70. Every record that is required to be kept under these Regulations shall be retained in such a way that it can be provided to an authorized person within 30 days after a request is made to examine it under section 62 of the Act.

• 71. (1) For the purpose of subsection 9.6(1) of the Act, a person or entity referred to in that subsection shall, as applicable, implement the compliance program referred to in that subsection by

  • (a) appointing a person — who, where the compliance program is being implemented by a person, may be that person — who is to be responsible for the implementation of the program;

  • (b) developing and applying written compliance policies and procedures that are kept up to date and, in the case of an entity, are approved by a senior officer;

  • (c) assessing and documenting, in a manner that is appropriate for the person or entity, the risk referred to in subsection 9.6(2) of the Act, taking into consideration

    • (i) the clients and business relationships of the person or entity,

    • (ii) the products and delivery channels of the person or entity,

    • (iii) the geographic location of the activities of the person or entity, and

    • (iv) any other relevant factor;

  • (d) if the person or entity has employees, agents or other persons authorized to act on their behalf, developing and maintaining a written ongoing compliance training program for those employees, agents or persons; and

  • (e) instituting and documenting a review of the policies and procedures, the risk assessment and the training program for the purpose of testing their effectiveness, which review is required to be carried out every two years by an internal or external auditor of the person or entity, or by the person or entity if they do not have such an auditor.

• (2) For the purposes of the compliance program referred to in subsection 9.6(1) of the Act, every entity referred to in that subsection shall report the following in written form to a senior officer within 30 days after the assessment:

  • (a) the findings of the review referred to in paragraph (1)(e);

  • (b) any updates made to the policies and procedures within the reporting period; and

  • (c) the status of the implementation of the updates to those policies and procedures.

71.1 The prescribed special measures that are required to be taken by a person or entity referred to in subsection 9.6(1) of the Act for the purpose of subsection 9.6(3) of the Act are the development and application of written policies and procedures for

• (a) taking reasonable measures to keep client identification information and the information referred to in section 11.1 up to date;

• (b) taking reasonable measures to conduct ongoing monitoring for the purpose of detecting transactions that are required to be reported to the Centre under section 7 of the Act; and

• (c) mitigating the risks identified in accordance with subsection 9.6(3) of the Act.