Blog - Just Commentary - Not Legal Advice and Not the Views of the firm or any of its clients!
CAMLO ALERT - UPDATING YOUR TECHNOLOGY?
Canadian Anti-Money Laundering Compliance Programs: It's just over a year until the regulations change so it's time to get started on the changes now!
As of June 21, 2021, one of the key changes to AML compliance programs relates to adoption and implementation of technology. This is a big deal because there are rapid changes happening all the time, and these are now happening at breakneck speed due to COVID-19 and the need to work differently.
In 2021 the new Regulation will REQUIRE that your AML risk assessment happen in advance, and will read:
S. 156(2) – If the person or entity intends to carry out a new development or introduce a new technology that may have an impact on their clients, business relationships, products or delivery channels or the geographic location of their activities, they shall, in accordance with paragraph 1(c), assess and document the risk referred to in subsection 9.6(2) of the Act before doing so. (emphasis added)
The specific section 9.6(2) risk mentioned is the requirement that the Compliance Program address the “risk of a money laundering offence” or a “terrorist activity financing offence”. You need to start considering how your new technology will engage with and affect your ability to assess and document these risks.
To develop, update and review your AML compliance progam you will almost certainly need an external consultant (or significant in-house expertise) but prior to doing so, frank discussions with counsel in the course of obtaining privileged legal advice can aid in improving your compliance program efficiently and effectively while protecting your entity as the client.
I have a background in information governance and I have been recognized by the IAPP as a Fellow of Information Privacy (FIP) (having IAPP/C, IAPP/E and CIPM certification). I am also a former crown attorney (criminal prosecutor), and the Law Society of Ontario has granted me the status of Certified Specialist in Criminal Law.
As such I am uniquely qualified to provide privileged legal advice on risk assessment in the area of the criminal offence of money laundering and how adoption of new technology tools affects the risk profile for an organization.
There are some fantastic, experienced and knowledgeable AML consultants out there (there are quite a few but for example the AML Shop and Outlier Solutions are two such companies) and I have a great deal of respect for the work they do to help reporting entities and others to address all their obligations (and beyond).
As legal counsel I can work with you to coordinate the efforts of external AML consultants and assist you in exploring your legal options and assessing the potential impact on your organization and its senior management.
Gerry McGeachy, CAMS, CFE, CFCS
Money Laundering: Let's not forget that it is Criminal, not just Regulatory.
"...If the current state of your anti-money laundering training or written material says the following is the offence of Money Laundering in Canada, it is wrong..."
"...If the current state of your anti-money laundering training or written material says the following is the offence of Money Laundering in Canada, it is wrong..."
Under Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the core obligation to submit a suspicious transaction report re money laundering is found in s. 7. It is essential that senior management and front line personnel at any reporting entity understand and can answer the question "Suspicious of what?" because it is not just any old suspicion that triggers the reporting obligation (as it relates to money laundering, similar issues apply to terrorist activity financing offences found in sections 83.02 to 83.04 and 83.12 of the Criminal Code of Canada).
The obligation emanates from reasonable grounds to suspect that the transaction is related to a "money laundering offence" (MLO). The concept of MLO includes but is not limited to "money laundering" (ML).
An MLO can be committed in many ways through the Criminal Code. The vast majority of offences in the Code are hybrid offences which makes them indictable because they can be prosecuted through a summary proceeding or indictably, based on an election by the prosecutor. Similar rules surround indictable offences created by other Acts such as the Income Tax Act (see for example s. 239(2) if the ITA).
I am certified by the Law Society of Ontario as a specialist in criminal law, and was a crown prosecutor for many years. My cases included financial crime, conspiracies and offences involving criminal organizations. I was also senior litigation counsel at the Ontario Securities Commission - Enforcement Branch and when there I investigated a broad range of financial businesses ranging from large banks to international internet-based operations. I am not a criminal defence lawyer. Instead I have chosen to leave full-time prosecution and practice proactive compliance for AML/Financial Crime and related issues. I can help your staff make sense of complex ML issues. Please contact me if your people need training on fundamental AML issues including:
c) aiding and abetting;
d) counselling someone to commit an offence;
e) being an accessory after the fact....
... Or they need more clarity on:
- What is a money laundering offence (MLO)?
- What is money laundering (ML) in Canadian criminal law?
If the current state of your anti-money laundering training or written material says the following is the offence of Money Laundering in Canada, it is wrong.
Zooming toward Regulator Enforcement!
Emerging compliance issues in the COVID-19 “work from home” era era.
