PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

We Turn 12!

Green foil balloons forming the number 12 with gold confetti on a light background, celebrating a 12-year anniversary.Today marks another milestone for us – 12 years since Outlier Compliance Group was founded.

What began as a bold and novel idea, building a consulting firm made up exclusively of seasoned compliance professionals with deep in-house experience, has grown into a thriving, trusted partner for clients navigating Canada’s ever-changing regulatory landscape.

Our name, inspired by Malcolm Gladwell’s “Outliers, the Story of Success” which espoused the notion that to be truly proficient in a skill, 10,000 hours of practice is required. That was the bar that was set, met, and most often exceeded by every compliance professional that joined our team over the years.

Over the years, we’ve grown, evolved, but have stayed true to our roots. We’ve learned that success comes from surrounding ourselves with exceptional people, from listening closely to our clients, and from being willing to adapt in the face of change. We’ve discovered the value of curiosity when navigating complexity, and the power of collaboration when tackling the most challenging problems.

Through it all, our mission has remained the same “good compliance is good business”. It’s the principle that guides our work, shapes our advice, and underpins every solution we deliver.

As the Canadian regulatory environment becomes increasingly complex, our mission and our learnings will play to our continued success and growth as we continue to provide top tier compliance and risk management services. 

To our amazing team, past, present and future, thank you for your passion, expertise and resilience. To our clients, partners and industry peers, thank you for your trust and collaboration. Lastly, but by no means least, a special thank you to our CEO, David Vijan, and our Chairperson, Amber D. Scott, for keeping us on our toes and steering the ship with vision and purpose. 

Here’s to 12 years of achievement and to the future.

Identification Triggers for Factoring Companies

Background

We recently sought clarification from FINTRAC as it relates to identification requirements that Factoring Companies (Factors) must comply with.

Factors supply liquidity to a customer in exchange for the cash value of a certain amount of the customer’s accounts receivable (i.e. invoices) to be collected later by the factoring company. A factor is defined as a person or entity that is engaged in the business of factoring, with or without recourse against the assignor.

If you missed it, Factors became reporting entities under the PCMLTFA effective April 1, 2025. As a reporting entity, Factors must have in place a compliance program and comply with various requirements, including identification requirements.  Please refer to our previous blog post on Factors that outlines full requirements that factors must comply with.

Identification Requirements

Factors must confirm identification using prescribed methods for individuals and entities where they are required to keep a record as defined under section 24.14 of the

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations.

Section 24.14 states a factor shall keep the following records in respect of every factoring agreement that it enters into:

(a) an information record in respect of the person or entity with whom it enters into the agreement;

 (b) if the information record is in respect of an entity, a record of the name, address and date of birth of every person who enters into the agreement on behalf of the entity and the nature of the person’s principal business or their occupation;

 (c) if the information record is in respect of a corporation, a copy of the part of official corporate records that contains any provision relating to the power to bind the corporation in respect of transactions with the factor;

 (d) a record of the financial capacity of the person or entity with which it enters into the agreement and the terms of the agreement;

 (e) for any payment it makes; and

 (f) a receipt of funds record in respect of every amount of $3,000 or more that it receives, unless the amount is received from a financial entity or public body or from a person who is acting on behalf of a client that is a financial entity or public body.

As it relates to the last record, funds may come from a party other than the factoring client (a third party) and in such instances it is not sufficient to rely on identification that would have been completed for the factoring client, but rather the third party would have to be identified.

Below is a response from FINTRAC:

Under the PCMLTFA, specifically section 24.14(f), a receipt of funds record must be kept for every amount of $3,000 or more, unless the funds are received from a financial entity, public body, or a person acting on behalf of such an entity.

In response to your question:
If funds are received from a party other than the identified factoring client, identification requirements may still apply depending on who that third party is.

If the third party is not:

    • a financial entity,
    • a public body, or
    • acting on behalf of one,

then yes, identification and a receipt of funds record would be required, even if the factoring client has already been identified. This is because the receipt of funds record pertains to who the funds are actually received from, not just who the factoring agreement is with.

Identification of the factoring client alone is not sufficient if funds are received from another party who does not fall under the exemptions in s. 24.14(f). The source of funds must be identified and recorded accordingly.

The factoring company must take reasonable measures to identify the sender, document those efforts, and keep a receipt of funds record.

While this may prove to be challenging in some instances, demonstrating that reasonable measures were taken becomes critical.

We’re Here To Help

If you would like assistance in understanding what this mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

Securities Dealers See Rising FINTRAC Penalties

We’re seeing FINTRAC ramp up Administrative Monetary Penalties against all sectors, however, for securities dealers we’re starting to see some heavy hits, something we haven’t seen before, signaling a graduated approach to compliance assessments by FINTRAC.

On July 3, 2025, FINTRAC announced an Administrative Monetary Penalty of $544,500 against an investment dealer headquartered in Vancouver, British Columbia. Additionally, on February 13, 2025, FINTRAC announced an Administrative Monetary Penalty of $66,000 against, a Wealth Management Securities Dealer in Ontario.

Securities dealers must fulfill specific obligations as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations, to help combat money laundering and terrorist activity financing in Canada. As defined under the PCMLTFA, a securities dealer means a person or entity authorized under provincial legislation to engage in the business of dealing in securities or any other financial instruments or to provide portfolio management or investment advising services.

FINTRAC has the legislative authority to issue administrative monetary penalties (AMPs) to reporting entities that are found to be non-compliant with the PCMLTFA and associated Regulations. For more information, see Penalties for non-compliance.

Between the two notices, it was found that following compliance examinations, the following failures were found, which resulted in the AMPs:

  • Failure to develop and apply written compliance policies and procedures that are kept up to date; and, in the case of an entity, are approved by a senior officer. Specifically, the firm did not sufficiently develop and document its compliance policies and procedures in relation to know your client and record keeping requirements.
  • Failure to assess and document the risk of a money laundering or terrorist financing offence, taking into consideration prescribed factors. Specifically, the firm’s risk assessment was incomplete, as it did not clearly outline the risks associated with its clients and did not contain assessment of all the required categories. In addition, the risk assessment did not document an adequate methodology for the assessment of its money laundering and terrorist financing risks.
  • Failure to institute and document the prescribed review of its policies and procedures, risk assessment and training program. Specifically, the scope of a review did not cover the firm’s risk assessment. Additionally, the review did not specify how the organization ensured that its compliance program was tested for effectiveness.
  • Failure to submit suspicious transaction reports where there were reasonable grounds to suspect that transactions or attempted transactions were related to a money laundering or terrorist activity financing offence.
  • Failure to take the prescribed special measures for high risk.

Of all the findings, the ones that netted the highest AMP were related specifically to:

  • Failure to submit suspicious transaction reports where there were reasonable grounds to suspect that transactions or attempted transactions were related to a money laundering or terrorist activity financing offence.
  • Failure to take the prescribed special measures for high risk.

Failures in suspicious transaction reporting continue to be a big focus for FINTRAC and a trend with the larger value AMPs that we’ve been seeing.

Securities dealers are responsible for the following requirements under the PCMLTFA and associated Regulations:

  1. Compliance program:
    1. Appoint a compliance officer who is responsible for implementing the program. The Compliance Officer must always have access to management and the authority to carry out their duties.
    2. Develop and apply written compliance policies and procedures that are kept up to date and, in the case of an entity, are approved by a senior officer. Policies and procedures must be detailed and reflect the reporting entities business model.
    3. Conduct a risk assessment of your business to assess and document the risk of a money laundering or terrorist activity financing offence occurring in the course of your activities. The categories that must be assessed are outlined in guidance.
    4. Develop and maintain a written, ongoing compliance training program for your employees, agents or mandataries, or other authorized persons.
    5. Institute and document a plan for the ongoing compliance training program and deliver the training (training plan).
    6. Institute and document a plan for a review of the compliance program for the purpose of testing its effectiveness, and carry out this review every two years at a minimum (two-year effectiveness review). The review must test all parts of your compliance program as well as operations.
  2. Know your client:
    1. verifying client identity,
    2. politically exposed persons, heads of international organizations, their family members and close associates, beneficial ownership, and
    3. third party determination.
  3. Transaction reporting:
    1. Suspicious Transaction reporting
    2. Listed Person or Entity Property Reports
    3. Large Cash Transactions reporting
    4. Large Virtual Currency Transaction reporting; and
    5. Reporting suspected sanctions evasion.
  4. Record keeping;
  5. Foreign branches, foreign subsidiaries and affiliates; and
  6. Ministerial directives

We’re Here To Help

If you need help in creating or updating your compliance program and processes, are due for a Compliance Effectiveness Review, or have general questions on your compliance obligations,  please get in touch.

What Should You Do After Submitting Suspicious Transaction Reports to FINTRAC?

What Happens After You Submit a Suspicious Transaction Report?

When it comes to AML compliance, submitting a Suspicious Transaction Report (STR) to FINTRAC is just the beginning, not the end.

In this short video presentation, Divya Bhaktha from Outlier Compliance Group breaks down exactly what you need to do after an STR is filed, and the consequences if you don’t follow-up correctly.

Reference Links

Public notice of administrative monetary penalties

Reporting suspicious transactions to FINTRAC

Guide on harm done assessment for suspicious transaction reports violations (section 2.3.4)

 

Need help navigating STR obligations? Email us at info@outliercanada.com or get in touch here.

What to Expect When FINTRAC Comes Knocking

Written with Heidi Unrau

FINTRAC’s New Assessment Approach – It’s Not Just Exams Anymore

Every request, meeting, form, or call with the Financial Transaction and Reports Analysis Centre of Canada (FINTRAC), Canada’s anti-money laundering (AML) regulator and financial intelligence unit (FIU), is a potential assessment activity. If your business is subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), the regulator could contact you at any time. In 2025, FINTRAC significantly expanded and diversified its compliance assessment toolkit.

FINTRAC’s assessment activities are not limited to full-blown compliance examinations, and the regulator is increasingly using other assessment tools. These include a wider range of formal and informal touchpoints, each of which can carry consequences and should be taken seriously. Here’s what you need to know to prepare, respond, and stay one step ahead when FINTRAC contacts you.

Yes, These Are All Assessment Activities

Many organizations are surprised to learn that not every FINTRAC interaction is labelled as an “examination,” although a range of activities are used to assess FINTRAC reporting entities. While some of these activities may be more informal than examinations, they are not unimportant.

In 2025, common FINTRAC assessment activities include, but are not limited to:

A woman peeking out from behind a stack of folders on a desk.

Data Hide and Seek

  • Information Requests
  • Supervisory Risk Assessment Questionnaires (SRAQs)
  • Compliance Self-Attestations
  • Monitoring Meetings
  • Action Plans
  • Examinations

Each of these activities serves as an opportunity for FINTRAC to understand and evaluate how well your organization is meeting its AML compliance obligations. Responding late, incorrectly, or incompletely can impact your risk score, trigger follow-up activities including examinations, or even result in penalties.

Information Requests

FINTRAC can request a wide range of information from reporting entities related to AML compliance. Where no personal information (PI) is being requested, these requests may be delivered by email rather than by more secure channels such as Canada Post’s secure messaging system.

However, reporting entities that prefer to respond via a secure channel can request this, and FINTRAC will generally accommodate their request. If an information request is unclear or if the timeframes are not feasible for your business, it is important to contact FINTRAC as soon as possible to resolve the issue.

Supervisory Risk Assessment Questionnaires (SRAQs)

SRAQs are Excel forms sent through Canada Post’s secure platform, often after a call or meeting with FINTRAC to explain the process. They include detailed questions about your business structure, risk levels, and electronic funds transfers.

Some fields may be pre-filled by FINTRAC, but must be reviewed. The SRAQ will generally have questions about your risk assessment, and you may be asked whether your risk assessment aligns with Canada’s National Risk Assessment (NRA).

Compliance Self-Attestations

These detailed PDF forms are also delivered securely, either with a SRAQ or on their own, and may follow a call or meeting with FINTRAC to explain the process. The self-attestation form asks about your Compliance Officer, AML policies and procedures, risk assessment, training, and compliance effectiveness reviews (audits). The responses must be specific (tailored to your business, documentation, and processes), and questions often overlap with the SRAQ.

The self-attestation questionnaire commonly asks who approved your policies, and whether compliance effectiveness reviews (audits) led to action plans. The final section of the attestation form requires sign-off from the person completing it, attesting to the accuracy and completeness of the information provided.

Monitoring Meetings

Monitoring meetings are common for larger or higher-risk businesses and are used to follow up on issues like reporting errors, self-declared non-compliance, or action plan progress. Be ready to explain past issues and decisions, particularly where FINTRAC is actively monitoring the remediation of an issue, including deficiencies observed by FINTRAC through examinations or other assessment activities. Detailed records help keep these meetings focused and efficient.

Action Plans

FINTRAC may request an action plan to correct deficiencies observed in the course of its assessment activities, or subsequent to a voluntary self-declaration of non-compliance. An action plan describes the deficiencies, the steps that are being taken to address and correct the issues, and the expected timelines. In some cases, FINTRAC may request updates to action plans in conjunction with monitoring meetings.

Examinations

FINTRAC selects businesses for examinations based on factors like risk score, past findings, or industry trends. Examinations may be in-person or remote, and full-scope (covering a broad range of AML compliance requirements) or targeted (covering only a narrow scope, such as high-risk customers and enhanced due diligence activities).

The examination process generally begins with a notification call, followed by a formal letter, document review, interviews, and concludes with a findings report. As PI and other sensitive information is exchanged with FINTRAC in this process, written communication is usually through Canada Post’s secure online portal. If serious deficiencies are discovered, FINTRAC may issue a Notice of Violation, which accompanies an administrative monetary penalty (AMP).

Take Every Request Seriously, The Consequences Are Real

A single poorly handled request can escalate to a formal examination or enforcement action, up to and including an AMP. For example:

  • Information Requests might ask for detailed operational data, like wallet addresses, transaction volumes, geographic reach, etc., that must be provided within specific timeframes.
  • SRAQs and Self-Attestations often probe the strength and scope of your compliance program, training, policies, and controls.
  • Monitoring Meetings may seem routine, but they serve as real-time evaluations of progress or issues.

Even if you think your compliance program is strong, you can’t rest on your laurels. Giving too much, too little, or the wrong kind of information can still cause problems.

Timing & Scope Matter, So Speak Up Early

One of the most preventable mistakes? Not raising concerns early. If you receive a request that:

  • Requires more time than you realistically have
  • Involves an impractical volume of data
  • Touches on sensitive or operationally risky areas (like sending wallet addresses via unencrypted email, for example)
  • Is unclear or difficult to fulfill, or
  • Seems misaligned with your actual business structure…

Reach out to FINTRAC right away! They may allow accommodations like a secure file upload option or deadline extensions. FINTRAC  will also be able to clarify or refine the scope of their request, but you have to ask early. Proactive communication helps avoid mistakes and shows a good-faith effort to comply.

Documentation is Protection

Formal or informal? It doesn’t matter. If you interact with FINTRAC, document everything:

  • The requests received and your interpretations,
  • Deadlines and communication
  • What data you provided and how
  • Who internally approved or reviewed the responses

Keep a central record, like a shared folder or internal compliance log, to track all relevant information. Where there is something unusual about your business or processes, consider whether or not it makes sense to include explanations either in writing or during a meeting with FINTRAC.

Common Errors to Avoid

These are the biggest issues that trip up even experienced teams:

  • Not answering the question asked: Too much or too little detail can both be problematic, and providing information that doesn’t address the question makes you seem disorganized at best.
  • Assuming foreign compliance standards apply: FINTRAC’s mandate is to ensure compliance with Canadian requirements, and straying from this focus can imply that you’re not well-versed when it comes to the Canadian AML framework.
  • Underestimating the data lift: Raw data is often messier and harder to extract than expected. Plan accordingly and start pulling data and organizing your response early.
  • Auditor independence: If your auditor is also your AML program creator, expect scrutiny for lack of independence.

Make an Action Plan, Even if You’re Not Asked

There is some variance in terms of whether or not action plans are requested after FINTRAC examinations. Today, they’re becoming an unspoken expectation, though you may not be asked for your action plan until the next time that you’re faced with an assessment activity. Best practice? Develop an internal action plan, even if  FINTRAC doesn’t ask for one. Examiners, auditors, and your leadership team will expect to see how you’ve addressed gaps. Your action plan should:

  • Outline findings and fixes
  • Assign owners and timelines
  • Track milestones and updates

If you’ve already had an examination or audit and didn’t document an action plan, it’s not too late. Your plan can include work already completed to address any deficiencies.

Is This Really From FINTRAC? How to Tell

Some recent FINTRAC requests look different from what businesses are used to, which has caused confusion. And to make matters worse, there have been documented cases of scammers impersonating FINTRAC and other regulators. Here’s how to tell if the request is legitimate:

  • Check the Sender: Legit emails come from @fintrac-canafe.gc.ca or @fintrac-canafe.canada.ca.
  • Look for legal references: Real requests often cite the PCMLTFA (for example, section 63.1(2) of the PCMLTFA).
  • Expect formal language: Clear instructions, deadlines, and specific data requests are standard.
  • Templates included: FINTRAC may attach Excel or PDF forms to complete. These will not be in a “zipped” format or other format that cannot be scanned for malicious elements.
  • No contact name? Still valid: Some are signed by the team or department without a specific person named.
  • Delivery method: Sensitive items may come through Canada Post’s secure epost system, but where this is the case, reporting entities will generally receive a phone call first.

If you’re unsure, don’t ignore it. Verify through FINTRAC’s official contact channels, not by replying to a suspicious email.

Final Reminder: Treat Every Touchpoint as an Evaluation

A call. An email. A simple questionnaire or data request. It’s all part of a broader assessment process. These activities carry weight, can impact your risk profile, and may lead to further scrutiny if not handled correctly.

Treat every request seriously and respond with care. If something is unclear, the scope seems off, or if you need more time, speak up early! Proactive communication prevents misunderstandings and protects your organization from costly consequences.

Need a Hand?

If you’re unsure how to interpret a request, need help crafting a response, or want to strengthen your overall compliance approach, Outlier Compliance Group is here to help. Please get in touch.

60 Days to RPAA: Are You Prepared?

With only 60 days left, the Bank of Canada (BoC)’s operational framework for payment service providers (PSPs) will come into force under the Retail Payment Activities Act (RPAA) and Retail Payment Activities Regulations (RPAR) – collectively referred to as Retail Payments Supervision (RPS) on September 8, 2025. If your business performs any of the following five payment functions, RPS apply to you, and you should already be registered with the BoC:

  • The provision or maintenance of a payment account;
  • The holding of end-user funds until withdrawn or transferred;
  • The initiation of a payment at the request of an end-user;
  • The authorization of an electronic funds transfer, transmission, reception, or facilitation of a payment message; 
  • The clearing or settlement of payment transactions.

With the deadline approaching, PSPs should be close to finalizing their operational risk and incident response policy frameworks which must include mapping all operational risk factors to BoC guidance. Key areas to focus on include

  • Identifying the human and financial resources that are required to implement and maintain the framework;
  • Allocating specific roles and responsibilities in respect of the implementation and maintenance of the framework;
  • Identifying the assets (systems, data, and information) and business processes that are associated with the PSPs performance of retail payment activities; 
  • Identifying operational risks, which must cover: 
    • business continuity and resilience,
    • cybersecurity,
    • fraud,
    • information and data management,
    • information technology,
    • human resources,
  • Identifying process and product design and implementation related to operational risk;
  • Establishing measures for protecting payment activities from identified risks;
  • Reviewing and testing of the framework; and
  • Managing its risks from third-party service providers, agents, and mandataries.

Additionally, PSPs that hold end-user funds must adhere to the safeguarding requirements under RPS. To safeguard funds on behalf of end-users, PSPs must utilize one of the following methods:

  1. Hold the funds in trust in a trust account used solely for that purpose; or
  2. Hold the funds in a segregated account backed by eligible insurance or guarantee in an amount equal to or greater than the funds held.

As a reminder, RPS requirements are in addition to your existing AML obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). We’re advising clients every day to align their policies, controls, and documentation to meet the BoC’s expectations. This often means creating and implementing new frameworks for many organizations.  If you haven’t finalized your framework yet, now is the time to act.

Outlier is here to help, so please get in touch.

We’re Hiring an Operational Risk Ninja!

We’re looking for a senior operational risk person to join our team. Initially, this is going to be a part-time role but we’d love for it to become a full-time role, depending on the need and fit. We take bringing on new team members very seriously. We’re a small and close-knit team, and fit is just as important as experience. We’d be lying if we said that “can we just handle the work ourselves” isn’t something that was brought up (multiple times). You’re reading this posting because we need a very capable human, and maybe that’s you. 

While we know many great folks, we’ve chosen to post this role publicly in the interest of widening the possible field to include candidates that we might not know personally. We have done it before and we lucked out! 

What does the job actually entail?

We’re compliance and risk consultants. Our core areas of practice include:

  • Anti-Money Laundering (AML), Anti-Terrorist Financing (ATF)
  • Canadian Sanctions
  • Privacy
  • Regulatory Compliance
  • Operational Risk Management (including Retail Payment Compliance)
  • Pan-Canadian Trust Framework (PCTF)

Most of the companies that we work with are AML reporting entities (banks, credit unions, money services businesses, securities dealers, dealers in precious metals and precious stones, real estate brokerages, etc.). Our work is generally project-based, and those projects include:

  • Developing and updating compliance and risk policies and procedures;
  • Developing risk assessments;
  • Designing and delivering training;
  • Conducting effectiveness reviews/audits;
  • Helping clients to prepare for reviews and regulatory examinations; 
  • Helping clients to remediate review and regulatory examination findings; and
  • Helping clients with compliance-related questions.

The person we are looking for would be responsible for the following:

  • Design, document, and improve policies, procedures, and internal control frameworks to meet regulatory expectations and industry best practices.
  • Advise clients on compliance with operational risk management requirements (RPAA and OSFI E-21). This includes third-party risk, incident response, fraud business continuity and safeguarding  requirements.
  • Support the development and implementation of operational risk management frameworks, governance structures, and reporting mechanisms.
  • Guide clients through compliance with the RPAA, including registration, risk management frameworks, incident reporting, and safeguarding of end-user funds.
  • Lead operational risk assessments, control reviews, and gap analyses across client operations, with a focus on payment service providers and fintechs.
  • Provide guidance on privacy and data governance issues, including compliance with PIPEDA and other applicable provincial privacy legislation.
  • Monitor emerging regulatory changes and industry developments to inform clients and update risk frameworks accordingly.
  • Liaise with client legal, compliance and risk teams as needed on matters related to risk, compliance, and governance.

To do this effectively, we believe that you need to have deep, hands-on experience in these areas. This is why all of our team members have over 10,000 hours of in-house compliance experience. This is non-negotiable. Additionally, we are looking for the following qualifications:

  • Deep knowledge of operational risk frameworks, including proven experience implementing or assessing operational risk programs in line with it.
  • Strong working knowledge of Canadian privacy laws and their application to operational and data risk.
  • Experience developing and implementing risk and compliance frameworks, including for third-party/vendor risk, incident response, and operational resilience.
  • Excellent communication skills, with the ability to explain complex regulatory concepts to stakeholders at all levels.
  • Strong writing skills for client deliverables, policies, and presentations.
  • Proficient knowledge of Microsoft Office (Word, Excel, Powerpoint, etc). 

Additionally, if you have any of the below it is a definite asset:

  • Experience advising or working with PSPs, MSBs and/or fintechs.
  • Experience with developing and or updating AML policies and procedures.
  • Experience with conducting AML effectiveness reviews.
  • Designing and delivering training.
  • Experience and/or knowledge of the Pan-Canadian Trust Framework (PCTF). 
  • Prior experience engaging directly with Canadian regulators.
  • Relevant certifications (i.e. RIMS CRM CIPP/C, CRISC, FRM, CIA). and
  • Bilingualism (English/French) is a plus but not required.

What it’s like working at Outlier

We think our team is pretty great: professional, friendly, and incredibly nerdy. At first, we might seem intimidating, or even a little cliquey, but we’ll do everything we can to bring you into the fold. That said, you’ll need to identify and ask for what you need. Autonomy is a big part of how we work.

No two days are the same. We work on different projects that move at different paces, and sometimes things get hectic — it can be stressful. You’ll need to be comfortable providing your own structure and managing your schedule, while keeping in mind the needs of the business and our clients. As long as the desired outcomes are delivered on time, you can work at your own pace and from your own location. Most of our work is done remotely, though occasionally we may need to be on site with clients. We also have an office in downtown Toronto for when the need arises (and you’re welcome to work from that location whenever you like). 

Our clients are professionals, entrepreneurs, and thought leaders. They’re smart, driven, and often push boundaries and ways of thinking, which means we’re constantly learning from them as well as answering their questions. They won’t always be compliance-minded, but the conversations are rarely boring. It’s often an absolutely incredible journey.

Our compensation model is radically transparent and tied to individual performance. Consultants earn a share of the revenue from each project they’re part of. These are democratic decisions, visible to the entire team, which helps ensure fairness. We know that openly discussing compensation can feel awkward at first — we try to approach it with empathy and openness.

Some things that we think are probably true about the right candidate

  • You’re really good at what you do, but you are never satisfied. 
  • Every time you’ve left a job, they’ve had to hire several people to replace you. You try not to gloat about this too much, but sometimes you can’t help it.
  • When put in charge of a well-functioning system, you’re likely to test “process improvements” until something breaks.
  • You’re at your very best when you’re fixing something broken or building something new – those challenges invigorate you.
  • When a business person tells you what they want to build, you immediately start thinking about how to execute their ideas within the parameters of existing law and regulation.
  • The phrase “that’s the way we’ve always done it” makes you either shudder or clench your jaw (maybe both).
  • In your spare time, you probably deconstruct, make or build things. 

Want to apply?

Send an email with your resume attached in PDF format to: ninjas@outliercanada.com by July 14, 2025. 

The subject line should read: Risk Ninja, 2025

In the body of the email, please indicate why you believe that you would be a good fit, referencing this posting, as well as where you clocked your 10,000 hours of in-house compliance practice. Please feel free to include any questions that you have for us at the outset as well.

Please note that messages submitted in any other format via any other channels will not be considered. Only applicants selected for an interview will be contacted. A reminder, only Canadian citizens need apply.

Outlier Compliance Group welcomes Daniel Dobre!

The Outlier Compliance Group team is thrilled to welcome our newest member, Daniel Dobre.

Daniel brings a wealth of banking compliance experience, most recently as Director Anti-Money Laundering, Financial Crime Oversight at Royal Bank of Canada.

Daniel’s Bio

Daniel joins the Outlier team with more than 18 years of compliance experience working within the Financial Institution sector. A seasoned professional, Daniel brings a strong background in regulatory compliance and risk expertise. Throughout his career, he has held senior oversight roles in financial crime and regulatory compliance, leading the design and execution of monitoring and testing programs, and developing and enhancing compliance methodologies. His work has included oversight of second line reviews, implementation of AML/ATF systems and processes, execution of risk assessments all with a strong focus on stakeholder engagement, communication and building strong business relationships.

Daniel recognized early in his career that compliance was the path he wanted to pursue. Following a management trainee program that provided exposure to various areas of banking, he chose to join the compliance team, despite strong interest from several other departments. While doing branch compliance reviews for four years, Daniel realized that anti-money laundering is what he is most passionate about and made it his goal to grow in this field. After moving to Canada, Daniel was determined to re-enter the compliance field, which he successfully achieved in 2010. After a few years of growing his experience within compliance, operations, and internal controls, he had the opportunity to join the CAMLO of a financial institution to enhance their AML program following a regulator’s exam. Among his key accomplishments were the successful development and implementation of a real-time customer name screening process, as well as the design and rollout of a transaction monitoring system and an associated alert investigation process. 

Daniel’s passion for financial crime risk led him to join a major bank, where he was able to gain valuable experience while leading, monitoring, and testing reviews over the financial crime risks, controls and associated regulations for all lines of business and functions within the bank. He later spearheaded the design and implementation of an integrated monitoring and testing (assurance) program, covering both financial crime and regulatory compliance risks, while overseeing testing teams across 3 continents. During this time, Daniel also became CAMS and ICA certified, and is looking forward to helping make a difference in the financial crime industry by ensuring that all customers are operating safely and in accordance with the regulatory requirements. 

As with all our consultants, Daniel has deep subject matter expertise and supports Outlier’s mission statement “good compliance can enable good business”. He is passionate about compliance and risk management, and believes that businesses can be successful and compliant at the same time.

Please join us in welcoming Daniel!

He’ll be attending the Futurist conference in Toronto as his first official Outlier event coming up on May 13, 2025. Please say hello and welcome him to the team.

Integrity Over Profit

Earlier this week I was approached by a client with whom we had completed a full overhaul of their Risk Assessment documentation, which occurred about 3-4 months ago. The project was completed with excellent results, and from all accounts, an ideal outcome. Mainly, the client was satisfied with the deliverable, felt more confident in the status of their overall compliance program, and was a delight to work with.

When they reached out this week, they were inquiring about Outlier completing their upcoming 2 year Compliance Effectiveness Review (CER). This was a clear indication of their satisfaction, which was a good feeling. However, we had to keep in mind that we (Outlier) revised their Risk Assessment documentation not too long ago. After some internal discussion, we felt it was not the right move for us to take on their CER, as we would be reviewing a portion of our own work. Not only would this be less value to the client, but should their financial service provider or FINTRAC determine that their reviewer was also the drafter of a portion of the compliance documentation, that would be a bad look. FINTRAC guidance states “Also, as a best practice, to ensure that your review is impartial, it should not be conducted by someone who is directly involved in your compliance program activities.”

Informing the client about our perceived conflict, and that it would not be the right move given the situation, felt less than optimal. No one wants to turn business away. However, the response was received with grace and understanding. This isn’t a shock as this individual is, in my opinion, an underrated pillar of the AML community, and generally, a person with a high degree of integrity.

Ok, So What?

This post is not intended to be a self-congratulatory post, but rather a message to highlight an important point for reporting entities. We have sat through examinations with clients where FINTRAC has identified the lack of separation between the drafter of the documentation and reviewer of the documentation. This situation left the reporting entity in a position they could not defend, resulting in, what I deem, an entirely unnecessary position. Had the reviewer acted with integrity, by informing the reporting entity about the potential risk and downfalls, the FINTRAC examination would have resulted in a more favorable outcome, including one less deficiency.

From my experience, the separation between the drafter and reviewer should go beyond merely assigning different people, or different departments, within the same organization because the baseline knowledge is consistent across the business. You want completely fresh eyes on your compliance program and its effectiveness.

The intent of this post is to serve as an FYI to reporting entities that relying on one firm to handle all aspects of compliance support is not an ideal scenario and can lead to problems down the line. There is no shortage of fantastic compliance consulting firms in Canada, each with deep expertise when it comes to Canadian regulatory requirements and FINTRAC expectations. If you would like some suggestions on additional firms that can offer compliance support, please feel free to reach out to us, and we can make warm introductions to other trusted firms.

Finally, this also raises concerns regarding independence of the CER process when the same company is engaged for multiple reviews in succession. We have strongly suggested to a few longstanding clients that they source a different reviewer for a “fresh set of eyes,” after completing multiple CERs for them previously. We have also received feedback from clients that during FINTRAC exams, FINTRAC examiners are suggesting the same thing. While its nice to have a good relationship with your compliance support providers, there comes a point where a changeup is not only suggested, it is necessary. It’s better to make the choice yourself, rather than have FINTRAC make it for you.

Independent Support

If you are in need of a completely independent reviewer, a suggestion for a couple of different options, or just have general questions, please feel free to contact us. We are here to help, and truly believe that rising tides lift all boats.

New Reporting Entity: Factoring Companies

Background

On March 26, 2025 final amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations were officially published in the Canada Gazette (SOR/2025-68). This round of anticipated changes introduces three company types that will become reporting entities. Below, we summarize the requirements that Factoring Companies will have to comply with as of April 1, 2025.

Factoring Companies (Factors)

Factors supply liquidity to a customer in exchange for the cash value of a certain amount of the customer’s accounts receivable (i.e. invoices) to be collected later by the factoring company. A factor is defined as a person or entity that is engaged in the business of factoring, with or without recourse against the assignor.

Requirements

All reporting entities (including Factoring Companies, as of April 1, 2025) must have in place a compliance program as defined under the PCMLTFA and associated regulations. The following is a summary of the requirements, as well as links to FINTRAC guidance (some of which will need to be updated).

Program Elements

  • Appoint a compliance officer who is responsible for implementing the compliance program and have oversight. The Compliance Officer must always have access to management and have the authority to carry out their duties.
  • Develop and apply written compliance policies and procedures that describe what is required under law and how these obligations will be met. These must be kept up to date and approved by a senior officer.
  • Conduct and document a risk assessment of your business. This assessment should include all activities that could make an entity vulnerable to money laundering or terrorist financing, as well as the mitigating controls that are put into place to prevent such risks.
  • Develop and maintain an ongoing compliance training program for your staff and agents. Everyone that deals with customers, customer funds, or transactions must receive AML and ATF training at least annually.
  • Conducting compliance effectiveness reviews. This is an audit that tests a company’s AML and ATF program and its effectiveness. These reviews must be completed at least once every two years.

Operational Elements

  • Reporting certain transactions. Where there are reasonable grounds to suspect that a particular financial transaction is related to the commission of a money laundering or terrorist activity financing offence, a Suspicious Transaction Report must be summitted to FINTRAC. This includes Large Cash and Large Virtual Currency reporting.
  • Follow ministerial directives and perform watchlist screening. Where a company may be in possession of funds or property that belong to a terrorist (either an individual or an organization) or a listed person, a Listed Person or Entity Report must be submitted to FINTRAC.
  • Identifying customers. Upon entering into a factoring agreement or when an information record is created, Factoring Companies will need to verify the identity of a customer using prescribed methods for individuals and entities.
  • Conducting transaction monitoring.
  • Conducting enhanced due diligence and enhanced transaction monitoring for high-risk customers.
  • Keeping certain records. In addition to keeping records related to the requirements above, Factoring Companies are required to keep the following records:
    • an information record in respect of the person or entity with whom it enters into the agreement;
    • if the information record is in respect of an entity, a record of the name, address, and date of birth of every person who enters into the agreement on behalf of the entity and the nature of the person’s principal business or their occupation;
    • if the information record is in respect of a corporation, a copy of the part of official corporate records that contains any provision relating to the power to bind the corporation in respect of transactions with the factor;
    • a record of the financial capacity of the person or entity with which it enters into the agreement and the terms of the agreement;
    • for any payment it makes, a record of:
      • the date of the payment,
      • if the payment is in funds, the type and amount of each type of funds involved,
      • if the payment is not in funds, the type of payment and its value,
      • the method by which the payment is made,
      • the name of every person or entity involved in the payment, and
      • every account number or other equivalent reference number connected to the payment; and
    • a receipt of funds record in respect of every amount of $3,000 or more that it receives, unless the amount is received from a financial entity or public body or from a person who is acting on behalf of a client that is a financial entity or public body.

What Next?

Factoring Companies should start working on developing their compliance program immediately if they have not done so already. FINTRAC has updated their sector-specific guidance page with relevant information for this new reporting entity and should be read.

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

Return to Blog Listing