KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

namedate of birthaddressoccupationdriving licensepassport

KYC to onboard international persons

namedate of birth

corporate requirements

name and address legal documentationarticles of incorporationarticles of association

National ID card name

Canadian citizenship cards

Does the country have Esignature Laws?

The Personal Information Protection and Electronic Documents Act (PIPEDA); the Uniform Electronic Commerce Act (UECA); the Act to Establish a Legal Framework for Information Technology;

E-sig law files

What year did the relevant AML laws and regulations become effective?

2000

Further details on AML regime

Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”) was passed in 2000, and amended in 2001, 2006, 2008, 2010, 2013 and 2014

Who is the regulator for AML controls for Banking

In 2000, the Financial Transactions Reports Analysis Centre of Canada (“FINTRAC”) was established under the PCMLTFA to serve as Canada’s financial intelligence unit. FINTRAC is responsible for ensuring compliance with AML/AFT requirements by all Reporting Entities, including financial entities (banks, trust companies, credit unions, etc.), life insurance companies, securities dealers (including asset managers/investment advisers), casinos, money services businesses, dealers in precious metals and stones, real estate agents and certain developers, accountants and notaries public based in the province of British Columbia

Link to site

http://www.fintrac.gc.ca/

Other financial Services

The Office of the Superintendent of Financial Institutions (“OSFI”), established in 1987, is the federal agency responsible for the supervision and regulation of all federally incorporated or registered banks, life

Website of Regulator

http://www.osfi-bsif.gc.ca/

Financial Sector regulator

http://www.iiroc.ca/Pages/default.aspx

Practical Guidance for AML

Yes, the FINTRAC has published plain language interpretations and guidelines as well as interpretation notices, OSFI Guideline B-8: Deterring and Detecting Money Laundering was issued in December 2008, and IIROC issued Anti-Money Laundering Compliance Guidance in October 2010

Practical guidance PDF's

pub-eng.asp

Is there a requirement to verify the identity of customers retroactively?

No.

Retroactive details

No, however pursuant to the adoption of a Risk Based Approach to ML/TF governance, customers considered to be a higher ML/TF risk are required to be identified.

Has the country been the subject of FATF mutal evaluation in the last 3 years?

Yes, FATF released its third evaluation of Canada in February 2008, The fourth evaluation of Canada is in process with on-site visits occurring in October and November 2015, and In 2014, FATF recognised that Canada had made significant progress in addressing deficiencies identified in the 2008 report and removed Canada from the regular follow-up process

PDF of FATF review

Are there minimum transaction thresholds (Y/N)

Yes

More details on minimum transaction thresholds.

Yes, Customer identification is not required for: a) electronic Funds Transfer (“EFT”) transactions less than CAD1,000 (approx. USD710); b) foreign currency exchange transactions less than CAD3,000 (approx. USD2,130); c) issuance/redemption of traveller’s cheques, money orders or other similar negotiable instruments less than CAD3,000 (approx. USD2,130); and d) cash transactions less than c (approx. USD7,100) (other than when multiple (two or more) transactions occur over a 24 hour time period aggregate to more than CAD10,000 (approx. USD7,100) and are believed to be conducted by or on behalf of the same individual or entity). Customer identification is not required when the transaction exceeds the thresholds noted above provided a signed signature card for an account exists with the institution. In 2014, amendments were introduced to require ongoing monitoring once a business relationship has been established. Non-account-based business relationships are established when the entity conducts two or more transactions in which the identity of an individual must be ascertained or the organization’s existence must be confirmed.

What are the requirements for customer identification information for individuals

Individuals: Reporting Entities must obtain, verify and maintain the following records of an individual’s identity: customer name, date of birth, address, the nature of the customer’s principal business or occupation and intended use of the account. Regulations state that the identity of a person should be ascertained by referring to a birth certificate, driver’s licence, passport, permanent resident card or any similar record. You can refer to a provincial/territorial health insurance card, but only if it is not prohibited by provincial/territorial legislation. The original document (not a copy) must be reviewed.

Details to be Collected on Corporates

Legal entities: Reporting Entities must confirm the existence, name and address of any legal entity for which it opens a business account by obtaining such legal documentation as Articles of Incorporation, Articles of Association, Partnership Agreement or other similar record. The record used to confirm the corporation’s existence can be in paper or electronic format. If the record is an electronic version, entities must keep a record of the corporation’s registration number, the type and source of the record. Furthermore, depending on legal entity type, additional documentation may be required. For example, in the case of a corporation, the name of the corporation’s directors, the name, address and principal occupation of all individuals who directly or indirectly own or control 25% or more of the shares of the corporation and information on the ownership, control and structure of the corporation must also be obtained. The identity of up to 3 individuals authorised to transact on behalf of the legal entity must also be verified as well as the evidence of the individuals’ authorisation to transact on behalf of the legal entity such as articles of incorporation or the bylaws.

What are the high level requirements around beneficial ownership (identification and verification)?

When a firm has to identify an entity, it must obtain, take reasonable measures to confirm and keep records of the information relating to the entity’s beneficial ownership. For a corporation, this includes the name and address of all individuals who directly or indirectly own or control 25% or more of the shares of the corporation. In cases where there is no individual who owns or controls 25% or more of an entity, a record must be kept of the measures taken and the information obtained in order to reach that conclusion. If the information cannot be obtained or its accuracy confirmed, reasonable measures must be taken to ascertain the identity of the most senior managing officer of the entity and treat the entity as high-risk and subject to more frequent monitoring. A record must be maintained explaining why beneficial ownership could not be determined as well as the information pertaining to the most senior managing officer.

What circumstances are enhanced customer due diligence measures required?

A firm's compliance program must include the development and application of policies and procedures to assess the risk of a money laundering offence or a terrorist activity financing offence. Special measures should be taken in high risk situations for identifying customers and monitoring transactions. When a risk assessment determines that the risk is high for money laundering or terrorist financing, policies and procedures to keep customer identification information up to date must be developed and more frequent monitoring must be performed. For a financial entity, a securities dealer, a life insurance company, broker or agent, or a money services business, this also applies to keeping beneficial ownership information up to date. All Reporting Entities must develop and apply policies and procedures to keep information on business relationships up to date. This information should be reviewed at a minimum at least every two years. OSFI Guidance states that federally registered or incorporated firms that conduct business in offshore jurisdictions or that have customers that operate in those jurisdictions, need to be especially vigilant. Certain customers may merit additional due diligence, and examples given include businesses that handle large amounts of cash or those that hold important public positions.

How should FI's deal with Politically exposed persons

When dealing with PEPs, the following additional due diligence measures must be taken: a) enhanced account monitoring; b) senior management approval to maintain the account or senior management review of transaction within 14 days of account activation or EFT transaction; and c) reasonable measures to obtain source of funds.

What enhanced due diligence must be performed for correspondent banking relationships?

The following due diligence requirements are required for correspondent banking relationships: a) obtaining personal information about the foreign entity and its activities; b) ensuring that the foreign entity is not a shell bank; c) obtaining the approval of senior management; and d) setting out in writing the firm's obligations and those of the foreign entity in respect of the correspondent banking services.

Are relationships with banks who might be considered a 'shell' and without substance permitted?

Yes

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

Recent amendments have introduced a broader and more flexible set of identification requirements related to non-face-to-face transactions. The requirements set out the following two options for identification of individuals not physically present: a) Confirmation from an affiliated entity that they have ascertained the identity by referring to an original identification document and verify the name, address and date of birth received; or b) Combination of two of the following methods: referring to an independent identification product or, with the individual’s permission, referring to a credit file; obtaining an attestation concerning an identification document for the individual from a Commissioner of Oaths or a guarantor; confirming that a cheque drawn on a deposit account with a financial entity (other than one that is exempt from identification requirements) has cleared; and confirming that the individual has a deposit account with a financial entity (other than one that is exempt from identification requirements).

To whom are SAR's made? (suspicious activity reports)

FINTRAC

Link to website of SAR reporting

http://www.fintrac.gc.ca/intro-eng.asp

Other Suspicious or unusual transactions obligations.

Yes. Under the PCMLTFA, all reporting entities are required to report to FINTRAC transactions for which they have reasonable grounds to suspect that the transactions are related to money laundering or terrorist financing (this includes attempted suspicious transactions). In addition, all reporting entities must report the following transactions to FINTRAC, unless stated otherwise: a) large cash transactions – receipt of an amount of CAD10,000 (approx. USD7,100) or more in the course of a single transaction, or multiple transactions over a 24 hour time period by or on behalf of the same individual or entity; b) electronic funds transfers – international ingoing and outgoing EFTs valued at CAD10,000 (approx. USD7,100) or more in the course of a single transaction, or multiple transactions in a 24 hour time period by or on behalf of the same individual or entity. This requirement applies to financial entities, MSBs (Money Service Business) and casinos; c) terrorist property – a report must be submitted to FINTRAC if a reporting entity has property in its control or possession that is owned or controlled by or on behalf of a terrorist, a terrorist group, or listed person. Nil reports must also be filed by certain reporting entities on a monthly basis with their principal regulators such as OSFI or IIROC. The monthly reporting requirement is separate and distinct from the requirements to immediately disclose detailed information to law enforcement agencies such as the Royal Canadian Mounted Police and the Canadian Security Intelligence Service; and d) casino disbursements – a casino must file a report when it makes a disbursement valued at CAD10,000 (approx. USD7,100) or more in the course of a single transaction, or over the course of multiple transactions in a 24 hour time period by or on behalf of the same individual or entity.

Are there any de-minimis thresholds below which transactions do not need to be reported?

