
Building an AML program that survives a FINTRAC examination.

What examiners actually open first, where most programs fall apart under questioning, and how to write the parts that don't survive a one-line answer.

14 min read · Updated May 2026 · Series: AML programs

A FINTRAC examination is not a test of how thick your AML binder is. It's a test of whether the program written on paper matches the way the business actually operates. Most programs survive the document review. Most programs do not survive the operational walk-through that follows.

What examiners open first

Almost every examination follows the same opening sequence:

  1. The compliance officer appointment. Who is named, when were they appointed, what is their authority, who do they report to.
  2. The risk assessment. The methodology, the date of last review, and whether it actually drives the rest of the program.
  3. The compliance program document. The written policies and procedures, with the date and version control visible.
  4. The training records. Who has been trained, on what, and when.
  5. The two-year independent review. When the last one happened, what it found, and what was done about the findings.

If any one of those five doesn't surface within the first hour, the examination tone shifts. Examiners are not looking for clever programs. They are looking for the basics, in order, current.

Where programs fall apart

The risk assessment that nobody reads

The single most common finding: a risk assessment that exists on paper but does not influence any operational decision. The policies don't reference it. The thresholds don't derive from it. The training doesn't reflect it. Examiners ask one question that breaks the structure: "Walk me through how a change in this risk rating would change your monitoring rules."

If the answer is "we'd review them," the assessment is not driving the program. That's a finding.

Customer due diligence that doesn't match the customers

The CDD policy may describe a careful process. The customer file shows three lines and a screenshot of an ID. The gap between policy and file is the finding — and it's harder to close than re-writing policy, because the gap was operational.

Transaction monitoring with off-the-shelf thresholds

Generic thresholds (over $10,000, structuring patterns, sanctioned-country flows) produce alerts. Whether those alerts are reviewed, escalated, and closed with documented rationale is what examiners test. Alert logs with thousands of open or auto-closed items signal that the monitoring is not being run as a real control.

The compliance officer who's also five other things

Examiners ask the compliance officer to walk through a recent decision. If the officer cannot — because they did not actually make it, or because they made it without the supporting evidence — the program lacks an effective compliance function. Title alone does not satisfy the regulation.

The training that's a slide deck and a sign-in sheet

Training records should show: who attended, what they were trained on, when, and a test or attestation that demonstrates the training was absorbed. A sign-in sheet alone does not establish that the front-line staff actually know the policies.

The parts that don't survive a one-line answer

Examiners often probe four areas with a single follow-up question. Programs without depth fail on the follow-up:

  • Beneficial ownership. "Walk me through how you determined the beneficial owner of this customer." A one-line answer is not enough; expect to show the underlying documents and the analysis.
  • PEPs and HIOs. "What did you do when this PEP screening returned a possible match?" The expectation is a documented review, not a deletion.
  • Suspicious transaction reports. "Why did this alert not become an STR?" The decision not to file is a decision that needs reasoning on the file.
  • Sanctions screening. "Show me a positive hit and how you cleared it." A clean log with zero matches looks unrealistic; examiners expect to see real disposition decisions.

What "examination-ready" looks like

  • The risk assessment is dated within the last 12 months and references current business activities, jurisdictions, and customer types.
  • The compliance program is version-controlled, signed by the compliance officer, and dated.
  • CDD files show the policy applied to the customer in front of you — not the policy in the abstract.
  • Transaction-monitoring rules are calibrated to your business and produce alerts that are actually reviewed and dispositioned.
  • Training records connect named staff to specific training events with attestation.
  • The most recent two-year independent review is on file, with documented action on each finding.
  • STR, LCTR, EFTR, and VCTR filings are timely, traceable, and consistent with what monitoring would expect to surface.

The examination starts before it starts

FINTRAC notifies examination subjects in writing. The window between notification and examination is when most program weaknesses can still be fixed — not by rewriting documents, but by ensuring current operations match what the documents describe. Use the window.

If you're rebuilding

Programs that have been outgrown by the business are best rebuilt in parallel with operations, not as a paper exercise. Sit with the front-line team, watch what they actually do, and write the program around that. A program that captures real operations is durable. A program that describes an idealized operation will fail the next examination — or the one after.
