Is Your Business Due for Its 2-Year Independent AML Review?

Recently, I had a conversation with a client who was confident they no longer needed to complete their two-year independent AML effectiveness review. Their reasoning was simple: they had just gone through a FINTRAC examination, and in their view, that should suffice.

This is a common and understandable assumption. However, it is not consistent with Canadian regulatory requirements.

A FINTRAC examination and a two-year independent AML effectiveness review serve fundamentally different purposes under Canadian law. One does not replace the other, even if they occur close together in time.

This article clarifies the distinction, outlines what the law requires, and explains how reporting entities can remain compliant.

FINTRAC Examination vs. Independent AML Review: Not the Same Thing

A FINTRAC examination is a regulatory supervisory activity. It is conducted by FINTRAC to assess whether a reporting entity is meeting its obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated Regulations.

An independent AML effectiveness review, on the other hand, is a statutory compliance obligation imposed on the reporting entity itself. It must be conducted proactively, regardless of whether FINTRAC has examined the business.

The key distinction is clear:

• A FINTRAC examination represents external regulatory oversight
• An independent AML review represents internal governance and accountability, carried out by an independent and qualified party

Importantly, a FINTRAC examination does not reset, suspend, or eliminate the legal requirement to complete an independent AML review when it becomes due.

What the Law Actually Requires

Under the PCMLTFA and its Regulations, every reporting entity is required to establish and maintain a compliance program that includes, at a minimum:

• Written AML policies and procedures
• A documented risk assessment
• Ongoing compliance training
• A review of the effectiveness of the compliance program at least once every two years

This review must be independent, meaning it cannot be conducted by individuals responsible for the day-to-day operation or oversight of the AML program.

Failure to complete this review when due constitutes a standalone compliance deficiency, regardless of whether FINTRAC has recently examined the business.

Objectives of the Independent AML Effectiveness Review

The two-year independent review is designed to:

1. Assess effectiveness, not just existence. It evaluates whether policies, controls, and processes are actually working in practice.
2. Identify gaps and weaknesses early before they escalate into reportable violations, penalties, or enforcement actions.
3. Test operational implementation Evaluate the application of KYC, transaction monitoring, reporting, and recordkeeping controls.
4. Ensure alignment with current regulatory expectations, including updated FINTRAC guidance, sector-specific risks, and emerging typologies.
5. Provide governance-level assurance. Senior management and boards rely on this review to understand true AML risk exposure.

What the Review Is Meant to Address

At a minimum, the independent AML review should help answer the following questions:

• Are AML policies up to date and aligned with the business model?
• Is the risk assessment accurate, documented, and operationalized?
• Are KYC and ongoing monitoring processes applied consistently?
• Are suspicious transaction reporting and other regulatory filings accurate and timely?
• Are deficiencies tracked, remediated, and escalated appropriately?
• Is training adequate for staff roles and risk exposure?

These are not questions a FINTRAC examination is designed to answer comprehensively. FINTRAC examinations typically assess compliance status at a point in time, rather than overall program effectiveness across an operating cycle.

Minimum Scope of an Independent AML Review

While the scope of the review should be risk-based, a compliant and defensible review will typically include assessment of:

• AML compliance officer oversight
• Policies and procedures against PCMLTFA requirements
• Enterprise-wide risk assessment
• KYC and customer due diligence testing
• Transaction monitoring management
• Regulatory reporting
• Recordkeeping and retention

Sampling, testing, and evidence-based conclusions are critical. A checklist-only review is rarely defensible.

Who Can Conduct the Review?

The independent AML review must be conducted by a person or firm that is:

• Independent of AML operations
• Competent and experienced in Canadian AML regulation
• Capable of exercising professional judgment

This may include external AML consultants, qualified internal audit teams not involved in AML execution, or specialized compliance advisory firms. What matters most is their independence, expertise, and defensibility.

Final Thought

A FINTRAC examination is not a basis to defer or forgo a two-year independent AML effectiveness review. In many cases, it makes the review more important.

If your review is due, overdue, or approaching, now is the time to act.

How C&G Professional Services Inc. Can Help

C&G Professional Services Inc. supports reporting entities across Canada with risk-based, regulator-ready independent AML effectiveness reviews. Our approach is practical, evidence-driven, and aligned with current regulatory expectations.

For support in assessing your obligations or conducting an independent AML effectiveness review, please contact:

Claudius O. Otegbade, CPA (New York), FCA (Nig), MBA, CAMS, CFCS, CFE, CCI, CFI, CIPP/C
Principal Consultant
C&G Professional Services Inc.

Office: +1 (289) 505-1158
Email: claudius@candg.ca
Website: www.candg.ca