In preparation for the audit of Canada’s anti-money laundering and terrorist financing regime by the Financial Action Task Force (FATF) in the fall of 2015, the Department of Finance and the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) have been very busy. In that regard, they have each released guidance that is intended to provide information to reporting entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) in respect of the inherent risks of money laundering (ML) and terrorist financing (TF) in Canada and how to factor those risk elements into their required risk assessments.
In May of 2015, FINTRAC quietly published a paper entitled “Guidance on the Risk-Based Approach to Combatting Money Laundering and Terrorist Financing” on its website (Guidance). While FINTRAC notes that it has developed the Guidance to “help” reporting entities meet their risk-based approach obligations under the PCMLTFA, based on the wording used in the Guidance and based on experience of some reporting entities with FINTRAC, it is more likely that the information in this Guidance now forms a regulatory expectation. Accordingly, reporting entities can expect their risk-based approach to combatting ML and TF to now be evaluated based on the criteria set out in this “Guidance”.
In addition to the Guidance, in July of 2015, the Department of Finance published its Assessment of Inherent Risks of Money Laundering and Terrorist Financing in Canada report (Report), which is intended to “better identify, assess and understand inherent money laundering and terrorist financing risks in Canada on an ongoing basis”. In the Report, the Government of Canada notes that reporting entities are “encouraged” to use the findings in the Report to inform their efforts in assessing and mitigating risks.
In light of the information provided in these two important documents, it is submitted that the risk-based approach requirements under the PCMLTFA, which are for the most part principle based, have now become much more prescriptive in nature and that regulatory expectations in respect of risk-based assessments will also be similarly interpreted.
The FINTRAC Guidance provides that risk in the ML and TF context can be broken down into two levels:
- National Risk: threats and vulnerabilities presented by ML/TF that put at risk the integrity of the Canadian financial system and the safety and security of Canadians
- Reporting Entity Risk: threats and vulnerabilities that put the reporting entity at risk of being used to facilitate ML/TF
The FINTRAC Guidance addresses the reporting entity risk while the Government of Canada Report addresses both reporting entity risks and the national risk. It is clear that the regulatory intention is that the information contained in these two documents be considered in totality when reporting entities are updating or creating their risk assessments.
As a starting point, the regulations under the PCMTFA (Regulations) require reporting entities to perform a risk assessment of their business activities and clients using certain prescribed elements. These elements are as follows:
- The reporting entity’s clients and business relationships
- The reporting entity’s products and delivery channels
- The geographic location of the activities of the reporting entity
- Other relevant factors
These identified risks must then be determined and mitigated through the implementation of controls. In addition, where the risk is found to be high, there are prescribed measures that must be implemented by reporting entities.
The Guidance indicates that there are six steps that must be considered in the risk-based approach:
- Identification of inherent risks (business risk and relationship risk)
- Setting of an institution’s risk tolerance
- Creating risk-reduction measures and key controls
- Evaluating the institution’s residual risks
- Implementing the institution’s risk-based approach
- Reviewing the institution’s risk-based approach
In respect of these steps, the concept of setting a “risk tolerance” is a new one and is not expressly addressed in the Regulations; however, it is clear from the Guidance that this is now a regulatory expectation. FINTRAC indicates that setting risk tolerance is answering the question “As a business, what level of risk are you willing to accept?”
In determining a reporting entity’s risk tolerance, FINTRAC points to the following risk categories that could be considered in an organization’s risk tolerance:
In addition, FINTRAC recommends that determining a reporting entity’s risk tolerance is an exercise that should include obtaining senior management approval. In that regard, FINTRAC notes that the approach to the management of risk and risk mitigation requires the leadership and engagement of senior management generally.
This Guidance issued by FINTRAC seems to extend their role purely from regulating compliance with the PCMLTFA to requiring more robust risk management processes.
In addition to setting a reporting entity’s risk tolerance, the Guidance also requires reporting entities to evaluate their residual risks. The Guidance defines residual risk as “the risk remaining after taking into consideration risk mitigation measures and controls”. The Guidance refers to two types of residual risks:
- Tolerated risks: risks that although tolerated are still risks and acceptance means there is no benefit in trying to reduce them. Tolerated risks may increase over time.
- Mitigated risks: risks that although mitigated are still risks. These risks have been reduced but not eliminated.
FINTRAC notes in the Guidance that it expects reporting entities take time to evaluate their level of residual risks and confirm that the level of risk is aligned with what they are willing to tolerate to ensure the integrity of their own business. In this regard, FINTRAC notes that if a reporting entity’s residual risk is not in line with its risk tolerance, it is expected to go back and increase the level and/or quantity of mitigation measures that were put in place. While FINTRAC notes that evaluating residual risk is not a regulatory requirement, the tone of the Guidance indicates otherwise.
In addition to the requirement to have and document a reporting entity’s risk tolerance and residual risk; there are a few other important insights in the Guidance worth noting.
