On June 17, 2016, the federal government quietly released the final version of the long-awaited amended general regulations (Regulations) under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). For the most part, the final Regulations are similar to the July 2015 draft regulations. They will be published in the June 29, 2016 Canada Gazette, Part II.
Currently, there is some uncertainty about the effective date of the Regulations. While it is clear from the guidance released by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) on June 17, 2016, that the new identity verification provisions under the Regulations were intended to be effective as of June 17, 2016, due to a technical glitch in the drafting of the Regulations, it appears that the new identity verification and electronic signatures provisions do not legally become effective until June 17, 2017, with the remaining provisions of the Regulations becoming effective on June 17, 2018. We understand that the Department of Finance is looking to remedy this oversight and it is likely that they will make amendments to the "in force date" of the Regulations shortly. For the purposes of this Bulletin and any references to effective dates, it is assumed that the "in force" date issue will be addressed.
As expected, the Regulations provide a regulatory framework to govern the treatment of domestic politically exposed persons (PEPs) and provide additional components to be considered in risk assessments. While some of the proposed changes will be welcomed by regulated entities as they provide more principle-based regulation in the context of identity verification, unfortunately, the Regulations do not go far enough to provide regulated entities with the ability to utilize new and innovative methods of identity verification that are now available in the marketplace, given the advances of technology.
In addition to the amendments made to the general Regulations, the Administrative and Monetary Penalties Regulations (AMP Regulations) have also been revised to include compliance obligations that were previously unaddressed. There have also been some minor amendments made to the Suspicious Transactions Reporting Regulations.
The Regulations provide regulated entities with greater flexibility in how they carry out identity verification. It should be noted that all of the current identity verification methods have been replaced by the new ones, even in the credit card context. In order to address this immediate change, the Regulations provide a transition period for the new identity verification methods to bridge between the allowable verification methods that are in the previous version of the Regulations and the new ones. In that respect, the Regulations permit regulated entities to continue to utilize the previous identity verification methods for a period of one year (until June 17, 2017). After that point, only the new methods set out in the Regulations can be used.
The new permitted methods of identity verification include the following:
- Referring to an identification document containing a photograph (and a name) that is issued by a federal or provincial government (other than a municipal government) or by a foreign government, and by verifying that the name and photograph are those of that person. This requirement for a photograph is a new requirement; previously, a regulated entity could rely on any government-issued identification. There is also an additional requirement to verify that the name and photograph are those of that person.
- Referring to information concerning the individual being identified on request from a federal or provincial government body that is authorized in Canada to ascertain the person's identity and by verifying that either the name and address or the name and date of birth contained in the information are those of the person whose identity is being verified. It is our understanding that at this point in time, there is no government body in Canada that is "authorized to ascertain the identity of persons" and as such, this method is not currently available.
- Referring to a person's Canadian credit file that has been in existence for at least three years and verifying that the name, address and date of birth contained in the credit file are those of the person whose identity is being verified.
- Confirming that an affiliated entity (including a member of the same financial services cooperative or credit union central) that is regulated under the PCMLTFA or a non-Canadian entity that carries on a similar business outside of Canada has previously ascertained the person's identity in compliance with any of the permitted methods and by verifying that the name, address and date of birth contained in such entity's records are those of the person whose identity is being verified.
- By doing any two of the
following (the "two out of three method"):
- Referring to information from a reliable source containing the name and address of the person being identified and verifying that the name and address are those of the person.
- Referring to information from a reliable source that contains the name and date of birth of the person being identified and verifying that the name and date of birth are those of the person.
- Referring to information that contains the name of the person being identified and confirming that the individual has a deposit account or credit card or other loan account with a Canadian financial entity and verifying that information.
In utilizing this "two out of three" method of identity verification, the Regulations require that the information that is referred to must be from different sources and that the person whose identity is being verified cannot be utilized as a source.
While these provisions allow for greater flexibility in performing identity verification, they are still prescriptive in nature and do not permit regulated entities to utilize new innovative technological identity verification methods. Such methods include biometric methods (voice and face), verification by a review of identity documents through a live video connection, and numerous other methods that are (and will likely soon become) available. Given the advances in technology and the rise of the fintech sector, the new prescribed methods of identity verification in the Regulations, while a vast improvement from the previous regulations, are arguably already outdated.
