File No.: CT-2005-006 COMPETITION TRIBUNAL IN THE MATTER OF the Competition Act, R.S.C. I 985, c. C-34, as amended; IN THE MATTER OF an application by B-Filer Inc., B-Filer Inc. doing business as GPAY GuaranteedPayment and Npay Inc. for an order pursuant to section 103.1 granting leave to make application under sections 75 and 77 of the Competition Act;
AND IN THE MATTER OF an application by B-Filer Inc., B-Filer Inc. doing business as GPAY GuaranteedPayment and Npay Inc. for an interim order pursuant to section 104 of the Competition Act.
BETWEEN: B-FILER INC., B-FILER INC. doing business as GPA Y GUARANTEEDPAYMENT and NPA Y INC.
-and-
THE BANK OF NOV A SCOTIA
p Affidavit of Jack J. R 01 D u -- I ~- -~=~~~·~::.\~?-=- ~LW;,JiRAt/;!E T .~: .___O,,T _TA_W_A,_ o_;".i_T, __j _(6. ...2;._.,::.; ...a I, Jack J. Bensimon, of the City of Toronto, in the Province of Ontario, AFFIRM: 1. I am a Certified Anti-Money Laundering Specialist with my own independent regulatory risk management consulting practice, Risk Diagnostics Inc.
2. I have been asked by counsel to the applicants B-Filer Inc. and NPAY Inc. ("B-Filer") to provide an expert opinion relating to anti-money laundering and related issues arising from B-Filer's application under s. 75 of the Competition Act for an order that Bank of Nova Scotia supply it with certain banking services.
Applicants
Respondent
2 3. I attach my report setting out my op1mon on the economic issues raised by this application as exhibit "A" to this affidavit.
AFFIRMED BEFORE ME at lov-uv~-o, 01\. \tln v on August .?- l , 2006.
Jack J. Bensimon B-Filer Inc. - AML Expert Report August, 2006 File No. CT 2005-006 IN THE COMPETITION TRIBUNAL IN THE MATTER OF the Competition Act, R.S.C., 1985, c. C-34, as amended; IN THE MATTER OF an application by B-Filer Inc., B. Filer Inc. carrying on business as GPA Y GuaranteedPayment and NPay Inc. for an order pursuant to section I 03. I granting leave to make application under sections 75 and 77 of the Competition Act;
AND IN THE MATTER OF an application ofB-Filer Inc. carrying on business as GPAY GuaranteedPayment and NPay Inc. for an interim order pursuant to section I 04 of the Competition Act.
BETWEEN: B-FILER, B-FILER INC. carrying on business as GPAY GUARANTEEDPAYMENTand NPAY INC. Applicants
and THE BANK OF NOVA SCOTIA Respondent
AML EXPERT REPORT Regarding Applicants Money Services Business (MSB)
PREPARED AT THE REQUEST OF: Michael Osborne, Barrister, Affleck Greene Orr LLP .. " This ls Exhibit •..... ,e·.""'''"'"' refBrred to in th·e aff/davltof.~1;;-k,,,.;I ... ~r.'.~.I.~.~-~ .. . swombeforeme, this ........ ;;J,,{.~.:: .............. . .Q \:::'f.I\,~.. .. . ....... ' .2.:?S?. ITS Confidential Level A
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 CONTENTS I BRIEF CURRICULUM VITAE II SUMMARY OF CONCLUSIONS III INSTRUCTIONS IV ISSUES V DOCUMENTATION VI ABSTRACT VII TECHNICAL BACKGROUND VIII OPINION IX REFERENCES X EXPERT’S DECLARATION XI STATEMENT OF TRUTH XII APPENDICES Confidential Level A 2
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 I BRIEF CURRICULUM VITAE Professional Qualifications and Experience 1. I have provided in-depth training in Anti-Money Laundering (“AML”) to senior representatives of private sector companies since 2001 ranging from scholarship plan dealers, investment banks, to domestic and foreign Schedule I/II banks. My experience and exposure to AML risks and issues is primarily with US and Canadian financial institutions that are dual-regulated under the dictates of US and Canadian securities legislation. 2. I am registered and licensed with US and Canadian securities regulators, SEC (Securities & Exchange Commission)/NASD (National Association of Securities Dealers), Ontario Securities Commission (OSC) and Investment Dealers Association (IDA), respectively, as a General Securities Principal and as Partner, Director and Senior Officer (PDO). 3. I have over thirteen years experience in the securities industry. Since 2001, I have operated my own independent regulatory risk management consulting practice, Risk Diagnostics Inc. Through Risk Diagnostics Inc., I secured contract engagements with various Fortune-500 firms in the capacity of Chief Compliance Officer and other risk management posts. Specifically, I have worked in the capacity of Chief Compliance / AML Officer for Canadian Scholarship Trust Foundation, BCI Canada Securities Inc., Swift-Trade Securities, and most recently, Wellington West Capital Markets (USA) Inc. 4. In addition, I have lead and contributed to several Sarbanes-Oxley / Bill 198 corporate governance projects for companies publicly traded on major US and Canadian stock exchanges, including CIBC, ICICI Bank, CB Richard Ellis, Canadian Tire Corp., Flint Energy Services Ltd., and Universal Music Studios. The corporate governance engagements have often included the development, implementation and monitoring of anti-money laundering risk assessments and programs, most notably with financial institutions. 5. I am a founding partner in a software security company, Clickrisk LLC, which has developed and commercialized proprietary software in detecting and analyzing online fraud and other
Confidential Level A
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 security forensic anomalies. We have provided expert security reports to assist law firms during the resolution of claims against defendants. 6. I have secured membership, professional competency and certification as a Certified Anti-Money Laundering Specialist (CAMS) through the accredited and global AML industry standard, The Association of Certified Anti-Money Laundering Specialists (ACAMS) based in Miami, FL. 7. I have secured membership, professional competency and certification as a Certified Financial Services Auditor (CFSA) through the accredited and global internal audit standard, The Institute of Internal Auditors (IIA) based in Altamonte Springs, FL. 8. Attached hereto and marked as Appendix “A” is a recent copy of my Curriculum Vitae. II SUMMARY OF CONCLUSIONS 9. The Respondent has failed to conduct an appropriate risk assessment. An appropriate risk assessment would include, while is not limited to, AML risk assessment, account risk assessment, and account risk profiling. These are consistent with using the well-established risk-based industry standard approach for evaluating the relative risk of conducting business with MSBs. They form the basis for the overall risk assessment of the Applicants AML risk to the Bank of Nova Scotia. 10. The Respondent’s expectations as they relate to meeting specific AML regulatory thresholds go far beyond what is reasonably mandated by FINTRAC, and impose an unnecessary regulatory burden that places the Respondent as an implicit de facto regulator of MSBs, rather than a facilitator to the MSB customer. It is important to note that by virtue of the Applicant operating an MSB, it is a customer of the bank and not an agent of the bank. The Respondent by no means has regulatory jurisdiction over the supervision of MSBs. The Respondent is required, however, to perform reasonable due diligence
Confidential Level A
4
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 procedures to ensure that MSB customers meet minimum acceptable FINTRAC requirements (see Appendix B-D). 11. The Respondent’s position that the UseMyBank MSB does not comply with FINTRAC requirements, sufficient to warrant account maintenance, does not stand up to the scrutiny of established AML guidelines. The Respondent appears to be using AML regulatory arguments to justify the closing of MSB accounts on the basis that they failed to generate sufficient revenues. There is limited Canadian based empirical MSB research. However, recent research published by the American Bankers’ Association (ABA) in June 2006 can be used as a point of reference. The ABA indicates that legitimate MSBs generate relatively marginal revenue (relative to other types of businesses) for banks, and consequently, do not make for a favorable cost-benefit tradeoff. The independent risk assessment conducted as part of this opinion sheds light on the overall low risk exposure of the UseMyBank MSB. 12. While the Applicants have several AML regulatory compliance gaps, the conducted and attached independent risk assessment show that these are considered to be low inherent risk in the aggregate. It is strongly recommended that remedial efforts be made to close such gaps. This should further reduce the risk exposure to the Respondent, comply with all FINTRAC requirements, and impose internal controls to mitigate further risks. III INSTRUCTIONS 13. I, Jack J. Bensimon, have received instructions from the Applicants counsel, Michael Osborne, Barrister, Affleck Greene Orr LLP to provide an opinion on the Applicants joint venture partner, UseMyBank, its practices as they relate to AML risks and issues in using banking services. The following were issues to consider as part of the assessment: (a) Does the Applicants business fall under the classification of a “Money Services Business” (MSB) for purposes of the Proceeds of Crime and Anti-Money Laundering Terrorist Financing (PCAMLTF) legislation?
Confidential Level A
5
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 (b) Does the Applicants processes for transacting online payments comply with established standards for MSBs? (c) Is the Applicant operating a business by or on behalf of third-parties? (d) Is the Applicants business conducted in a manner that is conducive to facilitating money launderers or terrorist financiers in offshore jurisdictions? (e) What are the underlying risks that the Bank of Nova Scotia is exposed to if they continue to do business with the Applicants? (f) What regulatory obligations or anti-money laundering protocols is the Bank of Nova Scotia expected to comply with if they were to conduct business with the Applicants? (g) Does the Applicants business maintain a level of transparency comparable to the banks, including the implementation of AML controls required under FINTRAC?
IV ISSUES 14. There are a number of salient issues in determining the underlying AML risks the Respondent is exposed to as a result of conducting business with UseMyBank. Some of these issues have been identified by the instructing counsel, Michael Osborne. (a) Does the Applicants business fall under the classification of a “Money Services Business” (MSB) for purposes of the Proceeds of Crime and Anti-Money Laundering Terrorist Financing (PCAMLTF) legislation? (b) Do the Applicants processes for transacting online payments comply with established standards for MSBs as set out by FINTRAC? (c) Are the Applicants operating a business by or on behalf of third parties? (d) Is the Applicants business conducted in a manner that is conducive to facilitating money launderers or terrorist financiers in offshore jurisdictions? (e) What are the underlying risks that the Bank of Nova Scotia is exposed to if they continue to do business with the Applicants?
Confidential Level A
6
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 (f) What regulatory obligations or anti-money laundering protocols is the Bank of Nova Scotia expected to comply with if they were to conduct business with the Applicants? (g) Does the Applicants business maintain a level of transparency comparable to that of the Bank of Nova Scotia, including the implementation of AML controls required under FINTRAC? (h) Has the Bank of Nova Scotia conducted an appropriate risk assessment consistent with its MSB policies and procedures manual on the Applicants account based on established guidance provided by FINTRAC for MSBs? (i) Are there any completed risk assessments concerning the Applicants account of joint venture partner, UseMyBank, documented so as to evaluate its methodology consistent with FINTRAC requirements for MSBs? V DOCUMENTATION 15. For the purposes of preparing this Report, I have reviewed the following documentation prepared by the Applicant and submitted to the Competition Tribunal: (a) Third Affidavit of Raymond Grace, sworn December 2, 2005; (b) Affidavit of Joseph Iuso, affirmed August 29, 2005, and the Exhibits attached thereto. 16. I have reviewed the following documents on behalf of the Respondent: (a) Affidavit of Robert Rosatelli, sworn July 12, 2005, and the Exhibits attached thereto; (b) Affidavit of David Metcalfe, sworn July 12, 2005, and the Exhibits attached thereto; (c) Responding Affidavit of Robert Rosatelli, sworn September 21, 2005, and the Exhibits attached thereto; (d) Affidavit of Robert Rosatelli, sworn November 25, 2005, and the Exhibits attached thereto; (e) Affidavit of Ryan Woodrow, sworn November 24, 2005 and the Exhibits attached thereto; (f) Affidavit of David Stafford, sworn November 25, 2005;
Confidential Level A
7
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 (g) Affidavit of Colin Cook, sworn November 23, 2005, and the Exhibits attached thereto; (h) Affidavit of Douglas Monteath, sworn November 25, 2005, and the Exhibits attached thereto; (i) Affidavit of Stanley Sadinsky, sworn November 22, 2005 and the Exhibits attached thereto. (j) Affidavit of Christopher Mathews, sworn November 23, 2005, and the Exhibits attached thereto; (k) Affidavit of Alex Todd, sworn November 25, 2005, and the Exhibits attached thereto. VI ABSTRACT 17. In 1999, Mr. Grace opened several accounts at the Bank of Nova Scotia branch in Sherwood Park (Edmonton), Alberta in the name of “B-Filer Inc./ GPay”. 18. An additional account was approved and opened in the name of B-Filer Inc./GPay on April 15, 2004. By June 2004, an additional six (6) accounts were approved and opened in the name of B-Filer Inc./GPay. In October 2004, Mr. Grace received approval to open five (5) additional accounts; fifteen (15) additional accounts were opened in November 2004 in the name of NPay Inc. 19. In the spirit of opening additional accounts and to support business expansion of UseMyBank, Mr. Grace approached Ryan Woodrow, Manager, to open additional accounts. With Mr. Woodrow declining to approve any further account As a consequence, Mr. Grace resorted to telephone banking to open additional accounts. Over 80 accounts were opened in a span of less than a month by early 2005. 20. The Sherwood Park branch raised concerns over the multiple account openings over a short period of time. This culminated with Branch Manager Margaret Parsons recommending termination of all existing related business accounts.
Confidential Level A
8
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 21. An internal investigation at the Bank of Nova Scotia ensued shortly thereafter. The Bank of Nova Scotia officially terminated its relationship with the Applicants and its joint venture partner, UseMyBank by notice letter of May 11, 2005. The accounts were officially closed on late September, 2005. VII TECHNICAL BACKGROUND 22. Anti-money laundering (AML) legislation is primarily concerned with the disguising of illegitimate funds for use in criminal or terrorist financing. The Proceeds of Crime and Anti-Money Laundering & Terrorist Financing (PCAMLTF) legislation is of material concern to banking institutions where legislation breaches can cause significant reputational harm to its business. While banks are required to exercise due diligence and promote the cardinal, Know Your Client (KYC) rule, it is also required to directly or indirectly, assess the merits of accepting each MSB account on a risk-assessed basis. The notion of evaluating the customer account risks and account risk profiling as it relates to AML risk assessments is consistent with the Office of the Superintendent of Financial Institutions (OSFI) and Basel II banking requirements. 23. Although empirical research on MSBs in Canada is limited, US empirical research suggests the trend of uncertain regulatory expectations as it relates to the US Bank Secrecy Act (BSA) and AML obligations of insured banks with its MSB customers. 24. Against this background and context, I, Jack J. Bensimon, carried out an independent risk assessment of the Applicants MSB in order to determine the relative risk of a bank conducting business with it, consistent with established industry practice and guidance developed by both FINTRAC and FinCEN (the US counterpart of FINTRAC). All test results are included in Appendix B-D.
Confidential Level A
9
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 VIII OPINION Does the Applicants business fall under the classification of a “Money Services Business” (MSB) for purposes of the Proceeds of Crime Anti-Money Laundering Terrorist Financing legislation? 25. The manner in which the Applicant transfers funds to finance customer use of online
services, such as online gambling casinos, is considered to be a money transmitter and falls under the classification of a Money Services Business (MSB) under FINTRAC interpretive guidance as it relates to PCAMLTF. Do the Applicants processes for transacting online payments comply with established standards for MSBs as set out by FINTRAC? 26. The method for transacting online payments is through securing the customer’s bank card
information and online password, and entering into the customer’s account online to effectuate any transfers to finance customer service purchases. Although this method of effectuating money transfers has privacy compliance implications, it does not violate the requirements set out by FINTRAC for MSBs. This MSB model is aimed at serving a segment of the population that either does not have or may not be able to secure a credit card (e.g., high credit risk, poor or damaged credit history). While many MSBs are legitimate businesses and serve credible market segments, banks are required under FINTRAC and OSFI regulations to take extra precautions and conduct additional testing to evaluate account risks. Are the Applicants operating a business by or on behalf of third parties? 27. Given the method of processing transactions, the low volume of transactions, and the purpose for effectuating money remittances, it is my professional view that the Applicants are operating a business on behalf of third parties rather than by third parties. Given the Applicants business model, it is a processor of online transactions in which the Applicants do not have any influence nor contribution to its bill payees operations. The Applicants are not an agent of the bank, but rather a customer of the bank. Agents of banks have different AML standards and tests than an MSB who is a customer of the bank. This subtle but important distinction can often
Confidential Level A
10
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 be lost in both interpretive FINTRAC guidance or in banks applying high risk due diligence criteria as a minimum standard in servings MSBs. 28. As a classified MSB, FINTRAC rules require the Applicants to conduct reasonable due diligence in verifying customer identification through established procedure to effectuate CIPs (Customer Identification Programs). The Applicants are also required to have appropriate compliance policies and procedures and to develop, implement and maintain an effective AML program. Is the Applicants business conducted in a manner that is conducive to facilitating money launderers or terrorist financiers in offshore jurisdictions? 29. This issue needs to be addressed from a risk-based perspective; that is, the issue is one of
relative magnitude of the inherent risk given the Applicants MSB, its processes for effectuating money transfers, and its existing state of AML compliance policies and procedures. The Applicants are conducting business on behalf of third parties with over 98% of its transactions directed towards online gambling casinos. Although the reputation of these businesses has generally been poor due to the nature of the gambling business, the ethical questions that it raises, and the customers they can attract, this does not present sufficient grounds to support closing accounts. In this case, the Applicants are merely facilitators to an electronic process of transferring money from one source to another. 30. The Applicants average transaction value has recently been in the $82 area, representing a nominal amount of transfer flows to finance customer purchases of gambling services. A suspected terrorist would have to effectuate thousands of purchases at this level to provide for even a small amount of terrorist financing. Terrorist financing often requires larger aggregate sums to finance its illegal activities. Therefore, there is a possibility that through repeat use and manipulation of the Applicant’s UseMyBank system, a suspected terrorist can conceivably launder funds to finance terrorist activity.
