Canada: Amendments To Canada's Anti-Money Laundering Legislation: The First Step

On June 17, 2016, the federal government quietly released the final version of the long-awaited amended general regulations (Regulations) under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). For the most part, the final Regulations are similar to the July 2015 draft regulations. They will be published in the June 29, 2016 Canada Gazette, Part II.

Currently, there is some uncertainty about the effective date of the Regulations. While it is clear from the guidance released by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) on June 17, 2016, that the new identity verification provisions under the Regulations were intended to be effective as of June 17, 2016, due to a technical glitch in the drafting of the Regulations, it appears that the new identity verification and electronic signatures provisions do not legally become effective until June 17, 2017, with the remaining provisions of the Regulations becoming effective on June 17, 2018. We understand that the Department of Finance is looking to remedy this oversight and it is likely that they will make amendments to the "in force date" of the Regulations shortly. For the purposes of this Bulletin and any references to effective dates, it is assumed that the "in force" date issue will be addressed.

As expected, the Regulations provide a regulatory framework to govern the treatment of domestic politically exposed persons (PEPs) and provide additional components to be considered in risk assessments. While some of the proposed changes will be welcomed by regulated entities as they provide more principle-based regulation in the context of identity verification, unfortunately, the Regulations do not go far enough to provide regulated entities with the ability to utilize new and innovative methods of identity verification that are now available in the marketplace, given the advances of technology.

In addition to the amendments made to the general Regulations, the Administrative and Monetary Penalties Regulations (AMP Regulations) have also been revised to include compliance obligations that were previously unaddressed. There have also been some minor amendments made to the Suspicious Transactions Reporting Regulations.


Identity Verification

The Regulations provide regulated entities with greater flexibility in how they carry out identity verification. It should be noted that all of the current identity verification methods have been replaced by the new ones, even in the credit card context. In order to address this immediate change, the Regulations provide a transition period for the new identity verification methods to bridge between the allowable verification methods that are in the previous version of the Regulations and the new ones. In that respect, the Regulations permit regulated entities to continue to utilize the previous identity verification methods for a period of one year (until June 17, 2017). After that point, only the new methods set out in the Regulations can be used.

 The new permitted methods of identity verification include the following:

  • Referring to an identification document containing a photograph (and a name) that is issued by a federal or provincial government (other than a municipal government) or by a foreign government, and by verifying that the name and photograph are those of that person. This requirement for a photograph is a new requirement; previously, a regulated entity could rely on any government-issued identification. There is also an additional requirement to verify that the name and photograph are those of that person.
  • Referring to information concerning the individual being identified on request from a federal or provincial government body that is authorized in Canada to ascertain the person's identity and by verifying that either the name and address or the name and date of birth contained in the information are those of the person whose identity is being verified. It is our understanding that at this point in time, there is no government body in Canada that is "authorized to ascertain the identity of persons" and as such, this method is not currently available.
  • Referring to a person's Canadian credit file that has been in existence for at least three years and verifying that the name, address and date of birth contained in the credit file are those of the person whose identity is being verified.
  • Confirming that an affiliated entity (including a member of the same financial services cooperative or credit union central) that is regulated under the PCMLTFA or a non-Canadian entity that carries on a similar business outside of Canada has previously ascertained the person's identity in compliance with any of the permitted methods and by verifying that the name, address and date of birth contained in such entity's records are those of the person whose identity is being verified.
  • By doing any two of the following (the "two out of three method"):

    • Referring to information from a reliable source containing the name and address of the person being identified and verifying that the name and address are those of the person.
    • Referring to information from a reliable source that contains the name and date of birth of the person being identified and verifying that the name and date of birth are those of the person.
    • Referring to information that contains the name of the person being identified and confirming that the individual has a deposit account or credit card or other loan account with a Canadian financial entity and verifying that information.

In utilizing this "two out of three" method of identity verification, the Regulations require that the information that is referred to must be from different sources and that the person whose identity is being verified cannot be utilized as a source.

While these provisions allow for greater flexibility in performing identity verification, they are still prescriptive in nature and do not permit regulated entities to utilize new innovative technological identity verification methods. Such methods include biometric methods (voice and face), verification by a review of identity documents through a live video connection, and numerous other methods that are (and will likely soon become) available. Given the advances in technology and the rise of the fintech sector, the new prescribed methods of identity verification in the Regulations, while a vast improvement from the previous regulations, are arguably already outdated.

One other drawback of the new identity verification provisions arises from the requirement that where the "two out of three" method is utilized to ascertain identity, the document used must be an original or electronic copy but cannot include an electronic image of a document. In recent guidance released by FINTRAC on "Methods to ascertain the identity of individual clients" (Guideline), FINTRAC clarifies that "an original electronic document is one the client received through email or by downloading it directly from the issuer's website". FINTRAC then goes on to provide that an original document cannot include one that has been photocopied, faxed or digitally scanned.

By doing so, FINTRAC places the burden on a regulated entity to determine the origin of an electronic document provided by the client and whether it has been scanned (not acceptable) or whether it is in its "original" PDF format (acceptable). This distinction is disappointing and does not recognize the online environment in which people and institutions operate. As evidence of this, FINTRAC notes that an acceptable electronic document is one "the client can email or show you on their electronic device ..." [emphasis added]. However, this example fails to recognize that the "two out of three" method is intended to apply in a non-face-to-face environment; if clients are able to "show" a regulated entity an email on their mobile device, they are not transacting in an online environment.

A few other matters to note:

  • In terms of what is deemed to be a "reliable source", the Guideline provides that "reliable" means that the source is well known and considered reputable, and is one that the regulated entity trusts to verify the client's identity. In that regard, FINTRAC provides that a reliable source can be the federal, provincial, territorial and municipal levels of government, crown corporations, financial entities and utility providers.
  • The Regulations require regulated entities to take a further step to "verify that the name and photograph are of that person" when engaging in non-face-to-face verification. In the Guideline, FINTRAC notes that "you must view the original document while in the presence of your client in order to compare your client with their photo". This is helpful as it clarifies that regulated entities are not required to request a second piece of identification to verify the information.

In addition to the identity verification methods outlined above, an exception has been added for banks in respect of the opening of retail deposit accounts. This carve out is designed to address the requirements of the Access to Basic Banking Services Regulation (ABBS Regulation) and will only apply to banks that open retail deposit accounts for individual customers. Under the ABBS Regulation, banks are required, subject to limited exceptions, to open an account for an individual if the individual is able to present two pieces of prescribed identification. However, the type of identification that is acceptable for the purposes of the ABBS Regulations does not, in all circumstances, satisfy the identity verification requirements of the Regulations. In order to address this inconsistency, the Regulations provide that in the context of opening a retail deposit account, if a bank cannot confirm a person's identity by one of the permitted methods set out in the Regulations, they are deemed to be in compliance with the Regulations if they satisfy the identification requirements set out in the ABBS Regulation. Implicit in this provision is the requirement for the bank to first attempt to verify the client's identity using the permitted methods set out in the Regulation. This is evidenced by the record keeping requirements in the Regulations that apply where identity is verified using the ABBS Regulations. In these circumstances, the Regulations require banks to keep a record of why the person's identity could not be ascertained by a permitted method.

The Regulations significantly expand the circumstances where a regulated entity can rely on actions taken by another in the identity verification context. Specifically, a regulated entity can now rely on measures that were previously undertaken by another person (acting independently) where that person verified the identity of a person, even if the person was doing so outside of the PCMLTFA context. In addition, if a person verified identity information for another regulated entity under a previous agency relationship, then a regulated entity can rely on that identity information as well. In all circumstances, a written arrangement needs to be in place where the regulated entity appoints the person as agent and all verification information must be obtained from the agent. In addition, the regulated entity must be satisfied that the information is valid and current and that the prescribed identity verification methods were complied with. These provisions ostensibly allow purchasers, in the context of portfolio acquisitions and for other day-to-day financial transactions, to rely on verification previously done by the vendor.

However, it should be noted that in order to utilize these provisions, the information obtained by the agent must be "current". In the Guideline, FINTRAC notes that to be considered "current", an identification card or document must not have expired. In explaining the interpretation of "current" for these agency provisions, FINTRAC notes the following:

"If the identifying information that the agent used to ascertain the client's identity has now expired, you can still rely on it, as long as your agreement or arrangement existed with the agent before the information expired. The agent would have to re-identify your client if the identification information expires before you have an agreement in that agent or mandatary".

