How to Completely Fail Your FINTRAC Examination
A Guide to Every AML Compliance Mistake That Will End Your Business

If you have always wondered what it would take to truly, spectacularly, and publicly fail a FINTRAC examination under Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act, this guide was written for you.
The following is a guide to every compliance pattern that causes Canadian reporting entities to fail FINTRAC examinations. Almost all of them are the result of a business that was growing, a compliance function that was under-resourced, and a regulatory environment that kept moving while the AML program stayed still.
Every item on this list is drawn from real compliance failures, real examinations, real enforcement actions, and real businesses that discovered the hard way that "we thought we were compliant" is not a legal defence.
Read this as a checklist. If you recognise your own organisation in more than three items, stop reading and call a compliance professional. Because you still have time to fix it.
Step One: Assume That Because You Are Registered, You Are Compliant
This is the most common misunderstanding in Canadian AML compliance, and it is an entirely understandable one.
You filed the paperwork, you got the confirmation, FINTRAC knows you exist, and you moved on to running your business. That feels like compliance but it’s just the starting line.
Registration means FINTRAC knows you exist. Compliance means your anti-money laundering program is designed, documented, implemented, tested, and effective.
Those are four entirely different conditions, and a reporting entity can satisfy the first without coming anywhere near the other four. Money services businesses, foreign MSBs, crypto businesses, and other reporting entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act are registered. A significant number of them are not compliant, and most of them would be surprised to hear it.
If your compliance strategy is "we are registered, so we are fine," the registration is not the problem. The gap between registration and a functioning AML program is where the examination findings live.
Step Two: Build Your AML Program in Year One and Never Touch It Again
This one is genuinely not anyone's fault.
When a business launches, the compliance program gets built by whoever is available, usually under time pressure, usually while ten other things are happening simultaneously. The program gets filed, the registration gets completed, and then the business gets on with the work of actually operating.
Two years later, the business has new products, new customer segments, new markets, and a compliance program that still describes the operation as it existed on day one. The person who wrote it has moved on. Their name is still on the cover page as Chief Anti-Money Laundering Officer. The folder it lives in has not been opened since the original FINTRAC registration was filed.
The Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires a compliance program that is risk-based and effective, which means it must reflect the actual current risk profile of the business.
A FINTRAC examiner will not be comparing the program to what the business looked like in 2021. They will be comparing it to what the business looks like today. If those two things do not match, every gap between them is a finding waiting to happen.
Step Three: Perform Your AML Risk Assessment Once and Declare It Finished
The AML risk assessment is the document that everything else flows from.
Customer due diligence standards, transaction monitoring thresholds, enhanced measures for higher-risk relationships: all of it is calibrated based on what the risk assessment says the business's risk profile actually looks like.
When the risk assessment is outdated, everything downstream is working from the wrong foundation.
The risk assessment that causes the most examination problems is a perfectly reasonable one that was accurate when it was written and has simply never been revisited. It does not mention the products launched in the last two years. It does not account for the new customer segments that came on board since the original assessment. It does not reflect anything that has changed in the regulatory environment since it was written.
If a FINTRAC examiner asks when the risk assessment was last reviewed and the answer requires a moment of silence while someone checks a file timestamp, the examination is already in serious trouble. A risk assessment that was genuinely current twelve months ago is worth defending. One that was filed at registration and never opened again is not.
๐ TRAINING PROMO: FIRST COME, FIRST SERVED (10 SEATS ONLY) Use code blog29th at checkout for AML Incubator Training. Seats are going fast. Do not be the person who registers for training after the examination notice arrives.
๐ amlincubator.com
Step Four: Treat KYC as a Box-Ticking Exercise at Onboarding and Never Think About It Again
Know Your Customer is an ongoing obligation that requires customer information to be collected, verified, maintained, and updated as circumstances change and risk profiles evolve. The onboarding file is the starting point.
The KYC program that generates the most examination findings is one where onboarding documentation was collected when the customer relationship began and has not been reviewed since, regardless of how long ago that was, how much the customer's transaction behaviour has changed, or how many things have shifted in the intervening period.
Beneficial ownership has been identified in a percentage of files that a compliance professional would describe as aspirational. Enhanced due diligence for higher-risk customers has been interpreted to mean sending an extra email at onboarding.
If the beneficial ownership records for corporate customers were completed by asking the customer to fill in a form and filing the form without any independent verification, those are not beneficial ownership records. They are statements made by customers about themselves, which is a meaningfully different thing, and FINTRAC examiners know the difference.
