FINTRAC Policy Interpretations

Ongoing Monitoring

Updating client identification information for ongoing monitoring

Question:

Do we have to check ID again when we update client information as part of the ongoing monitoring?

Answer:

With respect to ongoing monitoring (OM), REs are required to keep client identification information, beneficial ownership information, and the purpose and intended nature of the business relationship record up-to-date (see subsection 1(2) of the PCMLTFR). The requirement to re-verify identity only applies when an RE has doubts about previously gathered information (see section 63 of the PCMLTFR).

FINTRAC has said in the past that in order to meet the requirement to keep up-to-date information on the identities of clients, it is not necessary to re-verify the client’s identity according to the methods to ID. It is only necessary to update the information on the client’s identity. While neither the PCMLTFA nor its associated Regulations specify the elements of client identification information that must be updated, the elements that an RE updates should be identified in its policies and procedures and need to support what is required for its documented risk-based approach (e.g. name, address, DOB, etc.).

Therefore, to answer your question, you would not be required to re-do the credit-file method of ID in order to meet your OM obligations. All you are required to do is keep the information up-to-date. In an online environment, you could do this, for example, by prompting the client to confirm their account information periodically. Alternatively, you could re-do the credit file method of ID to review/update the client’s identification information.

Date answered: 2019-11-26

PI Number: PI-10458

Activity Sector(s): Accountants, British Columbia notaries, Casinos, Dealers in precious metals and stones, Financial entities, Life insurance, Money services businesses, Real estate, Securities dealers

Obligation(s): Ongoing Monitoring

Regulations: 1(2)

Ongoing Monitoring - triggers vs. schedule

Question:

The guidance doesn’t specifically say how often we’re supposed to be doing ongoing monitoring, or on what schedule. Does it have to be on a specific schedule?

In our business, it makes more sense to put in place a system that makes us consider each part of ongoing monitoring at different times, based on certain triggering events or activities. For example, it doesn’t makes sense for us to update client identification information every time the client conducts a transaction with us, but every transaction is checked against the what we know about the client to see if we have to reassess their risk, and is considered for suspicious reporting purposes.

Are we allowed to use triggers or alerts to determine when we should be considering each part of ongoing monitoring? Can these be different triggers for different reasons, at different points during the business relationship?

Answer:

Subsection 1(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) defines “ongoing monitoring” as the monitoring of a business relationship on a periodic basis based on the risk assessment undertaken. In accordance with the definition, the purpose of ongoing monitoring is to:

  1. detect any suspicious transactions that are required to be reported to FINTRAC;
  2. keep client identification information, beneficial ownership information, and the purpose and intended nature of the business relationship record up to date;
  3. re-assess the level of risk associated with a client’s transactions and activities; and
  4. determine whether the transactions or activities are consistent with the information obtained about a client, including the risk assessment of the client.

A record must be kept of the measures taken for ongoing monitoring and the information obtained as a result of the ongoing monitoring of a business relationship. The record for the measures taken can be part of your overall policies and procedures. However, if you use a different monitoring process, other than what is documented in the policies and procedures, you have to record these measures separately.

Any information obtained as a result of ongoing monitoring will generate its own record associated with the client for which ongoing monitoring was conducted.

Because you must monitor business relationships periodically, based on the risk assessment of the business relationship, keeping in mind the purpose of ongoing monitoring, periodic cannot be never.

The PCMLTFA and its associated Regulations do not, however, specify how to fulfill the ongoing monitoring requirements. While the ongoing monitoring process can be based on a set schedule, it can also be a process that relies on transactions, alerts or triggering events that signify when each element of the definition must occur. For example, you could have a system in place that relies on specific alerts or triggering events to signify when to assess a transaction to determine if an STR should be submitted to FINTRAC. The same type of triggering system may also work to identify when you need to reassess client risk and determine if their activities remain consistent with what is known about that client.

It is also possible to rely on a system of alerts or triggers to fulfil the requirements related to keeping client identification information, beneficial ownership information and the purpose and intended nature of the business relationship up to date. For example, it is possible for client identification information to be updated every time the client requests a new product or service, enters a branch, opens an account, or is queried as part of an online process, etc.

The use of this type of process, that relies on trigger events/alerts and allows ongoing monitoring to occur outside of a set frequency or schedule, would meet the requirement to conduct ongoing monitoring of a business relationship on a periodic basis.

