FINTRAC audit: what to expect and how to prepare

Types of examinations

FINTRAC conducts two types of examinations. Desk examinations are conducted remotely: FINTRAC requests specific documents, records, and policies, and you submit them electronically. The examiner reviews everything off-site. On-site examinations involve FINTRAC examiners visiting your place of business, interviewing staff, reviewing physical and digital records, and observing your operations firsthand. On-site exams are more comprehensive and typically reserved for higher-risk entities or situations where a desk examination has surfaced concerns. Either way, the scope is the same: does your compliance program work, and are you meeting your obligations?

How you get selected

FINTRAC uses a risk-based approach to select entities for examination. Factors include the type and volume of transactions you process, the geographies you serve, the products you offer (virtual currency dealers get extra attention), and your reporting history. A sudden spike or unexplained drop in suspicious transaction reports can trigger scrutiny. Newly registered MSBs are also commonly examined within their first two years. But random selection happens too. You don't need to do anything wrong to be examined. It's part of being a regulated entity.

1. Your compliance program

This is the foundation. FINTRAC will ask for your written compliance policies and procedures, your risk assessment, your training program records, and evidence that you conduct a two-year effectiveness review. They want to see that your CAMLO (Chief Anti-Money Laundering Officer) is named, qualified, and actively overseeing the program. A binder full of generic policies downloaded from the internet will not pass. Examiners look for specificity: do your policies reflect your actual business model, your actual products, your actual risk profile? If you run a crypto exchange and your compliance manual talks about wire transfers and cheque cashing, that's an immediate red flag.

2. Know your client (KYC) records

Examiners will pull a sample of client files and check whether you've properly identified your clients, verified their identity using acceptable methods, and conducted ongoing monitoring. They check whether you've screened clients against sanctions lists and determined if any are politically exposed persons (PEPs) or heads of international organizations (HIOs). For business clients, they verify that you've identified beneficial owners. Every gap in a client file is a finding. If you have 500 clients and 30% of your files are missing a required document, that's a systemic issue, not a paperwork glitch.

3. Transaction reporting

FINTRAC will verify that you're filing the right reports, on time, and with complete information. This includes suspicious transaction reports (STRs), large cash transaction reports (LCTRs), electronic funds transfer reports (EFTRs), and terrorist property reports. They don't just check that you filed reports. They check whether you should have filed reports that you didn't. If your transaction monitoring shows patterns that should have triggered an STR but no report exists, that's a serious deficiency. Late filings, incomplete filings, and failure to file are among the most common examination findings.

4. Record keeping

Under the PCMLTFA, you must keep prescribed records for at least five years. This includes transaction records, client identification records, large cash transaction records, and copies of reports filed with FINTRAC. Examiners will check that your records are complete, organized, and retrievable. If you can't produce a record within a reasonable time, it's treated as if the record doesn't exist. Digital systems are fine, but they need to be organized, backed up, and accessible. A shoebox of printed receipts is not a record-keeping system.

5. Risk assessment

Your risk assessment must identify and document the money laundering and terrorist financing risks inherent in your business. It should cover your products, services, delivery channels, client types, and geographic exposure. Examiners will check whether your risk assessment is current, whether it reflects your actual business, and whether the mitigating measures you've described are actually in place. A risk assessment that says "we serve low-risk domestic clients only" when you actually process international crypto transactions will not hold up.

Conduct a self-assessment

Before FINTRAC examines you, examine yourself. Pull a random sample of client files and check them against your own policies. Are identification documents present? Are beneficial owners recorded? Are PEP/HIO checks documented? Run through your transaction records for the past 12 months and verify that reportable transactions were actually reported. Check your STR filing log against your transaction monitoring alerts. If you find gaps, fix them now. Identifying and remediating issues before an examination is a sign of a mature compliance program. Discovering them for the first time when an examiner points them out is not.

Update your compliance program documentation

Make sure your policies and procedures reflect your current business. If you've added new products, entered new markets, or changed your business model since your last review, your compliance program needs to reflect that. Verify that your risk assessment is current and comprehensive. Confirm that your CAMLO designation is up to date and that training records show all staff have been trained within the required period. Check that your two-year effectiveness review has been conducted on schedule and that findings have been documented and addressed.

Organize your records

Examiners will request specific records, and they expect to receive them promptly. If your records are scattered across multiple systems, email inboxes, and filing cabinets, you'll spend the examination scrambling to find documents instead of demonstrating your compliance. Create a central index of where records are stored. Make sure your client identification records, transaction records, training logs, STR filings, and compliance program documents are all accessible. If you use digital systems, ensure the examiner can view what they need without needing your proprietary software.

Brief your team

If the examination is on-site, FINTRAC examiners may interview your staff. They'll ask frontline employees about their understanding of compliance policies, how they identify clients, what they do when they spot a suspicious transaction, and how they escalate concerns. Your team doesn't need to be compliance lawyers, but they need to understand the basics. If an employee says "I don't know what our AML policy is" or "I've never heard of an STR," that reflects directly on your training program. A brief refresher session before an examination can make a meaningful difference.

The opening meeting

On-site examinations begin with an opening meeting where the examiner explains the scope, the timeline, and what they need from you. This is your opportunity to provide context about your business, describe your compliance program, and ask questions. Be cooperative and transparent. The examiner is not your adversary. Being defensive, evasive, or obstructive will only make things harder. The tone you set in this meeting shapes the entire examination.

Document review and interviews

The bulk of the examination involves document review. The examiner will go through your compliance program, pull client files, review transaction records, and check your reporting logs. They may ask your CAMLO to walk them through specific processes. They may interview other staff. They'll take notes and may request additional documents as they go. An on-site examination typically lasts one to three days, depending on the size and complexity of your business. Desk examinations can take several weeks from initial request to final results, as there's back-and-forth correspondence.

The closing meeting

At the end of an on-site examination, there's typically a closing meeting where the examiner shares preliminary findings. These are not final. The formal results come later in a written report. But the closing meeting gives you an early indication of any deficiencies found and an opportunity to provide additional context or clarification. If the examiner mentions findings, listen carefully, take notes, and ask what specific remediation they expect. This is not the time to argue. It's the time to understand.

No deficiencies

This is the best outcome. Your compliance program meets all requirements, your records are in order, and your reporting is current. This is rare for a first examination but achievable. It shows regulators that you take your obligations seriously and positions you well for future interactions, including with banking partners who may ask about your examination history.

Deficiencies with an action plan

The most common outcome. FINTRAC identifies specific deficiencies and gives you a timeframe to remediate them. You'll need to submit an action plan explaining how and when you'll fix each issue. FINTRAC may conduct a follow-up examination to verify that you've addressed the findings. The key here is to take every finding seriously. An action plan that says "we'll try to do better" is not acceptable. FINTRAC expects specific, measurable remediation steps with clear timelines.

Administrative monetary penalties (AMPs)

For serious or repeated violations, FINTRAC can impose administrative monetary penalties. These can be substantial: up to $500,000 per violation for individuals and up to $1,000,000 per violation for entities. Penalties are calculated based on the nature and severity of the violation, the entity's compliance history, and whether the entity cooperated during the examination. AMPs are published on FINTRAC's website, which means your clients, partners, and competitors can see them. The reputational damage often exceeds the financial cost of the penalty itself.

Criminal referral

In extreme cases involving willful non-compliance, obstruction, or evidence of money laundering, FINTRAC can refer the matter to law enforcement for criminal investigation. This is rare in the context of compliance examinations, but it happens. Deliberately destroying records, lying to examiners, or operating without registration are the types of conduct that can trigger criminal referral.

Incomplete client identification records. Missing government-issued ID copies, unverified beneficial owners, no PEP/HIO screening documentation. This is the single most common finding across all MSB examinations.

Failure to file suspicious transaction reports. Either the MSB has no transaction monitoring process, or the process exists but staff don't know how to use it. Transactions that should have been reported weren't.

Generic compliance program. Policies that don't reflect the actual business model. A risk assessment that was written once and never updated. No evidence of a two-year effectiveness review.

Inadequate training. No records of staff training, or training that hasn't been updated to reflect regulatory changes or new products.

Late or incomplete report filings. STRs filed weeks after the triggering event. LCTRs with missing fields. EFTRs with incorrect beneficiary information.

No ongoing monitoring. Clients identified at onboarding but never reviewed again. No process for detecting changes in transaction patterns or risk profiles.

Not sure if your compliance program will survive an examination?

We help MSBs prepare for FINTRAC examinations. From compliance program gap assessments and self-audit walkthroughs to full remediation of deficiencies, we cover the entire process. If you've received an examination notice or want to be ready before one arrives, we can help.

Book a free 30-minute consultation to review your compliance readiness and identify the gaps that matter most.