FINTRAC

Six pillars of MSB defensibility

A defensible AML compliance program for Canadian MSBs is built on six elements that FINTRAC examines both as documentation and as operating evidence.

FINTRAC examinations assess compliance programs against a consistent framework. Understanding that framework in advance is more valuable than responding to examination findings after the fact. A compliance program that is defensible under examination is not necessarily a complicated one. It is a program that works in practice and can be demonstrated to work. That standard can be broken into six elements.

Written policies and procedures

The first pillar is a set of written policies and procedures that accurately describe how the compliance program operates for the specific business. Policies that were drafted at the time of registration and not updated as the business evolved are a consistent source of examination findings.

Defensible policies describe the actual product, the actual customer base, the actual transaction types, and the actual risks the business faces. A policy that describes a generic money transmitter when the business is a virtual currency exchange, or that references processes that no longer match how the business operates, is not a defensible policy document.

Policies also need to be accessible to the staff who are expected to follow them. A compliance manual that exists but is not distributed, not understood, and not reflected in operational practice is not an implemented compliance program.

Risk assessment

The risk assessment is the foundation on which the rest of the compliance program is built. FINTRAC requires MSBs to assess the risk of money laundering and terrorist financing associated with their business, and to use that assessment to inform the design of their compliance controls.

A defensible risk assessment identifies the specific risks that apply to the specific business. It accounts for the customer types the business serves, the products and services it offers, the geographic reach of its operations, and the delivery channels through which it interacts with customers. It is updated when any of those factors change materially.

Risk assessments that identify only generic risks, that are copied from templates without adaptation to the actual business, or that were completed once and not revisited, are vulnerable in examination. The risk assessment should be a living document that reflects the business as it currently operates.

Training

Training is the mechanism by which the compliance program reaches the people who are expected to carry it out. FINTRAC assesses both the content of the training and the records that demonstrate it was delivered and received.

Defensible training covers the specific obligations that apply to each role, not just general AML awareness. Transaction monitoring staff need training on how to identify suspicious activity in the context of the products the business offers. Customer-facing staff need training on know-your-client obligations. Compliance staff need training on reporting obligations and escalation procedures.

Training records need to show that specific individuals received specific training on specific topics, with dates. Completion records, assessment results, and training materials are all reviewed. From an examination perspective, training that cannot be evidenced did not happen.

Transaction monitoring

Transaction monitoring is the ongoing function of reviewing transactions for patterns or characteristics that may indicate money laundering or terrorist financing. A defensible monitoring program is one that can be shown to operate and that generates documented outcomes.

The monitoring program does not need to be built on sophisticated automated software, although automated tools help with volume. It needs to be appropriate for the scale and risk profile of the business, systematically applied, and documented. Alerts that are generated but not reviewed, or reviewed but not documented, leave gaps in the operating evidence.

The monitoring program also needs to be calibrated to the specific risks identified in the risk assessment. A monitoring program that is not designed to detect the transaction patterns most likely to arise in the business is not a defensible monitoring program for that business.

Ongoing compliance and periodic review

FINTRAC requires MSBs to review their compliance program periodically to assess whether it remains effective and up to date. The periodic review is not an internal audit in the accounting sense. It is a structured assessment of whether the program elements are current, implemented, and producing the outcomes they are designed to produce.

A defensible periodic review produces written output. It identifies what was reviewed, what was found, and what changes were made or confirmed as appropriate. A review that is done informally without a written record cannot be demonstrated in examination.

The frequency of review should be tied to the risk profile of the business, not to an arbitrary calendar. A business that undergoes significant change, in product, market, or risk profile, should review its compliance program more frequently than one that is stable.

Operating evidence

The sixth pillar ties together the other five. Operating evidence is the documentation that shows the compliance program is not just a set of documents but a system that works in practice. It includes the records of monitoring decisions, STR escalation and filing records, training completion logs, risk assessment reviews, and periodic compliance review outputs.

FINTRAC examiners work from operating evidence. They ask for examples of how specific transaction types are handled, how alerts are resolved, how escalation decisions are made, and how training is tracked. If the evidence exists, the examination proceeds on that basis. If it does not, the program cannot be demonstrated and findings follow.

Building and maintaining operating evidence is an ongoing operational function, not a preparation exercise. The records that make a compliance program defensible are the records generated by running the program day to day.
