AML-ATF Guidance Document

Table of Contents


Guidance on Establishing an AML-ATF Compliance Program

*If you are viewing this material on a text editor, please hold ctrl when clicking on links to have them open

The 5 Components of a Compliance Program

  1. Compliance Officer Job Description and Appointment Form
  2. Policies and Procedures Compliance Manual Template
     • Table 1 – Methods to ascertain client identity directly
     • Table 2 – Summary of who can identify your client on your behalf – Ascertaining client identity by an agent, mandatary or entity
     • Table 3 – Examples of reliable sources of information under the dual process method
     • Table 4 – Examples of acceptable photo identification documents
     • Table 5 – Examples of international organizations and institutions established by international organizations
  3. Risk Assessment
  4. Self-Assessment
  5. Training


Guidance on Establishing an AML-ATF Compliance Program

The Legal and Regulatory Requirements

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “Act”) requires MGAs to adopt a compliance regime and ensure that their employees and those who act on their behalf comply with the Act.   The Act’s 5 requirements include:

  1. Assessing and documenting your money laundering and terrorist financing risks on an ongoing basis.
  2. Appointing a Compliance Officer.
  3. Developing detailed, auditable compliance policies and procedures for reporting, establishing and updating records and ongoing monitoring of customers’ information and activities.
  4. Ongoing review of the effectiveness of controls through self-assessments and/or audits.
  5. Meaningful, job-related compliance training for employees, agents or others acting on behalf of the MGA and a written forward-looking training plan.

Independent Advisors and AGAs (known collectively as “Advisors”) who hold contracts with MGAs are not representatives of the MGAs with which they hold contracts and do not act on MGAs’ behalf.  They are required to have their own AML compliance regimes. MGA employees who are licensed agents who perform non-selling activities act on MGAs’ behalf and are covered by your compliance regime.  However, if these same employees are also selling agents who maintain their own book of business, they may be required to have their own compliance regime that covers that book of business.  

According to FINTRAC, a risk-based approach (RBA) is a process that encompasses the following:

  • risk assessment of your business activities using certain factors;
  • risk-mitigation to implement controls to handle identified risks;
  • keeping client identification, beneficial ownership and business relationship information up to date; and
  • ongoing monitoring of business relationship information.

Appointment of Compliance Officer(s)

Under the Act, the Compliance Officer is responsible for:

  • Implementing and monitoring the compliance program;
  • Establishing and revising the Firm’s policies and procedures and risk assessment as required;
  • Initial and continuing training of any representatives of the Firm, employees and persons acting for and on the Firm’s behalf;
  • Making any necessary and required declarations and/or reports to authorities;
  • Immediately notifying the principals of the Firm of any known or presumed violation of the Firm’s compliance program.

The Compliance Officer may obtain the assistance of another person to manage the Firm’s compliance responsibilities provided that this person has the necessary experience and skills and their name and responsibilities are documented in the compliance program.  Ultimate accountability rests with the Compliance Officer, however. See Compliance Officer Job Description and Appointment Form, which can be used to fulfill the Compliance Officer requirement.

Policies and Procedures

If your MGA has a Board of Directors, the Board must formally approve your policies and procedures and overall AML regime.  Your Board Secretary should sign the first page of the Policies and Procedures Manual. If you do not have a Board, the most senior manager in the MGA is responsible for accepting and signing the Manual.  See Policies and Procedures Manual Template.

Risk Assessment

Effective June 17, 2017, the approved methods for identifying clients change and many of the older methods are no longer available.  In addition, FINTRAC has added domestic PEPs and heads of international organizations, along with their families and close associates, to the list of identification and record-keeping requirements.  Finally, FINTRAC has issued guidance indicating that MGAs and others must take technology changes and the introduction of new products, processes and distribution channels into account when assessing risk.  This increases the obligations of Advisors and MGAs.

Prior to creating or updating your risk assessment, it is a good idea to review FINTRAC’s 2015 Guidance on the Risk-Based Approach to Combatting Money Laundering and Terrorist Financing, which provides useful examples of risk indicators and checklists to assist in determining your risks and risk levels.  Pay particular attention to Annex B – “example of risk segregation for a business-based risk assessment” and Annex C – “Likelihood and Impact Matrix.” Also review FINTRAC’s July 22, 2016 Risk-Based workbook for Life insurance companies, brokers and agents, which is used extensively in this guidance and in the design of the compliance program.   

FINTRAC suggests that you consider both your “business-based” risks and your “relationship-based” (customer) risks in your assessment.  However, the average MGA’s risks may be exclusively business-based, if it does not have a book of its own customers. The MGA is influenced second-hand by Advisors’ relationship-based risks and should take these into account in assessing the risk each Advisor poses.  (See Risk Assessment Template and Risk Analysis Worksheet).  

Note that if the MGA owns books of business outright and/or services orphan blocks of business, it is likely that it has business relationships with some of these customers.  The MGA should risk-assess each client within these blocks to determine what additional due diligence, identification, record-keeping and monitoring might be required. The MGA in this instance acts as an Advisor and therefore must meet the same standards as the Advisors it typically serves.  Consequently, you can use the second worksheet in the Risk Analysis worksheet to assess not only the risk that Advisors’ customers pose to you but also the risk your own customers pose if, as an MGA, you own books of business.  

Your business risk assessment must be conducted at least once every two years.  It needs to consider all material risks, including product risk, producer risk, customer risk, geographical risk and other risks.  Your compliance policies and procedures should be designed to mitigate the risks you have identified.  Your relationship-based risk assessment is ongoing as you take on new customers and customers engage in transactions.

Risks and Controls

Product risk – the most important risk to consider in our business.  The products most likely to be attractive for money laundering are whole life, universal life and segregated funds.  Sales of these products must be monitored more closely than others.

Advisor risk – Independent Advisors who sell a lot of any of the above products, particularly high premium, corporate-owned or complicated concept products are to be treated as high risk and monitored closely.  In addition, Advisors who demonstrate any concerning behaviours should be monitored.  

Customer risk – this is highest when a customer is purchasing a higher risk product, particularly through a higher risk Advisor, and the customer’s business is one that generates cash.  Examples include, but are not limited to, restaurants, variety stores, boat dealers and jewelers.  

The CRA has also recently targeted some high net worth professionals such as doctors, lawyers and accountants who engage in the practice of offshoring assets in order to avoid tax.  Some of this offshoring is fraudulent and in order to gain access to their funds, these individuals may have to engage in some form of money laundering. As a result, if other red flags are present, high net worth individuals should be treated as higher risk for money laundering.  They may not be using insurance products to launder money, but if they attract the interest of regulators and/or law authorities, all of their activities, including insurance, can fall under the microscope.

Note that any individual identified as a foreign Politically Exposed Person (PEFP) is considered to be inherently high-risk by FINTRAC and must be monitored more closely.  You must determine whether any domestic Politically Exposed Person (PEDP) or Head of International Organization (HIO) is high risk and monitor accordingly.  

Any customer identified as high risk must be subjected to enhanced due diligence and control measures.   

MGAs, acting in their capacity as MGAs, do not have “customers” but instead handle the business that belongs to both insurers and Advisors.  However, they must perform at least a rudimentary risk assessment of Advisors’ clients in order to identify those that require additional monitoring and controls.  This process can take place at the time that an application or change form is presented to the MGA and is being reviewed for good order.  

While the risk assessment process does not need to include additional documentation (such as a checklist), staff training to do a complete review is an absolute pre-requisite.  Many MGAs nevertheless use checklists or system prompts to ensure that the AML-ATF risk review is done and can be demonstrated in an audit. MGA management needs to be aware of every higher-risk client that could be identified by taking “reasonable measures” with the information that is available to the MGA. 

Geographic risk is minimal for you because you do business within Canada, in Canadian funds and do not generally operate in areas that represent more risks than others.  However, if you or any Advisors operate in known high-crime areas in Canada and/or have target markets that are groups new to Canada or who have strong ties to foreign countries with weak AML-ATF controls, you need to take this into account in your risk assessment.

Delivery Channel risk – if your organization allows non-face-to-face sales, deal-direct arrangements and other non-traditional practices, you are at higher risk as a result of the looser controls around sales.  You must take this into account in your risk analysis and measures.  

Internal and other risks – high turnover, lack of training or supervision in your new business and customer service departments create the risk of inexperienced staff handling complicated cases and being unable to spot risky cases.

Transactions and services risks – you must assess the risks posed by the extensive use of powers of attorney, free look returns, transfer of ownership of policies, the use of mandataries and any other transactions that might facilitate money laundering.

Technology and other risks – you must determine whether new products, new business practices, including new delivery channels and the use of new technologies for new and existing products increase your risks.  Generally, insurers control such new introductions and typically assume the associated risks as part of their introductions. Regardless, you must always assess new introductions to determine if your controls are adequate. 

Insurance company risk reflects the fact that insurers are not consistent in including all of the requirements for verifying identification and capturing records on their applications and change forms.  This puts Advisors and MGAs at risk since, as regulated entities, they may not have met their regulatory requirements when they have complied fully with insurers’ submission requirements. You should review the forms you use and identify which insurers pose higher risk.  In order to avoid problems, you will have to impose extra controls for processing these insurers’ business. At the moment, we are unable to quantify this risk. However, based on MGAs’ experience with FINTRAC in the course of AML reviews, we know that failure to “fill in the gaps” for insurers can lead to findings against the MGA.

See FINTRAC Risk Assessment Matrix, which helps in deciding levels of risk and CAILBA Risk Analysis Worksheet and Risk Assessment Template, which can be used to complete the risk assessment requirement.

Making Reports to Regulators

Immunity:  No criminal or civil proceedings may be brought against you if you have made a report in good faith.  Given the severe penalties for failing to make reports, the burden is on you to ensure that you discharge your obligations.  

Form of Reports – Refer to FINTRAC Guideline 8.  If you have the necessary technical capabilities to file electronically, you must do so wherever it is FINTRAC’s preferred method.  

Suspicious Transaction or Attempted Transaction Report (“STATR”):

You are required to submit a STATR if you have reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering or terrorist activity financing offenses.  There is no minimum dollar threshold. The report must be filed within 30 days of the date on which reasonable grounds for suspicion were identified.

You are also required, before reporting the transaction, to take reasonable measures to ascertain the identity of the person making or attempting the transaction unless you have credible identification already or believe that by attempting to identify this person, you would be tipping them off that you are making a report.  Since you do not interact directly with Advisors’ retail customers, any efforts you make to ascertain identity would likely have to be through the Advisor, so the potential for tipping is very strong. You are prohibited from disclosing to the customer that you have filed a report and it is probably unwise to inform the Advisor if there is any chance he or she will tip off the customer.  You are required to keep a copy of any STATRs you file.  

Employees are required to file STATRs unless they report concerns to the Compliance Officer as soon as they are identified.  In doing so, the employee has discharged his or her duty. Note, however, that it may be at this point that “reasonable grounds for suspicion” have been reached, so you then have limited time to make a STATR.

STATRs must be filed electronically via FINTRAC’s secure website at  It is highly advisable to apply to FINTRAC for a filing number as a precaution, rather than waiting for a suspicious transaction to arise.  Go to to review instructions for obtaining access to “F2R”.  

Large Cash Transaction Report (“LCTR”):  NOT APPLICABLE

Our industry has a No Cash Policy.  Therefore, you do not require a LCTR Procedure.  However, if a customer attempts to pay for a policy with cash and the attempt meets the criteria described in the STATR Rules section above, a STATR most certainly should be filed.

Terrorist Group or Listed Property Report:

MGAs, and each member of their staff, are “reporting entities” with a legal obligation to send a terrorist property report to FINTRAC if you have property in your possession or control, including premium payments and insurance policies, that you (or an associated person) know is owned or controlled by or on behalf of a terrorist group or listed person.   According to FINTRAC, “this includes information about any transaction or attempted transaction relating to that property.”  Note, however, that MGAs and Advisors, acting on behalf of the insurer, do not actually hold the property. It is held by the insurer, and you must inform the insurer immediately of any such property and follow their instructions.  

Under the Criminal Code of Canada each Canadian, regardless of where residing, is required to disclose to CSIS and the RCMP the existence of property in that person’s possession or control that meets the criteria above.  

If any of your management or staff encounters any such circumstance, they may not complete or be involved in the transaction or attempted transaction.  They must remove themselves from any involvement. Under the Criminal Code, the property must be frozen.

Terrorist Group or Listed Person Property Reports can only be paper filed as of the date of this manual.  See FINTRAC Guideline 5, section 3.2 for CSIS and RCMP contact information and Guideline 8.3 for information.

Client Identification and Written Records You Are Required to Maintain

FINTRAC Guideline 6A, Section 3.1 has general exceptions to record keeping, which include tax exempt policies, registered products and products that exist for protection only and not for investment purposes.  In all other cases, you must either retain copies of applications and forms that require the information or transfer most of the important elements from these documents onto your systems.  The products affected are whole life, universal life, annuities, segregated funds and CI with return of premium.

Important Note on the Role of the MGA

The MGA works on a best-efforts basis to ensure that the Advisor has collected the records needed for compliance.  This entails reviewing all applications and in-force change forms very carefully, identifying gaps, and reaching out (generally via email) to the Advisor to ask whether the record was created and whether the Advisor will provide a copy to the MGA for its records.  Processing should not be delayed unless the insurer will delay until the information is received. The above process is a “reasonable effort” to create a record, and the MGA must maintain copies of the emails and other evidence of that effort. Often, the effort to obtain the record from the Advisor is the only record the MGA will have.  

Client Information Records:  

For all non-exempt, non-registered life and annuity policies where premiums paid over the life of the policy would reach $10,000 or more, the Advisor needs to verify client identity referring to valid original documents within 30 days by creating a record that contains the client’s (owner’s) name, address, date of birth and principal business or occupation.  For individual sales, the Advisor must record the type of document used to confirm identity, the reference number and its place of issue.  

See Tables 1-4, which lay out the new rules, effective June 17, 2017, for individual customer identification.  Note that insurers may place limitations on the methods that Advisors might use for customer identification, based on systems and other constraints.  It will take some time for insurers to change their forms and notify distribution partners of their practices.  

All client records – According to FINTRAC, you must be “as descriptive as possible regarding the business or occupation. Record information that clearly describes it, rather than use a general term. For example, in the case of a consultant, the occupation recorded should reflect the area of consulting, such as “information technology consultant” or “consulting forester.” As another example, in the case of a professional, the occupation should reflect the nature of the work, such as “petroleum engineer” or “family physician.”

Ascertaining the Identity of a Child:  Information provided by a parent in order to record the identification of children 12 years of age and younger can be relied on.  Children 12-15 years of age can be identified using one of the methods described in the tables; otherwise you can rely on a source of information that contains the name and address of the parent or guardian and a second source that contains the child’s name and date of birth.

Sales of group policies: “Client” for group sales means the applicant, generally the corporation.  For corporate owners, retain copies of any official corporate records that show power to bind the corporation regarding the purchase.  See below.

Corporate ownership:  Advisors must confirm the existence of the corporation as well as its name and address by referring to any record that confirms its existence.  They must also determine the names of the corporation’s directors. If a paper record is consulted, a copy must be retained. If an electronic record was consulted, they need to keep a record of the corporation’s registration number, and the type and source of the record.  If an Advisor does not produce the information to the MGA, the MGA can consult Corporations Canada database at http:/  

Entities other than corporations:  The Advisor must refer to a partnership agreement, articles of association or similar record.  The same rules as for corporate ownership apply.

Business Relationship Records:

According to FINTRAC, when an Advisor has to ascertain the identity of a client or confirm the existence of a corporation or other entity twice in five years, they have a business relationship with the client and must keep a record of the purpose and nature of the business relationship.  Most insurance companies’ applications ask the Advisor to identify the reason that the customer is purchasing insurance.  This should suffice as the record. The Advisor must also take reasonable measures to confirm beneficial ownership information of any entity and keep related records.

MGAs, acting in their capacity as MGAs, do not establish business relationships with clients.  However, as part of their record-keeping, they should make reasonable efforts to record the business relationship information provided by the Advisor.  Where the MGA owns a book of business, the Advisor obligations discussed here apply directly to them and they do have business relationships with certain clients.  

Very few policyowners who purchase “higher risk” products will actually be higher risk clients.  Except for PEFPs, clients must demonstrate other characteristics or behaviours in order to be considered higher risk.  For this reason, you should put your lower risk clients into groups for purposes of your risk assessment worksheet, and only identify specific clients who are deemed to be high risk.  You must be able to provide a rationale for the categories in which you place each client. See Risk Analysis Worksheet Template.  

Beneficial Owners Records:

According to FINTRAC, “a client acting on behalf of an entity who is not aware of that entity’s beneficial owners …may lead you to consider that client as a higher risk.”

Advisors are required to confirm the existence of corporations and other entities within 30 days of creating a record and obtain beneficial ownership information about certain entities.  The Advisor is required to obtain:

For Corporations:

  1. The names of all directors of a corporation;
  2. The names and addresses of all individuals who directly or indirectly own or control 25% or more of the shares of the corporation; and
  3. Information on the ownership, control and structure of the corporation.

For Trusts:

  1. The names and addresses of all trustees and all known beneficiaries and settlors of the trust; and
  2. Information on the ownership, control and structure of the trust.

For entities other than corporations or trusts:

  1. The names and addresses of all individuals who directly or indirectly own or control 25% or more of the entity; and
  2. Information on the ownership, control and structure of the entity.

FINTRAC states that “beneficial ownership refers to the identity of the individuals who ultimately control the corporation or entity and cannot be another corporation or entity.  You must search through as many levels of information as necessary in order to determine beneficial ownership. However, there may be cases where there is no individual who owns or controls 25% or more of an entity.  You must still keep a record of the measures you took and the information you obtained in order to reach that conclusion.”  

If information cannot be obtained or confirmed, the Advisor must:

  1. Obtain the name and ascertain the identity of the most senior managing officer of the corporation, trust or other entity;
  2. Treat the entity as high risk and impose more frequent monitoring.
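The look-through rule above (search as many levels as necessary, apply the 25% test to individuals only, keep a record of the measures taken, and fall back to the most senior managing officer and high-risk treatment when the information cannot be obtained or confirmed) as an added example in Python. This is not code from CAILBA, FINTRAC or this guidance: the ownership structures and every entity and individual name are constructed, the graph layout is an assumption, and the arithmetic (an indirect holding is the product of the fractions along the chain, summed over all chains) is a simplification that treats circular cross-holdings as untraced rather than solving them.

```python
"""Look-through of layered ownership to find beneficial owners at the 25% test.

Added example for the guidance above; not CAILBA's or FINTRAC's code.
Ownership data, entity names and individual names are constructed.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

Share = Tuple[str, float]                  # (owner name, fraction of the entity it holds)
Graph = Dict[str, Optional[List[Share]]]   # entity -> its owners; None = could not be obtained

THRESHOLD = 0.25  # the "25% or more" test in the guidance

# Constructed sample structures (hypothetical names, not from the page).
OWNERSHIP: Graph = {
    "Maple Holdings Inc.":  [("Northern Trust Co.", 0.60), ("A. Tremblay", 0.25), ("B. Singh", 0.15)],
    "Northern Trust Co.":   [("C. Okafor", 0.50), ("D. Lee", 0.50)],
    "Widely Held Ltd.":     [(f"Member {i}", 0.20) for i in range(1, 6)],
    "Layered Corp.":        [("Opaque Offshore Ltd.", 0.40), ("E. Ruiz", 0.60)],
    "Opaque Offshore Ltd.": None,  # ownership information could not be obtained or confirmed
}


def look_through(graph: Graph, entity: str) -> Tuple[Dict[str, float], float, int]:
    """Walk every ownership path down to natural persons.

    Returns (individual -> effective fraction, fraction that could not be
    traced to an individual, deepest level searched). A name that is not a
    key in the graph is treated as an individual.
    """
    individuals: Dict[str, float] = {}
    unconfirmed = 0.0
    deepest = 0

    def walk(node: str, weight: float, path: FrozenSet[str], level: int) -> None:
        nonlocal unconfirmed, deepest
        deepest = max(deepest, level)
        for owner, share in graph[node] or []:
            effective = weight * share  # indirect holding = product along the chain
            if owner not in graph:                 # natural person: stop here
                individuals[owner] = individuals.get(owner, 0.0) + effective
            elif graph[owner] is None:             # entity whose owners are unknown
                unconfirmed += effective
            elif owner in path:                    # circular cross-holding: do not loop;
                unconfirmed += effective           # simplification: treat as untraced
            else:
                walk(owner, effective, path | {owner}, level + 1)

    walk(entity, 1.0, frozenset({entity}), 1)
    return individuals, unconfirmed, deepest


def beneficial_ownership_record(graph: Graph, entity: str, senior_officer: str,
                                threshold: float = THRESHOLD) -> dict:
    """Build the record the guidance asks for.

    Either the individuals at or above the threshold, or, when ownership could
    not be obtained or confirmed, the fallback: the most senior managing
    officer and high-risk treatment. Finding nobody at 25% is a valid outcome
    that only requires keeping the record of the search.
    """
    individuals, unconfirmed, levels = look_through(graph, entity)
    at_threshold = {n: round(f, 4) for n, f in individuals.items() if f + 1e-9 >= threshold}
    incomplete = unconfirmed > 1e-9
    return {
        "entity": entity,
        "levels_searched": levels,
        "individuals_found": {n: round(f, 4) for n, f in individuals.items()},
        "owners_at_or_above_threshold": at_threshold,
        "unconfirmed_fraction": round(unconfirmed, 4),
        "no_individual_at_threshold": not at_threshold,
        "information_incomplete": incomplete,
        "most_senior_managing_officer": senior_officer if incomplete else None,
        "treat_as_high_risk": incomplete,
    }


if __name__ == "__main__":
    for name in ("Maple Holdings Inc.", "Widely Held Ltd.", "Layered Corp."):
        print(beneficial_ownership_record(OWNERSHIP, name, senior_officer="F. Nguyen"))
```

Run as a script it prints one record per sample entity: two individuals reached only through Northern Trust Co. each hold 30% of Maple Holdings Inc. and are reportable alongside the 25% direct holder, Widely Held Ltd. has no individual at 25% and is recorded as such without the fallback, and Layered Corp. triggers the fallback because 40% of it cannot be traced.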

MGAs who ask Advisors whether they have obtained beneficial ownership information and whether they will provide that to the MGA, while keeping a record of the effort to obtain the information, will have made a “reasonable effort.”  

See FINTRAC Guideline 6A for more information about the requirements.

Not-for-Profit Organization Record:

Where a customer is a not-for-profit organization, Advisors are required to keep a record that indicates whether the customer is a charity registered with the CRA or a non-registered entity that solicits charitable financial donations.  According to FINTRAC, any transaction in which “the client is acting on behalf of a third party but does not know anything about the third party may lead you to consider that client as a higher risk.” The CRA site can be consulted.  Note: it is advisable to treat non-registered charities as higher risk since they are not regulated.  

Third Party Determination Record: 

Every reasonable effort must be made by an Advisor to determine whether the owner of the policy is acting on behalf of a third party.  If so, a record must be created that contains the name, address, DOB and principal business or occupation of the third party (if an individual). If the third party is a corporation, all of the above information (except DOB) is required, along with the incorporation number and place of incorporation.  The nature of the relationship between the owner and the third party must be identified.  If there are suspicions regarding the involvement of a third party, the Advisor must create a record indicating why there are suspicions.  

Politically Exposed Person (“PEP”) and Head of International Organization (HIO) Record:

Note that domestic PEPs and HIOs are new classifications.  We expect that insurers will amend their applications and other forms prior to the June 17, 2017 in-force date of the new regulation.   

Advisors are required to take reasonable measures to determine whether anyone who makes a lump-sum payment of $100,000 or more for an immediate or deferred annuity or life insurance policy is a domestic or foreign PEP, HIO or family member or close associate of either.  

A ‘foreign politically exposed person’ (PEFP) is a person who, regardless of citizenship, residence status or place of birth, holds or has held one of the following offices or positions in or on behalf of a foreign state: (a) head of state or head of government; (b) member of the executive council of government or member of a legislature; (c) deputy minister or equivalent rank; (d) ambassador or attaché or counsellor of an ambassador; (e) military officer with a rank of general or above; (f) president of a state-owned company or a state-owned bank; (g) head of a government agency; (h) judge; (i) leader or president of a political party represented in a legislature; or (j) holder of any prescribed office or position.  It includes any prescribed family member of such a person. Once a person is determined to be a PEFP, he or she is forever a PEFP, according to FINTRAC.  According to FINTRAC, any client known to be a PEFP or a family member or close associate of a PEFP should automatically be considered a higher risk and monitored closely.

Where it has been determined that a person is a PEFP, the insurer and Advisor must take reasonable measures to establish the source of the funds used for the transaction.  Additionally, the transaction now must be reviewed by a member of the insurer’s senior management within 30 days of the transaction.

PEFP Record:  Advisors are required to keep a record of (a) the office or position that causes the person initiating the transaction to be considered a PEFP; (b) the source of funds, if known; (c) the date it was determined the person was a PEFP; (d) the name of the member of senior management who reviewed the transaction; and (e) the date the transaction was reviewed.  

MGA staff should immediately escalate PEFPs who are identified to the Compliance Officer, who should review the case, contact the insurer, and create a solid record.

A ‘domestic politically exposed person’ (PEDP) is one who holds, or has held within the last 5 years, a specific office or position in or on behalf of the Canadian federal government, a Canadian provincial government, or a Canadian municipal government: (a) Governor General, lieutenant governor or head of government; (b) member of the Senate or House of Commons or member of a legislature; (c) deputy minister or equivalent rank; (d) ambassador, or attaché or counsellor of an ambassador; (e) military officer with a rank of general or above; (f) president of a corporation that is wholly owned directly by Her Majesty in right of Canada or a province; (g) head of a government agency; (h) judge of an appellate court in a province, the Federal Court of Appeal or the Supreme Court of Canada; (i) leader or president of a political party represented in a legislature; or (j) mayor, regardless of the size of the population of the municipality.  A person ceases to be a PEDP 5 years after they have left office.

A head of an international organization (HIO) is a person who is the primary leader of either:

  1. an international organization established by the government of more than one country; or
  2. an institution established by an international organization, regardless of whether it operates internationally, domestically or in only one jurisdiction.

Once a person ceases to head the organization, they are no longer a HIO.

FINTRAC indicates that the key to determining whether you are dealing with a HIO is to determine how the organization was established. If it was established by means of a formally signed agreement between the governments of more than one country, then the head of that organization is a HIO. The existence of these organizations is recognized by law in their member countries but the organizations are not seen to be resident organizations of any one member country.

Certain organizations clearly meet this definition, but others may take more research before coming to a determination. Examples of international organizations, and institutions established by international organizations, can be found in Table 5 in the Appendices.

Family members and close associates of PEPs or HIOs

FINTRAC states that many criminals’ family members or other personal relationships conduct transactions on their behalf.  As a result, you may not see transactions between family or close associates and PEPs or HIOs. FINTRAC provides guidance on other types of associations to consider when making a close associate or family member determination.

The family members of a PEP or a HIO are: (a) their spouse or common-law partner; (b) their child; (c) their mother or father; (d) the mother or father of their spouse or common-law partner; and (e) a child of their mother or father (sibling).

A family member of a PEFP must always be treated as high risk.  You must risk-assess family of PEDPs and HIOs to determine whether they are a high risk for a money laundering or terrorist activity financing offence.  (See below). If so, they are to be treated as high-risk clients.  

Close associates of PEPs or HIOs

A close associate is anyone who is closely connected to a PEP or HIO for personal or business reasons but not every person who has been associated with a PEP or HIO is a close associate.

A close associate of a PEFP must be treated as a high-risk client. You must risk-assess close associates of PEDPs and HIOs to determine whether they are a high risk for a money laundering or terrorist activity financing offence.  (See below). If so, they are to be treated as high-risk clients. The following are FINTRAC’s examples of a close associate for personal or business reasons, which include any person who is:

  • joint on a policy where one of the holders may be a PEP or HIO;
  • an owner who makes a deposit of $100,000 or more and the payee is a PEP or HIO;
  • business partners with, or who beneficially owns or controls a business with, a PEP or HIO;
  • in a romantic relationship with a PEP or HIO, such as a boyfriend, girlfriend or mistress;
  • involved in financial transactions with a PEP or a HIO;
  • a prominent member of the same political party or union as a PEP or HIO;
  • serving as a member of the same board as a PEP or HIO; or
  • closely carrying out charitable works with a PEP or HIO.

“Reasonable measures” to identify a close association may include media monitoring; the ongoing monitoring of your business relationships; questions you ask of your clients; access to a database that outlines associations; or a third party credible source.

Once the determination is made

  1. If you determine that the person is a PEFP or a family member or close associate of a PEFP, within 30 days of the transaction you must also take reasonable measures to determine the source of the funds for the transaction and have a member of senior management review the transaction.
  2. If you determine that the person is a PEDP, a HIO, or their family member or close associate, within 30 days of the transaction you must perform a risk assessment of the person. If you determine that the person is a high risk, you must take reasonable measures to determine the source of the funds for the transaction and have a member of senior management review the transaction.  If you determine that a domestic PEP, a HIO, their family member or close associate is not a high risk, you must document this assessment, either on a case-by-case basis or by placing your clients into categories of risk and treating them accordingly. FINTRAC may ask you to demonstrate why you have placed a client in a certain risk category.

Indicators of high-risk PEPs and HIOs include:

  • the length of time since the person held the position;
  • the risk level of the organization in which the person holds or held the position, particularly if identified as high risk for corruption by Transparency International;
  • the person attempts to shield their identity to prevent detection;
  • the person uses intermediaries;
  • the person is uncomfortable or evasive about source of wealth or funds;
  • the type of transaction to be conducted;
  • a change in client activity on becoming a PEP or HIO, close associate or family member;
  • the client provides inaccurate or incomplete information;
  • the client does not reveal additional positions they hold or held elsewhere.

Establishing the source of funds

According to FINTRAC, reasonable measures to establish the source of funds used for the transaction include asking the person or referring to information available about the transaction. If the transaction activity is not in line with the information you have about the source of funds, you might follow up with the person to determine if there are reasons for that. If the information remains inconsistent with what you may know about the person or you are not satisfied with the person’s response, and have reasonable grounds to suspect that the transaction is related to the commission or the attempted commission of a money laundering offence or of a terrorist activity offence, you must file a suspicious transaction report (STATR).

Senior management review of transactions

According to FINTRAC, a member of senior management who can review the transaction means an individual who has:

  • authority to make and be held accountable for management decisions about transactions;
  • awareness of the money laundering or terrorist financing risks to which life insurance companies, brokers or agents are exposed; and
  • awareness and understanding of the concepts of PEP, HIO, family member, and close associate.

Maintaining records about PEPs, HIOs, family members, or close associates

You must keep a record after you determine that a person is a PEFP, a high-risk PEDP, a high-risk HIO, or the high-risk family member or high-risk close associate of any of these.  Your record must include:

  • the office or position of the PEP or HIO;
  • the name of the organization or institution of the PEP or HIO;
  • the source of the funds, if known, that were used for the transaction;
  • the date you determined the individual to be a PEP, HIO, their family member or close associate;
  • the name of the member of senior management who reviewed the transaction; and
  • the date the transaction was reviewed.

You may also want to include in the record the nature of the relationship between your client and the PEP or HIO.

Many insurers conduct daily PEFP searches on all clients.  Some do not include a PEFP question on their forms. This may leave you at risk, so ensure that you ask the client whether he or she is a PEFP, record the response and take appropriate action.  

Reasonable Measures Record

You must keep a record of any unsuccessful reasonable measure you take, such as when you do not obtain a yes or no response that would allow you to make a conclusive determination or create a complete record. The record must include the measure taken; the date the measure was taken; and the reason why the measure was unsuccessful.  

You must outline your “reasonable measures” in your policies and procedures, which can be used as part of your record, or you could document the case-by-case measures taken in each record of unsuccessful reasonable measures.

You are required to keep reasonable measures records of your unsuccessful efforts to:

    1. keep client identification records updated for high-risk clients;
    2. conduct ongoing monitoring of high-risk clients;
    3. ascertain the identity of a person conducting or attempting to conduct a suspicious transaction;
    4. determine whether an individual is acting on behalf of a third party;
    5. determine whether the client is a PEP or HIO, within 30 days from the day of the transaction;
    6. determine the source of funds for sales to PEFPs and PEDPs or HIOs as applicable.

According to FINTRAC, “reasonable measures” for PEPs and HIOs include documenting that you have an automated approach to run the names of persons who make a lump-sum payment of $100,000 or more against a commercial database that lists PEPs, HIOs, their family members and their associations. Your policies and procedures may indicate that you ask questions of any person who makes such a lump-sum payment.  These policies and procedures can form part of the record of unsuccessful reasonable measures. 

FINTRAC’s examples of documenting unsuccessful reasonable measures:

  1. If you called a purchaser to inquire as to whether they were a PEP or HIO and the person did not call you back, then your record would indicate the measure you took, the date you did this and the fact that the client did not respond.
  2. If you ask a high-risk domestic PEP to tell you the source of the funds for the transaction and the person does not want to specify the source, your record would indicate that you asked for the information, the date you did this and that the person refused to provide the information.

FINTRAC indicates there are two scenarios where you may want to consider an approach that allows you to clearly demonstrate that you are considering persons appropriately and in line with your compliance program’s risk-based approach.

  1. The record-keeping obligations apply to unsuccessful reasonable measures. There is no requirement to keep a record if you determine that a person is a domestic PEP, HIO, their family member or close associate, and assess that person as low risk. However, during a FINTRAC examination, you may be asked to demonstrate that you conducted the risk assessment for a domestic PEP and HIO in accordance with your risk-based approach.
  2. If you receive a negative response to a reasonable measure taken to determine if a person is a PEP or HIO, or their family member or close associate, recording this response would show that a determination was carried out. During a FINTRAC examination, FINTRAC may ask you to demonstrate how you applied your policies and procedures for PEP or HIO obligations.

Examples of records you may consider keeping:

  • If a purchaser answered that they were a domestic PEP or HIO, or a family member or close associate of one, but you assessed the person as a low risk, then your record could indicate that you asked the person and that you assessed the person as a low risk.
  • If you conducted an open source internet search and did not find any information to suggest that a person is a PEP or HIO, or a family member or close associate of one, then you could record the measure taken, and that the results did not suggest a PEP or HIO status for the person.

Records Retention:

You must retain records for 5 years from the day they were created or from the date of the last transaction.  They must be in machine-readable form or in electronic form with a proper electronic signature. They must be provided to FINTRAC within 30 days after a request.

MGAs maintain records in order to fulfill their obligations to insurers and Advisors. You maintain whatever records are submitted by Advisors and required by insurers in connection with the sale and service of policies. If FINTRAC were to make a request, you should respond by assisting the Advisor and/or insurer in compiling records and by making available the records you maintain in your own systems and files. Retain records for the period required.

Acceptable client signatures

As of June 2016, in order to increase flexibility in non-face-to-face situations, FINTRAC allows a handwritten or an electronic signature which is numeric, character-based, or even biometric, so long as it is unique to the client and a record of it can be kept. PINs and passwords are considered to be signatures, while clicking on “accept” buttons is not. Note that currently several insurers may not accept some or all of the options.

Enhanced measures for high-risk clients

Ongoing Monitoring and Updating Information

Advisors and MGAs with books of business are required to identify the purpose and intended nature of each business relationship (for example estate planning, financial planning, income replacement) and monitor each business relationship on an ongoing basis to:

  • detect suspicious transactions that have to be reported;
  • keep client identification, beneficial ownership information, and the purpose and intended nature of the business relationship up to date;
  • reassess the level of risk associated with the client’s transactions and activities;
  • determine whether the transactions or activities are consistent with the information previously obtained about the client, including the risk assessment of the client.

They must also take reasonable measures to determine whether they are dealing with a politically exposed person (PEP) or Head of International Organization (HIO) for every prescribed electronic fund transfer, since the client’s status may have changed.

For high-risk clients:

  • update beneficial ownership information more frequently and perform more frequent monitoring; and   
  • keep a record of the measures they take to monitor their business relationship and the information they obtain as a result. 

Although MGAs acting solely in the capacity of MGAs do not have business relationships and may not have sufficient information to identify the level of risk, as part of their own due diligence they are well-advised to review and flag cases/customers that appear to represent higher risk and to establish monitoring processes, including:

  1. Paying attention to the sale of whole life, universal life and segregated funds and the Advisors who sell complicated, large premium cases. In particular, new Advisors should be monitored closely.
  2. Establishing dollar amount thresholds for staff to escalate cases to a supervisor, based on the type of business they do.
  3. Training staff to identify red flags that require escalation.
  4. Sending out yearly notices to Advisors that remind them of their obligations to update client information and monitor business relationships and asking for updated information.
  5. Posting information on the MGA website.
  6. Including information on this topic in any Advisor training delivered.

If the MGA has a book of business or if you have advisors whose books of business contain customers whom you have identified as high risk, FINTRAC suggests that you choose among the following measures to monitor:

  • Review transactions:
    • on a schedule to identify those that management must approve;
    • more frequently against suspicious transaction indicators relevant to the relationship;
  • Prepare reports or perform more frequent reviews of reports that identify high-risk transactions;
  • Flag unusual activities and elevate your concerns as necessary;
  • Set business limits or parameters regarding transactions that would trigger early warning signals and require mandatory review;
  • Obtain:
    • additional information on the client (e.g., occupation, assets, information available through public databases, Internet, etc.);
    • information on the source of funds or source of wealth of the client;
    • information on the reasons for intended or conducted transactions;
    • the approval of senior management to enter into or maintain the business relationship;
    • the approval of senior management at the transaction level for products and services that are new for that client;
  • Identify patterns of transactions that need further examination;
  • Increase:
    • monitoring of transactions of higher-risk products, services and channels;
    • awareness of high-risk activities and transactions;
    • internal controls of high-risk business relationships;
  • Establish:
    • more stringent thresholds for ascertaining identification;
    • transaction limits;
  • Gather additional documents, data or information, or take additional steps to verify the documents obtained.

Keep copies of any written assessments in your files.  You are not required to have a documented assessment for your high-risk clients or those of the advisor, but you must be able to justify the category that you placed any client in. 

Client Risk Assessment and Keeping Updated Records:

Advisors and MGAs with books of business are required to assess the risk that each customer poses and to ensure that client information is updated regularly, based on risk. In addition, high-risk clients must be monitored more frequently. The MGA would be well-advised to post reminders about updating information and monitoring on its website and to ask Advisors to ensure that they are apprised when information changes. See below.

FINTRAC’s Privacy Safeguards:

FINTRAC provides assurance that it has safeguards in place that meet all legal and regulatory standards.

Self-Assessments and Audits of Compliance Policies and Procedures

You are required to review your policies and procedures at least every two years to test their effectiveness, taking into account changes in legislation or regulation, any non-compliance you find and any new services or products that have been introduced.  It is highly recommended that the review be conducted by a person who is independent of reporting, record keeping, and compliance monitoring.

A written report must be delivered to a senior officer within thirty days following the completion of the assessment.  The report must contain the findings and identify any updates to policies and procedures within the reporting period along with the status of implementation of these updates.  The scope and any deficiencies or gaps should be reported, with a request for a management response, action plan and timeline for implementation. Failure to report to senior management within thirty days of a review could lead to an Administrative Monetary Penalty of up to $100,000.

Your self-assessment should fit your business needs and reflect the nature, size and complexity of your organization.  Weaknesses, proposed corrective actions, a timeline for implementing such actions and any follow-up actions should be noted.  Any deficiencies identified must be reported to the principal(s). The results of this review must be documented and kept on file.  

From time to time, your program may be reviewed by external parties, with the results documented and reported within 30 days of the review to a senior manager for follow-up and corrective measures.  The last such review should be identified on the face page of this document.  

Note that FINTRAC has recently indicated that it holds regulated entities to strict calendar timing.  This means that your self-assessments should be conducted no later than 24 months after the last assessment.  

See CAILBA Self-Assessment Checklist and Testing Protocol part 1 and part 2 and Template for Self-Assessment Report.

Anti-Money Laundering and Anti-Terrorist Financing Training Program

According to FINTRAC, “if you have employees, agents or other individuals authorized to act on your behalf, your compliance regime has to include training.”  You are not required to provide training to Independent Advisors who submit business through you, although you may choose to provide training. Advisors are directly subject to the Act’s training requirements.

The training program must be in writing and be maintained, laying out the frequency and methods of training (formal, on-the-job, external).  New staff should be trained immediately after hiring. At a minimum, training should cover background about money laundering that is relevant to your business, the regulatory requirements and penalties and your policies and procedures.  FINTRAC expects that those who are trained should be able to understand how money laundering risks relate to their jobs.  

Employees must be made aware that they cannot disclose that they have made a STATR, or disclose the contents of such a report, with the intent to prejudice a criminal investigation, and that there is immunity for making a report in good faith.

According to FINTRAC, staff “also need to know when an enhanced level of caution is required in dealing with transactions, such as those involving countries or territories that have not yet established adequate anti-money laundering or anti-terrorist financing regimes consistent with international standards. See additional information about this in subsection 6.1.2 and the Guidance on the Risk-Based Approach to Combatting Money laundering and Terrorist Financing.”

Where to find information about higher-risk countries and geographical areas:

To find out which countries are members of the FATF, refer to its website (

At a minimum, you should annually review your compliance program and policies and procedures with staff, along with a presentation that covers any changes to law or internal processes, the relevant sections of FINTRAC guidance and any emerging typologies.   Material generated by CLHIA, FINTRAC, Advocis, on behalf of CAILBA and CLIFE (a CE provider) is available for use by Advisors and staff at little or no cost.  Programs designed and delivered by insurers and presentations you generate are also acceptable. Records of attendance at training should be maintained in your files. It is highly advisable for you to post training information on your website for the benefit of Advisors.  

See updated CAILBA training deck, template for written training plan.  

Penalties for Non-Compliance

“Failure to comply with the compliance regime, reporting, record keeping or client identification requirements can lead to criminal charges against a reporting entity. Conviction of failure to retain records could lead to up to five years’ imprisonment, to a fine of $500,000, or both. Alternatively, failure to keep records or identify clients can lead to an Administrative Monetary Penalty. For more information on penalties, consult the Penalties for non-compliance section of FINTRAC’s website (”  (FINTRAC).

FINTRAC Examinations

FINTRAC may notify you of an impending examination by phone or by mail.  They also have the right to simply appear at your offices unannounced.

Many advisors and MGAs have been asked to fill out Compliance Assessments.  FINTRAC typically schedules examinations to follow up on answers provided in the Assessment.  If FINTRAC contacts you to conduct an audit, you must produce the material they request.  The items that might be requested include:

  • Written evidence that the Compliance Officer has been formally appointed;
  • Compliance procedures for client identification and record-keeping, including policies for dealing with high risk situations;
  • Written ongoing training program;
  • Risk assessment including special measures to mitigate identified high risk areas;
  • Copies of the last 2 documented internal or external reviews of the program (self-assessments);
  • Copies of all Large Cash Transaction Records and associated 3rd party records from the prior two quarters.  (Your response to this will always be N/A).
  • Copies of all other reported transactions.
  • Copies of client records, including ID and third party determinations, relating to certain product sales (such as UL, segregated funds and annuities) sold in the prior quarter(s).  This will account for the bulk of the work required in producing information and will be the source of findings if your client identification and records are not complete;
  • Organization chart;
  • Most recent financial information for your business (asset size, gross revenue, net revenue);
  • Total number of full-time equivalent employees in your business.

You will spend a significant amount of time assembling the material. Your response to FINTRAC must be timely and complete. Refer to your FINTRAC Compliance Assessment when preparing your response.

The Review

Once FINTRAC receives your initial response, it will schedule a review (in person or by phone), which will last at least 90 minutes. The CO may be asked detailed questions about the MGA’s Compliance Program, including the role of the CO, the content of policies and procedures for client identification and record-keeping, the risk assessment, self-assessment and training. Questions can include “how do you file a Suspicious Transactions Report?” Consequently, it is essential that you review your entire Compliance Program in detail and have copies of all elements of your Compliance Program with you during the review so that you can consult the material. Having a documented program is of limited value if the Compliance Officer cannot show comfortable familiarity with its contents.

The Exit Discussion

You will be informed of the methods FINTRAC used to review the files you provided as well as the deficiencies noted.  FINTRAC will follow up by letter within 30 days of the interview. If there are deficiencies, you will have 30 days from the date of the letter to respond with an action plan that includes how you will repair deficiencies and when.  

The findings letter will also indicate whether:

  • no further compliance or enforcement action is intended;
  • possible follow-up compliance action is intended; or
  • a recommendation that you be charged an Administrative Monetary Penalty (AMP) will be made.

Anecdotally, if you have been audited by FINTRAC once and you have deficiencies, you can expect to be audited again.  It is a serious matter to have repeat findings and you could be subject to Administrative Monetary Penalties.  

Important Note for CAILBA members:

MGAs do not fit easily into the category of “licensed advisor” provided by FINTRAC, but that is how they are categorized. FINTRAC has made efforts to understand the services MGAs provide, but from time to time a disagreement in rule interpretation may arise between an MGA and FINTRAC. Consider advising the Compliance Chair at CAILBA of any such disagreements and, if necessary, ask for assistance in resolving the issue.

Maintaining an Archive of Compliance Program Changes

You are required to archive the changes to your program, for review by FINTRAC.