Since the proposed amendments to the regulations (Regulations) to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) were released in June 2018, regulated entities (REs) have been anxiously awaiting the final version of the Regulations, after numerous rounds of consultations with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). The suspense has now ended. Although the Regulations will not be formally released in the Canada Gazette until July 10, 2019, the Department of Finance quietly released the final version of the Regulations late last week.
Given the scope of the changes, regulated entities (REs) will be required to significantly revamp their compliance policies and procedures. Thankfully, except for one change that is beneficial to REs, the amendments will not come into force until June 1, 2020 and in the case of some provisions, until June 1, 2021.
There are some positive changes made to the Regulations since the draft Regulations that were released in June 2018. Thankfully, the concept of “every other detail that identifies the transaction”, a mandatory element of many record-keeping requirements, has been removed. In addition, many of the requirements in respect of electronic funds transfers (EFTs), which were drafted to apply to both domestic and cross-border EFTs (now called international EFTs) have been limited in scope to international EFTs only. Given the vast changes to the Regulations, REs are advised to review the Regulations carefully to determine the scope of changes they will need to make to their policies and procedures and the technology builds required to implement the changes operationally.
What follows is an overview of the most substantive changes to the Regulations.
SUSPICIOUS TRANSACTION REPORTING REGULATIONS (STR REGULATIONS)
The timing for filing suspicious transaction reports has been amended, as expected. In that regard, the STR Regulations now require REs to report suspicious transactions to FINTRAC “as soon as reasonably practicable” after they have taken measures that enable them to establish that there are reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering or terrorist financing. Currently, the Regulations require a RE to file a STR within 30 days from the time that a RE “first detects a fact that constitutes reasonable grounds to suspect.” The previous draft of the Regulations had required a filing to be made within three days. This change seems to reflect a compromise to the regulatory pushback that many REs expressed with having a three-day timeline.
The likely effect? Not only will FINTRAC be judging if a RE should have filed a STR for any given set of circumstances, but it will also now subjectively assess if a RE’s STR filings were made “as soon as practicable”, an inherently subjective determination. It will be interesting to see how FINTRAC interprets this provision in its examinations.
In addition to the foregoing, for Terrorist Property Reports, the timing requirement for filing has changed from “without delay” to “immediately”.
In respect of the information that is required to be submitted in a STR, there is much more information that is being requested of REs than was previously the case. In that regard, for items that are not mandatory, FINTRAC takes the view that if the required information is in a RE’s records, it is required to be included in the report. This may be quite challenging for large REs where different information is stored by differing lines of business. Examples of new categories of requested information include IP addresses, ID number of device, and the type of device used to conduct a transaction. The data fields requested are also quite broad. On the positive side, the “catch all” in the previous draft of Regulations in respect of “every other known detail that identifies the transaction” has been removed from the STR reporting requirements.
Electronic Funds Transfers
Some of the most substantive changes in the Regulations are in respect of EFTs, including a change in the definition of an EFT and a change to the record keeping and reporting requirements. These provisions apply to financial entities, money services businesses (MSBs) and casinos.
The definition of an EFT now includes instructions initiated and received by the same person or entity, meaning to catch “in-house” transfer transactions. As is the case in the current definition, in order for a transaction to be an EFT, it does not require the actual transfer of funds, but rather only a transmission for the instruction to transfer funds. Importantly, the EFT definition is no longer limited to only cross-border (now called international) EFTs; instead it includes both domestic and international EFTs. In order to differentiate between the requirements for cross-border and domestic EFTs, a new definition of an “international EFT” has been added. An international EFT is defined in the Regulations as “an electronic funds transfer other than for the transfer of funds within Canada.”
There are some specific exclusions from the definition of an EFT that are particularly relevant given the changes made to the reporting requirements for EFTs in the Regulations. Specifically, while the current Regulations require REs to report to FINTRAC in respect of those EFTs sent at the “request of a client”, the revised Regulations require EFTs that are sent or received “at the request of a person or entity” to be reported. As such, the reporting requirements will extend beyond client-requested EFTs and will instead apply to all EFTs within scope that are sent at another person’s request. As a result, the carve outs from the definition of an EFT become critically important.
