business man working on laptop

Key things to include in an AML/ATF compliance program

Key things to include in an AML/ATF compliance program

5 Minute Read

Find out what’s needed to set up a compliance program that meets all requirements outlined in the PCMLTFA Regulations.

This article was originally published by CPA Canada. It has been re-posted with permission.

There are many elements that go into building a compliance program that meets all of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) regulations, from establishing written policies and procedures to training and monitoring. Any missteps and organizations can be flagged for increased scrutiny or penalties.

“A compliance program is a requirement for every reporting entity across different sectors,” says Éric Lachapelle, CPA, national finance crime leader for KPMG Canada. “You need to have a specific program in place with all the required components for FINTRAC when they come to examine you. You must be in a position to report suspicious or prescriptive activity to be able to give information to the financial intelligence unit to help law enforcement do their job. That requires a governance framework and detailed processes and procedures to execute it.”

“By law and for good governance, compliance with laws and countering risks is achieved through a rational, structured and documented approach,” says Corey Anne Bloom, FCPA, partner, Eastern Canada leader, forensics, investigations and litigation support services for MNP.

The following is a look at the elements that organizations need to consider when setting up and maintaining an Anti-Money Laundering and Anti-Terrorist Financing (AML/ATF) compliance framework.


The first step is naming an individual who is accountable, says Lachapelle. “That could be a chief AML officer or someone who takes responsibility to be sure everything is in place. The compliance officer is responsible for developing policies and procedures, training people and implementing tools needed.”

The person in this role should have a great understanding of the operation of the business itself, adds Bloom. “Someone with the interest and bandwidth to remain current with prevailing legislation and guidance, and that has access to the right resources within the organization.”


These policies and procedures must provide a clear roadmap about how people, processes and systems will work together to meet prevailing obligations, says Bloom. “They should also allocate resources to the areas of greatest threats,” she adds.

Written policies and procedures are critical, says Lachapelle. “If they’re not in writing, you can’t expect people to follow them.”


Training is also a critical part of a compliant AML/ATF program. “A policy on a shelf won’t work,” says Lachapelle. “You really need to put a strong training program in place, starting with onboarding, ongoing training and, depending on your role and level within an organization, more specific, advanced training.”

Bloom emphasizes that training should start with awareness of money laundering risks, leading to a detailed explanation of what each team member needs to do and how they are to do it. “Training should be conducted with sufficient role-specificity and frequency as to ensure that team members will recognize and know how to report unusual activities, and to ensure the consistent application of policies and procedures.”


The PCMLTFA regulations require a risk-based approach, according to Lachapelle. “You need to understand where your risks are as an organization and apply the proper measures to mitigate those risks to ensure you are compliant across all products, services and business lines.”

Bloom notes that, at the client or relationship level, there are steps that are prescribed for risk management and those that are taken using the judgment of the organization. Prescribed risk management measures include collecting and verifying base information about a client, such as their identity and beneficial ownership.

Additional measures might be taken in the face of higher-risk characteristics, such as the geography relevant to the client’s transactions (such as areas with higher crime rates, organized crime activity or jurisdictions subject to economic sanctions), she adds. “That might include getting a better understanding of supporting documentation when encountering a real estate deal involving an area known to be associated with organized crime activity. Risks don’t just represent the likelihood and consequence that an entity won’t comply, but also the risk that the vulnerabilities of a company will be exploited by a threat actor for money laundering or terrorist financing.”


An AML/ATF compliance program must be reviewed every two years. This can be done, for example, by an internal audit department or external firm. “It’s not just to avoid penalties, it is a requirement to do an effectiveness review every two years to ensure you have the right program in place,” says Lachapelle.

Sophisticated tools may be needed to perform many of the activities, including ongoing monitoring, he adds. “You can’t do this by hand. Large reporting entities need machine learning and data-analytics tools. Smaller volume businesses may be able to look at transactions one by one.”


In addition to establishing and maintaining a compliance program, organizations must adhere to a specific reporting regime that includes suspicious transaction, large cash transaction, large virtual currency transaction, electronic funds transfer, terrorist property and, in the cases of casinos, casino disbursement reports.

“Records must be kept in case FINTRAC needs to come back to you in the event of a more detailed investigation,” says Lachapelle.

He adds that some circumstances may demand special reporting or actions that can be revoked at any time. “One example is Iran. While the reporting is not within the PCMLTFA Regulations, it’s a temporary Ministerial directive that must be followed.”


Beyond an accountant’s training in risk and controls, Bloom adds that, “The primary resource for those appointed with responsibilities is the Proceeds of Crime (Money Laundering) and Terrorist Financing Act legislation and its regulations. FINTRAC publishes guidance to help accounting firms understand their obligations for complying with the legislation.”

More applied and specific guidance is available, including the CPA Canada AML/ATF Guide, the CPA Canada AML/CTF Webinar, its update on record keeping and FINTRAC reporting, and external news are all available on the CPA Canada website.

Requirements have changed considerably over time, so organizations need to make sure they are compliant with all new rules and regulations, and update their compliance program accordingly.

It is also important to determine what activities are included in the AML legislation, says Bloom. “The legislation does not apply to all activities. You need to make sure you are overseeing what is actually covered within your firm.”

For example, an accountant is not subject to the AML/ATF legislation if they only perform triggering activities on behalf of their employer. However, if the accountant’s employer is an accounting firm, then the AML/ATF legislation does impose an obligation on both the accountant and accounting firm to report suspicious transactions and terrorist property, she explains.

Triggering activities means, on behalf of a person or entity:

  1. Receiving or paying funds or virtual currency
  2. Purchasing or selling securities, real property, immovables or business assets or entities
  3. Transferring funds, virtual currency or securities by any means
  4. Giving instructions on behalf of a person or entity in connection with any of the above.

It should be noted that there are some exceptions for when triggering activities do not apply. For more on these activities, refer to CPA Canada’s new anti-money laundering/anti-terrorist financing (AML/ATL) requirements associated with record-keeping and reporting to FINTRAC.

Lachapelle stresses the importance of having the right people, the right teams with the right documentation and training in building and maintaining a successful AML/ATF framework. “With that you can execute a plan that is compliant and avoids potential penalties. While it’s pretty straightforward, it takes time and resources.”

Contact us 

To learn more, contact Corey Bloom, FCPA, CA•IFA, CFF, CFE, ACFE Regent Emeritus.


  • Confidence

    June 20, 2024

    Three tips to keep your business insurance effective

    Avoid the pitfalls of inadequate business insurance with these three essential tips.

  • Agility

    June 20, 2024

    Why your credit union can’t afford to ignore scenario planning

    In today’s era of business, credit unions need scenario planning to anticipate and respond to future risks and opportunities.

  • Progress

    June 19, 2024

    How the current market impacts the value of your energy business

    How do shifts in the energy sector impact the value of your business? A valuation can help you understand what your company is worth in a volatile market.