A two-year effectiveness review is an evaluation that is conducted every two years (at a minimum) to test the effectiveness of the elements of your compliance program: policies and procedures, risk assessment and ongoing training program. The review must be started no later than 24 months from the start of the previous review and completed prior to the start of the next review.
The review must be designed to allow for the identification and documentation of any gaps and weaknesses within your compliance program, to ensure that your business is effectively detecting and preventing money laundering and terrorist financing (ML/TF).
In the case of your policies and procedures and ongoing training program, a review is required to assess whether you are effectively meeting your requirements under the PCMLTFA and associated Regulations.
In the case of your risk assessment, a review is required to determine whether your risk assessment is effective at identifying and mitigating the risks of ML/TF as they relate to your clients, affiliates, products, services, delivery channels and the geographic locations where you do business.
The methods and scope used to test the effectiveness of your compliance program will depend on the nature, size and complexity of your business and must be documented as part of your review. The review should consider the completeness of all the components of your compliance program in addition to their effectiveness.
The findings, frequency and timing of your review must be sufficiently documented, and the documentation must identify the root cause of any deficiencies the review finds. If changes are necessary and could impact your compliance policies and procedures, risk assessment or training program (such as changes to your business model or the introduction of new products or services), you should ensure that all your compliance documents are up to date before your next planned review.
If your business is regulated at the federal or provincial level, your review may be triggered by requirements determined by your regulator.
When conducting the review, you will have to determine the design and application of testing and sampling as part of your methods.
Examples of what can be included in your review:
- Interviews with those handling transactions to evaluate their knowledge of your policies and procedures and related record keeping, client identification and reporting obligations.
- A review of your criteria and process for identifying and reporting suspicious transactions.
- A sample of your account opening records followed by a review to ensure that your client identification policies and procedures are being followed.
- A sample of large cash transactions followed by a review of the reporting of these transactions.
- A sample of electronic funds transfers followed by a review of the reporting of these transactions.
- A sample of your clients followed by a review to see if the risk assessment was applied correctly.
- A sample of your clients followed by a review to see if the frequency of your ongoing monitoring is adequate.
- A sample of high-risk clients followed by a review to ensure that enhanced mitigation measures were taken.
- A review of a sample of your records to ensure proper record keeping procedures are being followed.
- A review of your risk assessment to ensure it reflects your current operations.
- A review of your policies and procedures to ensure they are up to date with the current legislative requirements.
Who should conduct the review?
The review should be done by an individual who is not directly involved in your compliance program activities and who has an adequate working knowledge of your obligations under the PCMLTFA and associated regulations. You may have an internal or an external auditor complete your review, but this is not required, as long as the review is completed and your documentation specifies who conducted it.
The effectiveness review must address whether your policies and procedures, risk assessment and training program are effective, and whether your practices comply with legislative and regulatory requirements, no matter who performs it.
Reporting your review results
For entities, the following must be reported in writing to a senior officer no later than 30 days after the completion of the review:
- the findings of the review (e.g. deficiencies identified, planned corrective actions, an implementation timeline, etc.);
- any updates that were made to your policies and procedures during the reporting period; and
- the status of the implementation of the updates made to your policies and procedures.