A funny thing about the PCMLTFA regulations
By Jay Krushell
Chief Legal Officer & Co-Founder
On November 30th the Federal Department of Finance pre-published new regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) in the Canada Gazette, Part I, Volume 158, Number 48 (Canada Gazette, Part 1, Volume 158, Number 48: Regulations Amending the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations and the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations). These regulations contain four distinct elements:
- They create the requirement for traders to report on the importation and exportation of goods to the Canada Border Services Agency;
- They implement measures allowing reporting entities to share information with each other;
- They introduce a requirement for reporting entities to report material discrepancies between their records and filings in the federal beneficial ownership registry in high-risk situations; and,
- They bring factoring companies, cheque-cashing businesses, financing and leasing entities into the FINTRAC regime.
These new measures, which expand the coverage of Canada’s AML regime, are laudable. However, the funny thing is that these measures do nothing to address the material deficiencies in the existing regulations. These deficiencies undermine the efficacy of Canada’s AML regime, and in this article, I will describe what I believe is the largest deficiency and the change that can be made to fix it.
To begin, on December 3rd, 2024, FINTRAC published a notice that contained the following statements:
“All businesses subject to the Act and associated Regulations must verify their clients’ identity using prescribed methods. Verifying the identity of a person or an entity removes the anonymity from financial transactions and is one of the most important ways to protect Canada’s financial system from money laundering and terrorist financing activities.”
These statements underline the fact that identity verification is one of the foundational pillars of Canada’s AML regime. The problem is the identity verification requirements contained in the current regulations have one major flaw that undermines the efficacy of the entire regime. The flaw is the fact that businesses subject to the Act are allowed to verify the identity of the individuals they are interacting with using only one of the following three core methods (there is a fourth core method. However, that method is not currently in use so it is not discussed here):
– Government-Issued Photo ID Method;
– Credit File Method; and,
– Dual-Process Method.
The problem with requiring the use of only one of these core methods is that each of them, when used in isolation, are very easy to circumvent and, because of that, using only one of these methods does almost nothing to actually deter money laundering and terrorist financing. For instance, these days the bad guys have such high-quality fake IDs that no technology currently available can detect them effectively and even specially trained fraud professionals have a very hard time spotting them. The bad guys have also figured out ways to get governments to issue real IDs with the wrong information on them. These IDs are current, valid and authentic so they will pass every check that can be done. This means that if a business only relies on the Government-Issued Photo ID Method there is very little chance they will detect these high-quality fake IDs or the fraudulently obtained real IDs and prevent the bad guy(s) from perpetrating their crimes.
With respect to the Credit File Method, that Method is very good at determining whether an individual with a specific name, address and date of birth exists in Canada, but it does nothing to confirm whether the individual the business is dealing with is that individual. In other words, if a bad guy has obtained an innocent third-party’s name, address and DOB, which is not hard for the bad guy to do, that is all the information the bad guy needs to pass the Credit File Method. As a result, using the Credit File Method on its own to verify the identity of an individual does absolutely nothing to stop money-laundering and terrorist-financing.
Finally, the Dual Process Method is severely limited for three reasons. First, there are a very small number of “Reliable Sources” that Canadian businesses can access. Second, the data held by these Reliable Sources, such as the Canadian credit bureaus, telcos and banks, is very low quality. For example, a large number of cell phone accounts are in family plans or are corporate accounts and, therefore, the information associated with those accounts that can be accessed through the telcos cannot be used to match the name address and DOB of the individual whose identity is being verified. Similarly, people often do not update their names or addresses with their bank if there are changes to that information and that means matching the name and address provided by the individual against the data held by banks leads to very high failure rates. Further, there are often data entry errors made when the Reliable Sources collect the personal information from the clients and these errors also contribute to the high failure rates when a business attempts to match the name, address and DOB collected from the individual against the information held by the Reliable Sources. Finally, it is easy for the bad guys to circumvent the Dual Process Method by using strategies such as conducting their transactions on pre-paid phones or opening a bank account using one of those high-quality fake IDs. Because of the foregoing, the Dual Process Method, when used on its own, is a weak strategy for preventing money laundering and terrorist financing.
The good news is there is a proven solution that fixes this flaw and that solution is to use all three of these methods simultaneously. This practice is commonly referred to as “multi-factor authentication” or “MFA.” The Financial Services Regulatory Authority of Ontario (FSRA) recommends MFA as a best practice (see: the FSRA guidance on detecting and preventing mortgage fraud No.MB0044INT) and all four of the Canadian title insurance companies have implemented identity verification solutions that utilize the MFA approach on real estate transactions, which are high-value targets for money-launderers. The title insurance companies have publicly stated that their use of the MFA strategy has resulted in an 80-90% reduction in identity-theft based fraud claims. As a result, if FINTRAC were to amend its client ID rules to require businesses to use the MFA approach instead of only requiring them to satisfy one of the primary Client ID Methods it is very likely we would see a dramatic reduction in money-laundering and terrorist financing.
It is important to note there are dozens of companies that offer MFA based identity verification solutions to Canadian businesses at costs ranging from $25.00 to about $10.00. This means that Canadian businesses could implement an MFA strategy easily without the need for any capital investment if they were required to do so.
This brings us to the question of why the Department of Finance has been focused solely on expanding the scope and reach of Canada’s AML regime with little to no effort being made to improve the effectiveness of the existing regime. A cynical person might take the position that the focus on expansion is intended to make Canada’s AML regime look better before the FATF audit in December 2025 without actually making it better. That person might also ask the question: wouldn’t it make sense to fix the fundamental flaws in the existing AML regime before expanding it? I’d be curious to hear your thoughts on this.
Jay Krushell is the Co-Founder, Chief Legal Officer and VP of Business Development for Treefort Technologies Incorporated, an Edmonton based cybersecurity and digital identity business. Jay went to law school at the University of Alberta and was called to the Bar in 1999. He articled at Witten LLP in Edmonton, and he stayed with the firm as an Associate and then a Partner until 2021 when he left private practice to join Treefort full-time. Since then, Jay has developed an expertise on digital identity technologies and digital identity law and he presents on these topics frequently. Jay can be contacted on LinkedIn or at jkrushell@treeforttech.com.
This article was originally published on Law360TM Canada (www.law360.ca), part of LexisNexis Canada Inc.