
AML compliance program Canada — the PCMLTFA five pillars, built for your business

Every business registered with FINTRAC must maintain a written AML compliance program under the PCMLTFA. A registration number is not enough — FINTRAC examines the program itself, and a program that does not reflect your actual business will generate findings regardless of how long you have been registered.

ComplyFactor builds AML compliance programs for Canadian MSBs, PSPs, fintechs, and VASPs — structured around FINTRAC's five mandatory pillars, calibrated to your business model, and documented to survive an examination from day one.

All 5 FINTRAC pillars covered · Business-specific — not templates · Bill C-12 standard · Examination-ready

The legal definition

What is a PCMLTFA compliance program — and what must it cover?

A PCMLTFA compliance program is the documented framework through which a FINTRAC reporting entity demonstrates it has identified its money laundering and terrorist financing risks and implemented controls to manage them. It is not a policy template — it is a living set of documents that must reflect your actual business: your customer types, products, transaction volumes, geographies, and delivery channels.

Under PCMLTFA Part 1, Section 9.6, the program must be reasonably designed, risk-based, and effective — the three-part standard FINTRAC applies during every examination. A program can be reasonably designed on paper but ineffective in practice. FINTRAC examines all three.

The program must cover five specific pillars — each with its own documentation requirements, examination criteria, and common failure patterns. A program missing any of the five is non-compliant on its face.

FINTRAC's three-part standard

Every program is examined against all three — not just whether it exists.

Reasonably designed: Built to address the real ML/TF risks your business actually faces
Risk-based: Controls calibrated to the ratings in your risk assessment
Effective: Works in practice — and produces evidence that it does

The framework

The 5 pillars of AML compliance under FINTRAC

FINTRAC's five-pillar framework is the structural foundation of every PCMLTFA compliance program. Each pillar has a specific legal basis, a defined examination focus, and a documented pattern of failure that appears repeatedly in enforcement actions.

1. Compliance officer designation
Legal basis

PCMLTFA s.9.6 — a senior officer must be designated and named in your FINTRAC records. See compliance officer & fractional MLRO.

FINTRAC examines

Whether the officer is named, holds genuine authority, and is demonstrably engaged in the program.

Common failure

A name on the form with no real involvement — or a junior employee without the authority the role requires.

2. Written policies & procedures
Legal basis

Written, business-specific policies covering your AML obligations and the internal procedures that implement them.

FINTRAC examines

Whether policies are current, reflect the actual business, and are followed — tested directly against your records.

Common failure

A registration-day template describing procedures the business does not follow — the single most common FINTRAC finding.

3. Risk-based approach & risk assessment
Legal basis

PCMLTFR s.156 — a documented risk assessment across customer, product, geographic, and delivery-channel risk.

FINTRAC examines

Whether the assessment is documented, business-specific, current, and actually drives your controls.

Common failure

Generic risk ratings that don't match the customer base — or an assessment never updated as the business changed.

4. Ongoing training programme
Legal basis

PCMLTFR s.165 — ongoing, role-specific training for relevant employees, documented and retained.

FINTRAC examines

Whether training was delivered, role-specific, completed in time, with completion records to show the examiner.

Common failure

One-size-fits-all or undocumented training — or no completion evidence retained at all.

5. Independent effectiveness review
Legal basis

PCMLTFA s.9.6(2) — an independent effectiveness review at least once every two years.

FINTRAC examines

Whether a review was conducted within the past two years and its findings reported to senior management.

Common failure

No review on record — or a "review" that was never genuinely independent of the compliance function.

When it fits

When Canadian businesses need a compliance program build

A compliance program is not a one-time document — it is a framework that must evolve with your business. These are the four situations where a full build or rebuild is the right action.

Scenario 01

New MSB or PSP registration

FINTRAC expects a working program from day one — not a registration-day placeholder. We build the full five-pillar framework behind your registration so the first examination finds a program, not a gap.

Scenario 02

Examination findings require a rebuild

FINTRAC has identified program deficiencies and you need to demonstrate a corrected framework. We rebuild the affected pillars and document the changes against the findings, so the fix holds up on review.

Scenario 03

Built at registration and never updated

Your program was written when you registered and hasn't moved since — while the business, and the Bill C-12 standard, have. We rebuild it to reflect what you actually do today.

Scenario 04

Business model has changed significantly

New product lines, new customer types, or new geographies change your risk profile — and your program must change with them. We re-run the risk assessment and recalibrate every dependent control.

