Fincrime Briefing: Fintrac deadline on AML for virtual currency exchanges, massive cyber breach, EU fincrime compliance enforcement update, and more

By Brian Monroe
bmonroe@acfcs.org
November 22, 2019

Quote of the Day: “March on. Do not tarry. To go forward is to move toward perfection. March on, and fear not the thorns, or the sharp stones on life’s path.” – Khalil Gibran, author of “The Prophet”

In today’s ACFCS Fincrime Briefing, Canada’s Fintrac opens door on AML registration for crypto exchanges, releases guidance on identity verification, unsecured server yields more than a billion records, EU Central Bank gives glimpse of future fincrime compliance oversight, enforcement, and more. 

Please enjoy this unlocked story, part of the many benefits of being an ACFCS member. 

Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content! 

CANADA

Fintrac releases key updates to AML obligations, including virtual currency exchange MSB registration, details tactics to verify individual, corporate identities  

Canada’s Financial Transactions and Reports Analysis Centre (Fintrac), the country’s financial intelligence unit (FIU), has released a bevy of critical updates tied to anti-money laundering (AML) obligations, including opening the door for virtual currency exchanges to register as money services businesses for compliance purposes and offering more clarification on how to verify individual and corporate identities. 

Fintrac, cognizant that countries, including Canada, are under more pressure to uncover and detail the beneficial owners of corporations, is bolstering a critical precursor for such initiatives: ensuring that the documentation tied to corporates, individuals and other entities is ironclad and can form the foundation of strong customer due diligence, risk assessments and be reliable in related AML investigations. 

Here is a look at some of those updates: 

MSBs in Canada acting as virtual currency exchanges must register and can do so now

MSBs that deal in virtual currency can now voluntarily register with Fintrac in advance of June 1, 2020, when registration will be mandatory, according to a notice on the regulator’s site. 

In short, the requirements mirror similar efforts by U.S. regulators, where a virtual currency exchange is considered an MSB and, correspondingly, MSBs are subject to a host of AML rules. Fintrac notes that crypto exchanges, and those engaged in P2P exchanges on behalf of others, are captured by the rules, even if the transactions involve only virtual values.

AML rules, and related Fintrac and MSB registration duties, get tripped for both virtual currency exchange and virtual currency transfer services, in several scenarios, including: 

1. Virtual currency exchange services include exchanging:

  • funds for virtual currency,
  • virtual currency for funds or,
  • virtual currency for another virtual currency.

2. Virtual currency transfer services include:

  • transferring virtual currency at the request of a client or,
  • receiving a transfer of virtual currency for remittance to a beneficiary.

To read more about the upcoming virtual currency registration deadline, or to get a better sense of what Fintrac considers an MSB, click here

Identity verification 

Methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation

Fintrac also released guidance on how best to review and verify documents, details and data to properly confirm the identity of individuals and corporates to the depth required by Canada’s AML rules.

Though this may seem a rote, rudimentary task at first blush, the quality and accuracy of data is considered the lifeblood of the financial crime compliance program, and customer information in particular is considered a powerful foundation for related risk assessments, which, in turn, tune bank transaction monitoring systems to alert and lead to producing suspicious activity reports (SARs).

Fintrac covers key nuances of identity verification, including using digital documentation, how and when institutions can rely on identification captured by affiliates and agents, and taking a hybrid approach by combining several weaker forms of identification to reach a threshold that meets regulatory expectations while not running afoul of privacy rules.

This document answers the following questions:

  1. What does it mean to verify the identity of an individual or to confirm the existence of a corporation or of an entity other than a corporation?
  2. How do I verify the identity of an individual?
  3. How do I use an affiliate, agent, or mandatary?
  4. How do I identify a child?
  5. How do I confirm the existence of a corporation or of an entity other than a corporation?
  6. Are there restrictions on the use of personal information?

Some key snapshots include ways to verify the identity of individuals and corporations. 

