Amendments to regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)
This guidance provides information about certain amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (the Regulations) which were made in June 2016. Please note that guidance relating to client identification and Politically Exposed Persons (PEP) and Heads of International Organizations (HIO) is already published on FINTRAC’s guidance webpage and are therefore not covered in this document. Some of the regulatory changes came into force in June 2016, while others will come into force in June 2017.
What changes were made?
The changes relate to the following:
- signature (in force June 2016);
- signature card (in force June 2016);
- the definition of:
- securities dealer (in force June 2016);
- casino (in force June 2017);
- affiliate (in force June 2016);
- client credit file (in force June 2017);
- elements that must be considered in your risk assessment:
- new technologies and developments (in force June 2017);
- risk resulting from the activities of affiliates (in force June 2017); and
- records you must keep of “reasonable measures” that you have taken (in force June 2017)
Why were these changes made?
The changes were made to clarify the type of client information that reporting entities must obtain and keep as part of the client due diligence process, to strengthen Canada’s Anti-money Laundering and Anti-Terrorist Financing Regime, to strengthen information sharing and to address technical issues.
What is a signature?
A signature can now include a handwritten signature or an electronic signature which is numeric, character-based, or even biometric, so long as it is unique to the client and a record of it can be kept. The definition of signature was amended in the Regulations to include an electronic signature as long as it is unique to an individual or entity. Prior to this amendment, a signature was limited to the handwritten form.
Why is this change being made?
This change provides increased flexibility in non-face-to-face situations, such as online account openings.
What is an example of an electronic signature?
An electronic signature can be a personal identification number (PIN), since it is unique to the individual client and used to authorize transactions and provide account access. Another example is a password for an online bank account.
What is NOT an electronic signature?
The electronic signature must be unique to the person or entity, so merely clicking on something like a “click to accept” button would not meet the requirement of “uniqueness” for an electronic signature.
How has the definition of signature card changed?
The definition of signature card was amended to include electronic data that constitutes the signature of a person. This change would be relevant for financial entities, securities dealers and casinos at account opening when they create a signature card.
Why has the definition of signature card changed?
The definition has changed as a result of the modification of the definition of signature, which now includes electronic signatures. The changes to the definition provide increased flexibility in non-face-to-face situations, such as online account openings.
What is an example of an electronic signature card?
An electronic signature card can be an electronic record of your client’s PIN. As another example, an electronic record of your client’s password to their online banking account is an electronic signature. The data for the PIN and password could be encrypted. FINTRAC would expect you to provide a record that demonstrates you have met the requirements of a signature card even if it is on a computer system (versus a physical copy). The electronic signature on a computer system does not need to be available in unencrypted format.
Definition of securities dealer
How has the definition of securities dealer changed?
The definition of securities dealer was changed to align with the definition in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act).
Why was the definition of securities dealer amended?
The definition of securities dealer in the Regulations was updated to align with the recently amended definition of securities dealer in the Act. The definition was amended to clarify that any broker employed by a securities dealer is not considered a reporting entity.
If you are a broker-dealer employed by and authorized to sell securities on behalf of a securities dealer firm such as XYZ Wealth Management, it is your employer, XYZ Wealth Management, that is considered to be the securities dealer according to the Regulations. Therefore, XYZ Wealth Management is the reporting entity in this example.
Definition of casino
How has the definition of casino changed?
The definition of casino in the Regulations has been amended to clarify who is the reporting entity under the Act when it relates to casino or lottery schemes for which they are legally responsible. A lottery scheme is a term used in Canada’s Criminal Code which can generally be defined as anything related to casino games or betting.
The Regulations refer to the term ‘conduct and manage’ to identify the entity legally responsible for the gaming activities at a casino. The revised definition is now in line with the Criminal Code terminology that sets out who can oversee, carry out or license out the gaming activities. The entities that conduct and manage, as authorized by the Criminal Code, must do so in line with the provincial legislation on gaming.
In Canada, the provincial and territorial governments delegate legal responsibility to entities that can conduct and manage the gaming activities at a casino. The reporting entity subject to the Act, is the entity that is authorized by the province to conduct and manage a casino.
In some cases, the entity that conducts and manages a casino is not necessarily the same person or entity that operates the casino activities on a day-to-day basis.
A provincial entity that conducts and manages a casino, such as a lottery corporation, has obligations under the Act when the casino is:
- located at a fixed place of business that includes games of roulette or card games; or
- located at a fixed place of business, where there are more than 50 slot machines or similar electronic games in the establishment.This could include a place of business such as a restaurant that has these electronic gaming machines; or
- accessible to the public through the Internet or another digital network.This does not include an entity if it is solely offering online bingo or the sale of lottery tickets.
It should be noted that if a provincial lottery corporation has been delegated the conduct and manage authority by the province, and that it then further delegates its reporting obligations to another entity, the lottery corporation remains the reporting entity responsible for ensuring compliance with the Act.
Why was the definition of casino amended?
The definition of casino was updated in both the Act and the Regulations to align with the conduct and manage provisions outlined in the Criminal Code. It was also amended to clarify that online casinos are subject to the Act.
Examples of casinos as defined in the Regulations
- A provincial government entity that conducts and manages a casino in a fixed place of business, and has 51 electronic gaming machines.
- A charitable organization that conducts and manages a casino in a fixed place of business for more than two days. The casino has, among other activities, games of roulette and card games.
- The board of a fair that decides to open their community fair year-round, if they conduct and manage two games of roulette and card games in a permanent establishment, i.e. a fixed place of business.
- A provincial casino that offers online slot and table games, such as poker and roulette, which are accessible from any network or the internet.
Casino client identification
Under the changes relating to casinos, the language of the obligation was changed so that you now must ascertain the identity of every person for whom a signature card is created in respect of an account that your casino opens.
The timing of when the obligation must be fulfilled was also changed. Now you must identify every person for whom a signature card is created before any funds are disbursed from the account. For example, a client has to be identified before an online casino can disburse funds to that client.
Definition of affiliate
How has the definition of affiliate changed?
Previously there were two definitions of affiliate. The Regulations have been revised to include just one definition, as follows: an entity is affiliated with another entity if one wholly owns the other, if both are wholly owned by the same entity, or if their financial statements are consolidated.
The reporting entities required to consider their affiliates are those referred to in paragraphs 5(a) to (g) of the Act, which include banks, credit unions, caisses populaires, financial services cooperatives, credit union centrals, trust and/or loan companies, life insurance companies regulated by provincial legislation, or a life company or foreign life company to which the Insurance Companies Act applies, and securities dealers.
What are some examples of affiliates?
The following are examples of affiliated entities:
- if ABC life insurance company wholly owns XYZ life insurance company, then ABC company and XYZ company are affiliated;
- if Bank D and securities dealer ABC are both owned by Bank E, then Bank D, securities dealer ABC, and Bank E are all affiliated; and
- if the financial statements of one bank are consolidated with those of another bank, then these two banks are affiliated with one another.
Client credit file
Financial entities must keep a record of every client credit file they create in the course of normal business.
How has the definition of client credit file changed?
The definition of client credit file has been repealed from the Interpretation section of the Regulations. Record keeping obligations now specifically set out what information must be collected when entering into a credit arrangement with a client.
What specific information are you required to keep?
You are required to keep the following information with respect to a credit arrangement that you have entered into with a client:
- a record of your client’s financial capacity;
- the terms of the credit arrangement; and
- if your client is a person, the address of their business or place of work.
Please note that it continues to be a good practice to also keep a record of the name of the business or place of work.
Elements that must be considered in your risk assessment
Developments relating to new technologies and their impact
As part of your compliance program, you have to assess and document your exposure to the risk of money laundering offences or terrorist activity financing offences. You will also have to consider money laundering or terrorist financing risks that may arise because of new products and new business practices, including new delivery channels, and the use of new or developing technologies for both new and existing products.
Why was this requirement added?
The requirement was added to ensure that reporting entities are aware of the money laundering and terrorist financing vulnerabilities posed by implementing new technologies, in order for them to mitigate the risk. This regulatory requirement was added to strengthen Canada’s Anti-Money Laundering and Anti-Terrorist Financing Regime and bring it in line with international standards.
Consideration of affiliates – financial entities, life insurance companies, securities dealers
Risk-based assessments relating to your affiliates
As part of the compliance program, financial entities, life insurance companies and securities dealers will have to consider any risk resulting from the activities of:
- an entity that is affiliated with them and that is a financial entity, life insurance company, or securities dealer;
- a foreign entity that is affiliated with them and that carries out financial entity, life insurance company, or securities dealer activities.
The implementation of new technology and the activities of affiliates should be included as part of the overall risk-based approach.
Keep a record of any “reasonable measures” you have taken
What are reasonable measures?
The term “reasonable measures” refers to activities you are expected to undertake in order to meet certain obligations. The Regulations explicitly state when you must take reasonable measures to meet an obligation. For example, every person or entity that is required to keep a large cash transaction record must take reasonable measures to determine whether or not an individual is acting on behalf of a third party when conducting a large cash transaction, and then keep a record of that information. If, even after taking reasonable measures, certain information cannot be determined, gathered or confirmed; you have met the obligation.
It should be noted that reasonable measures must not be confused with, and do not apply to data elements that are mandatory, that is, where information must be obtained before the transaction or activity can be completed. For example, if you are unable to obtain the name of the conductor in a large cash transaction, then that transaction cannot be completed.
Documenting reasonable measures
The Regulations have been changed to require that a record be kept when reasonable measures were taken, but were unsuccessful. A reasonable measure is unsuccessful when you do not obtain a response, such as a yes or no and you are unable to make a conclusive determination. When reasonable measures are unsuccessful, you must record the following information:
- the measure(s) taken;
- the date on which the measure(s) was taken; and
- the reason why the measure(s) was unsuccessful.
You must outline the reasonable measures that you take in your compliance policies and procedures.
Examples of documenting reasonable measures when they are unsuccessful:
- If you, as a casino, are making a disbursement to a person and you ask if the person is receiving the funds on behalf of a third party and the individual refuses to answer yes or no.You would need to record that you asked the person, the date you asked and the fact that the person refused to answer.
- If you have already asked, and know that a foreign bank will not provide information on a client ordering an EFT to be received in Canada, you may document this once for all the transactions related to this foreign bank to demonstrate that reasonable measures were taken. In other words, you do not need to document this for every single EFT. However, as part of the underlying obligation to take reasonable measures, you are expected to follow up with the foreign bank periodically to see if you are able to obtain information on the client ordering the EFT.
You are required to assess any potential threats and vulnerabilities to money laundering and terrorist financing to which your business is exposed. You should consider a client’s refusal to provide, or your inability to obtain certain information as part of your overall assessment of client risk. Even if you have met your obligation to obtain information based on reasonable measures, the refusal or unwillingness to provide information may form part of your reasonable grounds to suspect that a transaction is related to a money laundering or terrorist financing offence and therefore, a Suspicious Transaction Report (STR) may be required to be submitted to FINTRAC.
Retention: You must keep records of your unsuccessful reasonable measures for at least five years following the date they were created.