects of money

More information

Member States capabilities in fighting tax crimes

Member States capabilities in fighting tax crimes United Kingdom Tax avoidance is understood as a legal act - unless deemed illegal by the tax authorities or, ultimately, by the courts - of using tax regimes to one's own advantage to reduce one's tax

More information