ARTICLE
14 July 2026

Common FINTRAC Deficiencies: What Reporting Entities Should Avoid

MT
McCarthy Tétrault LLP

Contributor

McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in New York City, US and London, UK.
FINTRAC's 2026 Industry Day webinar revealed critical compliance deficiencies across Canada's AML/ATF framework, highlighting gaps in risk assessment, ongoing monitoring, training programs, and effectiveness reviews. The presentation emphasized that reporting entities must demonstrate not only that compliance controls exist on paper, but that they are current, consistently applied, risk-based, appropriately documented, and tested in practice. These observations carry significant implications for financial i
Canada Corporate/Commercial Law
TechLex Blog’s articles from McCarthy Tétrault LLP are most popular:
  • with Finance and Tax Executives
  • in United States
  • with readers working within the Banking & Credit and Business & Consumer Services industries

The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) recently hosted its 2026 Industry Day webinar, which included a discussion of commonly observed compliance deficiencies. Although FINTRAC did not announce new legal or regulatory requirements for reporting entities, the presentation provided useful insight into how FINTRAC may expect reporting entities to operationalize their existing obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated regulations, as well as areas that may continue to receive supervisory attention during future compliance examinations.

A common theme throughout the presentation was that FINTRAC is focused not only on whether AML/ATF program components exist on paper, but on whether compliance controls are current, consistently applied, risk-based, appropriately documented, and tested in practice.

Several of the deficiencies identified by FINTRAC also point to broader governance and oversight considerations, including the need to keep compliance programs current and remediate identified deficiencies in a timely manner.

Key Takeaways

  • Risk Assessment:Reporting entities should ensure that their documented risk assessments are thorough and kept up to date. Failure to identify and assess a business’s inherent and residual risks can lead to non-compliance in other AML/ATF areas, including enhanced due diligence, ongoing monitoring and suspicious transaction reporting.
  • Ongoing Monitoring:Although reporting entities have discretion to determine what review frequencies, timelines and trigger events for ad hoc reviews are appropriate for their business, these decisions should be anchored to their AML/ATF risk assessment and followed consistently. Decisions made in the course of ongoing monitoring should be clearly documented to help demonstrate to FINTRAC that risk-based decisions are reasonable, justified and consistently applied.
  • Training:Generic AML/ATF training materials and programs are unlikely to be sufficient to meet FINTRAC expectations or support a risk-based approach. Training should, at minimum, reflect the sector of the business and the roles and responsibilities of the personnel receiving the training.
  • Policies and Procedures:Since 2024, amendments to the PCMLTFA have introduced sanctions evasion-related obligations into the AML/ATF framework applicable to reporting entities. For some reporting entities, these changes represent a relatively new area of compliance and require careful consideration of how sanctions evasion-related risks should be addressed within their AML/ATF program.
  • Two-Year Effectiveness Review: The purpose of a two-year effectiveness review is not simply to confirm that elements of an AML/ATF compliance program required by regulations exist. Instead, the review should gather sufficient evidence to determine whether key compliance controls remain fit for purpose and aligned with the business’s current risk profile.
  • Governance and Oversight:FINTRAC’s observations reinforce the importance of applying compliance controls consistently, documenting the rationale for compliance decisions, keeping AML/ATF programs current and ensuring that identified deficiencies are remediated in a timely manner.

Common Deficiencies

FINTRAC identified common deficiencies across regulated sectors in the following categories of obligations: (1) risk assessment, (2) ongoing monitoring, (3) training, (4) policies and procedures, and (5) the two-year effectiveness review. We summarize below the key categories of deficiencies identified by FINTRAC and the related practical implications for reporting entities.

Risk Assessment

A reporting entity’s risk assessment informs the types and level of controls and processes it must implement to comply with the PCMLTFA, its associated regulations and FINTRAC expectations. This requires the reporting entity to demonstrate clearly that it understands its business, its sector, the AML/ATF risks associated with its activities, and the controls implemented to mitigate those risks.

FINTRAC noted the following recurring deficiencies related to risk assessment compliance:

  • risk assessment methodology being applied inconsistently;
  • risk ratings that are not reflected in the client’s overall risk rating rankings, and risk ratings that do not result in commensurate controls being applied;
  • failure to identify key risk factors of the business or failure to fully explain identified risk factors;
  • insufficient documentation of controls and weak linkage between controls and identified risks;
  • lack of clarity regarding business structures;
  • outdated policies and procedures that do not reflect current FINTRAC publications and guidance (including documenting the distinction between inherent risk and residual risk);
  • failure to incorporate new and emerging indicators into client monitoring; and
  • insufficient linkage between identified risks, implemented controls and resulting outcomes.

An unclear or incomplete risk assessment can lead to non-compliance in other AML/ATF areas. For example, if a product or service creates an inherent risk that is not identified in the risk assessment, that activity may not be subject to appropriate enhanced due diligence or ongoing monitoring, which could increase the risk that suspicious transaction activity is not identified.

A strong risk assessment properly reflects and considers all of the business’s activities that may contribute to its money laundering, terrorist financing and sanctions evasion exposure. In other words, a business should ensure that its risk assessment reflects and considers all of its products, services, delivery channels and relationships, including clients or customers and business partners, and is regularly updated to reflect changes to the business, particularly where new technologies or innovations are introduced before they have been tested within the AML/ATF framework.

Ongoing Monitoring

FINTRAC noted the following common deficiencies relating to ongoing monitoring:

  • insufficiently frequent reviews;
  • limited enhanced due diligence refreshes;
  • poor communication between teams responsible for automated and manual monitoring;
  • reviews conducted at an overly high level;
  • inconsistent review frequencies;
  • limited or inconsistent monitoring of trigger events;
  • insufficient audit trails;
  • documentation that relies heavily on standardized templates without adequately supporting investigative conclusions;
  • gaps between investigative analysis and documented outcomes;
  • transaction monitoring backlogs;
  • ineffective periodic client reviews; and
  • inadequate prioritization of higher-risk alerts and investigations.

Although a risk-based approach gives reporting entities flexibility to determine review frequencies, timelines and trigger events for ad hoc reviews, these decisions should be anchored to the business’s documented AML/ATF risk assessment (discussed in 1 above) and followed consistently, whether the business monitors manually, uses automated tools or uses a combination of both. This applies equally to client relationship monitoring, transaction reviews and audits of the processes themselves.

Reporting entities should also document the rationale for decisions made during investigations, reviews and monitoring activities. Clear documentation helps demonstrate to FINTRAC that risk-based decisions are reasonable, justified and consistently applied.

(Specialized) Training Program and Plan

FINTRAC noted the following common deficiencies relating to specialized training programs:

  • training that was generic rather than tailored to the reporting entity’s business, products or services;
  • outdated or overly general training materials;
  • insufficient assessment of employee understanding; and
  • gaps in tracking and documenting completion of required training.

The PCMLTFA regulations require a reporting entity to develop and maintain a written, ongoing compliance training program for its employees, agents and anyone else authorized to act on its behalf. FINTRAC’s observations suggest that training should be risk-based and tailored to the elements of the business’s documented risk assessment that are relevant to the day-to-day responsibilities of employees, agents and other personnel.

Policies and Procedures

FINTRAC identified the following common deficiencies relating to policies and procedures:

  • outdated sanctions indicators and typologies;
  • sanctions indicators that were unclear or applied inconsistently;
  • inconsistent or unclear documentation;
  • incomplete or unclear guidance regarding reporting obligations;
  • outdated sanctions and Listed Person or Entity Property Report guidance;
  • insufficient guidance regarding what information should be documented and how it should be documented;
  • unclear suspicious transaction reporting thresholds;
  • outdated or incomplete money laundering, sanctions evasion and fraud indicators; and
  • insufficient guidance regarding escalation procedures and suspicious transaction reporting obligations.

Beginning in mid-2024, significant amendments to the PCMLTFA introduced sanctions evasion offences into Canada’s AML/ATF framework. These amendments introduced sanctions evasion-related obligations into the AML/ATF framework applicable to reporting entities. Firms in certain sectors, particularly those that are not traditionally in the import/export business, may historically have had limited or no direct exposure to Canada’s economic sanctions requirements. Reporting entities should familiarize themselves with the United Nations Act, the Special Economic Measures Act and the Justice for Victims of Corruption Foreign Officials Act (Sergei Magnitsky Law) when considering how sanctions evasion-related risks should be addressed in their AML/ATF program.

For additional discussion of sanctions-related reporting obligations, see our previous posts:

Two-Year Effectiveness Review

FINTRAC identified the following common deficiencies relating to the two-year effectiveness review requirement:

  • limited evidence demonstrating the outcomes of effectiveness testing;
  • incomplete or insufficient testing results;
  • outdated risk coverage frameworks;
  • inconsistent or ineffective remediation practices;
  • testing that focused primarily on the existence of controls rather than their effectiveness;
  • scenario validation that was limited or insufficiently risk-based;
  • sample sizes that were too small or incomplete; and
  • incomplete end-to-end testing.

These deficiencies underscore that the purpose of the two-year effectiveness review is not simply to verify that the required elements of an AML/ATF compliance program exist. Instead, the review should collect sufficient information and evidence to support a meaningful assessment of whether the program is operating effectively in practice and achieving its objectives.

A well-designed effectiveness review provides the reporting entity with assurance that its key compliance controls remain effective and continue to be appropriate for the nature, size and risk profile of the business. The review methodology should evolve with the business, taking into account changes to its operations, emerging financial crime risks and typologies in its sector, and FINTRAC’s latest guidance.

What FINTRAC's Observations Mean for Reporting Entities

FINTRAC’s observations reinforce that reporting entities should be able to demonstrate not only that required AML/ATF compliance program components exist, but that controls are current, risk-based, consistently applied, appropriately documented and tested in practice.

To view the original article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More