Confidential Level A
11
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 31. Terrorist financiers come from all walks of life, varied professions, and diversified types of businesses. Certain businesses, such as online casinos, may attract more suspected terrorists due to the ease of effectuating online transfers and perception of a limited verifiable audit trail. However, the Applicants have no control over its payee’s AML internal compliance controls. Furthermore, their respective jurisdictions would be responsible for providing AML regulation and guidance. What are the underlying risks that the Bank of Nova Scotia is exposed to if they continue to do business with the Applicants? 32. The risks that the Bank of Nova Scotia is exposed to if it continues to do business with the
Applicants include: deploying manual or automated resources to regularly monitor the account for suspicious activity; ensuring the Applicants have strong internal compliance controls to mitigate the risk of its employees abusing their privilege of having access to customer bank card numbers and passwords; and taking reasonable steps to ensure the Applicants are complying with FINTRAC requirements as an MSB. 33. Although there may be some reputational risk exposure from being perceived as allowing the facilitation of money transfers to online gambling casinos through an MSB channel, the Applicants history with the bank has not demonstrated evidence of conducting other suspicious business activity or ‘restricted businesses’ so as to generate regulatory scrutiny or internal policy breaches of bank code of acceptable customer conduct. What regulatory obligations or anti-money laundering protocols is The Bank of Nova Scotia expected to comply with if they were to conduct business with the Applicants? 34. Were the account to be maintained by the Respondent for the Applicants, the Bank of Nova
Scotia would be expected to conduct a risk assessment of the account and the due diligence on the nature of the MSB. Some of the elements of such a risk assessment may include items covered in the independent risk assessment included in the Appendix. The Bank of Nova Scotia does not appear to have conducted and documented a thorough risk assessment and AML risk ranking methodology of the account that would yield to established FINTRAC due diligence procedures and tests to determine if the account was low, medium or
Confidential Level A
12
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 high risk. Mr. Cook’s affidavit sworn on November 23, 2005 asserts that the Bank of Nova Scotia carried out a ‘product profile’ after it was determined that the Applicants account had been escalated to commercial account status from small business account status. 35. The Bank of Nova Scotia’s product profile does not seem to provide for an appropriate and documented account risk assessment that would be open to audit scrutiny and evaluation of testing methodology. The Bank of Nova Scotia would be required, at a minimum, to carry out the following procedures in determining whether to open or maintain an MSB account for the Applicants: (a) Obtain basic identifying information about the MSB through the application of the Applicants CIP. 1 (b) Confirm FINTRAC registration; (c) Confirm compliance with provincial or federal licensing requirements (where applicable); (d) Conduct a basic risk assessment to determine the level of risk associated with the account to solicit additional information, as deemed necessary. Please see Appendix B-D for additional tests that banks can conduct to assist in distinguishing low from high risk accounts. Does the Applicants business maintain a level of transparency comparable to the banks, including the implementation of AML controls required under FINTRAC? 36. The Applicants business does not maintain the same or comparable level of transparency
as the banks as they relate to AML controls required under FINTRAC. The independent risk assessment discovered in Phase I Test Results (Appendix B) indicates that the Applicants have several important gaps with respect to the development, implementation and monitoring of a compliance regime. The following weaknesses were identified and considered material and require remediation in order to reduce the inherent account risk level for an MSB customer: (l) The appointment of a designated Compliance Officer; Confidential Level A 13
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 (ii) Compliance Policies and Procedures; (iii) Testing of Policies and Procedure; and (iv) Compliance training programs. Remediating these deficiencies and regularly monitoring their implementation would further reduce the residual risk of the MSB account for the Bank of Nova Scotia. 2 Has The Bank of Nova Scotia conducted an appropriate risk assessment consistent with its MSB policies and procedures manual on the Applicants account based on established guidance provided by FINTRAC for MSBs? 37. The Bank of Nova Scotia has failed to conduct a detailed and documented risk assessment
that is consistent with OSFI’s or FINTRAC’s guidance and checklists in evaluating the aggregate risk of accepting and maintaining the Applicants MSB. Although the Bank of Nova Scotia has a comprehensive document management system as it applies to various types of investigations, its ‘Security & Investigative Reporting Procedures’ (SIRP) do not capture an appropriate AML risk assessment in evaluating both inherent and residual risks for maintaining MSB accounts. SIRP investigations are to include any AML issues, but there is an absence of a defined criteria for risk assessing and priority ranking such AML risk exposures as they relate to MSB accounts. 38. The Bank of Nova Scotia’s ‘Case Complexity Rating Grid’, as part of its SIRP program, deals more with the level of case complexities for determining appropriate allocation of internal resources, rather than identifying established FINTRAC or FinCEN MSB account criteria for risk testing MSB or determining high AML risks. The banks’ grid merely identifies a ‘Regulator, Legal’ category, but fails to capture the necessary criteria for guiding staff on evaluating AML account risks based on specific FINTRAC requirements and risk testing that banks can use for MSBs.
1 Banks are required to implement a CIP (Customer Identification Program). 2 Residual risk refers to the level of risk remaining after compliance controls have been implemented, while inherent risk includes any risk arising from fraud.
Confidential Level A
14
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 39. It is my professional view, based on the independent risk assessment conducted and documented in the Appendix, that, on balance, the MSB account of the Applicant represents a low inherent risk for the bank as far as AML risk exposure is concerned. Are there any completed risk assessments concerning the Applicants account of joint venture partner, UseMyBank, documented so as to evaluate its methodology consistent with FINTRAC requirements of MSBs? 40. The affidavit provided by Mr. Cook’s sworn testimony of November 23, 2005 indicates that
the Bank of Nova Scotia determined the Applicants account was operating in a “restricted business”, while offering no documentation as to how that was integrated into the wider risk assessment of the account. The Bank of Nova Scotia’s ‘Case Complexity Rating Grid’, as part of its SIRP program, deals more with the level of case complexities for determining appropriate allocation of internal resources, rather than identifying established FINTRAC or FinCEN MSB account criteria for risk testing MSB or determining high AML risks. The banks’ grid merely identifies a ‘Regulator, Legal’ category, but fails to capture the necessary criteria for guiding staff on evaluating AML account risks based on specific FINTRAC requirements and risk testing that banks can use for MSBs. 41. The Respondent had an obligation to conduct a detailed risk assessment and include guidance questionnaires and checklists provided most notably by FinCEN. This test could have provided additional insight into the account of the Applicants in accurately and appropriately profiling the risk of this specific MSB account.
Confidential Level A
15
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 IX REFERENCES American Bankers Association (ABA), Testimony of Wayne A. Abernathy, Subcommittee on Financial Institutions Consumer Credit of the Committee on Financial Services Unites States House of Representatives. “Bank Secrecy Act’s Impact on Money Services Businesses”. June 21, 2006.
Djinis, Peter J. and Intriago, Charles. Guide to the U.S. Bank Secrecy Act Regulations: 2006 Edition (Revised and Updated). Alert Global Media, 2006.
FinCEN Publication. “Interagency Interpretive Guidance on Providing Banking Services to Money Services Businesses Operating in the United States.” April, 2005.
FINTRAC Publication. “Money Services Business: Legislative Requirements”. Government of Canada, 2005.
Office of the Superintendent of Financial Institutions (OSFI). “Deterring and Detecting Money Laundering and Terrorist Financing”. Government of Canada, November 2004.
Confidential Level A
Jack J. Bensimon B-Filer Inc. - AML Expert Report August, 2006 X EXPERT'S DECLARATION 1. I understand that my overriding duty is to the tribunal, both in preparing reports and in giving oral evidence. I have complied and will continue to comply with that duty.
2. I have set out in my report what I understand from those instructing me to be the questions in respect of which my opinion as an expert are required.
3. I have done my best, in preparing this report, to be accurate and complete. I have mentioned all matters that I regard as relevant to the opinions I have expressed. All of the matters on which I have expressed an opinion lie within my field of expertise.
4. I have drawn to the attention of the tribunal all matters, of which I am aware, which might adversely affect my opinion.
5. Wherever I have no personal knowledge, I have indicated the source of factual information. 6. I have not included anything in this report which has been suggested to me by anyone, including counsel instructing me, without forming my own independent view of the matter.
7. Where, in my view, there is a range of reasonable opinion, I have indicated the extent of that range in the report.
8. At the time of signing the report I consider it to be complete and accurate. I will notify those instructing me if, for any reason, I subsequently consider that the report requires any correction or qualification.
9. I understand that this report will be the evidence that I will give under oath, subject to any correction or qualification.
10. This report includes a statement setting out the substance of all facts and instructions given to me which are material to the opinions expressed in this report or upon which those opinions are based.
11. That I have no conflict of interest of any kind, other than any which I have disclosed in my report.
12. That I do not consider that any interest which I have disclosed affects my suitability as an expert witness on any issues on which I have given evidence.
13. That I will advise the party by whom I am instructed if, between the date of my report and the trial, there is any change in circumstances that affect my answers to either of the above two points.
XI STATEMENT OF TRUTH I confirm that insofar as the facts stated in my report are within my own knowledge I have made clear which they are and I believe them to be true, and the opinions I have expressed represent my true and complete pr essional opiniQn.
Confidential Level A
17
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 XII APPENDICES APPENDIX A Curriculum Vitae APPENDIX B Phase I Test Results—AML FINTRAC Compliance Risk Assessment
APPENDIX C Phase II Test Results—MSB Bank Account Risk Profiling APPENDIX D Phase III Test Results—MSB Bank Account Risk Assessment Confidential Level A 18
Jack J. Bensimon B-Filer Inc. – AML Expert Report August, 2006 APPENDIX A: Curriculum Vitae Jack J. Bensimon, B.A. (Hon.), CFSA, CCSA, CAMS Executive Summary This Risk Management professional has over 13 years of experience in the financial services, securities compliance and audit sector. His extensive and diverse background spans areas such as securities trading, research, compliance, financial controls, risk & project management including Sarbanes-Oxley Act (SOX) and Bill 198 audits. Jack has demonstrated strong project management skills with in-depth hands-on knowledge making him an invaluable subject matter expert.
Key Career Accomplishments • Developed, implemented and monitored Anti-Money Laundering (AML) programs for Canadian Scholarship Trust Foundation, Wellington West Capital Markets (USA) Inc., Swift-Trade Securities and Biremis USA. • Provided AML training to senior management of Wellington West Capital Markets (USA) and advised on continuing education and regulatory firm element programs to meet NASD compliance. • Founding partner of security software firm, Clickrisk LLC, assisted in developing and commercializing proprietary software to detect and analyze online fraud and other online security anomalies. • Managed Canada Depository for Securities (CDS) audit work team of compliance auditors/accountants to ensure SOX 302/404 financial controls certification as well as other internal controls. • Developed, implemented, tested and lead entity-level controls and corporate governance initiatives for Sarbanes-Oxley projects with Flint Energy Services Ltd. and Canadian Tire Corp. • Provided Quality Assurance for internal controls/regulatory compliance oversight for Flint Energy Services Ltd. and Canadian Tire Corp. CEO/CFO Certification Program. • Developed and implemented audit Work Programs for substantive Legislative Compliance Management (LCM) testing for CIBC (banking unit). • Developed Written Supervisory Procedures (WSP) compliance manuals and reporting tools for both trading officers and branch managers. • Provided business risk management advisory for online forensic investigations. • Consulted to the Ontario Securities Commission (OSC) on the future of Proprietary Electronic Trading Systems (PETS).
