About usServicesOur clientsAMLI LabsTrainingsBlogContact
Login
About us
Services
Our clients
AMLI Labs
Trainings
Blog
Login
Contact

16.12.25

Written by Haik Kazarian, Head of Business Development
Reviewed by Tigran Rostomyan, Compliance Expert

The 5 Pillars of a Compliant MSB in Canada

For Canadian Money Services Businesses, compliance is not assessed by reviewing individual reports in isolation. FINTRAC examinations are structured around whether an MSB has a complete and functioning compliance framework that meets the requirements of Canadian AML law under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

Five orange Greek style pillars on a dark background, each labeled CAMLO, WCP, RISK, TRAINING, and AUDIT, representing the core pillars of MSB AML compliance under FINTRAC.

For FINTRAC purposes, an MSB is a business engaged in money services activities as defined under the PCMLTFA, including foreign exchange, money transfers, dealing in virtual currency, and certain payment activities.

When deficiencies are issued, they almost always map back to weaknesses in a small number of core compliance pillars. Understanding these pillars is essential for building a defensible MSB compliance program in Canada and for avoiding remediation orders, unfavorable compliance ratings, or administrative monetary penalties.

Pillar 1 – Governance and Compliance Leadership

Every MSB is required to appoint a Compliance Officer, commonly referred to as a CAMLO, who is responsible for the design, implementation, and oversight of the AML compliance program.

FINTRAC requires that the Compliance Officer have sufficient authority, independence, and access to information to perform this role effectively. In practice, this includes the ability to escalate issues, influence operational decisions, and ensure corrective actions are implemented across the organization.

During a FINTRAC examination, this pillar is typically assessed through interviews, organizational charts, documented decision making, and evidence of senior management involvement. Regulators look for clear accountability and confirmation that compliance decisions are actively enforced, not merely documented.

Common deficiencies include assigning the role to staff without adequate AML expertise, limiting authority over operations, or treating compliance as an administrative task rather than a control function. Weak governance frequently undermines the effectiveness of all other pillars.

See CAMLO services.

Pillar 2 – Risk-Based Approach and Risk Assessment

FINTRAC requires MSBs to apply a documented risk-based approach that reflects the nature, size, and complexity of their business. This begins with a business wide risk assessment covering customer types, products and services, delivery channels, geographies, and transaction behavior.

The risk assessment must do more than identify risks. It must directly inform internal controls, monitoring thresholds, due diligence measures, and escalation procedures.

During examinations, FINTRAC typically reviews the risk assessment alongside transaction data and operational workflows to confirm alignment. Regulators also assess whether the assessment has been updated following business changes, new products, or shifts in geographic exposure.

A frequent deficiency is reliance on generic or outdated risk assessments that do not influence day-to-day decisions. While annual reviews are considered best practice, updates are required whenever there is a material change in the business.

Consulting services

Pillar 3 – Policies, Procedures, and Internal Controls

MSBs are required to maintain written AML policies and procedures that accurately reflect how the business complies with its obligations under the PCMLTFA. These documents form the operational backbone of the compliance program.

Internal controls include transaction monitoring, reporting, and recordkeeping processes. This covers Suspicious Transaction Reports, Large Cash Transaction Reports, Electronic Funds Transfer Reports, and applicable virtual currency reporting, along with the documentation supporting reporting decisions.

During FINTRAC examinations, regulators assess not only whether reports were filed, but how decisions were made. This includes reviewing alerts, escalation records, narratives, and retention practices. Weak rationales, missing records, or unclear workflows often result in findings even when reporting volumes appear adequate.

Generic policy templates are a common source of deficiencies, particularly when they describe processes the MSB does not actually use.

Pillar 4 – Ongoing AML Training

FINTRAC requires MSBs to provide ongoing AML training to employees whose roles are relevant to compliance. Training must be role appropriate and aligned with the MSB’s specific risk profile.

Initial onboarding training alone is not sufficient. Staff must receive periodic training that reflects regulatory updates, changes in internal controls, and emerging risks.

During examinations, FINTRAC often interviews staff to assess their understanding of reporting triggers and escalation procedures. Training records, attendance logs, and training materials are commonly requested as evidence.

A common deficiency is treating training as a checkbox exercise. If training cannot be evidenced, regulators treat this pillar as ineffective regardless of policy quality.

Get training here

Pillar 5 – Independent Effectiveness Review (Audit)

FINTRAC requires MSBs to conduct an independent effectiveness review of their AML compliance program at least once every two years. The review must be independent of the program’s day to day operation.

The review should assess governance, risk assessment, internal controls, training, and remediation efforts. Superficial reviews that simply confirm the existence of documents are frequently cited as inadequate.

During examinations, FINTRAC evaluates both the scope of prior reviews and how identified deficiencies were addressed. Failure to track remediation or demonstrate corrective action can lead to escalated enforcement outcomes.

What's an effectiveness review?

Why Documentation Matters Across All Five Pillars

A recurring theme in FINTRAC examinations is documentation. MSBs may perform required activities but fail to retain sufficient evidence. Policies, risk assessments, training, monitoring decisions, and audit remediation must all be documented, current, and retrievable.

From a regulatory perspective, undocumented controls are treated as if they do not exist.

Conclusion

A compliant MSB relies on five interconnected pillars:

  • Governance and Compliance Leadership with clear authority and accountability

  • A Risk Based Approach that drives operational controls

  • Policies, Procedures, and Internal Controls that function in practice

  • Ongoing AML Training that ensures staff competence

  • Independent Effectiveness Reviews that identify and correct weaknesses

Each pillar is assessed independently during a FINTRAC examination, but failure in one weakens the entire framework. Many MSBs, particularly early stage, crypto focused, or cross border businesses, operationalize these requirements through a combination of internal ownership and external support.

Viewed as a system rather than isolated obligations, these five pillars provide a practical and defensible foundation for MSB compliance in Canada.

LogoLogo

Quick links

Socials

Contact

© AML Incubator™ 2025 all rights reserved