Risk-based approach workbook
Dealers in Precious Metals and Stones (DPMS)
FINTRAC has designed this workbook to help you with your risk-based approach (RBA). It is structured to help you identify your risks by products, services and delivery channels; clients and business relationships; geography and other relevant factors. It will also help you implement effective measures and monitor the money laundering and terrorist financing (ML/TF) risks you may encounter as part of your activities and business relationships.
For more detailed information on implementing a risk assessment, please refer to the information contained in the FINTRAC Risk assessment and Compliance program requirements guidance.
Note: Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations including new technologies and developments will be coming into force in June 2017. This new element will be further developed in this guidance document in the coming months.
Who should use this document?
This document was designed for a small business in the dealers in precious metals and stones (DPMS) sector.
- A DPMS means an individual or an entity that buys or sells precious metals, precious stones or jewellery, in the course of its business activities. You are subject to the risk-assessment requirements outlined below if you ever engage in the purchase or sale of precious metals, precious stones or jewellery in an amount of $10,000 or more in a single transaction. These requirements then remain in effect for your business from the day of such a purchase, sale or transaction and for the future. In other words, you are not subject to these requirements if you have never made purchases or sales of $10,000 or more per transaction.
For more detailed information on who is subject to the requirements and an explanation of possible exclusions, please refer to the DPMS page on the FINTRAC website.
How should you assess your risks?
As part of your risk assessment, you need to identify the areas of your business that are vulnerable to being used by criminals for conducting money laundering or terrorist financing (ML/TF) activities.
This means that you need to assess the risks associated with all your business services and activities. Specifically, you must address the following four areas:
- Products, services, and delivery channels (to better reflect the reality of the DPMS sector, this workbook will now only refer to products and delivery channels);
- Geography;
- Clients and business relationships; and
- Other relevant factors.
To do so, you need to consider the types of clients you deal with, the products you provide, how you deliver your products and the location of your business.
If you identify situations that represent a high risk for ML/TF activities, you need to control these risks by implementing mitigation measures, including conducting enhanced monitoring and keeping client information up to date. This will be explained further in the document.
Risk-based approach cycle
The following cycle represents the main steps of your risk-based approach:
- identification of your inherent risks;
- creating risk-reduction measures and key controls;
- implementing your risk-based approach; and
- reviewing your risk-based approach.
Identification of your inherent risks
Products, services and delivery channels:
Products, services and delivery channels offered that may pose higher risks of ML/TF.
Geography:
Location of your business and activities in relation to certain landmarks, populations or events.
Other relevant factors:
Other factors that are relevant to your business.
Clients and business relationships:
Inherent risks linked to the nature and type of business that your clientele has with you through:
- the products, services and delivery channels they utilize;
- their geography; and
- their characteristics and patterns of activities.
- Create risk-reduction measures and key controls
Risk mitigation is about implementing controls to limit the ML/TF risks you have identified while conducting your risk assessment.
When your risk assessment determines that risk is high for ML/TF, you will have to develop written risk mitigation strategies and apply them to the high-risk situations or clients you have identified.
- Implement your risk-based approach:
Once you have gone through the risk assessment exercise, you will apply your risk-based approach as part of your day-to-day activities.
It is important that your compliance policies and procedures are communicated, understood and adhered to by all the staff dealing with clients.
- Review your risk-based approach:
Part of your risk assessment must also include a periodic review (minimum every 2 years) to test the effectiveness of your compliance regime.
This will help evaluate the need to modify existing policies and procedures or to implement new ones. A risk-based approach is not a static exercise. The risks identified will change or evolve over time as new products or new threats enter your business context.
To assess your inherent risks effectively, you can divide your risk assessment into two parts:
- Business-based risk assessment: your products and delivery channels; the geographical location in which your business operates along with other relevant factors.
- Relationship-based risk assessment: products your clients utilize, the geographical locations in which they operate or do business as well as their activities, transaction patterns, etc.
It is important to note that there is no prescribed methodology for the assessment of risks. What follows is FINTRAC's suggested assessment process which will need to be adapted based on your business situation. Although presented separately, parts 1 and 2 could be done simultaneously. You can also create your own assessment process.
1-Business-based risk assessment
Products and delivery channels
Begin your assessment by taking a business-wide perspective. As a DPMS, you must assess all your products and delivery channels to determine if they pose a high risk of ML/TF. This may include, but is not limited to:
- Purchase of precious metals, precious stones or jewellery
- Sale of precious metals, precious stones or jewellery
- Non face-to-face transactions with unknown clients (through internet, mail or telephone)
You may want to consider the following:
- Assess the products by the type of market and the type of client they are meant for (e.g. corporate, individuals, wholesale, retail, etc.).
- The physical characteristics of the products on offer: can a very high value be concealed, are they easily portable, or is their origin difficult to determine?
- Unless transactions involve very large quantities, lower value products are likely to carry less risk than higher value products.
- How do you identify your client? Do you meet your clients face-to-face or do you identify your clients through other methods (e.g. non-face-to-face)?
- How do you provide your product? Do clients have to come to your location to buy a product or can they conduct a transaction over the phone, by fax or online?
Some examples of potentially high-risk products and delivery channels are (please note that some indicators may apply to a retail location, while others may apply at a wholesaler level):
Gold can be a high-risk product, as it is transformable, easily exchangeable and potentially provides anonymity in transactions. It has a universal price standard and can be used as a currency.
Certain red flags for high-risk activity include:
- An established customer purchasing much larger than usual quantities of gold bullion for no apparent reason, or a previously unknown customer requesting that a refiner turn gold into bullion.
- A client using cash to purchase bullion, especially in large amounts.
- Foreign nationals purchasing gold bullion through multiple transactions over a short period.
- Gold purity, weight, origin and value are misclassified on customs declaration forms.
- Unlicensed persons or businesses producing and commercializing gold.
- Bullion that has physical characteristics inconsistent with industry standards.
- Gold prices higher than in the local gold market.
Diamonds can be higher-risk products, as they are easily transported and concealed, can carry enormous value, provide anonymity in transactions and are difficult to trace.
Certain red flags for high-risk activity include:
- Purchases or sales which are unusual for the customer, illogical from a business or economic point of view or not in line with standard industry practices.
- The purchase or sale of diamonds whose origin seems to be fictitious. This is particularly true for rough diamonds that are not accompanied by a valid Kimberley Process certificate.
- A Kimberley Process certificate that seems to be forged, or that has an exceptionally long validity.
- A customer or supplier who is known for their involvement in trafficking conflict diamonds.
- A customer or supplier who is not familiar with trade practices, or who consults a third party while conducting transactions.
- High-value cash purchases of diamonds, particularly in jurisdictions or stages of trade where the use of cash as a method of payment is less common.
- The customer or supplier seems to be indifferent to the date of payment (which could be upon the delivery of the diamonds, or several months later).
- A customer who requests to purchase polished diamonds in bulk, for no apparent legitimate business reason.
Behaviour of the counterparty in some transactions:
- A counterparty that proposes a transaction which makes no sense or that is excessive in value or potential profit.
- A counterparty that uses money service businesses or other non-bank financial institutions for no apparent legitimate business purpose.
- A counterparty that frequently and inexplicably changes bank accounts, especially when using banks in other countries.
- A counterparty that seeks anonymity by conducting ordinary business through accountants, lawyers, or other intermediaries.
Other indicators of high risk:
- Offering products through non-face-to-face means (internet, mail or telephone). These delivery channels may pose higher risks, because it may be more difficult to identify the client.
- Offering products such as loose diamonds or precious metals that retain their wholesale value because they can be easily liquidated.
- A supplier who is unwilling to provide complete or accurate contact information, financial references or business affiliations.
For examples on how to assess risk for products and delivery methods, see the Risk assessment guidance.
Geography
Assess whether your own store or business location, the countries to which you transfer funds, and the countries from which you receive funds could pose a high risk for ML/TF activities.
In the assessment of your geography, you have to consider whether the geographic locations in which you operate or undertake activities potentially pose a high risk for money laundering and terrorist financing. Depending on your business and operations, this can range from your immediate surroundings, whether rural or urban, to a province or territory, multiple jurisdictions within Canada (domestic) or other countries.
Some examples of geographic elements that need to be reflected in your assessment are:
- High crime areas as they may present additional ML/TF risks.
- A rural area where clients are known to you could present a lesser risk compared to a large city where new clients and anonymity are more likely. However, the known presence of organized crime in a rural area would obviously present a higher risk.
- Is your business close to a border-crossing? Proximity to a border-crossing could increase the risk due to the fact that your business may be the first point of entry into the financial system.
- If you conduct transactions with foreign clients who are based in countries subject to sanctions, embargoes or other measures, you should consider that as high-risk. For example, the United Nations will occasionally issue an advisory about a certain country. Refer to:
For more examples on how to assess risk for geographic locations, see the Risk assessment guidance.
Other factors relevant to your business (if applicable)
Assess other factors that may apply to your business that do not fall in the other categories. There may be something about your business that can make it more attractive to individuals who want to carry out ML/TF activities.
Some examples that may apply to you are:
- Your operational structure, size, number of branches, and employees, such as:
  - A business with a high employee turnover.
  - A business where newer staff are not adequately supervised.
Business-based risk assessment worksheet
The following worksheet is for illustrative purposes only (please see additional instructions in Annex A). Using this worksheet could be an easy way for your entity to present the inherent risks related to your business, or you may develop your own worksheet.
Note: The information below is provided as an example only. Your entity may have more risk factors to consider. Furthermore, you may have different risk ratings. For more options, you can consult the matrix included in the Risk assessment guidance.
| LIST OF FACTORS: Identify all the factors that apply to your business (i.e. products and delivery channels, geography, other relevant factors) | Assess each factor (e.g. low, medium or high) | Explain why you assigned that particular rating | DESCRIBE MITIGATION MEASURES FOR HIGH RISKS IDENTIFIED IN COLUMN A |
| --- | --- | --- | --- |
|  | High risk | High value products that can be easily concealed, transported or liquidated. |  |
|  | High risk | Possibility of third party involvement in the payment or receipt of products. |  |
|  | High risk | The business may be the first point of entry into the financial system. |  |
2-Relationship-based risk assessment (i.e. your clients)
As a DPMS, you enter into a business relationship when a client conducts two or more reportable transactions with you that require you to ascertain their identity, regardless of whether the transactions are related to each other. If you have a business relationship, you need to make a risk assessment based on the inherent characteristics of your client. This can be done based on the combination of the following factors, some of which were identified in the previous section:
- The products and delivery channels your client purchases or uses;
- The geography related to your client (at which location is the client conducting the transaction and to/from which country is the client sending/receiving money); and
- Your client's characteristics and your client's activities and transaction patterns.
However, it is possible that your business is dealing with clients outside of a business relationship. The interactions with these clients may be sporadic (e.g. few transactions over time that are under the identification threshold requirement or even a single transaction). As such, there will not be a lot of information available for your business to fully assess this client (as opposed to a client in a business relationship with information, patterns of activities, etc.). The risk assessment of such clients will most likely focus on the monitoring of transactions as opposed to having a client file. This monitoring is basically your obligation to report a suspicious transaction if you suspect that the transaction is related to a money laundering or terrorist financing offence.
If you do not have business relationships, it is not necessary for you to complete the Relationship-based risk assessment worksheet. However, if you have high-risk clients outside a business relationship, you need to include them in the following worksheet.
Below are some examples of client and transaction characteristics that can be considered high-risk:
- A client who appears to be unconcerned about price.
- A client paying for expensive jewellery in cash.
- A client attempting to use a third party cheque or a third party credit card.
- A client indiscriminately purchasing merchandise without regard for value, size or colour.
- A client who has a significant and unexplained geographic distance from the dealer.
- A client who orders items, pays for them in cash, cancels the order and then receives a large refund (particularly if the refund is issued in the form of a cheque).
- A purchase appears to be beyond the means of the client, based on their stated or known occupation or income.
- A client who is reluctant to provide adequate identification information when making a purchase, or who wishes to maintain a high degree of secrecy with regard to the transaction, such as requesting that normal business records not be kept.
- A client who does not understand the industry in which they propose to deal, or who lacks the appropriate equipment or finances for such an engagement.
- You are aware or you become aware, from a reliable source (that can include media or other open sources), that a client is suspected of being involved in illegal activity.
- Transactions that appear to be structured to avoid reporting requirements.
- Transactions in which third parties are involved, either as payers or as recipients of payment or product, without apparent legitimate purpose.
- The use of non-bank financial mechanisms, such as currency exchange or money remitters, instead of the banking system.
- Transactions that differ from those initially anticipated or outlined in the purpose of a business relationship.
- Unusual payment methods, such as large amounts of cash, multiple or sequentially numbered money orders, traveler's checks or cashier's checks, or payment from third parties.
- Large or frequent payments made in funds other than Canadian dollars.
- Transactions that do not make sense, or where the source of funds cannot be established.
- Funds that come from an offshore financial centre rather than a local bank.
- There are a number of affiliated entities in the payments chain.
Please note that the following indicator, when encountered, will place clients in the overall high-risk category, regardless of other factors:
- If you file a Terrorist Property Report, the client automatically becomes high-risk.
For more examples of how to assess risk for client and business relationships, see the Risk assessment guidance.
Relationship-based risk assessment worksheet
The following worksheet is for illustrative purposes (please see additional instructions in Annex B). Using this worksheet could be an easy way for your entity to present the inherent risks related to your business relationships, or you may develop your own worksheet.
This worksheet is to assess all your business relationships and high-risk clients. For more information on business relationships, see FINTRAC's Business relationship requirements.
Note: The information below is provided as an example only. For more options, you can also consult the matrix included in the Risk assessment guidance.
| Identify all your business relationships or high-risk clients (individually or as groupings) | Assess each business relationship (e.g. low, medium or high) | Explain why you assigned that particular rating | DESCRIBE ENHANCED MEASURES TO ASCERTAIN ID FOR HIGH-RISK BUSINESS RELATIONSHIPS | DESCRIBE MITIGATION MEASURES FOR HIGH-RISK BUSINESS RELATIONSHIPS | DESCRIBE PROCESS TO KEEP CLIENT INFORMATION UP TO DATE FOR HIGH-RISK BUSINESS RELATIONSHIPS | DESCRIBE ENHANCED MONITORING FOR HIGH-RISK BUSINESS RELATIONSHIPS |
| --- | --- | --- | --- | --- | --- | --- |
|  | Low | Client conducts two or more large cash transactions that are within their means, and make sense (for example buying an engagement ring with cash that has been saved). | N/A – regular identification procedures are applied | N/A | N/A | N/A |
|  | High | Client conducts several large cash transactions that seem to be beyond their means. | Take additional steps to verify documents previously obtained from these clients or request additional identification documents. Identification information is updated more frequently. | Request source of funds for any cash amount. | Ask the client to provide information to confirm or update their identification information (address, date of birth, occupation, nature and purpose of business relationship, etc.) at every identification threshold transaction. | Review transactions conducted by client quarterly. Where feasible, obtain additional client information through public databases or other sources of information. Set parameters for transactions that will trigger early warning signals and require a mandatory review at the threshold for transactions requiring ID. |
Annex A: Instructions to complete the Business-based risk assessment worksheet (Products and delivery channels; geography; other relevant factors)
Column A: List of factors
Describe your products, delivery channels, factors related to your geographical location(s) and other relevant factors.
Column B: Risk rating
Rate each risk factor (products, delivery channels, factors related to geographic location(s) and other relevant factors).
Please note that the PCMLTFA and Regulations do not require you to use a low, medium and high scale. You could decide to have low and high risk categories or to have a more complex rating scale. A scale must be established, tailored to the size and type of business you have.
Provide the reasons why you assigned a particular risk rating to each product, delivery channel, geographic location, or other relevant factor. You can make reference to a website, a publication, a report, etc.
Column D: Describe mitigation measures for high-risk factors
By law, all factors identified as “high-risk” must be addressed with documented mitigation measures. You have to write policies and procedures to explain how you are going to reduce and how you will control these risks in your day-to-day activities.
Below are some examples of mitigation measures you may want to consider (not an exhaustive list):
Annex B: Instructions to complete the Relationship-based worksheet (high-risk clients and business relationships)
Column A: Business relationships or high-risk clients
Identify all your business relationships and high-risk clients. You may decide to risk assess each individual business relationship separately or to do so in groups that share similar characteristics.
Column B: Risk rating
Rate each business relationship.
You can use a scale of low, medium and high to risk rate your business relationship. Please note that the PCMLTFA and Regulations do not require you to use a low, medium and high scale. You could decide to segregate between low and high risk categories or have a more complex rating scale.
Provide the reasons why you assigned a particular risk rating to each client type/business relationship.
Column D: Describe enhanced measures to ascertain the identity of high-risk clients or to confirm the existence of a high-risk entity
You need to describe how identity was ascertained or how the existence of an entity was confirmed for each high-risk business relationship and each high-risk client.
Below are some examples:
For more information, see Methods to identify individuals and confirm the existence of entities.
Column E: Describe mitigation measures for high-risk business relationship
You need to put controls in place for each high-risk business relationship and high-risk client that you identified.
Below are some examples of mitigation measures that you may want to consider (not an exhaustive list):
For more examples of controls or ways to reduce the risk, see Compliance program requirements.
Column F: Describe how you will keep client information up to date for high-risk business relationships or high-risk clients
You have to develop policies on how and how often you will update the client information of high-risk clients and high-risk business relationships.
The information that needs to be updated generally includes:
Measures to keep client identification up to date include asking the client to provide information to confirm or update their identification information. For example, you may ask a client for an additional piece of identification. You may also confirm the information through public sources.
Column G: Describe enhanced monitoring for high-risk business relationships
High-risk business relationships
For high-risk business relationships, you need to conduct enhanced monitoring.
Enhanced monitoring process
Describe all aspects of your enhanced monitoring:
Examples of how enhanced monitoring is conducted and reviewed for high-risk business relationships:
For more information on enhanced monitoring, see Ongoing monitoring requirements.
Glossary and useful links
- Business relationship:
- As a DPMS, you enter into a business relationship when a client conducts two or more reportable transactions with you that require you to ascertain the identity of the client, regardless of whether the transactions are related to each other. You also enter into a business relationship if you submit two or more Suspicious Transaction Reports (STRs) on a client.
- A person or entity that is party to a transaction such as the purchase or sale of precious metals or precious stones, including both suppliers and retail customers.
- Delivery channels:
- Medium that can be used to obtain a product, or through which transactions can be conducted.
- FINTRAC:
- The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) is Canada's financial intelligence unit.
- Inherent risk:
- Risk that exists before the application of controls or mitigation measures.
- Jewellery:
- Objects made of precious metals, precious stones or pearls, intended for personal adornment, such as earrings, bracelets, rings, necklaces, brooches, watches, etc.
- Mitigation measures:
- Controls put in place to limit the potential money laundering and terrorist financing risks you have identified while conducting your risk assessment.
- Non-face-to-face transactions:
- Transactions where the client is not physically present (for example, Internet, telephone or mail).
- Precious metals:
- Gold, silver, palladium or platinum, whether in coins, bars, ingots, granules or in any other form.
- Precious stones:
- Diamonds, sapphires, emeralds, tanzanites, rubies or alexandrites.
- Risk-based approach:
- In the context of ML/TF, a risk-based approach is a process that encompasses the following:
- The risk assessment of your business activities and clients using certain prescribed elements: Products and delivery channels; geography; clients and business relationships; and other relevant factors.
- The mitigation of risk through the implementation of controls and measures;
- Keeping client identification and business relationship information up to date; and
- The monitoring of high-risk business relationships.
- Third party:
- Individual or entity other than the individual who conducts the transaction. When you are determining whether a third party is involved, it is not about who "owns" the money, but rather about who gives instructions to deal with the money.
- Vulnerabilities:
- Elements of a business that could be exploited. In the ML/TF context, vulnerabilities could be weak controls within a business offering high-risk products.
Guideline 1: Backgrounder
Guidance – Main Page
Dealer in Precious Metals and Stones (DPMS) – Main Page
Reporting entities – Main Page
Compliance program requirements
FATF Money Laundering and Terrorist Financing Risks and Vulnerabilities Associated with Gold
FATF Money Laundering and Terrorist Financing Through Trade in Diamonds
FATF RBA Guidance for Dealers in Precious Metals and Stones