Author: Gerry McGeachy, C.S., CAMS, CFCS, CFE, FIP
Quick Takeaways for regulated organizations who need to invoke a modified compliance program to address the current pandemic situation:
- Take steps to formally employ a risk based approach to the new expanded “work from home” reality;
- Generate clear documentation surrounding the risk assessment, options, decisions and implementation;
- Engage in education and training specifically related to the use of additional communication tools when working from home;
- Integrate your changes and decisions into the formal organization Code of Conduct and business level guidance and policy;
- Demonstrate support from senior management by having the right decision-makers involved and by allocating appropriate funding for the implementation of the decisions made;
- Ensure clear lines of communication with senior management regarding the decisions, and strive for a unified organizational approach;
- Generate appropriate metrics for evaluation and use them to refine the approach;
- Prepare now for questions from regulators and litigation through smart information governance, classification of documents and create a record that defends your organization’s decisions and actions.
Have you ever heard the saying “when the cat is away, the mice will play?” These days to a large degree both the cat and the mice are away, working from home and not subject to the usual compliance supervision, monitoring and surveillance. For the most part everyone is getting their work done admirably, managing the pressures of home life and their work day. If you operate in a regulated industry, are you taking steps to ensure that “work from home” is covered by an effective compliance regime?
“…having investigated Canadian banks, and other business entities involved in financial transactions in Canada and internationally, I am convinced that the human factor is the one of the largest areas of ongoing vulnerability… and the most likely to generate a regulatory sanction.”
Employees are now able to be on their home phones or their personal cellphones, sitting at a desk with their personal computer alongside their work computer, with access to any sort of third-party communication tool that they should choose to utilize. Without creative thinking and controls, there is no compliance presence, at least in the human, personal sense.
The exodus of personnel from the business office to their home locations is a significant regulatory compliance issue. As I set out herein, one of the greatest concerns and dangers that needs to be managed is the ready availability of additional third-party communication tools in an unmonitored environment. Having prosecuted many cases involving financial crime and having investigated Canadian banks, and other business entities involved in financial transactions in Canada and internationally, I am convinced that the human factor is the one of the largest areas of ongoing vulnerability. It is the hardest area to manage and the most likely to generate a regulatory sanction.
In addition to being a crown attorney and prosecutor for many years I was one of the senior litigation counsel in the enforcement branch at the Ontario Securities Commission in 2018 and 2019. At the OSC I was an investigator into companies that range from large international banks all the way down to small internet-based companies offering financial services.
One of the investigations I participated in as senior litigation counsel with the OSC involved Canadian bank foreign exchange traders’ internal and external electronic communication. This investigation resulted in a settlement by TD Bank and the Royal Bank of Canada. The allegations and settlement revolved around a failure to have sufficient supervision and controls in place and insufficient promotion of a culture of compliance. It was agreed ultimately that these failings put customers at risk of harm, could undermine market integrity and were contrary to the public interest.
The world of financial institutions and related businesses seems vast at first glance but it makes sense to break it down into smaller functional groups where specific people have specialized skill sets. The business activities are often performed by people who move around from institution to institution over the course of their career. This results in ongoing relationships which are healthy and great for business, and enable people to get things done. But it also means that your personnel have old friends and trusted contacts who work for, or even own, other businesses. This reality exposes your customers to risk. In areas of operation such as OTC transactions, options, “M&A”, or other areas where salespeople, financial advisors, dealers, brokers and traders who make deals are in a position to share critical confidential deal information with external third parties, the risk is heightened. There may be temptation for individuals or groups to benefit through collusive or manipulative behaviour.
This quick blog article does not delve at length into the larger misconduct issues. This article is mainly about a particular vulnerability that has grown vastly in scale since the arrival of “social distancing” and the overall COVID-19 pandemic response - the availability of unmonitored third-party communication tools (i.e. - Zoom, Viber, Telegram, Signal, Houseparty, WeChat, Line, Pryvate Now, Wickr… and the list goes on. Some are specifically designed to ensure encryption and anonymity and are marketed as such).
“…These days … both the cat and the mice are away, working from home and not subject to the usual monitoring and surveillance…”
Right now regulators (appropriately) recognize the severity of the COVID-19 situation and many are relaxing a number of procedural requirements. Things like deadlines and methods of reporting are being modified for the near future but the ultimate obligations regarding substantive regulatory requirements are generally not being modified. For example, the Ontario Securities Commission has published what it has described as temporary blanket relief from deadlines for filing and FINTRAC has required that reporting entities submit a “voluntary self-declaration of non-compliance” which will be “taken into account in future compliance activities”.
This means that when regulators finally catch their breath and begin to look back to consider early to mid-2020, they may have questions for you. Months from now, when things will have (presumably and hopefully) returned to a more normal state, regulators may still be prepared to overlook lapses in some timelines, failure to meet specific date requirements and irregularities in how information was reported. One important way of dealing with a true inability to comply with a deadline is to notify the regulator of the failure, preferably before it happens, provide the reason and confirm that it is documented and provide a plan to address the issue as soon as possible. That will help somewhat with a due date for filing a document, but substantive failures which reflect true regulatory failings are unlikely to get a pass. For true substantive violations where the required level of diligence cannot be established, it is more likely that the COVID-19 pandemic response will translate into a reduction in overall penalty or other sanction, if the error was in good faith. It is worth noting that a reduced regulatory penalty does not necessarily translate into a reduction in reputational harm in the eyes of the public or the capital markets community.
The “Work from Home” Change Brought About by COVID-19
There are numerous developments taking place as a result of COVID-19 but one of the greatest is that vast numbers of workers are now operating out of their own homes, and not coming into the office.
Is your organization ready to:
- Take steps to ensure that your “work from home” employees are not engaged in misconduct at home that affects your business?;
- Defensibly capture and document the development of your in-house compliance approach to the new reality such that you will be able to satisfy your regulators that you have done a sufficient job?;
(This latter point (ii) is not about factually doing good a good job. It is about the equally important task of generating a defensible evidentiary record that can be produced on demand to demonstrate to a regulator that there is no need for an investigation or enforcement proceeding. You have to comply. You also have to be able to show that you complied.)
“…You have to comply. You also have to be able to show that you complied.”
People are Great – They are also a Great Source of Vulnerability
Human skill, creativity, motivation, experience, relationships and intelligence underly all successful business operations. But some of the problems with humans within a regulated organization include that they:
- occasionally make mistakes;
- have limited capacity to remember and process large data sets;
- are often ambitious;
- can at times be lazy or procrastinate;
- rationalize when confronted with a choice between ethics/compliance and self-interest;
- can be wilfully dishonest, sometimes in creative and unpredictable ways.
In order to adequately assess what is required and to ensure that the “work from home” reality is addressed we should look to current best practices including:
- establishing an overall risk appetite for the organization and for business units;
- “Tone from the Top”;
- education and training;
- global and departmental codes of conduct;
- whistleblower programs;
- appropriate compensation structure;
- training and awareness about the presence of surveillance and monitoring;
- deterrent practices including appropriate sanctions for misconduct ranging from education to dismissal.
These are all applicable and important during the rapid shift to “work from home” that is required to address COVID-19.
There are “carrots” and “sticks” built into these practices. Some are intended to encourage and push people toward the right behaviours. Appropriate compensation structure falls into this category, particularly if compliance behaviours are factored into decisions surrounding compensation and career advancement.
Some of the practices are intended to identify misconduct and punish. A number of them have a blended effect. Surveillance and monitoring is a “stick” because it catches misconduct and facilitates on enforcement step. But additionally, widespread distribution of information about the existence of surveillance and monitoring or a whistleblower program encourages appropriate behaviour. It encourages those who would apply a cost vs. benefit approach to misconduct to attach greater costs to misconduct due to the increased likelihood of being caught. This makes misconduct appear less attractive to those types of individuals.
Negative financial or reputational harm often flows from honest human error (often caused by sloppiness or curiosity) such as in the case of phishing type attacks and those involving human engineering. But there is also human dishonesty, fraud and corruption to address. We know from experience that there is a risk that some misconduct may be tolerated by senior management if the bad actor generates enough profit, or if the behaviour can be rationalized into a dubious form of acceptance or even wilful blindness.
And then there are organizations where people openly behave unethically because that is “what you have to do”.
At the current time, there is a huge looming compliance risk for regulated financial sector businesses arising out of the massive changes and the “work from home” status of such a large number of employees. In addition to the number of employees, there are a number of roles that would not traditionally have been amenable to “work from home”. Regardless of the role of the personnel, the goal should be to modify compliance practices and procedures in order to ensure a reasonably similar level of oversight. Are you managing to enable the same level of monitoring and surveillance of personnel working from home? Are they sitting in their home office using their home computer on their desk alongside their work computer? Would this have been permitted if they were working in-house?