Step Five: Configure Transaction Monitoring Once and Assume the Alerts Will Always Be Correct
Transaction monitoring systems do not stay calibrated on their own. The thresholds that made sense based on estimated transaction volumes at implementation may be completely wrong for the actual transaction patterns the business is now seeing.
A system that has never been recalibrated since go-live is not monitoring transactions effectively. It is producing outputs that no longer reflect the risk profile of the business.
The monitoring configuration that causes the most problems is one that generates either far too many alerts for the compliance team to review meaningfully, or so few alerts that the team has quietly concluded that all of their customers are extraordinarily well-behaved.
One of them is a backlog problem. The other is a calibration problem that looks like everything is fine right up until an examiner asks to see the alert history.
For the full examination effect, add an alert backlog with items that have been sitting for six to eighteen months without disposition, suspicious transaction report filing rates that do not reflect the volume of alerts being reviewed, and a monitoring reviewer whose actual primary job is something else entirely. That combination will make for a very thorough examination finding.
Step Six: Train Your Staff Once at Onboarding and Consider the Obligation Permanently Satisfied
AML training is a recurring obligation. It must be role-specific, current, documented, and completed by every employee whose work touches AML-relevant functions, including customer-facing staff, operations teams, senior management, and the compliance function itself.
The training program that generates the most examination criticism is one where new employees receive a general overview of money laundering during their first week, after which training is considered complete regardless of what happens next. Regulatory changes happen. Product changes happen. The employee's role evolves. None of it prompts a training update, because the training was filed as done at onboarding and no one has looked at it since.
The extra detail that makes this finding worse is when training records are stored in a system that is no longer in use, several employees cannot confirm whether they completed the training that records indicate they completed, and the training content itself has not been updated to reflect anything that has changed in the past two years. That combination means the training obligation exists on paper and nowhere else.
๐ TRAINING PROMO: FIRST COME, FIRST SERVED (10 SEATS ONLY) Use code blog29th at checkout for AML Incubator Training. Seats are going fast. Do not be the person who registers for training after the examination notice arrives.
๐ amlincubator.com
Step Seven: Ignore Suspicious Transactions Because Reporting Them Feels Complicated
Suspicious transaction reporting is not something that applies only to transactions that have been confirmed as connected to criminal activity.
The threshold under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act is reasonable grounds to suspect, which is a lower and more accessible standard than most compliance teams apply in practice.
The way this failure usually develops is not that a business decides not to report. It is that an informal internal standard quietly takes hold, where a transaction has to look obviously suspicious before anyone escalates it.
Customer-facing staff are sometimes reluctant to raise concerns because previous concerns did not go anywhere. The compliance function is understaffed and treats every filing as a significant operational event rather than a core program output.
The result is a suspicious transaction report filing rate that does not reflect the actual complexity and risk profile of the customer base, and that disproportion is exactly the kind of pattern a FINTRAC examiner is trained to notice.
Step Eight: Keep Records in a Way That Ensures They Cannot Be Found When Needed
Recordkeeping under the PCMLTFA is specific, retention-period-based, and examination-critical.
When a FINTRAC examiner requests records, the request does not come with a generous timeline. The ability to locate, retrieve, and produce organised records within a reasonable timeframe is itself a compliance function, and the inability to do so is itself a finding, separate from whatever the records contain.
The recordkeeping situation that generates the most examination problems is one where KYC documentation is spread across three different platforms, transaction records require a login credential held by one person who is currently on leave, beneficial ownership files exist in some combination of physical folders and email attachments, and suspicious transaction report documentation for the past two years would require a genuinely impressive archaeological effort to compile.
All of this is a result of a business that grew faster than its document management practices.
If the response to a FINTRAC request for records would involve the phrase "we need a few days to find everything," the recordkeeping function needs attention before that phrase gets used in an examination context.
Step Nine: Appoint a Compliance Officer Who Has No Authority, No Resources, and No Time
The Chief Anti-Money Laundering Officer is a specific statutory role under the PCMLTFA.
The compliance officer must have the authority to implement and enforce the compliance program, access to senior management and the board, adequate resources to carry out the function, and sufficient time to actually do the work.
All four of those conditions matter, and in practice, the one that fails most often is time.
The CAMLO appointment that causes the most examination criticism is one where the role has been assigned to a capable, well-intentioned person who also has a full primary job elsewhere in the business. The compliance program was not built with their input. AML training was not something they had the chance to complete properly.
Senior management treats compliance questions as an interruption to the real work rather than a governance function that protects the business.
The version of this that generates the most pointed examination finding is a CAMLO whose performance incentives are structured around revenue targets.
When compliance and commercial objectives compete for the same person's attention, compliance loses, not because anyone planned it that way, but because that is what happens when the incentive structure does not support the compliance function.
Step Ten: Treat a FINTRAC Examination Notice as the Beginning of Your Compliance Program
FINTRAC examination notices are notifications that FINTRAC is coming to examine the AML program that already exists.
Businesses that receive an examination notice and respond by urgently drafting policies, updating risk assessments, and locating records for the first time are not demonstrating compliance readiness. They are demonstrating that the compliance program did not exist in any meaningful operational sense before the notice arrived, and examiners are experienced enough to tell the difference between a program that has been running and one that was assembled in the weeks before the examination.
The time to build the AML program is before the examination notice.
The time to update the risk assessment is before the examination notice.
The time to train the staff, calibrate the monitoring system, remediate the KYC gaps, and confirm the recordkeeping is functional is before the examination notice arrives, and not one moment after.
What to Do Instead
Every item in this guide is a real compliance failure pattern.
Every one of them is also completely fixable before a FINTRAC examination arrives. The readiness checklist below reflects the minimum operational condition a reporting entity under the PCMLTFA should be in before an examination.
Confirm reporting entity status and registration accuracy.
Verify that the business is appropriately classified, that registration information is current, and that the registered activities accurately reflect what the business actually does today.
Update AML policies and procedures to reflect current operations.
Close every gap between the documented compliance program and the actual operational reality of the business, prioritising areas that have changed most since the program was last reviewed.
Refresh the AML risk assessment.
If the risk assessment is more than twelve to eighteen months old, or if the business has changed materially since the last review, it does not reflect the current risk profile and needs to be updated before an examination.
Remediate KYC, beneficial ownership, sanctions, and PEP gaps.
These are the areas FINTRAC examinations focus on most heavily, and gaps in these areas are not treated as minor findings.
Test transaction monitoring calibration and alert operations.
Confirm that the system is generating alerts at an appropriate volume, that alerts are being reviewed and disposed of within a reasonable timeframe, and that suspicious transaction report filing rates reflect a program that is actually running.
Review all reporting workflows.
Confirm that suspicious transaction reports, large cash transaction reports, electronic funds transfer reports, and other applicable reporting obligations are documented, tested, and operationally assigned to individuals who understand the requirements.
Confirm recordkeeping quality and retrievability.
If producing complete, organised records within 48 hours would be a challenge, that challenge needs to be resolved before an examiner makes the request.
Update and document staff training.
Training must be current, role-specific, and documented for every employee with AML-relevant responsibilities, not just onboarding completions from two years ago.
Ensure the CAMLO has appropriate authority, resources, and time.
The compliance officer must be able to do the job, which requires authority, access, and sufficient capacity to treat compliance as a genuine priority rather than a secondary function.
Schedule an independent AML effectiveness review.
An independent review is the most credible mechanism for demonstrating to FINTRAC that the compliance program is genuinely functional. If the last review was more than two years ago, schedule one now.

๐ TRAINING PROMO: FIRST COME, FIRST SERVED (10 SEATS ONLY) Use code blog29th at checkout for AML Incubator Training. Seats are going fast. Do not be the person who registers for training after the examination notice arrives.
๐ amlincubator.com
Get In Touch
AML Incubator provides practical AML compliance support for Canadian reporting entities navigating FINTRAC examinations and preparing for stronger regulatory scrutiny. The work is implementation-focused, building, assessing, and remediating compliance programs that need to function under a more visible and more enforceable regulatory environment.
Services most directly relevant to reporting entities preparing for examination:
- Independent effectiveness review:
Assessing whether the AML program is operationally functional, identifying gaps before FINTRAC does, and producing a remediation roadmap with prioritised action items. - Regulatory remediation:
Supporting entities that have received FINTRAC findings, compliance agreements, or compliance orders and need to demonstrate corrective action through documented, verifiable program improvements. - Outsourced CAMLO and MLRO services:
Providing qualified, named compliance officer coverage for entities that need an accountable individual without a full-time hire. - MSB registration support:
Registration, renewals, and regulatory correspondence for MSBs and foreign MSBs, including crypto MSBs and payment businesses.
๐ amlincubator.com | ๐ง hello@amlincubator.com
This article is written in a satirical format for educational purposes. Every compliance failure described reflects real patterns observed across Canadian reporting entities. None of the content constitutes legal advice. Reporting entities with specific compliance questions should engage qualified AML counsel or a compliance professional.




