Guide on harm done assessment for compliance program violations

Table of contents

  1. Introduction
  2. Violations related to compliance program requirements
  3. Violation related to the appointment of a compliance officer
  4. Violations related to compliance policies and procedures, including policies and procedures in respect of prescribed special measures for high risks
  5. Violation related to assessing and documenting the risks of ML/TF
  6. Violation related to the ongoing training program
  7. Violations related to the prescribed review

1. Introduction

This page presents how we assess the harm done and calculate the base penalty amount applied to compliance program violations.

1.1 Purpose of this guide

This guide presents how FINTRAC approaches the harm done criterion and the base penalty amount for violations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act) and its regulations. According to section 73.11 of the Act, FINTRAC must consider the harm done by a violation, that the purpose of an administrative monetary penalty (AMP) is to encourage compliance rather than to punish, and all other criteria prescribed in the regulations, including a reporting entity's (RE) history of compliance, when determining the amount of a penalty. Considerations for the non-punitive nature of an AMP and an RE's compliance history are assessed in another step in the penalty calculation and are outlined separately in FINTRAC's AMP policy.

1.2 Definition of harm

FINTRAC defines "harm" as the degree to which a violation interferes with achieving the objectives of the Act (Footnote 1) or with FINTRAC's ability to carry out its mandate (Footnote 2). Therefore, the consequences of non-compliance, when an AMP is imposed, are linked to its effects on Canada's efforts to combat money laundering and terrorist activity financing (ML/TF).

Compliance enforcement activities are undertaken to prevent and correct the harm that comes from non-compliance with the Act and regulations. REs' adherence to requirements such as record keeping and verifying client identity assists in the deterrence of ML/TF and supports police investigations and criminal prosecutions. The requirements related to reporting ensure that FINTRAC is supplied with the high-quality, timely financial transaction reports it needs to produce the financial intelligence that helps with the investigation and prosecution of ML/TF offences.

1.3 Considering harm in AMP calculations

When determining a penalty, FINTRAC considers the harm caused, that is, the degree to which the non-compliance interferes with the objectives of the Act and/or with FINTRAC's mandate. Non-compliance and harm are measured using the standards described in this guide, which outline the benchmark amounts for the corresponding levels of harm for a specific violation. FINTRAC considers the specific circumstances of each case, including the extent of the non-compliance and mitigating factors, which may further reduce the actual amounts applied.

2. Violations related to compliance program requirements

The fulfillment of the objectives of the Act and FINTRAC's ability to carry out its mandate depend upon REs successfully implementing a compliance program that allows them to identify clients, monitor business relationships, keep records and report certain financial transactions. The compliance program itself requires the appointment of a compliance officer, the development of policies and procedures, the assessment of ML/TF risks, the maintenance of a training program, and a review of the program's effectiveness every two years. These requirements not only ensure that REs have the structure in place to comply with the Act and its regulations, but they also establish a framework that helps facilitate the detection, prevention and deterrence of ML/TF offences in the normal course of business, which serves the objectives of the Act under paragraph 3(a).

Failing to establish and implement a compliance program can signify a serious deficit in anti-money laundering/anti-terrorist activity financing (AML/ATF) measures, leaving REs vulnerable to ML/TF offences, and ultimately impeding achievement of the Act's objectives under paragraph 3(a), or impacting FINTRAC's ability to carry out its mandate under section 40 of the Act. A compliance program requirement violation can signify gaps and weaknesses that result in not meeting other requirements such as reporting, record keeping or verifying client identity.

Therefore, FINTRAC assesses the potential harm that a compliance program violation may cause.

For example:

In situations where the absence of policies and procedures to report the receipt of $10,000 or more in cash also results in the failure to submit Large Cash Transactions Reports (LCTRs), FINTRAC may assess two distinct violations. The total penalty would be comprised of two amounts: the amount levied for the incomplete policies and procedures and the amount levied for the failure to submit LCTRs to FINTRAC. The penalty amount for incomplete policies and procedures represents the potential harm, while the actual failure to submit the LCTRs represents the concrete harm.

For guidance on how to calculate the penalty amount for other compliance requirements such as reporting, verifying client identity and record keeping, please refer to the Penalties for non-compliance page which lists all the harm done guides by violation.

2.1 Harm consideration framework for violations related to the compliance program

FINTRAC assesses the potential harm caused by a violation and takes into account the relative importance of the requirement to achieving the objectives of the Act or FINTRAC's mandate when it considers the harm done by a compliance program violation. FINTRAC also considers the extent of the non-compliance and mitigating factors.

When assessing the extent of the non-compliance of compliance program violations, FINTRAC considers the degree to which the documentation and application of a requirement meet the Act and its regulations. More importance (weight) is given to the application of a requirement because it is the action of putting something into practice that is most effective to achieve the objectives of the Act and FINTRAC's mandate. For example, when compliance policies and procedures, documented in a comprehensive manner, are not put into practice, there is a big risk of non-compliance, which prevents the objectives of the Act and FINTRAC's mandate from being achieved.

2.1.1 Types of non-compliance for violations related to the compliance program

There are two types of compliance program violations: complete or widespread non-compliance and partial non-compliance.

"Complete" or "widespread" non-compliance is when a requirement has not been met because an RE has not put in place measures to meet the requirement to any degree, or what is in place is too rudimentary. This poses the highest harm to the achievement of the objectives of the Act and FINTRAC's mandate. For example, an RE is in complete violation of the requirement under paragraph 71(1)(b) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) if there are no policies and procedures whatsoever documented or put into practice. This poses the highest harm because there would be no measures in place to comply with any of the requirements under the Act and its regulations.

"Partial" non-compliance is when only parts, or elements, of a requirement have not been met. For example, an RE that has incomplete policies and procedures when it comes to the detection and reporting of suspicious transactions would be in partial violation of the requirement under PCMLTFR 71(1)(b). This poses less harm than the previous example and poses varying levels of harm, depending on the issue.

Penalty amounts for complete or widespread violations and partial violations are calculated based on their associated levels of harm, as described below. 

2.2 Levels of harm and penalty amounts for violations related to the compliance program

Compliance program violations are classified as "serious" under the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations (AMP Regulations), with penalties ranging from $1 to $100,000.

For these violations, FINTRAC has identified four levels of harm. Each level of harm incurs a penalty of either $100,000, $75,000, $50,000 or $25,000.  

The table below lists the four levels of harm in descending order, the types of non-compliance and the descriptions of harm along with their corresponding penalty.

Table 1—Levels of harm and penalties for violations related to compliance program
| Level of harm | Type of non-compliance | Description of harm | Penalty (not considering mitigating factors) |
| --- | --- | --- | --- |
| Level 1 | The requirement is not met, to any degree, or what is in place is not functional, causing widespread non-compliance. This is complete or widespread non-compliance. | Prevents the achievement of the objectives of the Act and of FINTRAC's mandate because a core AML/ATF measure is absent or non-functional. | $100,000 |
| Level 2 | An element that is priority for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with important weaknesses. | Prevents the achievement of results that are priority for meeting the objectives of the Act and FINTRAC's mandate. | $75,000 |
| Level 3 | An element that forms the basis for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with moderate weaknesses. | Prevents the achievement of results that form the basis for meeting the objectives of the Act and FINTRAC's mandate. | $50,000 |
| Level 4 | An element that enables the efficient achievement of the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with lesser weaknesses. | Diminishes the efficient achievement of the objectives of the Act and FINTRAC's mandate. | $25,000 |

The highest level of harm (Level 1) applies to situations of complete or widespread non-compliance because they have the greatest potential impact on the Act's objectives or FINTRAC's mandate. As such, they incur the prescribed maximum penalty, which is $100,000.

Levels of harm 2, 3 and 4 apply to situations of partial non-compliance and incur penalty amounts decreasing in intervals from $75,000 to $50,000 and to $25,000 respectively.  

FINTRAC will consider relevant mitigating factors that could reduce the penalty down to the prescribed minimum penalty amount of $1, regardless of the violation's level of harm.

The remainder of this guide describes how FINTRAC applies the levels of harm to the compliance program violations.

3. Violation related to the appointment of a compliance officer

This section outlines FINTRAC's approach for failing to appoint a compliance officer, including the harm assessment and penalty calculation.

Table 2— Violation related to the appointment of a compliance officer
| Provision of the Act | Provision of the PCMLTFR | Description | Classification of violation |
| --- | --- | --- | --- |
| 9.6(1) | 71(1)(a) | Failure of a person or entity to appoint a person to be responsible for the implementation of a compliance program | Serious, $1-$100,000 |

3.1 Harm done in the case of a violation related to the appointment of a compliance officer

The purpose of appointing a person responsible for the implementation of a compliance program is to ensure that an RE has the necessary oversight to effectively comply with the requirements of the Act. The person in this role, typically referred to as the compliance officer, is responsible for putting into practice the compliance policies and procedures, ML/TF risk assessment, ongoing compliance training program and the prescribed review of the compliance program. 

An effective compliance program begins with the appointment of a compliance officer; but simply appointing a person to this position is not sufficient to meet the objectives of the Act. In order for an RE to meet the requirement, it must ensure that the compliance officer has adequate knowledge of the Act and its regulations, possesses the authority and has access to adequate resources to implement the compliance program. 

Failing to appoint a person responsible for the implementation of the compliance program may result in the RE not meeting the requirements for reporting, record keeping, verifying identity and applying other compliance measures. This could result in structural gaps that leave the RE vulnerable to ML/TF offences, which affects the achievement of the objectives of the Act and FINTRAC's ability to carry out its mandate, and potentially exposes Canada's financial system and Canadians to ML/TF risks.

Deficiencies in other compliance requirements, such as reporting, record keeping and verifying identity, may be the result of the deficient implementation of a compliance program. FINTRAC will consider the overall effectiveness of the compliance program and the fulfillment of other compliance requirements when it assesses an RE's compliance with the requirement to appoint a compliance officer.

3.2 Penalty determination for a violation related to the appointment of a compliance officer

FINTRAC will assess the level of harm and penalty for failing to appoint a compliance officer using the criteria listed below.

Table 3—Levels of harm and penalties for a violation related to the appointment of a compliance officer
| Level of harm | Type of non-compliance | Description of non-compliance with the compliance officer requirement | Penalty (not considering mitigating factors) |
| --- | --- | --- | --- |
| Level 1 | The requirement is not met to any degree, or what is in place is not functional, causing widespread non-compliance. This is complete or widespread non-compliance. | No one is carrying out the duties of implementing any part of the compliance program. As such, there is widespread and serious non-compliance. | $100,000 |
| Level 2 | An element that is priority for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with important weaknesses. | The RE has not ensured that the appointed person performs all the necessary duties related to the: 1. Implementation of the compliance policies and procedures; 2. Implementation of the policies and procedures related to mitigating high risks; 3. Implementation of the risk-based approach in accordance with the risk assessment; 4. Implementation of the ongoing training program; 5. Implementation of the prescribed review of the compliance program every 2 years; and 6. Implementation of other applicable requirements under the Act and its regulations. | $75,000 |
| Level 3 | An element that forms the basis for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with moderate weaknesses. | The RE has not provided the appointed person with the authority to implement the compliance program, including the authority to make any necessary changes. The RE has not provided the appointed person with adequate resources to implement the compliance program. | $50,000 |
| Level 4 | An element that enables the efficient achievement of the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with lesser weaknesses. | The RE has not ensured that the appointed person has adequate knowledge of the Act and its regulations, and how the requirements apply to the business. | $25,000 |

3.2.1 Level 1 harm: Failure to appoint a person responsible for the implementation of the compliance program

When an RE fails to assign the duties related to the implementation of the compliance program to a person, the objectives of the Act and FINTRAC's mandate suffer from the highest level of harm. This is because there would be no oversight to ensure that, for example, policies and procedures are followed, or that ongoing training is provided. This lack of oversight means that there is a high risk that the existing compliance program will become out-of-date or ineffective. Over time, this would likely have an important impact on an RE's compliance with the Act and its regulations, and would likely result in other requirements not being met, such as reporting, record keeping and verifying client identity. As a result, the associated penalty is the prescribed maximum of $100,000.

3.2.2 Level 2 harm: Failure to ensure that the appointed person performs all the necessary duties  

The second-highest level of risk is attributed when an RE has appointed a compliance officer with the proper authorities and resources but it has not made sure that this person performs all the duties related to the implementation of the compliance program. As a result, the associated penalty is $75,000.

3.2.3 Level 3 harm: Failure to provide the appointed person with authority and resources

When the appointed person lacks the authority and resources to carry out the duties and measures that are necessary for the implementation and maintenance of the compliance program, this can result in inefficiencies in detecting and correcting non-compliance with the requirements of the Act and its regulations. As a result, the associated penalty is $50,000.

3.2.4 Level 4 harm: Failure to ensure that the appointed person has adequate knowledge

At a minimum, the RE must ensure that the compliance officer has sufficient knowledge of the Act and its regulations, of ML/TF concepts and risks and of how they relate to the business. The compliance officer must have a good understanding of the risks most relevant to the RE and frequently encountered by the industry. Without this knowledge, the measures adopted may not be the most effective or efficient in addressing the RE's compliance needs, thereby affecting the implementation of the compliance program. As a result, the associated penalty is $25,000.

4. Violations related to compliance policies and procedures, including policies and procedures in respect of prescribed special measures for high risks

This section outlines FINTRAC's approach for failing to develop and apply compliance policies and procedures, including the harm assessment and penalty calculation.

Table 4— Violations related to compliance policies and procedures, including policies and procedures in respect of prescribed special measures for high risks
| Provision of the Act | Provision of the PCMLTFR | Description | Classification of violation |
| --- | --- | --- | --- |
| 9.6(1) | 71(1)(b) | Failure of a person or entity to develop and apply written compliance policies and procedures that are kept up to date and, in the case of an entity, are approved by a senior officer | Serious, $1-$100,000 |
| 9.6(3) | 71.1 | Failure of a person or entity to take the prescribed special measures | Serious, $1-$100,000 |

4.1 Harm done in the case of violations related to compliance policies and procedures

The development, documentation and application of compliance policies and procedures, including those for enhanced measures to mitigate high risk, ensure that a comprehensive framework and robust controls are in place to comply with the Act and its regulations.

Policies guide REs' decisions and actions with respect to AML/ATF requirements, and ensure that all activities take place within set boundaries. Procedures are the specific methods employed to put policies in action in day-to-day operations.

Policies and procedures are critical because they set out important principles and standards that staff and delegated persons with compliance responsibilities must meet in a consistent manner. Documented policies and procedures also serve to ensure clarity and consistency in business operations, for instance when there are changes in personnel. For each requirement under the Act and its regulations, the policies and procedures documents must include a description of when the requirement is triggered; the information that must be reported, recorded or considered; the step-by-step procedures to ensure that the requirement is fulfilled; and where applicable, the timelines associated with the requirement.

Failing to develop, apply, and keep written policies and procedures up to date can result in not meeting other requirements under the Act and its regulations, and undervalues sound business practices designed to minimize ML/TF.

4.2 Penalty determination for a violation related to compliance policies and procedures

FINTRAC will assess the level of harm and penalty for failing to develop, document and apply written compliance policies and procedures using the criteria listed below.

Table 5—Levels of harm and penalties for violations related to compliance policies and procedures
| Level of harm | Type of non-compliance | Description of the non-compliance with the compliance policies and procedures requirement | Penalty (not considering mitigating factors) |
| --- | --- | --- | --- |
| Level 1 | The requirement is not met to any degree, or what is in place is not functional, causing widespread non-compliance. This is complete or widespread non-compliance. | Policies and procedures for all, or most, of the requirements are not developed or applied. | $100,000 |
| Level 2 | An element that is priority for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with important weaknesses. | Policies and procedures for priority requirements are not developed or applied, including: 1. Know your client requirements (verifying client identity; determination of politically exposed persons and heads of international organizations, and their family members and close associates; obtaining beneficial ownership information; third party determination); 2. Suspicious transaction and terrorist property reporting; and 3. Compliance with Ministerial Directives. | $75,000 |
| Level 3 | An element that forms the basis for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with moderate weaknesses. | Policies and procedures for basic requirements are not developed or applied, including: 1. Reporting large cash transactions, and if applicable electronic funds transfers, and casino disbursements; 2. Ongoing monitoring of business relationships; 3. Keeping prescribed records, except copies of submitted Suspicious Transaction Reports (STRs) and Casino Disbursement Reports (CDRs); and 4. Performing the prescribed risk assessment and the prescribed review every 2 years. | $50,000 |
| Level 4 | An element that enables the efficient achievement of the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with lesser weaknesses. | Policies and procedures for requirements that enable efficiency are not developed or applied, including keeping copies of submitted STRs and CDRs. | $25,000 |

4.2.1 Level 1 harm: Policies and procedures are not developed or applied

When policies and procedures have not been developed or are not applied, the foundational framework and controls that are required to comply with the requirements of the Act and its regulations are absent. This creates an environment where widespread non-compliance and systemic weaknesses in detecting, preventing and deterring ML/TF are possible, and therefore poses the most harm to the objectives of the Act and FINTRAC's mandate. As a result, the associated penalty is the prescribed maximum of $100,000.