In terms of geographic risk, the Guidance indicates that if a business is situated near a border crossing, a reporting entity may have higher inherent risk due to the fact that the business may be the first entry point into the Canadian financial system. There are also numerous links to maps and information on high crime regions. This geographic risk information is consistent with the position that FINTRAC has been taking, that being that using “Canada” as a geographic region for risk is not sufficient. Instead, Canada must be broken down by region and demographics.
The prescribed matters that must be completed in a risk assessment include the catch-all category of “other relevant factors”. In that regard, the Guidance provides some indication of what FINTRAC considers “relevant factors”. Specifically, FINTRAC notes that relevant factors could include:
- Legal: related to domestic laws, regulations and potential threats
- Structural: related to specific business models and process
- Trends and typologies for a reporting entity’s activity sector
- Operational structure including high employee turnover and/or a large number of employees
- Third party and/or service providers: reporting entities are ultimately responsible for compliance even where these parties are utilized
The Guidance provides a lot of other useful information in respect of FINTRAC’s expectations, including detailed guidance on how to implement the risk-based approach in compliance with FINTRAC’s expectations. Reporting entities should familiarize themselves with the requirements of the Guideline as it is submitted that this Guidance is now a regulatory expectation.
As previously noted, as part of performing an institution’s risk assessment, reporting entities are required to determine their inherent risks of being used for ML/TF. In that respect, the Report provides some information as to what Canada’s inherent ML/TF risks are. Specifically, the Report found ML/TF vulnerabilities for 27 economic sectors and financial products. The Government of Canada expects reporting entities to use the information in the Report to understand their vulnerabilities to inherent ML/TF risks. However, in that respect the information in the Report is very general in nature and does not provide a lot more information than that which is readily available through FATF and other sources. Notwithstanding this, the information in the Report is important for reporting entities to consider in undertaking their risk assessments.
The Report indicates that threats from the following constitute “Very High Money Laundering Threats”:
- Capital markets fraud
- Commercial trade fraud
- Corruption and bribery
- Counterfeiting and piracy
- Drug trafficking
- Mass marketing fraud
- Mortgage fraud
- Third party money laundering
- Tobacco smuggling and trafficking
In addition to these “very high” money laundering threats, the Report also outlines certain “high” and “medium” threats and one “low” threat, that being the ML threat from wildlife crime.
The Report also provides an assessment of TF threats and in that regard — not surprisingly — provides a list of countries that are the most likely location where such funds or goods would be received: Afghanistan, Egypt, India, Lebanon, Pakistan, Palestinian Territories, Somalia, Sri Lanka, Syria, Turkey, United Arab Emirates and Yemen. There is also a list of 10 terrorist groups with a Canadian nexus and a description of the TF risk of such groups by examining the following factors: sophistication, capability, scope of terrorist financing, estimated fundraising, diversification of methods and suspected use of funds. However, while the Report indicates that these 10 terrorist groups pose either a low, medium or high TF risk in Canada, presumably for security reasons, there is no specific information into which category any one particular group falls.
The Report also notes that the inherent vulnerability of the six designated domestic systemically important banks is very high given their size, scope and reach and their involvement in multiple business lines. In addition, certain non-regulated entities were also considered for ML/TF risks. Such entities include corporations, express trusts, lawyers, non- profit organizations, cheque cashing businesses, closed-loop pre-paid access, factoring companies, financing and leasing companies, ship based casinos, unregulated mortgage lenders and white label ATMs. It is submitted that the findings in the Report should be considered in establishing business relationships with these entities and performing the related risk assessments.
In terms of the overall inherent ML/TF vulnerability rating results, the entities that were found to have a very high vulnerability rating were corporations, domestic banks, express trusts, national full-service money service businesses (MSBs) and small independent MSBs.
Combining all of the contained information, the Report concludes that there are 14 sectors and products that are exposed to very high ML risks involving threat actors (such as organized crime).
Interestingly, the Report also concludes that cash smuggling or the use of cash couriers within Canada and across the Canadian border is a ML method that is frequently used, including by professional money launderers. It is noteworthy that this method of ML does not in fact involve any sector, product or service. In addition, although many unregulated sectors were identified as posing high ML/TF risks, the Report does not indicate if the government intends to regulate these sectors, although we understand that the Department of Finance is planning to regulate pre-paid access issued by financial entities.
Reporting entities should review the Report to consider what adjustments/refinements should be made to their risk assessments to address the information and findings in the Guidance and the Report.
In terms of risks assessments generally, it is also noteworthy that the recent proposed amendments to the Regulations under the PCMLTFA (see our July 2015 Blakes Update: Amendments to Canada’s Anti-Money Laundering Legislation: What’s New and What’s Next) add additional prescribed requirements to be considered in risk assessments. These additional factors are:
- Any new developments in respect of, or the impact of new technologies on, a regulated entity’s clients, business relationships, products or delivery channels or the geographic locations of their activities
- For financial entities or securities dealers, any risk resulting from the activities of an affiliated Canadian financial entity or securities dealer or from the activities of an affiliated foreign entity that carries out similar activities
Given the new information now available, it is submitted that regulated entities should be reviewing their risk assessment methodology to ensure that it will meet regulatory expectations.