Preparing for a FINTRAC examination
FINTRAC examinations test operating evidence, not just policy documents — preparation means assembling the records that show how the compliance program runs in practice.
What FINTRAC looks for in an MSB review
FINTRAC examinations test whether a compliance program works in practice, not whether it exists on paper.
FINTRAC examinations do not test whether a company has a compliance policy. They test whether the compliance program works in practice. That distinction matters because many fintech companies have written policies that do not reflect how the business actually operates, and that gap is what examiners are trained to find.
What a FINTRAC examination covers
FINTRAC examinations assess five core elements of an MSB compliance program: the written policies and procedures, the risk assessment, the training program, the ongoing compliance function, and the records and reporting obligations. Each element is reviewed against both documentation and evidence of implementation.
Written policies need to describe the actual business. A policy drafted for a generic money transmitter will not adequately address the specific risks of a crypto exchange, a payroll platform, or a marketplace with embedded payments. Examiners look at whether the policies map to the real product, the real customer base, and the real transaction types.
The risk assessment is evaluated against the business as it actually operates. A risk assessment that does not mention virtual currency activity for a crypto platform, or does not address cross-border flows for a remittance business, is not a compliant risk assessment. FINTRAC expects the risk assessment to reflect the specific risks of the specific business.
Training records must show that staff have actually received training, that the training covered the right topics, and that it has been updated when the business or regulatory requirements change. Completion records, training materials, and assessment results are all reviewed.
What operating evidence means
Operating evidence is the category that most often produces findings. A company can have a detailed compliance policy and still receive a penalty if it cannot show that the policy is being followed in practice.
Operating evidence includes records of compliance monitoring decisions, documentation of suspicious transaction escalations and outcomes, records showing how transaction monitoring alerts were reviewed and resolved, training completion logs, and evidence that the periodic compliance review actually occurred and produced actionable output.
FINTRAC examiners will ask for examples. They will ask to see how a specific type of transaction is handled through the monitoring system, what triggered a suspicious transaction escalation, and what the outcome was. If the company cannot show the records, the position that the program is working will not hold.
The most common gaps that produce findings
Policies that were drafted at registration and not updated as the business grew are a consistent source of findings. A company that added a foreign exchange feature or expanded into a new market without updating its risk assessment and policies has a gap that an examiner will identify.
Transaction monitoring that operates without documented outcomes is another common issue. Running automated monitoring without documenting the review and disposition of alerts does not satisfy the ongoing compliance obligation. The records of what was reviewed and what decision was made are part of the compliance evidence.
Incomplete or undated training records are a recurring problem. If the company cannot produce evidence that a specific employee received training on a specific topic before handling customer transactions, the training program cannot be demonstrated to be operational.
Periodic compliance reviews that produce no written output are a gap. The review requirement is not satisfied by informally checking things internally. FINTRAC expects a written record of what was reviewed, what was found, and what was changed or confirmed as a result.
What to do before an examination
FINTRAC examinations can be initiated without advance notice, though in practice there is usually some contact before on-site review. The time to prepare is before the examination is initiated, not after.
The most useful preparation is a gap assessment against the five program elements. For each element, the question is whether documentation exists, whether it reflects the current business, and whether operating evidence supports it. Gaps identified internally are much less costly to address than gaps identified by FINTRAC during examination.
Related topics
Related Posts
View All Posts »Common AML program failures for Canadian MSBs
The compliance program failures that most frequently produce FINTRAC findings are structural, not incidental — and most are preventable.
Documentation matters more than policy language
In a FINTRAC examination, the records that show how the compliance program runs carry more weight than the policies that describe it.
Financial technology regulation in Canada
Canadian fintech regulation turns on what a product does, not what it is called — and the analysis starts with the flow of funds.