AML/ATF Compliance — Canada
The Complete Guide for Canadian Reporting Entities
FINTRAC compliance training is a legal requirement for every reporting entity in Canada. Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), all businesses subject to FINTRAC oversight must implement an ongoing compliance training program — not a one-time orientation, but a documented, regularly updated curriculum delivered to every employee with AML/ATF responsibilities.
Critically, that training program must be informed by the organization’s risk assessment. FINTRAC expects training content, frequency, and role targeting to reflect the specific risks identified in your business-wide risk assessment — not simply a generic overview of AML/ATF topics. This is one of the most frequently cited deficiencies in FINTRAC compliance examinations.
This guide explains exactly what FINTRAC requires, who must comply, what your training program must cover, and how to build a program that passes examination.
The PCMLTFA applies to a broad range of businesses that FINTRAC classifies as reporting entities (REs). If your organization falls into any of the following categories, a FINTRAC-compliant training program is mandatory:
A note on payment service providers (PSPs): PSPs regulated under the Retail Payment Activities Act (RPAA) are supervised by the Bank of Canada for retail payment risk management and funds safeguarding. RPAA regulation does not automatically create PCMLTFA obligations. PSPs that also conduct money transfer, foreign exchange, or virtual currency activities are required to register with FINTRAC as MSBs and are subject to the full PCMLTFA compliance program requirements, including training. PSPs that do not engage in those activities are not independently subject to FINTRAC’s reporting entity requirements.
Each sector has tailored guidance published by FINTRAC, but the training obligation applies across all reporting entity categories without exception.
FINTRAC’s compliance program requirements (formerly Guideline 4) specify that every reporting entity must build a compliance program on five pillars:
Training sits at Pillar 4 — and FINTRAC examiners evaluate it directly. During a compliance examination, examiners request training records, curriculum content, delivery logs, and assessment results. A policy document emailed once a year does not satisfy FINTRAC’s expectations.
FINTRAC does not prescribe a specific course format or minimum number of hours. What it does require is a program that is adequate, risk-sensitive, documented, and ongoing. Based on FINTRAC’s published compliance program guidance and examination methodology, a compliant program must address all of the following.
Training must be tailored to each employee’s actual responsibilities. Frontline staff who accept cash need to understand Large Cash Transaction Reporting thresholds and how to recognize structured transactions. Compliance officers need in-depth knowledge of reporting obligations, risk assessment methodology, and program governance. Senior management needs to understand the organization’s risk appetite and its accountability under the PCMLTFA. The compliance officer is not exempt — FINTRAC guidance explicitly requires that the compliance officer also receive ongoing training appropriate to their role.
Generic training that treats all employees as identical will not satisfy FINTRAC’s risk-based approach.
At a minimum, all relevant staff must understand:
FINTRAC explicitly requires training to be ongoing. Training must be refreshed when:
Annual training is a common baseline practice, but it is not sufficient on its own if regulatory or policy changes occur mid-year. Training must respond to those changes, not wait for the next calendar cycle.
Every training session must be documented. During an examination, FINTRAC examiners will request:
Both elements matter: completion records alone are not sufficient if the examiner cannot verify what content was actually delivered. Organizations must retain the training materials themselves alongside the delivery logs.
An LMS with automated tracking produces exactly the kind of documentation FINTRAC examiners request — completion dates, pass/fail results, and per-employee detail — without additional administrative effort. Tracking training delivery through email distribution or verbal confirmation carries substantial audit risk.
Training must be assessed for effectiveness. FINTRAC examiners look for evidence that staff actually absorbed the content — not simply that a course link was distributed. Scenario-based knowledge checks, post-training assessments, and periodic competency audits demonstrate that training is producing measurable outcomes. A program without any assessment component is routinely flagged in FINTRAC examinations.
Where a reporting entity operates through agents or third-party distribution channels — common in MSBs, life insurance, and mortgage lending — those agents must also receive appropriate training. FINTRAC’s sector-specific guidance addresses agent obligations; the training program must account for them.
FINTRAC’s published compliance program guidance and examination advisories identify recurring deficiencies:
Any of these findings can result in a deficiency during a FINTRAC examination. Repeated deficiencies across examination cycles can trigger administrative monetary penalties (AMPs) under s.73.1 of the PCMLTFA or, in serious cases, criminal prosecution referrals under s.74.
SCORM (Sharable Content Object Reference Model) is the technical standard for e-learning in regulated environments. It addresses the documentation requirements FINTRAC examiners evaluate:
Tamlo’s Flag the Money course series was designed specifically for Canadian reporting entities operating under the PCMLTFA. The series addresses the core AML/ATF knowledge areas FINTRAC examiners evaluate, delivered in scenario-based modules that reflect real compliance situations.
| Module | Content |
|---|---|
| What Is Money Laundering? | The three stages, Canadian typologies, how financial crime enters legitimate systems |
| What Is Terrorist Financing? | Differences from ML, red flags, the FINTRAC reporting obligation |
| Suspicious Transaction Reports | When STRs are required, what triggers reporting, how to document the decision |
| Large Cash Transaction Reports | LCTR thresholds, structuring red flags, EFT reporting obligations |
| Customer Identification and Ongoing Monitoring | FINTRAC identity verification requirements, ongoing monitoring, beneficial ownership |
| Record-Keeping | What records must be kept, retention timelines, format requirements |
All modules include knowledge checks, produce SCORM-compliant completion records, and are available in both English and French to support bilingual compliance obligations.
Sector-specific versions are available for financial institutions, credit unions, MSBs, insurance companies, and securities dealers — ensuring staff see typologies and scenarios relevant to their actual sector.
RapidLMS (Hosted)
Access Flag the Money through Tamlo’s own hosted learning management system. No IT infrastructure required. Tamlo manages enrolment, tracking, and reporting. Completion certificates are issued automatically. Ideal for organizations that need a turnkey compliance training solution without an internal LMS.
SCORM Package (Non-Hosted)
Deploy Flag the Money in your own LMS — SuccessFactors, TalentLMS, Moodle, Absorb, Cornerstone, or any SCORM 1.2-compatible platform. Full ownership of your training data and completion records. Licensing is based on seat count or site license depending on organization size.
Both options produce the tracking documentation FINTRAC examiners require — completion records, training materials, and assessment results.
What does FINTRAC require for AML training?
FINTRAC requires all reporting entities to implement an ongoing compliance training program as part of their five-pillar compliance program under the PCMLTFA. Training must be informed by the organization’s risk assessment, cover AML/ATF obligations relevant to each employee’s role, be delivered to all staff with compliance responsibilities (including the compliance officer), be updated when regulations or policies change, and be fully documented — including the training materials used.
How often does FINTRAC require AML training?
FINTRAC requires training to be ongoing, not on a fixed annual schedule. New employees must receive training before taking on compliance-relevant responsibilities. Existing employees must receive updated training when there are changes to the organization’s policies and procedures, when regulatory requirements change, or when the risk assessment identifies new threats. Annual training is a common minimum baseline, but it must be supplemented whenever triggering events occur.
What are the consequences of non-compliant AML training?
FINTRAC can assess administrative monetary penalties (AMPs) under s.73.1 of the PCMLTFA for violations including deficient compliance programs. Repeated deficiencies or serious violations can result in enforcement action or public disclosure of findings.
Does FINTRAC accept online AML training?
Yes. FINTRAC does not mandate a delivery format. Online SCORM-based training is widely accepted and preferred by compliance officers because it produces automatic documentation — completion records, training materials, and assessment results — that directly satisfies examination requirements.
Is Tamlo’s Flag the Money course FINTRAC-compliant?
Flag the Money was designed to address FINTRAC’s compliance program requirements under the PCMLTFA. Courses are scenario-based, risk-sensitive, role-specific, bilingual (English and French), and SCORM-compatible for LMS tracking and documentation.
Tamlo works with financial institutions, credit unions, MSBs, securities dealers, and insurance companies across Canada. Whether you need a fully hosted solution through RapidLMS or a SCORM package for your own LMS, we can help you build a training program that meets FINTRAC’s requirements — and document every step for your next examination.
[Get a Quote] [Browse Flag the Money Courses] [Contact Us]
