Investment Dealer Anti-Money Laundering Compliance Guidance

Guidance Note
Distribute internally to
Internal Audit
Legal and Compliance
Senior Management
Trading Desk
Rulebook connection
IDPC Rules
Investment Dealer


Member Regulation Policy
Business Conduct Compliance

Executive Summary

Dealer Members (Investment Dealers)1  are required to meet a variety of applicable rules relating to anti-money laundering (AML) and anti-terrorist financing (ATF), including:

  • CIRO’s IDPC Rules,
  • Canadian federal legislation,
  • National Instrument 31-103 - Registration Requirements, Exemptions and Ongoing Registrant Obligations (NI 31-103), and
  • other AML/ATF requirements applicable to Investment Dealers for activities carried out in various jurisdictions.

Investment Dealers must comply with all applicable laws and regulations relating to AML and ATF. We are publishing this Guidance to focus on the relationship between federal AML/ATF laws and the IDPC Rules client due diligence requirements to assist Investment Dealers in meeting their regulatory obligations.

  • 1As defined in subsection 1201(2) of the Investment Dealer and Partially Consolidated (IDPC) Rules.
Table of contents
  1. Introduction


  1. Purpose

In this Guidance, we outline the AML/ATF regulatory requirements and expectations applicable to Investment Dealers. We also include links to resources to assist Investment Dealers in meeting their obligations.

  1. Scope

At this time, we are limiting this Guidance to Investment Dealers. We are consolidating2 the IDPC’s and Mutual Fund Dealer Rules’ client due diligence, know-your-client and surveillance requirements, which overlap with Dealer Members’ AML/ATF obligations and are referenced throughout this Guidance. As part of our integration of Investment Dealer and Mutual Fund Dealer Member compliance testing, we are also developing consistent AML/ATF examinations for all CIRO Dealer Members, as it relates to shared AML/ATF regulatory oversight between CIRO and the Financial Transactions and Reports Analysis Centre of Canada3 (FINTRAC). Once we complete that work, we plan to revisit this Guidance.

Investment Dealers have a variety of business models. We do not discuss each type in this Guidance. We expect each Investment Dealer will adapt its AML/ATF compliance program(s) to its business model.

  1. Responsibility for AML/ATF compliance reviews

Regulatory oversight of Investment Dealer compliance with AML/ATF rules is shared between CIRO and FINTRAC. FINTRAC includes CIRO Investment Dealers in its AML examination coverage, outreach and guidance. CIRO’s Business Conduct Compliance, Investment Dealer Division also performs focused AML/ATF testing as part of regularly scheduled examinations of Investment Dealers, based on an analysis of various risk-based factors. CIRO and FINTRAC exchange information pertaining to Investment Dealer AML/ATF compliance on a regular basis (through an information sharing agreement). Even in cases where CIRO does not perform focused AML/ATF testing as part of an Investment Dealer exam, we will generally review certain aspects of the Investment Dealer’s AML/ATF compliance program as part of other testing including with respect to client identification, trading activity, and fund transfers.

  1. Requirements

IDPC Rules client due diligence requirements4 have purposes that differ from, and are in addition, to AML/ATF requirements. Some of our client due diligence rules require more information than the related Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) or Proceeds of Crime (Money Laundering) and Terrorist FinancingRegulations (PCMLTF Regulations) provisions to ensure that Investment Dealers obtain information necessary to investigate capital markets abuse.

We remind Investment Dealers that where IDPC Rules differ from applicable laws, they must comply with the more stringent requirement. In this Guidance, we refer to the PCMLTFA and the PCMLTF Regulations jointly as the AML rules.

CIRO has its own Investment Dealer client identification requirements5 . These requirements are set out in Part A of IDPC Rule 3200.

Investment Dealers may also be subject to certain client due diligence requirements under National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations (NI-31-103).

  1. Compliance and Supervision programs

Under the PCMLTFA, Investment Dealers must establish an AML/ATF compliance program.6 The PCMLTF Regulations7 set out specific requirements, including:

  • the appointment of a person responsible for the compliance program,
  • the development and application of compliance policies and procedures that are up to date and approved by a senior officer,
  • regular assessment and documentation of the risk of a money laundering or terrorist financing offence being conducted through the firm, and implementation of measures to mitigate high-risk scenarios,
  • an ongoing documented compliance training program for employees8 of the firm, and
  • a review of the compliance program to test their effectiveness to be conducted every two years by an internal or external auditor.

Under IDPC Rules 1400 and 3900, Investment Dealers are required to establish a compliance and supervision program. An Investment Dealer’s AML compliance program could be a part of its compliance and supervision program.

FINTRAC’s Compliance program requirements guidance contains details on specific AML requirements for compliance programs.

  1. Designation of an AML compliance officer

An Investment Dealer must designate a person responsible for its anti-money laundering program (AML Compliance Officer)9 .

Based on the roles and responsibilities of the Chief Compliance Officer (CCO) set out in IDPC Rule 3900, a CCO could be appointed as the AML Compliance Officer responsible for the AML/ATF compliance program, including approving policies and procedures. While this could help the CCO ensure integration of AML/ATF procedures into the firm’s compliance program, Investment Dealers may want to assess their CCO’s duties first to determine whether they have the capacity to fulfill this additional function.

Investment Dealers’ AML Compliance Officers should remain up-to-date with AML/ATF rules and risks. If CCOs deal with day-to-day regulatory issues, changes to securities regulations and to AML/ATF requirements, they may not have enough time to maintain the knowledge needed to oversee an effective AML/ATF regime. If this is the case, the Investment Dealer may want to consider designating a different qualified individual as the AML Compliance Officer.

  1. Enterprise AML/ATF departments

Some Investment Dealers maintain enterprise AML/ATF departments across the Investment Dealer and its affiliates. As set out above, these Investment Dealers must designate an AML Compliance Officer; however, that person can report to both the enterprise group and the Investment Dealer’s senior management . The Investment Dealer remains responsible for its own AML/ATF program and cannot delegate this responsibility to an enterprise group. Investment Dealer senior management must be kept informed of significant issues. In addition, where the AML rules require approval of a senior officer, it should be the Investment Dealer’s senior officer.

For further guidance on the appointment of an AML Compliance Officer, Investment Dealers can consult FINTRAC’s Compliance program requirements guidance.

  1. Anti-money laundering policies and procedures

An Investment Dealer’s AML/ATF program should include systems and controls designed to prevent and detect money laundering and terrorist financing and to comply with applicable laws.

Investment Dealers can combine their policies and procedures for compliance with AML/ATF rules with other requirements pertaining to securities laws and Corporation requirements10 . However, Investment Dealers should not rely solely on systems and procedures designed to prevent money laundering and terrorist financing to meet securities requirements, such as suitability.

As a best practice, Investment Dealers should integrate AML/ATF policies and procedures with other compliance and supervisory procedures. This will ensure AML/ATF compliance is a part of the business and will not be duplicative. While learning materials outlining specific AML/ATF procedures are a useful part of an education process, integration into the firm’s overall know-your-client (KYC), compliance and supervisory procedures ensure that they become part of the established practice.

Investment Dealers should review their AML/ATF procedures regularly and update them as needed based on any legal/regulatory or business/operational changes.

Investment Dealers may want to consult FINTRAC’s Compliance program requirements guidance for more details on AML/ATF compliance policies and procedures.

  1. Client account forms

As a best practice, Investment Dealers should address AML/ATF client information requirements in their new account forms and related documents. To assist clients in accurately completing their forms, Investment Dealers should include definitions where appropriate. For example, a question on an application regarding who is a politically exposed person or head of an international organization should have a definition of those terms, especially if clients complete the form.

  1. Enterprise risk assessment

Investment Dealers must conduct a money laundering/terrorist financing risk assessment of their business. Section 156 of the PCMLTF Regulations lists the minimum factors to consider in assessing this risk:

  • clients and business relationships,
  • products, services and delivery channels,
  • geographic location of activities,
  • impact of new developments and new technologies on clients and business activities before their implementation,
  • risks of an affiliate, and
  • other relevant factors.

FINTRAC has many tools to assist Investment Dealers in conducting risk assessments. Investment Dealers may want to consult the following when establishing and conducting risk assessments:

  1. Training

Investment Dealers must train all employees with respect to AML/ATF procedures, including the detection of attempted and/or completed suspicious transactions and compliance with AML rules and Corporation requirements.

  1. Minimum requirements

Investment Dealers should tailor the contents of this AML/ATF training to reflect their business model. They should address at minimum:

  • the Investment Dealer’s KYC policy and procedures,
  • the roles of client-facing Approved Persons, operations, Supervisors, management and others,
  • Investment Dealer potential indicators of suspicious activity,
  • rules and regulations for reporting currency transactions (if applicable) and suspicious transactions,
  • Investment Dealer procedures for reporting unusual transactions and reporting suspicious transactions, and
  • civil and criminal penalties associated with money laundering and terrorist financing.

Investment Dealers should also maintain a record of all individuals who participated in the training.

  1. Keeping training current

Investment Dealers should update their training materials to reflect any developments, new techniques or money laundering trends identified by various government agencies such as FINTRAC and the Financial Action Task Force (FATF).

  1. Tailoring Training

Investment Dealers should consider tailoring their training for different roles within the firm. For example, while Approved Persons with direct client contact may be in the best position to identify suspicious activity, other departments such as treasury, operations, margin, credit, corporate security, audit, legal and compliance should be able to identify red flags for their areas of activity.

  1. Review program

Under the PCMLTF Regulations, an Investment Dealer’s internal or external auditors must conduct a compliance effectiveness review of the Investment Dealer’s AML program at least once every two years.11 At a minimum, the review should cover the topics discussed in sections 3.2, 3.3 and 3.4.

Following this review, Investment Dealers must report in writing the following to senior management:

  • their findings, including any deficiencies identified, planned corrective actions, and implementation timelines, and
  • any policies and procedure updates and their implementation status.12

Investment Dealers should include this report (or a summary of it) in the CCO’s annual report to the Board on compliance matters.13

  1. Client due diligence


  1. Client due diligence requirements

The PCMLTF Regulations establish specific “client due diligence” (CDD) requirements, which include information gathering, client identity verification and record keeping. IDPC Rule 3200 contains similar requirements, including KYC and client identification rules. We expect Investment Dealers will leverage the same client information to satisfy their obligations under both the IDPC Rules and the PCMLTF Regulations.

The IDPC Rules and the PCMLTF Regulations sometimes require Investment Dealers to look at client information from different perspectives and consider different or additional elements. The purpose of the PCMLTFA is to detect and deter money laundering and terrorist financing. CIRO’s primary mandate is to protect investors and support healthy capital markets. These different objectives may result in inconsistencies between the two sets of requirements. Investment Dealers should be aware of these different objectives when collecting CDD information.

For example, under the AML rules, Investment Dealers are required to collect information on the purpose and intended nature of a business relationship (as discussed further in section 4.3 of this Guidance).14 The objective of collecting this information is to detect if any client transactions are suspicious and could indicate money laundering or terrorist financing. The IDPC Rules require Investment Dealers to collect their client’s investment objectives to ensure the investments in their clients’ accounts are suitable for them. An Investment Dealer may collect the same information under both requirements, but may not be using it for the same purpose.

  1. Keeping client information current

The PCMLTF Regulations and the IDPC Rules require Investment Dealers keep CDD and KYC information up to date. Subsection 3202(3) of the IDPC Rules requires an Investment Dealer to take reasonable steps to keep client identification information current. Investment Dealers must also take reasonable steps to update this information within a reasonable time after they become aware of a material change in the client’s KYC information.15 As a best practice, Dealers should use these KYC and client due diligence information update touchpoints as an opportunity to meet AML rule requirements.

  1. Business Relationship Records

  2. Business Relationships

Under the PCMLTF Regulations, firms must establish and maintain records relating to business relationships (Business Relationship Record), in addition to basic client identification requirements.16 A business relationship exists when:

  • a person opens an account with an Investment Dealer, or
  • a person conducts two or more transactions within a five-year period that require the Investment Dealer to ascertain the identity of the client.17

If a client maintains multiple accounts with an Investment Dealer associated with various products and services, the Investment Dealer should consider the business relationship as a whole when conducting the risk assessment and resulting monitoring.

  1. Documentation

Investment Dealers must document the purpose and intended nature of each business relationship.18 They should include the client’s intentions for the assets held within its account(s).

Investment Dealers may use the client’s investment objectives to inform the purpose and intended nature of the business relationship. For business relationships involving multiple accounts, the Investment Dealer should include all accounts when documenting the purpose and intended nature of the business relationship.

  1. Periodic updating

Investment Dealers must keep the Business Relationship Record current.19 The Business Relationship Record helps Investment Dealers anticipate client activities. Through ongoing monitoring, Investment Dealers may notice a deviation from anticipated client activity triggering them to reassess the client’s risk level. Investment Dealers may also need to reassess the client’s KYC and/or the suitability of its overall portfolio.

As noted in section 4.2, Investment Dealers can update client information during their periodic meetings with clients. If the client’s beneficial ownership has changed, the Investment Dealer must determine who owns or controls the entity by complying with Part A of IDPC Rule 3200 and section 138 of the PCMLTF Regulations20 . The Investment Dealer must record the information obtained to update the client’s beneficial ownership information.

Investment Dealers must review high risk business relationships at a frequency appropriate to their risk21 . Investment Dealers should determine the frequency of the review based on their risk assessment. Investment Dealers should document the high risk nature of the business relationship in their risk assessment.

  1. Client risk assessment

Investment Dealers must conduct a risk assessment for all clients.22 In certain cases, a business relationship may exist even if the client has not opened an account. For example, an investment banking relationship does not necessarily involve opening a client account. In this case, the Investment Dealer may not be required to ascertain identity under the AML rules nor document or monitor the business relationship. However, the Investment Dealer must still conduct a risk assessment based on a number of factors:

  • the products, services and channels23 the client uses,
  • where the client lives or which countries they transact in, and
  • the client’s characteristics, activities and transaction patterns.24

Investment Dealers should use the information contained in the Business Relationship Record to identify risk factors that apply to the overall business relationship.

For more information on the PCMLTF Regulations’ client due diligence and business relationship requirements, including ongoing monitoring and risk assessments, please consult the following FINTRAC Guidance:

  1. Introducing and Carrying Brokers’ obligations

PCMLTF Regulations exempt carrying brokers from CDD for clients of introducing brokers whose accounts they carry25 . Introducing brokers are responsible for conducting CDD. The PCMLTF Regulations are silent on introducing broker/carrying broker arrangement types, so this exception applies to all types of arrangements. However, this exception covers only the PCMLTF Regulations’ CDD requirements; it does not cover large cash transactions and suspicious transactions reporting requirements.

Regardless of this exception, under the IDPC Rules, we consider a client to be a client of both the introducing and the carrying broker in all types of arrangements with respect to the services the carrying broker performs for the introducing broker.

As a best practice, we recommend introducing and carrying brokers address AML/ATF compliance in their introducing broker/carrying broker agreements. At minimum, these agreements should address the following:

  • which party is responsible for anti-money laundering procedures,
  • the information the introducing firm needs to conduct CDD in the case the carrying broker provides standard account documentation forms,
  • reports the carrying broker will provide to the introducing broker to fulfill its transaction monitoring responsibilities,
  • what support the carrying broker will provide, such as checking of client names against terrorist lists,
  • compliance with record keeping and access requirements, and
  • if clients can deal directly with the carrying firm to conduct transactions such as deposits, withdrawals and wire transfers, there should be communication between the firms to enable proper monitoring for unusual activity.

Carrying brokers may decide to develop or enhance tools to assist introducing brokers in analyzing client transactions. These tools could include client account deposit and trade reports. Carrying brokers should disclose these reports to introducing brokers at the inception of the introducing/carrying relationship.

Introducing and carrying brokers should communicate effectively when dealing with indications of unusual activity. For example, when a carrying broker reports a potentially suspicious activity to an introducing broker, the introducing broker should show the carrying broker how that activity has been addressed. Introducing brokers can advise their carrying broker of any other activity that should be reviewed.

Introducing and carrying brokers should advise anyone conducting an audit of their anti-money laundering procedures of their agreed responsibilities. Both Investment Dealers’ auditors should work together and share information to ensure both parties are executing their responsibilities according to applicable laws and requirements and the introducing/carrying broker agreement.

  1. Registered plan accounts

The PCMLTF Regulations exempt registered plan accounts, such as locked-in retirement plan accounts and registered retirement savings plan accounts from the following requirements26 :

  • client due diligence, including politically exposed persons and heads of international organizations requirements, under sections 94 and 119 of the PCMLTF Regulations, and
  • client account record keeping under section 29 of the PCMLTF Regulations.

The IDPC Rules do not include equivalent exemptions for registered plan accounts because our requirements have a different purpose. Investment Dealers must comply with Part A of IDPC Rule 3200 when opening all client accounts, including registered plan accounts. Investment Dealers must establish the identity of every client who opens a registered plan account using such methods that allow them to form a reasonable belief it knows the identity of the individual and by taking reasonable measure to confirm the information obtained.

While Investment Dealers must comply with Part A of IDPC Rule 3200 when opening registered plan accounts, they are not required to comply with the PCMLTF Regulations those accounts are exempted from, including the politically exposed persons and heads of international organizations requirements.

  1. Trading authorization

Subsection 3220(4) of the IDPC Rules requires Investment Dealers to record all individuals who have trading authorization over their clients’ accounts.

Under section 29 of the PCMLTF Regulations, Investment Dealers must record (amongst other items) every person authorized to give instructions on the account. Subsection 94(a) of the PCMLTF Regulations requires Investment Dealers ascertain the identity of every person who can give instructions with respect to an account.

Investment Dealers can use the information they collect under these PCMLTF Regulations on individuals authorized to give instructions to comply with subsection 3220(4) of the IDPC Rules.

  1. Non-individual clients

As discussed in section 5.1.1 of this Guidance, money launderers can use corporations and other non-individual accounts to shield their identity and make it more difficult to investigate their illegal conduct.

Part A of IDPC Rule 3200 was initially implemented to deter money laundering through such entities and to assist in market conduct investigations. While the IDPC Rules are intended to be consistent with similar provisions in NI 31-103 and with the PCMLTF Regulations, in certain respects, the IDPC Rules may still be more stringent than the PCMLTF Regulations27 . Investment Dealers must always comply with the strictest requirement.

  1. Client structure

IDPC Rule 3200 requires Investment Dealers to establish the identity28 of any individual who exercises control over any corporations, partnerships and trusts who are their client, in addition to these clients’ beneficial owners, beneficiaries and other controlling individuals. Investment Dealers should understand their clients’ ownership and control structure. Ownership and control are not always synonymous. Trustees can control a trust without being beneficiaries. Where a corporation has voting and non-voting shares, ownership may be separate from control. Accordingly, sub-clause 3204(1)(iii) of the IDPC Rules refers to beneficial ownership or control “of the voting rights attached to the outstanding voting securities of a corporation”. When establishing the identity of individuals who exercise control over the affairs of a partnership or trust, Investment Dealers should identify those individuals who have the power to influence the trusts' or partnerships’ affairs, regardless of the structure of the partnership or the trust.

  1. Direct or indirect control

IDPC Rule 3200 requires Investment Dealers to establish the identity29 of individuals who exercise “direct or indirect” control over 25% or more of a corporation. If a corporation is owned or controlled by other entities, the Investment Dealer must identify those individuals who ultimately have beneficial ownership or control over its clients. Where a client has multiple owners, the Investment Dealer should establish the ownership or control of each individual involved.

For example, if an individual owns 50% of the voting shares of a corporation that owns 25% of the voting shares the client, this individual owns directly 12.5% of the client. This individual’s ownership falls below our 25% threshold, so the Investment Dealer would not need to identify them. However, if the individual owned 100% of the voting shares of a corporation that owns 25% of the voting shares of the client, the Investment Dealer must identify the individual as they indirectly own 25%. We included a chart in Appendix I that shows the calculation of percentage indirect ownership in a multi-level ownership structure.

PCMLTF Regulations require Investment Dealers to obtain the name and address of anyone owning, directly or indirectly, 25% or more of a corporation or other entity.30 By complying with IDPC Rule 3200, Investment Dealers will comply with the PCMLTF Regulations.

However, if a client is considered high risk, as a best practice, Investment Dealers may consider whether to identify individuals who own or control less than 25%. For example, if an Investment Dealer suspects that a client has an ownership structure designed to dilute or obscure the account’s true beneficial owners, as a best practice, it may consider identifying individuals who own or control less than 25% of the company.

Investment Dealers must record the measures taken and the information obtained in determining beneficial ownership.31 Investment Dealers must maintain these records for all non-individual clients, regardless of their structure.32

  1. Establishing identity

IDPC Rule 3200 requires Investment Dealers to establish the identity of:

  • individual beneficial owners of 25% of corporations,
  • individuals who exercise direct or indirect control or direction of 25% of corporations, and
  • individuals who exercise control over partnerships and trusts.

This rule does not specify any method of establishing these individuals’ identity. We require Investment Dealers use “such methods that allow the Investment Dealer to form a reasonable belief that it knows the identity of the individual and by taking reasonable measures to confirm the accuracy of the information obtained.”33 The PCMLTF Regulations require Investment Dealers “take reasonable measures to confirm the accuracy of the information when it is first obtained”.34 FINTRAC’s Beneficial ownership requirements guidance goes into detail on how Investment Dealers should confirm this information.

Although the IDPC Rules do not specify a method, Investment Dealers are required to comply with the PCMLTF Regulations as outlined in the following FINTRAC guidance:

If an Investment Dealer complies with the requirements outlined in this FINTRAC guidance, we would consider this a reasonable method of establishing the individual’s identity.

  1. Identity verification timing

IDPC Rule 3200 requires Investment Dealers to establish the identity of beneficial owners and individuals who exercise control over corporations, partnerships and trusts “as soon as it is practicable, but not more than 30 days after opening the account.” While 30 days is the maximum amount of time, Investment Dealers should begin their efforts at as soon as possible. IDPC Rule 3200 is consistent with the PCMLTF Regulations, which require that the existence of the corporation or another entity be verified within 30 days of account opening.

Under section 138 of the PCMLTF Regulations, an Investment Dealers can open an account for a corporation or another entity without obtaining and confirming details about its beneficial owners, beneficiaries and other controlling individuals, provided the Investment Dealer meets certain conditions, including ascertaining the identity of the entity’s chief executive officer or the person who performs that function and taking special measures, including:

  • taking enhanced measures to verify the entity’s identity, and
  • updating client identification information and conducting ongoing monitoring of the business relationship more frequently.