Whether the process is based on a schedule, alerts, or triggering events, it must be comprehensive enough to address ALL four elements of ongoing monitoring for all of your business relationships. For example, if you are relying on triggers to keep client identification information up to date, you will be assessed on the comprehensive and consistent nature of these triggers across all business lines and how effective they are at prompting you to keep client identification information up to date. In the event that lower risk clients are not conducting any of the triggering activities that would prompt you to update client identification information, you are required to have a process in place to ensure that you update client identification information at some point within the duration of the business relationship.

Furthermore, it should be noted that if you consider there is a high risk of a money laundering or terrorist activity financing offence, then as per section 71.1 of the PCMLTFR you must take special measures to mitigate the risks identified. These measures include: keeping client identification information and beneficial ownership information up to date, conducting ongoing monitoring more frequently for the purpose of detecting reportable suspicious transactions, and taking any other enhanced measure to mitigate the risks.The reference to frequency in the FINTRAC ongoing monitoring guidance is meant to convey the expectations for special measures that must be taken for high-risk clients. Some examples of how this might work could include, but are not limited to the following.

  • relying on a schedule for all or part of your ongoing monitoring, where you would monitor high-risk business relationships more frequently
  • a system of triggers or alerts that runs continuously against your database and across all business lines , which means that the frequency cannot be increased, but you are still required to conduct enhanced ongoing monitoring which includes taking measures to mitigate the identified risk.

 

During an assessment, FINTRAC will look at overall ongoing monitoring processes to assess whether they are effective, provide adequate coverage, and are aligned with your risk-based approach. We will apply reasonability for lower risk clients that pose little risk of a money laundering offence or a terrorist activity financing offence, as long as you can demonstrate that your policies and procedures adequately capture how you monitor low-risk clients and that procedures cover and are effective across all of your business lines.

It is worth noting that the requirement to update client identification information does not require that you re-identify the client in accordance with the methods to ascertain identity; only that client identification information is to be kept up to date. The PCMLTFA and its associated Regulations do not specify the elements of client identification information that must be updated, but the elements that you update should be identified in your policies and procedures and need to support what is required for your documented risk-based approach. For all elements of the ongoing monitoring requirement, the measures in place must be sufficiently comprehensive and provide coverage across all business lines, products and services to ensure that monitoring will occur for all clients.

 

Date answered: 2018-05-01

PI Number: PI-8446

Activity Sector(s): Accountants, British Columbia notaries, Casinos, Dealers in precious metals and stones, Financial entities, Life insurance, Money services businesses, Real estate, Securities dealers

Obligation(s): Ongoing Monitoring

Guidance: Ongoing monitoring requirements

Regulations: 11.1(1)

Business relationship and ongoing monitoring

Question:

We are seeking clarification regarding the establishment of a business relationship and the related ongoing monitoring requirements of real estate brokers and sales representatives, and when these must occur.

Answer:

As per subsection 1(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), a business relationship means “any relationship with a client, established by a person or entity to which section 5 of the Act applies, to conduct financial transactions or provide services related to those transactions and, as the case may be,

(a) if the client holds one or more accounts with that person or entity, all transactions and activities relating to those accounts; or

(b) if the client does not hold an account, only those transactions and activities in respect of which that person or entity is required to ascertain the identity of a person or confirm the existence of an entity under these Regulations.

It does not include any transaction or activity referred to in paragraph 62(1)(a), (b) or (d) or subsection 62(2) or (3).”

The FINTRAC guidance: Business relationship requirements, explains that in the case of real estate brokers and sales representatives, non-account-based business relationships are formed when two transactions or activities occur within a period of 5 years that require a person’s identity be ascertained or, in the case of an entity, that its existence be confirmed. This is the case regardless of whether an exception applies, such as, if the real estate broker or sales representative believes that taking reasonable measures to ascertain the identity of a person who conducts or attempts to conduct a suspicious transaction would inform them that a suspicious transaction report (STR) will be made. The terms “transaction” and “activity” are to be understood within the context of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated Regulations. Consequently, for real estate brokers and sales representatives the forming of a business relationship is not limited to the single purchase or sale transaction, but rather any transaction or activity that may occur during the course of the purchase or sale of real estate for which the identity of the client must be ascertained or its existence confirmed.

Pursuant to subsection 63(1) of the PCMLTFR, a real estate broker or sales representative is not required to ascertain the identity of a person or confirm the existence of an entity again if they have already done so in accordance with the PCMLTFR, have kept the associated records, and have no doubts about the information used for that purpose. Therefore, for a purchase or sale of real estate, if a real estate broker or sales representative ascertained the identity of a person because they were required to keep a client information record, and the person provides a deposit that requires a receipt of funds record to be kept, the real estate broker or sales representative is not required to re-ascertain the identity of the person for the receipt of funds record, unless they have doubts. That said, a business relationship is formed because the real estate broker or sales representative, despite using the exemption found at subsection 63(1) of the PCMLTFR, was required to ascertain the person’s identity in these two instances. As explained above, it is the number of obligations to ascertain the identity of a person that counts towards the establishment of a business relationship.

Once a business relationship is formed, section 52.1 of the PCMLTFR requires that a record be kept of the purpose and intended nature of the business relationship. Additionally, section 59.21 of the PCMLTFR states that “a real estate broker or sales representative that is required to ascertain a person’s identity or confirm an entity’s existence shall
(a) conduct ongoing monitoring of their business relationship with that person or entity; and
(b) keep a record of the measures taken and the information obtained under paragraph (a).”

Ongoing monitoring is defined at subsection 1(2) of the PCMLTFR as “monitoring on a periodic basis based on the risk assessment undertaken in accordance with subsection 9.6(2) of the Act and subsection 71(1) of these Regulations, by a person or entity to which section 5 of the Act applies of their business relationship with a client for the purpose of
(a) Detecting any transactions that are required to be reported in accordance with section 7 of the Act;
(b) Keeping client identification information and the information referred to in sections 11.1 and 52.1 up to date;
(c) Reassessing the level of risk associated with the client’s transactions and activities; and
(d) Determining whether transactions or activities are consistent with the information obtained about their client, including the risk assessment of the client.”

In this regard, it is FINTRAC's expectation that the requirement set out at paragraph (a), to detect transactions that are to be reported in accordance with section 7 of the PCMLTFA (i.e. STRs), must occur with every transaction or attempted transaction, regardless of whether it is the first, second, or any subsequent transaction. The same is true for the requirement at paragraph (c), to assess the level of risk associated with a client’s transactions and activities. The requirement at paragraph (d), to determine whether the transactions or activities are consistent with the information obtained about the client, must begin when the business relationship is formed. Lastly, the ongoing monitoring requirements in relation to paragraph (b), keeping client identification information up to date, could occur at the transaction subsequent to the forming of the business relationship.

It is important to note that, pursuant to subsection 9.6(3) of the PCMLTFA, if at any time (in or out of a business relationship), a real estate broker or sales representative considers the level of risk associated with a client to be high, the prescribed special measures at section 71.1 of the PCMLTFR must be taken, which includes the requirement to conduct ongoing monitoring more frequently and the requirement to keep client identification information up to date.

The forming of a business relationship and the related ongoing monitoring requirements help reporting entities to know who they are dealing with and to determine any risks or suspicions that may arise. This not only helps to strengthen a business’ practices, but also contributes to the fight against money laundering and terrorist financing within Canada.

Date answered: 2017-09-27

PI Number: PI-8126

Activity Sector(s): Real estate

Obligation(s): Business Relationship, Ongoing Monitoring

Guidance: Business relationship requirements

Regulations: 1(2),63(1), 52.1,

Act: 9.6(3)

Recognizing a client

Question:

I am seeking clarification in regards to the exception to ascertain the identity of an existing client that is recognized by the financial entity. Specifically, FINTRAC's guidance indicates that a financial entity does not need to obtain, for a second time, the identification information of an individual as long as they recognize the individual (visually or by voice).

However, we do not meet our clients face-to-face to ascertain their identity, as we rely on our solicitors to ensure the proper steps have taken place. For example, the original loan funded with a Solicitor and the Solicitor (most often by Borrower's solicitors) verifies the ID and meets with the client, at renewal, the client comes to us directly unless new security documents are required. At the renewal stage, the people involved in processing the loan cannot confirm whether or not they recognize the client. In some cases, our team whom brought in the client may recognize the Borrower but they are not processing the loan, would this qualify as recognizing them, as long as a member of the financial entity can confirm that the client is who they say they are?

