Building a FINTRAC-Compliant AML Program: The Complete 5-Element Framework

COMPLIANCE ALERT

ComplyFactor helps Canadian MSBs and PSPs design, build, and implement FINTRAC-compliant AML programs — including all five mandatory elements, policies and procedures, risk assessments, and compliance officer support. Our team of experienced MLROs and Canadian CPAs delivers end-to-end AML program development. Contact us to get started, or explore our AML Compliance Program and Global MLRO Services.

Why Your FINTRAC AML Program Is Your First Line of Defence

For every Money Services Business registered with FINTRAC, the compliance program is not a checkbox — it is the operational backbone of your entire AML/CTF posture. FINTRAC’s examination methodology evaluates your business against its compliance program before anything else. If your program is deficient, every downstream obligation — transaction reporting, record keeping, KYC — becomes suspect by extension.

Canada’s historic $176 million FINTRAC penalty against TD Bank demonstrated with brutal clarity what happens when a compliance program exists on paper but fails in practice. For MSBs — where resources are leaner and regulatory tolerance is lower — a weak or incomplete program is an existential risk.

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated Regulations are explicit: every reporting entity must implement and maintain a compliance program. FINTRAC operationalises this through five mandatory elements, each of which carries its own sub-requirements and examination criteria.

This guide walks through every element in practitioner-level detail — what FINTRAC expects, how it tests for compliance, and how to build each component in a way that withstands scrutiny.


Who Needs a FINTRAC-Compliant AML Program

Any entity registered as an MSB with FINTRAC must maintain a compliance program. Under the PCMLTFA, MSB activities include:

  • Foreign exchange dealing
  • Remittance and funds transfer services
  • Issuing or redeeming money orders, traveller’s cheques, or similar instruments
  • Dealing in virtual currencies
  • Operating a cheque cashing service

Foreign MSBs (FMSBs) — entities headquartered outside Canada that provide MSB services to persons in Canada — face the same compliance program requirements as domestic MSBs. There is no lighter-touch regime for foreign operators. Importantly, FMSBs must also designate a person in Canada who is responsible for their compliance program and who can be contacted by FINTRAC — this is a distinct requirement from simply naming a compliance officer in the home jurisdiction. Our MSB vs PSP licenses guide covers the threshold question of whether your activities trigger FINTRAC registration in full.

PSPs registered under the Retail Payment Activities Act (RPAA) with the Bank of Canada have separate compliance obligations, but where a PSP’s activities also meet the PCMLTFA definition of MSB activity, FINTRAC obligations apply concurrently. Our RPAA compliance guide and Canada PSP and MSB regulatory framework explain how these regimes interact.

The 5 Mandatory Elements: An Overview

FINTRAC’s compliance program framework is codified in Part 1, Division 2 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR). The five elements are:

Element | Regulatory Basis | What It Requires
1. Designated Compliance Officer | Part 1, Div. 2, PCMLTFR | A senior individual responsible for the compliance program
2. Written Policies and Procedures | Part 1, Div. 2, PCMLTFR | Documented procedures covering all AML/CTF obligations
3. Risk Assessment | Part 1, Div. 2, PCMLTFR | A documented assessment of your ML/TF risks
4. Ongoing Training | Part 1, Div. 2, PCMLTFR | A training program for all relevant staff
5. Independent Effectiveness Review | Part 1, Div. 2, PCMLTFR | A periodic independent review of program effectiveness

FINTRAC’s operational guidance on each element is published at fintrac-canafe.gc.ca.

These five elements are cumulative and interdependent. FINTRAC does not treat any one as optional or secondary. A program missing any element — or implementing one deficiently — is non-compliant as a whole.


Element 1: Designated Compliance Officer

What FINTRAC Requires

Every MSB must appoint a single individual as its compliance officer. This person is responsible for implementing and overseeing the compliance program. The requirement is not satisfied by a committee, a shared function, or an external consultant acting without internal authority.

