Category: Blog Post

  • Getting started on an AML Compliance Program

    Getting started on an AML Compliance Program

    Frequently our clients find us in a state of overwhelm; if you are a reporting entity and need to follow FINTRAC guidelines here is how to get started.

    What is FINTRAC?

    FINTRAC, or the Financial Transactions and Reports Analysis Centre of Canada, is Canada’s financial intelligence unit responsible for detecting, preventing, and deterring money laundering and terrorist financing. It is an independent agency that collects and analyzes financial transaction reports from businesses to provide financial intelligence to law enforcement and other agencies. FINTRAC also supervises entities to ensure compliance with anti-money laundering and anti-terrorist financing laws.

    Does my Business need to Report to FINTRAC?

    Reporting entities that must report certain transactions, including suspicious transactions, to FINTRAC include:

    • accountants and accounting firms (when carrying out certain activities on behalf of their clients)
    • acquirer services in relation to private automated banking machines New as of October 1, 2025
    • agents of the Crown that sell money orders
    • armoured car businesses
    • casinos
    • cheque cashers New as of July 10, 2025
    • dealers in precious metals and precious stones
    • factors New as of July 10, 2025
    • financing or leasing entities New as of July 10, 2025
    • financial entities such as:
      • banks, caisses populaires, credit unions, departments and agents of the Crown that accept deposit liabilities
      • life insurance companies, or entities that are life insurance brokers or agents, in respect of loans or prepaid payment products they offer to the public and accounts they maintain with respect to those loans or prepaid payment products (other than those specified in the definition in the Regulations)
      • loan companies
      • trust companies
      • unregulated trust companies
    • life insurance companies, brokers and agents
    • money services businesses and foreign money services businesses
    • mortgage administrators, brokers and lenders
    • public notaries and notary corporations of British Columbia (when carrying out certain activities on behalf of their clients)
    • real estate brokers, sales representatives and developers (when carrying out certain activities)
    • securities dealers
    • title insurers New as of October 1, 2025
    • employees of these reporting entities for the purposes of suspicious transactions

    My Business is reporting entity. I understand that I need to report suspicious transactions, but what else do I need to do?

    In a nutshell you are going to need a compliance program, which FINTRAC defines as:

    A compliance program is established and implemented by a reporting entity that is intended to ensure its compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the Act) and associated Regulations (PCMLTFA). A compliance program forms the basis for meeting all of your reporting, record keeping, client identification and other know-your-client requirements under the Act and associated Regulations. All reporting entities must establish and implement a compliance program.

    Specifically, all reporting entities must implement the following elements of a compliance program:

    • appoint a compliance officer who is responsible for implementing the program
    • develop and apply written compliance policies and procedures that are kept up to date and, in the case of an entity, are approved by a senior officer
    • conduct a risk assessment of your business to assess and document the risk of a money laundering or terrorist activity financing offence occurring in the course of your activities
    • develop and maintain a written, ongoing compliance training program for your employees, agents or mandataries, or other authorized persons
    • institute and document a plan for the ongoing compliance training program and deliver the training (training plan)
    • institute and document a plan for a review of the compliance program for the purpose of testing its effectiveness, and carry out this review every two years at a minimum (two-year effectiveness review)

    What steps does my business need to take? How can Soteria Protection help?

    The following are the essentials for building an AML compliance program and how we can assist:

    Step 1 Risk Assessment- the foundation of your AML program

    Every compliant AML program begins with a formal Risk Assessment.

    At Soteria Protection, we conduct a structured 90 minute interview to understand:

    • Your products and services
    • Delivery channels (digital, in-person, third-party)
    • Client types and geographic exposure
    • Transaction volumes and complexity

    We then assess inherent risk and evaluate it against Canada’s National Inherent Risk Assessment, focusing on identifying and documenting residual risk.

    This step is critical because:

    • FINTRAC requires a documented risk assessment
    • It determines the strength of your controls
    • It shapes monitoring, reporting, and training obligations

    Without a defensible risk assessment, your AML program has no foundation.

    How Soteria Protection Helps:
    We deliver a documented, board-ready risk assessment aligned with Canadian regulatory expectations and tailored to your actual operations.

    Step 2 Policies and ProceduresYour AML framework in action

    Once risk is defined, your AML framework must be formalized.

    Using the results of your Risk Assessment, we develop customized AML Policies and Procedures that reflect your business model — not a generic template.

    • Policies establish your compliance commitments and governance structure.
    • Procedures outline the specific actions your team must take, including:
      • Client identification and verification
      • Record keeping
      • Ongoing monitoring
      • Suspicious Transaction Reporting (STR)
      • Compliance oversight and internal review

    FINTRAC is looking for customized documents. Your policies must reflect how your business actually operates.

    How Soteria Protection Helps:
    We draft clear, risk-based documentation designed to be operational — not theoretical — and aligned with FINTRAC expectations.

    Step 3 AML Training (Operationalizing Compliance)

    Training is not a checkbox exercise. It is a legal requirement and a core defence against regulatory exposure.

    Your AML training must:

    • Be delivered at least annually
    • Be tailored to staff roles
    • Be documented with attendance records
    • Reflect your specific risk profile

    An AML program only works if your staff understand their obligations and can recognize suspicious activity in real time.

    How Soteria Protection Helps:
    We design and deliver structured AML training programs, provide certificates of completion, and ensure that your records meet regulatory standards. If industry training is available, we can compliment that training by offering advanced training on select topics such as trade-based money laundering, and advance training for senior leadership and compliance officers.

    Wondering about us?

    Soteria Protection was founded by professionals with decades of experience working inside fintechs and financial institutions. We understand that compliance must function under commercial pressure.

    We build AML programs that are:

    • Risk-based
    • Operationally realistic
    • Documented and defensible
    • Designed for executive oversight

    If you are unsure whether your business meets FINTRAC requirements , or if you need to strengthen your existing AML framework, we can help.

    Reach out for complimentary consult

  • The Impetus Behind Soteria Protection

    Soteria Protection was founded in Victoria BC after more than 50 years of collective experience inside fintech companies, financial institutions, and technology firms.

    Anti-money laundering (AML) and compliance are our specialties but more importantly, our founders (Adam, Darci and Penny) have lived compliance operationally. We have worked daily with the policies, procedures, and internal controls that guide fintech and financial services organizations. We understand that compliance is not theoretical. It operates under commercial pressure, aggressive growth trajectories, investor expectations, and real regulatory scrutiny.

    We built Soteria Protection to help businesses succeed in an increasingly complex regulatory environment, with AML compliance at the core of what we do.

    Why AML? And why does it matter now?

    Many businesses don’t give much thought to AML. The assumption is that the banks and larger institutions look after AML. But we all need to be concerned about financial crime and AML.

    If your business is considered a reporting entity in Canada you are legally obligated to maintain an AML compliance program that meets FINTRAC requirements. This is not optional.

    Too often, AML is viewed as a necessary hassle or a cost centre. In reality, reporting entities act as financial gatekeepers and that role carries real societal impact.

    When illicit funds enter the economy, the consequences extend far beyond regulatory penalties. Money laundering destabilizes markets, undermines business continuity, distorts competition, and erodes trust in institutions. We have seen firsthand how financial crime infiltrates legitimate systems.

    Financial crime is not just something in movies. It exists in plain sight.

    The proceeds of laundered money are directly linked to organized crime, drug and weapons trafficking, human exploitation, and terrorist financing. Beyond the human toll, money laundering fuels a shadow economy operating largely outside the tax system, weakening public infrastructure and economic stability.

    A robust AML program does help avoid regulatory scrutiny from FINTRAC—but it does much more than that. It protects the integrity of the Canadian economy and, by extension, Canadian society.

    Financial crime is so pervasive today that vigilance cannot be outsourced. It requires diligence and understanding.

    The Canadian AML landscape is shifting

    AML compliance in Canada is evolving, and frankly, it needs to.

    Other jurisdictions, including Australia, Europe, and the United States, have moved more aggressively in the fight against financial crime. Canada is now accelerating its regulatory posture.

    FINTRAC has expanded both its outreach and expectations. The focus is no longer on whether policies exist. Regulators want to know:

    • Do your controls actually work?
    • Do you understand your risk exposure and residual risk?
    • Can you defend your decisions?

    Too many businesses rely on generic templates, outdated guidance, or advisors who speak in theory rather than operational accountability.

    Soteria Protection was built to close that gap.

    AML Compliance should not incite fear

    We also understand the anxiety surrounding AML compliance, especially for organizations implementing a program for the first time.

    As FINTRAC continues to expand the definition and scope of reporting entities, many businesses are now entering the AML framework for the first time. The reaction is often panic, confusion or total avoidance.

    Our goal is to help organizations navigate the evolving AML landscape with clarity and confidence. We work alongside our clients to build programs that are practical, defensible, and aligned with how your business actually operates.

    Why the name Soteria?

    Soteria comes from the Greek concept of protection, preservation, and deliverance.

    The name is intentional.

    Our work is not about checking boxes. It is about safeguarding organizations in an environment where the consequences of getting compliance wrong are real—financially, operationally, and reputationally.