Financial crimes reporting

Listen to the Audio here

Financial crimes are crimes that involve money. They could range from vanilla white-collar frauds to esoteric but increasingly commonplace spoofing, phishing, and cyber ransom. As the incidence of financial crimes increases, so do the reporting obligations for securities firms.

Money laundering is the process through which criminals pass money from their criminal activities (placement) through the financial system in various forms (layering) so that when the funds are returned into the system, they appear to be from legitimate sources (integration). Money laundering is an offence under the Criminal Code. Securities firms must report to FINTRAC whenever they have a large ($10,000 and over) cash transaction or when they encounter a suspicious transaction.

Terrorist financing is the use of money, through legitimate or illegitimate means, to fund terrorist activity. When the source of the money is illegitimate, terrorists use money laundering techniques to integrate their funds so that the money appears to be from a legitimate source. Terrorist financing and providing funds for terrorist financing are offences under the Criminal Code. Securities firms must file a monthly report to the securities regulator related to terrorist financing and Canadian sanctions. The sanctions include lists of designated persons belonging to certain terrorist or suspected terrorist organizations.

A new reporting requirement has come into effect. The Common Reporting Standard is an international standard created by the OECD for countries to report tax evasion to one another. The concept was based on FATCA, the US Foreign Account Tax Compliance Act. Canada introduced the Common Reporting Standard on July 1, 2017. Canadian financial institutions (including securities firms) must report to CRA information about account holders who are resident in a foreign jurisdiction. Although the first reporting period has passed, the full-blown reporting takes effect for accounts as at December 31, 2019. Reporting must be done by May of each year.

Other reports securities firms may need to file include mandatory reporting of privacy breaches under PIPEDA and the Alberta Personal Information Protection Act. Although there is currently no need to report to securities regulators on cyber-attacks that do not involve the breach of personal information, the regulators would expect to be notified if a cyber-incident threatened the stability of the capital markets or investor protection. IIROC proposed amendments to its rules to require mandatory reporting of cyber-attacks, but those amendments have not yet come into effect.

As criminals become increasingly sophisticated, the burden of reporting will become greater. If you need assistance or guidance about your reporting obligations, please contact us at or 604-644-9232.

Share this post with your friends

Share on facebook
Share on google
Share on twitter
Share on linkedin