FINTRAC expects the compliance officer to be:

  • Senior enough to have meaningful authority over compliance decisions — including the ability to escalate matters to senior management or the board
  • Knowledgeable about the entity’s operations, the PCMLTFA and its Regulations, and the ML/TF risks specific to the business
  • Accountable — their name and contact details must be on file with FINTRAC as part of your registration

Practical Implementation

For smaller MSBs, the compliance officer is often the owner or a senior manager with dual responsibilities. This is permissible, but it introduces the risk that compliance obligations are deprioritised when operational demands intensify. FINTRAC examiners will ask about the compliance officer’s actual time allocation and activities — not just their title.

For larger or higher-risk MSBs, a dedicated compliance officer — or an outsourced MLRO with clearly scoped responsibilities — is increasingly the standard. The case for outsourcing your MLRO function is particularly strong when your organisation lacks the internal AML expertise to manage FINTRAC’s evolving expectations.

What FINTRAC Examines

During an examination, FINTRAC will assess:

  • Whether a compliance officer has been designated and their details are current in FINTRAC’s portal
  • Whether the individual has a documented job description or mandate covering their AML responsibilities
  • Evidence of actual compliance activity — meeting notes, training records, STR review logs, policy updates
  • Whether the compliance officer has the authority and resources to perform their role effectively

PRO TIP

Document everything your compliance officer does. FINTRAC examiners look for evidence of active compliance management — not just a named individual on a form. A compliance activity log showing monthly STR reviews, quarterly policy checks, and annual training completions can be the difference between a finding and a clean examination.

Element 2: Written Policies and Procedures

What FINTRAC Requires

Your policies and procedures must be documented in writing and must cover every AML/CTF obligation that applies to your specific business. Generic, off-the-shelf templates that do not reflect your actual operations will not satisfy FINTRAC.

The policies and procedures must address, at minimum:

  • Know Your Client (KYC) — customer identification, verification, and ongoing monitoring procedures
  • Business Relationship management — thresholds and triggers for establishing business relationships
  • Third Party Determination — procedures for identifying whether a third party is directing a transaction
  • Politically Exposed Persons (PEPs) and Heads of International Organisations (HIOs) — identification, enhanced scrutiny, and senior management approval processes
  • Agent network management — where your MSB operates through authorised agents, the policies governing agent oversight, monitoring, and accountability under FINTRAC’s agent registration framework
  • Transaction reporting — internal escalation procedures for Suspicious Transaction Reports (STRs), Large Cash Transaction Reports (LCTRs), and Electronic Funds Transfer Reports (EFTRs)
  • Record keeping — what to retain, in what format, for how long
  • Sanctions compliance — while sanctions screening is not a direct PCMLTFA obligation, it is a parallel requirement under the Special Economic Measures Act (SEMA) and the United Nations Act, administered by Global Affairs Canada. MSBs operating internationally should maintain screening procedures and reference these as a companion obligation within their broader compliance framework

The Specificity Standard

FINTRAC applies a specificity standard to policies and procedures: they must be precise enough that a staff member reading them could carry out the obligation correctly without further guidance. Vague statements like “staff will exercise due diligence” do not meet this standard. Effective procedures specify:

  • Who performs the task
  • When it must be performed (triggers and timing)
  • How it is performed (step-by-step)
  • What records must be generated and retained
  • What escalation pathway applies if a red flag is identified

Keeping Policies Current

Policies and procedures are not a one-time exercise. They must be reviewed and updated whenever regulatory changes affect your obligations, your business model changes materially, an examination finding identifies a gap, or a new ML/TF typology relevant to your business is identified in your risk assessment.

FINTRAC has found this element deficient in examinations where entities maintained policies that pre-dated material regulatory changes — for example, where virtual currency guidance issued since 2019 had not been incorporated into legacy procedures. See our FINTRAC AML requirements guide for current guidance obligations.

Element 3: Risk Assessment

What FINTRAC Requires

The risk assessment is the analytical foundation of your compliance program. It must be a documented, written assessment of the ML/TF risks your business faces, and it must be business-specific — not a generic sector-level analysis.

FINTRAC expects the risk assessment to evaluate risk across four dimensions:

  1. Products and services — which of your offerings carry higher ML/TF risk, and why
  2. Clients and business relationships — risk profiling of your customer base, including higher-risk categories such as PEPs, non-face-to-face clients, clients in high-risk jurisdictions, and cash-intensive customers
  3. Delivery channels — how your services are delivered (online, agent network, in-person) and the ML/TF risks each channel presents
  4. Geographic exposure — the countries and regions your business transacts with, assessed against FATF grey and black lists, FINTRAC advisories, and other risk intelligence

Risk Rating and Mitigation

The risk assessment must produce a risk rating — typically high, medium, or low — for each risk category, and must document the controls in place to mitigate each identified risk. Canada’s 2025 National ML/TF Risk Assessment identifies the highest-risk sectors, typologies, and geographies in the Canadian context. Your entity-level risk assessment should be calibrated against this national picture.

Review Frequency

The risk assessment must be reviewed regularly and updated whenever a material change occurs in your business, new ML/TF typologies emerge, a FINTRAC advisory changes the risk landscape, or an examination finding flags a gap. FINTRAC does not prescribe a fixed review interval — the standard is regular review calibrated to your risk environment. Most MSBs review annually or biennially; higher-risk entities should do so more frequently.

INDUSTRY INSIGHT

FINTRAC’s examination teams routinely find risk assessments that are thorough on paper but disconnected from the entity’s actual policies and transaction monitoring. A risk assessment that identifies cash transactions as high risk, but whose corresponding policies contain no enhanced CDD procedures for cash, is a structural deficiency — not a minor gap. The risk assessment must drive your controls, not sit in a drawer as a compliance artefact.

Element 4: Ongoing Compliance Training

What FINTRAC Requires

Every person who performs compliance-related functions must receive training appropriate to their role. FINTRAC’s training requirement has four components:

  1. A training program — a documented curriculum specifying what training is delivered, to whom, and at what frequency
  2. Initial training — delivered when staff join or take on a compliance-relevant role
  3. Ongoing training — updated and refreshed at regular intervals and whenever regulatory or policy changes occur
  4. Training records — documented evidence that training has been completed, by whom, and when

What Training Must Cover

Training content must be tailored to each role’s actual compliance responsibilities. For front-line MSB staff, this typically includes:

  • How to identify suspicious transactions and ML/TF red flags relevant to your specific products and services
  • The KYC and verification procedures they are required to perform
  • When and how to escalate to the compliance officer
  • The consequences of non-compliance for the business — including administrative monetary penalties, reputational damage, and loss of banking relationships — and the role each employee plays in protecting the organisation through proper compliance practice

For compliance officers and senior management, training should cover FINTRAC guidance updates, emerging typologies, and changes to the regulatory framework.

Common Training Deficiencies

FINTRAC has repeatedly found this element deficient in examinations of smaller MSBs where training consisted of a one-time induction with no ongoing refresh, generic online AML training not tailored to Canadian MSB obligations, or no documented records to evidence completion.

Our AML training programs are designed specifically for FINTRAC-registered entities, covering the full scope of PCMLTFA obligations with role-specific modules and completion tracking.

Element 5: Independent Effectiveness Review

What FINTRAC Requires

The fifth element requires MSBs to conduct an independent review of the effectiveness of their compliance program at least every two years. Three aspects deserve particular attention:

Independence: The review must be conducted by someone independent of the compliance function being reviewed. The compliance officer cannot review their own program.

Effectiveness — not just existence: FINTRAC requires a review that tests whether your program actually works — whether your controls are being applied consistently, whether staff can perform their obligations correctly, and whether your program is fit for your current risk profile.

Documented findings and follow-up: The review must produce a written report with findings and recommendations, and there must be documented evidence that management has reviewed and acted on them.

What an Effectiveness Review Covers

A properly scoped effectiveness review will test:

  • Whether your risk assessment accurately reflects your current business and risk environment
  • Whether your policies and procedures are complete, current, and being followed in practice
  • Whether KYC is being performed correctly, consistently, and at the right risk levels
  • Whether transaction monitoring is generating appropriate alerts and those alerts are being investigated and dispositioned properly
  • Whether STRs, LCTRs, and EFTRs are being filed correctly and on time
  • Whether training is being completed and staff demonstrate the expected knowledge

ComplyFactor’s FINTRAC MSB audit and independent effectiveness review service is purpose-built for this requirement. Our review reports are structured to meet FINTRAC’s examination expectations — not just to generate a document for the file.

COMMON MISTAKE

Many MSBs commission an effectiveness review, receive findings, and then fail to document their remediation response. FINTRAC examiners will ask to see not just the review report, but evidence that management reviewed it and implemented — or formally decided not to implement — each recommendation. A review report with no management response is treated as a program deficiency, not a compliance strength.

How the 5 Elements Work Together

The five elements are not five separate boxes to tick. They form a closed loop of continuous improvement:

  1. The risk assessment identifies your ML/TF risks and determines the level of controls required
  2. Policies and procedures translate those controls into operational instructions for staff
  3. Training ensures staff understand and can execute those procedures
  4. The compliance officer oversees the program, monitors its operation, and keeps it current
  5. The effectiveness review independently tests whether the whole system is working — and feeds findings back into updated risk assessments and revised policies

FINTRAC expects to see evidence of this cycle operating continuously — not a compliance program built once and left untouched.

Element | Feeds Into
Risk Assessment | Policies & Procedures (controls must match risk)
Policies & Procedures | Training (staff trained on actual procedures)
Training | Compliance Officer oversight (evidenced by records)
Compliance Officer | Effectiveness Review (program activities available for testing)
Effectiveness Review | Risk Assessment (findings inform next review cycle)

Documenting Your Compliance Program: The Evidence Standard

A compliance program that exists but cannot be evidenced is, from FINTRAC’s perspective, a program that does not exist. Documentation is the mechanism by which your compliance program becomes verifiable and defensible.

What FINTRAC Examines for Documentation

When FINTRAC conducts an examination, its examiners will typically request:

  • Your compliance program document or policy manual, with version history and date of last review
  • Your current risk assessment, with the date it was completed and by whom
  • Training records showing who was trained, on what, and when
  • Records of your most recent effectiveness review, including the report and any management response
  • Your designated compliance officer’s name, title, and contact details as registered with FINTRAC
  • Transaction reports filed in the examination period (STRs, LCTRs, EFTRs)
  • A sample of KYC records to test whether your procedures are being applied in practice

Version Control and Policy Governance

Every policy update should be dated, version-numbered, and approved by the compliance officer or senior management. This creates an audit trail demonstrating your program is actively maintained. FINTRAC examiners regularly find policies that have not been updated since initial registration — in a regulatory environment where significant guidance has been issued since 2019 on virtual currencies, beneficial ownership, and third-party determination, an unrevised policy manual is a clear finding waiting to happen.

The Compliance Activity Log

A running compliance activity log — even a spreadsheet — recording monthly STR threshold reviews, policy review dates, training sessions, staff escalations, and external guidance updates transforms a paper program into a demonstrably operational one. For MSBs that engage ComplyFactor for ongoing AML advisory services or global MLRO support, this documentation infrastructure is built into the service model from the outset.

Record Retention Under PCMLTFA

The PCMLTFA imposes a five-year record retention requirement on the vast majority of records created under the Act — KYC records, transaction records, business relationship records, and compliance program documentation itself. Records must be kept in a form that allows them to be provided to FINTRAC within a reasonable timeframe on request. Our guide to compliance documentation for Canadian PSPs addresses the document architecture question in depth, with principles that apply equally to MSBs.

Common AML Program Failures FINTRAC Finds on Examination

Based on publicly available FINTRAC examination outcomes and the lessons documented in Canada’s AML enforcement record, the most common program failures are:

Risk Assessment failures: Generic, sector-level assessments not tailored to the specific entity; risk assessments not updated to reflect changes in business model; risk ratings not connected to corresponding control enhancements.

Policies and Procedures failures: Procedures that reference obligations without specifying how they are to be met; outdated policies that pre-date FINTRAC guidance on virtual currencies or beneficial ownership; no documented escalation pathway for suspicious activity.

Training failures: No documented training records; training not updated to reflect regulatory changes; front-line staff who cannot articulate their KYC obligations or identify red flags.

Effectiveness Review failures: Reviews performed by the compliance officer themselves; reviews that confirm policy existence without testing operational effectiveness; no management response to review findings.

Compliance Officer failures: Officer listed on FINTRAC registration but with no documented compliance activities; insufficient authority to escalate or implement changes; no documented mandate or job description.

For a deeper examination of what triggers FINTRAC findings, our guide on MSB AML audit requirements covers the examination methodology in full.

Building vs Buying: Practical Considerations

Every MSB faces a build-or-buy decision when establishing or overhauling their compliance program.

Building in-house makes sense when you have experienced AML compliance staff with FINTRAC-specific knowledge, a straightforward business model, and the resources to maintain and update the program as regulations evolve.

Engaging external specialists makes sense when you are a start-up or newly registered MSB without an established compliance function, your team lacks FINTRAC-specific expertise, you have received examination findings requiring remediation, your compliance program has not been reviewed or updated in more than two years, or you operate in higher-risk segments such as virtual currency, international remittance, or high-value FX.

ComplyFactor’s AML compliance program development service delivers all five elements in a form ready for FINTRAC examination. Our AML advisory services support ongoing program maintenance, policy updates, and regulatory change management. For MSBs evaluating their current program, our AML risk assessment calculator provides a rapid baseline assessment.


FAQ

Is every MSB required to have all five elements of the compliance program?
Yes. The five-element framework applies to every entity registered as an MSB with FINTRAC, regardless of size, transaction volume, or number of employees. There is no de minimis exemption.

Can a sole proprietor MSB appoint themselves as compliance officer?
Yes. FINTRAC permits the owner or operator of a small MSB to act as their own compliance officer. However, this individual must demonstrate genuine compliance activity — not just a title on a registration form.

How often must the effectiveness review be conducted?
At minimum, every two years. Higher-risk entities or entities that have undergone material changes should consider more frequent reviews. Following a FINTRAC examination finding, an accelerated review timeline is typically expected.

Can the compliance officer conduct the effectiveness review?
No. The independence requirement means the compliance officer cannot review their own program. The review must be conducted by someone genuinely independent — either an internal audit team with no reporting relationship to the compliance officer, or an external specialist.

What happens if FINTRAC finds my compliance program is deficient?
FINTRAC can issue a Notice of Violation, impose an administrative monetary penalty, or in serious cases refer the matter for criminal prosecution. Compliance program deficiencies are treated as a priority finding because they are the root cause of all downstream failures. See our FINTRAC AML requirements guide for the full penalty framework.

How long do I have to implement a compliance program after registering with FINTRAC?
The compliance program must be in place before you begin providing MSB services. FINTRAC registration and program implementation are concurrent obligations — there is no grace period after registration.

What is the difference between an AML review and an AML audit for FINTRAC purposes?
Both terms are used in the industry. Our AML review vs AML audit guide explains the distinction. For FINTRAC purposes, the fifth element requires an independent effectiveness review — a structured assessment of whether your program is working, not simply a document review. A properly scoped AML audit for an MSB will satisfy this requirement.
