Transcript: New obligations webinars - Risk-based Approach

Good afternoon everyone, and welcome to FINTRAC's presentation to reporting entities covering the risk-based approach.

This risk-based approach webinar is part of a series of seminars that will explain new legislative requirements of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Many of these changes will come into force in 2008 and 2009. Today's presentation will be made by Marilyne Landry, FINTRAC's Manager for Program Development.

I'd like to remind participants that it is possible to ask questions by using the email address that appears on the screen. We'll pause from time to time to answer questions that have come in.

I will now turn things over to Marilyne Landry, and begin today's seminar.

Thank you, Peter. A reminder to everyone that the presentation that you have in front of you is also available on FINTRAC's Web site, and that the file that you have will not be moving; you'll actually have to click to move on to the next slide. So as I walk through the presentation, I will tell you which slide I'm at for ease of reference.

Presentation Overview

On slide 2, we have our presentation overview, so essentially what we will be dealing with today, in the next hour and a half.

A quick introduction as to why the risk-based approach and how it came about, then a quick description about what is a risk-based approach, a review of the legislative and regulatory requirements, then going into each of the risk-based approach requirements in detail, talking a little bit about higher risk situations, providing you with some examples of poor risk assessments and things that you should look for, and then additional considerations as you're implementing this new requirement.

Introduction

Moving on to slide 3, as you may know, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act was amended by the Parliament of Canada in December 2006. In the Act, there were changes relating to the risk-based approach, indicating that reporting entities would now be required to conduct a risk-based approach as of June 23, 2008.

A reminder that all of the obligations that we'll be discussing today, FINTRAC will expect that they will be in place as of June 23, 2008, slightly less than two months away in terms of when these provisions need to be in place within your organization.

What is a Risk-based Approach?

Moving on to slide 4, we get into the details of what a risk-based approach is. Essentially, it's the process that allows reporting entities to identify areas that are potentially higher risk of money laundering or terrorist financing. It allows you to develop strategies to mitigate those risks, and it also allows you to focus resources in areas that are deemed of higher risk. So, a little bit of a shift with respect to current obligations (current reporting and client identification obligations, record keeping obligations), they are largely black and white: "Did you report the large cash transaction that was of $10,000 or more?" "Did you identify a client in a particular situation?"

The risk-based approach is slightly different in that there is a little bit more subjectivity that applies. The logic behind that is, when we are talking about enhanced due diligence measures that the risk-based approach talks about, it could be applied to generally everything. So, we are going to be talking about keeping client information up to date. We could have said that all client information should be kept up to date on a particular cycle or frequency. But that being said, we felt the focus should be on higher risk situations, rather than treating all situations the same.

We thought that reporting entities were in the best situation to indicate what was higher risk in their operations. The idea is that you'll focus your attention on higher risk situations and if something is lower or medium risk, that enhanced due diligence would not be required.

Also, the idea behind the risk-based approach is to allow reporting entities to have a really solid knowledge of money laundering and terrorist financing. Certainly many of you already have an understanding of your current obligations, but to intensify that knowledge with the goal of being able to identify high risk situations and suspicious transactions more readily so that, ultimately, FINTRAC would get that much better information, but also that reporting entities would be conscious of the risks that exist within their organization and allow them to address it.

Legislative and Regulatory Requirements

As we move to slide 5, we turn to the Act and the Regulations. If you are looking for the original text of your obligations, it can be found both in the Act as well as in the Regulations. They prescribe a series of measures that you have to complete with respect to the risk-based approach.

The first step is to conduct a documented risk assessment. We will spend a fair amount of time during this presentation taking a look at what a risk assessment should look like and what it should include. The Act indicates that you should consider a number of factors when you conduct a risk assessment, largely in two categories: one with respect to your client and business relationships, and the second category has to do with your operations, the products and services that you offer, the delivery channels, the geographic location of where the activities are conducted. In addition to those two broad categories, you should consider any other relevant factors. We will be spending, in a few minutes, some time on each of these requirements and what they mean in the context of a risk assessment.

Legislative and Regulatory Requirements (cont'd)

Now moving on to slide 6, to additional requirements that pertain to the risk-based approach. If you are familiar with the new requirements having to do with your compliance regime, you know that you have to review your policies and procedures, but also your risk assessment every two years. That review needs to be documented and it also needs to be reported to senior management. When we talk about risk assessment, you'll need to complete one by June 23, 2008, and then, at least every two years, you'll need to do a review to make sure that that risk assessment is still pertinent and relevant. The results of that review need to be reported to a senior officer in writing, including the status of any implementation that's related to addressing any deficiencies that were found during the review.

Legislative and Regulatory Requirements (cont'd)

In terms of the final requirements having to do with risk-based approach, we talked about conducting the risk assessment, that's the first step. The second step is, once you've identified high risk situations, there are three requirements: you need to develop policies and procedures, develop and implement policies and procedures to mitigate the high risk situations; keep high risk type information up to date on a two year frequency; and then conduct ongoing monitoring of higher risk clients or situations and transactions. So, three things that you'll need to do once you've determined that something is of high risk. As I indicated, this too will be addressed in the current presentation.

Risk-based Approach

Slide 8 just summarizes what I've just said; it highlights the four components of the risk-based approach: the risk assessment, the risk mitigation, ongoing monitoring, and keeping client information up to date.

Risk Assessment

If we flip to slide 9, the next ten slides will focus on what a risk assessment is and how you conduct one. In terms of what a risk assessment is, it's an analysis of potential threats and vulnerabilities related to money laundering and terrorist financing to which you, as reporting entities, are exposed. First and foremost, when we talk about risk assessment, essentially they will vary for each reporting entity. Even if you are in the same reporting sector, if you are a financial entity within the financial entity community, your risk assessment will be different depending on the size of the reporting entity, the complexity of your operations, and the nature of your operations. The first thing that I would like you to get from this presentation is there is not a one size fits all solution; each reporting entity will have its own version of a risk assessment.

The goal of this approach is to ensure that the analysis makes sense in the context of your operations, so that you can develop not only a unique assessment, but also the mitigation measures.

In terms of the factors to consider, this is not a suggestion and it is really important to note that you are required to factor all of the elements in, because the regulations stipulate that you must do so. As I indicated, there are two big categories that need to be considered. The first one is related to client and business relationships, the second one having to do with your particular business operations. In that big heading, there are things like the products and services you offer, what delivery channels you use to deliver your services, where your activities are located, where your client's activities are located, and other relevant factors that would inform your risk assessment.

Moving on to slide 10, essentially, there is not one way to conduct a risk assessment.

Risk rating methodologies will vary according to the size of the entity. So, there is no one way to complete a risk assessment.

Risk Assessment as a Two-stage Process

Moving on to slide 11, risk assessment has two major components that need to be considered, the first one being factors related to your operations.

It's important to note that on slide 11, we make reference to Guideline 4, which is dedicated to the establishment and the implementation of a compliance regime. When we talk about the compliance regime and the four elements that already exist, that you no doubt know well (naming a compliance officer, developing policies and procedures, conducting a review as well as conducting a training program if you have employees or agents), there is a fifth element to the compliance regime which is the risk-based approach. The revised Guideline 4 has extensive guidance on how to conduct a risk assessment. It also has various appendices on the various risk factors, and there is one that is exclusively dedicated to products and services, delivery channels, and geographic location. The checklist has a series of questions that you can ask yourself as you're developing your risk assessment. Questions such as: Do you offer electronic cash services? Funds transfers? Automated banking services? So questions with respect to your operations that will help you determine whether or not you have some high risk activities. When we take a look at the checklist that's available in Guideline 4, it may be very appropriate for smaller entities that don't have a huge client base or many employees, where the complexity of their operations is very simple. That being said, even for larger entities where a checklist might not be appropriate given the size of your operations, it still provides a good base in terms of what could be a potentially higher risk situation in your sector or for your particular type of activities.

Stage 1: Risk Assessment

Moving on to slide 12, going through each of the various factors more specifically. When we talk about products and services; what could be considered higher risk? Products and services that can support movement and conversion of assets through the financial systems may pose high risk. For example, international or domestic funds transfers are really good examples of products that can be high risk because funds transfers can be very, very quick and can result in money going just about anywhere in the world. From a money laundering perspective, obviously if money moves rapidly across nations, it may be a factor that might be considered higher risk, because launderers can use this mechanism to move money outside of Canada and possibly transfer it to a haven where access to those funds would be much more difficult from an authority's perspective.

Take a look at your products and services, and determine, one by one, how risky they would be considered. Within a big category like wire transfers, you might want to evaluate the different transactions within that category. Determine what types of transfers are high in risk and to what degree, within that broad category. It's important for you to look at your products and services generally and see how wire transfers may be of higher risk, recognizing that in that broad category, there might be different gradations, and that you may have low risk wire transfers, for example somebody wiring money for their daughter at university, such as an extra $200. Again, everything should be specific to your reality.

Stage 1: Risk Assessment: Delivery Channels

If we take a look at slide 13, it focuses on the second factor, which is the delivery channels. How do you deliver your services? In terms of delivery channels, the further away you are from your client, the more difficult it is to know your client and the higher risk that client is.

If you have an ongoing relationship with someone who comes to their financial institution on a weekly basis, you will likely know their operations. So, the delivery channels can be less risky depending on the situations, than if you have never met the client and use a third-party, for example. Keep in mind that the further away your relationship with the client is, the riskier it is, and any delivery channel that provides the client with anonymity would be considered higher risk.

So, distance from the client and anonymity are very key in determining whether a delivery channel is considered higher risk.

Stage 1: Risk Assessment: Geographic Locations

Moving on to slide 14, the other factor that you are required to consider when you are looking at the risks of your operations, is geographic locations. Are there geographic locations in which you operate, or where your clients operate, that are considered higher risk?

For example, Peter and I are here in Ottawa. It's fairly well known that the Market area in Ottawa has a drug problem, which has been the subject of many media articles and interviews. It is important to note that it is not a requirement to have to go and conduct an investigation into what the higher crime zones are across the country or the city, but if there is information available that indicates that you operate in a high crime area, like drug trafficking, then you might want to take that into consideration, if it has an impact on your operations and if you are operating in that location.

From an international perspective, there are also lists provided by either the United Nations or the Financial Action Task Force (FATF) that you might want to take a look at, in terms of determining which countries are considered high risk. Certainly any countries that are subject to sanctions related to money laundering and terrorist financing should be considered higher risk.

Recently, the FATF issued a notice with respect to countries that have weaker regimes with respect to anti-money laundering and terrorist financing measures. All of that information should influence and feed into your risk assessment regarding geographic locations. It would be considered a best practice to check some of these key Web sites; certainly the FATF is a good example, and at times the Office of the Superintendent of Financial Institutions (OSFI) also issues notices. In the past, FINTRAC has issued notices as well. It would be a best practice to take a look at those Web sites on a fairly regular basis to make sure that you keep up to date on sanctions or notices issued with respect to various jurisdictions so that it can feed into your geographic location risk assessment.

Stage 1: Risk Assessment: Other Relevant Factors

Slide 15 wraps up the section on what you need to consider when you look at the risks related to your operations, your organization. Essentially, it is a catch-all for all other relevant factors. If you think that there is anything else that would be relevant as you are conducting your risk assessment, make sure that those results are incorporated and documented.

Risk Assessment as a Two-stage Process (cont'd)

Slide 16, talks about the second stage of risk assessment, which is looking at client and business relationships.

Guideline 4 offers information on what could be considered high risk relationships. Appendix 2 of Guideline 4 focuses exclusively on client relationships and asks questions such as: Is a client in a cash intensive business? Is the client an intermediary to an account where the identity of a client is not disclosed to you?

Stage 2: Risk Assessment of Client and Business Relationships

If we take a look at slide 17, it is very important to note that the risk assessment of a client should only occur if you have an ongoing relationship with that client. By ongoing relationship, we mean a client that's undertaken multiple transactions over a period of time with you, regardless of whether or not the transactions are related to each other, or in the context of financial institutions or securities, someone that opens an account with you. There is a general assumption that, if an account's open, well the very nature of the relationships is that they are ongoing.

I've had reporting entities ask: What is a reasonable period of time? Unfortunately, we can't give exact parameters around that question, simply because every sector is different in this regard. For example, in the context of financial institutions, many transactions could occur within a six‑month period. However, if you are in the real estate sector, you might only sell a house to a client every four or five years. So, when we talk about a 'period of time' and what is considered a reasonable period of time depends on your particular business activities and also on the sector in which you are involved.

If you do not have an ongoing business relationship, let's say that you are a real estate agent and you have just sold a house once to a person, this is not an ongoing relationship. If they come back and ask you to sell their house three or four years later, then it might be considered an ongoing relationship. The same thing applies to a tourist coming in for foreign currency transactions, that wouldn't be an ongoing business relationship. However, if the tourist moves to Canada, and comes to you on a monthly basis to wire money home, then that might too be considered as an ongoing business relationship.

I should also mention that the definition of an ongoing relationship that I have provided is found in Guideline 4.

Stage 2: Risk Assessment of Client and Business Relationships (cont'd)

On slide 18, a few things to consider if you do have an ongoing relationship with your client. Take a look at how long you have had this relationship: has it been a long standing relationship? How many accounts? (if you are a financial entity or securities) What types of products does the client use and what kinds of services are used by the client?

If at all possible, the risk assessment should be done at the onset of a new relationship. If you cannot risk assess, which you should do right at the beginning of the relationship, if you do not have enough info about the client, then FINTRAC will consider that client high risk, simply because you don't know enough about their operations and activities. Essentially, the more you know about your client, the better you can assess your client's risk level.

Consider that if there are third parties involved, those clients should be considered higher risk, as well as if beneficial ownership information cannot be ascertained, that should also be considered a higher risk relationship. For those two requirements, I'll just mention that for some sectors such as financial entities, securities, life insurance, beneficial ownership requirements apply. For other sectors where beneficial ownership requirements don't apply, it is still a good indicator. If you can't find out who is behind the corporate veil, who owns the corporation, that could be an indicator the client is higher risk. Doing an assessment of third-party involvement and beneficial ownership, even when it is not required, might be considered a best practice or a risk mitigation measure.

Stage 2: Risk Assessment of Client and Business Relationships (cont'd)

Here we talk about conducting risk assessment for larger entities. We talked about the checklist for smaller entities, but that might not be appropriate for medium to larger size entities.

That being said, certainly larger size companies can use clusters to group clients through various risk variables. It is important to note that, although you can conduct a detailed risk assessment for each client if you choose to do so, there is no requirement to complete a checklist for each client. What is required is that each client should have a risk rating. They should fall into one of the risk clusters.

For example, you might have a cluster that gathers all new clients. Within that cluster you might have new clients that conduct transactions of small amounts and consider that low risk. Then you take a look at new clients that conduct larger transactions and you decide that is high risk, until you have more information about the client's activities and intended use of accounts.

You might have a cluster for wire transfers of small amounts, as opposed to clients who conduct large amounts and also transfer monies to countries of concern. I want to emphasize that if you are a medium to larger size entity, certainly there is no requirement to conduct an individual risk assessment for each client with whom you have an ongoing relationship. The use of clusters is very appropriate. Ultimately, always provide the rationale behind the clusters that you have developed in the context of your risk assessment.

In Guideline 4, the final appendices provide a breakdown of what FINTRAC considers to be a low, moderate and high risk. Appendix 3 provides a risk level assessment matrix and provides gradation. For example, if we are talking about client base, a low risk might be a known client base; moderate might be a client base with increasing branches, mergers or acquisitions; a high risk might be a large growing client in a diverse geographic area. Appendix 3 gives you an idea of where FINTRAC is at in terms of what we consider to be a low, medium, or high risk. It should help inform how you conduct a risk assessment, not only with respect to client and business relationships, but also more broadly to your operations.

As I indicated, the first step in the risk-based approach is conducting a risk assessment. So, that concludes that section on risk assessment. I will just pause for a minute to see if there are any questions that have been received on this last section.

Question
If you are a reporting entity and you are dependent on another reporting entity, the example given is a delivery channel to transact on behalf of your business, you have a separate entity that is conducting business, should you assume that the risk level relative to that client should be lower since it is filtered through two reporting entities?

Answer
I wouldn't necessarily assume that, given that because there is a layer between you and the client, and again not knowing the specific situation that might mitigate things and the response might be different, but I think that even if there is another reporting entity involved and the fact that you're one step removed from the client (that is indeed the situation) would potentially indicate that the situation is higher risk. So again, it is always a big caveat to say that every situation is specific and it is hard to talk in generalities.

For example, certainly in our checklists we have indicated that the use of gatekeepers - accountants, lawyers, real estate agents, and notaries might actually be higher risk because you are one step removed from the transaction.

Question
There is one question that has come in about June 23, 2008, and the question is, did you say that the risk assessment has to be completed by June 23, 2008?

Answer
That is correct. The first risk assessment should be completed by June 23 (2008). Certainly, if we conduct an exam following June 23 (2008), FINTRAC will expect a risk assessment to be in place. We fully expect that for the first year or so, there will be a dialogue as to what that risk assessment will contain, whether the risk mitigation measures will be appropriate. If there is nothing in place, or if it is not completed by June 23 (2008), it would be considered a deficiency.

Question
Would you consider a $50,000 cheque to catch up on an RRSP as high risk?

Answer
Again, it depends on the client. So, what is the client's situation? Are they students? What's their income? What is their source of funds? All of this information would feed into whether or not something is considered high risk. Much the same when a situation is considered suspicious, in some circumstances it may not be. Maybe someone is close to retirement, it makes sense that they would want to put in a large investment and therefore might not be suspicious. I would say, depending on how much information you have behind that $50,000, if you didn't have a lot of information and this was very much exceptional, maybe the normal contribution would be $1,000 or $2,000, it could be considered high risk. Or conversely, if this is something that your client has talked about all these years, they have just sold their house and you know all this, it might be considered low risk. It is very difficult to give a black and white answer. Essentially, every situation would be different.

Question
Can you, if you have decided that clients can be considered low risk due to the underwriting process or other controls or factors, omit it from the risk assessment, or would it at least have to be documented? So, if you have a group of clients that are low risk, can you omit them from the risk assessment?

Answer
I would say no. The risk assessment process is there to document all risks and to document the rationale behind why you think something is low or medium risk. So, if that rationale is not contained in the risk assessment, it is very difficult for anyone coming to examine to guess what the rationale is. So, it is very important to document that.

Risk Mitigation

What do you do when the risk assessment is completed and you have identified high risk situations? Risk mitigation is key to the second stage of the process. The goal is to implement controls to limit or reduce the risk identified during the risk assessment to an acceptable level.

So, essentially, FINTRAC will come in and note that you have identified high risk, but then they will ask if you have put in place measures that are effective in reducing the risk related to those particular transactions.

Risk Mitigation (cont'd)

We mentioned previously that, when we talk about risk mitigation, we mean the legislative and regulatory requirements. There are three, as indicated on slide 21.

The first one is to develop and implement policies and procedures that document how you are going to mitigate high risk situations. The second one is having to keep client information up to date only for high risk clients. Finally, there is a new requirement to conduct ongoing monitoring of financial transactions to help detect suspicious transactions.

So, to recap, there are three things that you need to do: risk mitigation, keeping client information up to date for high risk clients, and ongoing monitoring for high risk situations.

We will take a look at each one of those in greater detail.

Risk Mitigation (cont'd)

When we talk about risk mitigation, there are three broad categories of key risk management controls and measures, as indicated on slide 22: generic measures, risk-focused measures, and enhanced internal controls. So, during the next few slides, we will provide, within those three broad categories, some very concrete measures, which you can apply to higher risk situations.

1. Generic Measures

Regarding increased awareness within business lines of high risk situations, make sure that if a business line is interacting in the context of a high risk business situation, they are aware of it. If there is increased awareness, then there is a likelihood that people can pick up on anything suspicious.

Regarding escalating approval, either in terms of account openings or with respect to higher risk transactions, possibly involve senior management as well as other measures.

Regarding increasing the levels of knowledge of your client and enhancing due diligence at account opening, ask your clients more questions, if you think that that is appropriate.

Review monetary transactions which we will talk about later on, increasing levels of ongoing controls, and reviews of relationships. These will all be considered generic measures which can be applied to all sectors.

2. Risk-focused Controls

Essentially, go beyond client identification requirements. For example, if you are only required to identify the client at $3,000, but something seems odd at $1,000, you might want to ask for a piece of identification.

In terms of risk-focused controls, information is key. Ask for more information, whether it is the nature of the relationship between two clients, reviewing the source of funds, asking about the intended use of the account, what the transaction is helping to facilitate, etc. These are all appropriate risk mitigation measures that may be appropriate in the context of mitigating high risk situations.

2. Risk-focused Controls (cont'd)

Here we look at additional risk-focused controls.

Looking at implementing senior management approval of all relationships identified as high risk, also taking a look at whether or not, depending on the risk tolerance of your particular organization, in some cases your organization actually wants to cease dealing with a particular client. Here it is important to note that FINTRAC will never tell you not to conduct a transaction or more importantly to cease dealing with a client. That being said, in terms of risk mitigation, the business entity must determine if a client is too risky to conduct business with, but that needs to be determined by the entity itself.

When you acquire a new line of business or you have new products or services, conduct a risk analysis of those activities, those products, those services, to determine if there are vulnerabilities to money laundering and terrorist financing. As I indicated earlier, another risk mitigation measure would be to conduct third-party determination or to update third-party or correspondent banking information, even if you are not required to do so. Getting as much information as you can is one of the key risk mitigation measures. The more you know, the better able you are to determine if something is of low, medium or high risk.

3. Enhanced Internal Controls

When we talk about enhanced internal controls on slide 27, essentially it is about ensuring that there is a proper culture of compliance in the client's organization and making sure that there are proper controls so that compliance with the PCMLTFA is solid.

When you are talking about employees and personnel, and lines of authority and responsibility, providing for compliance program continuity is very important. If a reporting entity has had four compliance officers over a span of two years, this could be considered a lack of continuity and there might be vulnerabilities there. So, being very conscious that if there is that lack of continuity, that you might want to add more controls to make sure that nothing has slipped through the cracks of various transitions.

Make sure that there is an adequate segregation of duties, again clarity is important, establish proper procedures for when transactions are authorized, when accounts are accepted. Documenting all of that will ensure that there are proper internal controls so that everyone knows when something should be escalated. And then take a look at internal reviews to validate whether your risk assessment is adequate or not.

3. Enhanced Internal Controls (cont'd)

Controls involving senior management are very key. Ultimately, no compliance program can be effective if senior management is not involved in the decision. Making sure that senior management is informed and involved in decisions is critical in terms of creating the right culture that we are looking for.

Focusing on PCMLTFA requirements, as we talk about all your compliance obligations, the regime has been designed to focus on higher risk situations. So, when we talk about large cash transactions, or the reporting of wire transfers, or the identification of certain thresholds, all of these requirements have been informed by what is considered high risk. Just by complying with your obligations, it automatically reduces some of the risk that exists with respect to some of those transactions.

The most important risk mitigation measure to put in place for every reporting entity is a system to identify suspicious transactions. This would be considered a minimum, in terms of risk mitigation measures. Every reporting entity should have a system documented that says how they identify suspicious transactions.

3. Enhanced Internal Controls (cont'd)

Here we review additional internal controls which deal with adequate supervision of employees that deal with transactions that would be higher risk, and incorporating AML and ATF roles and responsibilities into the job descriptions and performance evaluations of employees that have a role in identifying transactions, reporting transactions, and conducting compliance reviews.

This last section provides you with ideas about what could be considered as risk mitigation measures. As I indicated previously, Guideline 4 also outlines additional suggestions in terms of risk mitigation. Keep in mind that, at a minimum, every reporting entity should start by identifying suspicious transactions.

Question
Are we supposed to do a risk assessment or review of all our clients, or complete a client base review of just the new clients?

Answer
It's of all clients, not only new clients. FINTRAC recognizes that implementing a risk-based approach on a go-forward basis is a lot simpler. So, there would be some latitude with respect to what FINTRAC would look for with existing clients. We would want to know how you are going to risk evaluate your clients on a longer term basis, but we would not expect all the assessments to be completed by June 23, 2008.

So, the answer is that all clients should be risk assessed at some point. By June 23, 2008, you should have a process in place telling us how you are going to do it on a go-forward basis, and you should also have a plan to say that this is how you are going to complete a risk assessment of your entire client base and time lines associated with that.

Question
If a client is considered low risk; can you omit it completely from ongoing account monitoring for suspicious transactions?

Answer
You could. There is a danger in doing that because you want to make sure that, in case any of the clients' circumstances change, their risk assessment changes. But the obligation to monitor on an ongoing basis only applies to high risk clients. So, if you omit it from ongoing monitoring, just know that you run the risk that, if circumstances change, you are not monitoring and you might not pick it up. And if FINTRAC comes in and conducts a risk assessment and circumstances have changed, we will ask this question: "Their circumstances have changed; why aren't they considered medium or high risk?" But can you? Yes you can, but whether or not an entity has that risk tolerance is for them to determine.

Question
If a client is identified as a high risk at the account opening stage; does FINTRAC recommend denying the account at the outset or could the reporting entity open the account and practice enhanced due diligence within the 30-day window?

Answer
FINTRAC will never tell you not to conduct or transact with clients. That is something for the reporting entity to determine. Certainly if something is very high risk and you want to conduct enhanced due diligence within the 30 days, I think that would be an excellent risk mitigation measure. I am not recommending not opening the account. I will just mention that the only exception to that is if client identification is not completed; but outside of that particular circumstance, FINTRAC will not tell you not to open the account. However, applying enhanced due diligence measures would be a prudent risk mitigation measure.

Question
Regarding informing senior management about certain high risk items (you make reference to this requirement); is there a specific board of director's reporting? Is there a reporting that goes to a particular level in the organization?

Answer
There is a definition of what is considered a senior officer. So, if I take a look at, and I want to make sure that I am referring to the right definition, but essentially a senior officer, and I am going to get very technical and read the definition, is a director of the entity who is one of its full time employees, the entity's CEO, COO, President, Secretary, Controller, Chief Financial Officer, Chief Accountant, Chief Auditor, Chief Actuary, or any person who performs any of those functions, and then finally, an officer who reports directly to the Board, CEO or Chief Operating Officer. In terms of whom that report needs to go to, it is very specific and that can be found in Guideline 4.

Question
What systems are necessary, or IT systems are necessary to be put in place in order to have adequate risk assessment? But also the issue here is, when you say that the reporting entity must have a system to identify suspicious transactions, by system, do you mean an automated back office database or something of that nature? Or can we have a manual process in place for the identification of suspicious transactions?

Answer
If I may, I will turn to slide 30 and I believe that slide 30 will provide the answer to that question.

Ongoing Monitoring

First of all, when we talk about risk mitigation measures, you have to have policies and procedures in place to mitigate risk. Secondly, you need to have an ongoing monitoring system. Now, does that system need to be IT based? The answer is, 'No, it does not'.

For larger entities, a manual system would be ineffective. That being said, if a larger entity chooses to implement a manual process, that is at their discretion. There is no requirement to have an IT system; the manual process is acceptable.

When you are taking a look at what needs to be documented with respect to the ongoing monitoring process, the kind of monitoring that you are going to be doing for high risk situations may vary according to the high risk situation. You might determine that a manual process is more appropriate in a high risk situation, but use the IT system for the rest of the ongoing monitoring.

Document when the monitoring is done and the frequency. How often are you monitoring? Is it reviewed and approved, and is it applied on a consistent basis? Consistency, at a minimum, would need to be applied to all high risk situations. The reporting entity can determine whether or not they want to apply ongoing monitoring.

Ongoing Monitoring (cont'd)

Essentially, you might want to review transactions more frequently against suspicious transaction indicators. You might want to take a look at transactions based on an approved schedule that involves management sign-off. If you are a smaller entity, management may actually conduct the review. Take a look at reports or perform more frequent reviews of the current reports. You might want to set business limits with respect to transactions.

For example, if you conduct wire transfers of $100,000, you may choose to say that for every wire transfer over $100,000, we will review on a daily basis. It is important to note that systems are not mandatory; manual processes are acceptable. But you need to keep in mind the four bullets that appear at the bottom of slide 30: take a look at what kind of monitoring, the frequency, if it is reviewed and approved, and at how consistently is it applied.

For those sectors that are less likely to implement IT systems, I just wanted to provide an example of what ongoing monitoring might mean.

I must mention that an MSB might want to do a weekly review of wire transfers over a certain amount, let's say $10,000. In real estate, the broker might want to review on a monthly basis. Non face to face transactions might be considered higher risk in the real estate sector, and again the frequency will vary according to the number of transactions.

If you have a large number of transactions to review and are doing it manually, you might decide that a monthly review would not be the most efficient way to review the transactions. You might do daily reviews or consider whether or not it would be more appropriate to have an IT system to reduce the manual burden.

The idea is not a one size fits all and it will vary according to the sectors.

Hopefully, that answers the question that was stated a bit earlier. Certainly there will be other opportunities at the end of the presentation if there are more questions on ongoing monitoring.

Keeping Client Information and Beneficial Ownership Up to Date

If you consider a client to be high risk, you need to update your client information. How often do you have to update and do you have to identify the client again?

In terms of how often, FINTRAC recommends every two years so that it can feed into your risk assessment that is mandated to be reviewed every two years. In terms of having to identify, you do not have to re-identify the client; you just need to ask for the information from the client, such as their last address and other appropriate contact information.

How can you do that? Certainly if you have face to face transactions with the client, just asking them would be sufficient. In the context of sectors that have accounts, you could include a sheet when mailing account statements and ask the client to mail that back. What reasonable measures you will have to take will vary according to the sector, but as a general rule, asking the client directly is always considered to be a good reasonable measure.

A reminder that, if you have beneficial ownership obligations, it is considered essentially high risk if you do not know who the owner of the entity or the corporation is. So, beneficial ownership information should be kept up to date if you think that the corporation is higher risk.

High Risk Situations

Some sectors, most notably financial entities, have correspondent banking relationships, and those are considered inherently higher risk. The consideration is the same with respect to politically exposed foreign persons (PEFP).

Not all sectors have obligations with respect to identifying PEFPs. PEFPs are people who have held or are holding senior positions within a foreign government. They are considered high risk because, depending on their position, they might have access to their national funds and could transfer funds out of the country to the benefit of the person holding the position. Because of that, PEFPs are considered high risk. This is something to keep in mind when you are conducting your risk assessment and it is also something to keep in mind for those sectors which have obligations regarding correspondent banking and PEFPs.

Examples of Poor Risk Assessments

Any risk assessment where all clients have the same rating would be considered ineffective. We would expect variations between both products and services, as well as clients. So, if everyone has the same risk rating, that might be an indication that you might want to take a closer look at your risk assessment.

Another indication is if the compliance officers cannot explain the risk categories or the risk ratings; this is a fairly good indication that risk assessment is probably inadequate, if the people responsible for its implementation can't actually explain why they are applying a particular risk rating.

Also, if customers who are the subject of suspicious transaction reporting are considered low risk, this might be an indication that the risk assessment is inadequate and needs to be reviewed and re-evaluated. It would be considered inadequate if you can't justify a particular risk rating, such as when high risk customers are assessed as low risk because they are involved in low risk businesses. The reverse also applies.

These are just some of the indications that, if you are conducting a risk assessment, you might want to review some of the questions as listed on slide 34. If any of these situations are occurring, you might want to take a look at your risk assessment a little more closely.

That wraps up the section on what risk assessment and mitigation measures need to be applied to. So, I will turn it over to Peter to see if we have received any additional questions.

Question
This one deals with beneficial ownership. For existing clients who are currently active, are we required to obtain beneficial ownership information in addition to new client information after June 23, 2008?

Answer
Beneficial ownership requirements apply differently to different sectors. Depending on what sector you're in, it would apply to existing clients, but it would vary according to the sector. I would direct you to Guideline 6, which will tell you what your particular requirements are depending on the sector you are in.

Question
How far is one required to identify the beneficial owners, especially when dealing with corporations or multiple corporations?

Answer
Essentially, this has less to do with the risk-based approach, but with respect to beneficial ownership requirements, your obligation is to ask the question. So, if the person represents a corporation or an entity, you just ask the question. If it is a very complex corporate structure and the person representing the corporation doesn't know the answer, I would argue that, from a risk-based approach, that should be considered higher risk. If the person that you are transacting with doesn't fully understand the ownership structure and can't give you that answer, I would consider that higher risk just because the person you are dealing with is not in the know.

Question
We have a question that has come in from a credit union and it deals with ongoing monitoring. As a smaller credit union, we have a monthly board meeting; all of the new accounts opened are part of that board package for the board meeting. Managers and compliance officers are present at the board meeting, and the board reviews the names of all new members. Is this considered sufficient measurement in identifying members and monitoring new members who have joined up with our credit union?

Answer
I would say certainly that would be considered a risk mitigation measure, depending on the circumstances surrounding the clients, because you do not want to treat all clients the same. Within that category of new clients, you might have some that are higher risk and some that are lower risk. So, certainly that would be a very appropriate risk mitigation method in terms of dealing with all clients, but you also want to take a look within that broad category of new clients to see if some are higher risk because of the type of products they use, the activities that they are involved in, and you may want to apply additional measures depending on what the answers to those questions are. So, certainly it is a very good example of what a risk mitigation method is. Is it sufficient? Again, I hesitate to give a blanket yes; it depends on the circumstances of each individual client.

That concludes the questions that came in for that section.

Additional Considerations in Implementing a Risk-based Approach

I want to provide reporting entities with a few things to keep in mind as they implement their risk-based approach. You want to make sure that you have monitoring capabilities that match customer risk ratings. Ultimately, you do less for lower risk clients and you do more for higher risk clients.

It is important to establish what your risk tolerance is within your particular organization and that might inform the earlier question on whether or not you want to continue transacting with higher risk clients. What your entity's risk tolerance is will determine whether the use of manual systems or automation is appropriate, taking into consideration the time and the cost of a manual process compared to an automated system. Again, to that question, there is no one size fits all answer. In some circumstances, an automated system will make a lot of sense; in other situations, it won't make sense at all. Determine what will make sense for your organization.

Additional Considerations in Implementing a Risk-based Approach

Looking at the accuracy of initial customer provided information… If you have good information on your existing customers, then take a look at when you should rate your customers. Do you want to do that at account opening or in the back office? It is important to note that it needs to be done very early in the process so that it can be included in the risk assessment almost as soon as you acquire the new customer. Do you have enough information on long time customers? Are you gathering enough information at account opening? Do you want to expand the amount of information that you are actually collecting during that initial account opening process? How are you going to keep customer info up to date?

How are you going to make sure that customer risk profiles evolve?

For example, if someone is high risk, they might very well be considered low risk a year later into your business relationship. As well, if someone is considered low risk, how do you make sure that you review their risk profile to make sure that if they conduct high risk activities, that notion is captured?

Additional Considerations in Implementing a Risk-based Approach

Keep in mind that you need to keep your risk assessment up to date. How are you going to deal with new products and services, and how do they impact your risk assessment? Similarly, with respect to geographic change, are you dealing with the same type of region? How will you deal with staffing changes and training?

Risk-based Approach: Tools

Guideline 4 provides the best source of information on how to implement a risk-based approach. It provides you with an overview of what the legislative and regulatory requirements are. I've talked about the check lists and risk matrices that help you conduct a risk assessment. There is a section dedicated only to risk mitigation measures. It is a very complete overview of what your obligations are with respect to the risk-based approach.

In addition to the presentation that you have in front of you, I would say that Guideline 4 is the other key tool in terms of helping you be compliant by June 23, 2008.

FINTRAC's Approach to Compliance

We want a cooperative approach to compliance. We expect that over the next year or two, there will be a very active dialogue on what needs to be in a risk assessment. If a reporting entity does not have anything in place by June 23, 2008, they will be found non-compliant. As with other obligations, FINTRAC is committed to a cooperative approach with reporting entities and we fully expect that over the next year or two, there will be a very active dialogue as to what needs to be contained in a risk assessment and what needs to be contained in terms of policies and procedures, talking about risk mitigation measures.

Also important to note, what happens when we talk about risk assessing new clients. We don't expect all of that work to be done by June 23, 2008. However, you should have a plan in place telling us how you are going to develop your plan. Depending on how big your client base is, essentially, if you have a client base of millions of clients, obviously we would expect that that would take more time than if you have 100 clients. So keep that in mind when you are actually establishing the timeline by which you will have all of these regulations in place.

We are committed to providing you guidance on this and other obligations. The best place to get information on all of your requirements, including your risk-based approach, is our Web site at www.fintrac-canafe.gc.ca.

I want to remind people that this particular presentation is posted on the FINTRAC Web site. If you want to use the presentation for training purposes, feel free to do so. This webcast will be archived.

I would say that Guideline 2, Guideline 4, on the compliance regime, and Guideline 6 on client identification would be the key ones to be reviewed before June 23, 2008, to help you comply with your requirements.

Question
Does FINTRAC expect to see a list of high risk clients when they come on site to do a compliance examination?

Answer
I hesitate to answer that. Initially, we will be focusing on the risk assessment itself. Not to say that down the road we would not ask for a list of that nature. But in the coming months, our focus will be on what are the risk categories and what is the logic behind the risk assessment, rather than actually seeing a list of high risk customers. What we want to know is what is the process that leads you to determine if someone is high risk or low risk.

Question
Is there a short and easy formula to follow: would a client about whom the reporting entity receives a request for information from Revenue Canada fall into a high risk category? Is that an automatic?

Answer
And again, I don't know if there are any automatics; it depends on the circumstances. I think that there is certainly the potential for the client to be considered high risk. I don't know - the other question is how much information, as a financial entity, would you have? Let's say that you are a financial entity, in terms of the request that was generated by CRA and the context surrounding that request would certainly warn, but it could certainly be considered high risk. But depending on the situation, it might not. Certainly it would tend to go towards the high risk cluster initially, not having more information.

Question
It deals with politically exposed foreign persons; are all PEFP considered high risk regardless of the business they conduct?

Answer
The answer is yes. If you take a look at our AML and ATF regime, you will see that the very prescriptive requirements are focused on situations that are deemed higher risk by the government. So, for instance, if we take a look at high risk transactions dealing with money laundering, anyone dealing with more than $10,000 in cash is not automatically high risk, just higher risk. The same logic applies to a PEFP. Essentially, the government has deemed that category as higher risk. So, all PEFPs should be considered higher risk.

That being said, depending on the activities that they are involved in, the risk mitigation methods would be different if they are involved in lower risk activities. So, I think that is where the distinction comes, but essentially they would all be considered high risk.

That concludes the questions.

I would like to thank everyone for taking the time out of their very busy schedules for tuning in this afternoon.

A reminder, once again, that the coming into force of the obligations is June 23, 2008. If you want more information - we have talked about the guidelines, we have talked about the Web site, you can also contact your Regional Compliance Officer who would have additional information to questions that you have put forward. Certainly, as I have indicated, this particular obligation will be the subject of dialogue over the coming weeks, months and years. We want to be as supportive and helpful as possible.

So, I will turn over to Peter.

Thank you everyone and thank you Marilyne for your presentation.