8 minute read
REQUIREMENTS OF A COMPLIANCE PROGRAM FOR A REPORTING ENTITY
Do it and show it’s been done
BY RAY BASI, J.D., LL.B., DIRECTOR OF EDUCATION FOR CMBA-BC AND MBIBC
Once mortgage brokers, lenders and administrators are included as “reporting entities,” they will need to comply with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and associated Regulations (for convenience, together referred to as the Act). As such, they will be required to have a compliance program in place that addresses the non-exhaustive topics covered in this article.
The government intends to allow a six-month transition period to allow the new reporting entities to come into compliance, but before then you might want to be familiar with the framework and consider whether you can accommodate the new obligations within your existing resources. Simply put, you might need to add staff to meet the new compliance requirements.
Compliance Officer
A reporting entity must have a compliance officer. The compliance officer of a small business is generally one of its senior managers, owners or operators. For a larger business, it is someone from a senior level who has direct access to senior management and the board of directors. For a sole proprietorship, it is the sole proprietor or someone they appoint.
The compliance officer is responsible for implementing all elements of the compliance program required under the Act and so needs to: n Have the necessary authority and access to resources in order to implement an effective compliance program and make any desired changes; n Have knowledge of the business’s functions and structure; n Have knowledge of the business sector’s money laundering/terrorist financing risks and vulnerabilities as well as money laundering/terrorist financing trends and typologies; and n Understand the business sector’s requirements under the Act.
Written Compliance Policies And Procedures
There must be written compliance policies and procedures that are accessible to those persons who need to follow them. The policies and procedures must be kept up to date and approved by a senior officer of the reporting entity. The level of detail in your compliance policies and procedures will depend on your business size, structure and complexity, and degree of exposure to money laundering/terrorist financing risks.
Compliance Requirements
The compliance policies and procedures should cover, at minimum, requirements concerning the following areas (as applicable): n Compliance program (such as having an appointed compliance officer, conducting a risk assessment, having an ongoing compliance training program and plan, and conducting a two-year effectiveness review and plan); n Know your client (such as verifying the identity of clients and the beneficial ownership of property); n Business relationships (such as keeping a record of the purpose and intended nature of the business relationships with a client and describing your business dealings with them); n Record keeping (such as documenting how other requirements have been met); n Reporting (such as regarding suspicious transactions); n Travel rule (this concerns including or obtaining certain information in relation to an electronic funds transfer or a virtual currency transfer); and n Ministerial directives or restrictions (the federal Minister of Finance may issue directives or restrictions in dealing with transactions concerning a foreign jurisdiction).
Your compliance policies and procedures should also include the processes and controls put into place to meet your applicable requirements, including the following: n When an obligation is triggered; n The information that must be reported, recorded, or considered; n The procedures created to ensure a requirement is fulfilled; and n The timelines associated with your requirements and methods of reporting.
Risk Assessment
The compliance program must include policies and procedures that assess money laundering/terrorist financing risks in the course of the business’s activities.When assessing and documenting these risks, you must consider the following: n Your clients and business relationships, including their activity patterns and geographic locations; n The products, services and delivery channels you offer; n The geographic location(s) where you conduct your activities; n The risks resulting from ‘new developments’ or ‘new technologies’ you intend to carry out or introduce that may have an impact on your clients, business relationships, products, services or delivery channels, or the geographic location of your activities; and n Any other relevant factors affecting your business (for example, employee turnover, industry rules and regulations).
If, at any time, you consider the risk of a money laundering or terrorist financing offence to be high, you must take enhanced measures. Enhanced measures are the additional written controls and processes that you have put in place to be applied to manage and reduce the risks associated with your high-risk clients and business areas.
If, at any time, you consider the risk of a money laundering or terrorist financing offence to be high, you must take enhanced measures. Enhanced measures are the additional written controls and processes that you have put in place to be applied to manage and reduce the risks associated with your high-risk clients and business areas.
Enhanced measures to mitigate risk can include: n Obtaining additional information on a client (for example, information from public databases and the internet); n Obtaining information on the client’s source of funds or source of wealth; n Obtaining information on the reasons for attempted or conducted transactions; or n Any other measures you deem appropriate.
Training Program
If you have employees, agents or other persons authorized to act on your behalf, you must develop and maintain a written, ongoing compliance training program. Your training program should explain what your employees, agents or other persons authorized to act on your behalf need to know and understand, including: n Your requirements under the Act; n Background information on money laundering and terrorist financing (such as the definitions of the terms and how to detect such activity); n How your business or profession could be vulnerable (provide indicators and examples); n The compliance policies and procedures you have developed to help meet your requirements under the Act for preventing and detecting money laundering and terrorist financing including your reporting, record keeping and know-your-client requirements; and n Their roles and responsibilities in detecting and deterring money laundering and terrorist financing activities, and when dealing with potentially suspicious activities or transactions.
You must institute and document a plan for your ongoing compliance training program and for delivering the training, including how it will be implemented and delivered. This includes documenting the steps you will take to ensure your employees, agents or other persons authorized to act on your behalf receive an appropriate level of training relevant to their duties and position, on an ongoing basis.
TWO-YEAR COMPLIANCE REVIEW
You must, at least every two years, conduct an effectiveness review to test the effectiveness of the elements of your compliance program (policies and procedures, risk assessment, and ongoing training program and plan).
You must start your effectiveness review no later than 24 months from the start of your previous review. You must also ensure that you have completed your previous review before you start the next review.
The purpose of an effectiveness review is to determine whether your compliance program has gaps or weaknesses that may prevent your business from effectively detecting and preventing money laundering and terrorist financing.
Your plan should not only describe the scope of the review, but it should include the rationale that supports the areas of focus, the time period that will be reviewed, the anticipated evaluation methods and sample sizes. The evaluation methods can include, but are not limited to, interviewing staff, sampling records and reviewing documentation. The review must be carried out and the results documented by an internal or external auditor, or by yourself if you do not have an auditor. The auditor should be someone who is knowledgeable of your requirements under the Act.
You must report, in writing, the following to a senior officer no later than 30 days after the completion of the effectiveness review: n The findings of the review (for example, deficiencies, recommendations and action plans); n Any updates made to the policies and procedures during the reporting period (the period covered by the two-year review) that were not made as a result of the review itself; and n The status of the implementation of the updates made to your policies and procedures.
POSSIBLE CONSEQUENCES FOR NON-COMPLIANCE
Administrative monetary penalties are being contemplated regarding non-compliance. The range of the penalty will depend on the harm done by the violation and the reporting entity’s history of compliance. The penalty for a minor violation would range from $1 to $1,000 per violation, a serious violation would be from $1 to $100,000 per violation, and a very serious violation would be from $1 to $100,000 per violation for an individual and from $1 to $500,000 per violation for an entity.
Takeaways
If mortgage brokers, lenders and administrators are included as reporting entities for purposes of the Act, and it is almost certain they will be, compliance efforts and costs are bound to increase. While there is no need to think the weight of compliance will be unbearable, it will certainly be lighter for mortgage brokers who anticipate the future, familiarize themselves with the likely changes, and plan accordingly.
This article is not intended as legal advice. You are advised to obtain legal advice in specific instances.