4.2.2 Level 2 harm: Policies and procedures for priority requirements are not developed or applied

Reporting suspicious transactions and terrorist property, performing know your client procedures and complying with the minister's directives are priority requirements for Canada's AML/ATF efforts, because they are essential for the detection, prevention and deterrence of ML/TF offences. Non-compliance with these requirements is assessed as posing Level 2 harm because, while other measures may be in place, failing to meet priority requirements can pose high levels of harm to the objectives of the Act and FINTRAC's ability to fulfill its mandate. As a result, the associated penalty is $75,000.

The detection and reporting of transactions that are suspected of being related to ML/TF is therefore critical for FINTRAC's analysis and disclosure of financial intelligence that supports the investigation and prosecution of the crimes. Performing know your client procedures, such as identifying clients and obtaining information on those controlling or benefitting from the movement of funds, deters criminals from using Canada's financial system for ML/TF; these procedures are also necessary to identify high-risk clients, business relationships and transactions for the purpose of reporting to FINTRAC. When REs do not take proper measures for client identification and for obtaining information on the individuals owning or controlling entities, the objectives of the Act and FINTRAC's mandate are harmed significantly, since it is then not possible for the RE to mitigate risks, for FINTRAC to conduct analysis on particular subjects, or for law enforcement to investigate individuals for ML/TF offences.

Ministerial directives are targeted measures to protect Canada's financial system from being used as a vehicle for ML/TF. Compliance policies and procedures that do not meet the measures set out in a ministerial directive can result in the failure to comply with priority areas intended to detect, prevent and deter specific threats to Canada's financial system and the safety of Canadians. As a result, such a failure represents very significant harm to the achievement of the objectives set out in paragraph 3(d) of the Act. 

4.2.3 Level 3 harm: Policies and procedures for basic requirements are not developed or applied

Requirements that form the basis for the detection, prevention and deterrence of ML/TF are: reporting large cash transactions, reporting electronic funds transfers and casino disbursements (as required), monitoring business relationships, record keeping, assessing risk, and reviewing the effectiveness of the compliance program. Record keeping requirements are in place to ensure that the information necessary to meet other requirements of the Act and its regulations is kept. Ultimately, the information can serve as evidence in support of investigations and prosecutions of ML/TF offences.

The measures to implement these requirements are fundamental because they support Canada's AML/ATF regime by identifying and mitigating the risks related to transactions at risk of being used for ML/TF, and by helping to detect and deter those inclined to abuse the financial system for ML/TF purposes. Non-compliance with these requirements is assessed as Level 3 harm because it can pose moderate harm to the objectives of the Act and FINTRAC's mandate. Therefore, the associated penalty is $50,000.

4.2.4 Level 4 harm: Policies and procedures for requirements that enable efficiency are not developed or applied

Efficiency in the fight against ML/TF is found in those elements that assist in achieving the objectives of the Act and FINTRAC's mandate and support Canada's AML/ATF regime by maximizing its performance. Non-compliance with these elements poses Level 4 harm because it diminishes the efficiency of Canada's AML/ATF regime, but does not affect priority or basic elements. Therefore, the associated penalty is $25,000.

Keeping complete and accurate records, including copies of STRs, and CDRs (as required), ensures that REs, police, law enforcement and FINTRAC have quick and easy access to reports related to transactions or financial activities. The information captured in STRs and CDRs is required in other records under the Act. Since the information in these copies is likely kept elsewhere, failing to keep these records poses lower harm to the objective of the Act and FINTRAC's mandate.

4.3 Penalty determination for a violation related to compliance policies and procedures for taking enhanced measures to mitigate high risks

FINTRAC will assess the level of harm and penalty for failing to develop, document and apply compliance policies and procedures on taking enhanced measures to mitigate high risks using the criteria listed below.

Table 6—Levels of harm and penalties for a violation related to compliance policies and procedures for taking enhanced measures to mitigate high risks violations
| Level of harm | Type of non-compliance | Description of the non-compliance with the policies and procedures for taking enhanced measures to mitigate high risks requirement | Penalty (not considering mitigating factors) |
| --- | --- | --- | --- |
| Level 1 | The requirement is not met to any degree, or what is in place is not functional, causing widespread non-compliance. This is complete or widespread non-compliance. | Policies and procedures for taking enhanced measures for high risk are not developed or applied for any, or most, of the prescribed elements. | $100,000 |
| Level 2 | An element that is priority for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with important weaknesses. | Policies and procedures relating to priority requirements for enhanced measures are not developed or applied for: 1. Verifying client identity; 2. Keeping client and beneficial ownership information up to date; and 3. Conducting ongoing monitoring of business relationships to identify suspicious transactions. | $75,000 |
| Level 3 | An element that forms the basis for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with moderate weaknesses. | Policies and procedures relating to basic requirements for enhanced measures are not developed or applied, which includes any other measures needed to mitigate high risk. | $50,000 |

Note: Level 4 harm is not applicable in the case of this violation, as the measures related to addressing high-risk situations do not play a supporting role; they are either priority or basic elements to mitigate the risks of ML/TF.