In that regard, some of the carve outs from the definition of an EFT include transmissions that are:
- Cash withdrawals from accounts
- Both initiated and finally received by persons or entities acting to clear or settle payments obligations between themselves
- Initiated or finally received by REs for the purposes of internal treasury management, including the management of financial assets and liabilities, if one of the parties to the transaction is a subsidiary of the other or if they are subsidiaries of the same corporation.
Given the change to the reporting requirements, REs will need to reconsider all business-related EFTs to ensure that they fall within the carve outs or they will be required to report a new category of EFTs that were not previously contemplated.
One of the most significant changes in respect of international EFTs relates to which RE is now required to report to FINTRAC. Currently, where multiple REs are involved in the transmission of an EFT, the reporting regime requires the last RE to touch the funds to report, in the case of outgoing EFTs, and the first RE to touch the funds to report, for incoming EFTs, provided in both cases information in respect of the originator and beneficiary are provided in the instructions. Under the revised Regulations, the reporting requirements now apply for outgoing EFTs to the RE that initiates the EFT (i.e., receives the first transmission of the instructions to transfer funds) and for incoming EFTs to the RE that is the final recipient of the EFT (i.e., the recipient that is to make the remittance to a beneficiary). As such, there is a complete change in the reporting responsibility for international EFTs where multiple REs are involved. This will require REs to operationalize EFT reporting in circumstances where they have not previously done so.
In addition to the revised reporting requirements, there are new record-keeping requirements for intermediary parties to the transmission of an EFT. While the requirement to identify the transactor for business entities that send EFTs has thankfully been removed, the record-keeping requirements for EFTs include much more information that before, including the exchange rates used for the EFT and their source.
There is also a new requirement that requires REs to verify the identity of beneficiaries of EFTs of C$1,000 or more, which is a net new requirement. The third-party determination requirement in respect of EFTs that was proposed in the earlier draft of the Regulations has been removed.
The travel rule in the PCMLTFA requires those that are subject to it (financial entities, MSBs and casinos) to include with international EFTs the name, address and account number or other reference number of the client who requested it. REs are also required to take reasonable measures to ensure that any transfer that the RE receives also includes that information.
The Regulations now mandate the beneficiary’s name and address also be included in an international EFT and if applicable, the account number or other reference number, if any, of the beneficiary.
Equally important, the Regulations now address the “reasonable measures” requirement for REs in respect of EFTs received by them that do not contain the name, address and account number of the client who requested the EFT. In that regard, the Regulations now require REs that are subject to the travel rule to develop and apply risk-based policies and procedures for circumstances where despite reasonable measures, an international EFT received by a RE does not include the required information. Specifically, the Regulations provide that the REs’ policies should address whether the EFT received in these circumstances should be “suspended or rejected” and any follow-up measures that should be taken. While the Regulations frame this as only a policy requirement, because the language used in the Regulations speaks to whether the RE should “suspend or reject” the EFT (as opposed to “accept or reject” the EFT) FINTRAC may expect such EFTs to in fact be rejected, even though the statutory requirement is to only take reasonable measures to obtain the required information. REs should give this matter strong consideration when revising their compliance policies and practices.
Thankfully, the provisions of the draft regulations that applied the requirements of the travel rule to domestic transfers (other than SWIFT MT-103s) has been removed.
The requirements to report large cash transactions and EFTs are currently triggered where the transaction is for more than C$10,000 or where there have been smaller transactions over a 24-hour period that total C$10,000 or more that are conducted by, or on behalf of, the same person or entity. In these circumstances, the transactions will be deemed to be a “single transaction” and therefore reportable.
The new Regulations amend the “single transaction” rule. They also extend the rule to both casino disbursements and to the receipt of virtual currency.
The single transaction rule now provides that multiple transactions of less than C$10,000 made over a 24-hour period will be deemed to be a single transaction (and therefore reportable) where the RE knows that:
- For large cash transactions, large virtual currency transactions and EFTs initiated by an RE:
- The transactions are conducted or initiated by the same person or entity
- The transactions or requests are conducted or made on behalf of the same person or entity, or
- The amounts are for the same beneficiary.
- For EFTs received by an RE:
- The EFTs are initiated at the request of the same person or entity, or
- The amounts are for the same beneficiary.
- For casino disbursements:
- The disbursements are requested by the same person or entity
- The disbursements are received by the same person or entity
- The disbursements are requested on behalf of the same person or entity, or
- The disbursements are received on behalf of the same person or entity.
REs will need to make further inquiries of their clients and adjust their monitoring systems to ensure that the increased scope of the single transaction requirements is addressed.
Prepaid Payment Products
As anticipated, the Regulations now expressly regulate prepaid cards issued by financial entities and life insurance companies. The Regulations parallel those that apply to regular accounts and include record-keeping and client identity requirements, as well as politically exposed person (PEP) and third-party determination requirements.
The new definitions of “prepaid payment product account” and “prepaid payment product” are broadly drafted. The effect is that the Regulations will apply to any prepaid payment product that is tied to an account that permits funds or virtual currency that total C$1,000 or more to be added to the account in a 24-hour period or a balance of funds or virtual currency of C$1,000 or more to be maintained in the account. It should be noted that it is not the balance of the prepaid product that is relevant in determining whether it will be subject to the Regulations but rather, the balance in the account that is connected to a prepaid payment product. Given that many prepaid programs are structured with one pooled account that funds the prepaid cards issued under the program, a large majority of prepaid products, even though they themselves may not allow for balance of C$1,000 or more to be maintained, will be caught by these requirements.
The Regulations exclude from their scope those prepaid products where the underlying account can only be funded by a public body or by a registered charity that is providing humanitarian aid, a much more limited exemption than was proposed by stakeholders. Also excluded are prepaid products that access a credit or debit account or that are issued for use only with particular merchants , many corporate-funded promotional programs will now be caught by the Regulations.
Required records for prepaid products include: the name of the account holder/authorized user and the nature of their principal business/occupation and, for individuals, their date of birth. Also required to be maintained are all account applications, foreign currency transaction information, international EFT information (where EFTs are sent or received through the prepaid product), prepaid payment product slips, corporate records, and virtual currency records (where virtual currency is involved). Because many programs distribute their prepaid cards through retail locations, the extensive record-keeping requirements may prove challenging. Affected REs will need to work training programs into their compliance programs and systems will need to be programmed to capture the new required records and information.
In addition to the required records, there are accompanying identity requirements for individuals, corporations and other entities for whom prepaid product accounts are opened, including for authorized users, and for those who make a payment of C$1,000 or more to a prepaid product account. REs are also required to make PEP determinations in respect of any person who makes a payment of C$100,000 or more to a prepaid product account and on a periodic basis for holders and authorized users of prepaid products and prepaid product accounts.
“Authorized users” are defined in the Regulations as persons who are authorized by the holder of a prepaid payment product account to have electronic access to funds or virtual currency available in the account by means of a prepaid payment product that is connected to it.
Although these requirements are only drafted to apply to financial entities and life insurance companies that issue prepaid products, given how prepaid programs are structured, this will have trickle-down ramifications for everyone involved in the prepaid industry including program managers, processors and retailers.
There have been some refinements to the credit card requirements of the Regulations that will be impactful to financial entities that issue credit cards.
The requirements to collect information now apply to “account holders” as opposed to “clients” and accounts opened in the name of clients. As a result, financial entities are now required to collect information for every “account holder” including for business accounts and information about persons authorized to provide instructions in respect of the account.
There are also requirements to maintain foreign currency transaction tickets for foreign currency exchange transactions connected to the account as well as EFT records for international EFTs transferred to or from the credit card.
In respect of foreign currency exchange transactions, these are defined in the Regulations as “the exchange of one fiat currency for another”. Likely this is not intended to capture purchases made by a credit card holder of goods and services in a currency other than the currency of the issued card. If it is intended to address cash advances of foreign currency requested by cardholders in a foreign country, it is difficult to understand how the RE is to obtain the information required to retain a foreign currency transaction ticket given that they are not involved in the cash advance. As a result, it is likely that foreign currency cash advances will be limited by REs so that the more onerous requirements of the Regulations are not triggered.
