Compliance program requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations

December 2017

Please note that FINTRAC's Guideline 4 has been replaced by “Compliance program requirements”.

This guidance on the compliance program requirements is applicable to all individuals and entities that are subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations.

Compliance program requirements

Establishing and implementing a comprehensive and effective compliance program is the basis for meeting all of your reporting, record keeping, client identification and know-your-client requirements under the PCMLTFA and associated Regulations.

There are five required elements of a compliance program. Each is considered to be a pillar of an effective anti-money laundering/anti-terrorist financing (AML/ATF) program. The five pillars are:

  1. The appointment of a person who is responsible for the implementation of the compliance program - compliance officer;

  2. The development and application of written compliance policies and procedures that are kept up-to-date, and include enhanced measures to mitigate high risks;

  3. A risk assessment of your business activities and relationships;

  4. The development and maintenance of a written ongoing compliance training program for employees, agents, and others authorized to act on your behalf; and

  5. The institution and documentation of an effectiveness review of your compliance program (policies and procedures, risk assessment and training program) every two years (minimum) for the purpose of testing its overall effectiveness.

The level of detail and sophistication of your compliance program must reflect the size, complexity, structure and risk of exposure of your business to money laundering (ML) and terrorist activity financing (TF).

During a FINTRAC examination, it is important to demonstrate that:

1. Compliance officer

Your appointed compliance officer is responsible for effectively implementing all of the elements within your compliance program: policies and procedures, ongoing training, risk assessment, and effectiveness review conducted every two years (minimum).

Appointing a designated person to be your compliance officer alone does not fulfil your compliance program requirements or the overall objectives of the PCMLTFA and associated Regulations.

In order to implement an effective AML/ATF program your compliance officer needs to:

While the compliance officer is appointed, it is the reporting entity's responsibility to meet its compliance program requirements under the PCMLTFA and associated Regulations.

Depending on the size of your business, you could be the compliance officer or it could be another individual, such as:

If you are an individual, such as in the case of a sole proprietorship, you can appoint yourself as the compliance officer, or you may choose to appoint another individual to help you implement the compliance program.

As a best practice, the appointed compliance officer of a larger business should not be directly involved in the receipt, transfer or payment of funds.

A compliance officer may choose to delegate certain duties to other employees. For example, a compliance officer may delegate responsibility to an individual in another office or branch. However, where such a delegation is made, the compliance officer remains responsible for the implementation of the compliance program.

As a best practice, the compliance officer should have the ability to report compliance related issues to, and meet with the board of directors, senior management or owner/chief operator on a regular basis.

2. Compliance policies and procedures

Written compliance policies and procedures must be developed and applied by all individuals and entities subject to the PCMLTFA and associated Regulations. This is an important component of your overall compliance program as it will guide your decisions and actions with respect to how you will comply with your legislative obligations.

Your compliance policies and procedures must be:

FINTRAC expects that your written policies and procedures outline all obligations applicable to your business under the PCMLTFA and associated Regulations and the corresponding processes and controls you have put in place, including:

Your policies and procedures, at a minimum, should cover the following requirements:

  1. Compliance program requirements covering your (a) risk assessment activities, including the risk mitigation measures you use, (b) your written ongoing compliance training program and (c) your two-year effectiveness review activities, which consist of reviewing the three cornerstones of your compliance program, namely your policies and procedures, ongoing training and risk assessment.
  2. Know your client and other requirements where applicable: verifying client identity, politically exposed persons, heads of international organizations, their family members and close associates requirements, beneficial ownership, and third party determination.
  3. Ongoing monitoring and business relationship requirements, as well as the special measures you have implemented based on your risk assessment. Your special measures instructions must address:
    • taking enhanced measures to verify the identity or confirm the existence of high risk clients;
    • taking enhanced measures to keep client information up-to-date;
    • taking enhanced measures to keep beneficial ownership information up-to-date;
    • taking enhanced measures to conduct ongoing monitoring of business relationships for the purposes of detecting transactions that are required to be reported under section 7 of the PCMLTFA (i.e., Suspicious Transaction Reports); and
    • taking any other enhanced measures to mitigate the risks identified.
  4. Record keeping requirements, including, but not limited to, retaining copies of suspicious transaction reports and casino disbursement reports and maintaining large cash transaction records.
  5. Transaction reporting requirements, including all applicable report types. These include the filing of suspicious transaction reports, terrorist property reports, large cash transactions reports, electronic fund transfer reports and casino disbursement reports.

You must also document how you will handle ministerial directives and transaction restrictions, which are targeted measures issued by the Minister of Finance to protect Canada's financial system from being used for ML/TF purposes. You are not required to have a separate and distinct policy/procedure for this type of requirement. It is acceptable to detail how you will know or become aware that one has been issued and the process of what you will do when one is issued through your regular policies and procedures.

The level of detail in your policies and procedures depends on the size, structure and complexity of your business. It also depends on your level of exposure to ML/TF risks.

For example, the compliance policies and procedures of a small business may be less complex than those of a large business. It is important to note that, if your sector has an industry association or another governing body that has provided you with a generic set of policies and procedures, you must tailor them to your specific business and its inherent requirements (i.e. location, clientele, etc.).

The policies and procedures you develop will play a pivotal role in your compliance program as they set out the standards that employees, agents, and others authorized to act on your behalf must meet. They should be clearly communicated, understood and followed by all those authorized to act on your behalf, including employees, agents and any others that deal with clients, transactions or other activities.

