Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations

156 (1) For the purposes of subsection 9.6(1) of the Act, a person or entity referred to in that subsection shall implement the compliance program referred to in that subsection by

• (a) appointing a person who is to be responsible for implementing the program or, in the case of a person, taking responsibility for implementing the program;

• (b) developing and applying written compliance policies and procedures that are kept up to date and, in the case of an entity, are approved by a senior officer;

• (c) assessing and documenting the risk referred to in subsection 9.6(2) of the Act, taking into consideration

  • (i) their clients and business relationships,

  • (ii) their products, services and delivery channels,

  • (iii) the geographic location of their activities,

  • (iv) in the case of an entity that is referred to in any of paragraphs 5(a) to (g) of the Act, any risk resulting from the activities of an entity that is affiliated with it and that either is referred to in any of those paragraphs or carries out activities outside Canada that are similar to those of a person or entity referred to in any of those paragraphs, and

  • (v) any other relevant factor;

• (d) if the person or entity has employees, agents or mandataries or other persons who are authorized to act on their behalf, developing and maintaining a written, ongoing compliance training program for those employees, agents or mandataries or other persons;

• (e) instituting and documenting a plan for the ongoing compliance training program and delivering the training; and

• (f) instituting and documenting a plan for a review of the compliance program for the purpose of testing its effectiveness.

(2) If the person or entity intends to carry out a new development or introduce a new technology that may have an impact on their clients, business relationships, products, services or delivery channels or the geographic location of their activities, they shall, in accordance with paragraph (1)(c), assess and document the risk referred to in subsection 9.6(2) of the Act before doing so.

(3) A review referred to in paragraph (1)(f) shall be carried out and the results documented every two years by an internal or external auditor of the person or entity, or by the person or entity if they do not have an auditor.

(4) An entity shall report the findings of the review, any updates made to the policies and procedures within the reporting period and the status of the implementation of those updates in writing to a senior officer within 30 days after the day on which the review is completed.