FINTRAC Policy Interpretations

Ongoing Monitoring

Real Estate - Ongoing monitoring starts at the third transaction, unless high risk

Question:

What are the ongoing monitoring requirements of a business relationship for the real estate sector?

Answer:

Pursuant to subsection 1(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), a business relationship is defined as “any relationship with a client, established by a person or entity to which section 5 of the Act applies, to conduct financial transactions or provide services related to those transactions and, as the case may be,

  1. if the client holds one or more accounts with that person or entity, all transactions and activities relating to those accounts; or
  2. if the client does not hold an account, only those transactions and activities in respect of which that person or entity is required to ascertain the identity of a person or confirm the existence of an entity under these Regulations.”

Given that real estate brokers and sales representatives do not have accounts, we have specified in FINTRAC's Guideline 6B: Record Keeping and Client Identification for Real Estate that a business relationship is formed when two transactions, that require the broker or sales representative to ascertain identity, occur within a maximum of five years from one another. 

Section 59.21 of the PCMLTFR specifies that “Any real estate broker or sales representative that is required to ascertain the identity of any person or confirm the existence of any entity in accordance with section 59.2 shall

  1. conduct ongoing monitoring of its business relationship with that person or entity; and
  2. keep a record of the measures taken and the information obtained under paragraph (a).”

Ongoing monitoring is defined at subsection 1(2) of the PCMLTFR as “monitoring on a periodic basis based on the risk assessment undertaken in accordance with subsection 9.6(2) of the Act and subsection 71(1) of these Regulations, by a person or entity to which section 5 of the Act applies of their business relationship with a client for the purpose of

  1. Detecting any transactions that are required to be reported in accordance with section 7 of the Act;
  2. Keeping client identification information and the information referred to in sections 11.1 and 52.1 up to date;
  3. Reassessing the level of risk associated with the client's transactions and activities; and
  4. Determining whether transactions or activities are consistent with the information obtained about their client, including the risk assessment of the client.”

Therefore, once a real estate broker or sales representative engages in two transactions with a client for which it is required to ascertain the identity of that client, regardless of whether or not the client's identity is actually ascertained (e.g. in the case of a suspicious transaction report (STR), if the exceptions to ascertain the identity of a client are applied), a business relationship is formed and ongoing monitoring of that business relationship must be performed on a periodic basis in relation to the risk assessment.

The purpose of monitoring the business relationship, as specified in the definition of ongoing monitoring, is to:

  • detect suspicious transactions that must be reported;
  • keep the client identification information, any beneficial ownership information, and the purpose and intended nature of the business relationship up to date;
  • reassess the level of risk associated with the client; and,
  • determine whether the client's activity is consistent with the information obtained, including the risk assessment.   

The FINTRAC Guidelines indicate that, once a business relationship is formed, a reporting entity may update the client information it has on record every time the client conducts a transaction that requires their identity to be ascertained. In the case of non-account based business relationships (formed after two transactions for which the client's identity is required to be ascertained), this would occur at the time of the next transaction. As a result, at the time of the third transaction, ongoing monitoring of a non-account based business relationship must begin, which includes updating the client identification information, reassessing the risk of the client, detecting reportable suspicious transactions, and determining if the client's transactions are in line with the information on record. FINTRAC's expectation is that this monitoring activity would include the previous two transactions that triggered the business relationship.

However, for high risk clients, ongoing monitoring must be conducted more frequently, and enhanced measures must be taken to update the client identification information. Other appropriate enhanced measures must also be adopted as necessary. 

Date answered: 2016-09-23

PI Number: PI-6905

Activity Sector(s): Real estate

Obligation(s): Ongoing Monitoring

Guidance: 4, 6B

Regulations: 1(2), 59.21

Monitoring of financial transactions conducted by high-risk clients outside a business relationship.

Question:

For application of the obligation to ensure ongoing monitoring of business relationships pursuant to subparagraph 71.1(b)(ii), must the entity include all its high-risk clients or only those with which it has a business relationship?

Answer:

Pursuant to subsection 9.6(3) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act), if the reporting entity considers that the risk of money laundering or terrorist financing is high, it must take prescribed special measures for identifying clients, keeping records and monitoring financial transactions in respect of the activities that pose the high risk.

The prescribed special measures are those described in section 71.1 of the Proceeds of Crime and Money Laundering Regulations (PCMLTFR). In addition to taking enhanced measures to ascertain identify, pursuant to subsection 71.1(b), reporting entities must take any other enhanced measure to mitigate the risks identified, including those described in subparagraphs 71.1(b)(i) and 71.1(b)(ii). However, you will notice that, because of the use of the word "including" in subsection 71.1(b), the prescribed special measures described represent the basic mitigation measures which the reporting entity must have, according to FINTRAC.

While FINTRAC does not expect ongoing monitoring, as defined in section 1(2) of the PCMLTFR, to be ensured for clients outside a business relationship, FINTRAC does expect enhanced measures to be taken to monitor their financial transactions for activities that pose a high risk.

FINTRAC is not able to cite the lack of specific measures, other than those indicated in paragraphs 71.1(b)i) and 71.1(b)ii), but it can cite if a high risk was identified and no enhanced mitigation measure was taken. That includes failure to monitor financial transactions as a mitigation measure, if this is a special measure for a specific risk. In such a case, FINTRAC can cite under section 71.1 of the PCMLTFR (OR paragraph 9.6(3) of the Act) for failure to take the prescribed special measures required to be taken by a person or entity established by the Regulations.

Date answered: 2014-09-25

PI Number: PI-6240

Obligation(s): Ongoing Monitoring

Guidance: 6

Regulations: 1(2), 71.1

Act: 9.6(3)

Obligation to confirm any new information obtained when updating information on beneficial ownership

Question:

Do we have to repeat the above-mentioned procedures for every update?

"Keeping the information referred to in sections 11.1" from the definition of "ongoing monitoring", are we required to validate each requirement, namely names of all directors of the corporation and the names and addresses of all persons who own or control, directly or indirectly, 25 per cent or more of the shares of the corporation + ascertain the identity of persons authorised to act on the account + information establishing the ownership, control and structure of the entity each time the information is being updated?

Answer:

  1. The Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) do not require the client identification information and the information specified in sections 11.1 and 52.1 to be updated at the same time. The frequency with which the required information must be updated varies in accordance with the risk assessment of the reporting entity's client, and the entity's policies and procedures must specify which information must be updated and when.
     
  2. Under subsection 11.1(1) of the PCMLTFR, every reporting entity that is required to confirm the existence of an entity in accordance with the Regulations when it opens an account must, at the time the existence of the entity is confirmed, obtain the following information:
    (a) in the case of a corporation, the names of all directors of the corporation and the names and addresses of all persons who own or control, directly or indirectly, 25 per cent or more of the shares of the corporation;
    (b) in the case of a trust, the names and addresses of all trustees and all known beneficiaries and settlors of the trust;
    (c) in the case of an entity other than a corporation or trust, the names and addresses of all persons who own or control, directly or indirectly, 25 per cent or more of the entity; and
    (d) in all cases, information establishing the ownership, control and structure of the entity.

The reporting entity must also take reasonable measures to confirm the accuracy of the information obtained under subsection 11.1(1) of the PCMLTFR (subsection 11.1(2) of the PCMLTFR), and keep a record that sets out the information obtained and the measures taken to confirm the accuracy of that information (subsection 11.1(3) of the PCMLTFR).

Under subsection 1(2), ongoing monitoring is undertaken to keep client identification information and the information referred to in sections 11.1 and 52.1 up to date. When the reporting entity updates this information, or does not update it, as the case may be, it is not subsequently required to confirm it. Thus, when the client indicates that the information is not up to date and the reporting entity takes measures to update the information on beneficial ownership, the entity is not required to confirm this information.

