Written compliance policies and procedures must be developed and applied by all individuals and entities subject to the PCMLTFA and associated Regulations. This is an important component of your overall compliance program as it will guide your decisions and actions with respect to how you will comply with your legislative obligations.
Your compliance policies and procedures must be:
- written and should be in a form/format that is accessible to its intended audience;
- kept up-to-date (several factors could trigger the need to update, such as changes in legislation, non-compliance issues, new services or products, or the two year effectiveness review); and
- approved by a senior officer, if you are an entity.
FINTRAC expects that your written policies and procedures outline all obligations applicable to your business under the PCMLTFA and associated Regulations and the corresponding processes and controls you have put in place, including:
- when your obligation is triggered;
- the information that must be reported/recorded or considered;
- the procedures created by you to ensure that you fulfill the obligation; and
- the timelines associated to your obligations and methods of reporting (if applicable).
Your policies and procedures, at a minimum, should cover the following requirements:
- Compliance program requirements covering your (a) risk assessment activities, including the risk mitigation measures you use, (b) your written ongoing compliance training program and (c) your two-year effectiveness review activities, which consist of reviewing the three cornerstones of your compliance program, namely your policies and procedures, ongoing training and risk assessment.
- Know your client and other requirements where applicable: verifying client identity, politically exposed persons, heads of international organizations, their family members and close associates requirements, beneficial ownership, and third party determination.
- Ongoing monitoring and business relationship requirements, as well as the special measures you have implemented based on your risk assessment. Your special measures instructions must address:
- taking enhanced measures to verify the identity or confirm the existence of high risk clients;
- taking enhanced measures to keep client information up-to-date;
- taking enhanced measures to keep beneficial ownership information up-to-date;
- taking enhanced measures to conduct ongoing monitoring of business relationships for the purposes of detecting transactions that are required to be reported under section 7 of the PCMLTFA (i.e., Suspicious Transaction Reports); and
- taking any other enhanced measures to mitigate the risks identified.
- Record keeping requirements, including, but not limited to, retaining copies of suspicious transaction reports and casino disbursement reports and maintaining large cash transaction records.
- Transaction reporting requirements, including all applicable report types. These include the filing of suspicious transaction reports, terrorist property reports, large cash transactions reports, electronic fund transfer reports and casino disbursement reports.
You must also document how you will handle ministerial directives and transaction restrictions, which are targeted measures issued by the Minister of Finance to protect Canada’s financial system from being used for ML/TF purposes. You are not required to have a separate and distinct policy/procedure for this type of requirement. It is acceptable to detail how you will know or become aware that one has been issued and the process of what you will do when one is issued through your regular policies and procedures.
The level of detail in your policies and procedures depends on the size, structure and complexity of your business. It also depends on your level of exposure to ML/TF risks.
For example, the compliance policies and procedures of a small business may be less complex than those of a large business. It is important to note that, if your sector has an industry association or another governing body that has provided you with a generic set of policies and procedures, you must tailor them to your specific business and its inherent requirements (i.e. location, clientele, etc.).
The policies and procedures you develop will play a pivotal role in your compliance program as they set out the standards that employees, agents, and others authorized to act on your behalf must meet. They should be clearly communicated, understood and followed by all those authorized to act on your behalf, including employees, agents and any others that deal with clients, transactions or other activities.
For example, relevant employees need to know how to collect the required information to identify clients, keep records and report in accordance with the PCMLTFA and associated Regulations. Furthermore, relevant employees must know how to recognize, assess, escalate and report suspicious transactions.
All your policies and procedures should be easily accessible to the appropriate audience. It is important to note that FINTRAC will not only look at your policies and procedures, but will also focus on their completeness and will expect that you can demonstrate how they are effectively implemented during an examination.