For individuals: 

  • A government-issued photo identification document must be issued by either a federal, provincial or territorial government in order to be used to verify the identity of an individual. 
  • You may accept a foreign government-issued photo identification document if it is an equivalent to a Canadian document such as those listed in this guidance. 
  • Photo identification documents issued by municipal governments, Canadian or foreign, are not acceptable. 

For corporations: 

  • its certificate of incorporation;
  • a certificate of active corporate status;
  • a record that has to be filed annually under provincial securities legislation; or
  • any other record that confirms the corporation’s existence, such as the corporation’s published annual report signed by an audit firm, or a letter or notice of assessment for the corporation from a municipal, provincial, territorial or federal government.

To read the full Fintrac report on identity verification, click here

Ascertaining identity under AML duties

Fintrac also released a recent Policy Interpretation on Ascertaining Identification and ensuring the related documents are authentic.

In addition to detailing which documents work to satisfy AML rules for proper identification, the regulator went into more detail to parse out the nuances of how institutions can actually go deeper and verify the foundational documents themselves.

Here is a snapshot of that policy interpretation: 

Reporting entities must verify the identity of a person pursuant to one of the methods prescribed at subsection 64(1) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act Regulations (PCMLTFR), which can all be used when a client is physically present or when a client is not physically present. 

These methods are commonly referred to as i) the government-issued photo identification method, ii) the credit file method, and iii) the dual process method.

Subsection 64(1.4) of the PCMLTFR further requires that a document used to ascertain identity under subsection (1) be authentic, valid, and current and that other information used for that purpose be valid and current.

While the restriction on using an electronic image of a document has been removed from subsection 64(1.4) of the PCMLTFR, other stipulations do exist to ensure the continued effectiveness of the obligation to verify identity. 

Specifically, if a reporting entity chooses to verify identity by referring to:

1. A government-issued photo identification document – it must be authentic, valid and current.

  a. You can determine the authenticity of a government-issued photo identification document in person by looking at the characteristics of the original physical document and its security features (or markers, as applicable) in the presence of the individual to be satisfied that it is authentic as issued by the competent authority (federal, provincial, territorial government), that it is valid (unaltered, not counterfeit), and current (not expired).
  b. If an individual is not physically present, the authenticity of a government-issued photo identification document must be determined by using a technology capable of assessing the document’s authenticity.
     For example, a technology that would compare the features of the government-issued photo identification document against known characteristics (size, texture, character spacing, raised lettering, format, design, etc.), security features (holograms, barcodes, magnetic strips, watermarks, embedded electronic chips, etc.), or markers (logos, symbols, etc.) to be satisfied that it is an authentic document as issued by the competent authority (federal, provincial, territorial government).

To read the full Fintrac policy interpretation on identity authentication, click here

Monroe’s Musings: Fintrac, along with Canada overall, has made a bevy of changes to improve its defenses against financial crime, from more resources for investigators and examiners to stronger penalty powers for AML failures and updates to compliance legislation to counter opaque beneficial ownership bastions.

But it’s still a powerful and positive move to continue those efforts, even into seemingly AML 101, bread and butter initiatives like capturing and verifying the identities of individuals, corporates and such. 

One of the first, and potentially most immediate and effective, ways to bolster an AML program is to have frontline staffers asking the right questions of potential customers – and not being swayed by money when they don’t give the right answers or act evasive. 

In some cases, a teller or business line staffer at a bank who is properly trained on AML and does not shirk on customer due diligence questions can suss out potential criminals and fraudsters, or scare them enough by being inquisitive that the bad guy walks out the door. 

CYBERSECURITY

Unsecured server exposes more than one billion records, including social media profiles, personal information: researchers

Some four terabytes of data on over 1.2 billion individuals – including LinkedIn and Facebook profiles – was exposed to the internet on an unsecured Elasticsearch server, according to an analysis by a pair of independent researchers.

It’s not clear who owns the database or if any of the personally identifiable information it contained has been accessed by hackers or cybercriminals, according to analysis posted Friday by Bob Diachenko and Vinny Troia, who discovered the server in October.