Date answered: 2014-09-17

PI Number: PI-6237

Activity Sector(s): Securities dealers

Obligation(s): Ongoing Monitoring

Guidance: 6E

Regulations: 1(2), 11.1 , 52.1

Risk Assessment – Clients Outside of a Business Relationship

Question:

What does a risk assessment look like for a non-customer who does a triggering transaction? Is there still a need for a business record?

Answer:

In accordance with subsection 9.6(1) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), all credit unions must establish and implement, in accordance with the regulations, a program intended to ensure their compliance with the Act.

This program must include the development and application of policies and procedures for the credit union to assess, in the course of their activities, the risk of a money laundering or a terrorist activity financing offence. This assessment must consider the credit union's clients and business relationships, products and delivery channels, geographic location, and any other relevant factor. Guideline 4 – Implementation of a Compliance Regime, outlines some of the items a credit union might consider when assessing its clients.

Even if your dealings with a client are limited to a single transaction, the client does not have an account, and the client is not opening an account, you still need to complete a risk assessment of that client, to determine the risk of a money laundering offence or a terrorist activity financing offence. Furthermore, you will have to determine if you suspect that the transaction is related to a money laundering or terrorist financing offence. If this is the case, you will have to report it to FINTRAC.

Guideline 2 – Suspicious Transactions, outlines some of the indicators to consider or assess when determining whether or not an attempted or completed transaction is suspicious. Credit unions should factor these indicators into any risk assessment developed for single-transaction clients. The credit union should consider clients they do not know as higher-risk than those that they know.

Even if a business relationship does not exist, there may be record keeping requirements depending on the transaction; however there is no need to record the purpose and intended nature of the business relationship.

Date answered: 2014-07-18

PI Number: PI-6199

Activity Sector(s): Financial entities

Obligation(s): Ongoing Monitoring

Guidance: 4, 6G

Act: 9.6(1)

Requirement of “keeping the records up-to-date

Question:

What does the regulatory requirement of “keeping the records up-to-date” mean?

Answer:

Pursuant to paragraph 1(2)(b) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), ongoing monitoring is conducted for the purpose, among others, of keeping client identification information and the information referred to in sections 11.1 and 52.1 up to date.

Keeping prescribed information up to date means ensuring that the information contained in a record continues to be applicable. The frequency with which records are to be kept up to date will vary depending on a credit union's risk assessment of a client. As part of ongoing monitoring obligations, a credit union has to keep all records up to date. For high-risk clients, a credit union must update those records more frequently and perform more frequent monitoring, as well as adopt any other appropriate enhanced monitoring measures.

Date answered: 2014-07-18

PI Number: PI-6198

Activity Sector(s): Financial entities

Obligation(s): Ongoing Monitoring

Guidance: 6G

Regulations: 1(2)(b), 11.1, 52.1

Ongoing Monitoring of Business Relationship

Question:

For credit unions that do not use an electronic monitoring system is it acceptable to complete ongoing monitoring only in situations where the Risk Assessment or other triggers determine the risk to be high?

Answer:

As per section 54.3 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), the credit union must conduct ongoing monitoring of a business relationship established with a person or entity and must keep a record of the measures taken and the information obtained under the ongoing monitoring. The requirement to conduct ongoing monitoring applies to all business relationships, not just those relationships determined to be high risk.

Date answered: 2014-07-18

PI Number: PI-6197

Activity Sector(s): Financial entities

Obligation(s): Ongoing Monitoring

Guidance: 6G

Regulations: 54.3

Ongoing Monitoring of Business Relationship

Question:

If the business relationship only ceases five years after the client closes the account, how is a credit union expected to monitor the relationship for those five years?

Answer:

Subsection 1(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR) defines business relationship as “any relationship with a client, established by a person or entity to which section 5 of the Act applies, to conduct financial transactions or provide services related to those transactions and, as the case may be,
(a) if the client holds one or more accounts with that person or entity, all transactions and activities relating to those accounts; or
(b) if the client does not hold an account, only those transactions and activities in respect of which that person or entity is required to ascertain the identity of a person or confirm the existence of an entity under these Regulations.

It does not include any transaction or activity to which any of paragraphs 62(1)(a), (b) and (d) or any of subsections 62(2) to (4) apply.”

Pursuant to subsection 54.3(1) of the PCMLTFR, “any financial entity that is required to ascertain the identity of any person or confirm the existence of any entity in accordance with section 54 or 54.1 shall
(a) conduct ongoing monitoring of its business relationship with that person or entity; and
(b) keep a record of the measures taken and the information obtained under paragraph (a).”

“Ongoing monitoring” is defined in subsection 1(2) of the PCMLTFR to mean monitoring on a periodic basis based on the risk assessment undertaken in accordance with subsection 9.6(2) of the Act and subsection 71(1) of these Regulations, by a person or entity to which section 5 of the Act applies of their business relationship with a client for the purpose of
(a) detecting any transactions that are required to be reported in accordance with section 7 of the Act;
(b) keeping client identification information and the information referred to in sections 11.1 and 52.1 up to date;
(c) reassessing the level of risk associated with the client's transactions and activities; and
(d) determining whether transactions or activities are consistent with the information obtained about their client, including the risk assessment of the client.

As indicated in Guideline 6G: Record Keeping and Client Identification for Financial Entities, in the case of clients who hold an account, the business relationship ceases five years after the client closes that account.

As such, until the business relationship ceases 5 years after account closure the credit union must conduct ongoing monitoring.

It is for the credit union to determine, and outline in their policies and procedures, the risk level assessed for a closed account. Furthermore, the financial entity's policies and procedures should outline the periodic monitoring required for the various levels of risk of the business relationships. A closed account must be monitored in accordance with the risk assessment and the monitoring policies and procedures for that assessed risk.

In order to keep client and beneficial ownership information up to date, you may ask clients with account-based business relationships to confirm the information you have on record periodically throughout your regular interactions with them.

In the case of an individual client, measures can also include confirming or updating the information through the options available to ascertain the identity of individuals who are not physically present.

In the case of clients that are entities, measures to keep client identification up to date include consulting a paper or an electronic document to confirm information or obtaining the information verbally from the client.

Date answered: 2014-07-18

PI Number: PI-6196

Activity Sector(s): Financial entities

Obligation(s): Ongoing Monitoring

Guidance: 6G

Regulations: 1(2), 54.3(1)

General expectations for the minimum timeframes for Ongoing Monitoring

Question:

What are the general expectations for the minimum timeframes for Ongoing Monitoring of low, medium, and high risk Business Relationships?

Answer:

Pursuant to subsection 54.3(1) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), “any financial entity that is required to ascertain the identity of any person or confirm the existence of any entity in accordance with section 54 or 54.1 shall
(a) conduct ongoing monitoring of its business relationship with that person or entity; and
(b) keep a record of the measures taken and the information obtained under paragraph (a).”

“Ongoing monitoring” is defined in subsection 1(2) of the PCMLTFR to mean monitoring on a periodic basis based on the risk assessment undertaken in accordance with subsection 9.6(2) of the Act and subsection 71(1) of these Regulations, by a person or entity to which section 5 of the Act applies of their business relationship with a client for the purpose of
(a) detecting any transactions that are required to be reported in accordance with section 7 of the Act;
(b) keeping client identification information and the information referred to in sections 11.1 and 52.1 up to date;
(c) reassessing the level of risk associated with the client's transactions and activities; and
(d) determining whether transactions or activities are consistent with the information obtained about their client, including the risk assessment of the client.

As per section 71.1 of the PCMLTFR, if a credit union considers that the risk of a money laundering offence or a terrorist financing offence is high, the credit union must develop and apply written policies and procedures for conducting ongoing monitoring of business relationships for the purpose of detecting transactions that are required to be reported to the Centre under section 7 of the Act, that go beyond the ongoing monitoring requirements of section 54.3 of the PCMLTFR.

In the context of monitoring on a periodic basis, a credit union's monitoring will vary depending on the risk assessment of the client. For example, a credit union may choose to reassess the level of risk associated with a client's transactions and activities of low-risk clientele every two years, while performing the same monitoring of high-risk clients on a more frequent basis. However, depending on the circumstances of a credit union's business operations, a different ongoing monitoring period for low-risk clients may be appropriate. As part of ongoing monitoring obligations, a credit union must monitor all business relationships, and must monitor business relationships considered high-risk more frequently, as well as update client identification information and adopt any other appropriate enhanced measures.

In order to keep client and beneficial ownership information up to date, a credit union may ask clients with account-based business relationships to confirm the information that the credit union has on record. This can be done periodically throughout a credit union's regular interactions with clients. For clients in non-account-based business relationships, a credit union may update the information it has on record every time the client conducts a transaction that requires the credit union to ascertain the client's identity.

Date answered: 2014-07-18

PI Number: PI-6195

Activity Sector(s): Financial entities

Obligation(s): Ongoing Monitoring

Guidance: 6G

Regulations: 1(2), 54.3(1), 71.1

Expiry date of identification

Question:

Is there an expectation that a credit union follows up on expired identification documents? How does this play into ongoing monitoring obligations that require client identification information to be kept up-to-date?

Answer:

As per subsection 64(3) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), unless otherwise specified in the Regulations, only original documents that are valid and have not expired can be used to ascertain identity in accordance with paragraph 64(1)(a) or 64(1.1)(a) of the PCMLTFR.

The requirement to use a valid document is specific to ascertaining of identification. Where a credit union is required to keep information up to date, they are not necessarily required to ascertain identification again. Rather, they must confirm that, in accordance with the PCMLTFR, the information on file continues to be applicable; this includes the name, address, date of birth and occupation or principal business of an individual.

Should the identity of an individual need to be ascertained again, pursuant to a requirement in the PCMLTFA or its associated Regulations, then the credit union must again use a valid document.

Date answered: 2014-07-18

PI Number: PI-6194

Activity Sector(s): Financial entities

Obligation(s): Ongoing Monitoring

Guidance: 6G

Regulations: 64(1), 64(1.1), 64(3)

Periodic review and ongoing monitoring

Question:

We use the terms "periodic review of information concerning business relationships" or "ongoing monitoring of business relationships":

  1. What frequency is recommended?
  2. In a compliance examination, is the ongoing monitoring frequency of five (5) years for low-risk accounts acceptable to FINTRAC?
  3. Is it sufficient to do this when account opening forms are updated, or should it be done ahead of time in the case of doubt?

Answer:

Subsection 1(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (the Regulations) defines ongoing monitoring as monitoring on a periodic basis based on the risk assessment undertaken in accordance with subsection 9.6(2) of the Act and subsection 71(1) of these Regulations, by a person or entity to which section 5 of the Act applies of their business relationship with a client. This is intended to keep client identification information and the information referred to in sections 11.1 and 52.1 of the Regulations up to date and to assess the risk of money laundering and terrorist financing associated with them.

Periodic monitoring varies, depending on the risk assessment of the client of the reporting entity. As part of the periodic monitoring obligations of the reporting entity, the entity must monitor all its business relationships and is required to monitor business relationships considered high risk more frequently. While FINTRAC has given two years as an example of periodic monitoring of clients deemed low risk, it has taken the position that reporting entities are in the best position to determine the monitoring frequency to be used with their clients. We ensure that reporting entities increase the frequency of periodic monitoring for high-risk clients, update client identification information and take other, more stringent, measures where required.

However, it is important for the reporting entity to bear in mind that more is involved than updating information related to client identity and beneficial owners. Periodic monitoring is also implemented to detect suspicious transactions which must be reported, reassess the level of risk associated with the clients transactions and activities, determine whether the transactions or activities are consistent with the information previously obtained about the client, including the risk assessment of the client.

Date answered: 2014-06-16

PI Number: PI-6163

Activity Sector(s): Securities dealers

Obligation(s): Ongoing Monitoring

Guidance: 6E

Regulations: 1(2)

Date Modified: