AML/ATF Awareness Training

Free certification course · Canada (FINTRAC / PCMLTFA)

1 · Start

2 · Learn

3 · Quiz

4 · Certificate

Free AML/ATF Awareness Training

A short, plain-language walkthrough of Canada's anti-money-laundering and anti-terrorist-financing regime, followed by a short quiz. Pass and you'll receive a completion certificate from C&G.

Money laundering & terrorist financing KYC / client due diligence Reporting to FINTRAC Monitoring & red-flag indicators

Before you begin

Enter your name and email. Your name will appear on your certificate, and we'll use your email to send you a copy and occasional AML/compliance updates from C&G.

Full name (as it should appear on the certificate)

Please enter your full name.

Email address

Please enter a valid email address.

Organization (optional)

Please note: This module is general AML/ATF awareness education and a marketing resource provided by C&G. The certificate confirms completion of this course only. It is not legal advice and does not, on its own, satisfy a reporting entity's training-program obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). For a compliance program tailored to your business, contact C&G.

The walkthrough

Four short modules. Read each one, then start the quiz. ~12–15 minutes.

What money laundering and terrorist financing are

Money laundering (ML) is the process of taking money generated by crime and making it look like it came from a legitimate source. It usually moves through three stages:

Placement	"Dirty" cash enters the financial system — e.g. deposited, used to buy assets, or broken into smaller amounts.
Layering	Funds are moved through layers of transactions, transfers, and conversions to obscure their origin and break the audit trail.
Integration	The now-"clean" money re-enters the economy as apparently legitimate funds — investments, businesses, luxury purchases.

Terrorist financing (TF) is raising, moving, or using funds to support terrorism. A key difference: ML always starts with money from crime, but TF funds can come from perfectly legitimate sources (salaries, donations, businesses). With TF, it's the destination and purpose that matter, not the origin.

Who polices this in Canada? The governing law is the PCMLTFA. FINTRAC (the Financial Transactions and Reports Analysis Centre of Canada) is Canada's financial intelligence unit. It collects reports from regulated businesses, analyzes them, and discloses intelligence to police and other agencies. FINTRAC does not investigate or prosecute crimes itself — it also assesses compliance and can levy penalties.

Reporting entities are the businesses required to comply: banks and credit unions, money services businesses (MSBs), accountants, real estate brokers, casinos, dealers in precious metals and stones, life insurers, securities dealers, and more. Recent amendments have pulled in new sectors including mortgage lenders, title insurers, factoring companies, cheque-cashing businesses, financing/leasing companies, and private-ATM operators.

Who fights financial crime in Canada

FINTRAC doesn't act alone. Canada's regime is a team effort across more than a dozen federal partners, each with a different role — setting the rules, gathering intelligence, investigating, and prosecuting:

Department of FinanceFinance Canada Owns the AML/ATF law and policy (the PCMLTFA) and co-leads the national regime.

FINTRACFinancial Transactions and Reports Analysis Centre of Canada Canada's financial intelligence unit and AML/ATF supervisor — receives your reports, analyzes them, and checks compliance.

RCMPRoyal Canadian Mounted Police Investigates money laundering, terrorist financing and other profit-driven crime, acting on FINTRAC intelligence.

CRACanada Revenue Agency Pursues tax evasion and the laundering tied to it, and guards against charities being abused for terrorist financing.

CBSACanada Border Services Agency Runs cross-border currency reporting and seizures, and feeds that information to FINTRAC.

CSISCanadian Security Intelligence Service Receives financial intelligence to investigate threats to national security, including terrorist financing.

PPSCPublic Prosecution Service of Canada Prosecutes money laundering, terrorist financing and related offences in court.

Public Safety CanadaPublic Safety Canada Co-coordinates the overall regime and sets enforcement priorities alongside Finance.

OSFIOffice of the Superintendent of Financial Institutions Prudentially regulates federally regulated banks and insurers, including their financial-crime controls.

On the horizon — the Canada Financial Crimes Agency (FCA). In April 2026 the federal government introduced Bill C-29 to create a dedicated financial-crime law-enforcement agency that would bring together investigative muscle from the RCMP, intelligence from FINTRAC, and expertise from the CRA under one roof, with full investigative powers. As of mid-2026 it is proposed legislation, not yet law.

Every reporting entity needs a compliance program

If your business is a reporting entity, the law doesn't just ask you to file reports — it requires a written compliance program, built on five elements. This course walks through the knowledge that program depends on. The five elements are:

An appointed compliance officer.
Written policies and procedures, kept up to date.
A documented risk assessment of your clients, products, services, and delivery channels.
An ongoing training program for staff.
A two-year effectiveness review of the whole program (at least every two years).

Know Your Client (KYC) and client due diligence

You can't manage a risk you can't see. KYC means knowing who your client is, what they do, and whether their activity makes sense — before and during the relationship.

Verifying an individual — five methods

FINTRAC authorizes five methods to verify the identity of an individual:

Government-issued photo ID — an authentic, valid and current photo ID issued by a government, showing the person's name, photo and a unique number.
Credit file method — checking a Canadian credit file that has existed for at least three years.
Dual-process method — two reliable, independent sources confirming name + address, or name + date of birth, or name + a financial account.
Affiliate or member method — relying on identity already verified by an affiliate (or a member of the same financial-services cooperative / credit-union central) that used one of the first three methods. You obtain the name, address, date of birth, the method used and the date, and confirm it's still valid; all three data points must match.
Reliance method — relying, under a written agreement, on identity verification already done by another reporting entity (or an affiliated foreign entity). Unlike the affiliate method, they need not be in the same corporate group — and you must judge reliance appropriate for the client's risk.

Government photo ID — in person vs. remote:

Face-to-face: examine the original document, confirm it is authentic, valid and current, that the name matches, and that the photo resembles the person in front of you.
Non-face-to-face (remote): you must authenticate the ID using a technology capable of confirming it is genuine — a plain photocopy or scan is not enough on its own — and confirm the name and that the photo matches the person.

Verifying an entity — three methods

For an entity (e.g. a corporation), there are three methods:

Confirmation of existence method — confirm the entity's name, address and (for a corporation) its directors from a record such as a certificate of incorporation, an annual filing, or a certificate of active corporate status.
Reliance method — rely, under a written agreement, on identity verification already performed by another reporting entity.
Simplified identification method — for specific lower-risk entities (e.g. public bodies, regulated financial entities, publicly traded corporations and their subsidiaries), confirm the entity meets the qualifying criteria instead of full verification.

Whichever method you use, for a corporation you must also identify its beneficial owners — the individuals who directly or indirectly own or control 25% or more — together with its directors and its ownership/control structure.

When and how much

Canada uses a risk-based approach: the higher the risk, the more you do. Higher-risk clients call for enhanced due diligence — more frequent monitoring and steps to establish source of funds and source of wealth.

When is client identification triggered?

You don't verify everyone for everything — specific events trigger the requirement. The common ones:

A large cash transaction ($10,000+) or large virtual currency transaction ($10,000+).
An electronic funds transfer of $10,000+ — you identify the person or entity who requests it.
A suspicious transaction — take reasonable measures to identify the client, regardless of amount, even if it's only attempted.
Opening an account or entering into a business relationship (for account-based sectors).
For money services businesses, lower thresholds apply: $1,000 for money transfers / remittances (and electronic funds transfers), and $3,000 for foreign-currency exchange.
For cheque-cashing businesses: cashing a cheque of $3,000 or more.

Third-party determination

You must take reasonable measures to figure out whether someone is acting on behalf of a third party — i.e. the person in front of you isn't the real beneficiary. This is required when you receive $10,000+ in cash (LCTR), receive $10,000+ in virtual currency (LVCTR), or are required to keep an information record (for example, opening certain accounts that need a signature card or account-operating agreement).

If a third party is involved, record their name, address, telephone number, date of birth, and occupation or nature of principal business, the nature of their relationship to the client, and — for an entity — its incorporation/registration details.
If you can't confirm one but still suspect a third party, you must keep a record explaining why you suspect it.

Example: A man deposits $11,000 cash and mentions it's "for my boss's company." That's a clear third-party signal — you record the boss/company as the third party. Compare: a woman deposits $11,000 and insists it's entirely her own, but pauses and checks her phone for the figures. You can't confirm a third party, but the behaviour is odd — you document why you suspect one.

PEPs and HIOs (higher-risk people)

A politically exposed person (PEP) holds or held a prominent public office; a head of an international organization (HIO) heads (or headed in the last 5 years) an organization set up by governments. Both categories extend to their family members and close associates. PEPs split into:

Foreign PEP	Always treated as high risk. You must take reasonable measures to establish source of funds and source of wealth, get senior-management approval to open/keep the account, and apply enhanced monitoring — there's no time limit on foreign-PEP status.
Domestic PEP / HIO	The same enhanced steps (source of funds/wealth, senior-management sign-off, enhanced monitoring) apply when you assess the relationship as high risk.

Source of funds = where the specific money in this transaction came from. Source of wealth = the origin of the person's overall assets (business, inheritance, investments, etc.). They're different, and PEP rules require both.

Example: A new client is the spouse of a foreign cabinet minister (a foreign PEP's family member, so automatically high risk). Before proceeding you establish that the funds come from the sale of a family business (source of funds), confirm their broader wealth is consistent with that history (source of wealth), and have a senior manager approve the relationship in writing.

Reporting to FINTRAC

Reporting is the heart of the regime. There are several report types — these are the ones you're most likely to meet:

STRSuspicious

LCTRLarge cash

LVCTRVirtual currency

EFTRInt'l transfers

LPEPRListed person

Report & trigger	Deadline	Worked example
Suspicious Transaction Report (STR) Reasonable grounds to suspect a transaction — completed or attempted — relates to ML/TF. No dollar threshold.	As soon as practicable after reaching the suspicion.	A client tries to wire $4,000 abroad, then abandons it the moment you ask about the purpose, and returns the next day to try again at a different branch. No money moved, but you file an STR on the attempt.
Large Cash Transaction Report (LCTR) Receiving $10,000+ in cash in a single transaction.	15 calendar days	A customer pays a $14,000 invoice in $20 bills. Legitimate or not, the cash amount alone triggers an LCTR within 15 days.
Large Virtual Currency Transaction Report (LVCTR) Receiving $10,000+ in virtual currency.	5 working days	A client sends you the Bitcoin equivalent of $12,500 for a purchase. You file an LVCTR within 5 business days.
Electronic Funds Transfer Report (EFTR) International EFT of $10,000+ — both outgoing (you initiate it out of Canada) and incoming (you finally receive it from outside Canada).	5 working days	You send $25,000 to a supplier in Germany (outgoing) — reportable. A client receives $30,000 from an account in Singapore (incoming) — also reportable. Both within 5 business days.
Listed Person or Entity Property Report (LPEPR) Property you know is owned/controlled by or on behalf of a terrorist group, listed person, or listed/sanctioned entity. (Replaced the old Terrorist Property Report on March 2, 2025, and now also covers sanctioned property.)	Disclose to RCMP/CSIS and report to FINTRAC.	You discover an existing account is held by an entity on a Canadian sanctions/terrorist list. No transaction has to occur — the mere existence of the property triggers the report.
Beneficial Ownership Discrepancy Report A material discrepancy between the beneficial-ownership information you obtained and the registry at Corporations Canada, for an active federal (CBCA) corporation you assess as high ML/TF risk. (In force Oct 1, 2025 — note: filed to Corporations Canada, not FINTRAC.)	30 days after identifying it — but not required if you resolve it within those 30 days.	A corporate client's registry lists one director as sole owner, but your due diligence uncovers a silent 40% shareholder who isn't recorded. A missing beneficial owner is material, so you report the discrepancy.

The 24-hour rule: two or more cash (or virtual currency, or international EFT) amounts that together reach $10,000 within a 24-hour window, made by or on behalf of the same person, are treated as a single large transaction and must be reported. Deliberately breaking a payment into smaller chunks to dodge this is called structuring (or "smurfing") — and it's itself a red flag.

Sanctions evasion — reported on an STR, but not the same as ML/TF

Since 2024, suspected sanctions evasion is also reportable. If you have reasonable grounds to suspect a transaction relates to getting around Canadian sanctions — for example, someone transacting on behalf of a sanctioned person or entity, or disguising a sanctioned counterparty — you must file a Suspicious Transaction Report.

Keep the distinction clear: money laundering disguises the proceeds of crime, terrorist financing funds terrorism, and sanctions evasion is circumventing sanctions law — a separate offence that doesn't require any criminal proceeds at all. They use the same STR: if a transaction looks like it involves more than one of these, you file one STR that sets out the details for each suspected offence.

Ministerial directives

The Minister of Finance can issue a ministerial directive under the PCMLTFA requiring reporting entities to apply special, mandatory measures to transactions connected to a particular foreign jurisdiction or entity that poses a high risk. Directives can require enhanced ID, extra record-keeping, or transaction restrictions — and FINTRAC now reviews compliance with them during examinations.

Canada currently has directives covering Iran, Russia, and North Korea (DPRK).

Examples:

Iran — in force since 2020, amended February 2024 and November 15, 2025. Since the November 2025 amendment, all reporting entities (no longer just banks, credit unions and MSBs) must report every transaction to or from Iran regardless of amount, verify the identity of anyone requesting or benefiting from it, and keep the records for at least five years.
Russia and North Korea — updated directives effective March 22, 2025: treat every transaction to or from those countries (any amount) as high-risk, verify the identity of anyone requesting or benefiting from it, apply customer due diligence with particular attention to sanctions-evasion risk, and keep a record.

Tipping off is prohibited

You must never tell a client (or anyone not entitled to know) that you have made, or are considering making, a suspicious transaction report. "Tipping off" can compromise an investigation and is an offence.

You can have to file more than one report for the same transaction — for example, a $12,000 cash deposit that also looks suspicious needs both an LCTR and an STR.

Three remittance scenarios

The same money-transfer counter can generate different reports depending on what happens. Picture a busy remittance/MSB front desk:

LCTR	A customer hands over $11,500 in cash to send to family abroad. Receiving $10,000+ in cash triggers a Large Cash Transaction Report — verify their identity and file within 15 calendar days.
EFTR	You transmit a client's $15,000 international money transfer out of Canada (or finally receive one from abroad). An international EFT of $10,000+ triggers an Electronic Funds Transfer Report — file within 5 working days.
STR	A customer who normally sends $300 suddenly makes five $2,000 transfers in a week to different people in a high-risk country, and gets evasive about where the money came from. No single transfer hits $10,000, but the pattern (possible structuring) gives reasonable grounds to suspect. File a Suspicious Transaction Report — no threshold, as soon as practicable, and don't tip the customer off.

Ongoing monitoring and red-flag indicators

Ongoing monitoring means keeping an eye on a business relationship over time — to detect transactions that have to be reported, keep client information current, reassess risk, and check that activity still matches what you know about the client.

Common ML/TF indicators

No single indicator proves wrongdoing; you look at the whole picture. Watch for:

Transactions that don't fit the client's known profile, income, or business.
Structuring — amounts kept just under reporting thresholds, or split across days/branches.
Reluctance or refusal to provide ID, beneficial-ownership details, or source-of-funds information.
Unusual nervousness, over-explaining, or knowledge of reporting thresholds.
Use of third parties, nominees, or shell companies with no clear business rationale.
Funds moving quickly in and out, or routed through high-risk jurisdictions.
Requests to avoid records, rush a deal, or pay large amounts in cash without reason.

Sector-specific indicators

Different businesses see different red flags. A few that matter most in higher-volume cash and transfer sectors:

Money services businesses & remittance:

Amounts kept just under the $1,000 or $10,000 thresholds, or split across agents, locations or days.
Many different senders funding one beneficiary, or one sender paying many unrelated beneficiaries.
Transfers that don't fit the customer's stated purpose, income or community ties.
Use of informal value-transfer systems (hawala, hundi, fei ch'ien) layered with formal transfers.
Reluctance to identify the beneficiary or explain source of funds; a third party clearly directing the transfer.

Payment service providers (PSPs) & prepaid products:

"Funnel" or pass-through accounts: funds in and straight back out, with no real business purpose.
Account or card name that doesn't match the person funding or using it.
Many small loads of prepaid/reloadable cards followed by rapid withdrawal or transfer.
Rapid movement of funds between wallets, cards and accounts to break the trail.

Casinos & gaming:

Buying in with large cash, playing minimally, then cashing out for a cheque ("refining" dirty cash).
Asking for winnings to be paid to a third party, or to an account in a high-risk country.
Using others to place bets or buy chips on someone's behalf.
Buy-ins structured just under reporting thresholds, or spread across cages and tables.

Your compliance program — the five pillars

Detecting and reporting all of the above only works if it sits on a proper compliance program. Every reporting entity must maintain one, built on five required elements (introduced at the start of this course):

OfficerAppointed lead

Policies& procedures

Riskassessment

TrainingOngoing

ReviewEvery 2 years

Recent amendments raise the bar: a compliance program must now be "reasonably designed, risk-based and effective," and the maximum administrative monetary penalties (AMPs) for violations have increased substantially. FINTRAC also publishes the names of penalized businesses — non-compliance carries real financial and reputational cost.

Recordkeeping and retention

If it isn't documented, to a regulator it didn't happen. Good records prove you met your obligations and let FINTRAC reconstruct what occurred.

What you generally have to keep

Client identification records — who you verified, the method used, the ID type, issuing authority, and unique number.
Transaction records — copies of every report filed (LCTR, LVCTR, EFTR, STR, LPEPR) and the underlying records (receipt of funds, account activity).
Beneficial ownership information for entities, and the steps taken to confirm it.
PEP/HIO determinations — the status decision, source of funds/wealth measures, and senior-management approval.
Third-party determination records (including why you suspected a third party when you couldn't confirm one).
Business relationship records — purpose and intended nature of the relationship, and your ongoing-monitoring measures.

Two numbers to remember:

Keep records for at least 5 years (generally from the day the record was created, or after an account is closed / the last transaction).
Be able to produce them to FINTRAC within 30 days of a request.

Records can be kept on paper or electronically, as long as they're retrievable within that 30-day window and can be turned into a readable, usable format. Under a ministerial directive (e.g. Iran), you may have to keep records of transactions regardless of amount.

Example: Two years after a $40,000 wire, FINTRAC sends an examination request. Because you kept the client-ID record, the EFT details, the purpose-of-relationship note, and a copy of the EFTR, you assemble and submit the file inside 30 days — and demonstrate a compliant, retrievable system.