Professional Experience • Canada Depository for Securities (CDS) Inc. – SOX/Bill 198 Project Manager & Lead Auditor • Clickrisk LLC – Chief Risk Officer • Protiviti Risk Consulting – SOX Regulatory Compliance Auditor • Swift-Trade Inc. & Biremis LLC – Chief Financial & Compliance / AML Officer • Wellington West Capital Markets (USA) Inc. – Chief Compliance / AML Officer • Canadian Scholarship Trust Foundation – National Compliance / AML Manager • Flint Energy Services Ltd. – Entity-Level Controls (Corporate Governance) C-SOX Lead • Canadian Tire Corp. -- Entity-Level Controls (Corporate Governance) C-SOX Lead • StockHouse Media Corp. – US Financial Institutions Research Analyst • BCI (Banca Commerciale Italiana) Bank – Compliance Officer • TD Securities Inc. – Trader • The Canadian Securities Institute – Course Instructor Education, Certification, Memberships • Honors Bachelor of Arts, Economics & Math – University of Toronto • Certified Financial Services Auditor (CFSA); member of Institute of Internal Auditors (IIA) • Certification in Control Self-Assessment (CCSA) • Certified Anti-Money Laundering Specialist (CAMS); member of ACAMS (Association of Certified Anti-Money Laundering Specialists) • Global Association of Risk Professionals (GARP) – Member since 2003. • Numerous courses from the Canadian Securities Institute and NASD; registered General Securities Principal with NASD and PDO (Partner, Director, Senior Officer) with IDA/OSC. • Association of Certified Fraud Examiners (ACFE) -- Member Confidential Level A
AML Expert Report APPENDIX B Phase I Applicants AML FINTRAC Compliance MSB Risk Assessment MSB Legislative Requirements AML Risk Description Existing AML Control Reporting Suspicious Transactions Suspicious transactions are reported where there is reasonable grounds to suspect that a transaction is related to the commission of an offense. Large Cash Transactions Large Cash Transactions involving more than $10,000 or more received in cash must be reported. Electronic Funds Transfers International electronic fund transfers must be reported (i.e., the transmission of instructions at the request of a client for a transfer of $10,000 or more through any electronic, magnetic or optical device, telephone instrument or computer) Terrorist Property Where it is known there is property in your possession or control that is owned or controlled by or on behalf of a terrorist group or a terrorist group, this must be reported. Record Keeping Large cash transaction Large Cash Transactions involving more than $10,000 or more records received in cash must be reported. Client information records Information on all client records is expected to be maintained for a period of at least five years after the termination of the relationship. Records for transactions Records for the sale of travelers cheques, money orders or exceeding $3,000 other similar instruments in the amount of $3,000 or more Money order record Records of money orders must be kept for orders cashed in the keeping amount of $3,000 or more Records for transmission or Records for transmissions or remittance of $3,000 or more by money remittances any means, through any person, entity or electronic funds transfer network must be retained. Official corporate records Copies of official corporate records (binding provisions) are required to be kept. Ascertaining Identification for large cash Specific measures must be taken to identify any individual or Identification transactions entity that conducts a large cash transaction.
Y L Confidential Level A GPay/NPay Inc. v. BNS
August 16, 2006 Effective? Frequency (Y/N) (L, M, H) AML Risk Implications Comments The filing of a STR to FINTRAC is key requirement of MSBs and for banks to ensure Y L they are timely reported. The average transaction recently has been $82, There is a process for the with a few bundled transactions that attempted to Applicants reporting to circumvent the $10K rule. These were identified FINTRAC on a timely basis and reported to FINTRAC. with automated compliance edits built into the software Y L platform. The average transaction recently has been $82, with a few bundled transactions that attempted to circumvent the $10K rule. These were identified and reported to FINTRAC. Y L N/A L All transactions are effectuated online, with no Y L acceptance of cash or cheques. GPay has been in business since 2003. N/A N/A N/A A record retention policy has been developed and This policy requires annual maintained. review and monitoring. Y L The Applicants does not deal with any money orders. N/A N/A A record retention policy has been developed and maintained. Y L A record retention policy is developed and maintained, as well as maintenance of corporate Y L records that are easily retrieved. The average transaction recently has been $82, The Applicants has with a few bundled transactions that attempted to developed and tested a real-circumvent the $10K rule. These were identified time fraud alert system with and reported to FINTRAC. extensive security policy to define and assess its online security threats and risks.
Phas A e M I L Expert A R peppolritcants AML FINTRAC Compliance MSB RAisPkPE ANDsIsXe B MSB Legislative Requirements AML Risk Description Existing AML Control Ongoing business Specific measures must be taken to identify any individual or relationships entity with which there is an ongoing business relationship
Amounts issued to Specific measures must be taken to identify any individual or individuals that exceed entity for whom an amount of $3,000 or more is issued, $3,000 redeemed, remitted or transmitted. Third-Party Individuals acting on behalf Where a large cash transaction is required, or when a client Determination of a third-party information record is generated, reasonable steps must be taken to determine whether the individual is acting on behalf of a third-party. Third-party information In cases where a third-party is involved, specific information reported about the third-party and the relationship with the individual providing the cash or account holder must be obtained. Indeterminate Compliance Appointment of a A Compliance Officer is required to be appointed to oversee Regime designated Compliance appropriate AML legislative controls. Officer Compliance Policies & Compliance Policies and Procedures are required to be Procedures developed, implemented and monitored. Testing of Policies & Compliance policies and procedures should be periodically Procedures reviewed and tested to ensure operational effectiveness. Compliance Training An ongoing compliance training program is to be implemented. Programs Confidential Level A
ssment August 16, 2006 Effective? Frequency (Y/N) (L, M, H) AML Risk Implications Comments There is a compliance exposure as existing Efforts are underway to compliance framework can be improved. remediate this deficiency immediately. The Applicants do have a control by way of a matching process which provides for a cross-referencing of account name/adresses to the name/address registered with the bill payee.
N M The average transaction recently has been $82, with a few bundled transactions that attempted to circumvent the $10K rule. These were identified and reported to FINTRAC. Y L The existing policies and procedures framework has shortcomings and needs to be more clearly defined and independently tested. N M Insufficient documentation provided to test this control. M This is identified as a compliance gap requiring Remediation efforts have timely remediation. commenced. N M This is identified as a compliance gap requiring Remediation efforts have N M timely remediation. commenced. This is identified as a compliance gap requiring Remediation efforts have timely remediation. commenced. N M This is identified as a compliance gap requiring Remediation efforts have N L timely remediation. commenced. GPay/NPay Inc. v. BNS
AML Expert Report APPENDIX C August 16, 2006 Phase II Applicants MSB Bank Account Risk Assessment
Information Operational Account Provided? Dimension Data Required (Y/N) Noted Bank Gaps/Concerns Risk Implications Comments Types of products and The categories of services The Bank of Nova Scotia is concerned about MSB As of June 2006, the Bank of Nova Scotia appears to be Traditionally, MSBs have not services offered engaged in by the particular Y operations/accounts in general. conducting business with and maintaining accounts for a numbe been lucrative sources of MSB. of MSBs. revenues for banks. Whether the MSB is a "principal" The Bank of Nova Scotia raised initial concerns The multiplicity of accounts, in excess of over 80 by early 2005, (with a fleet of agents) or an over multiple accounts opened via telephone represents a greater compliance monitoring burden. agent of another MSB Y banking, while internal account opening limits exist as per bank policy.
