Ongoing monitoring requirements

Ongoing monitoring requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations

June 2017

What is ongoing monitoring?

For the purposes of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated Regulations, ongoing monitoring is a process whereby you determine and implement a periodic review of all information regarding the clients with whom you have a business relationship. You are automatically in a business relationship with any client that holds an account with you or with any person or entity once you have conducted two transactions or activities, within five years, where you were required to verify the identity of the individual or confirm the existence of the entity.  

The purpose of ongoing monitoring as defined by the Regulations is to:

  1. detect suspicious transactions that are required to be reported to FINTRAC;
  2. keep client identification, beneficial ownership information, and the purpose and intended nature of the business relationship record up to date;
  3. re-assess your client-risk based on their transactions and activities; and
  4. determine whether the transactions or activities are consistent with your information and risk assessment of the client.

How often you conduct your periodic review will be determined as a result of where your clients are placed in your risk assessment.

Risk assessment of business relationships

The PCMLTFA requires that you develop a risk-based approach, which means that you must conduct a risk assessment for each client in order to determine the level of risk they pose in relation to committing a money-laundering or terrorist activity financing offence. You need to determine a risk level for each client in order to determine how often you must conduct your ongoing monitoring.

It is possible to assess clients individually or by groups. For example, a client group sharing similar characteristics may be deemed to pose a lower risk because of the low-risk products or services they use, their expected activity or the intended use of their accounts.  You are not required to write a risk assessment for each client, but you need to be able to demonstrate how you determine the risk category in which a client is placed and how your ongoing monitoring measures are implemented according to your compliance policies, procedures and risk assessment. FINTRAC has developed specific guidance for risk assessments, which includes workbooks that describe how you can set up this approach in your sector.

In addition, you must reassess the level of risk associated with your client’s transactions and activities as part of your obligations. This is done to ensure that the transactions and activities align with what you know about your client which, in turn, will help you detect suspicious transactions that may need to be reported to FINTRAC.

The following are examples of when a business relationship is established with a person or entity posing a higher risk. This is not an exhaustive list.

How do you conduct ongoing monitoring?

You must conduct ongoing monitoring of all individuals and entities with which you have a business relationship. You are automatically in a business relationship with a client that holds an account with you; or with any person or entity once you have conducted two transactions or activities, within five years, where you were required to verify the identity of the individual or confirm the existence of the entity.  

The Regulations require ongoing monitoring of your business relationships to be carried out on a periodic basis, for as long as you have a business relationship with a client.  You will need to define the frequency of this ‘periodic’ basis in your compliance policies and procedures. For example, clients identified as posing a low risk will require less frequent monitoring whereas those in your high-risk category will require that you take enhanced measures, which include conducting more frequent ongoing monitoring activities.  Therefore, the frequency of your ongoing monitoring activities will be determined by your risk assessment.

You must conduct ongoing monitoring for the purposes of:

  1. detecting suspicious transactions that are required to be reported to the FINTRAC;
  2. keeping client identification, beneficial ownership information, and the purpose and intended nature of the business relationship record up to date;
  3. re-assessing your client’s risk based on their transactions and activities; and
  4. determining whether the transactions or activities are consistent with your information and risk assessment of that client.

The processes to monitor your business relationships must be part of your policies and procedures. You must also update your client records with any information you obtain as a result of your ongoing monitoring activities.   

During a FINTRAC examination, your policies and procedures will be reviewed to ensure that your ongoing monitoring process is documented and you will also be asked to demonstrate how the processes are implemented for every client risk-level. For example, you could provide a list of higher risk clients, the procedures you carry out, and the schedule that you use to monitor those business relationships. 

You do not need to perform all review elements related to ongoing monitoring at the same time. For example:

Regardless of how you choose to schedule your periodic reviews, during a FINTRAC examination you will need to demonstrate that you have defined and respected the timing of your periodic review for all business relationships, as part of your compliance policies and procedures.  

Measures to take for high-risk clients

If, as a result of your ongoing monitoring of a business relationship, you identify a client as posing a high-risk, you must take enhanced measures with that client. Enhanced measures mean that you must take extra steps in addition to what is required. This includes taking additional measures for client identification, conducting enhanced ongoing monitoring, and taking any other enhanced measure you identify as appropriate.