In addition to regulating those who deal in virtual currency as MSBs (discussed below), there are numerous changes peppered throughout the Regulations that apply to all REs in respect of virtual currency transactions. While the reporting requirements for virtual currency transfers proposed in the draft regulations have been removed, there still remain numerous requirements in respect of virtual currency transactions.
As a starting point, the definition of a “virtual currency” has changed from the one set out in the draft Regulations. In that regard, a “virtual currency” is now defined as:
- A digital representation of value that can be used for payment or investment purposes, that is not a fiat currency and that can be readily exchanged for funds or for another virtual currency that can be readily exchanged for funds; or
- A private key of a cryptographic system that enables a person or entity to have access to a digital representation of value referred to in paragraph (a).
This definition now includes representations of value for “investment purposes”, which may extend to certain types of initial coin offerings. In addition, the inclusion of private keys as a second part of the definition will extend to those that host digital wallets. This definition is also relevant in that those that deal in “virtual currency” (as defined) will now be considered to be MSBs. This is discussed in more detail below.
REs will be required to maintain “large virtual currency transaction records” for every amount of C$10,000 or more received in a “single transaction” (discussed above), unless received by another financial entity or public body or a person who is acting on behalf of a client that is a financial entity or public body. A “large virtual currency transaction record” is similar to a large cash transaction record and is to contain certain prescribed information including: the name and address of every person involved in the transaction, including the nature of their principal business/occupation and their date of birth, the type and amount of virtual currency involved in the receipt, the exchange rates used and their source, the number of every account affected by the transaction, the type of account and the name of each account holder, and every transaction identifier.
There is also an accompanying requirement to report such transactions to FINTRAC and to determine if the person from whom the virtual currency is received is acting on behalf of a third party.
Other required records include virtual currency exchange transaction records where virtual currency is exchanged, at the request of another person or entity, for funds or where funds are exchanged into virtual currency. These records include (for transactions of more than C$1,000) a record to be maintained of the name and address of the person requesting the exchange, the nature of their principal business/occupation/date of birth, the method by which payment is made and received, the type and amount of funds and virtual currencies involved, the exchange rates used and their source, and every transaction identifier, including the sending and receiving address.
There are also required records where REs transfer C$1,000 or more in virtual currency and where they receive C$1,000 or more in virtual currency for remittance to a beneficiary.
In addition to the record-keeping and reporting requirements, there are identity verification requirements for transactors in respect of large virtual currency transaction (C$10,000 or more), and where a person or entity requests a transfer of an amount of C$1,000 or more in virtual currency. There are also identity verification requirements for beneficiaries of virtual currency transfers of C$1,000 or more.
Where a RE has a client that requests a transfer of virtual currency of C$100,000 or more or is a beneficiary of virtual currency of C$100,000 or more, the PEP determination requirements will also apply.
The foregoing requirements do not apply to a transfer of virtual currency that is obtained as part of “mining” or a transfer or exchange of a nominal amount for the purposes of validating another transaction or transfer of information.
In light of the comprehensive provisions in respect of virtual currency, those REs that are involved in this line of business will be required to ramp up their compliance policies and procedures to address these new requirements.
In a positive development, the identity verification requirements have been somewhat modernized to (hopefully) make them less onerous and allow regulated entities to utilize new and innovative fintech products to verify identity. In that regard, there is no longer a requirement for an identity document relied upon to be “original”. Instead, a RE will be entitled to rely on an identity document where it is “valid, authentic and current”. As such, this will allow for identity verification for documents presented by way of electronic means (provided that they can be “authenticated”). This provision came into force on June 25, 2019 and is the only provision in the Regulations that has immediate effect.
Other changes to the identity verification requirements are as follows:
- For credit file verification (single source) the credit file information must now be derived from more than one source. This is a new requirement where there is a reliance on credit reports as a single source and REs will need to change their practices accordingly.
- There is now an allowance to use a prepaid product account for a dual source method.
- For the dual source method, a few more qualifications have been added.
Specifically, where a RE is relying on a credit report as part of a dual source (where it does not qualify as a single source) the credit file must have been in existence for at least six months. Additionally, the person or entity that is verifying the information cannot be a source. This becomes difficult to operationalize where credit reports have tradelines that include the RE that is verifying identity. There is related FINTRAC guidance that draws a distinction between the credit bureau being a source and the underlying trade line supplier being a source, but this issue is not really addressed in the Regulations.