It is equally as important to consider whether the “work from home” employee has the appropriate resources in the home environment. If not, then effors should be made to ensure that the right tools are available to do the job. For example, a front line employee who conducts new account onboarding and CDD should have access to the same information remotely as they would have in the office. This includes sanctions checks, negative news, proprietary and open source tools.
Additionally, there are unique features of current COVID-19 transition/attempts to get people working in a socially distant way. It happened so quickly and without the usual planning or implementation of controls and performance indicators that undoubtedly compliance gaps have arisen. Of course, this change has been out of necessity. Businesses are being forced to get work done in a very different way using different communication tools and in a less monitored and surveilled environment, on a quicker timeline than they have been implemented after careful consideration of all the risks associated with this change.
“…Regardless of the role of the personnel, the goal should be to modify compliance practices and procedures in order to ensure a reasonably similar level of oversight.”
How are you going to address employees who are now able to use third-party communication channels to communicate in an unmonitored way? Are you allowing new communication tools to be installed on work devices during this period of change? Have they been properly evaluated not only through a privacy and data security lens, but also from a surveillance perspective. Can all the communications be ingested into your existing monitoring system? There is a considerable risk that senior management or business unit managers are taking steps, again out of a sense of necessity, to enable third-party “off the book” communication tools such as Zoom or other chat type tools for off-site employees.
This effectively eliminates the ability of any electronic transaction monitoring system to capture communications with third parties. Even if the installation of software on a “work device” is not permitted, people are now operating out of less secure locations. It is simply not possible to have compliance personnel or business unit compliance people visit with everyone in their home office or be present and visible and in a position to observe and make inquiry. Perhaps even more importantly, there may be a sense that they’re not as available to mentor and assist personnel with issues requiring clarification or interpretation. The essential message is that companies need to employ the full range of compliance program thinking to the new “work from home” reality. At its core is a risk based approach, enabling resources and thinking to be applied efficiently and proportionally to the most realistic and probable threats.
Graydon McGeachy Law LLP would be pleased to discuss how we can help you address any of your regulatory concerns. Before moving to private practice in 2019, Gerry McGeachy was a crown attorney in Ontario for 15 years, worked at a national law firm on matters for institutional clients and was a senior litigation counsel at the Ontario Securities Commission – Enforcement Branch. He understands evidence and government investigations.
Do the right thing and be able to demonstrate that you did the right thing. Although closely related, these are different issues, and they are both vital to preventing adverse consequences premised on an alleged failure to comply with a regulatory obligation.
All complex compliance functions are necessarily risk based when done correctly. This ensures that the right resources are applied to the right risk, thereby maximising mitigation and addressing the problem, not perfectly, but all things considered, in the best way that can be realistically accomplished. To seek to address complex compliance issues without a risk based approach in 2019 is like pouring money into the purchase of lottery tickets, hoping there will be a (highly unlikely) good outcome. That is not compliance, and it is not good corporate governance.
The resources need to be targeted to be effective. Currently, it is still people (aided by teams, processes and technology) who make those decisions, using the best information they have at their disposal.
Part of the perennial problem from the perspective of a financial institution or other reporting entity is the fear that a regulator, a court or even a party to litigation, will disagree with your risk assessment. If they are right… and you are wrong… then your resources have been misapplied, resulting in a less than optimal approach. Sanctions, damage awards and other detrimental outcomes will often be the result. Not to mention the fact that criminals are more likely to reap the financial benefits of their crime due to a deficient risk based approach. This includes drug dealers, human traffickers and fraudsters. Not a desirable outcome, and hence the importance of an effective risk based approach.
Arguably, there is no perfect risk assessment. One can argue about whether a risk assessment is perfect as long as it is procedurally and conceptually correct, regardless of its effect. But for the purpose of this brief blog post, let’s approach risk assessment from the perspective that if it is reasonable it is sufficient. I am not oversimplifying, just analytically setting the groundwork for highlighting the defensibility risk and distinguishing it from the risk based approach.
Let's use anti-money laundering (AML) compliance for example. For AML work, there is a lot built up in the concept of reasonableness including but not limited to:
- the designation of a CAMLO;
- tone from the top (corporate buy-in);
- appropriate use of technology;
- training and education;
- lines of reporting;
- credible internal enforcement and sanctions for deficiencies or misconduct;
- relationship between the business line, compliance and audit.
So let’s assume all these things (and more) are in place and the risk assessment that has been put in place is reasonable.
The question that is not asked often enough, and when asked, is not addressed frankly and starkly is:
Is our AML program defensible?
This question is not as important to a regulator because regulators are concerned with whether you complied, not how well you defend your view that you are complying. If they form the opinion that a program is insufficient they seek to enforce. It is grist for the mill.
If the entity cannot defend its program (usually a specific allegation but the allegation may be broad and extend as far "breach of industry standards" or a "failure to comply with an institutional Global Code of Conduct"), various findings may occur. It may be found to be eligible for an administrative monetary penalty due to a deficiency or perhaps to have violated a law such as securities law, or to have behaved contrary to the public interest.
It may seem strange, but although a finding of deficiency, once appeal routes are exhausted, is legally determinative, the finding doesn’t necessarily mean your program was or is substantively deficient. If your program was substantively sufficient, the negative outcome means you didn't have (and perhaps still don't collect) the evidence to defend it.
For the purpose of this blog post, let’s leave aside criminal or quasi-criminal offences which are determined on the standard of beyond a reasonable doubt and also the issue of settlement (based on its own sort of risk assessment). In standard regulatory litigation, a finding of deficiency occurs when a tribunal or court finds that the allegations are probably true. This may sound foreign to some readers who are not experienced in litigation, but essentially if a tribunal or court finds, after considering all the evidence, that an entity is 49% likely to be compliant then they must find the entity to be non-compliant.
Certainly, some deficiencies are clear, such as failing to file a report. In that case, the deficiency that is found overlaps with and maps perfectly onto the actual deficiency.
But what about situations where a program is in theory sufficient, but is not demonstrably so? This problem arises out of a lack of evidence - a failure of defensibility. It can apply to any poorly documented aspect of a compliance program. How would your senior compliance management team answer the question: How was your electronic monitoring tool calibrated, what types of inputs and transactional information was it capable of ingesting, and what factors were in place to generate a compliance “hit” in February 2016? (I know, it is more than one question but I hope you get the point). How about the follow up questions? (and keep in mind that all these questions may relate to a specific point in time):
- Who reviewed hits? Did they review all the hits and if not how were they selected?
- Was this system “out of the box” from the vendor or was it specifically tuned?
- Did you ever modify the tool to reduce positive hits? When, how and why?
- What qualifications and training did the reviewers have?
- How were concerns escalated from the initial reviewers?
- Did the compliance personnel in the second line of defence understand the subject matter of the “hit” or did they need to resort to asking the business line questions about the “hit”?
These are just a few questions on a specific topic related to electronic monitoring. There may be hundreds of questions that could be asked about this very specific issue for a very specific time. And there are obviously many other issues that may generate questions. Again, using AML as an example, topics may include the substantive issue of whether your human beings and/or electronic tools understood (for example) money-laundering typologies.
I have written about this elsewhere but since June 2019, the ability of staff and electronic tools to recognize indicia of money-laundering is very much in question. The substantive offence changed significantly to include the mental element of “recklessness”.
All that being said, the defensibility problem seems to me to be most likely to occur in a serious way when the human experience and judgment involved in risk assessment is not adequately documented. The activity of risk assessment, whether it is performed by an individual decision-maker in a small entity or a team project with numerous departments and data sources providing input to a risk committee, is the foundation of the risk based approach.
As long as best practices are in place and experienced, credible decision-makers are in the appropriate roles armed with the right information, their risk assessment should be defensible. Day to day, entities are focused not on defensibility but on effectiveness of their compliance program. Defensibility is a disturbing notion to some because it may seem like CYA (“cover your ass”) for a deficient program.
It is not that at all. Appropriate corporate governance not only entitles but arguably requires senior management to protect the organization by ensuring that the entity is in a position to rebut false claims by third parties that they are failing, whether it is in the regulatory or any other area of operation.
Spend time thinking about evidence and put your organization in the best position to show that you are doing the right thing. When responding to an allegation that you have failed, being able to demonstrate compliance may be just as important as actually having been compliant.
You've Probably Been Doing AML "Wrong" Since June 2019.
In June 2019 the Criminal Code of Canada was revised. Among many recent changes to the Code, the substantive offence of money-laundering was amended to add the mental element of recklessness.
Section 462.31 of the Code used to read:
Laundering proceeds of crime
462.31 (1) Every one commits an offence who uses, transfers the possession of, sends or delivers to any person or place, transports, transmits, alters, disposes of or otherwise deals with, in any manner and by any means, any property or any proceeds of any property with intent to conceal or convert that property or those proceeds, knowing or believing that all or a part of that property or of those proceeds was obtained or derived directly or indirectly as a result of
(a) the commission in Canada of a designated offence; or
(b) an act or omission anywhere that, if it had occurred in Canada, would have constituted a designated offence.
The section now reads:
Laundering proceeds of crime
462.31 (1) Every one commits an offence who uses, transfers the possession of, sends or delivers to any person or place, transports, transmits, alters, disposes of or otherwise deals with, in any manner and by any means, any property or any proceeds of any property with intent to conceal or convert that property or those proceeds, knowing or believing that, or being reckless as to whether, all or a part of that property or of those proceeds was obtained or derived directly or indirectly as a result of
(a) the commission in Canada of a designated offence; or
(b) an act or omission anywhere that, if it had occurred in Canada, would have constituted a designated offence.
This section is the bedrock of all AML work in Canada. It is the core measure against which suspicious transactions are measured. Of course, evidence of other offences should generate an STR too, but any transaction involving, for example, fraud, would also generate a money laundering concern. It is difficult to imagine a distinct substantive crime such as fraud which would not generate at least a suspicion that the party is dealing with in any manner or means, any property or any proceeds of any property with the requisite mental element of knowledge or belief. All financial crime is suspicious and at the same time all or nearly all transactions involving proceeds of financial crime are potentially money laundering.
The former pre-June 2019 AML offence, without the expanded mental element of recklessness has been the focus of AML monitoring, reporting, and training programs in Canada. This is no longer sufficient. In addition to the wide variety of recent changes coming to the FINTRAC regime and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and Regulations, organizations must grapple with a broader money laundering offence.
It is generally accepted that mere negligence is not recklessness. Something more is required. It has been described by the Supreme Court of Canada in R. v. Theroux as:
"Recklessness presupposes knowledge of the likelihood of the prohibited consequences. It is established when it is shown that the accused, with such knowledge, commits acts which may bring about these prohibited consequences, while being reckless as to whether or not they ensue."
Consider the example of a lawyer who regularly deposits money received from her client into her trust account. Under the prior money laundering offence, if the lawyer has no knowledge about an illicit source of the funds and has no reason to believe that the funds are proceeds of crime then the lawyer is not committing the crime of money laundering. It remains to be seen how investigations, prosecutorial discretion and the courts will treat the new offence but on its face, the lawyer could now be money laundering without knowing or believing the funds are proceeds of crime if the lawyer is only reckless about whether the funds are proceeds of crime. This could involve knowledge about the source of funds that make it appear likely that they are proceeds of crime, without the need to actually know or have come to believe it to be so.
The effect of this is that a financial services business must be looking for reckless transactors, not only transactors who appear to know or believe that transactional funds are proceeds of crime. This necessarily involves second-guessing the processes of clients. These individuals and businesses may, in the face of "clues" that they are dealing with proceeds of crime, nevertheless not believe them to be so. This could amount to recklessness.
It has always been an offence to believe one is laundering proceeds of crime even if the money in question is in fact completely legitimate. This may seem overly broad, but the policy choice made by Parliament was to criminalize those who were subjectively at fault because they believed they dealing with property obtained by crime or the proceeds of such property.
In application, the former offence, requiring knowledge or belief, has proven to be a difficult and expensive compliance problem for financial institutions. Money launderers modify their behaviour and develop innovative ways to carry out their transactions in order to extract the financial benefit of criminal activity and integrate their wealth back into circulation. This has pushed the financial industry into the role of being both reactive, updating and modifying AML programs, but also proactive, developing monitoring tools and sharing typologies in order to anticipate new ML tactics.
The new section 462.31, introduced without much fanfare, raises the bar for reporting entities and indeed any party to financial activity in the most broad sense. For first party transactors, there is now a specific obligation to rise above the level of recklessness in dealing with others. For businesses that provide financial services, in addition to the risk of becoming ensnared in a money laundering allegation through reckless behaviour, there is a new and significant obligation to ensure that their anti-money laundering program is set up to catch reckless parties to transactions.
Reduced to its essential core, the new substantive offence means that an entity commits money laundering if it is reckless about money laundering.
This is not an additional or separate offence. This is not just a FINTRAC issue. The actual criminal offence of money laundering can now be committed through recklessness without any additional subjective fault.
Among other things, the issue is no longer just what the party knows or believes. The suspicious transaction evaluation now must ask whether the party has done enough of its own evaluation to rise above recklessness, given the risk profile of the financial activity. Ultimately, this appears to involve a risk based assessment of the client's business activities to determine whether the client, given the risk profile its activity, has taken sufficient steps to prevent money laundering.
It is usually quite difficult to prove that a person knows something or holds a particular belief. It can certainly be done but given that admissions of wrongdoers are rare, the proof relies on circumstancial evidence that requires extensive resources and plenty of motivation. With the modification of the money laundering offence to include recklessness, the evidence can be much more objective in that a person, a company, and by extension, senior management may be guilty of money laundering in Canada now because they have not paid due regard to the risks associated with their transactions.
If this new reality has not been addressed yet within your organization, it is time to consider whether your AML program is now considering reckless behaviour. This will have an impact on all three lines of defence. This applies to policies and procedures, the training of staff, the monitoring tools implemented, practices around recording and reporting and internal audit and evaluation. In short, the overall program must address the criminal law concept of recklessness as established in Canada.
Reasonable Limits on Investigations and Warrants under the Occupational Health and Safety Act, R.S.O. 1990.
*This paper is not legal advice.
Regulators have a lot of power when acting within the scope of their jurisdiction. The power comes along with the mandate to act for a specified purpose which often includes the “public interest” or some other identified valuable goal. Ontario’s Occupational Health and Safety Act, R.S.O. 1990, c. O.1 ( both the Act and its Regulations are herein referred to collectively herein as “OHSA” or “Act”) is no different, either in its aspirations or in the broad scope of the powers it provides to the people who are tasked with ensuring its application. The OHSA sets out its underlying purposes as powers and duties of the Minister of Labour in Section 4.1 of the OHSA as:
- To promote occupational health and safety and to promote the prevention of workplace injuries and occupational diseases.
- To promote public awareness of occupational health and safety.
- To educate employers, workers and other persons about occupational health and safety.
- To foster a commitment to occupational health and safety among employers, workers and others.
- To make grants, in such amounts and on such terms as the Minister considers advisable, to support occupational health and safety.
The OHSA is remedial legislation. It is primarily protective and preventive, rather than punitive. This is apparent in that its goals include health promotion, injury prevention, education and the provision of financial support for initiatives in furtherance of the Act. There is nothing specific about denunciation in the Act, for example. There are non-punitive compensatory provisions such as Section 30 which prescribes circumstances under which owners or constructors are liable for losses and damages if they fail to comply with their duty to prepare a list of designated substances at a work site.
In the OHSA “prevention” is sought through effective administration of the Act. This includes mandatory reporting obligations, codes of practice, protection of whistleblowers, health and safety committees, and the right to refuse to work. These, along with inspection and enforcement have a deterrent effect on those who would intentionally or unintentionally fail to comply with the Act. As with other regulatory regimes, there are carrots and sticks built into the OHSA, which include:
This brief article focuses on the enforcement element of the OHSA, and in particular an examination of the search warrant provisions. There are elements within these powerful search warrant provisions that are problematic. This may open investigations to challenge and expose enforcement proceedings to a successful application seeking the exclusion of evidence as having been obtained in violation of the Charteror even a stay of proceedings in some circumstances.
It is clear that a person who is designated under S. 6 of the OHSA as an inspector (“Inspector”) has expansive powers. Many of these are outlined in S. 54, including the authority to “remove… record(s)”, “conduct or take tests” and “make inquiries” and require the production of “records or information” Notably for the purpose of this article, the Inspector may also “enter in or upon any workplace at any time without warrant or notice.
Workplace is broadly defined in the OHSA as “any land, premises, location or thing at, upon, in or near which a worker works.” The power to “enter” in S. 54 is limited to exclude a person’s dwelling. It offers two alternate routes to entry, namely “consent of the occupier” or “the authority of a warrant”. Warrants can be issued under the OHSA or the Provincial Offences Act, 2001, c. 26, s.1 (POA).
This article focuses on the OHSA and is intended to address situations in which an Inspector utilizes an OHSA or POA warrant to enter a workplace or a dwelling for the purpose of search and seizure. This is related but separate from the topic of arrest warrants which are not addressed in this article.
In some circumstances a workplace and a dwelling may be the same location if, for example, employees work out of the business owner’s home. There is, however, a meaningful and important distinction between workplace and dwelling for search and seizure law. For example, the two concepts do not overlap where a search warrant is obtained for a home office which was used for some purpose related to the business but which does not qualify as a “workplace” within the meaning of the Act.
This investigative power is set out in Sections 158 to 160 of the POA. Section 158 sets out the test for issuance of a search warrant as follows:
158 (1) A justice may at any time issue a warrant under his or her hand if the justice is satisfied by information upon oath that there are reasonable grounds to believe that there is in any place,
(a) anything on or in respect of which an offence has been or is suspected to have been committed; or
(b) anything that there are reasonable grounds to believe will afford evidence as to the commission of an offence.
The POA includes a number of restrictions on search warrants such as a requirement that it must specify time window for execution that cannot be longer than 15 days and that it must be executed between 9 a.m. and 6 p.m. unless the issuing justice “otherwise authorizes”. Additionally, it contains provisions to deal with the manner of execution and post-execution issues such as how seized property is to be dealt with and to address situations where solicitor-client privilege is claimed.
The search warrant powers under the OHSA are understood through a reading of a number of areas of the Act. For example, an OHSA search warrant is always assessed against the backdrop the numerous and broad investigatory powers that are already accorded to S. 6 “appointed” Inspectors under S. 54 of the Act “for the purposes of carrying out his or her duties and powers under this Act and the regulations…”
It is in the context of exercising those “duties” and “powers” where an Inspector seeks to enter a dwelling house that a specific warrant requirement is imposed:
S. 54(2) An inspector may only enter a dwelling or that part of a dwelling actually being used as a workplace with the consent of the occupier or under the authority of a warrant issued under this Act or the Provincial Offences Act.
The authority for “a warrant issued under this Act” is found in Section 56 as follows:
56 (1) On application without notice, a justice of the peace or a provincial judge may issue a warrant authorizing an inspector, subject to this section, to use any investigative technique or procedure or to do any thing described in the warrant if the justice of the peace or provincial judge, as the case may be, is satisfied by information under oath that there are reasonable grounds to believe that an offence against this Act or the regulations has been or is being committed and that information and other evidence concerning the offence will be obtained through the use of the technique or procedure or the doing of the thing.
The Inspector may be authorized in the warrant to be assisted by one or more persons who have “special, expert or professional knowledge”.
The OHSA also specifies what it describes as “Terms and Conditions of Warrant” in S. 56 (1.2) as:
(1.2) The warrant shall authorize the inspector to enter and search the place for which the warrant was issued and, without limiting the powers of the justice of the peace or the provincial judge under subsection (1), the warrant may, in respect of the alleged offence, authorize the inspector to,
(a) seize or examine and copy any drawings, specifications, licence, document, record or report;
(b) seize or examine any equipment, machine, device, article, thing, material or biological, chemical or physical agent;
(c) require a person to produce any item described in clause (a) or (b);
(d) conduct or take tests of any equipment, machine, device, article, thing, material or biological, chemical or physical agent, and take and carry away samples from the testing;
(e) take measurements of and record by any means the physical circumstances of the workplace; and
(f) make inquiries of any person either separate and apart from another person or in the presence of any other person.
A warrant issued pursuant to the OHSA “is valid for 30 days or such shorter period as may be specified in it.” Notably and importantly, the Act also provides that “the warrant may contain terms and conditions in addition to those (statutorily) provided for … as the justice of the peace or provincial judge… considers advisable in the circumstances”and that nothing in Section 56 “restricts any power or duty of an Inspector under this Act or the regulations…” This is a critically important feature of the entire OHSA investigatory regime. The Inspector does not need a search warrant to carry out any of the his or her non-warrant investigatory steps or techniques if it is authorized under the Act or regulations. This aspect of the regime will appear straightforward at first but with closer thought it is clear that there fact that the powers and duties referred to have to be “under” the Act or regulations arguably has some significant implications.
The most important of those is that the powers are subject to law, and they are also subject to the Charter. The search warrant provisions are in addition to and complementary to the standard OHSA Inspectorial powers.
At the outset, it is important to compare the differences between the two available warrant regimes, OHSA and POA. I is worth mentioning that there may be other applicable regulatory regimes including the Criminal Code and its offences, and that investigations may in some cases overlap in this additional sense. Where police are involved in a related or even an unrelated investigation arising out of a workplace incident, the complexity of the issues, the nature of the potential penal consequences and the investigative tools available will vary. This article addresses primarily only the OHSA and touches upon the POA because of the specific inclusion of POA warrants in the OHSA.
The major statutory differences are set out in the following table:...
Here is a link to an article I co-wrote with colleagues at McCarthy Tétrault. The risk remains high. Given the strength of current security technology the largest vulnerability continues to be internal staff vulnerability to phishing and variants such as spearphishing.
Train your staff on the importance of only accessing trusted links to external sources, and techniques for identifying suspicious links. Then test them with mock phishing attacks to assess and revisit your training if required!
If you need an update to your cybersecurity policies or training, give us a call to see how we can help.