One other drawback of the new identity verification provisions arises from the requirement that where the "two out of three" method is utilized to ascertain identity, the document used must be an original or electronic copy but cannot include an electronic image of a document. In recent guidance released by FINTRAC on "Methods to ascertain the identity of individual clients" (Guideline), FINTRAC clarifies that "an original electronic document is one the client received through email or by downloading it directly from the issuer's website". FINTRAC then goes on to provide that an original document cannot include one that has been photocopied, faxed or digitally scanned.
By doing so, FINTRAC places the burden on a regulated entity to determine the origin of an electronic document provided by the client and whether it has been scanned (not acceptable) or whether it is in its "original" PDF format (acceptable). This distinction is disappointing and does not recognize the online environment in which people and institutions operate. As evidence of this, FINTRAC notes that an acceptable electronic document is one "the client can email or show you on their electronic device ..." [emphasis added]. However, this example fails to recognize that the "two out of three" method is intended to apply in a non-face-to-face environment; if clients are able to "show" a regulated entity an email on their mobile device, they are not transacting in an online environment.
A few other matters to note:
- In terms of what is deemed to be a "reliable source", the Guideline provides that "reliable" means that the source is well known and considered reputable, and is one that the regulated entity trusts to verify the client's identity. In that regard, FINTRAC provides that a reliable source can be the federal, provincial, territorial and municipal levels of government, crown corporations, financial entities and utility providers.
- The Regulations require regulated entities to take a further step to "verify that the name and photograph are of that person" when engaging in non-face-to-face verification. In the Guideline, FINTRAC notes that "you must view the original document while in the presence of your client in order to compare your client with their photo". This is helpful as it clarifies that regulated entities are not required to request a second piece of identification to verify the information.
In addition to the identity verification methods outlined above, an exception has been added for banks in respect of the opening of retail deposit accounts. This carve out is designed to address the requirements of the Access to Basic Banking Services Regulation (ABBS Regulation) and will only apply to banks that open retail deposit accounts for individual customers. Under the ABBS Regulation, banks are required, subject to limited exceptions, to open an account for an individual if the individual is able to present two pieces of prescribed identification. However, the type of identification that is acceptable for the purposes of the ABBS Regulations does not, in all circumstances, satisfy the identity verification requirements of the Regulations. In order to address this inconsistency, the Regulations provide that in the context of opening a retail deposit account, if a bank cannot confirm a person's identity by one of the permitted methods set out in the Regulations, they are deemed to be in compliance with the Regulations if they satisfy the identification requirements set out in the ABBS Regulation. Implicit in this provision is the requirement for the bank to first attempt to verify the client's identity using the permitted methods set out in the Regulation. This is evidenced by the record keeping requirements in the Regulations that apply where identity is verified using the ABBS Regulations. In these circumstances, the Regulations require banks to keep a record of why the person's identity could not be ascertained by a permitted method.
The Regulations significantly expand the circumstances where a regulated entity can rely on actions taken by another in the identity verification context. Specifically, a regulated entity can now rely on measures that were previously undertaken by another person (acting independently) where that person verified the identity of a person, even if the person was doing so outside of the PCMLTFA context. In addition, if a person verified identity information for another regulated entity under a previous agency relationship, then a regulated entity can rely on that identity information as well. In all circumstances, a written arrangement needs to be in place where the regulated entity appoints the person as agent and all verification information must be obtained from the agent. In addition, the regulated entity must be satisfied that the information is valid and current and that the prescribed identity verification methods were complied with. These provisions ostensibly allow purchasers, in the context of portfolio acquisitions and for other day-to-day financial transactions, to rely on verification previously done by the vendor.
However, it should be noted that in order to utilize these provisions, the information obtained by the agent must be "current". In the Guideline, FINTRAC notes that to be considered "current", an identification card or document must not have expired. In explaining the interpretation of "current" for these agency provisions, FINTRAC notes the following:
"If the identifying information that the agent used to ascertain the client's identity has now expired, you can still rely on it, as long as your agreement or arrangement existed with the agent before the information expired. The agent would have to re-identify your client if the identification information expires before you have an agreement in that agent or mandatary".
This interpretation is problematic and, in many ways, negates the provision's utility. As a starting point, in the context of portfolio acquisitions, generally thousands of accounts, if not hundreds of thousands, may be acquired as part of a transaction. This interpretation of the Regulations requires the regulated entity that is purchasing the accounts to review each and every account to determine if the document used to confirm identity has expired prior to the date of the portfolio acquisition. Moreover, whether in the context of a portfolio acquisition or otherwise, under the previous regulations, there was no regulatory requirement imposed on regulated entities to retain a record of the expiry date of the identification used to verify identity. This is a new requirement under the Regulations. Therefore, it is reasonable to conclude that given the constraints of Canadian privacy law, the information regarding the identity document's expiry date may not actually be retained by those who are undertaking identity verification. Accordingly, it may be impossible for a regulated entity to determine with reasonable certainty if an identity documentation that was initially reviewed by the agent has expired. Moreover, this interpretation does not address previous identity verification that has been undertaken by entities on a non-face-to-face basis. This is something that regulated entities will have to wrestle with going forward.
One of the more helpful provisions in the Regulations is that they permit a regulated entity to rely on previous identity verification they performed, where they do not have any doubts about the information obtained. This will be helpful to reporting entities when dealing with clients in the online context. Additionally, in the Guideline, FINTRAC indicates that the use of micro deposits is an acceptable method of confirming that a client has a deposit account. The ability to use micro deposits represents a welcome shift in FINTRAC policy.
The Regulations change the definition of "signature card" to include "electronic data" that constitutes the signature of a person authorized to give instructions in respect of the account. In addition, a "signature" is now defined to include an electronic signature or other information in electronic form that is created or adopted by a client and that is accepted by the regulated entity.
The effect of these changes is to allow for a true electronic signature that can be compliant with the Regulations, thereby facilitating account openings in the non-face-to-face environment. This will be a welcome change to regulated entities as the provision comes into force as of June 2016, assuming changes are made to the in force date of the Regulations.
Politically Exposed Persons
One other matter that the Regulations accomplish is the implementation of the changes made to the PCMLTFA under Bill C-31 in respect of PEPs. For more information, see our April 2014 Blakes Bulletin: Important Changes to Canada's AML Laws: Here We Go Again.
In that regard, as anticipated, the Regulations expand certain regulatory requirements that currently apply to foreign PEPs to include domestic PEPs as well as the heads of international organizations or family members or close associates of such persons.
In respect of the requirements on account opening (for financial entities and securities dealers) the Regulations require the regulated entity to take reasonable measures to determine whether the account is being opened not only for a foreign PEP, but also for a domestic PEP, a head of an international organization, a family member of one of those persons or a person who is closely associated with a PEP (PEP Related Person).
Moreover, the requirement in the previous Regulations imposed on both financial entities and securities dealers to take reasonable measures to determine if existing high-risk account holders who are foreign PEPs have been removed. Instead, financial entities and securities dealers will be required to take reasonable measures on a periodic basis, to determine if an existing account holder is a PEP Related Person. It is significant that there is no mention of "high-risk" account holders in this provision, but rather, this periodic monitoring requirement applies to all account holders. As a result, regulated entities subject to this requirement will have to build processes and procedures to address this monitoring requirement.
In addition to the foregoing, regarding PEP Related Persons, the Regulations also provide that where a financial entity or securities dealer (or any of their employees) detects a fact that could reasonably be expected to raise reasonable grounds to suspect that a person who is an existing account holder is a PEP Related Person, the financial entity and securities dealer must take reasonable measures to determine whether the account holder is in fact such a person. Presumably, FINTRAC guidance on PEPs, when released, will provide what circumstances would raise such "reasonable grounds," but it would appear that this new provision implicitly requires regulated institutions to implement additional monitoring procedures for PEP Related Persons.
While the Regulations require securities dealers and financial entities to implement requirements to determine if account holders are PEP Related Persons, the corresponding requirements to determine the source of funds to be deposited in the account, to obtain senior management approval to keep the account open and to engage in enhanced ongoing monitoring, only apply on an absolute basis to foreign PEPs and their family members and close associates. Regarding the requirements for domestic PEPs, heads of international organizations, family members or close associates of such persons, these additional requirements will only apply where the regulated entity considers, based on their risk assessment, that the risk of a money laundering or terrorist activity financing offence is high.
Accordingly, based on these new provisions in the Regulations, it is clear that monitoring for domestic PEPs, heads of international organizations and their close associates and family members as well as the transactions that they engage in is now the "new normal" for regulated entities.
The amendments to the Regulations in respect of transactions of C$100,000 or more that apply to financial entities, money services businesses and life insurance companies parallel the changes made regarding accounts. Accordingly, regulated entities will now be required to determine if a triggering transaction for C$100,000 or more is undertaken by any PEP Related Person. However, the accompanying requirements that apply to foreign PEPs (determining the source of funds, senior management review) will only apply to domestic PEPs, heads of international organizations and their family members and close associates, if the regulated entity, based on their risk assessment, considers that there is a high risk of money laundering or terrorist financing offence.
A final change to the PEP provisions that may help to alleviate the additional regulatory burden is in respect of timing requirements in which regulated entities must make a PEP determination. While the regulations prior to implementation require the PEP determinations and accompanying review/approvals to be conducted within 14 days, the Regulations extend this period to 30 days.
There are still numerous questions that remain about the PEP requirements that are not addressed in the Regulations but will hopefully be addressed in regulatory guidance. These include:
- What is meant by "close associate"?
- Can a regulated entity rely exclusively on the use of databases to make a PEP determination?
- What factors makes a domestic PEP "high risk"?
- How far does a regulated entity need to go to investigate whether they are dealing with a PEP?
- What is meant by a "head" of an international organization?
Assuming that the changes are made to the "in force" date of the Regulations, the new PEP requirements will not come into force until June 17, 2017.
While the regulations currently prescribe the factors that regulated entities must consider in performing their risk assessments, the Regulations add two additional factors that must be considered in performing a risk assessment. These factors are:
- Any new developments in respect of, or the impact of new technologies on, the regulated entity's clients, business relationships, products or delivery channels or the geographic location of their activities
- For a regulated entity that is a financial entity or securities dealer, any risk resulting from the activities of an affiliated Canadian financial entity or securities dealer or from the activities of an affiliated foreign entity that carries out similar activities
While arguably the factors set out in the first item above are already encompassed by the current regulatory requirement to consider "any other relevant factor" in the risk assessment, the additional factors that apply to financial entities and securities dealers set out in the second item above may prove to be very challenging and will likely require an in-depth analysis of their global businesses. It is noted, however, that this requirement is consistent with the concept of "enterprise wide" compliance, which is becoming the regulatory expectation of regulators in Canada and globally.
Assuming that changes are made with respect to the 'in force' date of the Regulations, these new risk assessment requirements will not come into force until June 17, 2017.
There are numerous provisions in the Regulations that require regulated entities to take "reasonable measures" to perform certain actions or obtain certain information. Examples of these reasonable measure requirements include making third-party determinations, completing all information required on reporting forms, and making PEP Related Person determinations.
The Regulations provide that if the reasonable measures taken are unsuccessful, regulated entities must keep a record that sets out the measures taken and why they were unsuccessful. These provisions do not come into force until June 17, 2017, assuming the modifications to the "in force date" are made.
In addition to the general Regulations, amendments have also been made to the AMP Regulations to include violation classification for the new provisions of the Regulations and for other provisions of the Regulations that were previously unclassified.
It is noteworthy that some of the additions to the AMP Regulations are for violations that are classified as "serious" or "very serious", which most violations are not. These include certain beneficial ownership requirements (to take reasonable measures to verify a senior managing officer's identity where beneficial ownership information cannot be obtained and to rate the client as high risk — these are serious violations), and the failure to comply and to cause foreign subsidiaries to comply with a Ministerial directive (very serious), of which there are currently none issued.
As the Regulations address only part of the amendments contemplated by Bill C-31, there are clearly more amendments to the Regulations to come. We understand that these will be released in the fall of this year. Stay tuned.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.