Presentation Notes
Derek Ramm, Officer FINTRAC
April 20, 2010

About FINTRAC

FINTRAC is a regulator: False. We are considered a Financial Intelligence Unit, with a primary mandate to assist in the detection of money laundering and terrorist financing activities in Canada by analyzing financial transactions that are reported to us and providing this information to police and national security agencies.

There are 200-300 financial intelligence units around the world. Essentially every industrialized nation has one with similar types of mandates. FINTRAC differs in that we have been given powers under federal legislation to ensure compliance with the act, the Proceeds of Crime and Money Laundering and Terrorist Financing Act. Other financial intelligence units globally do have the compliance mandate within their legislation. Generally speaking they are purely intelligence agencies; their primary focus is to assist in organized crime and security investigations and leave compliance to other agencies.

In Canada, FINTRAC has been granted compliance powers under Part 1 of the Act; because of this, a common misconception is that FINTRAC is a regulator. Although we do at times act as a regulator, our compliance role is there to feed into the intelligence role. When we exercise our compliance mandate, ultimately FINTRAC is concerned with our ability to fulfil our intelligence mandate. Tracking money and making connections through financial transactions benefits police investigations where money laundering and crime money are involved.

FINTRAC receives questions about convictions regularly; we are, however, not the right agency for these inquiries. FINTRAC acts simply as one cog in the wheel of the justice system. FINTRAC is strictly an intelligence agency; as such, we do not carry the powers of arrest or prosecution. However, since our inception in 2000, the demand for our services has been exponentially increasing every year.
Particularly in the cases of fraud and drug trafficking, FINTRAC reports are being used frequently.

Sectors of the economy that are subject to the federal proceeds of crime laws are accountants, real estate, money services businesses, life insurance, dealers in precious metals and stones, financial entities, casinos, and securities dealers. These entities report to FINTRAC. Once received, FINTRAC analyzes all documents and, upon reasonable belief, will disclose this information to police or the appropriate investigative body. Once in the hands of the authorities, they conduct their own investigation. Often the value of our research comes from opening new avenues for authorities to investigate that they did not previously know about.

Another myth about FINTRAC is that we are fully compliant with the provincial securities laws: False. There are similarities to some degree, and by and large there are similarities between the provincial legislation and the federal legislation; there are, however, very distinct differences. Strict compliance with the provincial legislation does not guarantee AML compliance (anti-money laundering compliance). The federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act has obligations and requirements that are distinct from provincial securities legislation and rules.

We have heard that the Proceeds of Crime (Money Laundering) and Terrorist Financing Act rules are referred to as the FINTRAC rules; this is false. It does in fact a disservice to all other agencies that are involved in proceeds of crime legislation. FINTRAC just happens to be the agency that has been tasked with compliance enforcement. FINTRAC has become the public face of the legislation, but there are other agencies that are involved in the legislation; the Canada Border Services Agency enforces Part 2 of the Act for cross-border currency reporting.

Regulations & Compliance

The last time we spoke with the ICAC was on the topic of new enforcement rules that came into effect on June 23, 2008. The general consensus is that many investment firms have not in fact adjusted their anti-money laundering compliance programs accordingly with respect to the June 23 amendments. The top three issues we are seeing at the moment are:

1. Ongoing training for staff
2. Risk assessment and mitigation measures
3. Customer due diligence

On the training, a number of changes have been implemented since June 23, 2008; there has always been the requirement to train staff on an ongoing basis. With the implemented changes, it is now a requirement to document the training programs. The program has to be in writing and be inclusive of what the training plans are, what it will include, who it will include, and future training plans. The training must be appropriate and specific to the firm. Many firms will have employees complete the CSI AML course, which is fine, but does not comply with AML rules.
Employees must understand how firm-specific AML policies and procedures work. As for ongoing training measures, FINTRAC recommends a minimum of every two years, which would coincide with the firm's AML program review. FINTRAC does not prescribe what form of training should take place; again, this is firm specific.

On the risk assessment and mitigation measures, FINTRAC is seeing issues across more than half the investment firms. Many firms FINTRAC has examined have done nothing to implement policy by June 23, 2008. Other firms lacked appropriate risk assignments or had inadequate measures in place to mitigate identified high-risk areas.

The requirement is to assess the risk and document the risks associated with your firm being used for money laundering or terrorist financing. The law actually gives you reference as to what to look at when doing these risk assessments. The firm needs to look at the clients and the types of relationships you have with the clients, the products that the firm offers and its delivery channels, and the geographic location of your activities and that of your clients' activities. To fulfil this requirement I recommend thinking like a criminal; that is, take a look at your products and services, try to determine how you would launder money through your firm, and document your findings. For portfolio managers, there is a lesser risk; however, the risk lies in the money entering and leaving the firm. By and large, discretionary managers have a very different risk profile than a mutual fund dealer or an investment dealer would.

The second requirement is to implement mitigation measures for high-risk profiles; again, this is part of the law. The firm must take ongoing measures to ensure client information is up to date, take reasonable measures to conduct ongoing monitoring with the aim of reporting suspicious transactions, and then take measures to mitigate the identified risks. These would be above and beyond the firm's regular measures, to prevent situations of money laundering.

Regardless of registration category, FINTRAC is seeing inadequate identification of clients in non-face-to-face situations, particularly non-residents, inadequate confirmation of a corporation's existence, and a lack of beneficial ownership information. We do not see this with IIROC firms because they have been required for the longest time to obtain beneficial ownership information, but what is new for portfolio and mutual fund members is that you now need to obtain beneficial ownership information for anyone who owns or controls 25% or more of the corporation. If you are, however, unable to obtain that information, that is acceptable, as the law does recognize secrecy jurisdictions, but there must be an attempt made to obtain the information, with documentation of the attempts made.
This may be something you may want to consider for your risk model; if you are unable to see who is behind the company, that client should be put into a higher risk category.

Additionally, there is a similar issue with knowledge of a politically exposed person. Issues arise when the generic question is asked on the KYC form without definition or context. It is imperative that both you and your client understand what this means. We have seen cases where firms have put the lengthy definition directly on the KYC form so it is right there in black and white.

Another addition to the compliance regime is to conduct formal reviews of the effectiveness of policies and procedures with regard to the training programs and risk assessments. This has been in force from day one but was too vague. Since June 23, 2008, firms must now conduct this review no more than every two years. Reviews must be documented and reported to a senior officer within 30 days of review, including actions taken. There is no requirement for an external auditor; however, the more independent the reviewer the better.

Penalties have been in place since December 30, 2008; FINTRAC can levy administrative monetary penalties for non-compliance. FINTRAC may also refer non-compliance cases to law enforcement for criminal prosecution, which may get you up to five years in prison for non-compliance. The process is very different from what provincial regulators abide by. FINTRAC starts by issuing a formal notice of violation which outlines exactly what the issues are and classifies them as minor, serious, or very serious. Depending on the classification of the violation, the fines range from $1,000 to $500,000 per violation. The fines are prescribed by law; as such, FINTRAC must follow criteria:

- Did the firm gain a competitive advantage by being non-compliant?
- Were people harmed by this non-compliance?
- Did it impact an ongoing investigation?
- Would knowledge of reported transactions change the case?
- Compliance history of the reporting firm

Fines are supposed to be non-punitive, not intended to put someone out of business, but to be corrective. Once a notice of violation has been received, there is a 30-day window for appeals to be given in writing to the director of FINTRAC. The notice will then go to a reviews and case assessment panel, which will determine if fines need to stay, be reduced, or be thrown out. Serious or very serious penalties that levy over $10,000 may be appealed to a federal court. However, for serious and very serious violations FINTRAC may publish details on the public website; as of yet there are seven listings on the site, with the highest fine of $37,000 against a money services business.

Registration fines have been levied against some money services dealers (foreign exchange dealers) for non-registration. Money services dealers are a non-regulated sector of the industry and they are now required by law to register with us. Securities firms are not required to register with us; that is a common misconception we see.

Question Period

Q1: What steps does FINTRAC envision firms taking to identify beneficial ownership of a corporate entity?
A1: A straightforward request to the corporation for that information. It is a fairly standard requirement for most industrialized nations for AML compliance issues. There is obviously the possibility that clients can provide false information at every stage of the KYC due diligence stages, but if you can demonstrate that the firm has taken reasonable steps to perform its due diligence, that is fine.
Q2: The requirement to keep high-risk clients' identification up to date, what does that entail?
A2: Part of the requirement is ongoing monitoring. For example, if the passport expires you can do a follow-up for new identification information. Or, if there is a significant trade years down the road, you can at that point follow up with the client to ensure your records truthfully reflect their current situation.
Q3: If their passport expires, what does it accomplish by asking for their new information? If the firm was satisfied at the time that the client was who they were saying they were, what would that update do to help?
A3: That part of the requirement is probably geared to the one-off type business relationships rather than ongoing business relationships. There are a lot of businesses subject to the act, such as casinos and money services businesses. If you can demonstrate that you have taken reasonable measures to keep account information up to date and monitor the account for activity, then we are happy.
Q4: Face-to-face requirement; if you send off a KYC and get independently verified information on job and identification, then meet the client months down the road, does this meet the spirit of the requirement?
A4: The law does not actually require anyone to meet face to face; it just says that if you do not physically meet the client, there are certain things you need to do to verify the identity. Guidelines 6E are where you need to look for details of how you can do this. The real issues we saw were from cross-border clients. Firms were not taking necessary steps to identify clients. Steps taken need to be firm specific or, more accurately, registration specific.
Q5: Does FINTRAC have an inspection team that is going around looking at firms? If so, how do you select who you go to see?
A5: We do have offices all over Canada; being a federal agency, our head offices are in Ottawa. We do have examination teams that do reviews. Sometimes these are desk reviews and we would not even show up on site; we just ask that certain documents be provided. As I talked about earlier, everything must be documented, so we expect anything we ask for to be readily available. We also have onsite inspection teams; depending on the size of firms we spend anywhere from a few hours to days. Our mandate is different from the provincial securities regulators; we are strictly concerned with AML issues, and as such we are very directed in our investigations. As for selection, we have a risk-based compliance program; it does mean that, because of that, we have random names that pop up to test our risk assessment models. That means that just because you are chosen does not mean we have deemed you high risk; it just means your name came up in our review pool. We are not on a cycle; this means you may only see us once every ten years, or, if we deem there to be specific cause, you may see us every year.
Q6: You stated that approximately half of the firms FINTRAC has reviewed have been in non-compliance; how many firms have you reviewed?
A6: I cannot give you the exact figure, but with regard to securities it would be well over 200 reviews, either by desk review or site review. It would be hard for me to break down exactly how many of which are securities dealers and those of other professions from memory.
Q7: How is the industry doing overall?
A7: The biggest concern for us is that FINTRAC is seen as a regulator and we are not; we are an intelligence agency. Our compliance program is geared towards that. Our compliance is not for compliance's sake; it is geared towards compliance to aid in criminal investigations. The failure we see in this industry is in reporting of suspicious transactions. That is across the board, granted our expectations differ by the firm (size). Given the amount of fraud that occurs in the industry, we are surprised by the low levels of reporting to FINTRAC.
Q8: Could you give us some stats specifically on the reporting issues?
A8: The centre receives about 75,000 reports per day, the majority of which are through cross-border electronic reports. We now have a database of over 120,000,000 reports; since 2001 only .0001 have come from the investment industry, which is too low.
Q9: One of the challenges we face on the mutual fund side, where we have nominee accounts that are open to clients of other dealers, is that we have little KYC information on them. It is therefore very hard for us to determine suspicious acts, as we do not know the client well enough.
A9: This is a similar situation to the one the portfolio managers face. In the instance where the company is a fund manufacturer, there would be little to no KYC information, as the business is strictly manufacturing these funds and distributing them through branch levels or mutual fund dealers. Again, this would be a firm-specific issue. There have, however, been cases where mutual fund managers have been able to report interesting stats to us, particularly where a client has multiple accounts across multiple dealers. Fund managers would be privy to information that could very well help FINTRAC in its investigation mandates. I do, however, agree that it would be very difficult in this business situation to find this type of information.