The server stored 622 million email addresses, almost 50 million phone numbers, plus names and profile information from LinkedIn and Facebook, the two researchers told Wired.

An examination of the exposed server found that the personal information came from two data enrichment companies, although both said they did not own the cloud-based server, according to the researchers’ report.

“We regularly look for open Elasticsearch databases and we were just scouring IP address and we found this one and right away we could see that it had 4 terabytes and that it was a pretty large database,” Troia told Information Security Media Group. 

“When we started to dig into it, we found a ton of user profile information and it was just a ‘holy wow’ moment … At a glance we saw almost 4 billion user records and once we went through it and did deduplication, we found 1.2 billion unique records and that’s pretty momentous.”

The two researchers found the exposed database on Oct. 16 as part of an ongoing research project using Shodan, an open source network discovery tool. 

And while the IP address for the Elasticsearch server was traced back to the Google Cloud Platform, it’s not clear who owns the database or who has responsibility for securing it, Troia, who runs the threat intelligence firm Data Viper, told Wired.

No password or authentication was needed to access the database, the researchers say. Troia told ISMG that he notified the FBI about the database, and then within a few hours, someone pulled the server and the exposed data offline. 

Troia added that when he examined the IP address further, it appeared that the server itself dates from November 2018 (via BankInfoSecurity).

Monroe’s Musings: Stories like this should scare companies into having better cyber defense, resilience and recovery efforts. It should also be a lightning bolt for individuals to be more careful with their data and be very sensitive to any odd bank or credit card charges. 

CORRUPTION

Swiss prosecutors search Vitol, Trafigura offices amid sweeping graft probe

Swiss investigators have executed search warrants at addresses linked to Vitol and Trafigura, their counterparts in Brazil said on Thursday, as a sprawling probe into the global commodity trading industry intensifies.

In a statement, Brazilian federal prosecutors said Swiss investigators searched the Geneva addresses on Wednesday as part of a probe made public late last year. 

As part of that probe, authorities alleged employees of major commodity trading firms paid employees of Petroleo Brasileiro SA at least $31 million in bribes from 2011 to 2014.

In return, the trading firms would buy Petrobras fuel for artificially low prices or sell at artificially high prices, fleecing the state-run company in the process.

One employee of Petrobras, as the firm is commonly known, has pled guilty in the United States to conspiracy to commit money laundering and is cooperating with the U.S. Federal Bureau of Investigation in a parallel investigation of the matter.

In September, Reuters reported that a cooperating witness in Brazil told prosecutors that high-ranking executives at Vitol, Trafigura and Petrobras were aware of the scheme, and in some cases helped facilitate bribe payments (via Reuters).

Monroe’s Musings: Brazil has been a hub of corruption and bribery investigations in many regions, spearheaded in recent years by the United States. 

But now the investigative focus is shifting to the foreign parents tied to the massive corruption scandals to determine if, how or how long, top executives at headquarters knew about these schemes or worse, actively supported and blessed them with the goal of increased profits. 

COMPLIANCE

A look ahead at EU AML supervision: Stronger laws, guidance applicable to all member states equally, single pan-bloc enforcement body, more aggressive information sharing  

In the wake of historic money laundering scandals, a top European Union watchdog is considering a push to make financial crime compliance directives have the force of law, ensuring a more harmonized implementation across member states, the creation of a powerful new enforcement authority and bolstering information sharing between bloc authorities and countries. 

Those are just some of the issues addressed in a recent speech by Yves Mersch, a Member of the Executive Board of the European Central Bank (ECB) and Vice-Chair of the Supervisory Board of the ECB, at the Colloque de l’AEDBF-Europe in Paris, a nuanced diatribe offering practical solutions to a knotty problem many large, advanced countries are still wrestling with.

Mersch gave a potential glimpse of the future of European Union (EU) enforcement from the perspective of the ECB, which has historically had limited authority over anti-money laundering (AML) implementation, but has emerged in the last year as a thought leader for potential solutions to embarrassing and record money laundering scandals. 

The ECB is lobbying for more aggressive information sharing between member state banks and regulators with its own officials – both to help individual member states see broader trends and also inform its own counter-crime focal points tied to overall prudential oversight of countries and institutions – a move it spearheaded roughly a year ago as part of EU AML rules. 

In order to improve cooperation between both sets of supervisors, the ECB signed an agreement in January setting out the “practical modalities for exchanging information with the AML/CFT supervisors of credit and financial institutions within the European Economic Area.”

That move, and other independent analyses, have yielded critical insight for the ECB to offer potential solutions for, initially, the failures that led to the Danske Bank money laundering scandal, which saw some $230 billion in suspect funds from Russia move through the operation’s now defunct Estonian branch.

Here is a snippet from the speech that is required reading for AML compliance professionals at EU banks or working at institutions with a strong EU presence: 

How to strengthen the EU’s institutional setup

While much has already been done, weaknesses in the European AML/CFT framework still represent a risk to the integrity and resilience of the European banking sector. 

The current supervisory fragmentation and differences in supervisory practices in the area of AML/CFT can severely undermine the integrity and stability of EU banks and thereby the ECB’s supervisory effectiveness, particularly in a cross-border context.

The steps taken so far might not be enough to effectively prevent money laundering and terrorist financing in the banking sector. Thus, further steps might be considered by the political authorities to make the AML/CFT framework more effective, particularly for cross-border activities.

We therefore welcome the ongoing discussion on what steps to take, and we stand ready to provide support in our areas of competence. However, as I said earlier, the ECB cannot take over the role of an AML/CFT supervisor; this is ruled out by the Treaty. Furthermore, there are also only limited synergies between prudential supervision and AML/CFT supervision.

From our perspective, a strategy to strengthen the EU AML/CFT framework could comprise at least two elements.

First, a further harmonisation of the AML/CFT rulebook could address possible divergences and shortcomings in the way the rulebook was transposed in different Member States. It could also strengthen enforcement of AML/CFT compliance through AML/CFT supervisors by providing clear regulatory guidance and harmonised, stronger supervisory powers. 

This could be achieved by transforming the AML Directive into an EU regulation, which would have the potential of defining a harmonised anti-money laundering framework that is directly applicable throughout the European Union. 

To be effective, the scope of a future regulation should be as broad and encompassing as the legal base would allow, also with a view to moving towards a more rule-based approach, while fully respecting the legal constraints and the remaining variety of national institutional setups, particularly in the area of criminal law and justice systems.

Second, supervisory fragmentation should also be addressed, especially in relation to coordination and cooperation procedures. 

This could be achieved by charging an EU body or a new authority with AML/CFT tasks. This EU body or authority should be independent to allow it to act decisively in addressing ML/TF risks. 

It could detail a single AML/CFT rulebook via technical standards and/or guidelines, coordinate its implementation and ensure strict and harmonised AML/CFT supervisory practices in the EU and across Member States, leveraging on the experience and expertise of national supervisors. 

The EU AML/CFT body should make sure that accurate and timely assessments on possible irregularities and ML/TF risks are proactively provided to prudential supervisors, including the ECB in its supervisory role, so these risks can be factored into their prudential assessments.

Finally, if supported by co-legislators and primary law, the EU AML/CFT authority could be equipped with direct AML/CFT supervisory powers (via the European Central Bank).

Monroe’s Musings: This was a very meaty and weighty speech that gives a porthole view into the massive changes that are in store for EU AML investigations, examinations, overall oversight and even offers a portent of encroaching penalties. 

I say this a lot, but this speech should be read and re-read by financial crime and compliance professionals in the EU – and other regions, like the U.S. and other jurisdictions. 

Regulators in the EU, U.S., Canada and the U.K., among others, are longtime allies and travel in the same circles. If one country makes a change that works, the others follow suit. 

So the changes coming to the EU may also be coming to bank operations in your jurisdiction – so get ready.