Politically Exposed Persons
The Regulations add some new requirements in respect of PEPs. As noted previously, in addition to the current requirements, PEP determinations will also be required to be undertaken for (i) the opening of a prepaid product account; (ii) authorized users of prepaid products; (iii) persons who request a transfer of C$100,000 or more in virtual currency; and (iv) persons who make payments of C$100,000 or more to prepaid product accounts. In addition, life insurance companies will also be required to undertake a PEP determination in respect of beneficiaries to whom they remit an amount of C$100,000 or more over the duration of an immediate or deferred annuity or life insurance policy.
In addition, the following are net new requirements that apply to PEPs:
- There is now an additional requirement to obtain the “source of wealth” of a PEP
- For PEPs that fall within the category of “heads on international organizations”, such persons will continue to be treated as PEPs for a period of five years, after which they hold the position that made them a PEP.
Life Insurance Companies
The Regulations add some additional requirements in respect of life insurance companies. Specifically, the requirements that apply to financial entities will now apply in the life insurance sector where a life insurance company makes loans or issues prepaid payment products. Unlike the previous draft of the Regulations, the current draft now carves out the following types of loans from the application of the PCMLTFA:
- Certain types of loans made by the insurer to a policy holder in respect of a terminal illness
- Loans to the policy holder for the purpose of funding the life insurance policy
- Advance payments to which the policy holder is entitled.
As such, life insurance companies will need to make the proper modifications to their policies and procedures to capture these types of products.
As noted above, life insurance companies will also be subject to PEP determination requirements in certain circumstances.
Treatment of Trusts
There are a few new provisions in the Regulations in respect of trusts and their treatment. In a welcome change, the exceptions to record keeping and identity verification that currently only apply to, among others, large public corporations, have now been extended to apply to public trusts (on prescribed stock exchanges) which have net assets of C$75-million or more and which operate in a Financial Action Task Force member country.
In respect of widely held or publicly traded trusts that do not qualify for this exemption, there is a new requirement to determining the beneficial ownership of such trusts. Specifically, the Regulations require that for widely held or publicly traded trusts, a RE is required to obtain the name of all trustees, and the names and addresses of all persons who own or control, directly or indirectly, 25 per cent or more of the units of the trust.
In addition to the changes noted above in respect of publicly traded trusts, there are some other modifications that have been made to the beneficial ownership requirements. For domestic and foreign MSBs there is an expanded list of circumstances where the MSB is required to determine beneficial ownership, beyond the previous “ongoing services agreement” requirement. The list is meant to expand the type of service agreements that will trigger the requirement to ascertain beneficial ownership and includes ongoing international electronic funds transfer agreements and service agreements to redeem money orders.
In addition, the requirement to take reasonable measures to confirm the accuracy of beneficial ownership information is now required not only when the information is first obtained but also in the course of ongoing monitoring. FINTRAC has explained that this provision is meant to address circumstances where there is a change in the beneficial ownership information in the course of a client relationship that is identified as part of the ongoing monitoring process. In this respect, where the beneficial ownership information in fact changes, there is a requirement to confirm that the new information is accurate. It is hoped that once all the Canadian corporate statutes are amended to require corporations to keep beneficial ownership records, these requirements will prove less challenging. For more information, please see our November 2018 Blakes Bulletin: Beneficial Ownership: New Developments.
Money Services Businesses
The Regulations, as expected, modify the money services business provisions and now differentiate between domestic and foreign MSBs. As a result of these new categories of MSB, it is likely that MSBs without a Canadian presence will need to de-register with FINTRAC and register again as foreign MSBs. Although the requirements that apply to foreign and domestic MSBs are similar, they are not the same and foreign MSBs will need to be cognizant of the requirements of the Regulations as they apply to their Canadian customers.
In addition to this significant change, the definition of an MSB has been expanded to include those that deal in “virtual currency”. As such, operators of digital currency platforms, digital wallet providers and those that provide transfer services in respect of digital currency, will be required to be registered with FINTRAC and be subject to the MSB obligations under the PCMLTFA.
