Hello, Insight Monitor subscribers, and welcome to another week of news and analysis on all things related to illicit finance and international security. This week, we’re looking at Canada’s National Security Intelligence Review Agency’s (one of several security and intelligence review and oversight functions) analysis of how Canada regulates and ultimately deregisters charities. This is part of our counterterrorist financing system intended to prevent the abuse of charities by terrorist groups, entities, and individuals. Needless to say, NSIRA found a few….issues…in how this system operates. Have a read to learn more! And if you’re not Canadian, this is still very much worth a read, because NSIRA goes into pretty good detail on how to assess risk in the sector. Something for all of us to learn from.
Last week, the National Security Intelligence Review Agency (NSIRA), released its review of the Canada Revenue Agency’s (CRA) Review and Analysis Division. The purpose of the review was to try and determine whether the division treats registered Canadian charities fairly and without discrimination on the basis of religion.
This review was sparked, at least in part, by the report “Under Layered Suspicion: A Review of CRA Audits of Muslim-Led Charities”.1 The report looked at a selection of case studies and concluded that the possibility of bias in CRA “informs the structure, design, and/or bureaucratic application” of government policies, including the anti-terrorism financing regime. This report was widely cited as demonstrating bias in CRA’s approach to charities. That report, however, never actually went that far, nor would its methodology support findings like that. (Nerd out with me here for a minute: for a study to find bias based on religion, a broader sample of audits of charities would have to be analyzed across a diverse set of charitable causes, and then intervening variables such as quality of governance and management structure controlled for in order to identify bias in an outcome like deregistration.)
Enter NSIRA.
NSIRA also didn’t find that CRA’s Review and Analysis Division (RAD) had breached its non-discrimination obligations under Canadian Law. But there’s a very troubling reason why not, and I’m going to spend some time unpacking that.
What is RAD?
CRA’s Review and Analysis Division was established in the post 9/11 counter terrorism framework as part of Canada’s obligations under the Financial Action Task Force’s (FATF) Recommendation 8. This recommendation requires that all countries protect non-profit organizations from terrorist financing abuse through a risk-based approach that targets only those most vulnerable to misuse. Basically, charities and non-profit organizations were identified as a significant source of terrorist financing after the terrorist attacks of September 11, 2001, and this was the global response to that. To learn more about how terrorists exploit charities and the broader charitable sector:
RAD is responsible for conducting audits of charities to identify potential terrorist financing abuse (although the Charities Directorate, writ large, can also audit for broader issues). NSIRA’s review focused on the trigger for these audits, or essentially, what led RAD to conduct an audit of the charitable organization.
These triggers include things like derogatory media, intelligence from security and intelligence partners, public tips, or referrals from other areas of the CRA. In cases of serious non-compliance, CRA can order the revocation of the charitable status of the organization. (Note: this does not mean that the organization has to stop functioning, and there are no criminal penalties associated with this. In fact, some charities that have had their status revoked have continued to operate as non-profit entities in Canada, enjoying tax-free status. Have a read of the case below to find out what happens when a charity loses its tax-free status. It’s not particularly good news.)
The Findings
The report is well worth reading, particularly in the context of Canada’s upcoming FATF mutual evaluation (starting later this year, and expected to conclude, with results published, in 2026). This report will certainly be on the FATF assessor’s reading list. Let me highlight some of the findings from the report and explain why I think these are so important.
RAD’s indicators of terrorist abuse
NSIRA found that RAD does not have an evidence-based method for validating risk indicators that it relies on to justify scrutinizing a charity for terrorism-related concerns. They have a list of indicators, but they don’t record which indicators are triggered that lead to an audit. This is what the youth today might call vibes analysis.
While this is quite bad from a transparency and accountability perspective, let’s take a quick look at the positive outcome of this. In their response to the review, CRA said:
“Effective for the 2025-26 fiscal year, the CRA will implement a formal tracking mechanism to oversee audit referrals and refine processes for documenting audit selection criteria and decisions. This will enable the CRA to formally document annual audit planning decisions, and identify which registered charities will be audited during a fiscal period based on established priorities and available resources.”
This is extremely good news, and highlights the best outcome of NSIRA’s reviews: a strengthening of internal processes, and ultimately, a strengthening of rule of law in Canada. At a time when we see this deteriorating around the world, and particularly in our southern neighbours, I think we should take a moment to enjoy this.
CRA relies on risk indicators as part of its process for selecting charities for audits. These indicators reflect “internationally recognized indicators” as developed by the FATF. (Sidebar: Anyone involved in risk indicator development knows how slippery this process is. I wouldn’t describe it as evidence-based, or methdologically sound. Probably something we should all work on, right?)
NSIRA found that the CRA’s indicators are also not formally assessed for effectiveness, and they recommended that RAD develop an evidence-based method for validating indicators. This is a great suggestion for countries all around the world who are using similar methods to assess risks of charitable abuse. But here’s the bottom line of NSIRA’s review: they aren’t recording their use of indicators, and those indicators themselves aren’t validated or based on real evidence. More vibes.
Here’s the real kicker though. The lack of rigour in RAD’s processes introduced the risk of bias and discrimination. NSIRA could not go further, however, because of how poor RAD’s internal governance is/was (it’s important to note here that steps have already been taken to start fixing this). There was “no consistency in the documentation for capturing and assessing risks”, and the lack of standardization means that the selection of charities for audit is “highly subjective and could be susceptible to bias.” Basically: the work was so poorly documented and standards were so uneven (when they existed at all) that NSIRA couldn’t even test for bias in their review.
Our terrorist financing analysis course caters to researchers, intelligence, law enforcement, and compliance professionals to help them learn about terrorist financing, and analyze suspicious patterns and activities more effectively. Sign up today!
Going forward
I want to take a second to highlight that responses to this review haven’t been entirely fact-based. For instance, the International Civil Liberties Monitoring Group stated that NSIRA “confirmed” their findings that audits of Muslim charities are “flawed, biased & discriminatory”. Having read this review, NSIRA has definitely found the audits to be flawed. But biased and discriminatory? Nope. (This whole topic has big “vibes-over-evidence” energy.)
You can read CRA’s response to the NSIRA review here. My sincere hope is that even more steps are taken to tighten up how the CRA conducts audits of charities for terrorist abuse, and that the CRA really takes a close look at its indicators in the current geopolitical context of terrorism, state-sponsored terrorism, and extremism. Because terrorists find charities (and charitable causes) useful for financing and facilitation activities, it is unlikely to stop anytime soon.2
To use these types of indicators, it’ll be important for them to remain contextually relevant. For instance, I would argue that if RAD wants to continue using the indicator “conducting activities in or close to a foreign high-risk jurisdiction”, they’re going to have to include the United States as one of those high-risk jurisdictions. I’m not being facetious. A handful of terrorist entities on our terrorist list (Three Percenters, James Mason, Proud Boys, and the Base) originate in the United States. If we’re going to call Syria a high-risk jurisdiction because it’s been home to several terrorist groups, then we have to do the same for the United States.
Oh, also, someone should do something about the non-profit organizations. They are almost entirely unregulated and unaudited, and they are just as likely to be abused for terrorist financing purposes as registered charities. Vibes-based legislation and regulation.
Did you find this post insightful? Share it with a colleague, and help us grow our community of people who care about illicit finance!
© 2025 Insight Threat Intelligence Ltd. All Rights Reserved.
This newsletter and its contents are protected by Canadian copyright law. Except as otherwise provided for under Canadian copyright law, this newsletter and its contents may not be copied, published, distributed, downloaded or otherwise stored in a retrieval system, transmitted or converted, in any form or by any means, electronic or otherwise, without the prior written permission of the copyright owner.
Anver M. Emon and Nadia Z. Nasan, Under Layered Suspicion: A Review of CRA Audits of Muslim-Led Charities (2021), https://uploads-ssl.webflow.com/6014cdeca65f7f2af7e18187/605eb346393ed260c23713e2_Under_Layered_Suspicion_Report_Mar2021.pdf.
Another sidebar. I think CRA RAD has the capacity to become a world leader (and ideally, trainer), in developing and validating risk indicators. They have the skills, knowledge, and frameworks to do this. The whole sector is ripe for reform, and I would personally love to work on this, either with CRA or with one of my partner organizations working in this area.