Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

Preparing For An iGaming AML Compliance Effectiveness Review

Written with Heidi Unrau


iGaming Ontario is celebrating two years in the province. But before your online gaming (iGaming) business can launch, you must register with the Alcohol and Gaming Commission of Ontario (AGCO). This government body regulates gaming activities in Ontario to ensure the industry operates above board and does not become a breeding ground for illicit activity. iGaming refers to casino-like games that are played over the internet such as Blackjack, Roulette, Poker, and Slot Machines.

As part of the registration process, you must establish an anti-money laundering (AML) program that complies with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and passes a gap analysis, also known as an effectiveness test. If your AGCO registration is successful, your compliance responsibilities don’t stop there.

You must then sign a non-disclosure agreement (NDA) and enter into an operating agreement with Internet Gaming Ontario (iGO). This watchdog organization oversees registered iGaming operators to make sure they consistently fulfill all regulatory obligations, including AML compliance. Here’s what to know about the role of AML in the iGaming registration process and how to set yourself up for long-term success.

Know Your AML Obligations For Registration

Anti-money laundering regulations are designed to prevent money laundering, terrorist financing, and other illegal activity, hence the name. If you plan to operate an iGaming business in Ontario, the AGCO requires you to comply with the Registrar’s Standards for Internet Gaming. These standards include specific AML responsibilities to minimize illegal activity. They typically include, at a high level, but are not limited to:

  • Having documented policies & procedures
  • Designating a Compliance Officer
  • Establishing a training program for all relevant employees
  • Conducting audits & reviews
  • Identifying & verifying customers
  • Risk ranking customers
  • Monitoring transactions
  • Transaction reporting
  • Record keeping

Your AML program must pass a gap review, which is essentially an effectiveness test. This test is a mandatory part of your AGCO registration process to demonstrate that your AML compliance program meets regulatory standards and can function effectively once your platform is live.

Your iGO Operating Agreement

After successfully registering with AGCO, the next step is to execute an operating agreement with its subsidiary, iGO. This organization is responsible for overseeing and managing how private iGaming operators conduct themselves within the province of Ontario.

The iGO registration process requires you to provide a package of documents, templates, and confirmations related to your anti-money laundering and counter-terrorist financing responsibilities. You’ll be teaming up with iGO’s AML department for this part and the entire process takes approximately two weeks.

Your iGO registration is very similar to the AML component of your AGCO registration. iGO requires you to document your AML policies and procedures as part of the registration process. This documentation should outline measures for preventing and detecting money laundering and terrorist financing activities on your iGaming platform.

You will also need to demonstrate compliance with Canadian AML regulations established by regulatory authorities and iGO as the conduct managing entity.

iGO & Compliance Effectiveness Reviews

Once your iGaming platform is live, you are required to submit to an AML effectiveness review by an independent third party every two years as part of your iGO compliance obligations. The purpose of a regular, recurring review is to assess how well your AML program is working, identify weaknesses, and determine whether your business meets requirements. It is also a test to see if your business is doing what it says it’s doing.

A good effectiveness review should mimic a full-scope FINTRAC examination. As Canada’s financial intelligence unit, FINTRAC has the right to audit regulated entities at any time. In this case, iGO would be the direct subject of the examination and they would contact individual operators for specific documentation if necessary.

An effectiveness review not only ensures you remain compliant in your day-to-day operations, it also ensures you’re prepared in the event iGO is examined by FINTRAC.

Scope of the Review

Ongoing effectiveness reviews can include, but are not limited to:

  • Interview staff handling transactions to assess their understanding of policies, procedures, and reporting requirements.
  • Review a sample of records to check compliance with client identification policies.
  • Examine agreements with agents/vendors and review sample information they use for client identification.
  • Check if suspicious transactions were reported to FINTRAC within the required timeframe.
  • Verify application of risk assessment in client records.
  • Assess adequacy and consistency of ongoing monitoring in client records.
  • Confirm implementation of enhanced measures for high-risk clients.
  • Ensure adherence to proper record-keeping procedures.
  • Review and update risk assessment to align with current operations.
  • Update policies and procedures to comply with legislative requirements and reflect current business practices.

After a Review

Once an effectiveness review is complete, the results must be presented to senior management for sign-off. It should include a summary of the findings, a remediation plan, and the status of required changes.

Choosing an AML Program Reviewer

The right AML program reviewer is foundational to the integrity and effectiveness of your compliance program. They should have a deep understanding of the Canadian anti-money laundering and counter-terrorist financing requirements as well as the specific risks unique to the iGaming industry.

Your chosen reviewer needs to provide a comprehensive and objective assessment of the effectiveness of your AML program, with a final report that identifies deficiencies and includes an action plan for improvement. Therefore, you want a reviewer with relevant experience conducting AML reviews for similar businesses.

Need a Hand?

If you would like to engage Outlier to conduct your AML Compliance Effectiveness Review, have questions about your obligation, or need help creating, reviewing, or updating your AML program, reach out to us today.

The FINTRAC Outage: Guide for AML Reporting Agencies

Written with Heidi Unrau


On March 2, 2024, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) experienced a major cyber incident. As a security precaution, FINTRAC has taken most of its reporting systems offline, including MSB registration. Canadian reporting entities remain responsible for all anti-money laundering (AML) requirements during the outage.

Application programming interfaces (APIs) are available for some reports, including large cash transaction reports (LCTRs), large virtual currency transaction reports (LVCTRs), and suspicious transaction reports (STRs), as of April 8, 2024.

Reporting entities that are not able to submit reports via API must do so once other systems are back online. In the interim, special processes for priority STR submission and other notifications have been established.

Watch for Official Guidance

It’s essential that you follow FINTRAC’s official communications regarding the outage. Outlier’s insights are meant to complement this directive, not replace it. The official word from FINTRAC remains the final authority on these matters.

It is recommended that all Canadian AML Compliance Officers sign up for FINTRAC’s mailing list to get the latest news from the regulator (if you are not signed up already).

Accessing FINTRAC’s APIs

As of April 8, 2024, FINTRAC APIs are currently available for:

  • LCTRs
  • LVCTRs
  • STRs

An API is a way for different computer programs to communicate with each other. To use FINTRAC’s APIs, reporting entities must first apply to register and be granted access by FINTRAC. The implementation of APIs for reporting will require the support of your technical team or software provider. Reporting via API is different from batch reporting (for those that use it) as the API provides a secure exchange of information that does not require the installation of batch-transmitting software.

For reporting entities that have not implemented API functionality, additional guidance has been provided by FINTRAC.

Priority STRs

For priority STRs with national security or other dangerous implications, FINTRAC has provided a dedicated email address and telephone number to help you with this (see below).

Please note that the CSIS and RCMP systems for Terrorist Property Reporting (TPR) are unaffected by the outage and remain operational.

Priority STR Submission Contact Info:

  • Email:
  • Call Centre: 1-866-346-8722 (toll free)

Reporting entities that are unsure of whether or not an STR is considered a priority may first contact FINTRAC using the information above to determine whether this submission method should be used. It is expected that STRs submitted via this method will also be re-submitted once systems are back online.

No Late Reporting Penalties

FINTRAC has indicated that the regulator understands that late reporting is an inevitable consequence of the outage. Therefore, FINTRAC has indicated that reporting entities will not be penalized for late reporting (within reason). It is expected that reporting entities will submit reports promptly once systems are back online.

Fulfilling Reporting Obligations

During the outage, reporting entities are required to track all reportable transactions. Keep detailed records of transactions that could not be reported during the outage. This will ensure that all required transaction reports are accurately and efficiently submitted once systems are restored.

In addition to information about reportable transactions, reporting entities should keep detailed records of:

  • The outage timing (provides useful context that may factor into future audit and examination-related data analysis)
  • All late reports submitted
  • Time required to clear the backlog once systems become operational

At this time, FINTRAC has not indicated that reporting entities should submit a voluntary self-declaration of non-compliance (VSDONC) related to late reporting due to the current outage. However, if there is a reporting backlog that will take significant time to clear, this may be considered once the outage has been resolved.

No Paper Submissions!

FINTRAC has explicitly advised against submitting paper copies of reports during the outage. Once the issue has been resolved, electronic reporting through the appropriate channels will resume.

MSB Registration & Inquiries

In a recent update on May 17, 2024, FINTRAC introduced a new web form specifically for existing Money Services Businesses (MSBs). This form allows currently registered MSBs to renew, update, or cancel their registration easily. You can access the form here:

It does not appear that new MSB registrations can be completed at this time. MSB registration inquiries can be directed to:

Be Prepared & Stay Alert

Stay up to date on the latest FINTRAC communications to ensure compliance should directives change.

For critical reporting and MSB registration needs, use the designated emails and phone numbers provided by FINTRAC. Keep all communications clear, concise, and accurate with all the necessary information.

Key FINTRAC Contact Information

Issue Email Phone
New MSB Registration Inquiries n/a
Existing MSB Registration Renewals, Updates, or Cancellations n/a
Priority STR Reporting 1-866-346-8722
General Inquiries n/a
API Support n/a

Additional Resources

Below, you’ll find a slide deck presentation and a YouTube video with the same information in this article. You are welcome to use and distribute these resources:

Need a Hand?

If you have any questions or concerns, the team at Outlier Solutions are here to help. Please contact us.

Interview with SafetyDetectives: A Deep Dive into AML and Data Privacy

In a candid interview with SafetyDetectives, Amber Scott and David Vijan, co-founders of Outlier Compliance Group, delve into the intricacies of anti-money laundering (AML) and data privacy in the evolving landscape of financial regulation. With backgrounds as former bankers turned compliance experts, Amber and David offer a unique perspective on the challenges and innovations shaping AML strategies today.

Can you please introduce yourself and talk about your role at Outlier?

Amber: Hi, I’m Amber Scott, the co-founder and CEO at Outlier Compliance Group. David and I were both previously bankers, working in the compliance space. For me, the idea for Outlier started once I left banking and started working in the consulting space. I saw how the leverage model worked, which was the idea that, essentially, if you throw enough smart folks at a problem, you can solve it. This was really different from the approach that Malcolm Gladwell espoused in his book Outliers, which is the idea that to be terribly good at something, you have to practice it a lot, roughly 10,000 hours.

When Outlier was founded, the idea was really that everyone on the team would have at least 10,000 hours of in-house compliance experience, so that people would understand compliance, how organizations work, and how operationalizing those concepts really worked in the long term.

David: Hi, I am David Vijan. I am a co-founder and CRO here at Outlier. We are an AML consulting firm, a compliance consulting firm, that specializes in AML, privacy, and other regulatory compliance consulting matters.

With financial crime tactics becoming more sophisticated, what sets your AML solution apart from others in detecting these threats?

Amber: I think it’s important to preface that our solutions are really consulting services, as opposed to software. When it comes to software, I won’t say that we’re exactly software agnostic, because we do recommend solutions and we always look for those solutions to be a good fit for our clients. However, in theory, we could work with any software solution.

I think that there are always two really important considerations.

  1. Does the software in question meet the regulatory requirements? Meaning, is it up to the regulator’s expectations in terms of what needs to be implemented.
  2. Does it manage the risk effectively?

Ideally, both of those conditions are met.

How does artificial intelligence and machine learning play a role in your solution’s detection and reporting capabilities?

David: As Amber mentioned, our wheelhouse is not in software related solutions per se. AI in general is great. We do have to remember the rule of garbage in, garbage out. That’s definitely something that we have to keep in mind here. AI really has to be understood by compliance staff.

We’ve seen compliance teams play around with AI, and they’re trying to develop policies and procedures using it. And while it does spit out something, it doesn’t have the level of detail that would meet the expectations of the regulator. It wouldn’t pass muster.

That’s a very important piece to the process, as it needs to be explainable to the regulator, but also meet their requirements and expectations. Because at the end of the day, it’s the regulator’s expectations that we’re really trying to satisfy.

Also, with AI, the rationale for decisions needs to be able to be translated into human-readable language. If you present something to someone, and they’re not able to recreate or understand it, it doesn’t really meet the needs of our regulatory obligations or the capabilities of what we need it to do.

Amber: This is incredibly important in an examination context with your regulator. If you’re an in-house compliance person, and you’re going to be called upon to explain how you came to a certain decision. The answer can’t be “I did what the robot told me to do”, “it came out of a black box”, or “we don’t understand the rationale for a decision”. It has to be something that you can translate to human-readable, human-understandable language, and that needs to be part of your documentation all the way down.

How do you approach data privacy and security, especially when dealing with sensitive financial data?

Amber: Amber: I think it’s important to acknowledge that there’s a natural tension between anti-money laundering (AML) and privacy. For us, at Outlier as a service firm, we consider it to be very important to minimize the amount of data and personal information that we ingest, particularly when we’re talking about our customer’s customer.

However, that’s not always practical or even possible for our clients who have very different requirements. From their perspective, it’s always important to understand:

  • Where the data lives across various systems
  • How you are using that data
  • How different systems are communicating with one another, both your own internal systems and your vendor systems, that you’re going to be using to do various functions.

Having a solid mapping of where that personal information, or PI, lives, and how that PI is used, is incredibly important and to keep that updated on a regular basis.

At the other end, not just knowing what’s happening during that lifecycle, but you need to have a plan to be able to anonymize or purge PI that’s no longer required, or no longer in use.

There’s this funny thing about data that when we’re holding on to personal information or sensitive information, the risk associated with that data never goes away. It can actually increase over time where the usefulness of that data decreases over time. So you have something that just stays risky but doesn’t stay useful to you. That alone needs to be a motivator to start to look at how we age off this data and how we move away from just retaining data forever. That doesn’t necessarily have a use for us. And that isn’t something that we could justify having if it were problematic.

David: Those are very important pieces. In our consulting services, we often see clients that don’t know where the data lives. It’s really important to understand where it’s mapped. Under privacy legislation, and we’re not really going to get into that, there are principles and one of them is limited use. Consent is given for a certain piece and sometimes we hear the business say, “Oh, well, we’ll use the data for something else later.” Well, there’s a whole other consent requirement you have to go back to. To Amber’s point, is there really a reason to hang on to data as it ages? Yes, in some cases, there are regulatory requirements, but we’ve seen data that goes back 10 – 20 years still in organizations systems. Is there a reason it’s still there and what is the risk? It’s probably not worth hanging on to it that long.

Can you discuss the significance of real-time monitoring versus batch processing in AML detection and reporting?

David: There definitely is value in having both approaches, and often you need both. Real-time is going to help with certain things such as fraud in progress, things that need to be captured right away. An example of that is listed person or sanctions. Those are transactions that you want to stop and that’s where real-time is going to really be important.

But sometimes batch reporting is needed because it actually learns. There are longer transaction patterns that it’s detecting, that will actually help you with different types of alerts. It’s important to look over those patterns over time and for those parameters to be changed. So that the system adapts over time and patterns become normal.

Amber: Absolutely. Nothing stays the same, except for the idea that things will change eventually.

That segues nicely to our next questions. How do you see the future of AML evolving, especially with the advent of new payment methods and financial technologies?

I think it’s important to say that monitoring at scale is impossible without technology solutions. We still, from time to time, see things where people are saying all of our monitoring is manual. I think we’re coming into a space where that’s not going to be the expectations of regulators at all. And it’s important to note that. There is an expectation that we’re using some kind of technology solution, and those solutions are going to continue to evolve.

The best solutions, in my opinion, consider the whole scope of a customer’s activity. This means their activity across different products and services. For example, if a customer has a mortgage, checking account, and credit card with us, we’re not looking at the risks of each of those products in isolation. We’re seeing the scope of the activity across all the products and services that the customer is using with us.

We’re also looking at the changes in patterns over time. We’re bringing in open-source intelligence or OSINT. So, what do we know about that customer from different potential sources? Where there’s virtual currency, we’re also looking at the risks that can be incurred from on-chain activity. If we know that a certain wallet is associated with that customer, we’re look at the risk of that wallet, not just in the transactions that are happening with our institution, but we’re able to monitor the general level of that wallet over time and what that wallet is interacting with.

Similarly, we can see connections between customers, so groups of people and entities that transact with each other, people that may own companies or entities together, sit on boards together, those types of things where you have multiple touchpoints between individuals. I think, in particular, if there’s one of those individuals that suddenly becomes high risk, that’s something that can trigger us to take a look at the other individuals to see if they may be involved in similar activity that would also change their risk ratings.

I think one of the biggest challenges is still data across various regions and across various languages. As we move more towards open banking and open data, I think this becomes very interesting because there are a number of external data points that we’ll be able to pull in and use in terms of monitoring and risk in very novel ways that we don’t necessarily see today.


Final Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations – October 2023


On October 11, 2023, final amendments to regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act were published in the Canada Gazette. The most noteworthy changes fall under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations and the addition of a new regulation. This round of anticipated changes introduces the compliance requirements for armoured car companies and mortgage lending entities. Additionally, FINTRAC will now be able to charge businesses and individuals for the annual cost of its compliance program as part of its assessment of expenses funding model.

Other changes include the new requirements for correspondent banking relationships, and additional requirements related to the Money Services Business (MSB) registration.

To make reading these changes a little easier, we (thanks Rodney) have created a redlined version of the regulations, with new content showing as tracked changes, which can be found in a combined document here.

What’s Changed?

From the draft regulations published back in February of this year, there have not been significant changes to the final publication. As expected, entities that collect currency, money orders, traveller’s cheques, or other similar negotiable instruments (except for cheques payable to a named person or entity) will be treated as a new category of MSB. With these changes, such providers will be subject to existing money services businesses requirements.

With respect to mortgage lenders (brokers responsible for mortgage origination, lenders responsible for underwriting the loan or supplying the funds, and administrators responsible for servicing the loan), they will now have to comply with AML compliance requirements imposed on reporting entities. Note the definition of a mortgage lender was changed slightly from the draft regulations, narrowing the scope of who is captured.

As part of the assessment of expenses funding model, the new Financial Transactions and Reports Analysis Centre of Canada Assessment of Expenses Regulations will allow FINTRAC to pass on expenses, to reporting entities, that it incurs in the administration of the PCMLTFA. Note there have been some changes to the formula that will be used for assessment amounts. The base assessment amount for federally regulated banks, trust and loan companies, and life insurance companies will be based on their value of consolidated Canadian assets that excludes its subsidiary’s reported value of Canadian assets. Guidance related to how reporting entities will be charged has been issued and can be found here.

Please refer to our previous blog post that outlines details on the changes and the exact requirements that will come into force.

What Next?

Requirements for armoured car companies come into force on July 1, 2024, and October 1, 2024 for mortgage lending entities. Effective April 1, 2024, FINTRAC will commence recovering costs from the 2024–25 fiscal year.

In the meantime, FINTRAC will have to issue guidance related to cash transport and mortgage lending. Additionally, there may be FINTRAC policy interpretations that will no longer be able to be relied upon, as it relates to cash transport and mortgage lending.

While we await guidance, armoured car and mortgage lending entities should start working on developing their compliance program in anticipation of the respective in-force dates noted above.

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

Bill C-47 Amendments To the Proceeds of Crime (Money Laundering) and Terrorist Financing Act


Back on June 22, 2023, Bill C-47 received royal assent. As it relates to AML obligations, this has introduced changes to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). We have summarized what we believe to be the most significant changes below.

To make reading these changes a little easier, we (thanks Rodney) have created a redlined version of the legislation, with new content showing as tracked changes, which can be found here.

What’s Changed?

Amendments to the PCMLTFA introduce structuring as an offence: “Every person or entity commits an offence that directly or indirectly undertakes, or attempts to undertake, a structured financial transaction.” For clarity, a structured financial transaction is a series of financial transactions that:

  • cause a regulated entity to be in receipt of cash or virtual currency or involve the initiation of an international electronic funds transfer;
  • would, if they occurred as a single financial transaction, require a person or entity referred to report to FINTRAC; and
  • are undertaken with the intent that a regulated entity will not have to report the transaction to FINTRAC.

The offence of structuring would be punishable by a fine and/or imprisonment for a term up to five years.

These requirements come into force on a day to be fixed by order of the Governor in Council (which we are still awaiting).

Money Services Businesses (MSBs)
Amendments to the PCMLTFA will prohibit MSBs from engaging with agents or mandataries convicted of certain types of offences. As such, MSBs will be required to perform due diligence on their agents to ensure that they have not committed certain designated offences.

As part of due diligence, the following documents must be obtained and reviewed:

  • a document that sets out their record of criminal convictions, or states that the person does not have one, that is issued by a competent authority in the jurisdiction in which the person resides; or
  • if the agent or mandatary is an entity, for each of the chief executive officer, the president and the directors of the entity and for each person who owns or controls, directly or indirectly, 20% or more of the entity or the shares of the entity, a document that sets out the person’s record of criminal convictions, or states that the person does not have one, and that is issued by a competent authority in the jurisdiction in which the person resides.

If any documentation is in a language other than English or French, the person or entity shall also obtain and review a translation of it.

These requirements come into force on a day to be fixed by order of the Governor in Council (which we are still awaiting).

Also as it relates to MSBs, this round of changes has criminalized the operation of unregistered money services businesses. Any business or entity that knowingly engages in MSB activity for which it is not registered with FINTRAC is guilty of an offence and liable of a fine up to CAD 500,000 and/or imprisonment up to five years.

These requirements come into force June 22, 2024.

Back in 2022, The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) published an advisory related to Underground Banking through Unregistered Money Services Businesses highlighting the risk of such activity. If you suspect individuals or businesses are operating unregistered money services businesses or foreign money services businesses, you may wish to submit voluntary information to FINTRAC anonymously.

Other Changes
The amendments to the PCMLTFA will require regulated entities to report to FINTRAC where a reporting obligation arises under the Special Economic Measures Act as well as under the Justice for Victims of Corrupt Foreign Officials Act (Sergei Magnitsky Law).

Related to Ministerial Directives, the Minister of Finance may issue orders setting conditions in respect of the trading or suspend or cancel trading of compliance units or invalidate any trade of compliance units if the Ministers are of the opinion that the trade or use of a compliance unit has a negative impact on the integrity of the Canadian financial system or its reputation.

As it relates to sharing of information, FINTRAC will be able to share information with different governmental departments, which includes sharing information with the Department of Finance for the purposes of granting, revoking, suspending or amending approvals under the Retail Payment Activities Act.

What Next?

Regulated entities that have transaction limits in place that are just under reporting thresholds (i.e., CAD 9,990) may want to rethink those limits and the reasons they are in place, due to the offence of “structuring”.

As it relates to MSB specific changes, compliance program updates may be required where existing agent relationships exist.

As with all legislative changes, we await FINTRAC guidance for clarity.

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

TW – With Antisemitism on the Rise, Canadian AML Geeks Must Identify Hamas Linked Activity

Since Hamas’ attacks on Israel on October 7th, 2023, several Canadians have been reported dead. Several more are being held hostage.

Closer to home, on October 12th, a day on which Hamas’ leaders were calling for a “global day of Jihad,” three young men, two of whom were minors, entered a Jewish school in Toronto, ON, destroyed property and uttered threats of death and violence. Ultimately, they left the school and were arrested without any violent fallout. They are now free on bail, while students of the school grapple with mounting terror and trauma.

While we have, as Canadians, enjoyed a long period of relative peace and prosperity, we cannot rest in any certainty that global conflicts will not land on our home shores. In all likelihood, they already have.

As practitioners in the anti-money laundering (AML) and counter-terrorism financing (CTF) spaces, we must look to gain deeper understandings of the funding mechanisms that fuel such incidents in the hope that such intelligence can be used to prevent, detect, disrupt and deter such activities. While it is not yet clear whether last week’s school incident was financially motivated, it is noteworthy that there are well-known paths for terrorism funding paths related to attacks against Jews in Israel:

  • Funds originating in Iran, but often flowing through sympathetic third countries flow to terrorist conspirators and their families;
  • Payments are made in specific amounts for the completion of specific tasks: e.g.
    • USD 10,000 for each death of a targeted person, or person from a targeted group; and
    • Additional bonuses paid to the family of the threat actor where they lost their own life, such as in a suicide bombing.

While it does not appear that such brazen attacks are yet being carried out against Jews on Canadian soil, it is nonetheless important to be vigilant. On October 20th, the U.S. AML authority, the Financial Crime Enforcement Network (FinCEN) related updated guidance specific to Hamas and related activity. While the Canadian authority, the Financial Transactions and Analysis Centre of Canada (FINTRAC) has not yet released specific guidance, its guidance on terrorism financing, including guidance on ideologically motivated domestic extremism is instructive. The bulletin notes that when reporting to FINTRAC, #IMVE can be used to denote “ideologically motivated violent extremism” in the freeform field.

From the FinCEN bulletin, we know that:

  • Operatives are being harboured in, and funds are flowing through third countries including:
  • Sudan
  • Türkiye
  • Algeria
  • Qatar

From a Canadian perspective, it’s important to note that the sanctions regime related to Iran is not the same as in the US, and it is possible to see transactions originating directly from Iran as well.

Red flags include

  • Transactions with a nexus to sanctioned entities, persons or virtual currency addresses
  • Information in a transaction (such as the message to the recipient) that appears to support Hamas or related terrorist activities
  • Unusual MSB transactions (e.g. a customer that does not usually deal with MSBs) involving MSBs that deal in high risk jurisdictions, including the third countries noted above, or Iran[1]
  • Transactions that involve vaguely named or described “trading companies” that have a nexus in high risk jurisdictions, including the third countries noted above, or Iran
  • Charities or not for profit organizations that collect donations and do not appear to do charitable works, or appear to support Hamas or other terrorist groups, or activities.

Canadian reporting entities can submit suspicious transaction reports to FINTRAC, and should indicate in the opening sentence that the activity being reported may be related to terrorism and threats to Canada’s national security. For non-reporting entities, a voluntary report can also be submitted online. In both cases, the person and/or entity submitting the report is protected so long as the report is made in good faith.

Reports related to matters of national security can also be made directly to the Royal Canadian Mounted Police (RCMP) RCMP National Security Information Network by phone at 1‐800‐420‐5805 or by email at Reports can also be made to the Canadian Security Intelligence Service (CSIS) online.

As an AML geek, and as an ally, I urge all readers to be vigilant in your personal and professional lives. Hate cannot be allowed to spread unchecked. Terror must not be permitted to reach into our schools. We must stand against it.

[1] In Canada, transactions with a nexus to Iran are permitted for some purposes, however, all transactions with a known nexus to Iran are reported to FINTRAC under the Canadian Ministerial Directive on Iran –


Ministerial Directives Related to Iran & LVCTRs

There have been a number of conversations floating around about FINTRAC Large Virtual Currency Transaction Reporting (LVCTR) obligations as it relates to transactions involving Iran, and potentially involving Iran, under the current Ministerial Directive (MD). While this is not a new requirement (LVCTRs were effective June 1, 2021 and the original MD became effective July 25, 2020), there has been clarification provided with regards to reporting, and what activities trigger which reports.

For background, Outlier Compliance Group wrote an article on what the Iran-related MD entails, so if you are not familiar with the requirements, we suggest starting there.

Existing Guidance

The existing MD guidance does not align with the information provided in a recent policy interpretation for reporting transactions involving Iran that generally are not otherwise reportable, such as a transaction below the reporting threshold. The current guidance says the following:

Any transaction involving the receipt of virtual currency (VC) for exchange to Iranian rial, or VC that is equivalent to an amount under the reporting threshold of $10,000 CAD must be reported using the LVCTR by:

    • Inserting the IR2020 code when using the LVCTR upload; or
    • Selecting IR2020 in the ‘Ministerial Directive’ field of the LVCTR.
    • Because the report is related to the MD, you must ensure that the information provided reflects a connection to Iran.

Recent Interpretation

On June 11, 2023, a policy interpretation was submitted to clarify FINTRAC’s expectations with regards to reporting VC transactions related to the Iran MD. A few specific scenarios were included to ensure an easily digestible response was provided. The portion below is the most noteworthy sections of the response from FINTRAC clarifying the expectation of reporting virtual currency transactions that are below the reporting threshold where there is a nexus to Iran:

To answer your question regarding other instances that could involve the receipt of VC originating from Iran in one or more transactions under the threshold, please refer to section 3) of the Ministerial Directive. It states that any transaction (originating from or bound for Iran) must be treated as a high-risk transaction for the purposes of subsection 9.6(3) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), and must be reported to FINTRAC. Where these transactions involve the receipt of VC but cannot be reported using an LVCTR, they must be reported using the Suspicious Transaction Report (STR) with the IR2020 code.  Only completed transactions can be reported through an STR if the only reason for reporting is that the transaction is originating from or bound for Iran. An attempted transaction should only be reported when you have reasonable grounds to suspect that the transaction is related to the attempted commission of a money laundering or terrorist activity financing offence. 

Further to section 3(a) of the Ministerial Directive, you need to look at a variety of elements when determining whether a transaction originates from or is bound for Iran because the circumstances of each transaction are different. The exchange of VC for Iranian rial is not the only circumstance in which a VC transaction may fall under the Ministerial Directive. After you’ve considered the facts, contexts and indicators of a transaction and you determine it is subject to the Ministerial Directive, you must determine if the transaction(s) should be reported using the LVCTR or STR, as described above.

I’ve provided the reporting information for the scenarios you presented in your email:

    1. Virtual currency that originates from an identified virtual currency exchange in Iran.
      • Report the transaction in the STR with code IR2020.
    2. Virtual currency that originates from a wallet address identified as being in or from Iran.
      • When the conductor, beneficiary or third party address details list Iran as the country, and the transaction is not a VC exchange to Iranian rial, report the transaction in the STR with code IR2020.
    3. Travel rule information from the receiving client (or from a participant in the travel rule network) that sent the virtual currency from an address associated with an Iranian virtual currency exchange, or a person or entity in Iran that is not captured under the Ministerial Directive.
      • If a VC transaction has travel rule information that indicates it originates from or is bound for Iran and it does not meet the LVCTR criteria for the Ministerial Directive, the transaction must be reported using the STR with code IR2020.

So What Do I Need To Do?

What is important to understand in this clarification, is the obligation to report every transaction that has a nexus to Iran, such as originating from a VC exchange in Iran, and how that is to be reported. Where a transaction is not otherwise reportable to FINTRAC via an LVCTR, it must be reported using a Suspicious Transaction Report (STR) and the MD indicator IR2020 must be selected (we also suggest including IR2020 in the opening of the narrative in Section G). Transactions that are not otherwise reportable to FINTRAC include VC exchange transactions below the reporting threshold, as referenced in the response from FINTRAC.

Moving Forward

In order to ensure you are compliant with the MD obligation, a thorough lookback to June 1, 2021 for all VC transactions below the reporting threshold, that may have had a nexus with Iran, needs to be performed. Should transactions that should have been reported be found, a Voluntary Self-Disclosure of Non Compliance (VSDONC) should be submitted to FINTRAC. For more information on VSDONCs and how to complete one, please see our blog post on the topic.

Need a Hand?

If you are looking for help completing a lookback or would like a second set of eyes on a VSDONC, please feel free to contact us.

Proposed 2023 AML Changes: Mortgage Lenders and Armoured Car Services


February seems to be the month for proposed legislative changes.

On February 18, 2023, draft amendments to the regulations under the Proceeds of Crime Money Laundering and Terrorist Financing Act (PCMLTFA), and a net-new draft regulation, were published in the Canada Gazette. If you’re the type that likes to read original legislative text, you can find it here. We (thanks Rodney) also created a redlined version of the regulations, with new content showing as tracked changes, which can be found here.

These changes are meant to renew and improve Canada’s anti-money laundering (AML) and Counter Terrorist Financing (CTF) regime, adapting to new money laundering (ML) and terrorist financing (TF) risk. One of the most significant changes, in our opinion, is the introduction of two new regulated entity types, mortgage lenders and armoured car companies.

Currently, mortgages issued by financial entities are captured under the PCMLTFA but these amendments would make all entities involved in the mortgage lending process (brokers responsible for mortgage origination, lenders responsible for underwriting the loan, and administrators responsible for servicing the loan) reporting entities. The intent here is to level the playing field between regulated and unregulated mortgage lenders, and to deter misuse of the sector for illicit activities.

While the activity of transportation is not currently supervised for AML purposes per se, armoured car carriers provide services largely to regulated entities. Given the flow of funds that is typically seen in this sector, reconciliation and identification of the origin of funds can sometimes be challenging, and allows funds to move with some degree of anonymity, which is an ML/TF vulnerability.

The draft regulations also introduce new requirements for correspondent banking relationships, and additional requirements related to the Money Services Business (MSB) registration. There are also some technical amendments related to existing reporting requirements and changes related to Administrative Monetary Penalties (AMPs).

Lastly, a new regulation would introduce a prescribed formula for the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) to assess the expenses it incurs in the administration of the PCMLTFA against reporting entities. Such models are seen from other regulators, such as the Office of the Superintendent of Financial Institutions (OSFI) and the Financial Consumer Agency of Canada (FCAC). Currently, FINTRAC is funded through appropriations.

In the following sections, we have summarized what we feel are the most important requirements to note.

Armoured Car Companies

The proposed changes would require a company that engages in “transporting currency or money orders, traveller’s cheques or other similar negotiable instruments” (except for cheques payable to a named person or entity) to be considered an MSB. As such, the following obligations will have to be met:

  • Development of a compliance program;
  • Maintaining an up-to-date MSB registration with FINTRAC;
  • Conducting compliance effectiveness reviews;
  • Reporting certain transactions;
  • Identifying customers;
  • Record keeping;
  • Risk ranking customers and business relationships;
  • Conducting transaction monitoring and list screening;
  • Conducting enhanced due diligence and transaction monitoring for high-risk customers and business relationships; and
  • Follow ministerial directives and transaction restrictions.

One record keeping obligation to note, which is new for armoured car companies, is the requirement to record the following information when transporting CAD 1,000 or more of cash or virtual currency, or CAD 3,000 or more in money orders or similar negotiable instruments:

  • The date and location of collection and delivery;
  • The type and amount of cash, virtual currency or negotiable instrument transported;
  • The name and address of the person or entity that made the request, the nature of their principal business/occupation and, in the case of an individual, their date of birth;
  • The name and address, if known, of each beneficiary;
  • The number of every account affected by the transport, the type of account, and the name of the account holder;
  • Every reference number that is connected to the transport, and has a function; equivalent to that of an account number; and
  • The method of remittance.

An additional requirement that will apply to armoured car companies is in relation to PEP determinations (existing PEP requirements for MSBs still apply). Specifically, a PEP determination is required whenever a person requests that the MSB transport more than CAD 100,000 in cash or virtual currency, or in an amount that is not declared.

Under the proposed regulations, there are some exemptions for reporting that are noteworthy. Large Cash and Large Virtual Currency reporting requirements will not apply where there is an agreement of transportation between:

  • The Bank of Canada and a person or entity in Canada;
  • Two financial entities;
  • Two places of business of the same person or entity; or
  • Canadian currency coins for purposes of delivery under the Royal Canadian Mint.

It is noteworthy, based on the definition, that there may be more than just armoured car companies that are captured under these new requirements. This will be clarified in guidance from FINTRAC that will follow publication of the legislation.

The requirements applicable to armoured car companies will come into force eight months after final publication in the Canada Gazette.

Mortgage Lending

The proposed regulations would require mortgage lenders, brokers, and administrators (mortgage participants) to put in place compliance regimes, similar to that of other regulated entities, which include the following:

  • Development of a compliance program;
  • Conducting compliance effectiveness reviews;
  • Reporting certain transactions;
  • Identifying customers;
  • Keeping records;
  • Risk ranking customers and business relationships;
  • Conducting transaction monitoring and list screening;
  • Conducting enhanced due diligence and transaction monitoring for high-risk customers and business relationships; and
  • Follow ministerial directives and transaction restrictions.

It is noteworthy, that many mortgage brokers already have existing voluntary AML compliance programs and already apply AML measures. This is in part due to various securities regulations and lending partners.

The requirements applicable to mortgage lending will come into force six months after final publication in the Canada Gazette.

Cost Recovery

As part of this round of regulatory changes, there is a net-new regulation, the Financial Transactions and Reports Analysis Centre of Canada Assessment of Expenses Regulations. This regulation will allow FINTRAC to pass on expenses, to reporting entities, that it incurs in the administration of the PCMLTFA. Only the following prescribed entity types are affected by this:

  • Banks and authorized foreign banks;
  • Life insurance companies;
  • Trust and loan corporations; and
  • Every entity that made more than 500 threshold reports during the previous fiscal year.

The regulations provide a formula that FINTRAC would use to calculate the assessment amounts payable by reporting entities on the basis of their annual asset value, and the volume of all threshold transaction reports submitted. For clarity, threshold transaction reports include Large Cash Transaction Reports (LCTRs), Large Virtual Currency Transaction Reports (LVCTRs), Electronic Funds Transfer Reports (EFTRs), and Casino Disbursement Reports (CDRs).

The requirement would come into force on April 1, 2024. This means FINTRAC would commence recovering costs from the 2024-2025 fiscal year and forward.

Other Changes

Enhancing MSB registration

Under the proposed amendments, as part of MSB registration, MSBs would now need to include the telephone numbers and email addresses of its president, directors and every person who owns or controls 20% or more of the MSB. This is in addition to current required information. Additionally, the number of the MSB’s agents, mandataries and branches in each country will be added (currently, only those within Canada are required).

This requirement will come into force twelve months after final publication in the Canada Gazette.

Streamlining requirements for sending AMPs

Under the proposed amendments, FINTRAC would be allowed to serve a reporting entity solely by electronic means when issuing an AMP. Currently, FINTRAC would also have to send an additional copy by registered mail.

This requirement would come into force on registration.

What Next?

There is a 30 day comment period (ending March 20, 2023) for the proposed regulations. It is strongly recommended that industry, and potentially impacted companies, review carefully and provide feedback. Comments can be submitted online via the commenting feature after each section of the proposed changes, or via email directly to Julien Brazeau, Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance, 90 Elgin Street, Ottawa, Ontario K1A 0G5.

We’re Here To Help

If you have questions related to the proposed changes, or need help starting to plan, you can get in touch using the online form on our website, by emailing us directly at, or by calling us toll-free at 1-844-919-1623.

The Proposed Retail Payment Activities Regulations


On February 11, 2023, the proposed Retail Payment Activities Regulations were published in the Canada Gazette. This is to support the Retail Payment Activities Act (RPAA) which was released under Bill C-30 and received royal assent in June 2021. The Retail Payment Activities Regulations are required to bring the RPAA into force.

A Payment Service Provider (PSP) is defined as an individual or entity who performs payment functions as a service or business activity that is not incidental to another service or business activity. Certain entities, such as financial institutions, are exempt as they are regulated under other federal obligations (i.e., Office of the Superintendent of Financial Institutions’ Operational Risk and Enterprise Risk management guidelines.)

The current lack of requirements and supervision increases risks, such as the risk of financial loss in instances of business insolvency, and threats to the security of sensitive personal information. The Regulations aim to address gaps in the supervision of unregulated PSPs and are meant to align with other jurisdictions which already have regimes for PSPs.

The principles that guide the Regulations are:

  • Necessity — supervision should address risks that lead to significant harm to end users and avoid duplication of existing rules;
  • Proportionality — level of supervision should be commensurate with the level of risk posed by the payment activity;
  • Consistency — similar risks should be subject to a similar level of supervision; and
  • Effectiveness — requirements should be clear, accessible and easy to integrate within different payment services.

PSPs will be required to apply and register with The Bank of Canada (no date for this yet). There is a proposed registration fee of CAD 2500. Additionally, an annual assessment fee will be required.

In the following sections, we have summarized what we feel are the most important requirements to note.

Operational Risk Management

PSPs will have to implement and maintain an Operational Risk Framework consisting of the following:

  • Identify its operational risks (i.e., business continuity, cybersecurity, fraud, data management, information technology, human resources, process and product design and implementation, change management, physical security and third parties);
  • Protect its retail payment activities from those risks;
  • Detect incidents and control breakdowns;
  • Respond to and recover from incidents;
  • Review, test and audit its Risk Management Framework;
  • Establish roles and responsibilities for the management of operational risk;
  • Have access to sufficient human and financial resources; and
  • Manage risks from third-party service providers, agents and mandataries.

PSP must ensure that the above are proportional to the impact that a reduction, deterioration, or breakdown of its payment activities could have on end users.

Incident Response

Under the proposed Regulations, PSPs must develop a comprehensive plan for investigating, responding to and recovering from incidents that have a material impact on an end user. An incident is defined as an event or series of related events that is unplanned and that results in or could reasonably be expected to result in the reduction, deterioration or breakdown of any payment activity performed by a PSP.

The incident would be reported to the Bank of Canada and would include the following at a minimum:

  • A description of the incident;
  • The impact on individuals or entities listed in the Act; and
  • Actions taken by the PSP to respond to the incident.

There would also need to be a notice to impacted end users and other impacted parties.

PSPs can only resume operations after an incident once they have verified the integrity and confidentiality of all systems, data and information have been restored, and that it is able to perform retail payment activities without reduction, deterioration or breakdown.

Audit, Testing and Training

Under the proposed Regulations, PSP’s will have to complete various types of testing related to the Framework and have training in place.

All staff who have a role in establishing, implementing or maintaining the PSP’s Risk Management Framework must be provided with the information and training that are necessary to carry out that role.

Framework Review

On at least an annual basis, PSP’s must evaluate its compliance with regulatory requirements. Such a review is also required before any significant changes are made to the PSP’s operations or controls after an incident (defined in the section above).  The findings of the review must be reported to a senior officer.


PSPs must also establish and implement a testing methodology to determine the effectiveness of its Risk Management Framework. This must be tested at least once every three years and findings must also be provided to a senior officer.

Independent Review

In addition to the above, a PSP must have their Framework independently reviewed at least every three years. The review must be documented and describe the scope, methodology use and findings. Findings of the review must be reported to a senior officer.

Biennial Independent Review

PSPs must have requirements related to safeguarding of funds tested at least once every two years by a sufficiently skilled individual who has had no role in the establishment, implementation, or maintenance of the safeguarding requirements under a PSPs Framework. We discuss what safeguards requirements are below.


PSPs will be required to hold customer funds in a trust account or a segregated account, with insurance or a guarantee to safeguard end-user funds against financial losses due to insolvency.

For consumer protection, the Regulations contain requirements to protect the end user from loss. These requirements include:

  • End-user funds must be held at prudentially regulated financial institutions;
  • Insurance or guarantee cannot be from an affiliate of the PSP;
  • The proceeds from the insurance or guarantee cannot form part of the PSP’s estate;
  • The Bank of Canada must be notified at least 30 days in advance of the cancellation of the insurance or guarantee;
  • PSPs must implement and maintain a written fund safeguarding framework to ensure that end-users have reliable access to their funds without delay; and
  • PSPs must keep a ledger with the names of their end-users and the amount of funds held.

This will require detailed flow of funds documentation.


Under the proposed Regulations , PSPs will have to complete various types of reports.

Annual Report

PSPs will need to provide an annual report to the Bank of Canada, no later than March 31 of each year.  Some of the information that must be contained in the report is:

  • A description of any changes made to the payment service provider’s risk management and incident response framework;
  • A description of the human and financial resources for implementing and maintaining the risk management and incident response framework;
  • A description of the PSP’s operational risks in respect of the reporting year, their potential causes and the manner in which they were identified;
  • A description of the systems, policies, procedures, processes, controls, including any approvals required;
  • A description of training;
  • A description of all reviews, and independent reviews; and
  • A description of any incidents that the payment service provider experienced during the reporting year.

Also, the report will need to contain certain volume and value statistics related to the services a PSP is providing.

Significant Change Report

PSPs will be required to notify the Bank of Canada, at least five days in advance, before making a significant change that could materially impact operational risks or the safeguarding of end user funds.

The information that must be contained in the report is:

  • The name and contact information of the individual who may be contacted regarding the significant change;
  • A description of the change or new activity to be performed;
  • The reason for the change or new activity;
  • The date on which the change is to be made;
  • The PSP’s assessment of the effect that the change or new activity will have on its operational risks; and
  • A copy of all documentation in relation to the PSP’s Risk Management Framework, that has been amended to reflect the change or new activity, including any necessary approvals.

If a PSP has senior officers, the change or new activity must be approved and receive formal sign off by senior management before submission of a report. This should be taken into account from a planning perspective, as it can take some time to obtain such internal approvals.

Incident Report

PSPs must report incidents that have a material impact on an end user, other PSPs, or designated financial market infrastructures, to the Bank of Canada and other impacted individuals and entities.

The information that must be contained in the report is:

  • A description of the incident;
  • What impact does the incident have on individuals and entities; and
  • What actions have been taken by the PSP to respond and remediate.

The Regulations do not make it clear what timeframe is required for reporting such incidents, however they do state the standard time to respond to a request from the Bank of Canada is 15 days. Failure to report an incident can result in an administrative monetary penalty classified as very serious.

What Does This Mean?

From the highlights, it’s evident that these Regulations will create a substantial burden for PSPs, especially ones that are smaller or just starting. A significant amount of time, resources and cost are going to be needed to manage the compliance requirements that PSPs will need to follow. If a PSP does not comply or there is partial compliance, they may be subject to administrative monetary penalties that range from CAD 1,000,000 per each serious violation, up to CAD 10,000,000 per each very serious violation. The draft Regulations did not make clear what a dispute process would like.

It should be noted that most PSPs captured under the RPAA are also considered money services businesses (MSBs), and as such must also comply with anti-money laundering (AML) compliance obligations. Check out our blog related to that here.

What Next?

Due to these changes not being final, we wait. There is no set date for when we can expect final legislation or when they will come into force, but it is a good time to start budgeting and align resources.

Also, as there is a 45-day comment period for the proposed Regulations which closes on March 28, 2023, PSPs should review the Regulations carefully and provide feedback. Comments can be submitted online via the commenting feature after each section of the proposed Regulations, via email, or via regular mail to Nicolas Marion, Senior Director, Payments Policy, Department of Finance, 90 Elgin Street, Ottawa, Ontario K1A 0G5.

We’re Here To Help

If you have questions related to the proposed changes, or need help starting to plan, you can get in touch using the online form on our website, by emailing us at, or by calling us toll-free at 1-844-919-1623.

New Illegal Wildlife Trade Indicators

FINTRAC has published a new Operational Alert on the Illegal Wildlife Trade.

The alert includes diagrams of known fund flows, both into and out of Canada (though the latter is most common). Three categories of indicators are included:

  • General wildlife trade,
  • Import into Canada, and
  • Export from Canada.

As a Compliance Officer, it’s important to think through where these indicators might be visible to you and your team. For instance, if you are offering remittance or payment services, and there is an available memo or purpose of payment field, there are several keywords in the indicators that should be added to your monitoring parameters (if they haven’t been already).

All Canadian reporting entities must use this information to:

  • Update the indicators in training materials,
  • Update the indicators in policies and procedures, and
  • Update transaction monitoring mechanisms (where applicable) to detect relevant indicators.

Of course, if you require assistance, Outlier Compliance is here to help. Please feel free to contact us.

Return to Blog Listing