Key takeaways
- FINTRAC does not issue a pass/fail grade β but a review with multiple significant deficiencies is, in practice, a failed review.
- The review is your internal document, but examiners now routinely request it at the start of every examination.
- Consequences escalate from a compliance assessment report to a Notice of Violation, and ultimately to registration revocation.
- The most underestimated risk is losing your bank account β enforcement actions are public, and banks act on them.
A failed FINTRAC effectiveness review does not automatically end your MSB registration. But it sets in motion a chain of consequences that, if left unmanaged, can do exactly that.
Understanding what FINTRAC does after a negative review β and what you are required to do β is the difference between a manageable compliance gap and a regulatory crisis. This article covers what a failed review actually means, what FINTRAC's response looks like, and the concrete steps an MSB must take to recover.
What "failing" an effectiveness review actually means
FINTRAC does not issue a pass or fail grade on an effectiveness review. The terminology is more nuanced, but the outcomes are not.
An independent effectiveness review β required at minimum every two years under section 9.6(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) β assesses whether your compliance programme is not only documented but genuinely working. Reviewers test your policies, procedures, risk assessment, and training programme against actual operational evidence.
The review produces findings, categorised by severity:
- Significant deficiency β a control failure that materially undermines your programme's ability to detect or report money laundering or terrorist financing.
- Deficiency β a gap that weakens the programme without completely disabling a control.
- Recommendation β an improvement that would strengthen the programme but does not represent a current failure.
A review with multiple significant deficiencies is, in practical terms, a failed review. It tells FINTRAC β and your banking partners β that your compliance programme is not operating effectively.
FINTRAC's role: who sees the review?
The independent effectiveness review is an internal document. You commission it, your reviewer produces it, and you retain it. FINTRAC does not automatically receive a copy.
However, FINTRAC examiners now routinely request the most recent effectiveness review at the outset of every compliance examination. If you cannot produce one, or if the review is out of date, that absence is itself a finding β a failure to meet the two-year review obligation under the PCMLTFA.
If your review contains significant deficiencies and FINTRAC's examiner reviews it, those findings become the roadmap for the examination. The examiner will test precisely the areas the review identified as weak. A poor effectiveness review followed by no remediation is one of the most damaging compliance positions an MSB can be in.
What FINTRAC does after a compliance examination
When FINTRAC conducts a compliance examination β separate from your independent review β and identifies violations, its response depends on the severity and pattern of the findings.
Sending a compliance assessment report
For lower-severity findings, FINTRAC typically issues a compliance assessment report outlining the violations found and the corrective actions required. This is not a penalty. It is a formal notice that your programme has gaps and that FINTRAC expects remediation. You are required to respond with a remediation plan within the timeframe FINTRAC specifies. Failure to respond, or a response FINTRAC considers inadequate, escalates the matter.
Issuing a Notice of Violation
For more serious findings β particularly repeated violations, systemic programme failures, or a pattern of non-reporting β FINTRAC may issue a Notice of Violation alongside an Administrative Monetary Penalty (AMP). This is covered in detail in our companion article on responding to a FINTRAC Notice of Violation.
Referring to law enforcement
In cases where FINTRAC's examination reveals evidence of actual money laundering or terrorist financing activity β or deliberate non-compliance designed to facilitate it β FINTRAC refers the matter to the RCMP, CSIS, or the Canada Revenue Agency. This is rare but not theoretical.
Registration revocation
FINTRAC has statutory authority to revoke an MSB registration where it determines the registrant is no longer eligible. Eligibility is a continuous obligation. An MSB with a compliance programme that has materially failed β particularly one with findings that go unremediated across multiple examination cycles β is at genuine risk of revocation.
The Q1 2026 revocation wave, in which FINTRAC cancelled 35 MSB registrations in a single quarter, demonstrated that this authority is exercised actively, not as a last resort.
Banking consequences: the risk most MSBs underestimate
FINTRAC enforcement actions are public. Administrative monetary penalties, Notices of Violation, and revocations are published on FINTRAC's website.
Your banking partners monitor these publications. A published AMP or Notice of Violation triggers enhanced due diligence by your bank β and in many cases, account termination. For MSBs, losing a bank account is often more immediately damaging than the penalty itself.
Banks are particularly sensitive to two things: evidence that your compliance programme is not functioning, and evidence that FINTRAC has taken formal action. An unresolved effectiveness review with significant deficiencies β even before FINTRAC gets involved β can also trigger bank concerns if it surfaces during a banker's periodic file review of your business.
Your obligations after a failed review
If your independent effectiveness review returns significant deficiencies, your obligations are clear.
- Remediation is not optional. The PCMLTFA requires that your compliance programme be effective. A review that identifies it is not effective creates an obligation to fix it. There is no statutory grace period β remediation must begin immediately and be documented throughout.
- Document every remediation step. FINTRAC examiners look for evidence that findings were taken seriously. A remediation log that tracks each finding, the corrective action taken, who was responsible, and the completion date is the minimum standard. Verbal assurances carry no weight.
- Update your risk assessment and policies. Most significant deficiencies involve either an outdated risk assessment that no longer reflects your actual business, or policies not updated to reflect current PCMLTFA obligations. Both must be corrected before your next examination.
- Retrain relevant staff. Where a deficiency relates to how staff identify customers, file reports, or escalate suspicious activity, targeted retraining is required. Document who was trained, on what, and when.
- Consider an interim review. If your review returned multiple significant deficiencies, waiting two years for the next scheduled review leaves you exposed. An interim gap assessment β six to twelve months after remediation β confirms whether your fixes actually worked before FINTRAC tests them.
The most common deficiencies that cause reviews to fail
Based on FINTRAC's published compliance assessment data, the findings that most consistently produce significant deficiencies are:
- Incomplete or outdated risk assessment β FINTRAC expects your business risk assessment to reflect your current customer base, geographic exposure, products, and delivery channels. A risk assessment drafted at registration and never updated almost always fails.
- No evidence of ongoing transaction monitoring β Policies that describe monitoring without documentary evidence it is actually happening β flagged transactions, escalation records, review logs β are treated as non-functional controls.
- STR filing failures β Failure to file Suspicious Transaction Reports in circumstances that clearly warranted them, or STRs filed significantly past the prescribed timeframe, are among the most serious findings FINTRAC makes.
- Third-party determination gaps β Many MSBs do not have documented processes for determining whether a transaction is conducted on behalf of a third party, a specific obligation under the PCMLTFR.
- Absence of a compliance officer β Having a named compliance officer on your FINTRAC registration but no evidence that person has actually performed compliance functions is a common and easily identified deficiency.
How ComplyFactor can help
If your effectiveness review has returned significant findings, or you have not had an independent review conducted within the past two years, the time to act is now β not after FINTRAC schedules an examination.
ComplyFactor provides independent FINTRAC effectiveness reviews that meet the statutory independence requirement under the PCMLTFA, along with full compliance programme remediation for MSBs that need to close findings quickly. Our team works with you to prioritise deficiencies by risk, build a defensible remediation record, and prepare your programme for the next examination cycle.
Contact ComplyFactor to discuss your current compliance position.
Frequently asked questions
Does FINTRAC automatically know if my effectiveness review found deficiencies?
Can FINTRAC revoke my registration based on an effectiveness review alone?
How long do I have to remediate findings from an effectiveness review?
What if my effectiveness review was conducted by someone without real independence?
ComplyFactor is a specialist AML and regulatory compliance advisory firm working exclusively with MSBs, PSPs, fintechs, and VASPs across Canada's FINTRAC framework. Our advisors hold CAMS certification and bring direct FINTRAC examination experience to every engagement.
