
Guideline 4: Implementation of a Compliance Regime

November 2003

This replaces the previous version of Guideline 4: Implementation of a Compliance Regime issued in May 2002. The changes made are indicated in the right margin of the PDF version. 

The changes include information based on amendments to Regulations that took effect in November 2003. 

Table of Contents

  1. General
  2. Who Has to Implement a Compliance Regime?
    2.1 Financial Entities
    2.2 Life Insurance Companies, Brokers And Independent Agents
    2.3 Securities Dealers, Portfolio Managers and Investment Counsellors
    2.4 Casinos
    2.5 Real Estate Brokers or Sales Representatives
    2.6 Agents of the Crown that Sell or Redeem Money Orders
    2.7 Foreign Exchange Dealing
    2.8 Money Services Businesses
    2.9 Accountants and Accounting Firms
  3. What is a Compliance Regime?
  4. Basics of a Compliance Regime
    4.1 Appointment of the Compliance Officer
    4.2 Compliance Policies and Procedures
    4.3 Review of the Compliance Policies and Procedures
    4.4 Ongoing Compliance Training
  5. FINTRAC's Approach to Compliance Monitoring
  6. Penalties for Non-Compliance
  7. Comments?
  8. How to Contact FINTRAC

APPENDIX 1: Reporting, Record Keeping, Client Identification and Third Party Determination Requirements by Reporting Person or Reporting Entity Sector

The following appendices present summaries of reporting, record keeping, client identification and third party determination requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act) and associated Regulations.

Appendix 1A: Financial Entities
Appendix 1B: Life Insurance Companies, Brokers and Independent Agents
Appendix 1C: Securities Dealers
Appendix 1D: Casinos
Appendix 1E: Real Estate Brokers or Sales Representatives
Appendix 1F: Agents of the Crown That Sell or Redeem Money Orders
Appendix 1G: Foreign Exchange Dealers
Appendix 1H: Money Services Businesses
Appendix 1I: Accountants and Accounting Firms


1. General


The objective of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act) is to help detect and deter money laundering and the financing of terrorist activities. It is also to facilitate investigations and prosecutions of money laundering and terrorist activity financing offences. This includes implementation of reporting, record-keeping, client identification and compliance regime requirements for the persons or entities described in Section 2.

If you are one of these persons or entities, this guideline has been prepared to help you implement your compliance regime to meet your reporting, record-keeping and client identification obligations. It uses plain language to explain the most common situations under the Act as well as the related Regulations. It is provided as general information only. It is not legal advice, and is not intended to replace the Act and Regulations. For more information about money laundering, terrorist financing or other requirements under the Act and Regulations, see the guidelines in this series:


  • Guideline 1 : Backgrounder explains money laundering, terrorist financing, and their international nature. It also provides an outline of the legislative requirements as well as an overview of FINTRAC's mandate and responsibilities.
  • Guideline 2 : Suspicious Transactions explains how to report a suspicious transaction. It also provides guidance on how to identify a suspicious transaction, including general and industry-specific indicators that may help when conducting or evaluating transactions.
  • Guideline 3 : Submitting Suspicious Transaction Reports to FINTRAC explains when and how to submit suspicious transaction reports. There are two different versions of Guideline 3, by reporting method.
  • Guideline 4 : Implementation of a Compliance Regime explains the requirement for reporting persons and entities to implement a regime to ensure compliance with their obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and associated Regulations.
  • Guideline 5 : Submitting Terrorist Property Reports to FINTRAC explains when and how to submit terrorist property reports.
  • Guideline 6 : Record Keeping and Client Identification explains the requirement for reporting persons and entities to identify their clients and keep records. There are eight different versions of Guideline 6, by sector.
  • Guideline 7 : Submitting Large Cash Transaction Reports to FINTRAC explains when and how to submit large cash transaction reports. There are two different versions of Guideline 7, by reporting method.
  • Guideline 8 : Submitting Electronic Funds Transfer Reports to FINTRAC explains when and how to submit EFT reports.
  • Guideline 9 : Submitting Alternative to Large Cash Transaction Reports to FINTRAC explains when and how financial entities can choose the alternative to large cash transaction reports. This is only applicable to financial entities.

If you need more help after you read this or other guidelines, call FINTRAC's national toll-free enquiries line at 1-866-346-8722.