4.3.1 Level 1 harm: Policies and procedures for taking enhanced measures to mitigate high risks are not developed or applied for any, or most, of the prescribed elements 

The development and application of policies and procedures for taking prescribed enhanced measures to mitigate high risk is critical to the AML/ATF regime in the detection, prevention and deterrence of ML/TF offences. These enhanced measures are meant to address the risks posed by those elements that have been expressly identified as being the most vulnerable to ML/TF. When policies and procedures for taking enhanced measures to mitigate high risks have not been developed for any, or most of the prescribed requirements, the controls and framework that are required to mitigate high risks are absent. There is a high likelihood that the highest-risk situations are not being mitigated and identified for reporting to FINTRAC, leaving the RE and Canada's financial system vulnerable to ML/TF offences. This poses the highest harm and incurs a penalty of $100,000.

4.3.2 Level 2 harm: Policies and procedures related to priority enhanced measures are not developed or applied

Taking enhanced measures to identify persons and entities controlling and benefitting from the movement of funds, keep their information up to date, and conduct ongoing monitoring to detect suspicious transactions are priority measures for ML/TF risk mitigation, as they help make the most current information available in situations of high risk. Policies and procedures that do not address these elements are incomplete and can result in inadequate risk mitigation, and can have a substantial impact on the detection and mitigation of high risks, including reporting related to high-risk transactions. This represents an important weakness in an RE's compliance program, which could have an important impact on the objectives of the Act and FINTRAC's mandate, and therefore poses Level 2 harm, which incurs a penalty of $75,000.

4.3.3 Level 3 harm: Policies and procedures relating to any other enhanced measures needed to mitigate high risks are not developed or applied

In addition to the specific enhanced measures prescribed for high-risk mitigation, other mitigation measures may also be necessary to reduce ML/TF vulnerabilities. Policies and procedures that do not consider other measures specific to the RE's assessment of risks can result in ineffective or incomplete strategies to reduce ML/TF vulnerabilities. Depending on the nature of the risk and the RE's size and complexity, this type of non-compliance could have an impact on the objectives of the Act and FINTRAC's mandate. This type of non-compliance poses Level 3 harm and incurs a penalty of $50,000.

5. Violation related to assessing and documenting the risks of ML/TF

This section outlines FINTRAC's approach to failing to assess and document the risks of ML/TF, including the harm assessment and penalty calculation.

Table 7—Violation related to assessing and documenting the risks of ML/TF

| Provision of the Act | Provision of the PCMLTFR | Description | Classification of violation |
|---|---|---|---|
| 9.6(1) | 71(1)(c) | Failure of a person or entity to assess and document the risk referred to in subsection 9.6(2) of the Act, taking into consideration prescribed factors | Serious, $1-$100,000 |

5.1 Harm done in the case of a violation related to assessing and documenting the risks of ML/TF

Assessing and documenting ML/TF risks ensures that REs are aware of their potential exposure and vulnerability to ML/TF. By identifying areas and levels of risk, REs may apply appropriate mitigation measures to reduce those risks. REs are able to turn more attention to higher-risk areas, thereby effectively contributing to the objectives of the Act and FINTRAC's ability to carry out its mandate.

Failing to assess and document the risks of ML/TF prevents REs from identifying areas of their operations that are vulnerable to being exploited for ML/TF purposes, and prevents appropriate mitigation measures from being put in place. This can also lead to failing to identify high-risk clients and business relationships for which enhanced risk mitigation measures must be applied. This can further result in the failure to detect and report suspicious transactions to FINTRAC.

5.2 Penalty determination for a violation related to assessing and documenting the risks of ML/TF

FINTRAC will assess the level of harm and penalty for failing to assess and document the risks of ML/TF offences using the criteria listed below.

Table 8—Levels of harm and penalties for a violation related to assessing and documenting the risks of ML/TF

| Level of harm | Type of non-compliance | Description of the non-compliance for the risk assessment requirement | Penalty (not considering mitigating factors) |
|---|---|---|---|
| Level 1 | The requirement is not met, to any degree, or what is in place is not functional, causing widespread non-compliance. This is complete or widespread non-compliance. | An assessment of ML/TF risks has not been conducted or documented for any, or most, of the prescribed factors. | $100,000 |
| Level 2 | An element that is priority for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with important weaknesses. | The risk assessment does not include priority elements, including those for high-risk situations, such as: (1) Politically exposed foreign persons, their family members and close associates; (2) Entities for which beneficial ownership information cannot be obtained or confirmed; (3) Clients who are mentioned in a submitted TPR; and (4) Products, services, delivery channels, geographic locations or types of persons or entities, that are identified as posing a high risk by a ministerial directive, by FINTRAC, or by criteria established by the RE. | $75,000 |
| Level 3 | An element that forms the basis for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with moderate weaknesses. | The risk assessment does not include basic elements such as: (1) Products, services and delivery channels offered; (2) Clients and business relationships; (3) Geographic locations (including foreign and domestic activities, clients, and business relationships); and (4) New technologies. | $50,000 |
| Level 4 | An element that enables the efficient achievement of the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with lesser weaknesses. | The risk assessment does not include other relevant factors that could impact ML/TF risks. | $25,000 |

5.2.1 Level 1 harm: An assessment of ML/TF risks has not been conducted or documented for any, or most, of the prescribed factors

When an assessment of ML/TF risks has not been conducted or documented, or the assessment does not address any of the prescribed requirements, there is complete or widespread non-compliance with the regulations. Failing to assess and identify ML/TF risks prevents REs from putting in place mitigation measures, leaving them vulnerable to being used for ML/TF, especially in those areas that pose the highest risk. This is assessed as posing the highest level of harm, as it has the highest impact on achieving objectives of the Act and FINTRAC's mandate, and incurs a penalty of $100,000.

5.2.2 Level 2 harm: The risk assessment does not include priority elements including those for high-risk situations

The regulations, ministerial directives, FINTRAC and other AML/ATF authorities have identified situations that inherently present a high risk of ML/TF, which are key for the prescribed risk assessment. It is critical for REs to consider and assess them where applicable. Failing to consider high-risk situations may result in important weaknesses in the compliance program such as poor mitigation measures and high-risk situations potentially not being detected and reported to FINTRAC on suspicion of ML/TF offences. Non-compliance with this requirement poses Level 2 harm and incurs a penalty of $75,000.

5.2.3 Level 3 harm: The risk assessment does not include the basic elements

ML/TF risk assessments allow REs to understand the vulnerabilities they are exposed to. Comprehensive risk assessments must include the prescribed elements as their basis in order to support risk mitigation. A risk assessment that does not include one or more of the prescribed elements may lead to weaknesses in the identification and mitigation of common risks, leaving the RE vulnerable to ML/TF offences and unable to effectively identify transactions that must be reported. Non-compliance with this requirement poses Level 3 harm and incurs a penalty of $50,000.

5.2.4 Level 4 harm: The risk assessment does not include any other relevant factors that could impact ML/TF risks

Assessing other relevant factors allows REs to understand the ML/TF risks applicable to their operations and contributes to the efficiency of the risk assessment and mitigation strategies. Non-compliance with this requirement poses Level 4 harm and incurs a penalty of $25,000.

6. Violation related to the ongoing training program

This section outlines FINTRAC's approach to failing to develop and maintain a written ongoing training program, including the harm assessment and penalty calculation.

Table 9—Violation related to the ongoing training program

| Provision of the Act | Provision of the PCMLTFR | Description | Classification of violation |
|---|---|---|---|
| 9.6(1) | 71(1)(d) | Failure of a person or entity that has employees, agents or mandataries or other persons authorized to act on their behalf to develop and maintain a written ongoing compliance training program for those employees, agents or mandataries or persons | Serious, $1-$100,000 |

6.1 Harm done in the case of a violation related to the ongoing training program

The purpose of a written ongoing compliance training program is to ensure that all employees, agents, mandataries and other persons authorized to act on an RE's behalf understand the requirements of the Act and its regulations and follow the policies and procedures that have been established for compliance. It also ensures that employees, agents, mandataries and other persons authorized to act on an RE's behalf understand ML/TF matters enough to be able to identify facts that may indicate financial transactions or activities related to ML/TF offences. 

Failing to develop and maintain a written ongoing training program may result in the above listed purposes not being met over time, and consequently, an RE failing to comply with the requirements under the Act and its regulations. In turn, this non-compliance could ultimately affect the objectives of the Act and FINTRAC's ability to deliver on its mandate.

6.2 Penalty determination for a violation related to the ongoing training program

FINTRAC will assess the level of harm and penalty for failing to develop and maintain a written ongoing training program using the criteria listed below.

Table 10—Levels of harm and penalties for a violation related to the ongoing training program

| Level of harm | Type of non-compliance | Description of the non-compliance for the training program requirement | Penalty (not considering mitigating factors) |
|---|---|---|---|
| Level 1 | The requirement is not met to any degree, or what is in place is not functional, causing widespread non-compliance. This is complete or widespread non-compliance. | A documented training program is not developed or maintained to cover all, or most, of the elements to comply with the Act and its regulations. | $100,000 |
| Level 2 | An element that is priority for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with important weaknesses. | The training program is missing priority elements, such as maintaining training on the: (1) Compliance policies and procedures established; (2) Responsibilities of employees, agents and those acting on behalf of the RE when dealing with suspicious transactions; and (3) Key ML/TF concepts including background information on how ML/TF relates to the business. | $75,000 |
| Level 3 | An element that forms the basis for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with moderate weaknesses. | The training program is missing basic elements, such as: (1) Frequency or timing of the training to be delivered; and (2) Content that is relevant and specific for all employees, agents, and those acting on the RE's behalf. | $50,000 |
| Level 4 | An element that enables the efficient achievement of the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with lesser weaknesses. | The training program is not maintained on an ongoing basis. | $25,000 |

6.2.1 Level 1 harm: A documented training program is not developed or maintained

When a training program has not been developed or maintained, or has been but only to a minimal degree, the foundational framework and controls that are required to comply with the requirements of the Act and its regulations are absent. This can potentially lead to widespread non-compliance and systemic weaknesses in the detection, prevention and deterrence of ML/TF, posing the highest possible harm to the Act's objectives and FINTRAC's mandate. Therefore, the penalty is $100,000, the prescribed maximum amount.

6.2.2 Level 2 harm: The training program is missing elements that are priority

Priority elements for the training program include covering the established policies and procedures to comply with all the requirements of the Act and its regulations, the responsibilities of employees, agents and those acting on the RE's behalf when dealing with suspicious transactions, and key ML/TF concepts including background information on how they relate to the business. Non-compliance with these elements is assessed as Level 2 harm because a lack of training in these elements could cause failures in meeting other requirements such as reporting, record keeping and verifying client identity. As a result, the penalty is $75,000.

6.2.3 Level 3 harm: The training program is missing elements that are basic

A plan that addresses the timing and frequency of delivery of the training program, that identifies who will receive the training and that includes content that is relevant and specific to different roles in the organization forms the basis for the delivery of the training program. Not only does it help to comply with the requirement to maintain an ongoing training program, but it clearly lays out which employees, agents and those acting on an RE's behalf are to be provided with relevant training to effectively comply with all the requirements. The likelihood of exposure to ML/TF offences and associated risks varies for employees, depending on their roles. For example, tailored training for employees that detect transactions that need to be reported, that verify client identity, that keep records, and perform other customer due diligence measures will have a greater impact on compliance. Non-compliance with these requirements poses Level 3 harm, which incurs a penalty of $50,000.

6.2.4 Level 4 harm: The training program is not maintained on an ongoing basis

Efficiency in the fight against ML/TF is found in those elements that assist in achieving the objectives of the Act and FINTRAC's mandate, and support Canada's AML/ATF regime by maximizing its performance. Guidelines dictating the frequency of training ensure that personnel receive information and training on new compliance requirements and are provided with reminders on existing requirements. Failing to establish clear guidelines for ongoing compliance training may result in program weaknesses over time, for example, due to changes to regulatory requirements, or changes in staff or organizational structure. This may lead to the RE not meeting its requirements to report, identify clients and keep records. Non-compliance with this requirement is assessed as posing Level 4 harm and incurs a penalty of $25,000.

7. Violations related to the prescribed review

This section outlines FINTRAC's approach to failing to institute and document the prescribed review, including the harm assessment and penalty calculation.

Table 11—Violations related to the prescribed review

| Provision of the Act | Provision of the PCMLTFR | Description | Classification of violation |
|---|---|---|---|
| 9.6(1) | 71(1)(e) | Failure of a person or entity to institute and document the prescribed review | Serious, $1-$100,000 |
| 9.6(1) | 71(2) | Failure of a person or entity to report prescribed information within 30 days after assessment | Serious, $1-$100,000 |

7.1 Harm done in the case of violations related to the prescribed review

Changes to an organization's structure, personnel, policies and processes, and environment may over time, if not immediately, require revisions to the compliance program that is in place. The purpose of the prescribed review is to ensure that the RE's compliance program is continuously adapted to continue to comply with the requirements of the Act and its regulations. The prescribed review of the compliance policies and procedures, and that of the ongoing training program tests the reporting, client identity verification, record keeping and appropriate mitigation measures application. The prescribed review of the risk assessment ensures that the RE is adequately assessing, identifying and mitigating the risks of ML/TF over time.

Failing to conduct the prescribed review signals that the RE may not be fulfilling one or more of its other requirements under the Act and its regulations, by not having kept up to date with changes in the organization or external changes such as new technologies in the financial sector and regulatory updates. Additionally, any gaps or ineffective processes in the existing compliance program may go undetected, leading to uncorrected non-compliance. For example, the RE's existing risk assessment may not identify its most vulnerable areas, making it difficult to apply appropriate mitigating measures to reduce the risks of ML/TF and contribute to the safety of Canada's financial system and that of Canadians. Ultimately, undetected non-compliance and inefficiencies could result in harming the achievement of the objectives of the Act and FINTRAC's mandate.

7.2 Penalty determination for violations related to the prescribed review

FINTRAC will assess the level of harm and penalty for failing to institute and document the prescribed review using the criteria listed below.

Table 12—Levels of harm and penalties for violations related to the prescribed review

| Level of harm | Type of non-compliance | Description of the non-compliance with the prescribed review requirement | Penalty (not considering mitigating factors) |
|---|---|---|---|
| Level 1 | The requirement is not met to any degree, or what is in place is not functional, causing widespread non-compliance. This is complete or widespread non-compliance. | The RE has not conducted any part or most of the prescribed review. | $100,000 |
| Level 2 | An element that is priority for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with important weaknesses. | The review does not include testing for effectiveness; and the scope of the review does not cover the compliance policies and procedures, risk assessment, and training program. | $75,000 |
| Level 3 | An element that forms the basis for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with moderate weaknesses. | The review does not evaluate the compliance program documentation, such as policies and procedures, to ensure that they are complete and up to date. | $50,000 |
| Level 4 | An element that enables the efficient achievement of the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with lesser weaknesses. | The review is conducted beyond the prescribed two-year period. The review methods are not clearly documented and do not demonstrate how the compliance program is tested for effectiveness. When required, an internal or external auditor did not conduct the review. | $25,000 |

7.2.1 Level 1 harm: The RE has not conducted any part or most of the prescribed review

When an RE does not conduct the prescribed review, or when the review is absolutely minimal, this poses the highest harm to the objectives of the Act and FINTRAC's mandate. It is highly possible that policies, procedures, training, and risk assessments are outdated, inaccurate or ineffective, and therefore non-compliance with reporting, record keeping and client identification requirements is also more likely. This represents Level 1 harm, which incurs a penalty of $100,000 as the requirement has not been met to any degree, or in a manner that is too minimal for the requirement to be considered as being met.

7.2.2 Level 2 harm: The review does not include testing for effectiveness; and the scope of the review does not cover the compliance policies and procedures, risk assessment, and training program

Effectiveness testing and a comprehensive review are key to meeting the requirement. Next to not instituting the prescribed review, the second-highest level of harm comes from reviews that do not include testing the effectiveness of the compliance program, and reviews that do not cover key elements of the compliance policies and procedures, risk assessment, and training program. This type of non-compliance poses Level 2 harm and incurs a penalty of $75,000.

A review that does not include effectiveness testing does not look at how the compliance program is applied in practice. It is essentially only a theoretical review of the documentation that has been developed. Even if the documentation were in order, there is still the potential that the policies and procedures are not being put into practice and this poses a high risk of errors and inadequacies in the compliance program that are not detected.  

Additionally, when the review is incomplete, meaning that key elements are overlooked from the assessment, large gaps and weaknesses in the compliance program can go undetected. For example, if the review omitted to assess the training program, the staff may not be trained properly to carry out their duties. In turn, this could result in non-compliance with requirements of the Act and its regulations, despite having policies and procedures, and risk assessments.

7.2.3 Level 3 harm: The review does not evaluate the compliance program documentation to ensure that they are complete and up to date

The documentation of the compliance program is the basis from which compliance is achieved. To this end, the prescribed review should at a minimum assess the documented policies and procedures, training program and risk assessment to ensure that the standards established by the RE are clear, complete and up to date, in accordance with the requirements of the Act and its regulations. A review that does not evaluate the compliance program documentation for completeness and accuracy could lead to processes that are not clearly understood, or are applied inconsistently. This type of non-compliance poses Level 3 harm and incurs a penalty of $50,000.

7.2.4 Level 4 harm: The review is conducted beyond the prescribed two-year frequency; the review methods are not clearly documented and do not demonstrate how the compliance program is tested for effectiveness; and when required, an internal or external auditor did not conduct the review

Efficiency in the fight against ML/TF is found in those elements that assist in achieving the objectives of the Act and FINTRAC's mandate, and support Canada's AML/ATF regime by maximizing its performance. Non-compliance with these elements poses Level 4 harm and incurs a penalty of $25,000.

In order to identify and correct gaps in the compliance program in a timely manner, the prescribed frequency of the review is every two years. Failing to institute a review that respects this frequency could result in unidentified deficiencies that remain uncorrected for an undetermined period of time. If the period between reviews is extensive, undetected deficiencies could be exploited for ML/TF purposes.

Clearly documenting the methods used to conduct the review and demonstrating how program effectiveness will be tested contributes to the efficiency of the review and the RE's AML/ATF efforts. For example, the method for sampling and testing should reflect the size and complexity of the RE's operations to ensure that the review's findings are representative.

Where applicable, an internal or external auditor is to perform the review. This is to ensure an independent assessment of the compliance program's effectiveness and that the findings are neutral and objective. The expertise of an auditor also ensures that the scope and the effectiveness testing are adequate and comprehensive.

7.3 Harm done in the case of a violation related to prescribed review reporting

Reporting prescribed information following the compliance program's review provides an RE's senior officer with a timely understanding and oversight of the RE's overall compliance with the Act and its regulations, and of changes that would be required to improve or ensure compliance and risk mitigation. Failing to report the results of the prescribed review to an RE's senior officer within 30 days of the assessment impedes the senior officer's ability to oversee the effective application of policies and procedures and to manage ML/TF risks. This can undermine risk mitigation, leaving the RE vulnerable to ML/TF offences.

7.4 Penalty determination for a violation related to prescribed review reporting

FINTRAC will assess the level of harm and penalty for failing to report prescribed information on the review using the criteria listed below.

Table 13—Levels of harm and penalties for a violation related to prescribed review reporting

| Level of harm | Type of non-compliance | Description of the non-compliance with the reporting on the prescribed review requirement | Penalty (not considering mitigating factors) |
|---|---|---|---|
| Level 1 | The requirement is not met to any degree, or what is in place is not functional, causing widespread non-compliance. This is complete or widespread non-compliance. | There is no reporting, or minimal reporting, of the results of the review to a senior officer. | $100,000 |
| Level 2 | An element that is key to achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with important weaknesses. | Priority elements of the prescribed review are not reported to a senior officer, including: (1) Results; (2) Updates to policies and procedures, if applicable; and (3) The implementation status of the updates to policies and procedures. | $75,000 |
| Level 3 | An element that forms the basis for achieving the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with moderate weaknesses. | The prescribed information was reported to an individual who is not a senior officer and does not have the authority to ensure that the changes to the compliance program are implemented. | $50,000 |
| Level 4 | An element that enables the efficient achievement of the objectives of the Act or FINTRAC's mandate is not met. This is partial non-compliance with lesser weaknesses. | The prescribed information was reported beyond the 30-day period following the assessment, delaying the implementation of the required compliance program changes. | $25,000 |

7.4.1 Level 1 harm: There is no reporting, or minimal reporting, of the results to a senior officer

Reporting to senior staff helps to ensure that those responsible for the RE's compliance are aware of the program's performance, including the weaknesses that must be addressed and oversight of the compliance officer's implementation of the compliance program. The harm is the greatest when the results of the review are not reported, or when minimal results are reported to a senior officer, because there is a high likelihood that those responsible for the business would not be aware of the compliance challenges, making it impossible to adequately assess their seriousness, manage risks, and take corrective measures where needed. Non-compliance of this type poses Level 1 harm and incurs a penalty of $100,000.

7.4.2 Level 2 harm: Priority elements of the prescribed review are not reported to a senior officer

The priority elements of the prescribed review that must be reported to senior management include: the findings of the review, updates to policies and procedures, and the implementation status of the updates. These elements give senior management a comprehensive picture of the RE's state of compliance; with this information, management can take the appropriate actions to mitigate risks and correct non-compliance. When the reporting does not cover one or more of these priority elements, it is incomplete and poses Level 2 harm, incurring a penalty of $75,000.

7.4.3 Level 3 harm: The prescribed information was reported to an individual who is not a senior officer and does not have the authority to ensure that the changes to the compliance program are implemented

If the results are reported to someone who is not a senior officer, or if they are reported to a senior officer who is not in the position to bring about changes to improve the compliance program, there is a risk that nothing will come of the review. Without a senior officer's involvement, the proper attention and resources will not be given to the compliance program. As a result, non-compliance issues and ML/TF risks could remain and increase in gravity over time. This type of non-compliance poses Level 3 harm and incurs a penalty of $50,000.

7.4.4 Level 4 harm: The prescribed information was reported beyond the 30-day period following the assessment, delaying the implementation of the required compliance program changes

Timely communication allows senior management to make informed strategic decisions. When the prescribed information was reported to a senior officer beyond the 30-day period following the assessment, the delay affects the changes to the compliance program, which diminishes the efficient achievement of the objectives of the Act and FINTRAC's mandate. Those in charge of an RE's governance are unable to oversee the timely and efficient improvement of the compliance program and manage the ML/TF risks. This type of non-compliance poses Level 4 harm and incurs a penalty of $25,000.