In respect of the definition of a foreign MSB under the PCMLTFA, foreign MSBs are defined in the Regulations as persons or entities that do not have a place of business in Canada but direct prescribed services to persons or entities in Canada. The prescribed services include:
- Foreign exchange dealing
- Remitting or transmitting funds
- Issuing or redeeming money orders, traveller’s cheques and other negotiable instruments
- Dealing in virtual currencies.
It should be noted that an entity will not necessarily be considered a foreign MSB if it passively provides services to persons in Canada. Rather, in order to fall within the definition of a foreign MSB the MSB is required to direct its services to persons in Canada. While what is viewed as “directing” services to persons in Canada will ultimately be a matter of FINTRAC guidance, advertising in Canada and having a Canadian URL are the types of factors that FINTRAC will likely look to in making this type of determination. On a positive note, it is hoped that this new definition will move FINTRAC from its current view that the existence of a simple bank account in Canada in and of itself is enough to trigger a MSB registration requirement.
As previously noted, the change in international EFT reporting requirements will likely have the most significant effect on the MSB sector, as many MSBs are structured so that financial entities are the REs that are ultimately required to do the reporting.
For domestic MSBs, the reporting requirements now include:
- The receipt from a person or entity of C$10,000 or more in cash
- The initiation of international EFTs of C$10,000 or more
- The final receipt of an international EFT of C$10,000 or more
The initiation of an international EFT of C$10,000 or more if the MSB also finally receives the EFT
- The final receipt of an international EFT of C$10,000 or more if the MSB also initiated the EFT
- The receipt from a person or entity of an amount of C$10,000 or more in virtual currency.
Foreign MSBs have similar but different reporting requirements that revolve around transactions with Canadians. Foreign MSBs are required to report to FINTRAC the following transactions:
- The receipt from a person or entity in Canada of C$10,000 or more in cash
- The initiation, at the request of a person or entity in Canada, of an EFT of C$10,000 or more, if the EFT is sent or is to be sent from one country to another
- The final receipt of an EFT of C$10,000 or more if the EFT was sent from one country to another and the beneficiary is in Canada
- The initiation at the request of a person or entity in Canada, of an international EFT if the foreign MSB is to also finally receive the EFT
- The final receipt of an international EFT if the foreign MSB also initiated the EFT and the beneficiary is in Canada
- The receipt from a person or entity in Canada of C$10,000 or more in virtual currency.
As illustrated by the above reporting requirements, the obligations imposed on foreign MSBs go beyond those imposed on domestic MSBs. Specifically, foreign MSBs are required to report to FINTRAC transactions where Canadians are involved regardless if the funds or the instructions to transfer funds involve Canada. As such, by way of example, a foreign MSB will be required to report transactions where a Canadian asks for funds to be transferred from the United States to the U.K. where Canada is not involved in the transaction. This will likely require extensive system modifications by foreign MSBs and may be difficult to operationalize, especially when the Canadian person is not transacting online. It is hoped that FINTRAC will provide by way of guidance, more information of what is expected by foreign MSBs in this context.
For those persons or entities that are MSBs as a result of dealing in virtual currency, all the above noted requirements under the virtual currency heading will apply.
Reasonable Measures: The existing regulations have many provisions that require REs to take “reasonable measures” to obtain certain information. Recent amendments have also required REs to maintain records of the reasonable measures that they have taken. Recognizing that these requirements have been particularly onerous, they have been removed.
Definitions and Record Keeping: There are changes to certain definitions in the Regulations including to the definitions of “large cash transaction records”, “foreign currency exchange transaction tickets”, and “deposit slips”. The effect of these changes will require REs to collect much more information in respect of these types of records than was previously the case. The record-keeping requirements have been similarly expanded, requiring more extensive information in respect of foreign exchange transactions, where a client redeems a negotiable instrument, and where an RE transmits, receives or is an intermediary in respect of an EFT.
Regulatory Schedules: All the reporting schedules have been expanded to provide more data fields. REs should review the reporting schedules closely to ensure they are able to operationalize the requirements.
The next two years will likely prove busy for all REs to prepare for these changes.