Scope of the build

What our AML compliance program build covers

A program build is not a consulting engagement — it is a documentation project with a defined output. Here is exactly what a ComplyFactor build produces.

01. AML policy & procedures manual
Your complete written AML policy — client identification and verification, record-keeping, transaction monitoring, STR/EFTR/LVCTR filing procedures, sanctions screening, and escalation protocols. Written for your business type, not adapted from a bank template.

02. AML risk assessment
Documented assessment across your four risk dimensions: customer risk (by client type and segment), product and service risk, geographic risk (by jurisdiction and remittance corridor), and delivery-channel risk — ratings supported by documented rationale.

03. Customer risk rating framework
A scoring matrix for classifying customer risk at onboarding and review — defining low, medium, and high-risk characteristics specific to your model, with corresponding CDD and EDD trigger criteria.

04. Transaction monitoring framework
Documented monitoring parameters — thresholds, scenarios, and red flags specific to your product type — including the alert review process and the escalation path from flagged transaction to potential STR.

05. AML training programme
Role-specific training content for frontline staff, onboarding teams, and senior management — covering their individual obligations, your internal procedures, and red-flag identification. Formatted with completion-record templates.

06. Governance & oversight framework
Terms of reference for the compliance officer role, senior-management reporting structure, board-level AML accountability documentation, and the schedule for annual reviews and biennial independent audits.

How we build

Our AML program build process

Building a PCMLTFA-compliant program requires understanding your business before writing a single policy. Our five-phase process is designed around that principle — discovery first, documentation second.

1. Business discovery

We map your business model — customer types, products, transaction flows, geographies, and sector-specific obligations (MSB, PSP, VASP, or finance company). This informs every component; without it, the output is generic.

2. Risk assessment

We build your risk assessment before writing any policy. Risk ratings drive your monitoring thresholds, CDD trigger criteria, and resource decisions. A program built without one is built on assumptions.

3. Program drafting

Each component is drafted to reflect the risk-assessment outputs and your actual procedures. We do not write policies that describe a business you don't operate — FINTRAC tests policies against records.

4. Review & calibration

You review the draft; we calibrate any component that doesn't accurately describe your operations. A policy that doesn't reflect reality is worse than none — it documents a gap.

5. Delivery & briefing

Finalised documents delivered in editable format, version-controlled and dated — with an implementation briefing covering what changed, what obligations are now active, and your next compliance-calendar dates.

Existence → Effectiveness: How FINTRAC's program standard changed in March 2026

The standard has shifted

FINTRAC's current program standards — the post-Bill C-12 shift

Before Bill C-12, FINTRAC's approach was primarily existence-based — did you have a program? Under Bill C-12 (March 2026) the standard became effectiveness-based: is your program reasonably designed, risk-based, and effective in practice? A program that ticks every box on paper but produces no STRs, applies no EDD, and shows no active monitoring will not satisfy the new standard.

 
Program standard
After Bill C-12 (March 2026): Reasonably designed, risk-based, AND effective
Before Bill C-12: Reasonably designed and risk-based

Examination focus
After Bill C-12 (March 2026): Does the program work in practice?
Before Bill C-12: Does the program exist?

What triggers a finding
After Bill C-12 (March 2026): Missing documentation OR evidence of ineffectiveness
Before Bill C-12: Missing documentation

Maximum penalty — serious
After Bill C-12 (March 2026): $4,000,000
Before Bill C-12: $100,000

STR quality assessment
After Bill C-12 (March 2026): Now assessed — low/zero STRs in high-risk businesses are examined
Before Bill C-12: Not formally part of examination

Every ComplyFactor program is built to the post-Bill C-12 effectiveness standard — designed to produce evidence of active compliance, not just to document that a program exists.

Deliverables

What Canadian businesses receive

A complete, documented compliance framework — every component formatted for FINTRAC examination and editable for ongoing maintenance.

AML policy & procedures manual
Version-controlled Word document, dated, with your business name and FINTRAC registration number. Section structure mirrors FINTRAC's examination framework.
AML risk assessment
Structured document with a four-dimension risk matrix, individual ratings with documented rationale, an overall inherent risk rating, and a control-effectiveness assessment.
Customer risk rating framework
Scoring matrix in editable format — low/medium/high definitions, a risk-indicator checklist, and CDD/EDD trigger criteria specific to your customer types.
Transaction monitoring framework
Monitoring-threshold document with product-specific red flags, an alert-review workflow, and an STR escalation decision tree.
AML training programme
Role-specific modules (frontline / onboarding / management) in editable format, plus blank completion-record templates for ongoing documentation.
Governance & oversight framework
Compliance officer terms of reference, a senior-management reporting template, an annual review schedule, and a biennial audit coordination checklist.
Compliance calendar
A 12-month forward schedule of all program obligations — training cycles, risk-assessment review dates, FINTRAC filing deadlines, and the biennial audit trigger date.
The difference

Why Canadian MSBs & PSPs choose ComplyFactor

Programs built from your business outward — to the effectiveness standard FINTRAC now examines.

Risk-first: Risk assessment before any policy is written

Built by a named specialist

Your program is built by a CAMS-certified AML specialist with direct FINTRAC examination experience — named in your engagement, because program builds require author credibility.

Built for your business — not from a template

Every component is written for your customer types, products, and transaction flows. We don't maintain a library of templates to adapt. Generic programs produce generic gaps.

Post-Bill C-12 effectiveness standard

Every program is tested against the "reasonably designed, risk-based, and effective" standard — not just the pre-2026 existence requirement. FINTRAC examines effectiveness; so do we.

Risk assessment first — always

We build the risk assessment before writing any policy. Your ratings drive your monitoring thresholds, CDD criteria, and resource allocation. A program built without one is built on assumptions.

Delivered as editable documents — not PDFs

Your program is delivered in fully editable format so your compliance officer can maintain it without coming back to us for every change. You own it.

Questions

Frequently asked questions — AML compliance program Canada

What are the 5 pillars of AML compliance under FINTRAC?
FINTRAC's five compliance pillars under the PCMLTFA are: (1) a designated senior compliance officer named in your FINTRAC registration; (2) written policies and procedures covering your AML obligations and internal procedures; (3) a risk-based approach including a documented risk assessment; (4) an ongoing training programme for relevant staff with documented completion records; and (5) an independent effectiveness review conducted at least once every two years. Every pillar is examined directly during a FINTRAC examination — a program missing any of the five is non-compliant on its face.
Does every Canadian MSB need a written AML compliance program?
Yes. Every business registered with FINTRAC as a reporting entity is required by law under the PCMLTFA to maintain a written AML compliance program. This includes Money Service Businesses, Payment Service Providers, virtual asset service providers, and — since April 2026 — finance and leasing companies. Having a FINTRAC registration number without an accompanying compliance program is a violation in itself.
How long does it take to build a PCMLTFA compliance program?
A complete build for a straightforward MSB typically takes two to four weeks from the initial scoping call to final document delivery. More complex businesses — multi-product PSPs, international remittance corridors, or VASPs with diverse service lines — may require four to six weeks to ensure the risk assessment and monitoring framework accurately reflect the business model. We provide a specific timeline in the written engagement proposal.
Can we use a template AML compliance program?
A template can provide structure, but a template-only program will not survive a FINTRAC examination. Examiners test your policies against your actual records — if your policy describes procedures your business doesn't follow, or risk ratings that don't match your customer base, the policy becomes evidence of a gap rather than a control. ComplyFactor builds from your business model outward, using structure only as a starting point.
How often does an AML compliance program need to be updated?
Under PCMLTFA regulations, the program must be reviewed and updated when material changes occur — new products, new customer segments, new geographies, or changes in transaction volumes that affect your risk profile. In addition, an independent effectiveness review must be conducted at least every two years. As a practical matter, most components should be reviewed annually even without a material trigger.
What is the difference between an AML compliance program and an AML audit?
An AML compliance program is the documented framework through which your business meets its PCMLTFA obligations — the policies, risk assessment, training materials, and governance structure. An AML audit (effectiveness review) is an independent assessment of whether that program works in practice. The program is the foundation; the audit tests whether the foundation holds. Under the PCMLTFA, both are required — the program must exist and must be independently reviewed for effectiveness every two years.
Get started

Book a free Canada AML consultation

Tell us about your business and we'll confirm which services you need — free, no obligation, 30 minutes.

Free, no obligation, 30 minutes
Senior consultant on every engagement
Aligned with PCMLTFA & FINTRAC standards
+1 807 806 0444 · Suite 211, 320 Matheson Blvd West, Mississauga, ON