This interpretation is problematic and, in many ways, negates the provision's utility. As a starting point, in the context of portfolio acquisitions, generally thousands of accounts, if not hundreds of thousands, may be acquired as part of a transaction. This interpretation of the Regulations requires the regulated entity that is purchasing the accounts to review each and every account to determine if the document used to confirm identity has expired prior to the date of the portfolio acquisition. Moreover, whether in the context of a portfolio acquisition or otherwise, under the previous regulations, there was no regulatory requirement imposed on regulated entities to retain a record of the expiry date of the identification used to verify identity. This is a new requirement under the Regulations. Therefore, it is reasonable to conclude that given the constraints of Canadian privacy law, the information regarding the identity document's expiry date may not actually be retained by those who are undertaking identity verification. Accordingly, it may be impossible for a regulated entity to determine with reasonable certainty if an identity documentation that was initially reviewed by the agent has expired. Moreover, this interpretation does not address previous identity verification that has been undertaken by entities on a non-face-to-face basis. This is something that regulated entities will have to wrestle with going forward.

One of the more helpful provisions in the Regulations is that they permit a regulated entity to rely on previous identity verification they performed, where they do not have any doubts about the information obtained. This will be helpful to reporting entities when dealing with clients in the online context. Additionally, in the Guideline, FINTRAC indicates that the use of micro deposits is an acceptable method of confirming that a client has a deposit account. The ability to use micro deposits represents a welcome shift in FINTRAC policy.

Electronic Signatures

The Regulations change the definition of "signature card" to include "electronic data" that constitutes the signature of a person authorized to give instructions in respect of the account. In addition, a "signature" is now defined to include an electronic signature or other information in electronic form that is created or adopted by a client and that is accepted by the regulated entity.

The effect of these changes is to allow for a true electronic signature that can be compliant with the Regulations, thereby facilitating account openings in the non-face-to-face environment. This will be a welcome change to regulated entities as the provision comes into force as of June 2016, assuming changes are made to the in force date of the Regulations.  

Politically Exposed Persons

One other matter that the Regulations accomplish is the implementation of the changes made to the PCMLTFA under Bill C-31 in respect of PEPs. For more information, see our April 2014 Blakes Bulletin: Important Changes to Canada's AML Laws: Here We Go Again.

In that regard, as anticipated, the Regulations expand certain regulatory requirements that currently apply to foreign PEPs to include domestic PEPs as well as the heads of international organizations or family members or close associates of such persons.

In respect of the requirements on account opening (for financial entities and securities dealers) the Regulations require the regulated entity to take reasonable measures to determine whether the account is being opened not only for a foreign PEP, but also for a domestic PEP, a head of an international organization, a family member of one of those persons or a person who is closely associated with a PEP (PEP Related Person).

Moreover, the requirement in the previous Regulations imposed on both financial entities and securities dealers to take reasonable measures to determine if existing high-risk account holders who are foreign PEPs have been removed. Instead, financial entities and securities dealers will be required to take reasonable measures on a periodic basis, to determine if an existing account holder is a PEP Related Person. It is significant that there is no mention of "high-risk" account holders in this provision, but rather, this periodic monitoring requirement applies to all account holders. As a result, regulated entities subject to this requirement will have to build processes and procedures to address this monitoring requirement.

In addition to the foregoing, regarding PEP Related Persons, the Regulations also provide that where a financial entity or securities dealer (or any of their employees) detects a fact that could reasonably be expected to raise reasonable grounds to suspect that a person who is an existing account holder is a PEP Related Person, the financial entity and securities dealer must take reasonable measures to determine whether the account holder is in fact such a person. Presumably, FINTRAC guidance on PEPs, when released, will provide what circumstances would raise such "reasonable grounds," but it would appear that this new provision implicitly requires regulated institutions to implement additional monitoring procedures for PEP Related Persons.

While the Regulations require securities dealers and financial entities to implement requirements to determine if account holders are PEP Related Persons, the corresponding requirements to determine the source of funds to be deposited in the account, to obtain senior management approval to keep the account open and to engage in enhanced ongoing monitoring, only apply on an absolute basis to foreign PEPs and their family members and close associates. Regarding the requirements for domestic PEPs, heads of international organizations, family members or close associates of such persons, these additional requirements will only apply where the regulated entity considers, based on their risk assessment, that the risk of a money laundering or terrorist activity financing offence is high.

Accordingly, based on these new provisions in the Regulations, it is clear that monitoring for domestic PEPs, heads of international organizations and their close associates and family members as well as the transactions that they engage in is now the "new normal" for regulated entities.

The amendments to the Regulations in respect of transactions of C$100,000 or more that apply to financial entities, money services businesses and life insurance companies parallel the changes made regarding accounts. Accordingly, regulated entities will now be required to determine if a triggering transaction for C$100,000 or more is undertaken by any PEP Related Person. However, the accompanying requirements that apply to foreign PEPs (determining the source of funds, senior management review) will only apply to domestic PEPs, heads of international organizations and their family members and close associates, if the regulated entity, based on their risk assessment, considers that there is a high risk of money laundering or terrorist financing offence.

A final change to the PEP provisions that may help to alleviate the additional regulatory burden is in respect of timing requirements in which regulated entities must make a PEP determination. While the regulations prior to implementation require the PEP determinations and accompanying review/approvals to be conducted within 14 days, the Regulations extend this period to 30 days.

There are still numerous questions that remain about the PEP requirements that are not addressed in the Regulations but will hopefully be addressed in regulatory guidance. These include:

  • What is meant by "close associate"?
  • Can a regulated entity rely exclusively on the use of databases to make a PEP determination?
  • What factors makes a domestic PEP "high risk"?
  • How far does a regulated entity need to go to investigate whether they are dealing with a PEP?
  • What is meant by a "head" of an international organization?

Assuming that the changes are made to the "in force" date of the Regulations, the new PEP requirements will not come into force until June 17, 2017.

Risk Assessments

While the regulations currently prescribe the factors that regulated entities must consider in performing their risk assessments, the Regulations add two additional factors that must be considered in performing a risk assessment. These factors are:

  • Any new developments in respect of, or the impact of new technologies on, the regulated entity's clients, business relationships, products or delivery channels or the geographic location of their activities
  • For a regulated entity that is a financial entity or securities dealer, any risk resulting from the activities of an affiliated Canadian financial entity or securities dealer or from the activities of an affiliated foreign entity that carries out similar activities

While arguably the factors set out in the first item above are already encompassed by the current regulatory requirement to consider "any other relevant factor" in the risk assessment, the additional factors that apply to financial entities and securities dealers set out in the second item above may prove to be very challenging and will likely require an in-depth analysis of their global businesses. It is noted, however, that this requirement is consistent with the concept of "enterprise wide" compliance, which is becoming the regulatory expectation of regulators in Canada and globally.

Assuming that changes are made with respect to the 'in force' date of the Regulations, these new risk assessment requirements will not come into force until June 17, 2017.

Reasonable Measures

There are numerous provisions in the Regulations that require regulated entities to take "reasonable measures" to perform certain actions or obtain certain information. Examples of these reasonable measure requirements include making third-party determinations, completing all information required on reporting forms, and making PEP Related Person determinations.

The Regulations provide that if the reasonable measures taken are unsuccessful, regulated entities must keep a record that sets out the measures taken and why they were unsuccessful. These provisions do not come into force until June 17, 2017, assuming the modifications to the "in force date" are made.

AMP Regulations

In addition to the general Regulations, amendments have also been made to the AMP Regulations to include violation classification for the new provisions of the Regulations and for other provisions of the Regulations that were previously unclassified.

It is noteworthy that some of the additions to the AMP Regulations are for violations that are classified as "serious" or "very serious", which most violations are not. These include certain beneficial ownership requirements (to take reasonable measures to verify a senior managing officer's identity where beneficial ownership information cannot be obtained and to rate the client as high risk — these are serious violations), and the failure to comply and to cause foreign subsidiaries to comply with a Ministerial directive (very serious), of which there are currently none issued.

As the Regulations address only part of the amendments contemplated by Bill C-31, there are clearly more amendments to the Regulations to come. We understand that these will be released in the fall of this year. Stay tuned.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:
  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.
  • Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.
    If you do not want us to provide your name and email address you may opt out by clicking here
    If you do not wish to receive any future announcements of products and services offered by Mondaq you may opt out by clicking here

    Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

    Use of

    You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


    Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

    The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


    Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

    • To allow you to personalize the Mondaq websites you are visiting.
    • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
    • To produce demographic feedback for our information providers who provide information free for your use.

    Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

    Information Collection and Use

    We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

    We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

    Mondaq News Alerts

    In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


    A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

    Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

    Log Files

    We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


    This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

    Surveys & Contests

    From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


    If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


    From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

    *** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .


    This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

    Correcting/Updating Personal Information

    If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

    Notification of Changes

    If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

    How to contact Mondaq

    You can contact us with comments or queries at

    If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.

    By clicking Register you state you have read and agree to our Terms and Conditions