|
|
Guideline 4: Implementation of a Compliance RegimeNovember 2003This replaces the previous version of Guideline 4: Implementation of a Compliance Regime issued in May 2002. The changes made are indicated in the right margin of the PDF version. The changes include information based on amendments to Regulations that took effect in November 2003. Table of Contents
APPENDIX 1: Reporting, Record Keeping, Client Identification and Third Party Determination Requirements by Reporting Person or Reporting Entity Sector The following appendices present summaries of reporting, record keeping, client identification and third party determination requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act) and associated Regulations.
Back to the guidelines menu The objective of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act) is to help detect and deter money laundering and the financing of terrorist activities. It is also to facilitate investigations and prosecutions of money laundering and terrorist activity financing offences. This includes implementation of reporting, record-keeping, client identification and compliance regime requirements for the persons or entities described in Section 2. If you are one of these persons or entities, this guideline has been prepared to help you implement your compliance regime to meet your reporting, record-keeping and client identification obligations. It uses plain language to explain the most common situations under the Actas well as the related Regulations. It is provided as general information only. It is not legal advice, and is not intended to replace the Act and Regulations. For more information about money laundering, terrorist financing or other requirements under the Act and Regulations, see the guidelines in this series:
If you need more help after you read this or other guidelines, call FINTRACs national toll-free enquiries line at 1-866-346-8722. Back 2. Who Has to Implement a Compliance Regime?2.1 Financial Entities If you are a financial entity, such as a bank, credit union, caisse populaire, trust company, loan company or an agent of the Crown that accepts
deposit liabilities, you have to implement a compliance regime to
comply with your reporting, record-keeping and client identification
requirements. If you are a life
insurance company, broker or independent agent, you have to
implement a compliance regime to comply with your reporting, record-keeping and
client identification requirements. If you are provincially authorized to engage in the business of dealing in securities, portfolio management or investment counselling, you have to implement a compliance regime to comply with your reporting, record-keeping and client identification requirements. If you are an employee of a person or entity who is also subject to these requirements, your employer is responsible for the compliance regime. For example, if you are an employee of an entity engaged in the business of dealing in securities, the compliance regime requirement is the responsibility of the entity. Similarly, if you are an agent of (or you are authorized to act on behalf of) a person or entity who is also subject to these requirements, that other person or entity is responsible for the compliance regime. 2.4 CasinosIf you are a casino authorized to do business in Canada, you are required to implement a compliance regime if roulette or card games are carried on in your establishment, or if your establishment has a slot machine. In this context, a slot machine does not include a video lottery terminal. If you are a registered charity, you may be authorized to do business only temporarily as a casino for charitable purposes. If this is your situation and you carry on business in the casino for two consecutive days or less under the supervision of the casino, you are not required to implement a compliance regime. If you are the supervising casino (i.e., the permanent establishment in which a charity casino operates), you remain responsible for the compliance regime, as well as the reporting and record keeping requirements under the Act and Regulations. 2.5 Real Estate Brokers or Sales RepresentativesIf you are a real estate broker or sales representative, you are required to implement a compliance regime if you engage in any of the following activities on behalf of any person or entity in the course of a real estate transaction:
If you are an employee of a person or entity who is also subject to these requirements, your employer is responsible for the compliance regime. For example, if you are a sales representative who is an employee of a real estate broker, the compliance regime requirement is the responsibility of the broker. Similarly, if you are an agent of (or you are authorized to act on behalf of) a person or entity who is also subject to these requirements, that other person or entity is responsible for the compliance regime. 2.6 Agents of the Crown that Sell or Redeem Money OrdersIf you are a government department or an agent of the Crown (i.e., an agent of her Majesty in right of Canada or of a province), you are required to implement a compliance regime if you sell or redeem money orders. If you accept deposit liabilities in the course of providing financial services to the public, such as a provincial savings office, you are considered a financial entity (see Section 2.1). 2.7 Foreign Exchange DealingIf you are a person or entity engaged in the business of foreign exchange dealing, you have to implement a compliance regime to comply with your reporting, record-keeping and client identification requirements. If you are an employee of a foreign exchange dealer, it is your employer who is engaged in the business of foreign exchange dealing and therefore responsible for the compliance regime. If you are an agent of (or you are authorized to act on behalf of) a person or entity engaged in the business of foreign exchange dealing, that other person or entity is responsible for the compliance regime for the relevant activities. 2.8 Money Services BusinessesYou are a money services business if you are a person or entity engaged in the following business activities:
This includes alternative money remittance systems, such as Hawala, Hundi, Chitti, etc. This also include financial entities when they remit or transmit funds, issue or redeem money orders, travellers cheques or other similar negotiable instruments for anyone who does not hold an account with them. If you are a money services business, you have to implement a compliance regime to comply with your reporting, record-keeping and client identification requirements when you engage any of the business activities described above. This does not include redeeming cheques payable to a named person or entity. In other words, if you are only involved in cashing cheques made out to a particular person or entity, you are not subject to this requirement. If you are an employee of a money services business, it is your employer who is engaged in the business and therefore responsible for the compliance regime. If you are an agent of (or you are authorized to act on behalf of) another person or entity that is a money services business, that other person or entity is responsible for the compliance regime for the relevant activities that you perform on their behalf. 2.9 Accountants and Accounting FirmsIf you are an accountant or an accounting firm, you are required to implement a compliance regime if you engage in any of the following activities on behalf of any person or entity (other than your employer) or give instructions in respect of those activities on behalf of any person or entity (other than your employer):
You are also subject to this if you receive professional fees to engage in any of these accountant activities. These do not include audit, review or compilation work carried out according to the recommendations in the Canadian Institute of Chartered Accountants (CICA) Handbook. If you are an employee of a person or entity who is also subject to these requirements, your employer is responsible for the compliance regime. For example, if you are an accountant who is an employee of an accounting firm, the compliance regime requirement is the responsibility of the firm. Similarly, if you are an agent of (or you are authorized to act on behalf of) a person or entity who is also subject to these requirements, that other person or entity is responsible for the compliance regime. 3. What is a Compliance Regime?The implementation of a compliance regime is good business practice for anyone subject to the Act and its Regulations. A well-designed, applied and monitored regime will provide a solid foundation for compliance with the legislation. As not all persons and entities operate under the same circumstances, your compliance regime will have to be tailored to fit your individual needs. It should reflect the nature, size and complexity of your operations. If you are a member of an association within your sector of activity, you may wish to check with them to find out if any information sharing about any aspect of compliance regime implementation is available. You may also check with any regulatory body covering your sector in this regard. Your compliance regime should include the following, as far as practicable:
These four elements are key to any effective system of internal controls and are expanded upon in Section 4. 4.Basics of a Compliance Regime4.1 Appointment of the Compliance Officer The individual you appoint will be responsible for the implementation of your compliance regime. Your compliance officer should have the authority and the resources necessary to discharge his or her responsibilities effectively. Depending on your type of business, your compliance officer should report, on a regular basis, to the board of directors or senior management, or to the owner or chief operator. If you are a small business, the appointed officer could be a senior manager or the owner or operator of the business. If you are an individual, you can appoint yourself as compliance officer or you may choose to appoint another individual to help you implement a compliance regime. In the case of a large business, the compliance officer should be from a senior level and have direct access to senior management and the board of directors. Further, as a good governance practice, the appointed compliance officer in a large business should not be directly involved in the receipt, transfer or payment of funds. For consistency and ongoing attention to the compliance regime, your appointed compliance officer may choose to delegate certain duties to other employees. For example, the officer may delegate an individual in a local office or branch to ensure that compliance procedures are properly implemented at that location. 4.2 Compliance Policies and ProceduresAn effective compliance regime includes policies and procedures and shows your commitment to prevent, detect and address non-compliance. The formality of these policies and procedures depends on your needs. Generally, the degree of detail, specificity and formality of the regime varies according to the complexity of the issues and transactions you are involved in. It will also depend on your risk of exposure to money laundering or terrorist financing. For example, the compliance policies and procedures of a small business may be less formal and simpler than those of a bank. What is important for your compliance policies and procedures is that they are communicated, understood and adhered to by all within your business who deal with clients or any property owned or controlled on behalf of clients. This includes those who work in the areas relating to client identification, record keeping, and any of the types of transactions that have to be reported. They need enough information to process and complete a transaction properly as well as identify clients and keep records as required. They also need to know when an enhanced level of caution is required in dealing with transactions, such as those involving countries or territories that have not yet established adequate anti-money laundering regimes consistent with international standards. Information about this, including updates to the list of non-cooperative countries and territories issued by the Financial Action Task Force on Money Laundering is available from the "What's New?" section of FINTRACs Web site or at the following link: http://www.fintrac.gc.ca/publications/avs/2003-11-07_e.asp. Your compliance policies and procedures should incorporate, at a minimum, the reporting, record-keeping, and client identification requirements applicable to you. For more information about these, see Appendix 1 of this guideline for each sector of activity that you are involved in. For example, in the case of your reporting obligations relating to terrorist property or suspicions of terrorist financing, your policies and procedures should reflect the verification of related lists published in Canada. These are available on the Office of the Superintendent of Financial Institutions Web site at http://www.osfi-bsif.gc.ca, by referring to the Suppression of Terrorism link. Although directors and senior officers may not be involved in day-to-day compliance, they need to understand the statutory duties placed upon them, their staff and the entity itself. 4.3 Review of the Compliance Policies and ProceduresAnother component of a comprehensive compliance regime is a review of your compliance policies and procedures, as often as is necessary, to test their effectiveness. This will help evaluate the need to modify existing policies and procedures or to implement new ones. Your appointed compliance officer will play a key role in assessing the need for a review. Several factors could trigger this need, such as changes in legislation, non-compliance issues, or new services or products. If you are in a sector that is regulated at the federal or provincial level, the need for review of your compliance policies and procedures could also be triggered by requirements administered by your regulator. The review is to be conducted by an internal or external auditor, if you have one. The review by an internal or external auditor could include interviews, tests and samplings, such as the following:
The scope and the results of the review should be documented. Any deficiencies should be identified and reported to senior management or the board of directors. This should also include a request for a response indicating corrective actions and a timeline for implementing such actions. If you do not have an internal or external auditor, you can do a self-review. If feasible, this self-review should be conducted by an individual who is independent of the reporting, record-keeping and compliance-monitoring functions. This could be an employee or an outside consultant. The objective of a self-review is similar to the objectives of a review conducted by internal or external auditors. It should address whether policies and procedures are in place and are being adhered to, and whether procedures and practices comply with legislative and regulatory requirements. The scope and details of the review will depend on the nature, size and complexity of your operations. The review process should be well documented and should identify and note weaknesses in policies and procedures, corrective measures and follow-up actions. 4.4 Ongoing Compliance TrainingIf you have employees, agents or other individuals authorized to act on your behalf, your compliance regime has to include training. This is to make sure that all those who have contact with customers, who see customer transaction activity, or who handle cash in any way understand the reporting, client identification and record-keeping requirements. This includes those at the front line as well as senior management. In addition others who have responsibilities under your compliance regime, such as information technology and other staff responsible for designing and implementing electronic or manual internal controls should receive training. This could also include the appointed compliance officer and internal auditors. Standards for the frequency and method of training, such as formal, on-the-job or external, should be addressed. New people should be trained before they begin to deal with customers. All should be periodically informed of any changes in anti-money-laundering or anti-terrorism legislation, policies and procedures, as well as current developments and changes in money laundering or terrorist activity financing schemes particular to their jobs. Those who change jobs within your organization should be given training as necessary to be up-to-date with the policies, procedures and risks of exposure to money laundering or terrorist financing that are associated with their new job. The method of training may vary greatly depending on the size of your business and the complexity of the subject matter. The training program for a small business may be less sophisticated and not necessarily formalized in writing. When assessing your training needs, consider the following elements:
All businesses should consult, if possible, training material available through their associations. In addition, FINTRAC makes material available on its Web site that can provide help with training. For example, a simulation facility is available within the reporting section of FINTRACs Web site that can be used for training. You can use this to complete simulated electronic reports. 5. FINTRAC's Approach to Compliance MonitoringFINTRAC has a responsibility to ensure compliance with your legislative requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. To do this, FINTRAC can examine your compliance regime and records. FINTRAC may also periodically provide you with feedback about the adequacy, completeness and timeliness of the information you have reported. FINTRAC favours a co-operative approach to monitoring. The emphasis will be on working with you to achieve compliance. When compliance issues are identified, FINTRAC intends to work with you in a constructive manner to find reasonable solutions. If this is not successful, FINTRAC has the authority to refer non-compliance cases to the appropriate law enforcement agencies. FINTRACs compliance program will use risk management strategies to identify those most in need of improving compliance. Efforts will be focused on areas where there is greater risk of non-compliance and in which the failure to comply could have significant impact on the ability to detect and deter money laundering and terrorist financing. Finally, FINTRAC will work with other regulators at the federal and provincial levels to identify areas of common interest and address the potential for overlap in some areas of its responsibilities. In that context, FINTRAC will explore avenues for cost efficiencies, consistency of approach and information sharing. 6. Penalties for Non-ComplianceAs stated above, FINTRAC favours a co-operative approach to monitoring and to finding co-operative solutions. However, if this is not successful, FINTRAC has the authority to refer non-compliance cases to the appropriate law enforcement agencies. Failure to comply with your legislative requirements can lead to criminal charges against you if you are a person or entity described in Section 2. The following are some of the penalties:
These guidelines will be reviewed on a periodic basis. If you have any comments or suggestions to help improve them, please send your comments to the mailing address provided below, or by email to guidelines@fintrac.gc.ca. 8. How to Contact FINTRACFor further information on FINTRAC and its activities, and on implementing a compliance regime, please go to FINTRACs website (http://www.fintrac.gc.ca) or contact FINTRAC: Financial Transactions and Reports
Analysis Centre of Canada Toll-free: 1-866-346-8722 APPENDIX 1: Reporting, Record Keeping, Client Identification and Third Party Determination Requirements by Reporting Person or Reporting Entity Sector |
|