2. Who Has to Implement a Compliance Regime?
2.1 Financial Entities

If you are a financial entity, such as a bank, credit union, caisse populaire, trust company, loan company or an agent of the Crown that accepts deposit liabilities, you have to implement a compliance regime to comply with your reporting, record-keeping and client identification requirements.

When you remit or transmit funds, issue or redeem money orders, travellers cheques or other similar negotiable instruments for anyone who does not hold an account with you, you are considered to be a money services business. In this case, you have additional record keeping and client identification requirements.


2.2 Life Insurance Companies, Brokers And Independent Agents

If you are a life insurance company, broker or independent agent, you have to implement a compliance regime to comply with your reporting, record-keeping and client identification requirements.

If you are an employee of a person or entity who is also subject to these requirements, your employer is responsible for the compliance regime. For example, when life insurance agents are employees of a life insurance company, the compliance regime requirement is the responsibility of the life insurance company.

If you are a life insurance broker or independent agent (i.e., you are not an employee), you are responsible for your own compliance regime.


2.3 Securities Dealers, Portfolio Managers and Investment Counsellors

If you are provincially authorized to engage in the business of dealing in securities, portfolio management or investment counselling, you have to implement a compliance regime to comply with your reporting, record-keeping and client identification requirements.

If you are an employee of a person or entity who is also subject to these requirements, your employer is responsible for the compliance regime. For example, if you are an employee of an entity engaged in the business of dealing in securities, the compliance regime requirement is the responsibility of the entity.

Similarly, if you are an agent of (or you are authorized to act on behalf of) a person or entity who is also subject to these requirements, that other person or entity is responsible for the compliance regime.


2.4 Casinos

If you are a casino authorized to do business in Canada, you are required to implement a compliance regime if roulette or card games are carried on in your establishment, or if your establishment has a slot machine. In this context, a slot machine does not include a video lottery terminal.

If you are a registered charity, you may be authorized to do business only temporarily as a casino for charitable purposes. If this is your situation and you carry on business in the casino for two consecutive days or less under the supervision of the casino, you are not required to implement a compliance regime. If you are the supervising casino (i.e., the permanent establishment in which a charity casino operates), you remain responsible for the compliance regime, as well as the reporting and record keeping requirements under the Act and Regulations.


2.5 Real Estate Brokers or Sales Representatives

If you are a real estate broker or sales representative, you are required to implement a compliance regime if you engage in any of the following activities on behalf of any person or entity in the course of a real estate transaction:

  • receiving or paying funds;
  • depositing or withdrawing funds; or
  • transferring funds by any means.

If you are an employee of a person or entity who is also subject to these requirements, your employer is responsible for the compliance regime. For example, if you are a sales representative who is an employee of a real estate broker, the compliance regime requirement is the responsibility of the broker.

Similarly, if you are an agent of (or you are authorized to act on behalf of) a person or entity who is also subject to these requirements, that other person or entity is responsible for the compliance regime.


2.6 Agents of the Crown that Sell or Redeem Money Orders

If you are a government department or an agent of the Crown (i.e., an agent of Her Majesty in right of Canada or of a province), you are required to implement a compliance regime if you sell or redeem money orders.

If you accept deposit liabilities in the course of providing financial services to the public, such as a provincial savings office, you are considered a financial entity (see Section 2.1).


2.7 Foreign Exchange Dealing

If you are a person or entity engaged in the business of foreign exchange dealing, you have to implement a compliance regime to comply with your reporting, record-keeping and client identification requirements.

If you are an employee of a foreign exchange dealer, it is your employer who is engaged in the business of foreign exchange dealing and therefore responsible for the compliance regime. If you are an agent of (or you are authorized to act on behalf of) a person or entity engaged in the business of foreign exchange dealing, that other person or entity is responsible for the compliance regime for the relevant activities.


2.8 Money Services Businesses

You are a money services business if you are a person or entity engaged in the following business activities:

  • remitting or transmitting funds by any means through any person, entity or electronic funds transfer network; or
  • issuing or redeeming money orders, travellers cheques or other similar negotiable instruments.

This includes alternative money remittance systems, such as Hawala, Hundi, Chitti, etc. This also includes financial entities when they remit or transmit funds, issue or redeem money orders, travellers cheques or other similar negotiable instruments for anyone who does not hold an account with them.