CAD10,000

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

Yes. There are criminal or administrative penalties associated with non-compliance with reporting requirements, including tipping off. Both criminal and administrative monetary penalties (“AMPs”) cannot be issued against the same instance of non-compliance. AMPs violations are classified by the PCMLTF Regulations as “Minor”, “Serious” or “Very Serious” and multiple violations can result in a total amount that exceeds the individual violation limits. a) minor violation: from CAD1 (approx. USD0.71) to CAD1,000 (approx. USD710) per violation; b) serious violation: from CAD1 (approx. USD0.71) to CAD100,000 (approx. USD70,990) per violation; and c) very Serious violation: from CAD1 (approx. USD0.71) to CAD100,000 (approx. USD70,990) per violation for an individual; and from CAD1 (approx. USD0.72) to CAD500,000 (approx. USD354,940) per violation for an entity. FINTRAC may disclose cases of non-compliance to law enforcement when there is extensive non-compliance or little expectation of immediate or future compliance. Criminal penalties may include the following: a) failure to report suspicious transactions: up to CAD2 million (approx. USD1.4m) and/or 5 years imprisonment; b) failure to report a large cash transaction or an electronic funds transfer: up to CAD500,000 (approx. USD354,940) for the first offence, CAD1 million (approx. USD709,870) for subsequent offences; c) failure to meet record keeping requirements: up to CAD500,000 (approx. USD354,940) and/or 5 years imprisonment; d) failure to provide assistance or provide information during compliance examination: up to CAD500,000 (approx. USD354,940) and/or 5 years imprisonment; and e) disclosing the fact that a suspicious transaction report was made, or disclosing the contents of such a report, with the intent to prejudice a criminal investigation: up to 2 years imprisonment.

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

No.

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

No.

Does the local legislation allow transactions to be monitored outside the jurisdiction?

The regulations do not specify whether transaction monitoring can be performed outside of Canada.

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

No however, federally registered or incorporated financial institutions are required to test all key AML/ATF program components at least every two years.

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

N/A

To whom should the report on AML systems be submitted?

N/A

Is an AML system part of the financial statement audit?

N/A

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

N/A

Data Protection Laws And Personal Data

Yes.

Data Protection for Corporate Data

does not apply – only personally identifiable information is covered under Canada’s Privacy laws

Data protection for "sensitive Data" and additional protections.

not explicitly defined, however examples are provided in the Schedule 1 PIPEDA, Section 4.3.4 (Canada’s Privacy Law). Sensitivity of information is considered, in some cases, to be dependent on

Do any restrictions on the transfer of credit reports exist?

Prohibited unless the customer allows the transfer of this information based on the premise of informed consent.

Regulator Acronym

BCB, CVM, CFC,

Year of last FATF mutual evaluation

2014, 2014, 2008

Field 67

Confirmation from an affiliatedidentification documentsverify the nameaddress and date of birth received;

National ID card details

No national identity card.

National ID source

N/A

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Requirement to proceed

requirement to use automated suspicious transaction tools

Who are SARS made to?

FINTRAC

shell banks

Yes

EDD for correspondent banking

Yes

Minimum transactions

CAD 10,000

Min transaction USD

7100

Personal Data protection

key restrictions

Some real estate agreements, wills, estate agreements and powers of attorney are excluded from the law. There is some variation among the provinces respecting restrictions. See, for example, Quebec’s Act to Establish a Legal Framework for Information Technology.

Summary

The laws of Canada and each of its provinces explicitly grant electronic signatures the same status as handwritten signatures. Summary of law Canada’s laws follow the permissive approach. These minimalist, or permissive, laws permit the use of electronic signatures for virtually all types of agreements. However, it is important to obtain the prior consent of all parties to conduct business electronically. Electronic signatures are presumed valid unless proof to the contrary is produced.

Are e-signatures acceptable

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

N/A

Non financial sector (e.g. casinos, high value goods etc.)

The Canadian Securities Administrators (“CSA”) is an umbrella organisation comprised of 13 provincial and territorial securities regulatory authorities. The CSA serves as a forum for coordinating and harmonising the regulation of Canadian capital markets. Securities regulators also delegate certain aspects of securities regulation to self-regulatory organisations including the Investment Industry Regulatory Organisation of Canada (“IIROC”)

Does the country have a risk based approach?

Yes. Entities are required to assess and document the risk related to money laundering and terrorist activity financing in their business. This assessment must be tailored and should consider factors such as customers and business relationships, products, delivery channels and geographic areas where business is conducted, as well as other relevant factors. This assessment is in addition to the client identification, record keeping and reporting requirements.

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

Copies of identification documents are not permitted. In order for a document to be acceptable for identification purposes, it must be valid (i.e. not expired), have a unique identifier number and be issued by a provincial, territorial or federal government. Customer identification through attestation is also permitted, in which case confirmation must be obtained to demonstrate that the customer’s ID has been certified to be true and correct by a commissioner of oaths or a guarantor. The attestation method requires that the document is a legible photocopy and contains the name, profession, address and signature of the commissioner of oaths or the guarantor, and the type and number of the identifying document. This method can only be used in conjunction with other prescribed methods of customer identification, including referring to an independent and reliable identification product, cleared cheque or deposit account. It is acceptable for a reporting entity to rely on the customer identification records of an affiliate or co-member when the customer is not physically present, provided that affiliate or co-member viewed the original identification documents. In this case, the reporting entity must verify the individual’s name, address and date of birth against the information maintained by the affiliate.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

None that we are aware of.

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

N/A