Enhanced ongoing monitoring means you conduct your ongoing monitoring more frequently.

You must develop, and document in your compliance policies and procedures, the enhanced measures that you will take with high-risk clients.

Enhanced measures can include any additional policy or procedure you develop and implement to mitigate the risks identified, such as:

During a FINTRAC examination, you will need to demonstrate that you review your high risk client information more frequently and keep all client information up to date. You must also be able to demonstrate the measures you have in place to mitigate risk where required.  

It is important to note that high-risk activities can occur outside of business relationships. As such, any client not in a business relationship that is assessed as posing a high risk of committing a money laundering or terrorist financing offence must also be subjected to enhanced measures. 

You could consider the following methods to monitor high-risk situations:

Ongoing monitoring for correspondent banking relationships

A correspondent banking relationship is created by an agreement or arrangement between a bank, credit union, caisse populaire or trust company and a foreign financial institution. It applies when a financial entity in Canada is to provide services, such as international electronic funds transfers, cash management and cheque clearing, to a foreign financial institution. A foreign financial institution does not have obligations under the PCMLTFA and associated Regulations if it provides correspondent banking services to a Canadian financial entity through an agreement.

If the foreign financial institution does not have anti-money laundering and anti-terrorist financing policies and procedures in place, you have to take reasonable measures to conduct the ongoing monitoring of all transactions within the correspondent banking relationship, in order to detect suspicious transactions. You must also conduct ongoing monitoring of the correspondent banking relationship if, after taking reasonable measures based on publicly available information, you determine that civil or criminal penalties have been imposed on the foreign financial institution related to anti-money laundering or anti-terrorist financing requirements.

Ongoing monitoring of your correspondent banking relationship may consist of:

Are there records you have to keep about ongoing monitoring?

Yes. You have to keep a record of the measures you take for ongoing monitoring, which includes:

  1. the procedures that are in place to perform periodic ongoing monitoring;
  2. the procedures that are in place to perform the enhanced measures for high-risk clients;
  3. the information that is gathered as a result of the ongoing monitoring; and
  4. the information that is gathered as a result of the enhanced measures for high-risk clients.

Because the ongoing monitoring measures your organization takes must be outlined in your policies and procedures, this can form part of your record, or you could document, on a case-by-case basis, the measure taken in each record.

However, the information you obtain through your ongoing monitoring activities is likely to be specific to the client or business relationship and outside of the information captured in your policies and procedures, so should be recorded separately. For example, any updates to the client identification, beneficial ownership or business relationship information, could be recorded as part of any file you maintain on that client.

You must keep a record of the ongoing monitoring measures taken for five years from the date they were created.

The various records you update through ongoing monitoring will have specific retention requirements. 

That said, the purpose of enhanced ongoing monitoring is still meant to ensure that you have a documented and applied process to assess your client’s transactions for the purpose of reporting suspicious transactions. It can also be used to meet other requirements for high- risk clients, such as keeping client identification and beneficial ownership information up-to-date, reassessing the risk level of your clients on a regular basis, and understanding the purpose of the business relationship so that you can better understand and assess your client’s activities and transactional behaviours.

Exceptions to ongoing monitoring

Financial entities - The requirement to conduct ongoing monitoring does not apply to a group plan account held within a dividend or a distribution reinvestment plan, if the sponsor of the plan:

Dealers in precious metals and stones - You are not required to perform ongoing monitoring or keep a record of monitoring activities for business relationships that are not high-risk. However, for high-risk business relationships, you are required to monitor the business relationship, and take any other appropriate enhanced measures to mitigate risk. In case of a FINTRAC examination, you need to be able to demonstrate how you determine the risk category that a client is placed in.

When can you stop monitoring business relationships?

Ongoing monitoring stops when the business relationship ends.

In the case of clients who hold an account, the business relationship ends five years after the client closes that account. It is for you to determine, and outline in your policies and procedures, the level of risk posed by closed accounts, and to conduct ongoing monitoring accordingly.

In the case of a non-account-based business relationship, the business relationship ceases five years after the last transaction the client carries out.  If a client conducts a transaction four years after conducting their last transaction with you, the timing requirement starts over.

Date Modified: