New MSB Onboarding Risk: Why Higher-Risk Applicants Often Test New Firms Early
Launching a money services business can bring an encouraging early signal: inbound demand. But early demand is not always the kind of demand you want. Some of the first applicants a new MSB sees may also be the people most likely to test weak onboarding, unclear escalation rules, or inconsistent review standards. In Canada, MSBs must register with FINTRAC before they begin operating, and reporting entities must establish and implement a compliance program. The real challenge, then, is not only getting registered. It is making sure the business can ask the right questions, turn away the wrong clients, and document difficult decisions before pressure starts influencing the process.
Why This Risk Shows Up Early
A new money services business is not automatically weak. But early on, it can be easier to test.
That usually happens because several things are happening at once. The business is trying to grow, build internal routines, set thresholds, and make real onboarding decisions without much history to work from. When controls have not yet been tested enough times to become consistent, applicants who rely on confusion, urgency, or weak explanations tend to notice.
That does not mean early customers are usually criminals. That would be too broad. A more realistic point is that newly launched firms can attract a higher share of weak-fit or higher-risk applicants because their controls are still taking shape in practice.
The same issue can come back later, too. An existing MSB can face the same kind of exposure when it launches a new product or starts serving a different type of customer.
AMLI Analysis: One of the first real compliance tests for a new MSB is often the first group of applicants who want to see how much the business will actually question.
What Counts as an MSB in Canada?
In Canada, an MSB generally includes businesses involved in foreign exchange, remittance or funds transmission, money orders or similar instruments, virtual currency, and other in-scope services described by FINTRAC.
This matters because some founders move quickly into onboarding and growth without fully appreciating how early AML obligations begin once the business falls within scope.
Legal requirement: If the business qualifies as an MSB, registration and ongoing compliance obligations apply.
Operational expectation: Before onboarding customers at scale, the business should confirm whether its products, services, and transaction flows place it within MSB scope in Canada. A useful starting point is FINTRAC’s MSB guidance and its “Check to see if you need to register” tool.
AMLI Analysis: Many early-stage compliance problems start with sequencing. The business begins building the customer funnel before it has fully built the controls around it.
Registration Does Not Mean the Business Is Ready
Registration gets the business into the market. It does not prove the onboarding process can hold up under pressure.
FINTRAC says all reporting entities must establish and implement a compliance program. That includes a compliance officer, written policies and procedures, a documented risk assessment, an ongoing training program, and a review of program effectiveness at least every two years. FINTRAC also says the compliance program forms the basis for meeting reporting, recordkeeping, client identification, and other know-your-client requirements.
This is where many new firms overestimate their readiness.
They may have policy documents, onboarding forms, and a vendor stack in place, but still lack clear escalation, meaningful challenge, or reliable documentation when something feels off.
Legal requirement: The compliance program must exist and be implemented.
Operational expectation: The program should lead to consistent decisions across onboarding, monitoring, reporting, and recordkeeping.
AMLI Analysis: A firm may be ready to operate from a registration perspective while still being unprepared from an onboarding perspective.
Why Higher-Risk Applicants Often Focus on New Firms
More mature firms often are harder to test. Their teams usually have better instincts, clearer thresholds, and more confidence in challenging weak explanations. They also have a stronger sense of what normal customer behaviour looks like.
A new firm usually has less of that. It may still be figuring out how much friction to apply, who can approve an exception, when a case should be escalated, and what a strong file note actually looks like. Applicants who rely on confusion, urgency, or inconsistency tend to notice those gaps quickly.
That is why the real issue is not simply “being new.” The issue is what often comes with it: limited baseline data, commercial pressure, and standards that are still being learned in real time.
AMLI Analysis: A new MSB becomes easier to test when the business is moving faster than its controls.
Higher-Risk Applicants Do Not All Look the Same
It is better to be specific than to rely on one broad label.
In practice, higher-risk applicants may include fraudsters, money mules, deceptive applicants, sanctions-related concealment risk, and clients whose expected activity raises money laundering concerns.
These are not all the same. The warning signs, escalation path, and monitoring response may differ depending on the type of risk.
AMLI Analysis: Weakly defined risk categories often lead to weak decisions. Precision improves challenge, escalation, and documentation.
Why Registration Does Not Mean Onboarding Is Ready
One of the easiest mistakes to make in early-stage compliance is to assume that once registration is complete, onboarding is ready.
It is not.
A registered MSB still needs practical answers to questions like:
-
Which customer types carry the highest onboarding risk?
-
Which geographies and corridors need enhanced scrutiny?
-
Which products or flows are easiest to misuse?
-
Which indicators should lead to escalation or refusal?
-
Who is allowed to approve a higher-risk applicant?
-
What happens when suspicious activity is attempted but not completed?
