Dealing with FINTRAC: AML and regulatory scrutiny Artwork

Torys LLP Podcasts

Hear the top legal minds at Canadian corporate law firm Torys LLP—along with business and industry leaders—discuss the latest trends, challenges and developments shaping the business and legal landscapes in North America.

All Episodes

Torys LLP Podcasts

Dealing with FINTRAC: AML and regulatory scrutiny

January 14, 2026

As financial crime grows increasingly sophisticated, regulatory scrutiny for reporting entities is on the rise. In this conversation, Torys’ AML team explores the latest regulatory developments, trends and emerging risks in anti-money laundering enforcement efforts, and explores best practices for dealing with FINTRAC to proactively reduce the risk of enforcement action.

This podcast, taken from a recent webinar, provides an overview of FINTRAC’s supervisory framework and its Administrative Monetary Penalty (AMP) regime, highlighting recent trends in enforcement actions and proposed legislative amendments.

Peter Aziz (00:09)

Hello everyone, and thank you very much for joining us today. We're here to talk about what's new in AML and financial crime, and in particular dealing with FINTRAC. So, there are four of us here today. I'll let my colleagues introduce themselves, but basically as a starting point, dealing with FINTRAC is primarily an administrative law matter. So, we have both—obviously it requires AML and sanctions experts, but it's really a combination of both working together.

So with that in mind I'm Peter Aziz, I'm senior counsel here at Torys. I've been dealing with AML since the very first Proceeds of Crime Act in 1990, when I was an articling student in 1991. So, I deal in AML sanctions, consumer protection, and I co-chair our payments and cards group.

And my colleague Marissa Daniels.

Marissa Daniels (01:00)

Hi, everyone. I'm Marissa Daniels. I am counsel in our financial services regulatory group. Much like Peter, I deal with matters relating to AML sanctions, consumer protection and various payments and cards matters.

Now, I'll turn it over to Hailey.

Hailey Schnier (01:15)

Hi, everyone. I'm Hailey Schnier. I'm a senior associate in our financial institutions regulatory group here at Torys. I work very closely with Peter and Marissa and Jon as well, who you will meet shortly, on AML matters and—as well as sanctions and consumer protection matters.

Jon Silver (01:32)

And I'm Jon Silver, I'm a litigator that has a broad administrative law regulatory practice. So I work with Peter, Marissa and Hailey in infusing a litigation approach and lens into different regulatory disputes with FINTRAC and other regulatory bodies. And although I am a litigator, you know, my practice is not just in court. So I, I do a lot of work advising and working behind the scenes to make sure that a litigation approach is being considered when any of our clients are interacting with regulators.

Peter Aziz (02:05)

Thank you. So, so very quickly, so the, the agenda we have today, we're going to provide a very quick overview of FINTRAC’s enforcement measures. And then we're going to talk about AMPs, which of course are a huge concern these days. And then we're going to talk about what you can do to, to help insulate yourselves. We're going to talk about proactive measures for reporting entities, and finally the stages of the FINTRAC review process. And again, best practices for reducing risks of enforcement action. So, I'm going to hand the mic to Hailey now.

Hailey Schnier (02:39)

Thanks. So as Peter said we're, we're going to take a step back and give some background and context to FINTRAC and to the legislative regime dealing with AML in Canada before we get into the meat of the presentation.

So if you're joining today, you likely already know a lot of this. But the main AML regulatory requirements do come from the Proceeds of Crime, Money Laundering and Terrorist Financing Act, which applies to reporting entities.

And some examples of that are financial entities, securities dealers, money services businesses—MSBs and foreign MSBs—and what's interesting is that the scope of reporting entities has quite expanded in recent years. And as recent as last month. So, some new additions are factoring companies, cheque cashers—who have to register as MSBs with FINTRAC—financing and leasing companies (that was April 2025), as well as title insurers and acquire services for private ABMs—that was as recent as October 2025.

I also just wanted to briefly remind everyone that our AML obligations do stem from the Criminal Code, which applies to all Canadians or persons in Canada, and sets out various offenses dealing with aiding and abetting, or dealing in the proceeds of crime or conspiring to do so. So just to be mindful that even if you're attending this presentation and you're not at a reporting entity, you do still have the Criminal Code obligations, and you should be mindful of everything we're talking about here still.

Also, if you're not a reporting entity, you should consider whether a reporting entity is requiring you to comply with the Proceeds of Crime Act contractually.

And for those who are from—joining us from a reporting entity, just important to keep in mind to continuously monitor the various additions to the scope and the new reporting entities being added, because you will want to make sure that your clients are complying with the Proceeds of Crime Act.

So next: FINTRAC. So, you've likely heard about FINTRAC. Generally speaking, its mandate is to detect and deter money laundering, to gather financial intelligence and to provide this intelligence to the RCMP and CSIS in order to prevent and, and stop money laundering in Canada.

FINTRAC’s mandate and FINTRAC’s actions—enforcement actions have severely expanded over the past decade, as you will hear about in this presentation. And we just wanted to explain some context as to why.

So first, taking a step back to the Financial Action Task Force, FATF. Canada is a member of FATF and FATF does a periodic review of Canada and its AML and ATF anti-terrorist financing regime. And in its review in 2021, FATF found—sorry, in 2016, FATF found a lot of room for improvement. It subsequently issued a follow-on report in 2021 where there was still some progress in Canada, but still some improvements, and the current FATF review of 2025 is underway.

We understand that it was recently completed and FATF is now preparing their report. And so, a lot of the various actions and additional AMPs that we're going to describe in this presentation stem from that, from FINTRAC’s desire to take its oversight and enforcement actions very seriously and to demonstrate that to FATF.

