Risk-based approach workbook
Real estate sector
December 2018
Introduction
FINTRAC has designed this workbook to help you with your risk-based approach (RBA). It is structured to help you identify risks by products, services and delivery channels; clients and business relationships; geography and other relevant factors. It will also help you implement effective measures and monitor the money laundering and terrorist financing (ML/TF) risks you may encounter as part of your activities and business relationships.
For more detailed information on implementing a risk assessment, please refer to the information contained in the FINTRAC Risk assessment and Compliance program requirements guidance.
Note: Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations including new technologies and developments will be coming into force in June 2017. This new element will be further developed in this guidance document in the coming months.
Who should use this document?
This document was designed for a small brokerage, firm or developer in the real estate sector. The approach outlined in this document applies to you if you are a real estate broker, a sales representative or a real estate developer:
- a real estate broker or sales representative means an individual or an entity that is registered or licensed in a province to sell or purchase real estate; or
- a real estate developer means an individual or an entity other than a real estate broker or sales representative, who in any calendar year after 2007 has sold the following to the public:
- at least five new houses or condominium units;
- at least one new commercial or industrial building;
- at least one new multi-unit residential building each of which contains five or more residential units; or
- at least two new multi-unit residential buildings that together contain five or more residential units.
It is important to note that while the use of the RBA workbook is not mandatory, assessing and documenting risk is a requirement under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). This document has been specifically designed to assist entities with the RBA process, however, entities can develop their own approach, use their own materials or create their own risk-rating scales, so long as a justification or rationale is provided as to why a specific rating was assigned to a given risk factor.
How should you assess your risks?
As part of your risk assessment, you need to identify the areas of your business that are vulnerable to being used by criminals for conducting money laundering or terrorist financing (ML/TF) activities.
This means that you need to assess the risks associated with all your business services and activities, and develop a risk assessment specific to your situation. Specifically, you must address the following four areas:
- Products, services, and delivery channels (to better reflect the reality of the real estate sector, this workbook will now only refer to services and delivery channels);
- Geography;
- Clients and business relationships; and
- Other relevant factors.
To do so, you need to consider the types of clients you deal with, the services you provide, how you deliver your services and the location of your business.
If you identify situations that represent a high risk of ML/TF activities, you need to control these risks by implementing mitigation measures, including conducting enhanced ongoing monitoring and keeping client information up to date. This will be further explained in the document.
Risk-based approach cycle
The following cycle represents the main steps of your risk-based approach:
- identification of your inherent risks;
- creating risk-reduction measures and key controls;
- implementing your risk-based approach; and
- reviewing your risk-based approach.
View the text equivalent
- Identification of your inherent risks
Products, services and delivery channels:
Products, services and delivery channels offered that may pose higher risks of ML/TF.Geography:
Location of your business and activities in relation to certain landmarks, populations or events.Other relevant factors:
Other factors that are relevant to your businessClients and business relationships:
Inherent risks linked to the nature and type of business that your clientele has with you through:- the products, services and delivery channels they utilize;
- their geography; and
- their characteristics and patterns of activities.
- Create risk-reduction measures and key controls
Risk mitigation is about implementing controls to limit the ML/TF risks you have identified while conducting your risk assessment.
When your risk assessment determines that risk is high for ML/TF, you will have to develop written risk mitigation strategies and apply them to the high-risk situations or clients you have identified. - Implement your risk-based approach:
Once you have gone through the risk assessment exercise, you will apply your risk-based approach as part of your day-to-day activities.
It is important that your compliance policies and procedures are communicated, understood and adhered to by all the staff dealing with clients. - Review your risk-based approach:
Part of your risk assessment must also include a periodic review (minimum every 2 years) to test the effectiveness of your compliance regime.
This will help evaluate the need to modify existing policies and procedures or to implement new ones. A risk-based approach is not a static exercise. The risks identified will change or evolve over time as new products or new threats enter your business context.
To better assess your inherent risks effectively, you can divide your risk assessment into two parts:
- Business-based risk assessment: your services and delivery channels; the geographical location in which your business operates along with other relevant factors.
- Relationship-based risk assessment: services your clients utilize, the geographical locations in which they operate or do business as well as their activities, transaction patterns, etc.
It is important to note that there is no prescribed methodology for the assessment of risks. What follows is FINTRAC's suggested assessment process which will need to be adapted to your business situation. Although presented separately, parts 1 and 2 could be done simultaneously. You can also create your own assessment process.
1-Business-based risk assessment
Services and delivery channel
Begin your risk assessment by taking a business-wide perspective. As a business in the real estate sector, you must assess all your services and delivery channels to determine if they pose a high risk of ML/TF.
You may want to consider the following:
- Assess the services by the type of client they are meant for (e.g. corporate, individuals, families, third party, etc.)
- Assess the services by the type of property listing (e.g. residential or commercial, vacant land, investment, high-turnover properties, agricultural land, or multi-unit properties for leasing purposes)
- Do the services you provide allow your client to engage in high-risk transactions? For example, do you provide services where clients register property in a nominee's name? Are there third party intermediaries involved in the purchase or sale of the property?
- How do you identify your client? Do you meet with your clients face-to-face or identify them by non-face-to-face means? Does the communication between the real estate agent or broker and client take place in person; or via email, fax, etc.?
Some examples of potential high-risk services and delivery channels are:
- The use of third party vehicles, such as trusts, to purchase property. There is a greater risk of ML as third party vehicles can obscure the identity of the true owner or buyer.
- Clients identified through agency or mandatary agreements. When a third party identifies clients on your behalf, there may be a greater risk that they may not be following policies and procedures to properly identify the client.
- Offering services by non-face-to-face means (phone, fax, online). These delivery channels may pose higher risks as it may be more difficult for your business to identify the client.
Geography
Assess whether your own office location or the countries in which your clients are based could pose a high risk for ML/TF activities.
In the assessment of your geography, you have to consider whether the geographic locations in which you operate or undertake activities potentially pose a high risk for money laundering and terrorist financing. Depending on your business and operations, this can range from your immediate surroundings, whether rural or urban, to a province or territory, multiple jurisdictions within Canada (domestic) or other countries.
Some examples of geographic elements that need to be reflected in your assessment are:
- Property listings in high crime areas, as they may present additional ML/TF risks.
- Property in close proximity to the border.
- Significant and unexplained geographic distance between the agent and the client.
- A rural area where clients are known to you could present a lesser risk compared to a large city where new clients and anonymity are more likely. However, the known presence of organized crime in a rural area would obviously present a higher risk.
- Transactions involving persons residing in tax havens, high-risk jurisdiction or countries lacking appropriate ML/TF laws.
- If you provide services to foreign clients who are based in countries that are subject to sanctions, embargoes or other measures, you should consider that as high-risk. For example, the United Nations will occasionally issue an advisory about a certain country. Refer to:
For more examples on how to assess risk for geographic locations, see the Risk assessment guidance.
Other factors relevant to your business (if applicable)
Assess other factors that may apply to your business that do not fall in the other categories. There may be something about your business that can make it more attractive to individuals who want to carry out ML/TF activities.
Some examples that may apply to you are:
- The size of your business, e.g. the financial value of the transactions facilitated.
- Your operational structure, number of branches, satellite offices, agents, brokers and employees.
- For example, a business with a high employee turnover may present greater risk.
- Does your business model include purchasing and selling services along with builder or developer activities?
- Trends and typologies for your respective activity sector may include specific elements of risks that your business should consider.
Business-based risk assessment worksheet
The following worksheet is for illustrative purposes only (please see additional instructions in Annex A). Using this worksheet could be an easy way for your entity to present the inherent risks related to your business, or you may develop your own worksheet.
Note: The information below is provided as an example only. Your entity may have more risk factors to consider. Furthermore, you may have different risk ratings. For more options, you can consult the matrix included in the Risk assessment guidance.
| Column A: LIST OF FACTORS Identify all the factors that apply to your business (i.e. products,services and delivery channels, geography, other relevant factors) |
Column B: Assess each factor (e.g. low, medium or high) |
Column C: Explain why you assigned that particular rating |
Column D: |
|---|---|---|---|
| Use of a mandatary to identify clients. | High risk | There is greater risk that the mandatary is not adequately following policies and procedures to properly identify the client. |
|
| Use of a mandatary to identify clients. | Low risk | The real estate broker or firm has a long-standing relationship with the mandatary and is aware of and confident in their identification processes. |
|
| Offering services through non-face-to-face means, such as by email, fax or online. | High risk | There is greater risk of third parties being used to conceal the true owner or buyer, especially if a transaction is conducted through non-face-to-face means for no apparent reason. |
|
| Offering services through non-face-to-face means, such as by email, fax or online. | Low risk | The clients are known to the broker or firm, have been identified in person previously and there is no third party involvement suspected. |
|
A high turnover of agents or brokers who deal directly with clients |
High risk | New agents or brokers may have less knowledge of certain clients and less experience with ML/TF indicators. |
|
| Etc. |
2-Relationship-based risk assessment (i.e. your clients)
If you have a business relationship, you need to make a risk assessment based on the inherent characteristics of your client. This can be done based on the combination of the following factors, some of which were identified in the previous section:
- The services and delivery channels your client uses;
- The geography related to your client (at which location is the client conducting the transaction and where does the financing come from); and
- Your client's characteristics and your client's activities and transaction patterns.
However, it is possible that your business is dealing with clients outside of a business relationship. The interactions with these clients may be sporadic (e.g. few transactions over time that are under the identification threshold requirement or even a single transaction). As such, there will not be a lot of information available for your business to fully assess this client (as opposed to a client in a business relationship with information, patterns of activities, etc.). The risk assessment of such clients will most likely focus on the monitoring of transactions as opposed to having a client file. This monitoring is basically your obligation to report a suspicious transaction if you suspect that the transaction is related to a money laundering or terrorist financing offence.
If you do not have business relationships, it is not necessary for you to complete the Relationship-based risk assessment worksheet. However, if you have high-risk clients outside a business relationship, you need to include them in the following worksheet.
Below are some examples of client and transaction characteristics that can be considered high-risk:
Clients
- A client arriving at a real estate closing with a significant amount in cash.
- A client who wants to purchase a residential property in the name of a nominee, other than a family member, for no apparent reason.
- A client who resides overseas purchases a commercial property for no apparent reason.
- A client who is contacting you to purchase or sell real estate but the reason as to why they are contacting you makes no sense (e.g. client is not a local resident or is outside your normal customer base).
- A client is based in, or conducts business in a country with known higher corruption, known organized criminal activity, is known tax haven or is known to have links to terrorist organizations.
- A client negotiates a purchase at market value or above asking price, but requests that a lower value be recorded on documents, paying the difference under the table.
- A client buys back a recently sold property, or is involved in multiple transactions (purchases and sales) for reasons unknown or that do not make sense; or a client sells a recently purchased property for no apparent reason.
- A client has been named in the media as being involved with criminal organizations is purchasing a residential property.
- The value of a property is not within the means of a client based on his stated occupation or income.
- A client insists on providing signatures for transactions through non-face-to-face means.
- A client over justifies or over explains a purchase, or exhibits unusual concerns regarding the agency's compliance with government reporting requirements and the firm's anti-money laundering principles.
Transactions
- Behaviour or transactions that are unusual compared to other similar clients. For example, high levels of assets or unusually large transactions compared to what might reasonably be expected of clients with a similar profile.
- Transactions involving an individual whose address is unknown, or is likely to be false.
- Transactions involving foundations, non-profit entities, where the characteristics of the transaction do not match the goals of the entity.
- Multiple transactions involving one party or transactions carried out by groups of legal persons that may be related, where the transactions are otherwise unusual.
- Transactions that use unusual or unnecessarily complex legal structures for no apparent legitimate business reason.
- Transactions where the parties do not show particular interest in the characteristics of the property (quality of construction, location, date on which it will be handed over, etc.).
- Transactions conducted by foreign or non-resident parties for the purpose of capital investment (e.g. clients do not show any interest in living at the property they are buying).
- Transactions that must be completed quickly, without reason.
- Transactions that make use of third party vehicles (e.g. trusts) may obscure the ownership or the buyer.
- Transactions involving complex loans or other obscure means of financing.
- Transactions involving foreign individuals where the property is paid entirely without using a mortgage.
- Transactions involving properties that are likely over- or under-valued, when compared to similar properties in the area.
- Transactions where the buyer has no interest in a property inspection, for no apparent reason.
Please note that the following indicator, when encountered, will place clients in the overall high-risk category, regardless of other factors:
- If you file a Terrorist Property Report, the client automatically becomes high-risk.
For more examples of how to assess risk for client and business relationships, see the Risk assessment guidance.
Relationship-based risk assessment worksheet
The following worksheet is for illustrative purposes (please see additional instructions in Annex B). Using this worksheet could be an easy way for your entity to present the inherent risks related to your business relationships, or you may develop your own worksheet.
This worksheet is to assess all your business relationships and high-risk clients. For more information on business relationships, see FINTRAC’s Business relationship requirements.
Note: The information below is provided as an example only. For more options, you can consult the matrix included in the Risk assessment guidance.
Column A: BUSINESS RELATIONSHIPS Identify all your business relationships or high-risk clients (individually or as groupings) |
Column B: RISK RATING Assess each business relationship (e.g. low, medium or high) |
Column C: RATIONALE Explain why you assigned that particular rating |
Column D: DESCRIBE ENHANCED MEASURES TO ASCERTAIN ID FOR HIGH-RISK BUSINESS RELATIONSHIPS |
Column E: DESCRIBE MITIGATION MEASURES FOR HIGH-RISK BUSINESS RELATIONSHIPS |
Column F DESCRIBE THE PROCESS TO KEEP CLIENT INFORMATION UP TO DATE FOR HIGH-RISK BUSINESS RELATIONSHIPS |
Column G: DESCRIBE ENHANCED ONGOING MONITORING FOR HIGH-RISK BUSINESS RELATIONSHIPS |
|---|---|---|---|---|---|---|
|
Low | A known local family purchasing a residential property with the intention of living there. | N/A | N/A | N/A | N/A |
|
High | A foreign client originating from a high-risk country who is interested in purchasing property for the sole purpose of capital investment. | Obtain additional information on the client, such as occupation, volume of assets, as well as publicly available information. Determine if there is third party involvement, and take reasonable measures to identify them. |
Increase awareness of higher-risk clients and transactions among agents and brokers. Require the first payment to be carried out from an account in the client's name through a bank subject to similar due diligence standards. |
Ask clients to confirm that their information is up to date by using the same measures taken to ascertain their identity (e.g. refer to an original birth certificate, passport, etc.). Ensure that the intended nature of the business relationship is kept up to date. |
Increase due diligence by knowing your client's motivations, purposes and objectives in purchasing property. |
|
ANNEX A
Instructions to complete the Business-based risk assessment worksheet (Products, services and delivery channels; geography; other relevant factors)
| Column A: | List of factors |
Describe your services, delivery channels, factors related to your geographical location(s) and other relevant factors. |
|---|---|---|
Column B: |
Risk rating |
Rate each risk factor (services, delivery channels, factors related to geographic location(s) and other relevant factor). Please note that the PCMLTFA and Regulations do not require you to use a low, medium and high scale. You could decide to have low and high risk categories or to have a more complex rating scale. A scale must be established, tailored to the size and type of business you have. |
Column C: |
Rationale |
Provide the reasons why you assigned a particular risk rating to each service, delivery channel, geography, or other relevant factor. You can make reference to a website, a publication, a report, etc. |
Column D: |
Describe mitigation measures for high-risk factors |
By law, all factors identified as "high-risk" must be addressed with documented mitigation measures. You have to write policies and procedures to explain how you are going to reduce and how you will control these risks in your day-to-day activities. Below are some examples of mitigation measures you may want to consider (not an exhaustive list):
For more examples of controls or ways to reduce risks, see the FINTRAC Risk assessment and Compliance program requirements guidance. |
ANNEX B
Instructions to complete the Relationship-based worksheet (clients and business relationships)
| Column A: | Business relationships or high-risk clients. |
Identify all your business relationships and high-risk clients. You may decide to risk assess each business relationship separately or to do so by groups that share similar characteristics. |
|---|---|---|
Column B: |
Risk rating |
Rate each business relationship. You can use a scale of low, medium and high to rate your business relationship. Please note that the PCMLFTA and Regulations do not require you to use a low, medium and high scale. You could decide to have low and high risk categories or to have a more complex rating scale. |
Column C: |
Rationale |
Provide the reasons why you assigned a particular risk rating to each client type/business relationship. |
Column D: |
Describe enhanced measures to ascertain the identity of high-risk clients or to confirm the existence of a high-risk entity |
You need to describe how identification was ascertained or how the existence of an entity was confirmed for each high-risk business relationship and high-risk client. Below are some examples:
For more information see Methods to identify individuals and confirm the existence of entities |
Column E: |
Describe mitigation measures for high-risk business relationship |
You need to put controls in place for each high-risk business relationship and high-risk client that you identified. Below are some examples of mitigation measures that you may want to consider (not an exhaustive list):
For more examples of controls or ways to reduce the risk, see Compliance program requirements. |
Column F: |
Describe how you will keep client information and beneficial ownership information up to date for high-risk business relationships |
You have to develop policies on how often and how you will update the client information of high-risk business relationships and high-risk clients. The information that needs to be updated generally includes:
Measures to keep client identification up to date include asking the client to provide information to confirm or update their identification information. For example, you may ask a client for an additional piece of identification. You may also confirm the information through public sources if available. For more information see When to identify individuals and confirm the existence of entities – Real Estate |
Column G: |
Describe enhanced monitoring for high-risk business relationships |
For all business relationships, you will need to conduct ongoing monitoring. This means that you will monitor your business relationships on a periodic basis for the purpose of:
However, for high-risk business relationships and high-risk clients, you need to conduct monitoring more frequently and with more scrutiny than with your other business relationships. This is called enhanced monitoring. Describe all aspects of your enhanced monitoring:
Examples of how enhanced monitoring is conducted and reviewed for high-risk business relationships:
For more information on enhanced ongoing monitoring, see Ongoing monitoring requirements . |
ANNEX C
Glossary and useful links
- Business relationship:
- You enter into a business relationship when a client opens an account or undertakes two or more transactions with you that require you to ascertain the identity of the client, regardless of whether the transactions are related to one another.
- Delivery channels:
- Medium that can be used to obtain a product or service, or through which transactions can be conducted.
- FINTRAC:
- The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), is Canada's financial intelligence unit.
- Inherent risk:
- Risk that exists before the application of controls or mitigation measures.
- Mitigation measures:
- Controls put in place to limit the potential money laundering and terrorist financing risks you have identified while conducting your risk assessment.
- Non-face-to-face transactions:
- Transactions where the client is not physically present (for example, Internet, telephone or mail)
- Risk-based approach:
-
In the context of ML/TF, a risk-based approach is a process that encompasses the following:
- The risk assessment of your business activities and clients using certain prescribed elements: Products, services and delivery channels; geography; clients and business relationships; and other relevant factors.
- The mitigation of risk through the implementation of controls and measures;
- Keeping client identification and, if required, beneficial ownership and business relationship information up to date; and
- The ongoing monitoring of transactions and business relationships.
- Third party:
- Individual or entity other than the individual who conducts the transaction. When you are determining whether a third party is involved, it is not about who "owns" the money, but rather about who gives instructions to deal with the money.
- Vulnerabilities:
- Elements of a business that could be exploited. In the ML/TF context, vulnerabilities could be weak controls within a business offering high-risk products or services.
Regulatory references:
http://laws-lois.justice.gc.ca/eng/acts/P-24.501/
http://laws-lois.justice.gc.ca/eng/regulations/SOR-2001-317/
http://laws-lois.justice.gc.ca/eng/regulations/SOR-2002-184/
http://laws-lois.justice.gc.ca/eng/regulations/SOR-2007-121/
http://laws-lois.justice.gc.ca/eng/regulations/SOR-2007-292/
Guidance References:
Guideline 1: Backgrounder
Guidance – Main Page
Real estate developers, brokers and sales representatives – Main Page
Reporting entities – Main Page
Risk-based approach
Compliance program requirements
FATF Money Laundering & Terrorist Financing Through the Real Estate Sector
http://www.fatf-gafi.org/publications/methodsandtrends/documents/moneylaunderingandterroristfinancingthroughtherealestatesector.html
FATF Guidance on the Risk-Based Approach for Real Estate Agents
http://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatfguidanceontherisk-basedapproachforrealestateagents.html
- Date Modified: