Canada’s financial intelligence unit is still working to bring all of its services back online more than five months after a cyberattack, creating headaches for some businesses and sparking concerns about gaps in the country’s anti-money laundering regime.
The Financial Transactions and Reports Analysis Centre of Canada, also known as FinTRAC, took some of its systems offline to protect its data after a cyber incident on March 2. The financial intelligence unit has not provided details of the attack, but noted on its website that it has “found no evidence that information was lost or that data was removed.”
Businesses such as banks, money services businesses, securities dealers, real estate brokers and casinos are legally required to report certain transactions to FinTRAC, including suspicious ones and those involving large sums of cash or virtual currency.
However, some of FinTRAC’s systems remain offline, as the watchdog is in the process of replacing them amid a push to modernize its digital infrastructure that began prior to the attack. Those offline services include the online platform that companies with lower reporting volumes use to flag transactions for the watchdog remains offline, as well as FinTRAC’s registration system for money services businesses.
Meanwhile, as of April, companies that report high volumes of suspicious transactions have been able to do so through FinTRAC’s new API system, which stands for application programming interface.
The watchdog has implemented some workarounds for the offline systems. For instance, businesses that are not able to file suspicious transaction reports through their usual channels are being asked to triage them, sending priority reports through Canada Post’s online ePost system and holding onto the others to submit once the online service is up and running.
However, Dwayne King, an anti-money-laundering compliance officer at WFCU Credit Union based in Windsor, Ont., said that, in order to be meaningful, intelligence needs to be timely.
Additionally, some organizations are likely finding it challenging to discern which suspicious transaction reports qualify as priority ones, Mr. King said, as they have not received adequate training or guidance.
“The fear of making a mistake is going to 100-per-cent make people file a ton of [suspicious transaction reports] that probably were not priorities,” he said.
Meanwhile, companies looking to newly register as Money Services Businesses (MSBs) with FinTRAC, as required by Canadian law, are advised to e-mail the watchdog while the registration portal remains offline.
However, Adam Atlas, a lawyer who advises MSBs and other payments companies, said prospective registrants are not receiving timely responses from the watchdog.
“There are new entrants into the Canadian market who simply cannot register with FinTRAC because FinTRAC does not reply to e-mails,” he said.
Mr. Atlas added: “It is a matter of national security that someone who is moving money around in Canada should actually be able to comply with Canadian law.”
FinTRAC spokesperson Mélanie Goulette Nadon said processing new registration requests is a priority for the agency.
“In July, FinTRAC has begun processing registrations received since its systems have been offline, and has started responding to requests received in a phased approach,” she said in an e-mail.
Ms. Goulette Nadon noted that the watchdog is continuing to receive, assess and act on transaction reports, and that it has been disclosing financial intelligence to law enforcement and national security agencies to assist with money laundering and terrorist financing investigations.
Working through the backlog of non-priority reports once FinTRAC’s systems are fully operational again will also be a challenge, according to experts.
“There’s got to be some good guidance from FinTRAC on what are the expectations to clear the backlog in your organization,” Mr. King said.