However, under section 3206 of the IDPC Rules, if an Investment Dealer cannot establish the beneficial owners’ and the controlling individuals’ identity within 30 days, it must limit trading in the account.

If an Investment Dealer cannot obtain and verify the necessary client information, it should review the situation to determine if any suspicious transaction reporting is required.

  1. Exceptions to client identification requirements

Section 3207 of the IDPC Rules contain exceptions for certain entities from our client identification requirements. Such entities include:

  • Canadian financial institutions and their affiliates,
  • Canadian securities registrants,
  • Authorized foreign banks or Schedule III banks,
  • Canadian pension funds, and
  • Canadian public bodies or corporations (or their affiliates) with minimum net assets of $75 million:
    • whose shares are traded on a Canadian stock exchange or a stock exchange designated under subsection 262(1) of the Income Tax Act, and
    • who operate in a country that is a member of the Financial Action Task Force.

Section 154(2) of the PCMLTF Regulations contain similar exceptions, with some key distinctions. For instance, while the PCMLTF Regulations have exceptions for accounts where a Canadian financial institution or Canadian securities registrant provides instructions, our rules do not provide exceptions for these account types. However, Investment Dealers must still comply with the IDPC Rules KYC requirements. We expect Investment Dealers will establish the identity of every client who owns a registered plan account in accordance with IDPC Rule 3200. Prohibition on shell banks

Sections 3205 of the IDPC Rules prohibit Investment Dealers from opening or maintaining accounts for any shell bank. Sub-section 3205(1) defines a shell bank as a bank that does not have any physical presence in any country.

The exceptions discussed in section 4.7.5 of this Guidance do not exempt affiliates of Canadian financial institutions from this prohibition on shell banks.

  1. Politically Exposed Persons and Heads of International Organizations

IDPC Rules do not include any specific requirements on politically exposed persons or heads of international organizations. IDPC Rule 3200 requires Investment Dealers to use due diligence to learn and remain informed of the essential facts relative to each client. We consider information collected under the PCMLTFA on a client’s status as a politically exposed person or head of an international organization to be essential facts.

For more information on the PCMLTFA’s politically exposed persons and heads of international organization requirements, consult FINTRAC’s guidelines “Politically exposed persons and heads of international organizations” and “Politically exposed persons and heads of international organizations guidance for account-based reporting entity sectors”.

  1. Key risk indicators for Investment Dealers

Investment Dealers can identify potential risk indicators based on specific client behaviours. In this section, we outline key risk indicators for Investment Dealers. If a client exhibits any of the following behaviours or if the Investment Dealer is concerned these behaviours could be occurring, it should investigate further.

Even if the Investment Dealer decides not to open an account or conduct a transaction, it should consider whether it has reasonable grounds for filing a suspicious transaction report. Section 6 deals with suspicious transactions.

For more information on key money laundering and terrorist financing risk indicators, consult FINTRAC’s guidance on “Money Laundering and Terrorist Financing Indicators – Securities Dealers”.

  1. Client due diligence risks


  1. Clients with complex ownership structures

Some non-individual clients (such as trusts or corporations) can have complex ownership structures that obscure the true beneficial owners of the account. The client identity requirements in Part A of IDPC Rule 3200 are intended to “pierce the corporate veil” and identify the account’s true beneficial owner. If the Investment Dealer is finding it challenging to fulfill these requirements, it may be an indication of a complex ownership structure.

These clients can use off-book transactions, offshore accounts and nominees to further obscure true beneficial ownership. Clients may use accounts in one country as a “pass through” for accounts in other countries. This can indicate tax evasion, which is a predicate offence to money laundering.

If individuals want to use an entity to obscure the source of their funds or hide beneficial ownership, they may structure that entity’s ownership to avoid our beneficial ownership requirements. For instance, an individual may hold 24.9% of an entity to avoid being caught above our 25% threshold. As a best practice in such cases, Investment Dealers should consider identifying such beneficial owners.

While Part A of IDPC Rule 3200 requires Investment Dealers to collect information on beneficial owners of 25% or more of a corporation, when faced with a client who is higher risk, as a best practice, an Investment Dealer should consider identifying beneficial owners of less than 25%.

  1. Using accounts for undeclared purposes

While Investment Dealers are required to record the intended use of each client’s account, it can be challenging to monitor whether the client is using its account for undeclared purposes. We expect the recorded intended use to be consistent with:

  • client’s KYC information, including its investment objectives and time horizon, and
  • transactions in the client’s account(s), including the types of securities purchased.

If not, the Investment Dealer should conduct further investigation.

  1. Trading risks


  1. Over-the-Counter (OTC) securities

Companies with OTC securities are not required to provide much financial information. There is little demand for low cost or risky OTC securities, which are attractive to individuals, who can use them to move funds.

  1. Stock manipulation

Some forms of stock manipulation occur when a client, acting alone or with an Approved Person, artificially inflates or deflates the price of securities to make a profit. This is an example of the criminal activity taking place within the market, which could be a predicate offence to money laundering. This risk may appear in conjunction with the OTC securities risk described in section 5.2.1.

  1. Low-priced securities

While low-priced securities may indicate an under-valued issuer, they could also be associated with fraudulent or potentially fraudulent companies. This risk may appear in conjunction with the OTC security risk in section 5.2.1, but may also be present with publicly traded issuers on regulated markets. If a client frequently trades in low-priced securities this could indicate suspicious activity, especially if:

  • the client immediately liquidates or transfers the proceeds, or
  • the client does not provide a reasonable rationale for the trade.

Trading in low-priced securities could be used by individuals to obscure the trace of the funds.

  1. Inactive issuers and shell companies

If an issuer does not have an active business or an active investor base, this could be an indication of a shell company. Shell companies are often used by individuals to launder money. Other indicators of a shell company include:

  • no brick and mortar locations or locations which are shared with other companies or law firms,
  • frequent changes to name, business plan or structure, or
  • issuer information is hard to obtain or is fraudulent or misleading.

Trading in shell companies or inactive issues could indicate potential money laundering or fraud.

  1. Non-trading risks


  1. Cash deposits or withdrawals

Almost all client accounts at Investment Dealers are funded by either account transfers from other firms or direct deposits from Canadian banks or credit unions. Funds are usually removed from accounts in similar ways. As such, most transactions are conducted with other Canadian financial institutions subject to the same AML rules. If a client requests a cash deposit or withdrawal directly from the Investment Dealer, this could be an indicator of potential money laundering or terrorist financing as the client would remove funds from the regulated Canadian financial system.

  1. Physical certificates deposits

The vast majority of securities are now traded electronically and physical certificates are rare. When physical certificates are deposited into a brokerage account, there is little information confirming the source of funds or how the client obtained them. As a result, there is a greater risk that they could be used by criminals to obscure the source of their money.

  1. Early redemption of securities

Certain GICs and mutual funds can incur fees when sold early or prior to maturity. If a client is selling securities early and incurring a fee without a plausible explanation, this could indicate money laundering. Criminals may invest in these products to hide the source of their wealth and then sell them, making their money “clean”.

  1. Requesting proceeds in the form of negotiable instruments

Proceeds of the sale of securities are typically held within a client’s account(s), usually to be reinvested or transferred to its bank account. Individuals might instead ask for the proceeds using bank drafts or certified cheques to disguise the true source and ownership of the funds.

  1. Transfer of funds between accounts

Individuals may transfer money frequently between accounts, theirs or their family members’, to layer transactions and distance their money from its criminal origin. Investment Dealers should be suspicious of accounts used solely as conduits to transfer funds without legitimate securities transactions.

Likewise, Investment Dealers should also be wary of frequent changes of ownership between accounts of related or connected individuals and cross-border money movements.

  1. Suspicious transactions

FINTRAC has issued the following guidelines on suspicious transactions:

  1. Account Supervision requirements

IDPC Rule 3900 requires Investment Dealers supervise all account activities to ensure compliance with Corporation requirements, securities laws and other applicable laws, including the PCMLTF Regulations and the PCMLTFA.35

Investment Dealers’ policies and procedures should provide for, amongst other things:

  • identification of clients presenting a high AML risk to the Investment Dealer,
  • identification of clients presenting a high risk of conducting improper activities in the securities markets, and
  • screening of trading activity to detect issues for further enquiry or investigation.

Investment Dealers should consider “high risk” to include a high risk of conducting fraudulent securities activities, which are predicate money laundering offences and/or could be indications of money laundering and terrorism funding.

CIRO’s Universal Market Integrity Rules (UMIR) Rule 7.1 also includes trade supervision requirements that apply to Investment Dealers who are also Participants36 . For the purposes of UMIR 7.1, a supervision system must consist of both policies and procedures aimed at preventing violations from occurring and compliance procedures aimed at detecting whether violations have occurred.37

IDPC Rule 3900 also requires Investment Dealers’ account supervision programs to detect the following (among other items):

  • unsuitable trading,
  • excessive trade activities,
  • trading in restricted securities,
  • excessive trade transfers and trade cancellations indicating possible unauthorized trading,
  • inappropriate or high risk trading strategies,
  • excessive or improper crosses of securities between clients,
  • manipulative and deceptive activities, and
  • insider trading.

The PCMLTFA requires that Investment Dealers report attempted and completed suspicious transactions. The PCMLTFA and PCMLTF Regulations also require Investment Dealers to conduct ongoing monitoring of their business relationships with clients. Investment Dealers can use their account supervision program to meet the AML rules’ transaction and activity monitoring requirements.

For example, Investment Dealers may detect suspicious transactions through account supervision. Insider trading and manipulative and deceptive trading activities are considered predicate money laundering offences under the Criminal Code (RSC 1985, c. C-46). If an Investment Dealer detects these types of activities through its supervision program, it should consider reporting these activities to FINTRAC as a suspicious transaction. It is very difficult to separate a transaction that is part of a market-based criminal offense from a transaction designed to launder the proceeds of crime.

Investment Dealers can find information on common suspicious transactions in the securities industry in the FINTRAC’s guidance , Money Laundering and Terrorist Financing Indicators – Securities dealers.

  1. Account Supervision programs and ongoing monitoring

An Investment Dealer Member’s account supervision program can range from the manual monitoring of significant transactions or activities to the use of automated supervision systems38 . Once an Investment Dealer determines the appropriate method to supervise account activity effectively, it should adopt appropriate related procedures.

The frequency and nature of the monitoring should be commensurate with the risk level of the business relationship. More frequent monitoring will be required for high-risk business relationships. An Investment Dealer’s policies and procedures should document at minimum:

  • the actual monitoring processes,
  • the required frequency, and
  • the rationale to support the monitoring processes.

Investment Dealers should use the Business Relationship Record to determine whether transactions or activities are consistent with the client’s information, including that client’s risk assessment. The ongoing monitoring program can detect suspicious transactions and indicate when an Investment Dealer should reassess the client’s risk level.

Although Investment Dealers frequently use risk-based supervision and monitoring procedures and focus on higher risk products, services and clients, they are still required to monitor all clients and business relationships. For example, while Investment Dealers may decide to monitor high risk clients more frequently than low risk clients, they must still monitor low risk clients. “Low risk” is not “no risk” and Investment Dealers should pay attention to all types of suspicious activities.

Investment Dealers should compare individual transactions to other account activities and the client’s profile to determine whether they are suspicious. Investment Dealers should examine transactions seeming to lack a reasonable economic basis or recognizable strategy based on the particular client.

Investment Dealers should provide examples of potentially suspicious activity to all appropriate personnel and incorporate these into their anti-money laundering policies, procedures and training materials. Investment Dealers should advise their employees that they must escalate and report any suspicious activity to FINTRAC.

  1. Enhanced measures for high risk business relationships

Investment Dealers can also implement additional enhanced measures for high-risk clients beyond frequently updating client identification information and more frequent monitoring of client activity. FINTRAC’s Compliance program requirements guidance includes a list of potential enhanced measures Investment Dealers can take.

  1. Other Compliance and Supervision systems and procedures

Investment Dealers may find reviewing gatekeeper reports on market manipulation or insider trading filed under UMIR Rule 10.16 to be helpful sources when determining which transactions should be reported to FINTRAC as suspicious.

Investment Dealers should also review improper activities by employees or agents such as internal theft, fraud or conspiracy to manipulate a market to determine whether to report them to FINTRAC as a suspicious transaction.

  1. U.N. suppression of terrorism reports and similar requirements

Investment Dealers are required to check client names against the lists of designated individuals and organizations under Canadian economic sanctions and report monthly on the results. Further information can be found on our predecessor IIROC’s website under “Sanctions Reporting System”.

Investment Dealers must conduct monthly reporting through our predecessor’s IIROC Services portal.

From time to time, the federal government passes other regulations that amend the reporting requirements.

Access to the password-protected reporting system is limited to authorized persons at each firm. Investment Dealers should have policies and procedures to ensure that client name checks are done and reports are filed on time. In addition, there must be a back-up for the person responsible for the reporting and a succession plan and training in case that person is not available.

  1. Applicable Rules

IDPC Rules this Guidance Note relates to:

  • Rule 1400,
  • Rule 3200, Part A and
  • Rule 3900.
  1. Previous Guidance Notes

This Guidance replaces:

  • GN-3200-21-007 – Anti-Money Laundering Compliance Guidance
  1. Appendices

Appendix AClient Due Diligence and Large Cash Transaction Requirements

Appendix BBackground

Appendix CPenalties for Violations of PCMLTFA

Appendix DClassification of Violations for Determining Administrative Penalties

Appendix EMembers of FATF

Appendix FStock Exchanges Recognized Under Section 262(1) of the Income Tax Act in FATF Member Countries

Appendix GReference Material

Appendix HClient Identification and Verification Requirements Comparison Chart

Appendix IBeneficial Ownership Diagram

Appendix A: Client Due Diligence and Large Cash Transaction Requirements

Information on the PCTFMLA, the PCTFML Regulations’ client due diligence and large cash transaction requirements can be found here:

  1. FINTRAC Guidance:
  1. Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations
  2. Proceed of Crime (Money Laundering) and Terrorist Financing Act


Appendix B: More Information on Money Laundering Legislation

1. Money Laundering Under the Criminal Code

The Criminal Code (RSC 1985, c. C-46) establishes offences on the possession of and dealings in the proceeds of crime, money laundering and the financing of terrorism.

1.1 Possession and Money Laundering Offences

It is an offence under section 354(1) of the Criminal Code to possess any property or the proceeds of any property knowing it was obtained by or derived from the commission of an indictable offence.

Section 462.31 of the Criminal Code addresses money laundering. It is an offence to use, transfer the possession of, send or deliver, transport, transmit, alter, dispose of or otherwise deal with any property or the proceeds of property with intent to conceal or convert the property, knowing or believing that all or a part of the property was obtained directly or indirectly by the commission of a designated offence.

Section 462.3(1) of the Criminal Code defines a designated offence, often called a predicate offence, as any indictable offence under any Act of Parliament other than offences established by regulations.

Designated offences of particular interest to Investment Dealers include:

  • Offences relevant to the securities markets:
    • breach of trust,
    • fraud,
    • stock market manipulation,
    • insider trading, and
    • money laundering itself.
  • Terrorism and the financing of terrorism because of special client due diligence and reporting requirements under various regulations described below.
  • Bribery and corruption because of the provisions regarding secret commissions and the PCMLTFA requirements regarding politically exposed foreign persons described in this guidance.

Investment Dealers should also be aware of the wide variety of designated offences, including:

1.2 Penalties for Possession of the Proceeds of Crime

The maximum punishment under the Criminal Code for possession of proceeds of crime is ten years’ imprisonment, if the offence is considered an indictable offence. If the offence is punishable on summary conviction, the

the maximum penalty is two years’ imprisonment or a $5,000 fine or both.

1.3 Terrorist Property and Financing

Knowingly dealing, facilitating transactions or providing financial services in respect of terrorist property is an offence under section 83.08(1) of the Criminal Code punishable by a maximum of 10 years’ imprisonment.

2. PCMLTFA Requirements Applicable to Investment Dealers

2.1 The Proceeds of Crime (Money Laundering) and Terrorist Financing Act

The requirements for financial institutions to implement anti-money laundering mechanisms are based on Proceeds of Crime (Money Laundering) and Terrorist Financing Act (RSC 2000, c. 17) (PCMLTFA).

2.2 Regulations

Most of the specific AML/ATF requirements are contained in regulations under PCMLTFA. The five regulations applicable to Investment Dealers are:

2.3 Offences and Penalties under PCMLTFA

Violations of the PCMLTFA can result in up to a $2 million fine and 5 years’ imprisonment for the most serious offences.

2.4 Administrative Penalties

Violations are classified as minor, serious or very serious. Maximum penalties are a $1,000 fine for a minor violation, a $100,000 fine for a serious violation and a $100,000 (individual) or $500,000 (entity) fine for a very serious violation.

Part 4.1 of PCMLTFA contains more details on the procedures for the imposition of administrative penalties.


Appendix C: Penalties for Violations of PCMLTFA

This information is available on FINTRAC’s Penalties for non-compliance website.


Appendix D: Classification of Violations for Determining Administrative Penalties

This information is available on FINTRAC’s Administrative monetary penalties website.


Appendix E: Members of FATF (Financial Action Task Force)

This information is available on FATF’s FATF Members website.


Appendix F: Stock Exchanges Recognized Under Section 262(1) of the Income Tax Act in FATF Member Countries

This information is available on the Department of Finance’s Designated Stock Exchanges website.


Appendix G: Reference Material

Financial Action Task Force Recommendations

FATF Recommendations

Additional Guidance

FATF: Risk-based Approach Guidance for the Securities Sector
FATF: Canada's measures to combat money laundering and terrorist financing
FINTRAC Information for Securities Dealers
Minister of Finance – Ministerial DirectivesFINTRAC website – Ministerial directives and transaction restrictions


Appendix H: Client Identification and Verification Requirements Comparison Chart

RequirementAML RulesIDPC Rules
Beneficial owners and beneficiaries                 
(information firms must collect on the client)

Information on the ownership, control and structure of the entity



  • Names of all directors
  • Names & addresses of those who own or control 25% or more of the shares of a corporation

Entities other than corporations:

  • names and addresses of those who own or control 25% or more of the entity


  • the names and addresses of all trustees and all known beneficiaries and settlors of the trust

Identity of:

  • beneficial owners of more than 25% of a corporation
  • individuals who exercise control over affairs of a partnership or trust

Names & addresses of:

  • all directors of a corporation
  • all trustees, known beneficiaries and settlors of a trust
Establishing identity                 

  • confirm information
  • establish information (as per s.3206 in Appendix C)
(how long firms have to verify/establish/ confirm the information)

Entities - 30 days

Individuals – before the first transaction other than the initial deposit

  • 30 days
  • financial entity or affiliate that carries banking, life insurances or securities activities (bank, credit union, caisse populaire, trust and loan companies)
  • registered plans
  • regulated pension fund
  • securities dealer
  • investment fund
  • life insurance company
  • public body or large publicly-traded corporation
  • Canadian registered firm
  • Canadian investment fund
  • Canadian financial institution
  • Schedule III bank
  • public body or large publicly-traded corporation

(Note: the Rule Amendments clarify that foreign financial entities are not exempt.)


Appendix I: Beneficial Ownership Diagram

This diagram shows the calculation of percentage indirect ownership in a multi-level ownership structure:

Beneficial Ownership Diagram
IndividualOwnership Calculation (of SJ Enterprises)Is Beneficial Ownership Information Required?
Mr. Bill0.35 X 1.00 X 0.50 = 0.175 = 17.5%No*
Mr. Hunt0.65 X 1.00 X 0.50 = 0.325 = 32.5%Yes
Ms. Smith0.40 X 1.00 X 0.20 = 0.080 = 8.00%No*
Ms. Best0.60 X 1.00 X 0.20 = 0.120 = 12.0%No*
Mr. Smith10.0%No*
Mr. Hunter3%No*
Ms. Little7.0%No*
Mr. Smart10%No*

*Beneficial ownership information may be required if the client is high risk or if there are any red flags.

  • 2Bulletin 23-0089 for more information on CIRO’s rulebook consolidation.
  • 3FINTRAC administers PCMLTFA and associated regulations.
  • 4See Part A of IDPC Rule 3200, specifically section 3202.
  • 5See Part A of IDPC Rule 3200, specifically sections 3203 through to 3207.
  • 6See section 9.6 of the PCMLTFA.
  • 7See section 156 of the PCMLTF Regulations.
  • 8Where the term “employee” is used with reference to Investment Dealers, it includes Registered Representatives in a principal/agent relationship with an Investment Dealer Member and any employees of an agent who are engaged in the Investment Dealer Member’s business. 
  • 9See section 156 of the PCMLTF Regulations.
  • 10As defined in section 1201(2).
  • 11See section 156 of the PCMLTF Regulations.
  • 12See section 156 of the PCMLTF Regulations.
  • 13As required by IDPC Rules sub-section 3915(1).
  • 14See section 145 of the PCMLTF Regulations.
  • 15See subsection 3209(3) of the IDPC Rules. We discuss these requirements further in GN-3400-21-004.
  • 16See section 145 of the PCMLTF Regulations.
  • 17See section 4.1 of the PCMLTF Regulations.
  • 18See section 145 of the PCMLTF Regulations.
  • 19See section 123.1 of the PCMLTF Regulations.
  • 20As described in Notice 19-0145, Part A of IDPC Rule 3200 was amended to materially conform with section 11.1 of the PCMLTF Regulations.
  • 21See section 157 of the PCMLTF Regulations.
  • 22See section 123.1 of the PCMLTF Regulations.
  • 23As discussed in FINTRAC’s Compliance program requirements guidance.
  • 24See section 156 of the PCMLTF Regulations.
  • 25See the PCMLTF Regulations section 154(2)(p).
  • 26 See PCMLTF Regulations section 154(2)(i)
  • 27See Appendix H for more details.
  • 28See IDPC Rule section 3206 and section 4.7.3 of this Guidance for details.
  • 29See IDPC Rule section 3206 and section 4.7.3 below for details.
  • 30See section 138 of the PCMLTF Regulations.
  • 31See section 138(3) of the PCMLTF Regulations. See also section 3804 of the IDPC Rules.
  • 32See section 138(3) of the PCMLTF Regulations. See also section 3804 of the IDPC Rules.
  • 33See IDPC Rules, section 3206.
  • 34See subsection 138(2) of the PCMLTF Regulations.
  • 35See IDPC Rule clause 3904(2)(ii).
  • 36See section 1.1 of UMIR for a definition of “Participant”.
  • 37See UMIR Policy 7.1.
  • 38The use of an automated supervision system may require CIRO approval or discussion. Please contact your Business Conduct Compliance Manager.