Common AML program failures for Canadian MSBs

The compliance program failures that most frequently produce FINTRAC findings are structural, not incidental — and most are preventable.

FINTRAC enforcement outcomes show consistent patterns in the compliance failures that lead to administrative monetary penalties. Most of these failures are not obscure technical violations. They are structural gaps between what the compliance program says and what the business does. Understanding them in advance allows fintech MSBs to build programs that avoid the most common examination findings.

Policies that do not reflect the actual business

The most widespread compliance failure is a written compliance program that describes a business that no longer exists, or never existed in the form the documents describe. This happens when policies are drafted at registration, based on the anticipated product, and then not updated as the business launches, changes, and grows.

A virtual currency exchange that still has a compliance program written for a generic money transmitter has a documentation gap that will appear in examination. A payment platform that has added foreign exchange features without updating its risk assessment or policies has the same gap. The policy documents need to describe the actual product, the actual customer base, and the actual transaction types the business handles.

This failure is particularly common in companies that experienced rapid growth. When product and operations move fast, compliance documentation often falls behind. The gap becomes apparent when an examiner asks to see policies that address a specific feature the business has been operating for a year.

Risk assessments that are generic rather than specific

FINTRAC requires a risk assessment that is specific to the business. An assessment that identifies only general money laundering risks without reference to the particular customers, products, geographies, and delivery channels of the business does not satisfy that requirement.

Generic risk assessments are often produced by templates downloaded from the internet or provided by third-party compliance consultants without adequate customization. They may cover all the required topics at a high level without engaging the actual risk profile of the business.

A specific risk assessment for a crypto exchange identifies the risks associated with high-value virtual currency transactions, the specific jurisdictions the exchange serves, the customer types it onboards and their associated risk levels, and the on-ramp and off-ramp mechanisms it uses. A specific risk assessment for a remittance platform identifies the destination countries that present elevated risk, the customer segments that transmit to those destinations, and the monitoring approach calibrated to those flows.

Training that cannot be evidenced

In a FINTRAC examination, training that happened but was not documented is treated the same as training that did not happen. If the business cannot produce records showing that a specific individual received training on a specific topic before performing the functions that training covers, the training program cannot be demonstrated.

This failure is most common when training is delivered informally, whether through verbal instruction, observed practice, or informal team meetings, without any record of the content, the attendees, or the date. Growing companies often train new employees quickly under operational pressure without generating the documentation that would satisfy a regulatory review.

The fix is straightforward: document what was covered, who attended, when it occurred, and how completion was verified. That record does not need to be elaborate, but it needs to exist.

Monitoring without documented outcomes

Transaction monitoring that generates alerts and then resolves them without a written record of the review is not a defensible monitoring program. FINTRAC's expectation is that each alert is reviewed by a qualified person, that the review is documented, and that the disposition of the alert is recorded, including the basis for not filing an STR where one was considered.

Fintech companies using automated monitoring tools sometimes assume that the tool’s logs satisfy the documentation requirement. In many cases they do not, because the tool records that an alert was opened and closed without capturing the human analysis of why it was closed and what was found.

Periodic review that produces no output

The periodic compliance review is a mandatory element of the compliance program. FINTRAC expects it to occur at intervals appropriate to the risk profile of the business, and to produce written output that shows what was reviewed, what was found, and what was done as a result.

Reviews that are conducted informally, or that produce only verbal conclusions, cannot be demonstrated in examination. The absence of review records is treated as evidence that the review did not occur, regardless of what the compliance team says it did informally.