For example, relevant employees need to know how to collect the required information to identify clients, keep records and report in accordance with the PCMLTFA and associated Regulations. Furthermore, relevant employees must know how to recognize, assess, escalate and report suspicious transactions.

All your policies and procedures should be easily accessible to the appropriate audience. It is important to note that FINTRAC will not only look at your policies and procedures, but will also focus on their completeness and will expect that you can demonstrate how they are effectively implemented during an examination.

3. Risk assessment

A risk assessment is an analysis of potential risks and vulnerabilities that could expose your business to ML/TF activities. This assessment will allow you to identify your inherent risk and will assist you and those authorized to act on your behalf in developing mitigation measures to deal with these risks.

The outcome of your risk assessment should reflect the reality of your business, be documented and as a best practice include all the elements, applicable to you, in FINTRAC's Guidance on the risk-based approach to combatting money laundering and terrorist financing. FINTRAC has also published risk-based approach workbooks that expand on the guidance to include a "how to" methodology to assist different sectors in implementing an effective risk-based approach cycle. Workbooks have been developed for the following sectors: accountants, British Columbia notaries, credit unions/caisses populaires, dealers in precious metals and stones, life insurance companies, brokers and agents, money services businesses, real estate, and securities dealers.

The complexity of your risk assessment will depend on the size and risk factors of your business. However, you must consider the following:

How do you document the risk assessment?

How you document your risk assessment will depend on what makes sense for your business. However, FINTRAC expects that you can demonstrate that you have considered all facets of your business's exposure to ML/TF activities. To do this, you can document all the risks you have considered and the mitigation measures you have developed for those that are high risk.

You also need to be able to demonstrate to a FINTRAC compliance officer that you have reviewed and, if necessary, updated your risk assessment and mitigation measures as applicable. For example, if you offer a new product, FINTRAC expects that you have considered and documented any potential or actual ML/TF risks associated with the new product and therefore, have identified and applied measures to deal with your identified risks.

What are enhanced measures?

Enhanced measures are the development and application of written policies and procedures to mitigate high risks identified within your business and your clients.

If you identify a client as posing a high risk, you must:

4. Ongoing compliance training program

The development, implementation and maintenance of an ongoing compliance training program is required if you have employees, agents or other individuals authorized to act on your behalf. Individuals who deal with clients and/or transactions must be trained in relation to their function/duties within your business.

Your training program must be in writing, must be reviewed and kept up to date. If you are a sole proprietor with no employees, agents or other individuals authorized to act on your behalf, you are not required to have a training program in place for yourself. However, you must still be able to demonstrate that you have all the other required elements of a compliance program.

All those authorized to act on your behalf need to be trained in relation to the specific duties or function they perform, so they understand:

Who do I need to provide training to?

Your training program should be delivered and tailored to people who:

What do I need to provide training on?

At a minimum, FINTRAC expects that your training program will include:

Your training materials should include examples of how your particular type of business could be used to launder illicit funds or fund terrorist activity. This should help with the identification of suspicious transactions and may provide you some assurance that your services are not being abused for ML/TF purposes.

Does my training have to be delivered in writing?

While your training program has to be documented, the method used to deliver your training does not have to be in writing. For example, you could deliver your training program using software, information sessions, face-to-face meetings, attendance at conferences, etc. However, it is a requirement that you document the following elements in writing:

During an examination, FINTRAC may review the documentation you have in relation to your training program and may conduct interviews to assess the effectiveness of your training program, i.e. your staff's understanding of your policies and procedures, their knowledge of ML/TF activities in relation to your business, etc.

What training method should I use?

The method of training you choose (such as formal, on-the-job, external, etc.) will depend on the complexity and size of your business, but it is ultimately up to you to determine the method that is most suitable. For example, a business with hundreds of branches and thousands of employees will have different training needs than a business that has one location and two employees.

5. Two-year effectiveness review

A two-year effectiveness review is an evaluation that is conducted every two years (at a minimum) to test the effectiveness of the elements of your compliance program: policies and procedures, risk assessment and ongoing training program. The review must be started no later than 24 months from the start of the previous review and completed prior to the start of the next review.

The review must be designed to allow for the identification and documentation of any gaps and weaknesses within your compliance program to ensure that your business is effectively detecting and preventing ML/TF.

The methods and scope used to test the effectiveness of your compliance program will depend on the nature, size and complexity of your business and must be documented as part of your review. The review should consider the completeness of all the components of your compliance program in addition to their effectiveness.

The findings, frequency and timing of your review must be sufficiently documented and identify the root cause of the deficiencies identified by your review, if any. If changes are necessary and could impact your compliance policies and procedures, risk assessment or training program (such as changes to your business model or the introduction of new products or services) you should ensure that all your compliance documents are up to date before your next planned review.

If your business is regulated at the federal or provincial level, your review may be triggered by requirements determined by your regulator.

When conducting the review, you will have to determine the design and application of testing and sampling as part of your methods.

Examples of what can be included in your review:

Who should conduct the review?

Your internal or external auditor must conduct the review. However, if you do not have such an auditor, you can conduct your own review, which should be done by an individual who is not directly involved in your compliance program activities, and who has an adequate working knowledge of your obligations under the PCMLTFA and its associated Regulations. Your documentation should also specify who conducted the review.

The effectiveness review must address whether your policies and procedures, risk assessment and training program are effective, and whether your practices comply with legislative and regulatory requirements, no matter who performs it.

Reporting your review results

For entities, the following must be reported in writing to a senior officer no later than 30 days after the completion of the review:
