Transcript: New obligations webinars - Financial Entities

Good afternoon everyone. Good morning to those of you joining us from Western Canada.

Welcome to FINTRAC's presentation to reporting entities covering the new PCMLTFA obligations for financial entities.

This webinar is part of a series of seminars that will explain new legislative requirements of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act or PCMLTFA. Many of these changes will come into force in 2008 and 2009.

Today's presentation for the financial entities sector will be made by Marilyne Landry, FINTRAC's Manager for Program Development.

I would like to remind participants that it is possible to ask questions during the presentation by using the email address on your screen. We will pause, from time to time, to take questions during the presentation and answer them.

I should also point out that this presentation will be available later in its full form. You can listen to it later if you like. It will be archived on the FINTRAC Web site once we have it packaged and posted.

Now, I will turn things over to Marilyne Landry.

Thank you so much Peter and thank you to everyone who has tuned in this afternoon or morning.

Also, a reminder that if you want to follow with a paper copy of the presentation, the slide presentation is posted on our Web site at www.fintrac-canafe.gc.ca. There is a link to Presentations to Reporting Entities.

Also a reminder that the presentation you have in front of you on your screen will not move automatically. You have the control, in terms of when you want to move the slides. So, when I speak about the various slides, I will tell you where I am in the presentation and you can follow along at your leisure.

Presentation Overview

This is a presentation overview. We will provide you with an introduction as to the background behind the changes and the obligations. We will talk about what the objectives of the new requirements are and then we will focus on what the changes are.

So, first of all changes to reporting, and then looking at client identification and record keeping, taking a look at new due diligence measures that reporting entities will have to comply with, changes to the compliance regime, and then a quick overview of the administrative monetary penalty regime and then finally some information about communication tools that we have available for you.

Introduction

In December of 2006, the Parliament of Canada amended the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Following those amendments, changes were also made to related regulations, to both the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations and the Suspicious Transaction Reporting Regulations.

If you want to access a copy of the text of your obligations - the law and the official regulations - you can find them at three different places. One, the Act - the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its related regulations, and there is a regulation that is dedicated to suspicious transaction reporting (STR). So, if you review these three documents, you will find out exactly what your obligations are.

This presentation today will focus on those requirements that are coming into effect on June 23, 2008, roughly in about two months time.

It is important to note that as a reporting entity, so you won't start working on this on June 23, 2008. All of the requirements should be in force by June 23, 2008. If you are subject to a FINTRAC examination, following June 23, (2008), FINTRAC will expect all of the requirements to be in place.

Now, I'll just provide some context to all of these changes.

Objectives of New PCMLTFA Requirements

Why all of these new requirements and what are we trying to achieve?

On slide 5, we have a series of objectives with respect to these new requirements. But before I talk about the objectives, it is important to provide a little bit of context as to why these changes occurred.

FINTRAC and the broader money laundering anti-terrorist financing initiative were subject to a number of reviews over the last two to three years, starting with the Office of the Auditor General. We had the Auditor General evaluate the initiative and put forward a series of recommendations. There was also a mandated parliamentary review that was conducted by the Senate Banking Committee in 2006 and this resulted in a series of recommendations as well as a mandated evaluation that was conducted by the firm ECOS. When the Department of Finance presented the Bill to Parliament, it took into consideration all of the recommendations and determined what was in the best interest, what made sense in the Canadian context. The changes that we are presenting today are a result of this process.

FINTRAC has been in existence for about eight years. In those years, FINTRAC has benefited from its initial years of building and the experience it has had in terms of creating disclosure cases and disclosing them to law enforcement agencies. Many of the changes that you will see today are a result of that experience and the desire to improve on the already existing obligations.

This forms the context of the domestic influences. Internationally, there was also a series of recommendations by the Financial Action Task Force (FATF), an inter-governmental body whose purpose is the development and promotion of national and international policies to combat money laundering (ML) and terrorist financing (TF), recommendations that Canada has agreed to comply with. Many of the changes that you will see today also reflect a desire for Canada to comply with those recommendations.

So, all of that context fed into the obligations that we will be talking about today. What do these changes try to achieve?

First, they are an attempt to strengthen anti-money laundering and anti-terrorist financing regimes and build on FINTRAC's and their partners' experiences in the fight against ML and TF, look at existing gaps in the legislation, and try to address those, enhance the detection and deterrence of ML and TF.

Also, it is important to note that at a transaction level, a lot of the record keeping, client identification and enhanced due diligence measures that we will be talking about today make illicit transactions that much harder to conduct. So, when we talk about someone who is trying to launder money or finance terrorism, it is much harder for them to conduct their transaction in an anonymous way. The harder we make it for them, the more we are deterring the activity. Our ultimate goal is to have the greatest impact against both organized crime and terrorism.

That gives you an idea of what we are trying to achieve with all of the changes that you see here today.

Suspicious Attempted Transactions

We are now going to focus on specific changes, changes to reporting requirements.

The biggest change having to do with reporting requirements has to do with Suspicious Attempted Transactions (SATs). When I talk about FINTRAC's experience coming to bare with some of the changes that we see today, SATs is a perfect example of that.

FINTRAC receives from reporting entities notification of suspicious attempted transactions. However, the way it stands now with the legislation and the regulations, FINTRAC doesn't have the authority to disclose that information to law enforcement agencies. A key piece of the puzzle is not available to our law enforcement partners. This particular provision tries to address that by requiring all reporting entities to report SATs to FINTRAC.

The most common question that we get with respect to this requirement is "What is an attempt?" I will now go to slide number 8.

Suspicious Attempted Transactions (cont'd)

Here we identify two main criteria to determine if something is a SAT. First and foremost, you need to determine if there is a suspicion of ML or TF. That is your first step. If the answer is no, your job is done with respect to that particular transaction.

However, if you do think that the transaction is related to money laundering or terrorist financing, then the second question you need to ask is whether there was a concrete action taken. Was there negotiation? Was there direction surrounding the transaction? If so, it could be considered an attempt. Many sectors have asked FINTRAC if we can provide them with concrete examples. Certainly we can, but always remember that every situation is different. The basis of reporting is "Do you think there is a suspicion of ML and/or TF?"

Suspicious Attempted Transactions (cont'd)

Moving on to slide 9 and a concrete example of what could be considered as a SAT.

Someone comes and provides you with a cash deposit of over $10,000. You think that something is suspicious with that request because your records indicate that there is no reason why this particular individual should have that much money. You ask for a piece of ID and they do not provide it, so the transaction is not completed. This type of situation meets the two requirements of a suspicious transaction.

One, you think that it is suspicious because you are not sure about the origins of the funds (it's inconsistent with the normal account activity that you see for that particular client) and you know that large cash transactions are an indicator of potential money laundering. Then, the second criteria: Was it an attempt? Was there concrete action taken? In this case, yes, because they provided you with the funds. There was a discussion regarding what the service fee was. So, this situation meets the two criteria: there was suspicion and there was a concrete action taken.

I will talk about what is NOT considered a suspicious transaction. Perhaps a client asks what the exchange rate is; that is just asking for information. There is no concrete action taken to initiate a transaction. The client is just asking a question. It is important to make the distinction between concrete action and an information request.

I would indicate that Guideline 2 on suspicious transactions and suspicious attempted transactions has been updated with a section on attempted transactions to help you clarify what they are.

Once you determine that a SAT has been made, you must report it to FINTRAC. You will use the same form that you are currently using to report suspicious completed transactions and there are two new fields on the form.

  • Whether the suspicious transaction was completed and if it was an attempt;
  • If not, the reason why it was not completed.

Beneficiary Information

Moving on to slide 10. This is a new requirement having to do with electronic funds transfers (EFTs) and the required beneficiary information.

The first rule with respect to EFTs; if you are the first Canadian reporting entity to receive an EFT coming from abroad, you must report that EFT to FINTRAC.

The new rule, is rule number 2, where more than one reporting entity is involved in the EFT. So, let's say the EFT comes from France, it goes to financial institution number one, and financial institution number one sends it to credit union number two. The credit union must see that the beneficiary's name and address is contained in the EFT. If the name and address of the beneficiary is not in the EFT, the second reporting entity, in this case the credit union, must report the name and address to FINTRAC. The logic behind that is that the initial financial institution doesn't have a full picture of the financial transaction. It just knows that the EFT went to a credit union. FINTRAC wants to know exactly who received the money because it is very important in terms of our financial analysis. We want to make sure that the beneficiary's name and address is obtained by FINTRAC.

If you are the final reporting entity that has received the EFT and the name and address of the beneficiary is not included in the EFT, then you must report it to FINTRAC.

Bundled EFTs

The final change in reporting has to do with bundled EFTs. This is guidance that FINTRAC has provided in the past and it has just been codified in the regulations.

I'll remind you of the 24-hour rule. If you have several EFTs that have occurred within a 24-hour period and those multiple EFTs add up to more than $10,000, then they must be reported to FINTRAC.

We have exceptions to that which are lower risk situations. Slide 11 identifies those lower risk situations. If the EFTs are requested by a public body, a very large corporation or an administrator of a pension fund, the 24-hour rule does not apply. All you have to do is report transactions that are over $10,000. The logic being that those particular bodies would send several EFTs during the same day for payroll, or to reconcile accounts in the case of pension funds. They are considered lower risk. Bundle all of those EFTs and report them to FINTRAC, because there is less vulnerability with transactions below $10,000. So, only transactions over $10,000 would be required to be reported.

That sums up the section on changes to reporting. I'll remind everybody that if you have any questions or want any clarification on anything I present today, use the email link to send questions. I'll turn it over to Peter to see if we have received any questions.

Questions?

We have one.

Question:
Should risky transactions be completed?

Answer:
The answer is, it is completely up to you. I will talk about risk-based approach a little bit further into the presentation. Certainly, if you determine that transactions are too risky and you want to establish a risk mitigation to say that you are not going to conduct the transaction, that is at your discretion. But FINTRAC will never tell you not to complete a transaction. That is for you to determine. The only exception to that is if you are opening an account for a client that you can't identity: you are prohibited from opening the account. That is the only exception. Otherwise, you use your own judgment to determine if you want to conduct risky transactions or not.

Record Keeping: New Exemption

The are lots of changes in the area of record keeping and client identification.

On slide 13, we will speak to a general exemption that applies to all reporting entities and that is intended to make things a little easier. The new exemption states that if, as a reporting entity, you keep (information) in a record that is already readily available with any other record kept under the PCMLTFA, you do not have to keep that information again. This has been in effect since June 30, 2007. The logic being that if you are already keeping the information in one place, you don't have to duplicate it in any other place.

EFTs of $1,000 or More

Here we talk about what the record keeping and client identification are for EFTs. There is a change in the threshold at which you need to keep documents and identify (the client). In the past, you had to identify at $3,000 and keep a record. Now that threshold has been lowered to $1,000. For any EFT of $1,000 or more at the request of a client, you must acquire the information as indicated on slide 14 and you must identify the client.

It is important that you apply this to international EFTs as well as domestic SWIFT EFTs and T103s.

This is a little broader and it only applies to international EFTs, and to SWIFT 103s. This was being done at a $3,000 threshold; as of June 23, (2008), you will have to do it at $1,000 for EFTs.

Travellers' Cheques and other Instruments of $3,000 or More

Moving on to slide 15. Some of these requirements were already in effect but there has been a consolidation of all of the requirements for financial entities. We just wanted to highlight that the change had occurred in terms of where it is codified in the regulations.

Slide 15 is just a reminder that if you receive $3,000 of travellers' cheques, money orders, or other negotiable instruments, this is the information that you need to keep and you need to identify the client if you do not have a signature card signed.

Redemption of Money Orders of $3,000 or More

Here we highlight what is a similar obligation relative to money orders. It is not only the receipt of one money order of $3,000 or more. If you actually receive several money orders that total $3,000 or more, the record keeping and client ID requirements kick in. You don't have to ID the client if you have a signature card on file for them.

Intended Use of Account

There is a new requirement in terms of documenting the intended use of an account. For every account that is open, you must have a record of how the account is going to be used. It is really important that when you are reporting the intended use, you provide as much detail as possible. It is not sufficient to only say what kind of account it is, but you need to provide more detail as to how that account is going to be used, so that we can evaluate whether there is a divergence in terms of how the account is used. So, when you look at a personal account, for general cheques, services for payment of household expenses, if someone were to use a household account to wire a large amount of money to Europe, then alarm bells should go off.

Another example: if you receive direct deposits for employment, pension income or to save for retirement. In terms of a commercial account, examples would be deposits of daily receipts, for payroll, and operating expenses. The idea here is to gather enough detail so that if there are variances in the use of the account, a red flag will come up. The detail is important when documenting the intended use of an account.

Suspicious Transaction Reports

As of June, 2008, you will be required to keep copies of STRs concerning both attempted and completed transactions. You can keep those records either electronically or in paper. In addition, reporting entities must take reasonable measures to determine the identity of an individual who is the subject of a suspicious completed transaction. The exception to this is, if you are going to tip off the client, then you do not have to identify.

Credit Card Accounts: Record Keeping

These are not entirely new obligations. I should highlight that in the regulations, the requirements for credit card accounts have been separated from the other types of accounts that financial entities open.

Slide 19 highlights what information you need to document when opening a credit card account for an individual.

Credit Card Accounts: Record Keeping (cont'd)

Here we highlight what information needs to be kept when opening a credit card account for a corporation. You have to keep things like a copy of official corporate records, name, address, telephone number of every card holder under the corporate account and date of birth, if possible. This is a reasonable measures field. Copies of every credit card application and credit card statement.

Credit Card Accounts: Record Keeping (cont'd)

This is a separate requirement for entities other than a corporation. Essentially, the information that you have to gather is very similar to the information required for corporations.

Credit Card Accounts: Client Identification

Here we are highlighting what identification is required from a client ID for the opening of a credit card account.

For credit card accounts for individuals, you must identify the individual under which the name of the account is open. For corporate credit card accounts, you need to confirm the existence of the corporation and determine the names and addresses of all the directors. It is important to note that there is a difference between identifying and ascertaining the names. When we say ascertaining the names, you have to actually get the list. You don't actually have to identify the directors, but you do have to confirm the existence of the corporation. Then for credit card accounts that are opened for entities, you need to confirm the existence of the entity.

Given that the client identification and record keeping section is a long one, I thought I would pause here to ask if there are any questions from the audience.

Question:
Should non monetary attempted transactions be reported as suspicious?

Answer:
Non monetary? There needs to be an attempt of a transaction. I am not sure what non monetary means in this context. But if someone comes in to the financial institution with... actually, I can't think of a non monetary situation. I'll say that it is very much linked to the attempt at a transaction. If someone comes into the bank with a big hockey bag full of money, but doesn't actually go to the teller, that would not be considered an attempted transaction and would not be reportable to FINTRAC. I am not sure if that is what the questioner was trying to get to, but hopefully that clarifies it a little bit.

Question:
If we have a signature card completed years prior to the new requirements in 2001 for identifying as per anti-money laundering, is this considered adequate for client identification purposes?

Answer:
The client's identification purposes aren't retroactive. So, when we say if there is a signature card on file, we don't check whether it was signed in 1992 or 1972. If you have a signature card on file, you're fine. There is a requirement, and I will talk about it when I talk about the risk-based approach, to keep client information up to date. That is not to say that you have to re-identify the client, but if someone is considered higher risk, you will need to keep their information up to date. In terms of the signature card, there is no requirement to go back, but there will be when I talk about risk-based approach, an obligation to keep a higher risk client's information up to date.

Question:
For two or more money orders totaling $3,000, what is the time frame that FINTRAC is looking at when it comes to reporting that?

Answer:
It is at the time of the transaction. So, two things there: when we talk about money orders (slide 16) we are not talking about reporting, we are talking about client identification and record keeping. At that particular time of the transaction where there are many, many money orders, we are not talking about the 24-hour rule, we are talking about at the time of that particular transaction. Were there multiple money orders to complete the transaction?

Question:
We have a couple of questions on the beneficiary information for the EFTs; I will group them together. If there are ten banks in the chain of an EFT, does the new beneficiary information requirement apply to only the final bank in the chain?

Answer:
That's right. It would apply only to the last bank because the last bank would be the one to have the information on the beneficiary.

Question:
This question involves the beneficiary information requirement on an incoming EFT received by the bank, where the address and the beneficiary information are missing. The wire is put on hold and the missing information is asked for from the sending institution. Does that wire still have to be reported to FINTRAC?

Answer:
It is the transmission of instruction, when the bank receives the transmission of instructions, so yes, it would be reportable.

Client Identification

Here we highlight that there is a whole new section having to do with non face to face transactions. We recognize that reporting entities need a little bit more flexibility to conduct client identification when the client is not right in front of them.

I will start by saying that the standard method to identify is face to face using government issued ID. If you are using non face to face delivery channels, you have more flexibility in terms of identification.

I will also highlight that at the bottom of slide 23, the last point indicates that there is a prohibition to open an account if you cannot establish the identity of the client.

There was an earlier question about turning down risky transactions: the answer is no, but this is the exception. You are prohibited by the regulations to open an account if you cannot identify the client. So, this is a new provision and an important one to note.

In terms of non face to face transactions, we will be talking about three major categories of methods that can be used. You can only use these options in non face to face situations.

Client Identification: Non Face to Face Methods

When we take a look at this slide, there are two broad categories related to non face to face methods.

The first one is that you can use an affiliate or co-member. I will explain that in greater detail. Then there are specific combinations of identification methods that we will review. You will be required to use two of these methods and I will speak about each of the different methods individually. The third category of non face to face identification method is to use an agent or mandatory.

Affiliate or Co-member Method

This method can be used by an affiliate or a co-member of an association. It only applies to affiliates or co-members of the following sectors: banks, credit unions, caisse populaires, trust companies, loan companies, securities dealers and life insurance companies. The question you have to ask is "Is your affiliate in one of those sectors?"

The second question you need to ask is "Are they wholly owned by you, do they wholly own you, or are you owned by the same entity?" That is the second condition. In the case of credit union centrals, if you are co-members of the same association, you can also rely on the identification efforts of co-members.

Either they are an affiliate from one of these sectors and there is a wholly owned relationship as indicated in slide 25, or they are members of the same association such as a credit union central.

Affiliate or Co-member Method (cont'd)

Once you have met the two criteria and you have determined that they are an affiliate and from one of the prescribed sectors, then ask the client to provide you with their personal ID information: name, address, and date of birth. Then you confirm with your affiliate or co-member that the ID has been verified properly using government issued valid identification - using the standard method. Then make sure that what your co-member or affiliate provided to you corresponds with the information that the client provided you with.

To review the three steps: get the information from the client, make sure that the standard identification method was used, and make sure that the information corresponds with what the affiliate gathered and what the client provided.

New Non Face to Face Combination Methods

Here we outline the second category of options available in non face to face situations. Two methods must be combined. We will review the five methods.

I will go through the five methods first and explain what they are. Then I will talk about what combinations of methods are available to you.

The first one is an identification product (ID Product). This is an independent and reliable identification product that is based on personal information and information derived from a Canadian credit history that has been in existence for at least
six months.

There are many products that ask questions with respect to your credit history. For example, they might ask: "Marilyne Landry, do you have a car loan?" I will tell them that I do and then they might ask what the monthly payment is on that car loan. When will you finish paying off your car loan? All these questions are intended to ascertain whether or not the person is indeed Marilyne Landry.

That is the first method. The second method is referring to a credit file that has been in existence for at least six months. Now, if you are going to use the credit file method, you have to obtain the consent of the client before doing so.

These two products are commercially available and they are usually used for credit rating purposes.

New Non Face to Face Combination Methods (cont'd)

Here we review the three other methods.

In terms of the attestation method, this is where either a commissioner of oath or a guarantor has seen a valid form of ID. Who is considered a guarantor? A list of those who can act as guarantor is similar to that of someone who can sign a passport application. Guideline 6 provides details on who can act as a guarantor. A guarantor can be a dentist, medical doctor, chiropractor, judge, magistrate, lawyer, notary, notary public, optometrist, pharmacist, professional accountant, professional engineer, or veterinarian.

You are not required to verify the credentials of the guarantor. The obligation is to get their name, their profession, the address, and signature of the person providing the attestation. They need to sign a legible photocopy of the government issued ID and also include the type of and number of the identification document provided. So, you do not have to go and investigate if the guarantor is a dentist.

You can use the cleared cheque method. The clear cheque method confirms that the cheque has cleared at a Canadian financial institution.

You can receive confirmation of a deposit account. This confirms that the client has a deposit with a financial entity. You need to receive confirmation from the financial entity itself. Receiving confirmation from the client is not sufficient.

So, we've gone through the five methods that exist in terms of trying to combine various options.

Client Identification: Non Face to Face (NFTF) Methods

Slide 29 tells you what combinations you are allowed to use.

It is important to note that you cannot combine all of the methods or combine methods that use the same source of information. You cannot use information from an identification product and a credit file. It is from the same source, therefore you cannot combine them. This is the same thing for a cleared cheque method and a confirmation of a deposit method.

Slide 29 of this presentation indicates the combinations that are available and acceptable. Some of you have already indicated that this seems complicated. But I just want to note that there is no requirement for you to use any of these new methods. If you want to continue to identify your clients in a face to face environment, you may continue to do so. These methods are to provide you with more flexibility in non face to face situations.

Client Identification: NFTF for Credit Card Accounts -
Option 1

Now I will highlight some of the differences with credit card accounts. There is a little bit more flexibility with conducting client identification for credit cards. On slide 29, I indicated that you can't actually combine methods that come from the same source. For credit card accounts you have that flexibility and, in addition, there is a sixth method that we have added which is using an independent data source method; reverse lookup sites that are available on these. It is important to note that the data source needs to be linked to a telephone directory or something of that nature. So, you have to use a reverse lookup, but not just anyone. Note that for credit card accounts you must ID the client before the credit card is issued.

Client Identification: NFTF for Credit Card Accounts -
Option 2

Here we address the circumstance where the credit card account cannot exceed a credit limit of $1,500. For smaller credit card accounts, you have available to you all the options that were listed on slide 30 and, in addition to those methods, you can also combine with a copy of the utility invoice or a photocopy of the ID and a deposit account confirmation.

It is important to note that the limit is $1,500. If the limit is increased beyond this amount, the reporting entity must re-identify the client as per options on slide 30. The options that are on slide 31 are only for credit card accounts that are less than $1,500. As soon as you go beyond the $1,500, in terms of credit limit, you need to use one of the methods as indicated on slide 30.

Client Identification: Use of Agents

Regarding the use of an agent, use whomever you deem appropriate as an agent. You must have a signed agreement with the agent. As well, you have an obligation to obtain the customer information from the agent. Slide 32 explains how the use of an agent works in the context of our regulations.

To summarize, the three options you can apply in non-face-to-face transactions; the use of an affiliate or co-member, the combination of method, and finally using an agent.

Client Identification: Doubts about Identification

There is a general rule in terms of client identification, that if you have identified someone, and you recognize them, you do not have to re-identify, unless you have doubts about information that they have provided you or the accuracy of the information that they have provided you.

Record Keeping and Client Identification Exemptions

Here we give you an example of some of the new exemptions that have been added to the record keeping and client identification requirements. The list of new exemptions is long, they target lower risk situations. One is listed on slide 34, so it is actually an entity that is a subsidiary of large corporation and has its financial statements consolidated with the large corporation. In this case, you don't have to ask for client identification or record keeping. It's one of the many exemptions, I would refer you to Guideline 6 for financial entities. All of the exemptions that exist for client identification and record keeping requirements are listed there.

Exemptions: Credit Card Acquiring Activities

Looking at slide 35, we talk about credit card acquiring activities and highlight that those activities are exempted from client identification and record keeping requirements only for those activities.

If you are a financial entity that provides credit card acquiring services, you do not have to do client identification and record keeping for those particular activities. However, you still have the requirement to report suspicious transactions and follow compliance regime obligations including conducting a risk assessment.

Third Party Determination

Here we address a clarification with respect to third party determination. An employee depositing cash in an employer's business account is not considered to be acting on behalf of a third party. Therefore, no third party determination is required.

Foreign Branches and Subsidiaries

Here talk about foreign branches and subsidiaries located in non FATF countries. If you have branches or subs that are located in a country that is not listed in the FATF, you must develop policies and procedures that are consistent with your client identification, record keeping, and compliance regime obligations here in Canada. They don't have to be identical, but they need to be consistent in three areas: client identification, record keeping, and compliance regime. If local laws of the country prohibit you from applying these policies and procedures, you need to document this. I will also highlight that the foreign branch or subsidiary needs to be located in a non-FATF country.

So, that wraps up the section on client identification and record keeping. I will pause to see if we have any questions from the audience.

Question:
If we use a credit (file) product to identify a client, is it required that we keep a copy of it?

Answer:
I have to say that the particular details of what is required for each of the different methods, I don't have in front of me. However, Guideline 6 will provide you with exactly what you will need to keep for your records.

Question:
For a financial institution issuing corporate credit cards, do the rules on slide 20 apply when a corporate credit card is in the name of an employee of the corporation?

Answer:
If it is a corporate credit card, the determination is under whose name is the account. If it is under the corporation's name, then yes, the rules in slide 20 would apply.

Question:
How many pieces of ID should be obtained: one or two? Are you required to obtain photo ID?

Answer:
I will say that for the PCMLTFA, your obligation is one piece of government issued ID and it does not have to be photo ID. However, you might have other requirements through other regulators that might impose broader requirements. But for the context of our regulations and our Act, it is one piece of government issued ID and you do not need a photo.

Question:
Is a bank required to provide us with information to confirm a deposit account and might this not violate privacy laws?

Answer:
They are not required to do so and obviously if they are going to share that type of information, they would need to comply with privacy laws. Given that you would be ascertaining the identity of the client, the client could provide their authorization to the financial institution, but there is no requirement to do so. All financial institutions would need to comply with existing privacy laws.

Question:
If a financial entity conducts transactions for non account holders or non clients, are we then considered to be engaged in a money services business?

Answer:
The answer to that today is less clear because some of the requirements for financial entities are found in both silos of the regulations; both the money services businesses and the financial entity silo. However, you would not be considered a money services business. As of June 23 (2008), all of your requirements with respect to financial entities are in the financial entity silo and the definition of a money services business specifically excludes financial entities. So, the answer is no, it would not be considered a money services business, even though you might offer similar services to a money services business to non clients.

New Due Diligence Measures

On to slide 39, here we begin a review of the section on due diligence.

Correspondent Banking

Here we talk about correspondent banking. I won't spend a lot of time on this requirement considering that it has been in effect since June 2007 and those who have correspondent banking relationships are already complying with this.

This highlights that there are record keeping requirements and due diligence measures when a financial entity enters into a correspondent banking relationship with a foreign financial institution. If you want more details on what those requirements are, refer to Guideline 6G for financial entities. This guideline will provide you with those details.

Title Slide, Beneficial Owners

Beneficial Owners

Regarding what a beneficial owner is. Slide 42 gives the definition of a beneficial owner. It is a person who owns or controls more than 25% of a corporation or an entity.

When do you need to determine beneficial ownership? You need to do it each time you need to confirm the existence of a corporation or an entity. You must also make a determination with respect to beneficial ownership. This will apply mostly at account opening, but also to any other situation where you need to confirm the existence of a corporation or entity.

Note that we understand that the ownership of a corporation is complex. Is it sufficient to just provide the name of the corporation that owns the entity? The answer is no, you need to get at living, breathing person. What we are trying to do here is get behind the corporate veil to understand who owns or controls more than 25% of the corporation.

The other question that we get is "How much digging do I have to do?" It is a reasonable measure obligation. You can take a look at corporate registries. Or, you can ask the client that is opening the corporate accounts, who owns or controls more than 25%. If this individual does not have that answer, document the fact and your requirement will have been met.

However, I would argue that if the person you are dealing with does not understand the corporate structure of the organization, that account should be higher risk. Asking the question is sufficient, but if the person that is representing the corporation cannot answer the question, the account should be considered higher risk.

Beneficial Owners: Record Keeping

Slide 43 indicates exactly what you have to document if it's for a corporation, an entity other than a corporation, or a non profit (organization).

Politically Exposed Foreign Persons

What is a PEFP?

A politically exposed foreign person (PEFP) is an individual who holds or has held a senior position in a foreign state. Slide 45 lists all of the various positions. These are positions linked to the government, the judiciary, or the military.

Why this obligation? This obligation follows the situations that we have seen with Pinochet for example, where people in senior position took national funds and transferred them outside of the country for their personal benefit. So, this obligation focuses on foreign positions, trying to identify any types of transactions that would be suspicious from that perspective.

For your purposes, if it's an individual that holds a position with the Canadian government, they are not a PEFP, including if they have held a position abroad with the Canadian government. But any foreign clients or any domestic client who has held a foreign position does apply.

Many business entities have asked if this applies to Canadian positions? And the answer is that it does not. The logic being that if every country has PEFP obligations for foreign positions, a Canadian politician would not be considered a PEFP here in Canada, but they would be in the United States. I want to specify that it is not only the individual who holds the position, but also the individual's prescribed family members.

Politically Exposed Foreign Persons (cont'd)

Now, among all of these types of individuals, their family members are considered PEFPs. So, this applies to the individual's prescribed family members which include:

  • spouse or common-law partner;
  • their child;
  • their mother and father, mother-in-law and father-in-law, brother, sister,
    step-brother, step-sister.

All of these individuals are deemed to be PEFPs in respect to that relationship and will be considered so even if the person leaves the position. You do not have to report to FINTRAC if you have clients that are PEFP.

Could a PEFP be a Canadian? The answer is yes. Let's say that Marilyne's father was a judge in a foreign country; Marilyne would be considered a PEFP. So note that it could apply to a Canadian.

Politically Exposed Foreign Persons (cont'd)

When do you need to make a PEFP determination? This is indicated on slide 47. You make a PEFP determination when you open an account, if you deem a client to be higher risk. Only for those existing clients whom you deem higher risk do you need to make a PEFP determination and for any client that is initiating or receiving an international funds transfer of $100,000 or more. There are three situations in which you are required to determine if someone is a PEFP. You have 14 days from account activation or 14 days from the date of the transaction to make the determination.

PEFP: How to Make the Determination?

Consult a commercial database. How do I determine if a commercial database is adequate? You need to make sure that the database covers all of the categories that we have listed on slides 45 and 46. If the database covers all of those categories, then FINTRAC will be comfortable with you using that database. Alternatively, you can just ask the client whether or not they have held a foreign position or if they are a family member of someone who has that type of position. Now, in terms of asking the client, I will indicate that FINTRAC is developing material for reporting entities so that they can more easily explain to a client why you are asking questions about them being a PEFP.

Politically Exposed Foreign Persons (cont'd)

Slide 49 highlights the three requirements that must be met once you have determined if the individual is a PEFP.

  • You need to document the source of funds;
  • Obtain senior management approval to maintain the account open or if it is with respect to a transaction, you need to make sure that senior management reviews the transaction within 14 days of account activation or the EFT transaction;
  • Then you need to conduct ongoing monitoring to identify suspicious transactions.

Note that you have a total of 14 days to determine if someone is a PEFP and to get approval from senior management; it is not a total of 28 days.

Politically Exposed Foreign Persons: Senior Management

What is considered senior management? The criteria is listed in slide 50. Senior management is someone who has the authority to make or be accountable for management decisions about this type of account or transaction. Senior management needs to be aware of money laundering or terrorist financing risks to which the financial entity or this type of account can be exposed to. They need to have an awareness of what is a PEFP. Those are the three criteria in terms of determining who is at the appropriate level of management that should review or approve these types of accounts.

Politically Exposed Foreign Persons: Record Keeping

Here we indicate the five elements to keep on record once PEFP determination is made. You need to document:

  • The office or position of the PEFP;
  • The source of funds;
  • The date you determined that person was a PEFP;
  • The name of the member of senior management who approved the account opening or reviewed the transaction and the date of the approval or the review.

EFT: Originator Information and Travel Rule

We will continue with other enhanced due diligence measures. We turn to slide 53 and talk about originator information and travel rule requirements with respect to EFTs.

Financial entities that send EFTs, should include the full name, full address, the account number and the reference number if any - that is the originator information. Make sure that those four pieces of information are included in the transfer itself. Financial entities that receive the EFTs must take reasonable measures to ensure that originator information is included in the transfer.

You may have in mind that you have a little bit less control in terms of what information is being sent to you, when EFTs are received. And that is why it is a reasonable measure provision with respect to incoming EFTs.

Reasonable measures means contacting the entity that sent you the EFT and trying to acquire the necessary information and documenting the fact that they have not provided you with the required information. This is not a reporting requirement; it is a requirement to ensure that the information is contained in the transfer itself. The logic being that the more information is contained in a transfer, the more information financial entities will have to make a determination about whether it is suspicious and if it gets reported to a financial intelligence organization such as FINTRAC. A clearer picture is drawn in terms of the EFT transaction.

EFT: Originator Information and Travel Rule (cont'd)

On to slide 54, we highlight to which EFT this applies to. It applies to all international funds transfers, regardless of the amount, as well as to domestic SWIFT and T103s. So, not all domestic EFTs, only the domestic SWIFT and T103s. It is important to note that there is no threshold for this particular obligation. It is for all international EFTs and all domestic SWIFT and T103s.

The last two bullets highlight an exemption that will be in place until June 23, 2009 saying that if your IT system does not allow you to transmit the four pieces of information, you have until June 2009 to modify your system. However, whatever information your IT systems can contain as of June 23, 2008, in a little less than two months, you will be required to include. As of June 23, 2009, whether or not your systems allow for it, (the information) will need to be there. If the info is not there by June 23, 2009, you will be considered non compliant.

That sums up our section on enhanced due diligence measures. So, I will check in with Peter to see if there are any questions.

Question:
For existing clients, do we have to have all of the PEFP determinations made by
June 23?

Answer:
There are two elements to my answer. The first thing is for existing clients; it only applies to whom you determine as high risk. Certainly, in a best case scenario, the determination would be completed by June 23, 2008. However, FINTRAC recognizes that depending on the size of your entity, that may not be possible. So, if it is not possible, what we would require is that you document a plan saying how quickly you plan to make that determination for high risk clients. The important thing is that you have something clearly documenting that by January, 2009, it will all be complete. However, we recognize that that may vary according to the size of the entity. If someone were to tell us that it would take 7, 8 or 9 years to make a determination of existing high risk clients, FINTRAC would say that that was not efficient. However, we will take into consideration the size of the entity when evaluating if the plan is adequate or not. It will be an evaluation made by the FINTRAC Compliance officer and certainly you should feel free to have a discussion with your FINTRAC compliance officer in terms of what is acceptable if you cannot meet the June 23, (2008) deadline.

Question:
If the PEFP becomes a citizen of Canada; do they still fall under the definition?

Answer:
The answer is yes. Essentially, once a PEFP, always a PEFP. Canadians can be considered PEFPs.

Question:
This is a question about the types of positions that would qualify to be a PEFP. Is it a federal level position or do state or lesser levels of government apply?

Answer:
I would say both. If I look at the list on slide 45: head of state, head of government, member of executive council of government or member of a legislature. So, member of a legislature, I think, would apply to provincial or state as well.

Question:
If we have deemed an existing client as high risk, following a previous suspicious transaction; do we still have to determine if they are a PEFP if it risks tipping them off?

Answer:
In that case, yes you would. There is no exemption in terms of PEFP if they are high risk. You need to make the determination.

Question:
If a potential corporate client is located overseas and its representative is also located overseas; is the agreement with an agent the only client identification method, and if so, what can be contained in this agreement? Can anyone take on the role of agent?

Answer:
The answer is yes. Anyone can take on the role of the agent. We will leave it to your discretion and good judgment to determine who you think is in the best position to be able to make that client identification on your behalf. You do need a written agreement and we leave it up to you to determine who you have that agreement with.

Title Slide, Changes to Compliance Regime

Going towards the end of the presentation, slide 55 focuses on the changes to the compliance regime.

The Compliance Regime and New Changes

Slide 56 highlights what the new changes are to the compliance regime. A reminder that there are currently four elements to the compliance regime. With the changes, we will be expanding that to a fifth element to be included in the compliance regime. The changes to the client regime attempt to make it systematic and robust.

The first element is the appointment of a compliance officer. You need to do that today. You will need to continue to do that. There are no substantive changes there.

In terms of developing policies and procedures, as of June 23, (2008), they will need to be in writing, approved by a senior officer, and kept up to date.

So, when we say in writing, we mean that policies and procedures are documented so that when FINTRAC comes and conducts an examination, it is clear what the policies and procedures governing your entity are.

Approval by a senior officer is important mainly because it ensures that within the organization, senior management is aware of the compliance activities that are going on and are comfortable with the policies and procedures that have been put in place with respect to your obligations.

Also, it is important that those policies and procedures are kept up to date and reflect any changes either to the legislation or the regulations. So, if we conduct an exam as of June 23, (2008), and your policies and procedures do not reflect any of the changes that we have discussed today, that would be a deficiency because they are not reflective of your current obligations

When we talk about keeping policies and procedures up to date, keep in mind that if you've recently made an important acquisition or added a business line, that should also be reflected in your policies and procedures and the policies and procedures should be updated accordingly.

The Compliance Regime and New Changes (cont'd)

The risk-based approach will now be the fifth element of the compliance regime. I'll be spending a little bit more time on this particular requirement given that it is new and expansive. I will put that one aside and talk about it in upcoming slides.

Just to continue in terms of your obligations having to do with training. You must have a training program and if you have employees or agents, it must be in writing, maintained, and kept up to date. In writing means documenting what training was done. It does not mean that you have to deliver the training in writing. It means that you have to document who has received the training, how often, what was contained in the training. It doesn't obligate you to actually deliver the training in writing; if you want to have someone watch a presentation that is okay. You just need to document the training program and outline exactly what you have done.

You have to make sure that your training program is maintained so that any changes to your existing requirements are reflected in your training program. Often people ask us if employees need to be trained by June 23, 2008 on new regulations. The answer is yes. You should be hitting the ground running as of June 23, 2008. All of your employees that are involved in activities related to transactions that could be vulnerable to money laundering and terrorist financing should be completed by June 23, 2008.

The fifth element of the compliance regime has to do with completing a review of your policies and procedures. That is already in place today. That review has been expanded to include a review of your training program and the risk assessment that we will be talking about in a moment. The review must be conducted at least every two years. The findings of the review must be documented and reported to a senior officer, and highlight updates and implementation status with respect to addressing any deficiencies that you have identified in the context of the review.

The review needs to be documented. It needs to include a review of the policies and procedure, the training, and the risk assessment. It needs to be conducted every two years and reported to a senior officer.

So, that is a quick overview of the changes to the compliance regime.

Risk-based Approach

We will now talk about risk-based approach and the requirements surrounding it.

What is a risk-based approach? A risk-based approach is asking reporting entities to evaluate the risk of money laundering and terrorist financing of their operations, of their activities, and of their clients. Once you have determined what is high risk, you must develop and put in place relative risk mitigation methods, do ongoing monitoring, and keep client information up to date.

There are two major components:

  1. Doing an evaluation;
  2. Putting into place risk mitigation measures. There is a little bit of a different approach in terms of requirements.

Currently, requirements are generally black and white, and their requirements are very objective. For instance, you need to report when you receive $10,000 in cash and you need to identify a client when you open an account. So, fairly descriptive and fairly objective in terms of the requirements.

A risk-based approach is more subjective. The idea being that you, as the reporting entity, are in the best position to tell us where the risks are in your business. Rather than having reporting entities focus enhanced due diligence efforts on all situations, target due diligence measures to high risk situations.

In the context of the PCMLTFA, the risk-based approach is in addition to core requirements having to do with client identification and record keeping, compliance regime requirements, as well as reporting requirements. It is enhanced due diligence measures put on top of the core requirements.

When I talk about conducting a risk assessment, establishing risk mitigation measures, implementing risk mitigation measures, and documenting all of this, there is not a one size fits all approach to this. Note that the risk-based approach varies in size and complexity of the reporting entity. A risk assessment needs to be responsive to your reality.

For instance, if you are a small real estate agent, you're a sole proprietor, there is only you in the office, obviously your documentation of risk and your risk analysis will be slightly different than a large financial institution's. Always keep in mind that the risk- based approach is reflective of the size of your operation.

Risk-based Approach: Requirements

The first step of a risk-based approach is to conduct an evaluation of the risks of your clients and operations. How would you do that? First of all, it is important to document your risk analysis and you are required by the regulations to consider a series of factors as indicated on slide 59.

I will group them into two broad categories. There is your client risk and your relationship, and then there are risks related to your operations. We have clients and business relationships. That is the first category. Then in the risks associated to your operations, there are the risks associated to your products and services, your delivery channels, geographic location of your activities and your clients' activities, and then any other relevant factors that isn't captured in the previous list.

Make sure that all of these elements are considered when you are preparing your risk evaluation. For tools that will help you conduct a risk evaluation, we direct you to Guideline 4; this is the compliance regime guideline. It contains a very extensive section on the risk-based approach, which includes appendices with checklists for both client and operational risk. There is a risk matrix that gives you examples of what FINTRAC considers to be a low, medium, or high risk situation.

In terms of the checklists, I will indicate that it should be a starting point. If you are a larger reporting entity, it should only be a starting point and a guide to what could be considered higher risk. Again, the checklist would be sufficient for a very small reporting entity, but more would be expected from a medium or larger size entity. However, the risk evaluation of clients should only be conducted for ongoing relationships. If you do not have an ongoing relationship, if there is no account, there is no obligation to risk assess that particular client. Every client should have a risk rating, but you are not required to conduct a detailed checklist for each client. You could create clusters of risks for clients; that would be sufficient in terms of meeting your requirements having to do with conducting a risk assessment.

We recognize that this may be new for some reporting entities and that's why
Guideline 4 is useful and provides you with the tools you need to help you fulfill that particular requirement.

Risk-based Approach: Requirements (cont'd)

What do you do when you have conducted your risk assessment and identified a series of high risk situations? You need to do three things. You need to establish risk mitigation strategies and develop and implement policies and procedures supporting the risk mitigation. You must take reasonable measures to keep client information and beneficial ownership information up to date and review at least every two years. Let me clarify a few things here. Keeping client identification up to date and beneficial ownership information up to day only applies to high risk situations. It does not require you to have to identify the client once again. Getting the information from the client, when you are sending out the account information and including a little paper saying please provide an update, would be sufficient due diligence. You do not have to re-identify the client. The third requirement is to conduct ongoing monitoring to detect suspicious transactions.

Now, on that I would say, that it is a minimum requirement for reporting entities to document how they track suspicious transactions. Then there are a series of other risk mitigation measures that you can apply and that are contained in Guideline 4. A reminder that, for those high risk situations, transactions and clients, you need to conduct ongoing monitoring to detect suspicious transactions.

Risk-based Approach: Tools

Now, going to slide 61, we talk a little bit about what information is in Guideline 4. As I indicated, we have very detailed guidance with respect to risk-based approach. It includes the checklists and the matrices. These are to help you to complete a risk evaluation, then a list of potential risk mitigation measures, so you can pick and choose to see what is appropriate for your activities, and suggestions on how to monitor. Again, Guideline 4 is a very important resource. I will also highlight that we actually provided a webinar on Monday on the risk-based approach. That webinar will be posted and made available to you. Certainly, if you want more information on the risk-based approach, we invite you to view that webinar. I should also mention that there is a presentation to reporting entities on risk-based approach on our Web site under our webinar link. If you want to take a look and get a little more information with respect to the risk-based approach that, would be another source of information.

Administrative Monetary Penalty (AMP) Regime

Now, coming to the end of the presentation, just a quick mention regarding administrative monetary penalty regime or AMP. As of December 30, 2008, FINTRAC will have the authority to apply administrative monetary penalties related to non compliance infractions. The intent of the AMP is not to be punitive; it is not to go on a penalty spree and apply penalties to all instances of non compliance. Our focus would be on those entities that have very, very, very serious non compliance issues from the get go and that non compliance comprises the integrity of the regime. Or, an entity that we've tried to work with over the years and despite our efforts is still non compliant.

It is important to note that many of you that have logged in today are making efforts to comply. It is fundamentally unfair if your competitors aren't putting in the same level of effort to comply with these requirements. The monetary penalty scheme will allow us to address that unlevel playing field and ensure that competitors will not have an economic advantage for not complying with these particular requirements.

FINTRAC's Approach to Compliance

It is important to stress that FINTRAC is committed to a cooperative approach regarding compliance. We realize how dependent FINTRAC is on reporting entities. If reporting entities don't give us information, FINTRAC can't do its job. It is in our best interests to help you understand what your obligations are and to get you into compliance, if there ever is non compliance that is detected. With that in mind, we have provided you with as many tools as possible to try and comply with various obligations.

Key Dates

This is a summary of the activities that we have undertaken in the last few months to provide you with information on your new requirements. If we take a look at the Guidelines, all the key Guidelines that summarize your requirements with respect to client identification, compliance regime, and suspicious transactions have been updated and are on our Web site.

I just want to highlight that if you go to our guidelines page, you will find the updated guidelines.

Again, very important, Guideline 2 on suspicious transactions, Guideline 4 on compliance regime, and Guideline 6G on record keeping and client identification; those are your core sort of documents in terms of providing you with an overview of all your obligations and what kicks in on June 23, (2008).

I will also highlight that the other Guidelines, mostly those that have to do with reporting, will be updated in June so that when the new reporting mechanism kicks in as of June 23, (2008), you will have an updated guide to help walk you through, so that you can report the new requirements.

There were information sessions in ten different cities in February. The content of those presentations are exactly the same content as what we covered today. We have held webinars throughout April and will continue in May. All of the webinars will be archived in the coming weeks and you will be able to access them online. If you want to listen to this presentation again, or conversely if some of your colleagues were not able to attend today, they will be able to log on in the coming weeks. I should also mention that all of the PDF presentations are up on our Web site under our webinar icon. If you want to take a look, print out the presentation that we went through today, or if you want to look at the risk-based approach presentation, you can certainly do so.

A reminder that all of these provisions will be effective on June 23, 2008, and we expect that these requirements be in place by that time.

Now, we have about 15 minutes until the webinar wraps up. I encourage you to send us questions and I will turn it over to Peter to see if additional questions were received.

Question:
Please clarify the requirements, if there are, for financial institutions. For example, if there is a mortgage brokering business that is not owned by a financial institution, is the financial institution only obligated to inquire if the agent has training?

Answer:
I think it depends on the relationship between the financial entity and the broker. If the financial entity is actually an agent of the financial entity, then it is the financial entity's responsibility to train them. If there is not an agency relationship there, then there is no requirement for the financial entity.

Question:
If a client asks us to produce our risk rating for them; must we provide it to them or explain the process that we use to determine it?

Answer:
You are not required to, as far as there is no requirement in the regulations obligating you to share that risk rating with the client. It is really at your discretion as to whether or not you want to share that information with your client, but there is no requirement to do so.

Question:
What if the intended use of an account changes over time? Are we required to keep this information current and to what degree are we expected to go back?

Answer:
There is no requirement for you to go back. The intended use of the account must be documented at account opening. If you want that to be one of your risk mitigation methods related to the risk-based approach in terms of keeping that information up to date so that you can better assess the activities of your clients, that would be an excellent risk mitigation measure, but you do not have the requirement to go back to determine if the intended use of the account has changed.

Question:
Does FINTRAC give any guidance on what it would consider to be a small, medium, and large reporting entity for the purposes of determining how extensive the risk assessment should be?

Answer:
We don't in a documented fashion, simply because we have over 300,000 reporting entities in up to 11 different sectors. To try to encompass what small, medium, and large would be in all of those various permutations would be difficult. However, I guess the test is "Do you think the risk assessment is sufficient for the type of activities you conduct?" I would say, you know the checklist shouldn't be used by anybody that has dozens of employees, it shouldn't be used if you have a whole elaborate network. However, in terms of an exact definition for small, medium, and large, no just because of the span of the entities that we cover.

Question:
Given the 25% beneficial ownership threshold; does this mean where no person or entity owns more than 25%, the record keeping requirement does not apply? For example, if five people each own 20% of the entity or the business; would it negate the obligations?

Answer:
It wouldn't negate the obligation to keep records. I would just keep a record of the fact that no one person has more than 25%.

Question:
How do we get a copy of the PEFP pamphlet?

Answer:
It will be available prior to June 23, (2008). Now I am going to turn it over to you Peter. I know that one way is that you can contact your compliance officer but I am not sure if it is actually available or if you can order it directly from our Web site.

You can send an email to publications@fintrac-canafe.gc.ca and we have a Publications section on our Web site. You won't see the pamphlet there. It still has to be printed. But once it is printed, we will have it visible for you there and you will be able to download copies. But you will also be able to order them directly in paper format for you to give to your clients. You can order them in advance, if you like, again, by sending an email to publications@fintrac-canafe.gc.ca.

Just checking that no further questions have been received before we wrap up. We do have one last question.

Question:
Please clarify the following: Do we have to risk rate every member of our credit union individually, or must we only rate new and existing customers?

Answer:
Do you need to risk rate every member? The answer is yes. It does not apply to only new customers; it applies to all members. However, I was saying, a little bit earlier, that when you conduct your risk rating for each individual client, you can actually cluster them into categories as opposed to conducting a individual risk assessment for each. I would argue that doing the very detailed risk analysis of each client is a lot more robust, but that is not a requirement. Ultimately, if you just want to say "Okay, it is a new client with account activities below $5,000, we consider that medium risk because they are new clients, and I don't know that much about them", that is fine. If you want to use clusters, you can certainly do that; but you have to risk rate every customer or member in the case of a credit union.

Well, thank you Marilyne for the presentation. Thank you all for participating. This concludes the webinar for financial entities.