Can you please provide some clarification as to what is expected of the financial entity and some guidance in this matter?

Answer:

Amendments have been made to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR). Previously, subsection 63(1) of the PCMLTFR specified that “where a person has ascertained the identity of another person in accordance with section 64, the person is not required to subsequently ascertain that same identity again if they recognize that other person”. Subsection 63(1.1) of the PCMLTFR further stated that “Subsection (1) does not apply where the person has doubts about the information collected”. Guideline 6G indicated that an individual could be recognized visually or by voice. However, subsection 63(1) of the PCMLTFR has since been amended, and now explains, “If a person or entity ascertains a person’s identity in accordance with subsection 64(1) and complies with section 64.2 — or if, before the coming into force of this subsection, they ascertained a person’s identity in accordance with subsection 64(1) or (1.1) and complied with section 67, as they read at the time the identity was ascertained — they are not required to ascertain the person’s identity again unless they have doubts about the information that was used for that purpose.” Therefore, pursuant to the amended subsection 63(1) of the PCMLTFR, and in relation to your example – where an existing client wishes to renew a loan, and their identity was previously ascertained – so long as the financial entity (with the obligation to ascertain the client’s identity) has no doubts about the information previously used to ascertain the identity of the client, and a related record was kept, this exception may be applied.

The obligation to ascertain the identity of a client is separate from the obligation to conduct ongoing monitoring of a business relationship. Pursuant to subsection 54.3(1) of the PCMLTFR, “A financial entity that is required to ascertain a person’s identity or confirm an entity’s existence shall (a) conduct ongoing monitoring of its business relationship with that person or entity; and (b) keep a record of the measures taken and the information obtained under paragraph (a).”

A business relationship is defined at subsection 1(2) of the PCMLTFR as “any relationship with a client, established by a person or entity to which section 5 of the Act applies, to conduct financial transactions or provide services related to those transactions and, as the case may be,
(a) if the client holds one or more accounts with that person or entity, all transactions and activities relating to those accounts; or
(b) if the client does not hold an account, only those transactions and activities in respect of which that person or entity is required to ascertain the identity of a person or confirm the existence of an entity under these Regulations.
It does not include any transaction or activity referred to in paragraph 62(1)(a), (b) or (d) or subsection 62(2) or (3).”

Ongoing monitoring is also defined at subsection 1(2) of the PCMLTFR, and means “monitoring on a periodic basis based on the risk assessment undertaken in accordance with subsection 9.6(2) of the Act and subsection 71(1) of these Regulations, by a person or entity to which section 5 of the Act applies of their business relationship with a client for the purpose of
(a) detecting any transactions that are required to be reported in accordance with section 7 of the Act;
(b) keeping client identification information and the information referred to in sections 11.1 and 52.1 up to date;
(c) reassessing the level of risk associated with the client’s transactions and activities; and
(d) determining whether transactions or activities are consistent with the information obtained about their client, including the risk assessment of the client.”

Once a business relationship is established, ongoing monitoring of that business relationship must be performed on a periodic basis in relation to the risk assessment of that client. High-risk clients must be monitored more frequently. As indicated in the definition, one of the purposes of conducting ongoing monitoring is to keep client identification information up to date. This is not the same as the requirement to ascertain the identity of a client as per the specified methods outlined in the PCMLTFR. Instead, to update client information a reporting entity could periodically ask the client to confirm the identification information it has on record. 

Date answered: 2016-11-09

PI Number: PI-7676

Activity Sector(s): Financial entities

Obligation(s): Verifying identity, Business Relationship, Ongoing Monitoring

Guidance: Know your client requirements

Regulations: 1(2), 54.3(1), 63(1), 63(1.1)

Obligation to confirm any new information obtained when updating information on beneficial ownership

Question:

Do we have to repeat the above-mentioned procedures for every update?

"Keeping the information referred to in sections 11.1" from the definition of "ongoing monitoring", are we required to validate each requirement, namely names of all directors of the corporation and the names and addresses of all persons who own or control, directly or indirectly, 25 per cent or more of the shares of the corporation + ascertain the identity of persons authorised to act on the account + information establishing the ownership, control and structure of the entity each time the information is being updated?

Answer:

  1. The Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) do not require the client identification information and the information specified in sections 11.1 and 52.1 to be updated at the same time. The frequency with which the required information must be updated varies in accordance with the risk assessment of the reporting entity’s client, and the entity’s policies and procedures must specify which information must be updated and when.
     
  2. Under subsection 11.1(1) of the PCMLTFR, every reporting entity that is required to confirm the existence of an entity in accordance with the Regulations when it opens an account must, at the time the existence of the entity is confirmed, obtain the following information:
    (a) in the case of a corporation, the names of all directors of the corporation and the names and addresses of all persons who own or control, directly or indirectly, 25 per cent or more of the shares of the corporation;
    (b) in the case of a trust, the names and addresses of all trustees and all known beneficiaries and settlors of the trust;
    (c) in the case of an entity other than a corporation or trust, the names and addresses of all persons who own or control, directly or indirectly, 25 per cent or more of the entity; and
    (d) in all cases, information establishing the ownership, control and structure of the entity.

The reporting entity must also take reasonable measures to confirm the accuracy of the information obtained under subsection 11.1(1) of the PCMLTFR (subsection 11.1(2) of the PCMLTFR), and keep a record that sets out the information obtained and the measures taken to confirm the accuracy of that information (subsection 11.1(3) of the PCMLTFR).

Under subsection 1(2), ongoing monitoring is undertaken to keep client identification information and the information referred to in sections 11.1 and 52.1 up to date. When the reporting entity updates this information, or does not update it, as the case may be, it is not subsequently required to confirm it. Thus, when the client indicates that the information is not up to date and the reporting entity takes measures to update the information on beneficial ownership, the entity is not required to confirm this information.

Date answered: 2014-09-17

PI Number: PI-6237

Activity Sector(s): Securities dealers

Obligation(s): Ongoing Monitoring

Guidance: Business relationship requirements

Regulations: 1(2), 11.1 , 52.1

Risk Assessment – Clients Outside of a Business Relationship

Question:

What does a risk assessment look like for a non-customer who does a triggering transaction? Is there still a need for a business record?

Answer:

In accordance with subsection 9.6(1) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), all credit unions must establish and implement, in accordance with the regulations, a program intended to ensure their compliance with the Act.

This program must include the development and application of policies and procedures for the credit union to assess, in the course of their activities, the risk of a money laundering or a terrorist activity financing offence. This assessment must consider the credit union’s clients and business relationships, products and delivery channels, geographic location, and any other relevant factor. 

Even if your dealings with a client are limited to a single transaction, the client does not have an account, and the client is not opening an account, you still need to complete a risk assessment of that client, to determine the risk of a money laundering offence or a terrorist activity financing offence. Furthermore, you will have to determine if you suspect that the transaction is related to a money laundering or terrorist financing offence. If this is the case, you will have to report it to FINTRAC.

FINTRAC's suspicious transaction guidance, outlines some of the indicators to consider or assess when determining whether or not an attempted or completed transaction is suspicious. Credit unions should factor these indicators into any risk assessment developed for single-transaction clients. The credit union should consider clients they do not know as higher-risk than those that they know.

Even if a business relationship does not exist, there may be record keeping requirements depending on the transaction; however there is no need to record the purpose and intended nature of the business relationship.

Date answered: 2014-07-18

PI Number: PI-6199

Activity Sector(s): Financial entities

Obligation(s): Ongoing Monitoring

Guidance: Compliance Program

Act: 9.6(1)

Requirement of “keeping the records up-to-date

Question:

What does the regulatory requirement of “keeping the records up-to-date” mean?

Answer:

Pursuant to paragraph 1(2)(b) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), ongoing monitoring is conducted for the purpose, among others, of keeping client identification information and the information referred to in sections 11.1 and 52.1 up to date.

Keeping prescribed information up to date means ensuring that the information contained in a record continues to be applicable. The frequency with which records are to be kept up to date will vary depending on a credit union’s risk assessment of a client. As part of ongoing monitoring obligations, a credit union has to keep all records up to date. For high-risk clients, a credit union must update those records more frequently and perform more frequent monitoring, as well as adopt any other appropriate enhanced monitoring measures.

Date answered: 2014-07-18

PI Number: PI-6198

Activity Sector(s): Financial entities

Obligation(s): Ongoing Monitoring

Guidance: Ongoing monitoring requirements

Regulations: 1(2)(b), 11.1, 52.1

Date Modified: