Navigating eCARs: A Compliance Opportunity

Hello and welcome to another episode of The know your

compliance the KYC Podcast. I'm super excited today to have

Zahra and Cagatay from the Really Trusted team, joining me

to talk about ecars or shrax. Doesn't have go as well. But the

the what might be the first phase of heading towards an

examination. So before we get into it, let me give you guys

each an opportunity to introduce yourself. Zahra. Who are you?

What do you do?

Yeah. So I'm Zara. I am the anti money

laundering operations here with really trusted I have experience

in like the FinTech, bank, credit union realm now real

estate, and then soon to be mortgage broker. And, yeah, I

just am excited to talk about this, because we've seen an

uptick in it. So that is me chatting. What about you? Well,

yes, the program lead for the finch space program. So

basically all our friends out there who have already had their

face to face meetings with me. Know that I create your

compliance programs and ensure that your FinTech obligations

are put in place, etc, and hence I'm always here to have help

lending hand for you guys.

Awesome. Thank you so the the supervisory risk

assessment questionnaire, srac, or the ecars, which actually,

does anybody remember what ecar stands for, electronics

compliance assessment report? Ah, thank you, sir. All right.

Or ecar, depending on on what you get, they're essentially the

same thing. First of all, those two sets of abbreviations. But

Cagatay, can you give me, like a Cole's notes on what that is?

Let's start there.

Yeah, exactly. So as you know, Finch rack is the

regulatory body for all AML CFT issues in the country, and hence

everybody needs to abide by those rules and regulations. And

what the E car is actually is a tool for to ensure that the

regulator entities are complying with these regulations. So, as

the name suggests, they're electronic questionnaires, and

Finch, once they forward these and request them to be filled,

that has the opportunity to ensure they are able to assist

the victim. This are the regulated, regulated entities

compliance program, and also try to understand whether they can

identify any potential risk in terms of money laundering or

terrorism financing.

Yeah, and I think the lens that I would look at the E

car, slash, let's call it an E car, because it flows off the

tongue easily for today, the lens that I would take these

electronic things from is that, much like your FINTRAC

compliance program should be risk based, this FINTRAC uses a

risk based approach as to when and where to do further

examinations. And I think the way I would look at it, this is

their first filter that they might apply is to decide whether

to go deeper or not, with your bro, with your with your

business, with your reporting entity. So as you start to see

this questionnaire, is there what what would be like some

really high level, broad things that I think would be important

for our compliance officer reporting entity to to start to

consider, I

mean, just with regards to what they would see,

something that they would see in the E car, yeah,

maybe, actually, you know, you're right, maybe we

should start by describing the questions and the lay of

questions that they're going to get. Let's, let's go with that

first. Yeah, yeah. So, yeah. I mean, just as

a basic they generally use Canada Post for information

sharing, just with regards to just some of the recent hacks

we've seen. So not a bad thing that they're choosing to do that

kind of thing. But anyway, so it would be through Canada Post.

And so if you get an email or something like that, don't,

don't worry, it's not out of ordinary. But then the type of

information that they would be asking for, basically, is just

sorry before you join to us by Canada Post, you mean

the electronic Canada Post, not the to your door Canada Post,

but carry on. Sorry,

absolutely. It is not by paper. It is, for

sure, ecart electronic. Yeah, thank you for considering that.

So it would be kind of like either a PDF document or an

Excel, and they would be asking you about your business, just

your organization in general, specific to how your business

practices are, like, what, what you know, types of transactions,

that you accept, agents, very, very basic questions that you

would be able to actually answer, just based on what you

know about your business. And then the other types of

scenarios. And then there's also a part of of it, which asks

about your compliance program. These are all questions that are

based off of the five pillars that they actually give as

guidance for the real estate entities and brokerages to be

able to comply to FINTRAC. So they're going to be asking

various questions. Questions about, yeah, I mean, what type

of transactions you accept, who you do business with, geographic

risks, various things. But these, these questions are going

to be ones that will generally be in your policies and

procedures, if that's something that you have in place already,

and so, depending on where your compliance program is these

types of questions could be very, very easy, and then on the

opposite side, they could also be slightly challenging,

depending on where you're at with your compliance program.

So couple of thoughts for that come out of that. I

think, as you're completing this, it's, I think, I think to

go some to kind of go further into something you just said,

everything that's in here should be written in your compliance

program should be in there. Like, I just think that if you

have a good set of program, policy, procedures, risk

assessment, the answers to, okay, so the operational answers

to your questions might not be in there, but the policy side of

the questions should be in there, and you should be able to

point to where in your documentation these are. And as

a best practice, my tip on this would be that that's exactly

what you would do now, as you're doing that, what are i What are

the things that we've seen people are really struggling

with? Can What Are either of you guys have feedback on where

they've really where people have struggled with the with the SAR,

with the car questions?

Well, I've seen in the questionnaire that basically, of

course, this basically pulled down many on, you know, whether

the various scenarios that they have asked Where have happened

or seldom happened or never happened. So those are cool down

menus. So in that regard, I don't think there is any issue

for anybody to answer them, but perhaps more difficulties may

come up in regards to the compliance program questions

itself, hence they need to have a good understanding of exactly

as just duly pointed out, as what the compliance program is

actually covering. And in that regards, you know, you have all

sorts of things like payment methods accepted your business

and, etc. There are sanction controls, etc. You're reporting

requirements, etc. You're doing this. You're doing that. I think

French rack here is basically trying to understand, you know,

do you have a grasp on your policies and procedures, or just

or it's just a pretty document that's sitting at your brokerage

on your desk, kind of thing? So, so it's basically, you need to

have a good grasp on this. You need to understand what these

registered requirements entail. And hence, then just go with the

floor in regards to answering these questions, go

and, and I think I was also, I just just to

tail on to that with the other part that I think some people

have challenges with is if they feel that their compliance

program isn't well rounded off. And so even, even if they

they're trying to answer these questions, they don't know how

to and it's only just because they might not have policies and

procedures in place, or they might not have gone through a

risk assessment, or whatever the instances, and in those

instances that can become a little bit difficult. But yeah,

so it's, it's it's good. FINTRAC is doing their due diligence to

figure out what the brokerage what stage they're at, really,

I actually just thought of something as we've

been talking this through that I think is interesting when, if we

think about a formal examination, that process starts

with a call, right the the fintra, FINTRAC phones, the

compliance officer says, Hey, we are beginning in an examination

of your business. You'll be receiving a letter detailing

what we need to see. You have 30 days to respond, etc, etc. The

interesting thing is that this is not a formal examination, and

where the opportunity is is if you are looking through this and

you realize you have a deficiency. FINTRAC has a

process for that. You have what's called a voluntary

disclosure of non compliance. There's a C at the end of that.

No, no, that's right, voluntary disclosure of non compliance,

VD, noc, process where you can self disclose that you have some

sort of a deficiency. I think the opportunity when you use

these ecars properly, if you're feeling like you have a

deficiency, this might be what causes you to realize you have a

deficiency, which be the greatest get out of jail. Free

card, by the way, when done properly, How's that for an

opportunity out of what might be an initially scary process,

thoughts on that?

Yeah, I think you're pointing at a appropriate thing

here. It's a good approach. But on the other end. Shouldn't be

a, as you mentioned, that the jet Get Out of Jail Free card

thing. I think it shouldn't be just the easy way out.

Nevertheless, no, yeah, because eventually the legislative

requirements are important, etc. And FINTRAC is, I think when

they first make this contact and they want the E car

questionnaire to be filled out. They want to ensure that the you

know the business does understand its risks. What is

doing to mitigate those risks, etc. And hence, all the answers

properly compiled in that questionnaire are reflecting

upon the knowledge awareness of such legislative requirements.

So I they never come an instance where this volunteer disclosure,

etc, you know, has happened, at least in my past experience,

etc. And hence, what the consequence would be for the

business eventually, when Finch wreck receives such a thing,

exactly. But nevertheless, it's beneficial, of course, because

you'll be honest, and that's what's most important about

these questionnaires as well. You have to be honest. There

should be no faking any answers. There should be no, you know,

amending or, you know, fraudulent, you know, replies,

things like, whatever it is, it is. I mean, as you do the point,

I agree. If it's if you feel like there's deficiency in your

program, stated, don't go and say, I have this. I have that,

because Finch, they come in and then they find out that you

actually don't have it, that you're then you're in real

trouble. Absolutely, you want to talk. You want to

Yeah,

this actually reminds me of, Are you guys

familiar with the panopticon? I feel like I talk about it often.

It's, I think it was Adam Smith, but it's basically just this,

this idea of a jail that had been created a long time ago

that's fully circular, where there's only, say, one guard,

just at the top watching, and the rest of the the jail people

are in their cells, and they're in a circle. And basically the

idea is that there's only one person that's actually looking.

They're not able to look at everybody at the same time at

all. But because of this, the idea, or the threat that there's

somebody that could possibly be looking whatever you're doing at

the time, you are self governing yourself, and I think that that

really lends, lends it to this, because it's that idea that

that's kind of what FINTRAC is doing. I mean, they're, they're

sending these e cars, and they're saying, okay, you know,

this is our kind of spot check. If we have a bunch of people

that come out and voluntary disclose that they don't that

they're out of compliance, it's actually really good because,

yeah, that would be such a win, because they're now seeing,

okay, great, you're you're actually basically auditing

yourself. You're seeing that you're able to see those gaps

and you're going to be able to fix them. It doesn't mean that

they're not going to look away from you. It just means that

you're doing the work for them

well, but but to be clear, like if they decide that

if you submit this, there's, there's, there's kind of three

possibilities, I see it. Look we can all agree, everybody,

probably everybody watching this, but certainly the three of

us can all agree that the best thing would be that you have a

program on policy, a procedure, a risk assessment that's

actually doing all the right things, that would be the

perfect situation. The real world is such that that's not

always true. And to be clear, like there's always room for

improvement no matter how great your program is you. That's why

effectiveness reviews are a part of the regime. That's why these

are living, breathing documents these. That's why this the

training needs to amend itself. That's why the regulations

change. So like even the best case, it is possible for you to

identify some deficiencies at some point. In fact, you should

be occasionally. But let's go to the the other possibilities.

There's a possibility where you are trying, but as a result of

receiving this E car, you realize that there's some

questions that you just don't even know how you're going to

answer. Well, I'm going to suggest to you that you have two

POS, two options here. One, you commit fraud, and I would never

think that that's the right approach, and I would hope that

that's never the approach that anybody would take. Or two, you

use a mechanism that FINTRAC has specifically set out for this

exact situation where you realize you have a piece of non

compliance. You disclose that through the through that

channel, there's a there's an email address, there's a there's

a process. I think it's an actual email address, in fact,

at this point. But anyhow, you disclose that process through

that process, and then as you file your ecar, you would go and

say, Look, we filed a V doc on this. We are going to work

towards remediation of this. And as a in all of the interactions

I've had with FINTRAC, that would be almost as good, if not

better, honestly, than than just being buttoned up in the first

place, because that now you're showing that commitment to

compliance. The third possibility is, and probably the

worst of them, I think, is you go and you fill out the SRA Q,

and you're deceptive or misleading, or you. Kind of just

ignore some of the questions, or don't answer them in detail, in

enough detail, and then FINTRAC is going to want more

information, and then they come in and they find some

deficiencies. Now you're you kind of put yourself into this

hole all of a sudden. So I think the the opportunity to use this

as a free effectiveness review, for lack of a better way of

describing it, is a pretty decent one thoughts on that?

Yeah, 100% I 100% agree. I think, I think

people rightfully so, because the amounts that are the fines

that are given out are terrifying, but I think maybe

people also don't have the perspective that FINTRAC really

like they're just trying to get people into compliance. And so

if they're seeing that you have that intention, if they're

seeing that you want to do that, generally, they're actually

going to be relatively your friends, like it's not, it's

it's kind of like a tutor relationship, where they're only

going to scold you if you are cheating on the test, you know

what I mean. But if they're seeing you're really trying hard

to figure out that math equation, they absolutely will

say, okay, great, that's awesome. You got to see plus.

But next test that you have, let's work on it from there on

and and I think that's something that maybe a lot of people don't

have that that perspective on, because the fines are absolutely

yeah, they're terrified,

yeah. I mean, it's a lot of money. I like, yeah,

it's a lot of money. And why is that money when you

can just do your homework, basically, I mean, yeah, you can

invest that money into your own business or whatever. I mean,

it's simple, I mean, and as you to point out, Greg, and I mean,

if you are not able to do this by yourself, you know, just seek

assistance, seek help. And I'm not sure whether we're allowed

to advertise here, but our

podcast, we can do

it. Really. Trust it. Guys,

no, it's our podcast. And I think it's totally fair to

say, Look, guys like, if you're listening to this and you've

you've received an E car and you're not sure how to respond,

it's not too late, reach out. We can help. We will happily walk

you through. We've done this before. We can walk you through

what we think are some of the better practices in terms of

responses. And if your program is completely missing

everything, this is a really good wake up call for you,

because if you're receiving the E car and you don't want to

commit fraud, which I'm going to assume is the case for most

people, then your best bet is to start to resolve this problem,

and we're going to help you with all of that. So that's

and if you if you are a client and you're

listening to this, that is also awesome, because we would have

access to your compliance program. We would be able to,

we've been helping shape it, and so we would be able to actually

give you direct feedback on kind of guidance with this

specifically. So for sure, reach out whether you're a client or

you're not. Please

don't go it alone. Yeah, yeah. Okay. Well, with

that, thank you very much, shatai and Zara both for your

time. I appreciate you coming on and talking about ecars, SRA

cues and whatever other Ford letter acronyms comes up with in

the next iteration. Sorry,

should we, Greg, just quickly touch on what

happens after or once we send it, is there? Is there? Or is

that a completely different it's possible it could be a

completely different podcast. No, I

mean, we could talk about that for sure. Like, go

ahead, that sounds good. Well, yeah.

I mean, so just just once, once you're done

filling out the e car, usually you get a time, a time frame to

fill it out and, and so you send that back. And we've seen where,

literally, that's it. That's that it just goes into the

ether, if in track and you never hear back, and that is likely

the best case scenario, because that means that they're really

happy with your responses, and maybe not even really happy.

It's just that there aren't enough red flags for them to

say, Okay, we need to look at your compliance program, which

is awesome. So if you don't hear back, that's great, but then

it's possible that, I don't know timeline wise, it really depends

when track is kind of a little bit, yeah, they kind of have the

curtain there, but, but if you do hear back then, then there's

a next step. And still, there are a couple other steps before

they decide to formally, actually audit you. But they're

just, it's just a continued continuance of gathering of

information. Yeah,

I think, I mean, I thanks for bringing this back to

that. Because I think it is important to realize that this

is one of many things that FINTRAC is doing to monitor

their reporting entities and their gather this is just

information gathering for them. So you may not hear back. That's

not unusual for FINTRAC. That's not a bad thing. Might be a

preferred option, honestly.

And perhaps one final note, time frame for. Actually

submitting your responses. I've come to understand that Finch

are quite, you know, lenient in providing extensions to all

those you know who receive these questionnaires. So normally,

you're given 30 days to provide the feedback, but if for one

reason, as you have a pretty good excuse of, you know, not

being able to you can apply to them, and they will provide you

an extension as well. The key

to that, of course, is don't ignore them. Ask your

extension.

Definitely. If you

go to them two months later and say, Oh, by the way,

we want an extension, they're going to say, Wait a minute.

This was due a while ago,

and ensure you're like checking out your email inbox

here, and then, because sometimes they may just get

lost, that's a real other things.

That's a good point and a real life story that we

can kind of touch on, which is that they their contact

information isn't perfect. So you know, if you've had an email

address out there that make sure you're checking those ones that

you set up years ago when you first set up your business.

Because if that goes, if that's where the E car goes, that might

be where the E car goes. So

but then even to that, right, if, if there's a

legitimate, justified reason for why you never got that, use it

at all. Fin tracks, they're not extremely unreasonable. They're

not, they're somewhat reasonable, you know, no, no,

they're absolutely, if

you like, if you didn't get it, and you say,

Look, guys, we didn't get it, but we'll have it to you within

30 days of now, they'll say, Okay, well, that makes sense.

You just got it like you got 30 days. I mean, I can't guarantee

that, because they get to do what they want to do, but

that's, that's what we've seen, and that's what I would expect

to continue to continue to be the case

So, yeah, totally.

All right, well, thank you once again. Really

appreciate you guys taking the time and thank you for

listening, folks to another episode of the KYC podcast. I

know your compliance podcast. Please join us again soon. Take

care.