Whether the MSB is a new or The Bank of Nova Scotia raised concerns over The MSB of the Applicants was in operation for two years, with GPay has three years of established operation. substantial monthly growth in transaction volume transaction history to provide bank in order to conduct an transaction history, allowing a and resources required to keep pace with over 80 appropriate risk assessment. bank to make a risk-based Y accounts. assessment on the account with several metrics to assist in its
analysis.
Whether or not MSB represent a No particular gaps noted by the Bank of Nova Applicants made it clear to the bank that there was no ancillary primary or ancillary aspect of the Scotia. aspect to the business, while disclosure of expected transaction business. Y growth was made to Mr. Woodrow. Locations) and The markets it targets The Bank of Nova Scotia raised implicit concerns Although many online gambling sites operate offshore, there are It is my understanding that Markets) served by that Applicant was targeting online gambling a plethora of tax and regulatory reasons for this; the AML operating an online gambling MSB Y casinos, which it deemed higher risk for MSBs and argument is but one amongst a series of many for such casino in Canada is legal. believed would generate reputational risk exposure.businesses operating offshore.. The locations it serves The Bank of Nova Scotia raised concerns over Cross-border transactions are often more difficult to trace, often The Applicants has developed cross-border transactions that would potentially leaving a limited or weak audit trail for original source customer and tested a real-time fraud permeate online gambling casinos, one of the identification. The Applicants are original source facilitators of alert system with extensive Y largest users of MSBs. electronic payment transactions. security policy to define and assess its online security threats
and risks.
Whether it offers international The Applicants disclosed to several senior bank Over 98% of transactions are effectuated with online gambling The online gambling sector is services representatives that the transactions were not casinos, some of which operate offshore with lax AML and concentrated with a few players limited to local transactions, but would provide for terrorist financing controls. operating offshore that dominate cross-border transactions. market share (e.g., ProxyCyber, of which the Applicants conducts
Indeterminate business with). Limiting its business model to local residents would pose significant business risk.
Whether it caters exclusively to The Applicants disclosed to several senior bank GPay does not accept any form of payments (e.g., cheques, The online gambling sector is local residents. representatives that the transactions were not money orders, travellers schques) that are not online payments concentrated with a few players limited to local transactions, but the online platform involving the debiting of an account from a registered domestic operating offshore that dominate
would provide for cross-border transactions. Schedule I bank.
Y business with). Limiting its business model to local residents would pose significant business risk.
Confidential Level A
market share (e.g., ProxyCyber, of which the Applicants conducts
GPay/NPay v. BNS
Phas A e M I L I E x Apeprtp R leipcoartnts MSB Bank Account Risk Assessment APPENDIX C August 16, 2006 Information Operational Account Provided? Dimension Data Required (Y/N) Noted Bank Gaps/Concerns Risk Implications Comments Anticipated Account The service the business intends The Bank of Nova Scotia raised concerns over the The Applicants business only deals with fund transfers, Activity to use, such as currency substantial growth in transaction volume over a considered lower risk than currency or cheque deposits owing to deposits or withdrawals, cheque short 3-6 month interval; it later considered the lower authentication and security risks. deposits, or funds transfers. Y Applicants business a 'restricted business' under its internal policy guidance.
Estimated transaction amounts. The Bank of Nova Scotia concerns were less about Over 98% of transactions are effectuated with online gambling Owing to fluctuations in average the average per transaction amount ($82 recent casinos, some of which operate offshore with lax AML and transaction value for online trend), but more about the growth in transaction terrorist financing controls. gambling casinos, this could not Y volume that was also not making it a viable and have been reasonably estimated profitable account to hold and maintain for the with only 3 years of data. Applicants.
The branch locations the The Applicants opened in excess of 80 accounts business intends to use. via telephone banking, well in excess of the limits N for small business customers who generate $5M per year in transactions. Any external or seasonal factors The Applicants business experienced hyper-growth over a short Owing to fluctuations in average period of time, triggering STR and FINTRAC reporting requirements. N
Account Purpose The MSBs AML program The Bank of Nova Scotia implicitly identified this as The absence of appropriately designed AML programs can This is identified as a a compliance gap. increase the inherent risk of the Appplicants for the Bank of compliance gap requiring timely N Nova Scotia. remediation. Remediation efforts have commenced. The results of the MSB's The Bank of Nova Scotia implicitly identified this as The absence of independent testing of AML programs to ensure This is identified as a independent testing of its AML a compliance gap. operating effectiveness can increase the inherent risk of the compliance gap requiring timely program. N Appplicants for the Bank of Nova Scotia. remediation. Remediation efforts have commenced. Review list of agents, including The Bank of Nova Scotia implicitly identified this as The absence of a defined process for regular and ongoing This is identified as a locations, within or outside of a compliance gap. monitoring of AML programs to include existing business compliance gap requiring timely Canada, that will be receiving relationships, can increase the inherent risk of the Appplicants remediation. Remediation efforts services directly or indirectly N for the Bank of Nova Scotia. have commenced. through the MSB account.
Written procedures for the The Bank of Nova Scotia implicitly identified this as The absence of a appropriate procedures as part of an AML operation of the MSB. a compliance gap. program to include MSB operations, can increase the inherent Y risk of the Appplicants for the Bank of Nova Scotia. Written agent management and termination practices for the MSB. N/A Confidential Level A
The Applicants opened multiple accounts via telephone banking system, triggering AML account alerts. transaction value for online gambling casinos, this could not have been reasonably estimated with only 3 years of data.
This is identified as a compliance gap requiring timely remediation. Remediation efforts have commenced. The MSB is a principal, with an absence of agency relationships with other MSBs. GPay/NPay v. BNS
Phas A e M I L I E x Apeprtp R leipcoartnts MSB Bank Account Risk Assessment APPENDIX C August 16, 2006 Information Operational Account Provided? Dimension Data Required (Y/N) Noted Bank Gaps/Concerns Risk Implications Comments Written employee screening for The Bank of Nova Scotia implicitly identified this as The absence of appropriate employee screening procedures as This is identified as a the MSB. a compliance gap. part of an AML program (e.g., Know-Your-Employee (KYE)) to compliance gap requiring timely mitigate internal data theft, can increase the inherent risk of the remediation. Remediation efforts
Appplicants for the Bank of Nova Scotia. Cache memory does have commenced. Y not allow bank card password to be stored in memory, providing some risk mitigation in preventing others from exploting such data.
