The cyberattack that hit Canada’s anti-money-laundering watchdog has left some businesses unable to submit information about transactions to the agency for weeks, sparking concerns that some financial reporting could be slipping through the cracks.
Many businesses are legally required to report certain transactions – including suspicious ones and those involving large sums of cash or virtual currency – to the Financial Transactions and Reports Analysis Centre of Canada, also known as FinTRAC. The businesses that report to the watchdog include financial institutions such as banks, money services businesses, securities dealers, real estate brokers and casinos. The total volume of reporting is large: FinTRAC receives an average of 35 million financial transaction reports each year.
However, the FinTRAC systems through which many of these reports are filed have been offline for more than two weeks as the watchdog deals with a cyberincident it first identified on March 2. The agency disclosed the attack the following day but did not provide any details, including whether any ransom payments are being sought, stating only that its intelligence or classified systems were not involved.
In a March 11 update, the agency said it “continues to work closely with its federal partners, including the Canadian Centre for Cyber Security (Cyber Centre), to investigate and manage” the incident.
FinTRAC has advised businesses to continue identifying and documenting all reportable transactions and to be ready to file them once the system is back online.
“No enforcement actions (e.g., administrative monetary penalties) will result from late reporting until further reporting instructions are provided by FinTRAC,” the watchdog said in a statement to The Globe and Mail.
However, experts have expressed concerns about the fact that reports are not being submitted.
“Financial intelligence is definitely hampered. If you’re not getting the reports, how are you going to report to law enforcement?” said Joseph Iuso, executive director of the Canadian Money Services Business Association.
“I think that’s definitely a big impact for the financial security stability of Canada,” he added.
That sentiment was echoed by Adam Atlas, a fintech and crypto lawyer who advises money services businesses and other payments companies.
“It’s impossible for them to not miss suspicious activity that is ongoing right now,” said Mr. Atlas. “There’s this whole swath of data that’s just not being put in the system.”
FinTRAC noted that businesses are still able to report large cash transactions and large virtual currency transactions to the watchdog if they are set up to use a new portal that FinTRAC has been gradually deploying.
All of FinTRAC’s major reporters, which submit approximately 96 per cent of the reports it receives annually, are able to file large cash transaction reports through the new portal, the watchdog said.
“FinTRAC continues to receive reporting. The Centre is also actively disclosing financial intelligence in support of the money laundering and terrorist financing investigations of Canada’s law enforcement and national security agencies,” reads a second statement provided by FinTRAC.
However, many money services businesses are not yet integrated with the new portal, according to Mr. Iuso as well as several consultants who advise companies in the sector. Some of those consultants have been telling their clients to send FinTRAC paper reports until the systems are restored.
“I have been advising them to protect themselves and to submit their forms through courier to FinTRAC’s offices,” said Angela Chartrand, the founder of Sentinence, an advisory and consultation firm specializing in anti-money-laundering compliance.
Amber Scott, CEO and co-founder of consultancy firm Outlier Solutions Inc., said that although FinTRAC has vowed not to penalize businesses for filing their reports late, “the longer the outage goes on, the more likely it is for reporting entities to end up with a significant backlog of filings that will take them a long time to file.”
Mr. Iuso, who is part of the Canadian Anti-Fraud Centre’s Financial Crime Intelligence Sharing Group, said that in some cases, the reports that are submitted to FinTRAC contain information that needs to be acted on quickly.
“My understanding is that a lot of them are somewhat time sensitive, especially when there’s cases involving fraud or scams, where the faster the information comes, the better.”
That time sensitivity might be exactly why the watchdog was targeted, said Sam Cousins, senior associate of sanctions, ransomware and risk at the Association of Certified Anti-Money Laundering Specialists.
“Some of these groups target these types of institutions simply because they know that if it’s a critical type of role, they’ll be more likely to pay out,” said Mr. Cousins, speaking about hackers.