If you are a money services business, you have to implement a compliance regime to comply with your reporting, record-keeping and client identification requirements when you engage in any of the business activities described above. This does not include redeeming cheques payable to a named person or entity. In other words, if you are only involved in cashing cheques made out to a particular person or entity, you are not subject to this requirement.

If you are an employee of a money services business, it is your employer who is engaged in the business and therefore responsible for the compliance regime. If you are an agent of (or you are authorized to act on behalf of) another person or entity that is a money services business, that other person or entity is responsible for the compliance regime for the relevant activities that you perform on their behalf.


2.9 Accountants and Accounting Firms

If you are an accountant or an accounting firm, you are required to implement a compliance regime if you engage in any of the following activities on behalf of any person or entity (other than your employer) or give instructions in respect of those activities on behalf of any person or entity (other than your employer):

  • receiving or paying funds;
  • purchasing or selling securities, real property or business assets or entities; or
  • transferring funds or securities by any means.

You are also subject to this if you receive professional fees to engage in any of these accountant activities. 

These do not include audit, review or compilation work carried out according to the recommendations in the Canadian Institute of Chartered Accountants (CICA) Handbook. 

If you are an employee of a person or entity who is also subject to these requirements, your employer is responsible for the compliance regime. For example, if you are an accountant who is an employee of an accounting firm, the compliance regime requirement is the responsibility of the firm.

Similarly, if you are an agent of (or you are authorized to act on behalf of) a person or entity who is also subject to these requirements, that other person or entity is responsible for the compliance regime.


3. What is a Compliance Regime?

The implementation of a compliance regime is good business practice for anyone subject to the Act and its Regulations. A well-designed, applied and monitored regime will provide a solid foundation for compliance with the legislation. As not all persons and entities operate under the same circumstances, your compliance regime will have to be tailored to fit your individual needs. It should reflect the nature, size and complexity of your operations.

If you are a member of an association within your sector of activity, you may wish to check with them to find out if any information sharing about any aspect of compliance regime implementation is available. You may also check with any regulatory body covering your sector in this regard.

Your compliance regime should include the following, as far as practicable:

  • the appointment of a compliance officer;
  • the development and application of compliance policies and procedures;
  • a review of your compliance policies and procedures to test their effectiveness; and
  • if you have employees or agents or any other individuals authorized to act on your behalf, an on-going compliance training program for them.

These four elements are key to any effective system of internal controls and are expanded upon in Section 4.


4. Basics of a Compliance Regime
4.1 Appointment of the Compliance Officer

The individual you appoint will be responsible for the implementation of your compliance regime. Your compliance officer should have the authority and the resources necessary to discharge his or her responsibilities effectively. Depending on your type of business, your compliance officer should report, on a regular basis, to the board of directors or senior management, or to the owner or chief operator.

If you are a small business, the appointed officer could be a senior manager or the owner or operator of the business. If you are an individual, you can appoint yourself as compliance officer or you may choose to appoint another individual to help you implement a compliance regime.

In the case of a large business, the compliance officer should be from a senior level and have direct access to senior management and the board of directors. Further, as a good governance practice, the appointed compliance officer in a large business should not be directly involved in the receipt, transfer or payment of funds.

For consistency and ongoing attention to the compliance regime, your appointed compliance officer may choose to delegate certain duties to other employees. For example, the officer may delegate an individual in a local office or branch to ensure that compliance procedures are properly implemented at that location.


4.2 Compliance Policies and Procedures

An effective compliance regime includes policies and procedures and shows your commitment to prevent, detect and address non-compliance.

The formality of these policies and procedures depends on your needs. Generally, the degree of detail, specificity and formality of the regime varies according to the complexity of the issues and transactions you are involved in. It will also depend on your risk of exposure to money laundering or terrorist financing. For example, the compliance policies and procedures of a small business may be less formal and simpler than those of a bank.

What is important for your compliance policies and procedures is that they are communicated, understood and adhered to by all within your business who deal with clients or any property owned or controlled on behalf of clients. This includes those who work in the areas relating to client identification, record keeping, and any of the types of transactions that have to be reported. They need enough information to process and complete a transaction properly as well as identify clients and keep records as required.

They also need to know when an enhanced level of caution is required in dealing with transactions, such as those involving countries or territories that have not yet established adequate anti-money laundering regimes consistent with international standards. Information about this, including updates to the list of non-cooperative countries and territories issued by the Financial Action Task Force on Money Laundering, is available from the "What's New?" section of FINTRAC's Web site or at the following link: http://www.fintrac.gc.ca/publications/avs/2003-11-07_e.asp.

Your compliance policies and procedures should incorporate, at a minimum, the reporting, record-keeping, and client identification requirements applicable to you. For more information about these, see Appendix 1 of this guideline for each sector of activity that you are involved in. For example, in the case of your reporting obligations relating to terrorist property or suspicions of terrorist financing, your policies and procedures should reflect the verification of related lists published in Canada. These are available on the Office of the Superintendent of Financial Institutions Web site at http://www.osfi-bsif.gc.ca, by referring to the Suppression of Terrorism link.

Although directors and senior officers may not be involved in day-to-day compliance, they need to understand the statutory duties placed upon them, their staff and the entity itself.


4.3 Review of the Compliance Policies and Procedures

Another component of a comprehensive compliance regime is a review of your compliance policies and procedures, as often as is necessary, to test their effectiveness. This will help evaluate the need to modify existing policies and procedures or to implement new ones.

Your appointed compliance officer will play a key role in assessing the need for a review. Several factors could trigger this need, such as changes in legislation, non-compliance issues, or new services or products. If you are in a sector that is regulated at the federal or provincial level, the need for review of your compliance policies and procedures could also be triggered by requirements administered by your regulator.

The review is to be conducted by an internal or external auditor, if you have one. The review by an internal or external auditor could include interviews, tests and samplings, such as the following:

  • interviews with those handling transactions and with their supervisors to determine their knowledge of the legislative requirements and your policies and procedures.
  • a review of the criteria and process for identifying and reporting suspicious transactions.
  • a sampling of large cash transactions followed by a review of the reporting of such transactions.
  • a sampling of international electronic funds transfers (if those are reportable by the reporting person or entity in question) followed by a review of the reporting of such transactions.
  • a test of the validity and reasonableness of any exceptions to large cash transaction reports including the required annual report to FINTRAC (this is applicable only for financial entities who choose the alternative to large cash transactions for certain business clients).
  • a test of the record-keeping system for compliance with the legislation.
  • a test of the client identification procedures for compliance with the legislation.

The scope and the results of the review should be documented. Any deficiencies should be identified and reported to senior management or the board of directors. This should also include a request for a response indicating corrective actions and a timeline for implementing such actions.

If you do not have an internal or external auditor, you can do a self-review. If feasible, this self-review should be conducted by an individual who is independent of the reporting, record-keeping and compliance-monitoring functions. This could be an employee or an outside consultant. The objective of a self-review is similar to the objectives of a review conducted by internal or external auditors. It should address whether policies and procedures are in place and are being adhered to, and whether procedures and practices comply with legislative and regulatory requirements.

The scope and details of the review will depend on the nature, size and complexity of your operations. The review process should be well documented and should identify and note weaknesses in policies and procedures, corrective measures and follow-up actions.


4.4 Ongoing Compliance Training

If you have employees, agents or other individuals authorized to act on your behalf, your compliance regime has to include training. This is to make sure that all those who have contact with customers, who see customer transaction activity, or who handle cash in any way understand the reporting, client identification and record-keeping requirements. This includes those at the front line as well as senior management.

In addition, others who have responsibilities under your compliance regime, such as information technology and other staff responsible for designing and implementing electronic or manual internal controls, should receive training. This could also include the appointed compliance officer and internal auditors.

Standards for the frequency and method of training, such as formal, on-the-job or external, should be addressed. New people should be trained before they begin to deal with customers. All should be periodically informed of any changes in anti-money-laundering or anti-terrorism legislation, policies and procedures, as well as current developments and changes in money laundering or terrorist activity financing schemes particular to their jobs. Those who change jobs within your organization should be given training as necessary to be up-to-date with the policies, procedures and risks of exposure to money laundering or terrorist financing that are associated with their new job.

The method of training may vary greatly depending on the size of your business and the complexity of the subject matter. The training program for a small business may be less sophisticated and not necessarily formalized in writing.

When assessing your training needs, consider the following elements:

  • Requirements and related liabilities
    The training should give those who need it an understanding of the reporting, client identification and record-keeping requirements as well as penalties for not meeting those requirements. For more information about this, see the other guidelines regarding each of those requirements applicable to you.
  • Policies and procedures
    The training should make your employees, agents, or others who act on your behalf aware of the internal policies and procedures for deterring and detecting money laundering and terrorist financing that are associated with their jobs. It should also give each one a clear understanding of his or her responsibilities under these policies and procedures.

    They need to understand how their institution, organization or profession is vulnerable to abuse by criminals laundering the proceeds of crime or by terrorists financing their activities. Training should include examples of how your particular type of organization could be used to launder illicit funds or fund terrorist activity. This should help them to identify suspicious transactions and should give you some assurance that your services are not being abused for the purposes of money laundering or terrorist financing. For example, employees should also be made aware that they cannot disclose that they have made a Suspicious Transaction Report, or disclose the contents of such a report, with the intent to prejudice a criminal investigation, whether it has started or not. They should also understand that no criminal or civil proceedings may be brought against them for making a report in good faith.

  • Background information on money laundering and terrorist financing
    Any training program should include some background information on money laundering so everyone who needs to can understand what money laundering is, why criminals choose to launder money and how the process usually works. They also need to understand what terrorist financing is and how that process usually works. For more information about this, see Guideline 1: Backgrounder and FINTRAC's website (http://www.fintrac.gc.ca).

All businesses should consult, if possible, training material available through their associations. In addition, FINTRAC makes material available on its Web site that can provide help with training. For example, a simulation facility is available within the reporting section of FINTRAC's Web site that can be used for training. You can use this to complete simulated electronic reports.


5. FINTRAC's Approach to Compliance Monitoring

FINTRAC has a responsibility to ensure compliance with your legislative requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. To do this, FINTRAC can examine your compliance regime and records. FINTRAC may also periodically provide you with feedback about the adequacy, completeness and timeliness of the information you have reported.

FINTRAC favours a co-operative approach to monitoring. The emphasis will be on working with you to achieve compliance. When compliance issues are identified, FINTRAC intends to work with you in a constructive manner to find reasonable solutions. If this is not successful, FINTRAC has the authority to refer non-compliance cases to the appropriate law enforcement agencies.

FINTRAC's compliance program will use risk management strategies to identify those most in need of improving compliance. Efforts will be focused on areas where there is greater risk of non-compliance and in which the failure to comply could have significant impact on the ability to detect and deter money laundering and terrorist financing.

Finally, FINTRAC will work with other regulators at the federal and provincial levels to identify areas of common interest and address the potential for overlap in some areas of its responsibilities. In that context, FINTRAC will explore avenues for cost efficiencies, consistency of approach and information sharing.


6. Penalties for Non-Compliance

As stated above, FINTRAC favours a co-operative approach to monitoring and to finding co-operative solutions. However, if this is not successful, FINTRAC has the authority to refer non-compliance cases to the appropriate law enforcement agencies.

Failure to comply with your legislative requirements can lead to criminal charges against you if you are a person or entity described in Section 2. The following are some of the penalties:

  • failure to report a suspicious transaction or failure to make a terrorist property report: conviction of this could lead to up to five years' imprisonment, to a fine of $2,000,000, or both.
  • failure to report a large cash transaction or an electronic funds transfer: conviction of this could lead to a fine of $500,000 for a first offence and $1,000,000 for each subsequent offence.
  • failure to retain records: conviction of this could lead to up to five years' imprisonment, to a fine of $500,000, or both.
  • failure to implement a compliance regime: conviction of this could lead to up to five years' imprisonment, to a fine of $500,000, or both.


7. Comments?

These guidelines will be reviewed on a periodic basis. If you have any comments or suggestions to help improve them, please send your comments to the mailing address provided below, or by email to guidelines@fintrac.gc.ca.


8. How to Contact FINTRAC

For further information on FINTRAC and its activities, and on implementing a compliance regime, please go to FINTRAC's website (http://www.fintrac.gc.ca) or contact FINTRAC:

Financial Transactions and Reports Analysis Centre of Canada
234 Laurier Avenue West, 24th floor
Ottawa, Ontario
Canada K1P 1H7

Toll-free: 1-866-346-8722



APPENDIX 1: Reporting, Record Keeping, Client Identification and Third Party Determination Requirements by Reporting Person or Reporting Entity Sector

   
Last Updated: 2006-05-30