Ongoing monitoring requirements

Ongoing monitoring requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations

June 2017

What is ongoing monitoring?

For the purposes of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated Regulations, ongoing monitoring is a process whereby you determine and implement a periodic review of all information regarding the clients with whom you have a business relationship. You are automatically in a business relationship with any client that holds an account with you or with any person or entity once you have conducted two transactions or activities, within five years, where you were required to verify the identity of the individual or confirm the existence of the entity.  

The purpose of ongoing monitoring as defined by the Regulations is to:

1. detect suspicious transactions that are required to be reported to FINTRAC;
2. keep client identification, beneficial ownership information, and the purpose and intended nature of the business relationship record up to date;
3. re-assess your client-risk based on their transactions and activities; and
4. determine whether the transactions or activities are consistent with your information and risk assessment of the client.

How often you conduct your periodic review will be determined as a result of where your clients are placed in your risk assessment.

Risk assessment of business relationships

The PCMLTFA requires that you develop a risk-based approach, which means that you must conduct a risk assessment for each client in order to determine the level of risk they pose in relation to committing a money-laundering or terrorist activity financing offence. You need to determine a risk level for each client in order to determine how often you must conduct your ongoing monitoring.

It is possible to assess clients individually or by groups. For example, a client group sharing similar characteristics may be deemed to pose a lower risk because of the low-risk products or services they use, their expected activity or the intended use of their accounts.  You are not required to write a risk assessment for each client, but you need to be able to demonstrate how you determine the risk category in which a client is placed and how your ongoing monitoring measures are implemented according to your compliance policies, procedures and risk assessment. FINTRAC has developed specific guidance for risk assessments, which includes workbooks that describe how you can set up this approach in your sector.

In addition, you must reassess the level of risk associated with your client’s transactions and activities as part of your obligations. This is done to ensure that the transactions and activities align with what you know about your client which, in turn, will help you detect suspicious transactions that may need to be reported to FINTRAC.

The following are examples of when a business relationship is established with a person or entity posing a higher risk. This is not an exhaustive list.

• When the business relationship is determined to pose a higher risk as a result of your risk assessment of the relationship, person or entity.
• When the business relationship is with foreign politically exposed persons (PEPs).
• When the business relationship is with a family member or close associate of a foreign PEP.
• When the business relationship is with high-risk domestic PEPs, heads of international organizations (HIOs), or their family members or close associates.
• When the business relationship with the client is determined to pose a higher risk based on the information you obtained through your ongoing monitoring.

How do you conduct ongoing monitoring?

You must conduct ongoing monitoring of all individuals and entities with which you have a business relationship. You are automatically in a business relationship with a client that holds an account with you; or with any person or entity once you have conducted two transactions or activities, within five years, where you were required to verify the identity of the individual or confirm the existence of the entity.  

The Regulations require ongoing monitoring of your business relationships to be carried out on a periodic basis, for as long as you have a business relationship with a client.  You will need to define the frequency of this ‘periodic’ basis in your compliance policies and procedures. For example, clients identified as posing a low risk will require less frequent monitoring whereas those in your high-risk category will require that you take enhanced measures, which include conducting more frequent ongoing monitoring activities.  Therefore, the frequency of your ongoing monitoring activities will be determined by your risk assessment.

You must conduct ongoing monitoring for the purposes of:

1. detecting suspicious transactions that are required to be reported to the FINTRAC;
2. keeping client identification, beneficial ownership information, and the purpose and intended nature of the business relationship record up to date;
3. re-assessing your client’s risk based on their transactions and activities; and
4. determining whether the transactions or activities are consistent with your information and risk assessment of that client.

The processes to monitor your business relationships must be part of your policies and procedures. You must also update your client records with any information you obtain as a result of your ongoing monitoring activities.   

During a FINTRAC examination, your policies and procedures will be reviewed to ensure that your ongoing monitoring process is documented and you will also be asked to demonstrate how the processes are implemented for every client risk-level. For example, you could provide a list of higher risk clients, the procedures you carry out, and the schedule that you use to monitor those business relationships. 

You do not need to perform all review elements related to ongoing monitoring at the same time. For example:

• you could have a process by which you update the client identification information on one schedule and reassess the level of risk associated with a client’s transactions and activities on a different schedule; or
• for a non-account-based business relationship, you may choose to update the information you have on record every time the client conducts a transaction that requires you to ascertain their identity, but for an account-based business relationship, you may choose to ask the client to confirm the information you have on record periodically through your regular interactions.

Regardless of how you choose to schedule your periodic reviews, during a FINTRAC examination you will need to demonstrate that you have defined and respected the timing of your periodic review for all business relationships, as part of your compliance policies and procedures.

Measures to take for high-risk clients

If, as a result of your ongoing monitoring of a business relationship, you identify a client as posing a high-risk, you must take enhanced measures with that client. Enhanced measures mean that you must take extra steps in addition to what is required. This includes taking additional measures for client identification, conducting enhanced ongoing monitoring, and taking any other enhanced measure you identify as appropriate.

Enhanced ongoing monitoring means you conduct your ongoing monitoring more frequently.

You must develop, and document in your compliance policies and procedures, the enhanced measures that you will take with high-risk clients.

