Risk-based approach workbook
FINTRAC has designed this workbook to help you with your risk-based approach (RBA). It is structured to help you identify risks by products, services and delivery channels; clients and business relationships; geography and other relevant factors. It will also help you implement effective measures and monitor the money laundering and terrorist financing (ML/TF) risks you may encounter as part of your activities and business relationships.
For more detailed information on implementing a risk assessment, please refer to the information contained in the FINTRAC Risk assessment and Compliance program requirements guidance.
Note: Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations including new technologies and developments as well as risk resulting from the activities of affiliates will be coming into force in June 2017. These new elements will be further developed in this guidance document in the coming months.
Who should use this document?
This document was designed for a business in the securities sector. A securities dealer is an individual or entity that is authorized under provincial legislation to engage in the following activities:
- dealing securities or other financial instruments; or
- providing portfolio management or investment advising services.
If you are an individual who is authorized to deal in securities or other financial instruments, but do so exclusively on behalf of another entity or individual who is a securities dealer, you are not considered to be a securities dealer under this definition.
How should you assess your risks?
As part of your risk assessment, you need to identify the areas of your business that are vulnerable to being used by criminals for conducting money laundering or terrorist financing (ML/TF) activities.
This means that you need to assess the risks associated with all your business services and activities. Specifically, you must address the following four areas:
- Products, services, and delivery channels;
- Geography;
- Clients and business relationships; and
- Other relevant factors.
To do so, you need to consider the types of clients you deal with, the products and services you provide, how you deliver your products or services and the location of your business and clients.
If you identify situations that represent a high risk for ML/TF activities, you need to control these risks by implementing mitigation measures, including conducting enhanced ongoing monitoring and keeping client information up to date. This will be explained further in the document.
Risk-based approach cycle
The following cycle represents the main steps of your risk-based approach:
- identification of your inherent risks;
- creating risk-reduction measures and key controls;
- implementing your risk-based approach; and
- reviewing your risk-based approach.
Identification of your inherent risks
Products, services and delivery channels:
Products, services and delivery channels offered that may pose higher risks of ML/TF.
Geography:
Location of your business and activities in relation to certain landmarks, populations or events.
Other relevant factors:
Other factors that are relevant to your business.
Clients and business relationships:
Inherent risks linked to the nature and type of business that your clientele has with you through:
- the products, services and delivery channels they utilize;
- their geography; and
- their characteristics and patterns of activities.
Create risk-reduction measures and key controls
Risk mitigation is about implementing controls to limit the ML/TF risks you have identified while conducting your risk assessment.
When your risk assessment determines that risk is high for ML/TF, you will have to develop written risk mitigation strategies and apply them to the high-risk situations or clients you have identified.
Implement your risk-based approach
Once you have gone through the risk assessment exercise, you will apply your risk-based approach as part of your day-to-day activities.
It is important that your compliance policies and procedures are communicated, understood and adhered to by all the staff dealing with clients.
Review your risk-based approach
Part of your risk assessment must also include a periodic review (minimum every 2 years) to test the effectiveness of your compliance regime.
This will help evaluate the need to modify existing policies and procedures or to implement new ones. A risk-based approach is not a static exercise. The risks identified will change or evolve over time as new products or new threats enter your business context.
To assess your inherent risks more effectively, you can divide your risk assessment into two parts:
- Business-based risk assessment: your products, services and delivery channels; the geographical location in which your business operates along with other relevant factors.
- Relationship-based risk assessment: products and services your clients utilize, the geographical locations in which they operate or do business as well as their activities, transaction patterns, etc.
It is important to note that there is no prescribed methodology for the assessment of risks. What follows is FINTRAC's suggested assessment process, which will need to be adapted to your business situation. Although presented separately, parts 1 and 2 could be done simultaneously. You can also create your own assessment process.
1 - Business-based risk assessment
Products, services and delivery channels
Begin your risk assessment by taking a business-wide perspective. As a securities dealer, you must assess all your products, services and delivery channels to determine if they pose a high risk of ML/TF. This may include, but is not limited to:
- Stock, bond or derivatives trading
- Portfolio management
- Investment funds distribution
- Non-face-to-face client identification (such as online or with the use of agents in foreign jurisdictions)
- Bearer securities
- Special programs or account types
- Order execution only services or accounts
- Underwriting activity for issuers based in emerging markets
- Private placements and other prospectus-exempt products
- Custody of client assets
- Lending money (providing margin) to clients
- Transfers of client cash (e.g. wire transfers) or securities
You may want to consider the following:
- Assess the products and services by the type of client they are meant for, such as institutional or retail (e.g. small corporate, individuals, registered vs non-registered accounts, etc.)
- Do the products and services you provide allow your client to engage in high-risk transactions? For example, can your clients transfer OTC certificates, or wire funds to or from offshore jurisdictions?
- How do you provide your products and services? Do clients have to come to your location to access products and services or can they conduct a transaction or open an account over the phone or online?
Some examples of potentially high-risk products, services and delivery channels are:
- Non-face-to-face transactions or accounts that are opened online especially when this differs from your normal business practices. These transactions and accounts can pose a higher risk because of greater client anonymity.
- High-value transactions, especially when third-party involvement is suspected.
- Offering clients the ability to transfer securities electronically. This poses a higher ML risk because of the ease of transfer of the instrument, the potential lack of transparency associated with transfers and the ability to transfer across borders.
For examples on how to assess risk for products, services and delivery channels, see the Risk assessment guidance.
Geography
Assess whether your own office location, the countries to which you transfer funds, and the countries from which you receive funds could pose a high risk for ML/TF activities.
In the assessment of your geography, you have to consider whether the geographic locations in which you operate or undertake activities potentially pose a high risk for money laundering and terrorist financing. Depending on your business and operations, this can range from your immediate surroundings, whether rural or urban, to a province or territory, multiple jurisdictions within Canada (domestic) or other countries.
Some examples of geographic elements that need to be reflected in your assessment are:
- The location of clients in relation to your business. You should consider the client's reason for using the firm's services at a particular location (e.g. whether the client has gone out of their way to use the firm).
- Motivations of foreign clients, who may use Canadian securities accounts to legitimize the source of funds in their own countries because of Canada's financial stability.
- The jurisdictions across which your securities transactions occur, and particularly high-risk jurisdictions.
- If you provide services to foreign clients who are based in countries subject to sanctions, embargoes or other measures, you should consider that as high-risk. For example, the United Nations will occasionally issue an advisory about a certain country. Refer to:
For more examples on how to assess risk for geographic locations, see the Risk assessment guidance.
Other factors relevant to your business (if applicable)
Assess other factors that may apply to your business that do not fall in the other categories. There may be something about your business that can make it more attractive to individuals who want to carry out ML/TF activities.
Some examples that may apply to you are:
- Your operational structure, size, number of branches, and employees, such as:
  - A business experiencing a period of high employee turnover.
  - The use of identification agents or mandataries to confirm the identity of clients, which can lead to an overreliance on the Know Your Client (KYC) assessments done by others.
- As part of the compliance program, securities dealers will have to consider any risk resulting from the activities of:
  - an entity that is affiliated with them and that is a securities dealer (or another type of RE affiliate such as life insurance);
  - a foreign entity that is affiliated with them and that carries out securities dealer activities (or another type of RE affiliate such as life insurance).
Note: Further guidance will be developed on this element in the coming months.
Business-based risk assessment worksheet
The following worksheet is for illustrative purposes only (please see additional instructions in Annex A). Using this worksheet could be an easy way for your entity to present the inherent risks related to your business, or you may develop your own worksheet.
Note: The information below is provided as an example only. Your entity may have more risk factors to consider. Furthermore, you may have different risk ratings. For more options, you can consult the matrix included in the Risk assessment guidance.
Worksheet columns:
- List of factors: identify all the factors that apply to your business (i.e. products, services and delivery channels; geography; other relevant factors).
- Assess each factor (e.g. low, medium or high).
- Explain why you assigned that particular rating.
- Describe mitigation measures for high risks identified in column A (the list of factors).
Example rationale entries from the illustrative worksheet:
- Connections with banks, lawyers or accountants can be exploited for ML/TF. This is especially true for junior professionals lacking AML experience and banks that allow clients to transfer securities revenues electronically.
- Bearer securities are easily transferable and can provide a certain level of anonymity.
- Online services pose a higher risk in terms of client identification.
2 - Relationship-based risk assessment (i.e. your clients)
If you have a business relationship, you need to make a risk assessment based on the inherent characteristics of your client. This can be done based on the combination of the following factors, some of which were identified in the previous section:
- The products, services and delivery channels your client uses;
- The geography related to your client (at which location is the client conducting the transaction and to/from which country is the client sending/receiving money); and
- Your client's characteristics and your client's activities and transaction patterns.
However, it is possible that your business is dealing with clients outside of a business relationship. The interactions with these clients may be sporadic (e.g. few transactions over time that are under the identification threshold requirement or even a single transaction). As such, there will not be a lot of information available for your business to fully assess this client (as opposed to a client in a business relationship with information, patterns of activities, etc.). The risk assessment of such clients will most likely focus on the monitoring of transactions as opposed to having a client file. This monitoring is basically your obligation to report a suspicious transaction if you suspect that the transaction is related to a money laundering or terrorist financing offence.
If you do not have business relationships, it is not necessary for you to complete the Relationship-based risk assessment worksheet. However, if you have high-risk clients outside a business relationship, you need to include them in the following worksheet.
Below are some examples of client and transaction characteristics that can be considered high-risk:
Note: This list is not exhaustive.
Client Due Diligence (CDD) / Know Your Client (KYC)
- The client is interested in paying higher charges to the securities firm in order to keep some of his or her information secret.
- The client acts through intermediaries, such as money managers or advisers, lawyers or accountants, in order not to have his or her identity registered.
- The client (person or entity) is reluctant to provide the securities firm with complete information about the nature and purpose of their business, prior financial relationships, anticipated account activity or the entity's directors or business location.
- The client insists on investing in securities that are inconsistent with his or her profile, even when more suitable securities are suggested.
- The client refuses to identify the source of funds or provides the securities firm with information that is false, misleading or substantially incorrect.
- The client is reluctant to meet personnel from the securities firm in person, is very secretive or evasive, or becomes defensive when asked to provide more information.
- The person or entity is located in a jurisdiction that is known as a bank secrecy haven, a tax shelter, or a high-risk geographic location.
- A client who is not a local resident or is outside your normal customer base.
- A client that uses firms located in numerous jurisdictions to open multiple accounts.
- A foreign-based client that uses domestic accounts to trade on foreign exchanges through a foreign affiliate with different AML controls and identification practices.
- The client has a history of changing financial advisors or using multiple firms or banks.
- The client's account is not used for its intended purpose, or the client's transaction patterns suddenly change in a manner that is inconsistent with their normal activities (e.g. client makes extremely complex transactions or deposits securities in amounts that are inconsistent with their profile).
- The company has no apparent business, revenues or products, suggesting that a shell company may be in use for securities purposes.
- Individuals with known predicate offenses such as insider trading, market manipulation or securities fraud.
- The value of the securities deposited into the account does not correspond with the client profile.
- The client exhibits unusual concern with the firm's compliance with government reporting requirements or the firm's anti-money laundering or anti-terrorist financing policies.
- You are aware or you become aware, from a reliable source (that can include media or other open sources), that a client is suspected of being involved in illegal activity.
- The client's address is associated with multiple accounts that do not appear to be related.
- A client's trading patterns suggest that he or she may have inside information.
- The client receives many incoming cheques or wire transfers from unrelated third parties when their profile does not suggest a legitimate business reason for receiving third party deposits.
- The client makes numerous outgoing payments to third parties shortly before or after receiving multiple third party cheques or wire transfers.
Domestic Politically Exposed Person and Head of an International Organization
- Once you have determined that a person is a domestic PEP, a HIO, or the family member or close associate of one, you must assess whether that person poses a high risk for committing a money laundering or a terrorist activity financing offence.
- If you assess the risk to be high, then the person must be treated as a high-risk client.
- Securities or funds transfers between apparently unrelated parties.
- Physical securities titles do not correspond to the name on the account.
- Transfers of funds to financial or banking institutions other than those initially identified, specifically when other countries are involved.
- Wire transfers or payments to or from unrelated third parties (foreign or domestic), especially when the name or account number of the beneficiary or remitter has not been supplied.
- Securities accounts used for payments or outgoing wire transfers with little or no securities activities.
- Cashing bearer securities without first depositing them or withdrawals of funds after a very short period in the account.
- The deposit of bearer securities together with a request to journal the shares into multiple accounts that do not appear to be related, or to sell or otherwise transfer ownership of the shares.
- Transactions where one party purchases securities at a high price and then sells them at a considerable loss to another party. This may be indicative of transferring value from one party to another (could also be indicative of market manipulation).
- A dormant account that suddenly becomes active without a plausible explanation (e.g. large cash deposits that are suddenly wired out).
- Transactions showing that the client is acting on behalf of a third party, or transactions involving an unknown counterparty.
- A client purchases an investment product with no concern for investment objective or performance, or who exhibits a lack of concern about higher than normal transaction costs.
- A client's explanation regarding the method of acquiring physical securities does not make sense or changes, especially when depositing a large number of physical securities.
- A client who has a significant history with a securities firm abruptly liquidates all of his or her assets in order to remove wealth from the jurisdiction, regardless of fees or penalties.
Please note that the following indicators, when encountered, will place clients in the overall high-risk category, regardless of other factors:
- If you file a Terrorist Property Report, the client automatically becomes high-risk;
- An individual with foreign government connections (Politically Exposed Foreign Persons);
- The entity has a complex structure that conceals the identity of beneficial owners.
For more examples of how to assess risk for client and business relationships, see the Risk assessment guidance.
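As an added example (not part of the FINTRAC workbook), the following Python sketch models the relationship-based assessment described above: each business relationship or grouping is rated on the three factor groups (products, services and delivery channels; geography; client characteristics and transaction patterns), the three indicators that place a client in the high-risk category regardless of other factors are applied as overrides, a domestic PEP or HIO is flagged for the specific assessment the workbook requires, and every high-risk row is tagged with the four kinds of measures the worksheet asks you to describe. The combination rule (the highest factor rating carries), the low/medium/high scale and the sample clients are assumptions of this example; the workbook prescribes no formula and no particular scale.

```python
from dataclasses import dataclass, field
from typing import List

# Rating scale used by this example (an assumption). The workbook does not require
# low/medium/high; any scale tailored to the business can be substituted for RANK.
LOW, MEDIUM, HIGH = "low", "medium", "high"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}

# The four things the relationship-based worksheet asks you to describe for every
# high-risk business relationship or high-risk client.
HIGH_RISK_MEASURES = [
    "enhanced measures to ascertain identity / confirm existence",
    "documented mitigation measures",
    "process to keep client information and beneficial ownership up to date",
    "enhanced ongoing monitoring",
]

# Indicators that place the client in the high-risk category regardless of other factors.
OVERRIDES = [
    ("terrorist_property_report_filed", "a Terrorist Property Report was filed"),
    ("foreign_pep", "politically exposed foreign person"),
    ("complex_structure_conceals_owners", "complex structure conceals the beneficial owners"),
]


@dataclass
class Client:
    """One business relationship or grouping of similar clients (constructed input)."""
    name: str
    products_risk: str          # products, services and delivery channels the client uses
    geography_risk: str         # where the client is located and where money is sent/received
    characteristics_risk: str   # client characteristics, activities and transaction patterns
    terrorist_property_report_filed: bool = False
    foreign_pep: bool = False
    complex_structure_conceals_owners: bool = False
    domestic_pep_or_hio: bool = False   # needs a specific assessment, not automatic high risk


@dataclass
class Assessment:
    name: str
    rating: str
    rationale: List[str] = field(default_factory=list)
    measures: List[str] = field(default_factory=list)   # empty unless the rating is high


def assess(client: Client) -> Assessment:
    """Rate one business relationship the way the worksheet columns describe."""
    factors = {
        "products, services and delivery channels": client.products_risk,
        "geography": client.geography_risk,
        "client characteristics and transaction patterns": client.characteristics_risk,
    }
    for name, rating in factors.items():
        if rating not in RANK:
            raise ValueError(f"{client.name}: {name} has unknown rating {rating!r}")

    # Overrides first: any one of them makes the client high-risk whatever the factors say.
    hits = [text for attr, text in OVERRIDES if getattr(client, attr)]
    if hits:
        rationale = [f"automatic high risk: {text}" for text in hits]
        return Assessment(client.name, HIGH, rationale, list(HIGH_RISK_MEASURES))

    # Assumption of this example: the highest of the three factor ratings carries.
    rating = max(factors.values(), key=lambda r: RANK[r])
    rationale = [f"{name} rated {value}" for name, value in factors.items()]
    if client.domestic_pep_or_hio:
        rationale.append("domestic PEP/HIO: assess whether this person poses a high ML/TF risk before finalizing")
    measures = list(HIGH_RISK_MEASURES) if rating == HIGH else []
    return Assessment(client.name, rating, rationale, measures)


def worksheet(clients: List[Client]) -> List[Assessment]:
    """Relationship-based worksheet: one row per business relationship or grouping."""
    return [assess(c) for c in clients]


# Constructed sample relationships, modelled on the worksheet's illustrative rows.
SAMPLE_CLIENTS = [
    Client("Retail clients with consistent transaction patterns", LOW, LOW, LOW),
    Client("Foreign client in a high-risk jurisdiction using a Canadian account", MEDIUM, HIGH, MEDIUM),
    Client("Holding company whose structure conceals its beneficial owners", LOW, LOW, LOW,
           complex_structure_conceals_owners=True),
    Client("Domestic PEP with low-risk products and medium-risk geography", LOW, MEDIUM, LOW,
           domestic_pep_or_hio=True),
]

if __name__ == "__main__":
    for row in worksheet(SAMPLE_CLIENTS):
        print(f"{row.name}: {row.rating}")
        for line in row.rationale + row.measures:
            print("   -", line)
```

The overrides are checked before the factor ratings on purpose: the workbook says these indicators place the client in the high-risk category whatever else is true, so no combination rule should be able to dilute them. The domestic PEP/HIO case is deliberately not an override; the rationale carries a reminder that the specific assessment still has to be done and documented.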
Relationship-based risk assessment worksheet
The following worksheet is for illustrative purposes (please see additional instructions in Annex B). Using this worksheet could be an easy way for your entity to present the inherent risks related to your business relationships, or you may develop your own worksheet.
This worksheet is to assess all your business relationships and high-risk clients. For more information on business relationships, see FINTRAC’s Business relationship requirements.
Note: The information below is provided as an example only. For more options, you can consult the matrix included in the Risk assessment guidance.
Worksheet columns:
- Identify all your business relationships or high-risk clients (individually or as groupings).
- Assess each business relationship (e.g. low, medium or high).
- Explain why you assigned that particular rating.
- Describe enhanced measures to ascertain ID for high-risk business relationships.
- Describe mitigation measures for high-risk business relationships.
- Describe the process to keep client information up to date for high-risk business relationships.
- Describe enhanced ongoing monitoring for high-risk business relationships.
Example business relationships or client groupings from the illustrative worksheet:
- Clients with consistent transaction patterns whose accounts are used for their intended purposes.
- A foreign client based in a high-risk jurisdiction who uses a Canadian account for securities purposes.
Example measures listed for the high-risk relationship (enhanced identification, mitigation, keeping information up to date and enhanced monitoring):
- Gather additional documents, data or information; or take additional steps to verify the documents obtained.
- Determine if there is third party involvement in a transaction, and take reasonable measures to identify and record the individual's, entity's or corporation's information.
- Obtain the approval of senior management to enter into or maintain the business relationship.
- Obtain information on the source of wealth of the client.
- Establish transaction limits for certain high-risk business relationships.
- Ask the client to provide information to confirm or update their identification information at every transaction that requires ID.
- Obtain additional information on the client (e.g. occupation, volume of assets, information available through public databases, internet, etc.).
- Obtain information on your client's motivations, purposes and objectives in utilizing your services.
- Set parameters for transactions that will trigger early warning signals and require a mandatory review.
Annex A: Instructions to complete the Business-based risk assessment worksheet (Products, services and delivery channels; geography; other relevant factors)
List of factors
Describe your products, services, delivery channels, factors related to your geographical location(s) and other relevant factors.
Rate each risk factor (products, services, delivery channels, factors related to geographic location(s) and other relevant factors).
Please note that the PCMLTFA and Regulations do not require you to use a low, medium and high scale. You could decide to have low and high risk categories or to have a more complex rating scale. A scale must be established, tailored to the size and type of business you have.
Provide the reasons why you assigned a particular risk rating to each product, service, delivery channel, geography, or other relevant factor. You can make reference to a website, a publication, a report, etc.
Describe mitigation measures for high-risk factors
By law, all factors identified as “high-risk” must be addressed with documented mitigation measures. You have to write policies and procedures to explain how you are going to reduce and how you will control these risks in your day-to-day activities.
Below are some examples of mitigation measures you may want to consider (not an exhaustive list):
Annex B: Instructions to complete the Relationship-based worksheet (clients and business relationships)
Business relationships or high-risk clients
Identify all your business relationships and high-risk clients. You may decide to risk assess each business relationship separately or to do so by groups that share similar characteristics.
Rate each business relationship.
You can use a scale of low, medium and high to rate your business relationships. Please note that the PCMLTFA and Regulations do not require you to use a low, medium and high scale. You could decide to have low and high risk categories or to have a more complex rating scale.
Provide the reasons why you assigned a particular risk rating to each client type/business relationship.
Describe enhanced measures to ascertain the identity of high-risk clients or to confirm the existence of a high-risk entity
You need to describe how identification was ascertained or how the existence of an entity was confirmed for each high-risk business relationship and high-risk client.
Below are some examples:
For more information see Methods to identify individuals and confirm the existence of entities and beneficial ownership requirements.
Describe mitigation measures for high-risk business relationships
You need to put controls in place for each high-risk business relationship and high-risk client that you identified.
Below are some examples of mitigation measures that you may want to consider (not an exhaustive list):
For more examples of controls or ways to reduce the risk, see Compliance program requirements.
Describe how you will keep client information up to date for high-risk business relationships
You have to develop policies on how often and how you will update the client information of high-risk business relationships and high-risk clients.
The information that needs to be updated generally includes:
Measures to keep client identification up to date include asking the client to provide information to confirm or update their identification information. For example, you may ask a client for an additional piece of identification. You may also confirm the information through public sources if available.
Keep beneficial ownership up to date
You need to keep the beneficial ownership of all your high-risk business relationships up to date. Describe the frequency and your process to update this information in this section of the worksheet.
For more information see When to identify individuals and confirm the existence of entities – Securities and Beneficial ownership requirements.
Describe enhanced monitoring for high-risk business relationships
For all business relationships, you will need to conduct ongoing monitoring. This means that you will monitor your business relationships on a periodic basis for the purpose of:
However, for high-risk business relationships and high-risk clients, you need to conduct monitoring more frequently and with more scrutiny than with your other business relationships. This is called enhanced monitoring.
Describe all aspects of your enhanced monitoring:
Examples of how enhanced monitoring is conducted and reviewed for high-risk business relationships:
For more information on enhanced ongoing monitoring, see Ongoing monitoring requirements.
Glossary and useful links
- Affiliated entities:
- An entity is affiliated with another entity if one wholly owns the other, if both are wholly owned by the same entity, or if their financial statements are consolidated.
- Beneficial ownership:
- Beneficial ownership refers to the identity of the individuals who ultimately control a corporation or entity. You must search through as many levels of information as necessary in order to determine beneficial ownership.
- Business relationship:
- You enter into a business relationship when a client opens an account or undertakes two or more transactions with you that require you to ascertain the identity of the client, regardless of whether the transactions are related to one another.
- Delivery channels:
- Medium that can be used to obtain a product or service, or through which transactions can be conducted.
- FINTRAC:
- The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) is Canada's financial intelligence unit.
- Inherent risk:
- Risk that exists before the application of controls or mitigation measures.
- Mitigation measures:
- Controls put in place to limit the potential money laundering and terrorist financing risks you have identified while conducting your risk assessment.
- Non-face-to-face transactions:
- Transactions where the client is not physically present (for example, Internet, telephone or mail).
- Politically exposed persons and Head of an international organization:
- A politically exposed person (PEP) or the head of an international organization (HIO) is a person entrusted with a prominent position that typically comes with the opportunity to influence decisions and the ability to control resources. The influence and control a PEP or HIO has puts them in a position to impact policy decisions, institutions and rules of procedure in the allocation of resources and finances, which can make them vulnerable to corruption.
- Risk-based approach:
- In the context of ML/TF, a risk-based approach is a process that encompasses the following:
- The risk assessment of your business activities and clients using certain prescribed elements: Products, services and delivery channels; geography; clients and business relationships; and other relevant factors.
- The mitigation of risk through the implementation of controls and measures;
- Keeping client identification and, if required, beneficial ownership and business relationship information up to date; and
- The ongoing monitoring of transactions and business relationships.
- Third party:
- Individual or entity other than the individual who conducts the transaction. When you are determining whether a third party is involved, it is not about who "owns" the money, but rather about who gives instructions to deal with the money.
- Vulnerabilities:
- Elements of a business that could be exploited. In the ML/TF context, vulnerabilities could be weak controls within a business offering high-risk products or services.
Guideline 1: Backgrounder
Guidance – Main Page
Securities – Main Page
Reporting entities – Main Page
Politically exposed persons and head of international organizations: Securities
Compliance program requirements
FATF Report: Money Laundering and Terrorist Financing in the Securities Sector: