01

Weak or Outdated AML Policies

The Problem

Copy-paste templates or unreviewed manuals that do not reflect your actual business — its risks, services, client types, or reporting thresholds.

The Fix

Policies must match your actual business model. Review and update your program at least annually, or immediately when your business model or regulations change.

02

No Risk Assessment — or a Generic One

The Problem

A one-size-fits-all risk form will not satisfy FINTRAC. A generic risk assessment tells examiners you have not actually assessed your business.

The Fix

Develop a tailored risk-based assessment covering: products & services, delivery channels, geographic exposure, new technologies, and client types. Keep it current and relevant to what you actually offer.

Important: Do not include crypto as a service with mitigation measures if you do not offer crypto. FINTRAC examiners notice discrepancies between your risk assessment and your actual operations.
03

No Ongoing AML Training — or Lack of Documentation

The Problem

A single onboarding session does not build a culture of compliance. And undocumented training — as far as FINTRAC is concerned — did not happen.

The Fix

Run annual AML/ATF training for all relevant staff. Track training dates, topics covered, and names of attendees. Maintain a training log regardless of delivery format.

Tip: You do not need to spend a lot. Reputable free or low-cost options include the TCAE Knowledge Series (free webinars), ACFCS Annual Virtual Conference, and Tamlo’s “Flag the Money” course. For webinars without certificates, keep screenshots, sign-in records, or confirmation emails as proof. If it is not recorded, it did not happen.
04

Missing or Incomplete Record-Keeping

The Problem

FINTRAC expects MSBs to retain records for five years — including reports, client ID, and transaction logs. Many MSBs cannot produce key records when asked.

The Fix

Store STRs, LCTRs, EFTRs (with submission confirmation), client ID records, and transaction logs for at least five years. Download copies of all submitted reports from FINTRAC’s FWR portal and store them on your own system.

Critical: Do not rely solely on FINTRAC’s FWR portal. We have seen MSBs unable to access critical records during portal outages. Store your own copies at all times.
05

Inadequate Transaction Reporting

The Problem

MSBs often misapply reporting thresholds or reporting windows for LCTRs, LVCTRs, and EFTRs — creating compliance gaps that surface during examination.

The Fix

Know your triggers precisely and ensure they align with your written policies. If your 24-hour rule defines a day as midnight to midnight, your report must cover 00:00:00 to 23:59:59 with no flexibility.

06

No Clear Escalation Procedure

The Problem

Staff spot suspicious activity but do not know what to do with it — who to notify, how to document it, or when to file an STR.

The Fix

Document a clear, step-by-step escalation path. Train employees on who to notify, how to document concerns, and when an STR is required. Escalation should be second nature — not guesswork.

07

No Independent AML Review

The Problem

Many MSBs assume a FINTRAC examination counts as an independent review. It does not. This is one of the most common — and costly — misunderstandings in MSB compliance.

The Fix

An independent AML review must be conducted at least every two years by someone not involved in daily operations — or by an external expert. Document findings, address deficiencies, and retain the review report.

Most AML Failures Are About Missing Structure — Not Bad Intent

If your AML program needs a review, update, or better structure, C&G Professional Services Inc. specialises in building bulletproof AML programs for MSBs, PSPs, and fintechs across Canada. Let’s make sure your business is audit-ready and regulator-resilient.

Talk to Our Team Book a Free Consultation
← Updating Your Info with FINTRAC All Articles →