On top of that was—taking another step back, it's 2022, the Cullen Report. That was a commission into money laundering in—specifically in BC, but it inferred, made a lot of inferences as to the state of money laundering in Canada. It demonstrated that there were billions of funds being laundered in Canada and showed several gaps in Canada's AML regime and in FINTRAC’s enforcement.

So next, I just want to briefly provide an overview as to FINTRAC’s supervisory framework.

So there's three pillars of supervision. The first is engaging, which is essentially communication: working as a partner with reporting entities, providing guidance, providing policy interpretations, working with the industry to identify themes and trends and issues in, in, that they’re, FINTRAC, is seeing and, and trying to proactively assist reporting entities to mitigate money laundering.

And then next we have monitoring, so that's FINTRAC’s assessment powers and role. This can take place of, it’s examinations, through supervisory letters, VSDONCs, which we'll discuss later. And the, the main point here is really just that FINTRAC does take a risk-based approach. Since there are, there is a proliferation of reporting entities, it doesn't really have a choice. It has to focus on the higher-risk entities to the extent that it can, and focus its enforcement and supervisory efforts there.

And the third stage is enforcing. So the, the hot topic of today will be AMPs. That is FINTRAC’s key tool for enforcement. We also have FINTRAC issuing notices of violation and entering into compliance agreements with reporting entities, but ultimately it all comes down to the AMP.

So speaking of AMPs, we're going to just explain briefly how AMPs have been changing. The intensity in which FINTRAC has been imposing AMPs. As you can see on this slide, FINTRAC has been stepping up its enforcement, it has become more active and more aggressive, and the numbers speak for themselves. So you'll see, with the little break during Covid, AMPs have really been increasing to the point of 2025, where we've already seen 25 AMPs to date, and most recently, last week there were five on November 20th, and so FINTRAC has become much more active. As you will likely know, the AMPs are now publicly reported, and that's since 2019, FINTRAC have been publicly issuing the violations and, and publicly posting the AMPs on its website.

And we just wanted to also illustrate that there is a variety of reporting entities receiving AMPs. There's not just one sector that FINTRAC has focused on. There is a bunch of different sectors. The five that came last week were on the real estate sector, but we've also seen AMPs on financial institutions, securities dealers, casinos. There's been a bunch of different reporting entities that have received AMPs.

And just to illustrate that, it's not only the number of AMPs that's increasing, it's the amount of AMPs that have been increasing. So, giving some recent examples, I'm not going to go through each one, but I'll just say most recently we saw the largest AMP that has ever been imposed by FINTRAC in its history, which was against Xeltox Enterprises, which is an MSB, where FINTRAC found approximately 2,500 contraventions of the Proceeds of Crime Act, and it's currently under appeal to the Federal Court. The number itself is quite alarming: $176 million. I, for one, had to read it over a few times just to make sure I was seeing it right. So that—it will be interesting to see what the Federal Court has to say about that AMP.

So the legislation has also been becoming updated. There are various proposals which have to do with a variety of elements of the Proceeds of Crime Act. But today, we're just going to focus on how recent proposals have proposed to increase the amount of AMPs in the—in what can be imposed by FINTRAC.

So you'll see in the chart below the current maximum penalty for the various violation types, and that's how FINTRAC does levy its AMPs. It's based on each violation and what it categorizes in the Proceeds of Crime Act the contravention to be. So we've got “minor”, “serious” and “very serious”. Just to, just to show how large the AMPs can actually be if the new legislation is passed, the current maximum penalty for “very serious” is $500,000 per violation, and that could be up to $20 million.

So, we've seen now various attempts by the federal government to implement these changes. We have Bill C-2, which came into play in June, Bill C-12, which provides a more streamlined approach but still preserves this proposal. And we even had the federal government as recently as a couple of weeks ago indicating its strong support for Bill C-12 in these changes.

Peter Aziz (10:44)

So, so then given the, the increase in maximum fines by a factor of 40, one thing that, you know, a question that, that clients and everybody in industry has is, “Well where are AMPs going? Where is FINTRAC going with AMPs?” Does this mean that when we see something like a seven or a seven to nine million dollar fine given to a large bank, that it could be 40 times that?

So I think the answer to that is probably going to come out of this discussion. But generally, it seems like the largest AMPs are reserved for entities, as Hailey mentioned, where there's no attempt at all to do compliance. And so, you know, if nobody's doing anything, well then the only alternative seems to be, “Well, the only way to, it's, it seems that we can motivate you to do something is to threaten you with an, an AMP.”

And, and for the last one, the largest one out of $176 million, that is—I mean, some people have said that's largely performative on the part of FINTRAC to say, “Yeah, we're serious about AML compliance. We're serious about our enforcement role.” But it's highly unlikely that even if that is upheld, that the government would ever, would ever collect any of it.

Hailey Schnier (12:01)

So just briefly, I'm going to explain what the three factors that are considered when imposing an AMP that are required by the Proceeds of Crime Act and which FINTRAC and, must consider as well as its director, if there's ever—the director has to ever consider what is being, being levied.

So, the three current factors set out in the Act are the purpose of AMPs, which are to encourage compliance, not to punish. So they're non-pun—punitive. The harm done by the violations, so for example, if the AMP is for failing to submit a suspicious transaction report, FINTRAC is to consider what the implications are of that, and not filing that report and not having that financial intelligence. And finally, the reporting entity's history of compliance: whether this is the first time levying an AMP, second receiving an AMP, or third.

What's interesting is that in Bill C-12, a new factor that's been proposed is the entity's ability to pay an AMP. And that's actually really key as we're seeing the, the value in AMPs potentially severely increasing. So next I'm going to pass it to Jon to dive into each factor in a bit more detail.

Jon Silver (13:11)

Thanks, Hailey. So FINTRAC, like many other regulators, has a administrative monetary penalty guide, guideline or policy. And the policy sets out how they go about assessing AMPs, because obviously the numbers that we showed you are very different. And the, the nature of the ultimate penalty that is levied really depends on the application of the discretion at FINTRAC as to how to assess the harm and ultimately to consider the mitigating factors.

So there's been a recent update to the FINTRAC AMP policy. What you see on the slide is the new policy. We'll talk a little bit about the old policy because there were important changes that we'll, we'll see how they play out. But the policy was only amended in August, so hasn't been a long time.

But if FINTRAC essentially takes a two-step approach, it first considers the harm done, and as Hailey described, if what we're dealing with is the failure to report a suspicious transaction, there's a number of criteria that they have. There's an actual entire guidebook on FINTRAC’s website, but how they assess that harm, so there's a base amount, and then they look to see whether or not there are any mitigating factors themselves with respect to how the entity either failed—is it a complete failure to report? Is it a partial failure? Did they fill out the form wrong but there's enough information for FINTRAC to consider it? If there was a request from the police for a production order, even if they didn't, you know, file a suspicious transaction report, did they give the information to the police in another way?

So there's a number of factors. And FINTRAC, what they first do is they decide, okay, what is sort of the base amount based on the harm done. And then they turn to step two, where they consider those other two factors they're required—so the first factor as, as Hailey mentioned is harm done by the violation. And then they are required to consider both the, both the entity’s history of compliance, as long, as well as the purpose of AMPs, which is to not to punish but to ensure compliance.

And, you know, ultimately this is a discretionary decision. It involves judgment that FINTRAC’s applying on the basis of, of, you know, a number of factors. But typically what you'll see is, you'll see, and in the, you know, notice of violation, which we'll talk about is sort of the charging document per se, where you understand what the potential AMP is going to be, you see the assessment of the harm done. And then usually that is reduced on the basis of the compliance history and the non-punitive factor.

And if we turn the slide, there was an important case released—it was released confidentially last year but released publicly earlier this year—Norwich Real Estate Services from the Federal Court.

And we'll explain a little later in the presentation how an AMP gets all the way to the Federal Court. You know, there's a number of steps in the process that ultimately leads to a statutory appeal. And in this appeal, the Federal Court considered an $150,000 AMP levied on a real estate broker. This is under the old AMP framework, which I'm going to, you know, talk about in a second. But essentially under that old framework, there was still an assessment of the harm done, but then there were a little bit of more prescriptive criteria, in FINTRAC’s AMP policy as to how they applied the reduction for the compliance history and the non-punitive purpose.

So what they would do is they would apply a two-thirds reduction to the base penalty if it was a first time offense. And I say offense even though we're not dealing with offenses, these are penalties. They're not criminal. They're, they're, they're not—they're considered to be non-punitive and considered to be compliance-oriented. But what they used to do is they would apply a two-thirds reduction for a first time AMP to a one-third reduction for a second time, and no reduction if it was your third time receiving an AMP.

And what happened here is the matter went to the director, which is the step before the Federal Court and the director applied that reduction, but didn't actually consider whether the adjusted penalty was ultimately necessary to encourage compliance. And so the appeal before the Federal Court was whether or not applying that two-thirds reduction one-third reduction step was enough to meet the statutory factors, and the Court held it was not.

And the reason why is that the two-thirds factor, or the one-third reduction really only accounted for past compliance history. But it didn't ask the important question, which is required under the statute, which is whether or not the penalty is necessary to meet the objective of encouraging compliance. So, sort of the lesson from the Norwich real estate case is that not only can FINTRAC—not only does FINTRAC, you know, assess a base penalty and then apply sort of a formula for its reduction, it has to consider whether or not the penalty is necessary for the purpose of, of encouraging compliance. And FINTRAC didn’t ask itself that question in this case. And so that appeal was allowed.

Importantly and interestingly, to the point that Hailey made about potentially a change to the, the legislation, FINTRAC in that case didn't dispute that the impact of the penalty cannot be so great that it would impose a punitive effect on the entity and obviously, if the legislation is amended to include failure—ability to pay, that sort of is a mirror for this potential factor.

But the court didn't ultimately consider this because there wasn't really any evidence on the record as to whether or not this was going to have such an impact. But it's important to note that if you're, if you're dealing with FINTRAC, there's at least on record FINTRAC’s agreement that the penalty can't be so great as to have a punitive effect, which is somewhat getting to the ability to pay.

So really, the response of FINTRAC, obviously it's still percolating. And what we've been seeing in some of the decisions that FINTRAC, in the notice of violation FINTRAC has released since August, since the decision came out publicly in April and since they've released their new policy in August. A lot of what was in the pipeline was based on the old policy, so they're still applying the two-thirds reduction, but they may be adding another step to consider whether or not the penalty is necessary for the purposes of encouraging compliance. But I think Norwich is—it's safe to say Norwich is sort of a practice-changing decision and we're still seeing the effects of Norwich percolate through FINTRAC and the decisions in appeals, that will be coming.

Peter Aziz (19:27)

And Jon, can I just ask you in terms of, of dealing with FINTRAC, what, what do you think is the role of procedural fairness, or what have we been seeing about issues around procedural fairness in FINTRAC?

Jon Silver (19:41)

It's a good question because FINTRAC is a regulator that you're dealing with in many different capacities. So at the beginning you're dealing with FINTRAC sort of the, the, the—not the enforcement side of FINTRAC, but you're dealing with the examination team, you're working with them to sort of help them get the information they need to be able to properly assess whether or not you have been compliant.

And there are a number of opportunities for procedural flaws or problems to arise, all the way leading up to a potential notice of violation. So, it's important to be mindful of whether you believe as a, as an entity that you're getting a fair process all throughout the way up until the opportunity to make submissions to the director, and we're going to walk through the steps, sort of, one by one in the enforcement process.

But issues of procedural fairness are, are live, so to speak, at all different points in time when you're interacting with FINTRAC. And it's important that if you feel that you haven't been given a fair process or you need more process in the sense that you want to provide more evidence, you want to have more opportunity to, to address any sort of deficiencies that FINTRAC may be finding, that you raise those issues immediately because as you continue down the path to the court, the court may be interested in your procedural fairness arguments, and they’re—the court has jurisdiction to address procedural unfairness. But if you haven't made the request to FINTRAC at the time that the potential issue is arising, the court is going to have significantly less sympathy.

So, when we talk about strategies for potentially minimizing the chances of adverse outcomes, AMPs, really it's about taking a proactive approach every time you're dealing with the regulator and on matters of fairness, raising those concerns so that they're, sort of, ripe for the court if you need to get to the court, but of course, our, our job is to try and avoid court. As much as I'm a litigator and I spend a lot of time in court, it's important to work with our clients as best we can to avoid potential court outcomes for, for a number of reasons, which we'll talk about. But you really want to set yourself up for the best possible arguments in court, and that's being alive to these procedural fairness questions.

Peter Aziz (21:43)

Thank you.

Marissa Daniels (21:44)

Thanks, Jon. Before we dive into talking about the FINTRAC review process and lifecycle, we thought we'd speak about a couple of what we consider to be proactive measures that can help put reporting entities in the best position possible in the event of a review, and can potentially guard against enforcement measures.

The first of these proactive measures is the two-year effectiveness review, and this is the obligation of reporting entities to conduct an internal evaluation that must be done every two years, with the clock-ticking beginning at the time of the last review, to test the effectiveness of a compliance program. So to, basically, test whether your compliance program is doing what it's supposed to do and whether your actual business practices are reflecting what's written in your policies and procedures. It's also intended to evaluate your risk assessment, keeping in mind your particular business, your clients and various factors. So, a reporting entity is given significant discretion to determine how to appropriately conduct this review within the guidelines of FINTRAC.

The plan for this review should, of course, include the scope of review, the rationale that supports the areas of focus and the time-period that will be reviewed, as well as evaluation methods and sample sizes. And this—these evaluations may include interviews, sampling of records and review documentation.

Just a note on the auditor: so reporting entities have discretion as to whether to select an internal or external auditor to do the effectiveness review. We just want to emphasize the importance—whether you choose to use an individual who is internal to your organization or to choose an external auditor—of using someone who is well-versed in AML, who understands fully AML compliance, and the details of this review. I think in the past, some entities were a little bit more lax about this review and would just use someone with kind of a limited understanding of AML, but who, you know, was able to do this review, who was generally an internal employee. But, you know, as, as my colleagues have demonstrated, FINTRAC is really amping up its enforcement efforts and we really think it's important now to take this review seriously, use it as an opportunity to use a skilled auditor to identify any compliance issues and, and gaps before it might be too late.

Peter Aziz (24:08)

Yes. And to, to this point, when we see some of the comments that FINTRAC has been making recently on deficiencies in AML policy—compliance policies and procedures, when we look at them we thought, “Not sure that anyone would actually have noticed that or been aware of that in order to update the policy.”

It's almost like it's inside information. In other words, if you have access to have seen what type of comments FINTRAC is making, well, then you know the kind of changes you can make in a policy you’re reviewing [inaudible]. An internal auditor and you haven't seen what FINTRAC is asking, it would be extremely difficult to, to actually come up with that. So, so as Marissa was saying, you know, to the extent that you're thinking, an entity’s—reporting entity’s thinking, “Well, gee, I'm not sure I want to pay for an external auditor,” calculus around that decision has now, has now changed. And, and it may be worthwhile.

Marissa Daniels (25:02)

Thanks, Peter. The second proactive measure we wanted to discuss briefly today is the voluntary self-declaration of noncompliance. This is an optional tool that gives reporting entities an opportunity to disclose noncompliance with the Act to FINTRAC if two conditions are met.

The first is that the issue should not be a repeated instance of a previously-voluntarily-disclosed issue, which means that you can't use this tool as a way to evade FINTRAC scrutiny while having an ongoing, ongoing and unaddressed compliance issue.

And the second is that the declaration has not been made after a reporting entity has been notified of an upcoming examination. So, again, a VSDONC can't be reactively filed after the reporting entity has been notified of an upcoming exam in order for—as, as an effort to try to insulate a particular activity or, or part of the business from FINTRAC scrutiny. And where the VSDONC is used, the reporting entity needs to provide FINTRAC with certain information about the noncompliance and have a remediation plan in place to resolve and close out these issues, including anticipated timelines for doing so.

And so, a couple of, of things worth noting here. The first is that, you know, this is not a statutory requirement, but FINTRAC has communicated through its guidance, its expectation that reporting entities use this tool and do these filings where appropriate. And we think that the goal of these VSDONCs is to encourage a culture of compliance and encourage reporting entities not to sweep things under the rug, encourage them to come forward and report any issues they've identified.

And of course, the risk of not using this tool, at least where there's more material noncompliance, is that a reporting entity might need to answer for this issue and why they haven't disclosed it previously if FINTRAC identifies it in an examination.

The second key thing worth noting is, as you can see, we've square bracketed the—and put a question mark in the—“without enforcement” language.

The reason we've done this is that until fairly recently, FINTRAC’s published guidance on VSDONCs provided that if the requisite conditions are met, then VSDONCs provide an opportunity to disclose without enforcement. So FINTRAC, in these cases, should be working with reporting entities to rectify the issue and should not be imposing enforcement measures with respect to that particular noncompliance issue.

And so, historically, we found that VSDONCs were used quite liberally with reporting entities because they sort of seemed—there seemed to be no downside. It seemed to be a great way to report any issues, whether small or large, and avoid enforcement effort—efforts on FINTRAC’s part. And of course, we were never 100% certain that they were a “get out of jail free” card, but we could rely on that assurance and guidance that FINTRAC should not—likely should not—impose enforcement efforts. However, we—quite recently, it came to our attention that FINTRAC has removed the “without enforcement” language from its guidance.

So, where we're at now is that we, we don't have really any assurance anymore that FINTRAC will not impose an AMP or, or any other sort of enforcement measures with respect to a voluntarily disclosed issue. And it's also been observed in our, in our colleagues on the compliance side, that FINTRAC has, I think, been quite explicit in saying, you know, VSDONCs are not a “get out of jail free” card.

So, where we're at now is that, I think a lot of our clients are needing to more carefully consider, based on the facts, whether the issue that they're dealing with is material enough and appropriate for a VSDONC, or whether it may not rise to the level of requiring of a VSDONC. And so we are working with a lot of clients on this and working, you know, with legal and compliance sides on figuring out, on a case-by-case basis, whether a VSDONC should be filed just given the current state of things, or whether it may not be in an entity's interest to do so.

Peter Aziz (28:57)

And one other thing I'll, I’ll add is FINTRAC now does say on its website that they have an expectation that reporting entities should report material issues of noncompliance, and we just point out that FINTRAC doesn't actually have the statutory authority to require that in their policy, because the Proceeds of Crime Act, unlike the FCAC Act, doesn't have—doesn't require mandatory reporting to the regulator of RCIs or Reportable Compliance Incidents. So we're, we're just pointing that out.

Marissa Daniels (29:35)

Thanks, Peter. We'll now move on to talking about the various stages of the FINTRAC review process. We thought this was a helpful little graphic from the FINTRAC Assessment Manual as—we've tinkered with it a little bit, but as many of you likely know, FINTRAC reviews can take various forms and they are continuing to evolve, so the structure sometimes changes a little bit. But we thought this was a pretty helpful overview of what the lifecycle of a review might look like, starting with, of course, the assessment—notice of assessment, followed by the assessment and then the findings may be communicated through a meeting, through a findings letter and/or a compliance assessment report followed by the potential delivery of a notice of violation, then the opportunity to make representations to the director and potentially a statutory appeal.

As a starting point, the Proceeds of Crime Act provides FINTRAC with the statutory authority to inquire into the business and affairs of reporting entities, and that's what gives it the authority to conduct examinations. As one of my colleagues—I think it was Hailey or Jon—mentioned earlier, there are quite a large number of reporting entities and growing. So FINTRAC takes a risk-based approach to examinations, focusing its efforts mostly on the highest-risk entities. And the purpose of the review is really to assess whether the entity is meeting its obligations under the Act.

A couple of things worth noting. The first is that we've observed that FINTRAC is using some new tools as part of its assessment mandate. One we can discuss is the Supervisory Assessment Questionnaire, and we found that this has actually been used to identify potential deficiencies and weaknesses before launching a formal review process. And ideally after FINTRAC does a bit of probing into an entity's compliance measures through this SAQ, it will probably have a monitoring meeting where it will deliver its findings and discuss, you know, what deficiencies need to be remediated.

Or it might make the determination that based on what has been found, that a full-blown exam is required and that that will be the next step. In terms of the types of exam, we note that they can take the form of an on-site examination or a desk examination that FINTRAC will conduct from its own office location with documents provided electronically.

We list a number of areas of key focus, none of which should come as a surprise for reviews. Of course, looking at compliance programs, transaction reporting, client ID, KYC, recordkeeping and third-party determinations. After the review has been completed, findings might be provided as part of an exit interview, and then they may be further communicated by way of a findings letter, which can include a compliance assessment report.

Generally, the letter will communicate either, you know, ideally that no further compliance or enforcement action is required, that possible follow up compliance action is required, or it might include a recommendation for an enforcement action, such as an AMP.

The entity will then likely be, be given the opportunity to respond to the findings document. Lately, we've seen FINTRAC giving reporting entities generally about 30 days to respond to a compliance assessment report or a findings letter. And this is where, you know, advocacy is really key, which Jon and Peter will speak more about. And this is, of course, subject to any extension that might be granted.

After this, a reporting entity might receive a notice of violation. In order to impose this AMP, FINTRAC needs to have reasonable grounds to—grounds to believe that a reporting entity has violated a requirement in the Act and the associated regulations.

The notice of violation will set out a number of things: explain how they arrived at the penalty amount; list of the violations that it has identified, with appropriate section references; details on the calculation and, and the factors considered. And this will, will set out sort of their justification for why they are opting to administer an AMP.

And at this point you might be thinking about, “Okay, at what point can we really advocate, can we make some efforts?” And Jon and Peter are going to talk a little bit more about this, but I think it's just really important to drive home that you should not wait until you receive a notice of violation to advocate for yourself, to engage the appropriate professionals, whether it be legal or external compliance, to help you with responding in the most efficient way possible, and addressing FINTRAC’s questions in a manner that, you know, raises doubt as early as the assessment process rather than, you know, waiting for a findings letter or notice of violation.

And with that, I'm going to pass it to Jon to talk about the next stage, which is the ability to make representations to a director.

Jon Silver (34:29)

Thanks, Marissa. And yeah, and, and to reiterate what Marissa just said, you know, the standard is reasonable grounds and the examination is the opportunity where FINTRAC decides what it has reasonable grounds to believe. So, you know, your opportunity for advocacy starts well before you get the notice of violation, because, you know, FINTRAC has to satisfy itself, at least at the notice of violation stage, that, that there are grounds for a violation.

And, you know, your best opportunity to prevent an AMP is to persuade FINTRAC early on that there aren't reasonable grounds that you’ve, that you've violated the Act. But we'll get into some of those strategies in a bit just to finish sort of our run, rundown of the process.

Once you get the notice of violation, you have sort of what I like to call an internal appeal mechanism, or administrative lawyers like to call an internal appeal mechanism. Before you can run off to court, you have—and in a much cheaper and confidential process, you can make representations to the director. So FINTRAC’s sort of enforcement branches, who sends a notice of violation, the director is not involved in that decision on the notice of violation, as she sits in sort of an appeal capacity, but it's a de novo appeal, which means that she decides, on a balance of probabilities, whether the reporting entity committed the violations listed in the notice of violation. So, this is sort of an opportunity to, to really advocate to someone different than FINTRAC—although a member of FINTRAC, a director of FINTRAC—but to advocate, to say, you know, “We disagree with the notice of violation for these reasons.”

You can also advocate about the penalty. So you might say, you know—we've, we've been involved in cases where, you know, you're not going to dispute that the violation occurred. But what you're disputing is that the penalty was inappropriate. And, you know—for example, it was inappropriate because the, FINTRAC did not consider what was necessary to ensure compliance.

There are a number of other arguments you could make in front of the director, and as Marissa said, the director shouldn't be the first time you're making these arguments, but of course, until you know what the penalty is, you can't argue one way or another about whether it should be decreased or not, not given. The director—there's no, sort of, form of, form of submissions. You know, it's sort of a typical legal submission, and the director can impose the penalty proposed in the notice of violation or a lesser penalty.

The statutory language does not contemplate the director increasing the penalty. So, again, in terms of level of risk, there's not a significant risk that it's going to get worse with the director. So, you know, we often encourage our clients to, to, to make representations to the director and the director has, you know—the statute’s a little bit unclear, but typically the director releases her decision within 90 days because if she doesn't, there's a direct right to the Federal Court, which we'll talk about in, in a second.

You have your director's decision. You now have 30 days to appeal to the Federal Court, so this is what is known as a statutory appeal. Under, you know, recent administrative law, decisions from the Supreme Court of Canada, this appeal is treated as a standard appeal. So it's as, it's almost as if there was a decision of the Federal Court that you're appealing, so for those on the call that are, you know, litigators or involved in litigation, you know, you have the typical standards of review on appeal. And for those who are not, it really just means that the Court doesn't have the same jurisdiction, really, to interfere with factual findings or, sort of, discretionary decisions that the director made. What the court can do is assess the matter and decide whether or not, as a legal matter, there were any errors of law in the director's decision.

Of course, there are some practical challenges. There, there are some cases that are, are ripe for an appeal court, especially Norwich, for example, where you know, the, the FINTRAC director did not consider one of the key factors under the statute. You know, failure to consider a factor, a relevant and binding factor, is a legal error. And that's what the court found.

But, you know, there are practical challenges. One is the standard review, which I've mentioned. And so, you're really not going to be able to overturn any factual findings. Another, of course, is that there's no, you know, you can seek confidentiality protection in Federal Court, but ultimately courts are open processes. So, whereas the director's decision itself is not published, but, you know, if you don't challenge the director's decision, there's publication of the AMP. The Federal Court process is a much more open process, so you're going to have to seek, proactive, a confidentiality protection before you wind up having, you know, all of the material about your confidential practices, you know, in the court record, and, you know, anyone could access the court record, including journalists and, and others that are interested potentially in the matter.

So the Court, the right to proceed to court is an important right, but it is not—it doesn't have the same level of confidentiality and formality as making representations to the director.

Peter Aziz (39:16)

Thank you. So, so in terms of, once again, dealing with FINTRAC, something to remember is that anything you say or do during an interaction with FINTRAC can be used against you. So just to pick up on what all of my colleagues have been saying: every interaction with FINTRAC is an opportunity for advocacy. And so, as they were saying, you shouldn't wait.

So, so in terms of, you know what, what you might want to be doing, often we see where FINTRAC isn't clear on the facts, and they're making assumptions about, assumptions about the facts, and we're talking to the client and the client will explain how FINTRAC has drawn a wrong conclusion. What would we suggest is, don't leave FINTRAC any room to interpret the facts: you should be getting right in there explaining what the facts are, what the relevant facts are, essentially as early as possible. And you know, in situations you, you probably want to put forward enough facts to, to just raise some doubts as to whether there is a violation. And again, if there, if there are situations of noncompliance, it's not that you would want to be denying that there's noncompliance, but you just want to present your facts in the best light.

And, and probably, that's probably the essence of advocacy: putting your facts and putting your case—your procedures, your judgment, your assessments—forward in the best, best light. We can certainly help you with that. And not that you'd ever want your lawyers in the room or them to even know that you're using lawyers. But with our issues, we, we can certainly help in the background, or other lawyers can help in the background, really at, at every stage.

And then the other aspect of this is, because everything you say can be used against you, if you're asked a question and you're not certain of the answer—you don't have a have a clear answer—don't feel that you need to say something which may not be complete or inaccurate, because again, that's the kind of statement that will, will be used against you.

It's perfectly fine to say, you know—not that you may be, may be thinking, “Well, gee, they should expect me to have this answer. And if I don't respond, they may think that I don't, I don't, I'm not up on my compliance policy.” You can of course, say something like, “I, I see what you're getting at. I have an answer for you, but I want to make sure that it's accurate and complete, so let me get back to you on that,” rather than put something forward. Again, we see that time and time again. There's a partial statement. And FINTRAC takes that as fact and, and runs with it.

Finally, the point about keeping clear records of interactions with FINTRAC so that you're ready to respond to requests. And, you know, unfortunately, the way the way things are with FINTRAC now is, when you're being reviewed, I think now we can almost expect that FINTRAC is going to have findings where they're going to suggest an AMP. So it used to be, “Can we avoid an AMP? Is there going to be an AMP?” Now it’s, “You probably can’t avoid an AMP,” and it's “How large is the AMP going to be?”

So if you want to, kind of, keep that in mind as you're going and thinking, “Well, one day we're going to, you know, eventually after this process, we're going to need to be speaking to our lawyers to write a, a letter to FINTRAC, indicating why we don't think an AMP is appropriate,” think about, you know, the notes you want to keep of your various points.

So in terms of the stages, so even before FINTRAC comes, the first opportunity for reducing risk is designing an implementation or audit of your AML processes. And so, you want to design and build an appropriate procedures. You want to be sampling. You want to make sure that they work. We've seen time and time again where a really good system is put in place and people assume it's working, but then they find out, well, it's not actually working, it's not, it's not producing the results. The results are false. And we see in the correspondence, in the client, the senior people at the organization are very frustrated. They're saying, “How is it that we could have been using this for X period of time, and nobody realized it didn't work? Isn't that what the audit process is for?” In other words, “Isn't this your job?”

But look, people are human, and these things happen. And I haven't seen anybody get fired [laughter], not that we know of. So, but, testing so that you can demonstrate testing is appropriate. One other thing we've seen is, people hire experts and for whatever reason, something isn't quite right in what, what the expert put in place. And, you know, our view, one argument we make is, “Look, the standard for compliance is not to guarantee the results of your expert, it's that you went out and you used your judgment. You took this seriously and you hired reasonable experts to put it in place.” So again, it goes down—it goes to, what is FINTRAC evaluating on? If it's your compliance efforts, well, you've done your compliance efforts as opposed to the result.

And then second opportunity for reducing risks during the FINTRAC assessment stage, and I think that I just mentioned this about advocacy. And again, you want to be correcting deficiencies if required as quickly as possible, so that by the time the findings letter comes out and you're responding to the findings letter, it would be ideal if you can say, “Yeah, we noticed that there were some deficiencies uncovered and we've already addressed them.” In other words: “No need for an AMP to encourage compliance because we've already complied.”

And I'll pass it back to Jon.

Jon Silver (44:51)

Yeah. And I think to Peter's point, if the purpose of AMPs is to ensure compliance, how do you put yourself in the best position to persuade FINTRAC that you do not need an AMP for the purpose of promoting compliance? And so, as to Peter's example, if you're, before FINTRAC has started an examination, if you're hiring experts, you're doing your own testing, you know, you give yourself a much more credible argument to FINTRAC that, you know, “This monetary penalty is not going to move the needle on compliance, because before you were here, FINTRAC, we already were doing all of the things to ensure compliance. And of course, there might be a misstep or there might be an issue, but we're taking proactive steps to resolve those issues well before you came along and, you know, potentially threatening an AMP.” So it's really taking those proactive steps early on and designing your system in a way that allows you to have the factual evidence to give to FINTRAC when they do come knocking to say, you know, “We're doing this already, so don't be worried that we're not complying, and in fact, it would be inconsistent with the purpose of AMPs to give us an AMP, because you have no evidence or reason to believe that we're not complying.” It's the situations where, you know, FINTRAC’s initiation of an examination that prompts the change in behavior, that gives FINTRAC a better argument to say and a, and a better justification for an AMP, because they're going to say, “Well, if it wasn't for us, you wouldn't be complying.” So, you know, taking your own initiative before you hear from FINTRAC is important.

On the slide, I'm talking about the third opportunity—so Peter’s talked about the first being before you hear from FINTRAC, the second being once you hear from FINTRAC. The third is, there are these compliance assessment reports or findings letters that, you know, under FINTRAC’s old examination manual these were required or these were part of the process. Now they're an optional part of the process. To date, we still think we've seen FINTRAC, you know, providing these and these are sort of a report, a preliminary report of FINTRAC’s findings as an opportunity to address any of the findings. And again, this is a really great opportunity to say, you know, you see now what FINTRAC is, is thinking about the potential noncompliance, and here is where you can really provide your, put your best foot forward or if you haven't already, in terms of, “Why do these facts not require an AMP? What are the legal requirements for finding an AMP? What are the potential for penalty?” So, you know, when we've been involved at this stage we’ll often assist a client in, in writing a response that both deals with the fact of a violation and also deals with potential penalty, because if you, if you know that a penalty is coming, you want to make sure before FINTRAC, you know, issues a notice of violation that you've at least addressed number one, whether a penalty is appropriate—so you're addressing the statutory criteria for an AMP—and number two, if an AMP is appropriate, what would the range or the penalty be?

So you would want to say to FINTRAC that the penalty is not appropriate, but if you are going to impose a penalty, here is what you should be considering as relevant to the statutory criteria in issuing an AMP. So, you know, this is a great opportunity and, you know, it's—it, it may or may not be given based on the guidance that FINTRAC has put out to date, it was a historic practice, it may no longer be part of the practice. But again, if you feel, as Peter mentioned, if you feel that there has been, you know, a lack of process or you haven't had an opportunity to put your best foot forward, that's where you might want to write to FINTRAC and say, “We'd like an opportunity to, to present on this issue.” And if FINTRAC says “No,” then you've sort of created the foundation to make an argument in front of the director or the Federal Court that you asked for an opportunity for, to, for more submissions because you thought it was necessary for a fair process and you were denied that opportunity.

So, again, that's—when we talk about how we sort of take a multidisciplinary approach to, to working with clients on FINTRAC matters, it's because you have the, sort of, subject matter expertise of the lawyers that are the AML experts, but we also bring sort of the administrative law, regulatory litigation expertise to think through, “Okay, so we think from an AML perspective, we need to give this information to FINTRAC to help persuade it. What are the ways that we can best set ourselves up to make sure we can get that information before FINTRAC? And if FINTRAC doesn't want the information, what's our recourse going to be, either to the director or to court?”

So last chance you have before you go to court is representations to the director. And again, as I mentioned, this is more of a court-style, court-style document that you're—again, it's informal because it's, it's not a court, but you really, here you are doing everything you can to contest the notice of violation to the extent that you, that you want to. So, this is your, sort of, last chance to have the director, you know, reduce the AMP or vacate the AMP if you feel it was inappropriate. And one thing that I think people sometimes forget to do is they think, “Okay, well, FINTRAC had all this information and now I'm just making legal submissions to the director,” and, and that's inconsistent with the director's role. The director actually has to decide on a balance of probabilities—which is on the facts—that the notice of violation has been made out. And we've had mandates where we've been able to persuade the director that there wasn't a notice of violation and had a notice of violation taken off the, the board. So don't see this as only an opportunity to make legal submissions. You need to put all of the factual evidence before the director that helps support.

Now, you should have all that right in hand because you've been every step of the way putting your best foot forward, but you still have an opportunity here to tell the director that, you know, “This notice a violation, there aren't reasonable grounds. We disagree with the notice of violation for these five reasons, and here's all the evidence supporting it.”

So, really important to include documentation. Really important to address the parts of the notice of violation you would disagree with and the penalty criteria. Because ultimately, once you get a decision from the director, your next step is the court. And the court is not going to reevaluate whether or not there's been reasonable grounds, unless it's so egregious that the court would intervene on the basis of facts.

Really, the court's role is much more limited to making sure that the statute has been appropriately applied and that there's been no legal errors committed. They're not going to disagree with the director if there is some basis in the evidence that there was a violation committed. So, putting your best foot forward in front of the director at the very end of the process is the last, sort of, chance you have to reduce the AMP, and it's your best chance.

So, with that, I think I will turn it to Peter for a few more comments and maybe to address any questions.

Peter Aziz (51:21)

Sure. So, thank you. There's, there’s one question that’s, that’s, that’s interesting. It has to do with procedural fairness and guardrails. It's: are the procedural fairness guardrails commensurate with the new powers we're seeing in legislation (i.e., the increased AMPS) or should there be additional criteria in regulation? So this kind of, goes to, like, a mix of, I think—so, in both response to the changes in the legislation and in response to Norwich, like, what should there be? Should there be changes in law or is it the idea, well, procedural fairness—we’re talking about common law, and that's, that's generally not reduced to, to law but wondered if you had any, any thoughts?

Jon Silver (52:04)

That’s a, it’s a good question. And, and I think what is nice about the duty of procedural fairness at common law is that it is flexible and it is—the court has said it's eminently variable. And so where the AMP is higher, you know, it stands to reason that the process has to be more rigorous because the effect on the regulated entity or reporting entity is going to be greater.

So, what I would say is, you know, the hope would be that FINTRAC would add additional process in their, in their guidelines or in regulation to ensure that, that there is an adequate opportunity to address any of these potential findings given the, the increased potential for penalties. But the Supreme Court has been pretty clear that guidance and regulations, unless they are explicit, are not dispositive of process.

So, you would have a pretty good argument that in the circumstances of your case, if the AMP is significantly high or the potential for reputational harm is really high given the findings, that you would be entitled to additional process. And you'd want to make that argument—it's really important when you're at the court, the court is not as interested in arguments that you haven’t made before the regulator. So, you'd want to make that argument right at the beginning, you know, given what you might learn FINTRAC is, is, is contemplating, especially once you've had the notice of violation. You might want to write to the, the director and say, you know, “You provide 30 days: given the severity of the potential consequences here, we need 120 days.” And if they get denied, then you have a right of potentially raising that on appeal.

But that's a very good question. And we're going to have to see how FINTRAC responds to its increasing potential to, to impose AMPs and how the courts will respond if there isn't a fair process afforded.

Peter Aziz (53:43)

Thank you, Jon. So, we're, we're at time. So, a big thank you to my colleagues Marissa, Jon and Hailey. Thank you so much. Thank you to all of you for attending our presentation. And we're happy to support you with any questions. Please feel to reach out to any of us here. Thank you very much.