Canadian Bank Needs Spy Compliance

Nutty news from up north: Canadian regulators have forced a bank there suspected of ties to the Chinese government to cut ties with its three founders, relocate to new headquarters with better security, sweep the corporate premises for bugs, and hire two senior compliance officers — including a “national security” compliance officer who will need a government-issued security clearance.

This astonishing tale involves Wealth One Bank of Canada, and comes to us courtesy of an article earlier this week in the Toronto Globe and Mail. Whatever gripes we in the United States might have about intrusive compliance monitors and rampant cybersecurity risks, what’s happening in Canada takes things to a whole other level. 

As recounted by the Globe and Mail, finance minister Cynthia Freeland earlier this year sent Wealth One a letter known as an amended “letters of patent,” a regulatory maneuver used to force a financial institution to change its governance and business practices. (Think of it as the Canadian equivalent of a consent decree.) The letter is dated April 23, although for some reason it didn’t become public until just now.

The amended letters of patent demanded that Wealth One cut all ties with its three founders: Toronto insurance executive Shenglin Xian, Vancouver property developer Morris Chen and Toronto grocery tycoon Yuangsheng Ou Yang. The Finance Ministry also told the three men directly that they had to sell all their shares in Wealth One.

Why? Because for some time now, Canada has suspected that Xian, Chen, and Yang might be susceptible to pressure from the Chinese government. Wealth One caters to Chinese Canadians, who make up nearly 5 percent of Canada’s population and have thriving communities in Toronto, Vancouver, and pretty much every other major Canadian city. Canada has had tense relations with China over suspected Chinese meddling in Canadian political affairs; hence Wealth One has been on the government’s radar. 

Draconian Compliance Measures

More interesting to us compliance professionals are the extraordinary measures that Wealth One must now take to stay clear of Xian, Chen, and Yang. That brings us back to those amended letters of patent, a copy of which the Globe and Mail posted publicly.

Most notably, Wealth One must hire two compliance officers: an anti-money laundering compliance officer, which isn’t news; and a “compliance security officer” who basically has to help the Finance Ministry figure out the extent of any Chinese espionage that might be happening at or through the bank. 

I’ve never heard of a U.S. compliance officer having quite the same duties, although I assume if one of you had that role and told me, you’d have to kill me. 

On the surface this job sounds rather straightforward. The candidate must be a Canadian citizen and hold a valid government security clearance; and the rest of the job description could have been lifted from any deferred-prosecution agreement here in the United States: vested with sufficient senior-level authority and resources, reports to the board of directors, has sufficient access to data to execute his or her responsibilities, and so forth. 

But there’s more! Part of this compliance officer’s job is to file reports to the Finance Ministry documenting Wealth One’s progress on new security obligations the ministry has imposed — and those requirements are a doozy.

  • Data protection: Wealth One must assure that Xian, Chen, and Yang never have access to the bank’s data again; and must report to the Finance Ministry any time any of the men even attempts to access the bank’s data. The bank must also create an “Enterprise Data Privacy and Security Council” that meets quarterly to assure that Wealth One lives up to its data privacy and protection obligations.
  • Messaging app bans: Wealth One must “prohibit and prevent” the use of WeChat (a popular social media app in China) or any other social media messaging platform, and mandate the use of corporate devices and systems for all business-related communications between employees or between the bank and its customers. (Again with the messaging apps compliance!) 
  • Surveillance countermeasures: The bank must hire a government-approved third party to conduct sweeps for bugs on company property (yes, the Ministry actually used the word “sweeps”) and to assure the technical integrity of all corporate devices, either at bank branches or approved for remote use. The sweeps must then be conducted at least annually for the foreseeable future.
  • Physical security: Wealth One must move to a new location “as soon as possible,” and the location must be pre-approved by the government; and the new location must be wholly separate from Xian, Chen, and Yang, who are not permitted to set foot on the property “for any reason unrelated to compliance with these terms.” 

We could keep going, rest assured. The Finance Ministry wants Wealth One to cut ties with its founders entirely, build an entirely new data protection and cybersecurity program, and engage in extensive anti-espionage measures potentially for years to come. It’s the most draconian, scorched-earth approach to breaking bad business habits that I’ve ever seen.

Where Wealth One Goes From Here

For its part, Wealth One says it has “worked collaboratively” with the Finance Ministry to reach this settlement, and even proposed some of the terms included in the amended letters of patent. It is not clear, however, whether Xian, Chen, and Yang have fully divested from the bank, or exactly what sort of influence Beijing may have been exerting at the bank.

“This brings certainty for the bank and closure for our stakeholders as we continue to operate in the normal course, under the leadership of our independent board of directors and the management team,” bank CEO Paul Leonard told the Globe and Mail.

I just want to know who fills that security compliance officer role, and what experience he or she has to land that job. 