Confidential Level A
GPay/NPay v. BNS
AML Expert Report APPENDIX D August 16, 2006 Phase III Applicants MSB Bank Account Risk Profiling Does it apply? Risk Level AML Risk Indicator (Y/N) AML Risk Implications Comments Lower Risk Primarily markets to customers that conduct The MSB model is volume-based, with high velocity of accounts in The average transaction has recently been $82, considered to be Indicators routine transactions with moderate frequency in denominations averaging less than $100. This amount is low by AML standards. low amounts Y considered negligible for PCAMLTF exposure. Offers only a single line of MSB product (i.e., for There is only a single MSB product as part of its business model: Collection of customer bank card and password has privacy example, only cheque cashing or only currency money transmitting and debiting from the customer's bank account compliance risk implications. exchanges) domiciled in Canada through disclosure of bank card number and Y online password. Is a cheque cashier that does not accept out-of- GPay does not accept any form of payments (e.g., cheques, province cheques money orders, travellers schques) that are not online payments involving the debiting of an account from a licensed financial N institution. Is an established business with an operating GPay has three years of transaction history, allowing a bank to GPay has been in business since 2003, with an upward bias history make a risk-based assessment on the account with several metrics toward significant transaction growth over the last three years. Y to assist in its analysis. Only provides services such as cheque cashing to GPay does not accept any form of payments (e.g., cheques, local residents. money orders, travellers schques) that are not online payments involving the debiting of an account from a licensed financial
N Only facilitates domestic bill payments. Facilitates transactions to many offshore jurisdictions, some of which are considered high AML risks as they have lax AML N regulations. Is a money transmitter that only remits funds to Facilitates transactions to many offshore jurisdictions, some of domestic entities which are considered high AML risks as they have lax AML regulations. None of these jurisidictions appear to be published terrorist financing countries, such as those listed on the NCCT (Non-Cooperative Countries and Territories) Initiative.
N Is a cheque cashier that does not accept third- party cheques or only cashes payroll or government cheques. N Higher Risk Allows customers to conduct higher-amount Although the average transaction is $82, the online platform allows The nature of online gambling casinos is such that variances in Indicators transactions with moderate to high frequency. its customers to transact at higher levels, potentially triggering Y FINTRAC reporting requirements. Offers multiple types of MSB products N Is a cheque cashier that cashes any third-party cheque or cashes cheques for commercial businesses. N Is a money transmitter that offers only, or Many of the online gambling casinos are off-shore. However, not specializes in, cross-border transactions, all are domiciled in areas that pose high AML risks due to lax AML particularly to jurisdictions posing heightened risk controls. There were several countries identified that are known to involving the debiting of an account from a licensed financial of money laundering or the financing of terrorism be terrorist financing havens. or countries identified as having weak anti-money
laundering controls. Y Confidential Level A GPay/NPay Inc. v. BNS
institution. None of these jurisidictions appear to be published terrorist financing countries, such as those listed on the NCCT (Non-Cooperative Countries and Territories) Initiative. None of these jurisidictions appear to be published terrorist financing countries, such as those listed on the NCCT (Non-Cooperative Countries and Territories) Initiative.
GPay does not accept any form of payments (e.g., cheques, money orders, travellers schques) that are not online payments involving the debiting of an account from a licensed financial institution. average dollar transactions can fluctuate considerably from period to period. There is only a single MSB product as part of its business model: money transmitting and debiting from the customer's bank account through disclosure of bank card number and password. GPay does not accept any form of payments (e.g., cheques, money orders, travellers schques) that are not online payments involving the debiting of an account from a registered Schedule I bank. GPay does not accept any form of payments (e.g., cheques, money orders, travellers schques) that are not online payments institution..
Phas A e M I L II Ex Apeprtp R leicpoartnts MSB Bank Account Risk Profiling APPENDIX D August 16, 2006 Does it apply? Risk Level AML Risk Indicator (Y/N) AML Risk Implications Comments Is a currency dealer or exchanger for currencies GPay does not accept any form of payments (e.g., cheques, of jurisdictions posing heightened money money orders, travellers schques) that are not online payments laundering risks or the financing of terrorism or involving the debiting of an account from a licened financial countries identified as having weak anti-money institution. laundering controls. N Is a new business without an established GPay has been in business since 2003, with an upward bias operating history. toward significant transaction growth over the last three years. N
Is located in an area designated as a High Money Laundering and Related Financial Crimes Area or a High-Intensity Drug Trafficking Area. (*)
N
(*) While the operation of an MSB in either of these two areas does not itself require a bank to conclude that the MSB poses a high risk, it is nonetheless a factor that may be relevant.
Confidential Level A
Facilitates transactions to many offshore jurisdictions, some of which are considered high AML risks as they have lax AML regulations. None of these jurisidictions appear to be published terrorist financing countries, such as those listed on the NCCT (Non-Cooperative Countries and Territories) Initiative.
GPay/NPay Inc. v. BNS
BETWEEN: B-FILER INC., B-FILER INC. doing business as GPAY GUARANTEEDPAYMENT and NPAY
THE BANK OF NOVA SCOTIA Respondent
AFFIDAVIT OF JACK BENSIMON
AFFLECK GREENE ORR LLP Barristers & Solicitors One First Canadian Place Suite 840, P.O. Box 489 Toronto, Ontario M5x 1e 5
Michael Osborne T 416-360-5919 F 416-360-5960 E mosborne@agolaw.com
Jennifer Cantwell T 416-360-F 416-360-5960 E jcantwell@agolaw.com
EDY, DALTON 800-1015 4 ST. S.W. CALGARY, AB, T2R 1J4
Sharon J. Dalton T 403-263-3200 EXT: 105 F 403-263-3202
E jdalton@edydalton.com
Solicitors for the Applicants
Court File No. CT-2005-006 COMPETITION TRIBUNAL INC. Applicants -and-