Canada is the second-largest financial destination in North America after the United States and hosts diverse business interests from across the world including commercial fintech service providers. While Canada has a developed a modern financial system, recent high-profile criminal incidents have exposed structural vulnerabilities to a range of money laundering and terrorism financing activities including many that affect the fintech industry.
In 2016, the Financial Action Task Force (FATF) pointed out Canada’s shortcomings in an evaluation, prompting the Canadian government to increase its focus on addressing AML/CFT compliance in the fintech industry at a federal and provincial level.
Given that increased focus, and the significant penalties for noncompliance, fintech firms in Canada should be familiar with their regulatory obligations, and how to deploy appropriate AML/CFT measures to detect and prevent money laundering.
Like banks and other financial institutions, fintech service providers in Canada must abide by both public and private legislation at the federal and provincial levels. These laws include:
- The Canadian Payments Act
- The Payment Clearing and Settlement Act (Canada)
- The Bank Act
- The Bills of Exchange Act (Canada)
Fintech regulations: Certain Canadian financial regulations are specifically relevant to fintech service providers. These include the Personal Information Protection and Electronic Documents Act (PIPEDA) which protects personal information handled by private sector firms, and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
The PCMLTFA is particularly important because sets out the regulations for AML/CFT compliance in Canada and requires all firms, including fintech service providers, to:
- Establish a risk-based AML/CFT compliance program.
- Establish and verify the identities of their customers and clients.
- Maintain records on customers and clients.
- Report suspicious activity to the authorities.
PCMLTFA Amendments: In 2018, the PCMLTFA was amended to modernize and align Canada’s AML regime with international standards. The amendments introduce a definition of virtual currency and expand the scope of the legislation to cryptocurrency exchange and wallet providers. The amendments will come into force in Canada in 2021.
Fintechs may also be subject to provincial AML/CFT laws that vary based on the sector in which they operate. Fintech firms that are involved in the securities market, for example, are regulated at the provincial level by securities commissions. Similarly, provinces may impose their own data privacy and cybersecurity regulations.
Canada’s primary financial regulator is the Financial Transactions and Reports Analysis Centre (FINTRAC), which is responsible for identifying incidents of money laundering and terrorism. Fintech firms in Canada must report to FINTRAC when they detect suspicious activity that could indicate money laundering is taking place. FINTRAC maintains a national register of money services businesses and works with other law enforcement agencies to conduct investigations into fintech firms and other financial institutions that are suspected of wrongdoing.
Fintech firms may face specific AML/CFT risks depending on the sector in which they operate. Certain weaknesses in the industry, presented by products such as prepaid cards or remittance services, may also present opportunities for money launderers. With that in mind, specific AML risks and vulnerabilities for fintech firms include:
- Anonymity: Many fintech services offer criminals a level of anonymity that conventional services do not. Money launderers may seek to use fintech products to conceal their identities, use stolen identities, or engage third parties to act on their behalf in order to access the legitimate financial system.
- Speed: Electronic money transfers can take place at much greater speed and in greater volume than transfers using traditional banking products. That capacity allows criminals in Canada to use fintech products to disguise and transfer large amounts of illegal funds and avoid AML investigations by moving those funds around rapidly.
- Regulatory disparity: Canada does not have any dedicated fintech regulators or legislation. Criminals may seek to exploit blindspots or disparities in AML/CFT regulations by using fintech services to move funds into or out of Canada. Similarly, criminals may seek to exploit disparities in provincial jurisdictions.
- Structuring: Criminals may seek to take advantage of different Canadian fintech products or service providers in order to engage in multiple transactions, structing the introduction of their illegal money into the legitimate financial system without triggering AML measures.
Fintech firms should be alert to a range of characteristic behaviours or red flags that indicate criminals are attempting to exploit their services to launder money or finance terrorist activities. Those red flags include:
- Customers that attempt to conceal their identities when using fintech services.
- Discrepancies in customer identity verification.
- Transactions that consistently exceed or fall just below regulatory reporting thresholds.
- Unusual transactional behavior such as unusually high frequencies of transactions or transactions with high-risk countries.
- Transactions that seem connected to each other or multiple account registrations that share identifying information.
Under FATF recommendations and the requirements of the updated PCMLTFA, fintech firms in Canada must put a risk-based AML/CFT program in place in order to achieve regulatory compliance. In the fintech industry, it is particularly important that firms deploy suitable Know Your Customer (KYC) measures in order to verify customer identities and understand the ways in which those customers use and interact with their fintech products. Accordingly, an AML program must include the following due diligence, screening and monitoring measures:
- Customer due diligence: Fintech firms should put CDD measures in place in order to accurately establish and verify their customers’ identities. Customers that present a higher AML risk should be subject to enhanced due diligence (EDD).
- Transaction monitoring: Firms should monitor their customers’ transactions for suspicious activity on an ongoing basis. When suspicious activity is detected, firms should submit suspicious activity reports (SAR) to FINTRAC in a timely manner.
- Sanctions screening: Fintech services may be misused in order to avoid international sanctions. Accordingly, firms should screen their customers against the relevant international sanctions lists.
- PEP screening: Politically exposed persons (PEP) may present a greater risk of money laundering to fintech firms. With that in mind, firms should screen their customers on an ongoing basis to establish their PEP status.
- Adverse media monitoring: Adverse or negative news stories often indicate that a customer is involved in money laundering or terrorism financing activities. Fintech firms should monitor for adverse media on traditional screen and print media and from online sources.