Why the FINTRAC AML Audit Has Become Existential
The FINTRAC AML audit — formally, the independent review of compliance programme effectiveness required every two years under the PCMLTFA — used to be a quiet exercise. An MSB engaged a consultant, the consultant produced a report, the report sat in a drawer until the next FINTRAC examination, and the cycle repeated. That model is dead. In the post-TD-Bank, post-RPAA, post-2026-amendment regulatory environment, the effectiveness review is now the single most consequential document in a Canadian reporting entity’s compliance file.
There are three reasons for this elevation. First, FINTRAC examiners now ask for the effectiveness review at the start of nearly every examination, and they read it. A weak, generic, or stale review tells the examiner exactly where to focus. Second, FINTRAC has materially increased its capacity to assess whether the review itself was independent and effectiveness-focused — meaning poorly conducted reviews are themselves becoming findings. Third, the administrative monetary penalty regime under the 2024–2026 PCMLTFA amendments has substantially raised the cost of findings that an effective review would have caught and remediated in advance.
The mathematics for any Canadian MSB, PSP, or fintech is straightforward. A well-conducted FINTRAC AML audit identifies and prompts remediation of issues before they become regulator findings. A poorly conducted one — or none at all — leaves those issues to surface during examination, when the consequences are penalty quanta, banking partner pressure, and in serious cases, registration revocation. The cost of doing the audit properly is materially smaller than the cost of not doing it.
This guide sets out exactly what a compliant, examination-ready FINTRAC AML audit looks like in 2026 — the statutory basis, the scope, the methodology, the report, the remediation cycle, and the failure patterns to avoid.
The Statutory Basis for the Two-Year Effectiveness Review
The independent review obligation flows from section 9.6(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and is operationalised in Part 4 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR). The statutory text is concise: every reporting entity must implement a compliance programme that includes, among other elements, a review of the policies and procedures, the risk assessment, and the training programme — to test their effectiveness — conducted at least every two years by an internal or external auditor.
Several features of this requirement frequently get misread. The review must:
- Cover the policies and procedures, risk assessment, and training programme as distinct components — not as a single bundled assessment
- Test for effectiveness, meaning the reviewer must form a view on whether the programme is working in practice, not merely whether the documents exist
- Be conducted by an internal or external auditor — meaning the reviewer must be sufficiently independent of the function being reviewed
- Occur at least every two years — entities with higher risk profiles or material changes often need more frequent reviews
- Be documented, with findings, severity ratings, and recommended corrective actions
The reviewer’s findings are not optional reading. The entity must respond to the findings, document the response, and implement corrective action with appropriate timelines. Both the report and the response are part of the compliance programme record that FINTRAC will request during an examination. The Department of Finance Canada maintains the authoritative legislative text of the PCMLTFA and FINTRAC publishes detailed guidance on the compliance programme requirement.
For broader context on the surrounding compliance programme architecture, see our AML compliance Canada pillar guide and our FINTRAC-compliant AML programme five-element framework.
What FINTRAC Actually Means by “Effectiveness”
The single most important word in the statutory text is effectiveness. It is also the word most frequently misunderstood. Effectiveness, for FINTRAC purposes, is not a documentary check — it is an operational assessment of whether the compliance programme produces the regulatory outcomes it is designed to produce.
A documentary check asks: do you have a policy on customer identification? An effectiveness review asks: when a customer is onboarded, do the staff actually follow that policy, in the sequence the policy describes, with the documentation the policy requires, on every relevant transaction in the sample we test?
This distinction is what separates a credible FINTRAC AML audit from a procurement-driven one. Effectiveness reviews require:
- Sample testing of customer files, transactions, reports filed, and training records
- Walkthrough interviews with operational staff to confirm policies match practice
- Independent verification that controls operated as designed during the review period
- Gap identification between policy text and operational reality
- Severity rating of each finding to drive remediation prioritisation
A review that consists only of reading the policy manual and confirming each PCMLTFA obligation is mentioned somewhere in it does not meet the statutory standard. FINTRAC examiners can and do identify reviews of this depth, and the resulting finding is twofold: the review was inadequate, and the entity therefore lacks evidence of its programme’s effectiveness. Our analysis of hidden compliance pitfalls that sink MSB effectiveness reviews and the five warning signs your organisation needs an independent AML review now explore this in detail.
Internal vs External Independent Review: Choosing Correctly
The PCMLTFA permits the review to be conducted by an internal or external auditor, but the practical reality for the majority of Canadian MSBs and PSPs is that internal independence is unachievable. The independence requirement is strict: the reviewer cannot be the compliance officer, anyone reporting to the compliance officer, anyone responsible for designing the programme, or anyone responsible for operating it.
For internal review to be genuinely available, the entity needs:
- A separate internal audit function reporting to the audit committee or board
- Audit team members with sufficient AML technical expertise to conduct the review
- Sufficient capacity within that team to dedicate time to the review
- Demonstrable separation from the compliance function
The reality is that the population of Canadian MSBs and PSPs that meet these criteria is small — typically the larger banks, large credit unions, and a handful of mid-sized financial institutions. Almost every MSB, PSP, and fintech below this threshold engages an external independent reviewer. Anything else creates an independence challenge that FINTRAC will identify on examination.
The choice of external reviewer matters. The reviewer should:
- Have demonstrable Canadian AML expertise (not generic financial audit)
- Understand FINTRAC’s examination methodology and findings patterns
- Be independent of the entity’s other advisers (for example, the firm that drafted the policies should not be the reviewer)
- Produce reports that meet FINTRAC’s expected format and depth
ComplyFactor operates as an independent AML audit firm in Canada, the US, and the UK, conducting effectiveness reviews specifically calibrated to FINTRAC’s expectations. Our FINTRAC MSB audit and independent AML effectiveness review service is designed for exactly this requirement.
Scope of a Compliant FINTRAC AML Audit
A FINTRAC AML audit must address every PCMLTFA and PCMLTFR obligation applicable to the entity, in proportion to the risk it presents. For a Canadian MSB or PSP, the typical scope includes:
Programme architecture review
- Compliance officer appointment, authority, resources, and senior management reporting line
- Policies and procedures coverage of all applicable PCMLTFA obligations
- Risk assessment currency, completeness, and methodology
- Training programme design, delivery, and completion records
- Prior effectiveness review findings and remediation status
Customer due diligence and KYC testing
- Customer identification at trigger points specified in the regulations
- Identification methods used and their alignment with prescribed methods
- Beneficial ownership identification for entity clients, including reasonable measures documentation
- PEP, HIO, and family member/close associate identification
- Enhanced due diligence application for higher-risk customers
- Ongoing monitoring of business relationships against expected activity profile
Transaction monitoring and reporting testing
- Transaction monitoring rules, thresholds, and alert generation
- Alert investigation, escalation, and decisioning workflows
- STR identification and filing — including timeliness, content quality, and field-level accuracy
- LCTR, LVCTR, and EFTR filing accuracy and completeness
- Terrorist Property Report processes
- Sanctions screening at onboarding and on an ongoing basis
Record-keeping and retention testing
- Retention of customer identification records, beneficial ownership records, and transaction records
- Retention of compliance programme documentation
- Retrievability within the thirty-day standard
- Retention period compliance (the at-least-five-year minimum)
Governance and oversight testing
- Senior management or board engagement with compliance issues
- Compliance reporting frequency and depth
- Incident management and breach reporting
- Third-party and outsourcing oversight
For PSPs that are also RPAA-registered, the audit should also cover the operational risk and end-user fund safeguarding obligations under the RPAA framework administered by the Bank of Canada — though that is a distinct regime from the PCMLTFA. Our PSP Canada RPAA compliance guide covers the boundary between the two.
For VASPs and crypto-focused MSBs, the audit must additionally address virtual currency-specific obligations, including LVCTR filing accuracy and Travel Rule compliance. Our VASP compliance global guide and crypto Travel Rules 101 guide cover the global standards Canadian VASPs are expected to meet.
The Audit Methodology That Survives Examination
A FINTRAC AML audit conducted to an examination-ready standard follows a methodology that mirrors how FINTRAC itself conducts examinations. The phases are sequential and each builds on the prior phase.
Phase 1 — Planning and scoping. The reviewer obtains the compliance programme documentation, the prior effectiveness review report and remediation plan, the risk assessment, transaction volumes, customer profile data, and any FINTRAC correspondence. From this, the reviewer scopes the testing intensity per area in proportion to risk.
Phase 2 — Documentation review. The reviewer assesses whether the policies, procedures, risk assessment, and training programme are technically compliant with current PCMLTFA and PCMLTFR requirements as amended. This phase identifies documentary gaps but does not, by itself, satisfy the effectiveness requirement.
Phase 3 — Operational testing. The reviewer conducts walkthrough interviews with the compliance officer, operations staff, and senior management. The reviewer samples customer files, transactions, alerts, reports, training records, and remediation evidence. The samples are selected to test whether documented policies are operating in practice.
Phase 4 — Findings analysis. The reviewer aggregates findings, rates severity, identifies root causes, and drafts recommendations. Findings are categorised — typically as critical, high, medium, or low severity — based on regulatory exposure and operational impact.
Phase 5 — Reporting and exit. The reviewer produces a written effectiveness review report with findings, severity ratings, recommendations, and supporting evidence references. The report is delivered to the compliance officer and senior management. An exit meeting confirms findings and discusses remediation timelines.
Phase 6 — Remediation tracking. While remediation itself is the entity’s responsibility, the reviewer typically returns within twelve months to verify closure of findings. This re-validation is increasingly expected by FINTRAC examiners as evidence that the review process is operating as a compliance loop, not a one-off exercise.
This methodology is set out in our AML audit checklist for 2025, our 15 critical areas compliance officers must review, our key components of an effective AML audit programme, and our complete AML audit guide.
Sample Testing: Where Most Programmes Fail
Sample testing is the analytical core of any effectiveness review and is also where most programmes that look strong on paper fail. The reviewer selects a statistically defensible sample across customer files, transactions, alerts, reports, and training records, and tests each sample against the applicable policy.
For a typical Canadian MSB, a defensible sample at minimum includes:
- A representative sample of customer files across customer types (individual, entity, PEP, high-risk)
- A representative sample of transactions across transaction types (wire, foreign exchange, virtual currency, money order)
- A complete population review or representative sample of STRs filed during the review period
- A complete population review of LCTRs, LVCTRs, and EFTRs filed during the review period
- Sanctions screening logs across onboarding and ongoing periods
- Training completion records across all categories of staff
- All transaction monitoring alerts during a defined sub-period, traced through to disposition
Common findings from sample testing include:
- Customer identification records that are missing one of the prescribed verification elements
- Beneficial ownership records that capture the names of beneficial owners but lack the reasonable measures documentation
- Transaction monitoring alerts where the disposition rationale is recorded as “no concern” without supporting analysis
- STRs filed with field-level errors that cause data quality issues at FINTRAC
- LCTRs missing on transactions that aggregated above CAD 10,000 across a 24-hour period
- Sanctions screening that runs at onboarding but not on an ongoing basis as the lists are updated
- Training records that show completion percentages below 100% with no follow-up evidence
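To make concrete what the LCTR aggregation test in the list above actually re-performs, here is an added example script (written for this guide, not ComplyFactor's own tooling or the entity's systems) that groups each customer's cash transactions in rolling 24-hour windows, applies the CAD 10,000-or-more threshold, and lists every aggregate with no LCTR on file. It assumes a rolling window that starts at each transaction (an entity's policy may define the 24-hour window differently) and uses constructed sample data.

```python
"""Re-performance test for the 24-hour cash aggregation rule (LCTR).

Assumptions (not from the guide): the entity's policy uses a rolling 24-hour
window measured from each cash transaction, the threshold is CAD 10,000 or
more (the PCMLTFR wording), and filed LCTRs are available as the set of
transaction ids each report covered. All data below is constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

THRESHOLD_CAD = 10_000.00
WINDOW = timedelta(hours=24)

# Constructed sample: cash receipts (txn id, customer, local time, CAD amount).
TRANSACTIONS = [
    ("T1", "C100", "2025-03-01 09:15", 6_000.00),
    ("T2", "C100", "2025-03-01 17:40", 4_500.00),   # with T1: 10,500 within 24h
    ("T3", "C200", "2025-03-02 10:00", 9_900.00),
    ("T4", "C200", "2025-03-03 11:30", 200.00),     # 25.5h after T3: no aggregate
    ("T5", "C300", "2025-03-04 08:00", 12_000.00),  # single transaction over threshold
    ("T6", "C400", "2025-03-05 13:00", 5_000.00),
    ("T7", "C400", "2025-03-05 13:30", 5_000.00),   # exactly 10,000: still reportable
]

# Constructed sample: LCTRs actually filed in the period -> transactions covered.
LCTRS_FILED = {"LCTR-2025-031": {"T5"}}


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def required_lctr_groups(transactions, threshold=THRESHOLD_CAD, window=WINDOW):
    """Return {customer: [sorted txn-id tuples]} for every group of cash
    transactions by the same customer totalling >= threshold inside a window
    that starts at one transaction and runs forward for 24 hours."""
    by_customer: Dict[str, List[tuple]] = {}
    for txn_id, cust, ts, amt in transactions:
        by_customer.setdefault(cust, []).append((_parse(ts), txn_id, amt))

    groups: Dict[str, List[Tuple[str, ...]]] = {}
    for cust, rows in by_customer.items():
        rows.sort()  # chronological; later windows never contain earlier txns
        seen: Set[Tuple[str, ...]] = set()
        for i, (start, _, _) in enumerate(rows):
            members = [(tid, amt) for t, tid, amt in rows[i:] if t - start < window]
            if sum(a for _, a in members) >= threshold:
                ids = tuple(sorted(tid for tid, _ in members))
                # A window that is a subset of a group already recorded adds nothing.
                if not any(set(ids) <= set(g) for g in seen):
                    seen.add(ids)
        if seen:
            groups[cust] = sorted(seen)
    return groups


def missing_lctr_findings(transactions, lctrs_filed):
    """Sample-test result: each required aggregation group in which at least
    one transaction is not referenced by any filed LCTR."""
    covered: Set[str] = set().union(*lctrs_filed.values())
    amounts = {tid: amt for tid, _, _, amt in transactions}
    findings = []
    for cust, groups in required_lctr_groups(transactions).items():
        for ids in groups:
            uncovered = [t for t in ids if t not in covered]
            if uncovered:
                findings.append({
                    "customer": cust,
                    "transactions": list(ids),
                    "total_cad": round(sum(amounts[t] for t in ids), 2),
                    "not_reported": uncovered,
                })
    return sorted(findings, key=lambda f: f["customer"])


if __name__ == "__main__":
    for f in missing_lctr_findings(TRANSACTIONS, LCTRS_FILED):
        print(f"FINDING customer={f['customer']} txns={f['transactions']} "
              f"total=CAD {f['total_cad']:,.2f} unreported={f['not_reported']}")
```

Run against the constructed data it flags C100 (two receipts totalling 10,500) and C400 (two receipts totalling exactly 10,000) and passes C300, whose single 12,000 receipt has an LCTR on file; in a real review the reviewer would select the same kind of population from the entity's cash ledger and the FINTRAC filing log.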
Each of these findings, on its own, is a regulatory exposure. In aggregate, they form the picture of a programme operating below standard — and that is the picture FINTRAC examiners are looking for. Our analyses of the Monzo $21.1 million wake-up call and the Barclays £39.3 million AML failures illustrate how exactly these failure patterns materialise into penalty quanta when surfaced by regulators rather than by independent reviewers.
The Effectiveness Review Report: Format and Content
The effectiveness review report is the document that FINTRAC examiners will read. Its quality directly affects how the rest of the examination unfolds. A report that meets FINTRAC’s expectations contains, at minimum:
- Executive summary — overall conclusion on programme effectiveness, key findings, and themes
- Scope and methodology — what was reviewed, the sample basis, the testing approach
- Background on the entity — products, services, customer base, risk profile, and material changes since the prior review
- Findings by area — for each PCMLTFA obligation reviewed, the testing performed, the findings identified, the severity rating, the root cause analysis, and the recommendation
- Status of prior review findings — explicit confirmation of which prior findings have been remediated and which remain open
- Conclusion and recommendations — overall view on programme effectiveness with prioritised remediation list
- Reviewer’s qualifications and independence statement — establishing the reviewer’s authority to conduct the review
The report should be substantive but not bloated. A FINTRAC AML audit report typically runs to between thirty and seventy pages depending on entity complexity. Reports significantly shorter than that are typically too thin to evidence the depth of testing required. Reports significantly longer often signal that the reviewer has padded the document with policy summaries rather than findings — which itself can be a signal of inadequate operational testing.
A useful test for reviewing the quality of a draft report: count the number of findings supported by specific sample references and calculate the percentage relative to the total findings. In a well-conducted effectiveness review, the overwhelming majority of findings should be tied to specific samples or interviews — not to documentary observations alone.
Remediation, Corrective Action, and Closing the Loop
The effectiveness review report is the start of the remediation cycle, not the end. The reporting entity must respond to each finding, document the response, assign accountability for corrective action, and set a realistic timeline for closure. The response and remediation plan must be retained as part of the compliance programme record.
A robust remediation plan includes:
- Finding-by-finding response — agreement, partial agreement, or disagreement with each finding, with reasoning where the entity disagrees
- Corrective action steps — specific, measurable actions to address each finding
- Accountability — named owner for each corrective action
- Timeline — realistic completion dates for each action, prioritised by severity
- Verification approach — how the entity will confirm the corrective action has worked
- Reporting cadence — how progress is reported to the compliance officer and senior management
The verification approach matters disproportionately. A common failure pattern is for entities to record corrective actions as “completed” without independent verification that the action actually addresses the underlying finding. When the next FINTRAC examination — or the next effectiveness review — tests the same area, the same finding reappears. This is one of the highest-severity outcomes in any examination cycle: a finding that was identified, recorded as remediated, and that recurs.
For this reason, many entities engage their independent reviewer to conduct a remediation verification visit — typically six to twelve months after the original review — to test that closed findings are actually closed in operational terms. This is particularly valuable for entities that have received prior FINTRAC findings or operate in higher-risk segments.
COMMON MISTAKE: Treating the effectiveness review as a procurement exercise rather than a compliance one. Selecting the lowest-cost reviewer who will produce a clean report is a short-term saving with long-term consequences — FINTRAC examiners can identify low-quality reviews, and the resulting findings include both the substantive deficiencies the review failed to catch and the inadequacy of the review itself.
How a FINTRAC AML Audit Differs from a FINTRAC Examination
The terms are sometimes used interchangeably, but they refer to two fundamentally different exercises. Understanding the difference matters because the two processes interact — the effectiveness review is, in effect, a private rehearsal for the FINTRAC examination.
| Dimension | FINTRAC AML Audit (Effectiveness Review) | FINTRAC Examination |
|---|---|---|
| Conducted by | Internal or external independent auditor engaged by the entity | FINTRAC examiners |
| Statutory basis | Section 9.6(2) PCMLTFA — entity obligation | Section 62 PCMLTFA — regulator power |
| Frequency | At least every two years | Risk-based, at FINTRAC’s discretion |
| Purpose | Test programme effectiveness internally | Determine regulatory compliance |
| Outcome | Findings report to entity, remediation plan | Findings letter, potential AMP, potential revocation |
| Confidentiality | Internal — but FINTRAC may request | Public penalty decisions; non-public examination work papers |
| Cost | Borne by entity | Borne by entity (compliance cost), no fee paid to FINTRAC |
| Consequences of poor outcome | Findings to remediate | Penalty, banking impact, registration revocation |
It is also worth distinguishing the AML review from the AML audit. The two are sometimes treated as interchangeable but serve different purposes. Our pieces on AML review vs AML audit and on what an AML audit is set out the distinction in detail. In summary: the AML audit is the statutorily required two-year effectiveness review; an AML review may be a lighter, targeted exercise used between audit cycles, often to prepare for an examination or to test a specific area of concern. Both have their place — but only the audit satisfies the section 9.6(2) obligation. Our regulator-ready guide on independent AML reviews explores how reviews and audits work together strategically.
Cost, Duration, and Procurement Lead Time
The cost of a FINTRAC AML audit varies considerably with entity size, complexity, transaction volume, geographic footprint, and product mix. There is no useful “average” figure, but the structural drivers are:
- Sample size required — entities with higher transaction volumes require larger samples to be defensible
- Number of products and services — each product line typically requires its own scope component
- Geographic and customer complexity — international corridors, PEP populations, virtual currency activity
- Quality of existing documentation — entities with well-organised records pay less for the same depth of review
- Reviewer specialisation — Canadian-AML-specialist reviewers cost more than generalist auditors but produce reports that survive examination
Duration from kick-off to final report typically ranges from six to sixteen weeks for most MSBs and PSPs. Procurement lead time is non-trivial — qualified Canadian AML reviewers operate with limited capacity, particularly in the months ahead of the financial year-end and during periods of heightened FINTRAC enforcement activity. Entities that approach their two-year review date with no engagement in place often discover that the available reviewers cannot accommodate them within the statutory window.
The practical implication: the effectiveness review should be procured at least four to six months before the statutory due date. Entities that wait until the last quarter routinely end up with either a rushed review or a review delayed past the two-year mark, both of which create regulatory exposure.
Selecting an Independent Reviewer in Canada
The market for FINTRAC AML audit services in Canada includes Big Four professional services firms, mid-tier consulting firms, specialist AML advisory firms, and independent practitioners. Each tier has trade-offs.
Big Four firms offer scale, brand, and integrated tax and audit relationships. They are typically the most expensive and may apply standardised methodologies that are less calibrated to MSB and PSP-specific risks. Their AML practitioners are often strong, but the engagement may be staffed at varying levels of depth.
Mid-tier consulting firms offer breadth of services and reasonable pricing but vary considerably in Canadian AML specialisation depth. Quality of effectiveness reviews from this tier is highly firm-dependent.
Specialist AML advisory firms focus on the specific subject matter and typically deliver depth of FINTRAC-specific expertise that generalist firms cannot match. This is the tier where most Canadian MSBs, PSPs, and fintechs will find the strongest fit-for-purpose engagement, particularly for entities operating across multiple jurisdictions.
Independent practitioners can deliver excellent work but carry concentration risk — if the practitioner is unavailable, capacity-constrained, or moves on, continuity can be difficult.
The most important selection criteria, regardless of tier, are:
- Demonstrable FINTRAC examination experience (not just generic financial audit)
- Track record of effectiveness reviews for entities of similar profile
- Independence from the entity’s other compliance advisers
- Ability to commit named senior reviewers, not just project codes
- Willingness to defend the review’s methodology if FINTRAC questions it
ComplyFactor operates in the specialist AML advisory tier and has conducted FINTRAC AML audits across the MSB, PSP, EMI, and VASP populations. Our AML audit services, global MLRO services, AML advisory services, and AML compliance programme services work in combination — which is particularly useful for entities that need both an effectiveness review and the remediation support to close the resulting findings.
INDUSTRY INSIGHT: The reviewer who conducted your last effectiveness review should generally not also be remediating its findings — independence over time matters. Many entities rotate between an audit firm for the effectiveness review and a separate advisory firm for remediation, then alternate the roles in the next cycle. This rotation builds independence into the multi-year programme.
Common Effectiveness Review Failures and Findings
Across the FINTRAC AML audit population, the same finding categories recur. The list below is observable across hundreds of effectiveness reviews and FINTRAC examination outcomes.
| Finding Category | Typical Severity | Frequency in Review Population |
|---|---|---|
| Outdated risk assessment (more than 12 months old) | High | Very common |
| Risk assessment does not address all current products | High | Common |
| Policies not updated for 2024–2026 PCMLTFA amendments | Critical | Common |
| Customer identification methods not aligned with prescribed methods | High | Common |
| Beneficial ownership reasonable measures not documented | High | Very common |
| STR field-level errors and incomplete narratives | Medium-High | Very common |
| LCTRs missed on aggregated transactions | High | Common |
| Sanctions screening at onboarding only, not ongoing | High | Common |
| Training completion below 100% with no follow-up | Medium | Common |
| Compliance officer authority not documented in writing | Medium | Common |
| Senior management oversight not evidenced | Medium-High | Very common |
| Prior effectiveness review findings not closed | Critical | Recurring |
The last item — prior findings not closed — deserves particular attention. A finding that recurs in successive reviews escalates in severity at each iteration. By the third review, an unremediated finding signals to FINTRAC that the entity is not operating a compliance loop — and that conclusion materially affects how the next examination unfolds. Our analyses of the $176M FINTRAC penalty, the Simple Canadian Services penalty, and the 2026 MSB revocations all show how unremediated findings compound into enforcement outcomes.
COMPLIANCE ALERT: If your last effectiveness review identified findings that are still open as you approach your next two-year review, you have two options: close the findings before the next review, or accept that they will be re-flagged at higher severity. The third option — hoping the next reviewer misses them — is not a strategy. FINTRAC examiners explicitly test whether prior findings have been closed.
Frequently Asked Questions
How often must a Canadian MSB or PSP conduct a FINTRAC AML audit?
At least once every two years, as required by section 9.6(2) of the PCMLTFA. This is a minimum, not a target — entities with higher risk profiles, recent material changes, or open findings from prior reviews often benefit from more frequent reviews. The two-year clock runs from the date the prior review was completed.
Can the FINTRAC AML audit be conducted by an internal team?
Yes, the PCMLTFA permits internal review, but only where genuine independence can be demonstrated. The reviewer cannot be the compliance officer, anyone reporting to them, or anyone responsible for designing or operating the programme. For most Canadian MSBs and PSPs, internal independence is not structurally achievable, and external review is the practical pathway.
What is the difference between a FINTRAC examination and an AML audit?
A FINTRAC examination is conducted by FINTRAC under section 62 of the PCMLTFA and produces regulatory findings, potentially including penalties. An AML audit (effectiveness review) is conducted by the entity’s appointed reviewer under section 9.6(2) and produces findings for the entity to remediate. The audit is, in effect, the entity’s private preparation for any future examination.
What does a FINTRAC AML audit cost?
Costs vary considerably with entity size, complexity, and product mix. There is no useful average — what matters is whether the cost reflects the depth of testing the entity actually requires. The cheapest review is rarely the most cost-effective when measured against the regulatory exposure it surfaces or fails to surface.
Does FINTRAC review the effectiveness review report directly?
FINTRAC requests the most recent effectiveness review report at the start of nearly every examination. Examiners read it, identify the findings, and use those findings as a starting point for their own examination scoping. A weak or stale review tells FINTRAC where to look first.
What happens if I miss the two-year deadline?
A missed effectiveness review is a finding in itself and is one of the most clearly identifiable deficiencies in any FINTRAC examination. Entities that have missed the deadline should commission the review immediately and document the reasons for the delay alongside the corrective action.
Can I use my last review’s reviewer for the next review?
You can, and many entities do — there is value in continuity. However, multi-cycle independence matters. Some entities rotate between reviewers every two cycles to build refreshed independence into the multi-year programme. Banking partners and sophisticated counterparties increasingly look for evidence of this rotation.
Does the AML audit need to cover the RPAA framework for PSPs?
The PCMLTFA AML audit does not formally include RPAA obligations, but for PSPs that are dual-registered, conducting both reviews together — under separate but coordinated scopes — is operationally efficient. The two regimes share governance and risk infrastructure, and a coordinated review reduces duplication.
How long does the audit take from start to finish?
Typically six to sixteen weeks from kick-off to final report, depending on entity size and complexity. Procurement lead time can add a further four to eight weeks. Entities should engage their reviewer at least four to six months before the statutory due date.
Is there a FINTRAC-mandated template for the effectiveness review report?
No. FINTRAC does not mandate a specific template. What matters is that the report addresses each PCMLTFA obligation applicable to the entity, sets out the testing performed, identifies findings with severity ratings and root causes, and recommends corrective actions. Reports that follow this structure are accepted; reports that do not, regardless of format, generate findings.