Enhanced measures can include any additional policy or procedure you develop and implement to mitigate the risks identified, such as:

• Obtaining additional information on the client (e.g. occupation, volume of assets, information available through public databases, Internet, etc.).
• Obtaining information on the source of funds or source of wealth of the client.
• Obtaining information on the reasons for intended or conducted transactions.
• Increased monitoring of transactions of higher-risk products, services and channels.
• Gathering additional documents, data or information; or taking additional steps to verify the documents obtained.
• Establishing transaction limits.
• Increasing internal controls of high-risk business relationships.
• Obtaining the approval of senior management at the transaction level for products and services that are new for that client.

During a FINTRAC examination, you will need to demonstrate that you review your high risk client information more frequently and keep all client information up to date. You must also be able to demonstrate the measures you have in place to mitigate risk where required. 

It is important to note that high-risk activities can occur outside of business relationships. As such, any client not in a business relationship that is assessed as posing a high risk of committing a money laundering or terrorist financing offence must also be subjected to enhanced measures. 

You could consider the following methods to monitor high-risk situations:

• review transactions based on an approved schedule that involves management sign-off;
• develop reports and perform more frequent reviews of reports that list high-risk transactions;
• flag certain activities or activities that deviate from your expectations and elevate concerns as necessary;
• set business limits or parameters regarding accounts or transactions that would trigger early warning signals and require a mandatory review; and
• review transactions more frequently against suspicious transaction indicators relevant to the business relationship.

Ongoing monitoring for correspondent banking relationships

A correspondent banking relationship is created by an agreement or arrangement between a bank, credit union, caisse populaire or trust company and a foreign financial institution. It applies when a financial entity in Canada is to provide services, such as international electronic funds transfers, cash management and cheque clearing, to a foreign financial institution. A foreign financial institution does not have obligations under the PCMLTFA and associated Regulations if it provides correspondent banking services to a Canadian financial entity through an agreement.

If the foreign financial institution does not have anti-money laundering and anti-terrorist financing policies and procedures in place, you have to take reasonable measures to conduct the ongoing monitoring of all transactions within the correspondent banking relationship, in order to detect suspicious transactions. You must also conduct ongoing monitoring of the correspondent banking relationship if, after taking reasonable measures based on publicly available information, you determine that civil or criminal penalties have been imposed on the foreign financial institution related to anti-money laundering or anti-terrorist financing requirements.

Ongoing monitoring of your correspondent banking relationship may consist of:

• real time monitoring of transactions in higher risk scenarios, to ensure that controls are effective in detecting any unusual activity that may be occurring through the correspondent relationship;
• having internal processes to further review certain activities or triggers, which may involve requesting transaction information from the foreign institution in order to clarify the situation and possibly clear the trigger;
• requesting access to information about the customer from the foreign institution as a means to get a proper understanding of the reasonableness of transactions.

Are there records you have to keep about ongoing monitoring?

Yes. You have to keep a record of the measures you take for ongoing monitoring, which includes:

1. the procedures that are in place to perform periodic ongoing monitoring;
2. the procedures that are in place to perform the enhanced measures for high-risk clients;
3. the information that is gathered as a result of the ongoing monitoring; and
4. the information that is gathered as a result of the enhanced measures for high-risk clients.

Because the ongoing monitoring measures your organization takes must be outlined in your policies and procedures, this can form part of your record, or you could document, on a case-by-case basis, the measure taken in each record.

However, the information you obtain through your ongoing monitoring activities is likely to be specific to the client or business relationship and outside of the information captured in your policies and procedures, so should be recorded separately. For example, any updates to the client identification, beneficial ownership or business relationship information, could be recorded as part of any file you maintain on that client.

You must keep a record of the ongoing monitoring measures taken for five years from the date they were created.

The various records you update through ongoing monitoring will have specific retention requirements. 

That said, the purpose of enhanced ongoing monitoring is still meant to ensure that you have a documented and applied process to assess your client’s transactions for the purpose of reporting suspicious transactions. It can also be used to meet other requirements for high- risk clients, such as keeping client identification and beneficial ownership information up-to-date, reassessing the risk level of your clients on a regular basis, and understanding the purpose of the business relationship so that you can better understand and assess your client’s activities and transactional behaviours.

Exceptions to ongoing monitoring

Financial entities - The requirement to conduct ongoing monitoring does not apply to a group plan account held within a dividend or a distribution reinvestment plan, if the sponsor of the plan:

• is an entity whose shares or units are traded on a Canadian stock exchange;
• operates in a country that is a member of the Financial Action Task Force.

Dealers in precious metals and stones - You are not required to perform ongoing monitoring or keep a record of monitoring activities for business relationships that are not high-risk. However, for high-risk business relationships, you are required to monitor the business relationship, and take any other appropriate enhanced measures to mitigate risk. In case of a FINTRAC examination, you need to be able to demonstrate how you determine the risk category that a client is placed in.

When can you stop monitoring business relationships?

Ongoing monitoring stops when the business relationship ends.

In the case of clients who hold an account, the business relationship ends five years after the client closes that account. It is for you to determine, and outline in your policies and procedures, the level of risk posed by closed accounts, and to conduct ongoing monitoring accordingly.

In the case of a non-account-based business relationship, the business relationship ceases five years after the last transaction the client carries out.  If a client conducts a transaction four years after conducting their last transaction with you, the timing requirement starts over.

Date Modified:

2019-08-16