Legal requirement: The business must implement a compliance program that supports its reporting, recordkeeping, client identification, and related obligations.
Operational expectation: Those obligations should be visible in actual workflows, not just in policy documents.
AMLI Analysis: Many new firms have compliance language. Far fewer have a compliance process people can use consistently in real situations.
Early Onboarding Red Flags
Suspicious applicants do not always look dramatic. More often, they look rushed, evasive, inconsistent, or commercially unconvincing.
FINTRAC’s MSB guidance points out that money laundering and terrorist financing indicators are potential red flags. These may create suspicion or point to something unusual when there is no reasonable explanation. It also notes that these indicators often come from facts, behaviours, patterns, or circumstances that do not line up with what would normally be expected. See FINTRAC’s MSB indicators guidance.
Identity and profile red flags |
|
| Behavioural red flags |
|
Transaction-intent red flags |
|
Business and ownership red flags |
|
Red flags are not proof of wrongdoing. They are signs that should lead to deeper review, stronger documentation, and, where needed, enhanced measures or suspicion assessment.
AMLI Analysis: New MSBs often do notice the red flag. The real problem is that they do not always know what to do next.
AMLI helps review your onboarding controls, escalation thresholds, and documentation standards before weak-fit demand turns into a larger compliance problem.
Not Every Unusual File Is Suspicious
This distinction matters.
An awkward, incomplete, or unusual file does not automatically become reportable suspicion. The real question is whether the explanation makes sense. Does the story hold together once more information is requested? Does the behaviour fit the stated purpose? Does the applicant respond in a way that clears up the inconsistency, or makes it worse?
FINTRAC says the threshold for filing an STR is reasonable grounds to suspect, and that an STR must be filed when a financial transaction occurs, or is attempted, and there are reasonable grounds to suspect it is related to the commission or attempted commission of a money laundering or terrorist activity financing offence.
Operational expectation: Higher-risk indicators should trigger review, not automatic rejection.
Attempted Abuse Matters Too
Many early-stage programs focus too heavily on completed activity and not enough on attempted abuse.
That is a mistake.
Higher-risk applicants may use onboarding itself as a testing ground. They may not even want a long-term relationship. They may simply want to see:
-
what your team checks
-
what it overlooks
-
how beneficial ownership is handled
-
whether contradictory information matters
-
which staff are easier to persuade
-
how much pressure is needed to get an exception
Legal requirement: Attempted suspicious activity can still create reporting obligations where the threshold of reasonable grounds to suspect is met. See FINTRAC’s STR guidance.
Operational expectation: New MSBs should record and review attempted abuse patterns, especially where a file shows deception, contradiction, unusual urgency, or suspicious intent.
AMLI Analysis: Some of the most useful early intelligence comes from the customers the business does not onboard.
Business Clients Create a Different Kind of Risk
Business applicants often create some of the most difficult early-stage onboarding decisions.
A company can look commercially attractive while still being hard to understand. That is especially true where ownership is layered, activity is vague, the source of funds is weakly explained, or the applicant wants rapid access to higher-value or cross-border capability.
Higher-risk business-client patterns often include:
-
newly incorporated entities with little visible operating footprint
-
unclear explanation of who really controls the business
-
ownership structures that create unnecessary opacity
-
promised volume that does not match commercial reality
-
foreign links that are relevant but poorly explained
-
source-of-funds claims that do not fit the stated business model
FINTRAC’s beneficial ownership guidance says reporting entities must obtain beneficial ownership information and confirm its accuracy when required. Its ongoing monitoring guidance also says monitoring is used to keep client identification information, beneficial ownership information, and the purpose and intended nature of the business relationship up to date, reassess risk, and determine whether activity is consistent with what is known about the client.
Operational expectation: The business should assess whether the ownership story, use case, and commercial rationale make sense together.
AMLI Analysis: Weak onboarding can let opaque business clients through because the commercial opportunity is easier to see than the underlying risk.
Source of Funds Is Often Collected, But Not Really Tested
This is one of the most common weaknesses in early onboarding.
A client may provide a document or an explanation, but that does not automatically resolve the issue. The real question is whether the explanation is coherent in light of:
-
the client profile
-
the stated purpose of the relationship
-
the expected transaction pattern
-
the size and speed of the anticipated activity
-
the broader commercial logic of the client’s story
In higher-risk files, source of funds may also need to be considered alongside broader source-of-wealth context.
Operational expectation: Source-of-funds review should not stop at collection. It should assess plausibility and consistency.
AMLI Analysis: A document can look sufficient on paper while still failing to explain the real risk.
What Should Happen After a Red Flag Appears?
This is where many programs break down.
The issue is not only spotting the red flag. It is knowing what happens next.
A practical response path may include:
-
requesting more information or documents
-
escalating the case for enhanced review
-
applying stronger source-of-funds or ownership challenge
-
declining the onboarding request
-
approving with conditions
-
increasing monitoring if the customer is onboarded
-
assessing whether suspicious transaction reporting is required
Where onboarding decisions are escalated, approval authority, review responsibility, and monitoring ownership should be clearly assigned.
Operational expectation: Staff should not have to improvise the response to a known risk indicator.
AMLI Analysis: A red flag without a response framework is just an observation.
Refusal Records Matter More Than Many Firms Realise
When a new MSB declines a client, the file should not just disappear.
Refusal records are useful because they show:
-
what indicators were identified
-
why onboarding was declined
-
whether repeated or modified attempts followed
-
whether suspicion was considered
-
whether the case exposed a gap in policy, training, or escalation logic
Operational expectation: Refusal decisions should be documented clearly enough to support future review, pattern recognition, and control improvement.
Monitoring Starts Earlier Than Many Teams Think
Some firms treat monitoring as something that matters only after the client becomes active and produces meaningful volume.
That is too late.
A customer who passes onboarding can still become high-risk quickly if actual behaviour differs from the original explanation.
FINTRAC says ongoing monitoring is a process reporting entities must develop and use for clients with whom they have a business relationship. It is used to detect suspicious transactions, keep client and beneficial ownership information up to date, reassess risk, and determine whether transactions or activities are consistent with what is known about the client. Related business relationship guidance explains when those obligations begin.
Legal requirement: Ongoing monitoring applies once the business relationship criteria are met.
Operational expectation: The business should define when monitoring starts, what triggers reassessment, and who reviews early-stage changes.
AMLI Analysis: New MSBs often treat monitoring as a later-stage scaling issue. In reality, it is one of the earliest verification tools they have.
What Weak Onboarding Usually Looks Like
Weak onboarding often looks reasonable in the moment, which is why it can become part of the process so easily.
Common examples include:
-
collecting enough information to open the relationship, but not enough to understand it
-
verifying identity without properly testing the narrative
-
having no written threshold for enhanced review
-
allowing commercial pressure to soften challenge
-
approving higher-risk applicants without clear rationale
-
failing to document what concerns were identified and how they were resolved
-
spreading duties so widely that no one clearly owns the decision
A Practical Example
Consider a newly launched MSB that receives an application from a business customer seeking urgent access to cross-border payment capability.
The file shows:
-
a recently formed company
-
a layered ownership structure
-
vague commercial activity
-
weak source-of-funds explanation
-
expected transaction volumes that seem high relative to the business story
None of these facts alone proves misconduct. But taken together, they should make the MSB pause before approving, ask for more information about ownership and source of funds, escalate the case for closer review, document the reasons for its decision, and assess whether the proposed activity raises reporting concerns.
This is how early abuse risk usually appears.
What Evidence a New MSB Should Keep
A strong compliance program is not only about identifying risk. It is about being able to show what happened when risk was identified.
For higher-risk onboarding cases, a new MSB should be able to produce:
-
the indicators identified
-
what further information was requested
-
who reviewed the case
-
what decision was made
-
why that decision was justified
-
whether conditions were applied
-
whether suspicion was considered
-
what follow-up monitoring was required
FINTRAC’s assessment material explains that examinations assess whether businesses have implemented and maintained a compliance program that adequately meets legal requirements. See FINTRAC’s compliance program requirements and broader obligations and guidance.
Operational expectation: These cases should be reviewable later without relying on memory or informal chat history.
AMLI Analysis: In compliance, undocumented reasoning is fragile reasoning.
A Practical Early-Abuse Playbook
A new MSB does not need a perfect control environment on day one. But it does need a disciplined baseline.
A practical starting point includes:
-
defining higher-risk onboarding scenarios before launch
-
creating separate review logic for individuals and business clients
-
documenting red-flag escalation triggers
-
strengthening beneficial ownership and source-of-funds challenge where needed
-
treating attempted abuse as intelligence
-
reviewing the first customer cohort more closely than normal
-
using a simple decision log for escalated cases
-
assigning clear owners for approval, escalation, and monitoring
-
training frontline staff using realistic onboarding examples
-
reviewing red-flag thresholds and escalation rules as customer mix, corridors, products, and abuse patterns evolve
Getting Support
AML Incubator supports MSBs through:
-
beneficial ownership and source-of-funds challenge design (Related blog)
AMLI can help review whether your onboarding controls are truly defensible, whether your escalation framework is clear enough for frontline and compliance teams to use consistently, and whether your evidence standards will hold up once volumes grow and edge cases become more frequent.
Book a free consultation to review onboarding risk, escalation gaps, and what a maintainable AML operating model should look like for your MSB.
