1. FINTRAC in 2 minutes
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) is the federal agency responsible for detecting and preventing money laundering and terrorist financing. It is not the police. It is a financial intelligence unit that receives reports, analyzes them, and forwards cases of interest to relevant authorities (RCMP, CBSA, CSIS).
FINTRAC also has a compliance supervision role. It evaluates whether reporting entities meet their obligations. This is when it conducts on-site reviews, requests documents, and imposes administrative penalties.
2. Who is concerned
The PCMLTFA designates several categories of reporting entities. Mortgage brokers are one. The obligation applies whether you are:
- An independent broker with their own license and no employees.
- A broker affiliated with a national firm.
- The principal of a small 2-to-10 broker firm.
- A private lender.
There is no "how many files" threshold. From the first file, obligations fully apply. A broker who closes 2 deals a year has the same obligations as one who closes 200.
3. The 5 essential obligations
3.1 Identity verification
You must verify each client's identity before initiating the business relationship and, for certain transactions, before completing it. Accepted methods are set by regulation:
- Government-issued photo ID: driver's license, passport, provincial or federal ID card, permanent resident card. Must be authentic, current, and show a photo matching the person.
- Dual independent source method: two documents from distinct reliable sources (e.g., bank statement and municipal assessment).
- Attestation process when the client is not physically present: verification by an agent, use of a recognized digital verification service.
3.2 Recordkeeping
For each client and each file, you must keep a record that includes:
- Client identification information (and co-borrower if applicable).
- A copy of the verified ID.
- The verification method, date, and who performed it.
- The purpose and nature of the business relationship (for a mortgage file: intent to enter a mortgage).
- Due-diligence notes at onboarding and throughout the relationship.
- Copies of any reports filed (STR, EFT, cash).
3.3 Mandatory reports
Three main report types:
- Suspicious Transaction Report (STR): when you have reasonable grounds to suspect a transaction related to money laundering or terrorist financing. No financial threshold. Even an "attempted" transaction must be reported. Deadline: with diligence, which in practice means days, not weeks.
- Large Cash Transaction Report: CAD 10,000 or more in cash, in a single transaction or multiple transactions aggregated under the 24-hour rule.
- Electronic Funds Transfer Report: EFTs of CAD 10,000 or more to or from abroad.
Mortgage brokers rarely see cash (funding flows through the notary/lawyer). STRs are the trickiest obligation: you need an eye for spotting an abnormal situation (unclear source of funds, recently constituted deposit without explanation, unusual co-signer).
3.4 PEP: Politically Exposed Persons
Some clients are politically exposed persons (PEPs): elected officials, senior public servants, state-owned company executives, military leaders, and their close family members. When you identify one:
- Approval by a senior member (your compliance officer if you are solo).
- Enhanced measures to verify source of funds and source of wealth.
- More rigorous ongoing monitoring of the business relationship.
PEP-screening services exist (WorldCheck, ComplyAdvantage, Dow Jones). For a solo broker, a structured search of public parliamentary databases may suffice for a first pass, but the process must be documented.
3.5 Written compliance program
Five mandatory components:
- Appointment of a compliance officer. Even if you are solo, you must formally appoint and date this.
- Written policies and procedures covering all the above obligations.
- Risk assessment, documented and kept current at least annually. It classifies clients by risk level (low, medium, high) using specific criteria.
- Ongoing training program. Document each session: date, content, participants.
- Effectiveness review every two years minimum. Ideally by someone external or independent from the compliance officer.
4. Common pitfalls
4.1 Confusing "I saw the ID" with "I verified the identity"
Looking at a passport on a video call is not documented verification. You need: a retained copy, the date, the method, the verifier's name.
4.2 The "copy-paste" compliance program
Downloading an online template, putting your name on it, and never opening it again. FINTRAC recognizes these documents within two minutes during a review. The program must reflect actual practice.
4.3 Annual training that does not exist on paper
You read FINTRAC bulletins. Great. But if it is not documented (date, topic, duration), it does not exist for FINTRAC. A simple training log will do, but you need one.
4.4 The "zero-risk" files
The client is your cousin, you have known him for 20 years. FINTRAC does not care. Obligations apply the same way. No file is exempt because of familiarity.
4.5 Documents by unencrypted email
Receiving passports and T4s through regular email creates Law 25 + PIPEDA exposure. A privacy incident on this data triggers a notification obligation to the CAI or OPC.
5. Record retention
Baseline rule: 5 years from the end of the business relationship with the client (or 5 years after creation of the document depending on the specific category). In practice, the prudent approach is to retain all records tied to a file for 5 years after file closure.
Records must be retrievable within 30 days upon FINTRAC's request. Basement filing cabinets with unindexed boxes become a problem when a notice arrives. Indexed digital storage by client name and date is the only viable operational approach.
6. What happens during a review
6.1 The initial notice
FINTRAC sends a written notice, typically 2 to 4 weeks before the review. It specifies the date, scope (covered period, types of files), and the initial list of documents to prepare.
6.2 Before the review
You have time to gather what is requested. This is when brokers discover the gaps. Calmly preparing 4 weeks ahead is radically different from panicking the night before.
6.3 The review itself
It can last a day or several weeks depending on practice size. The examiner requests sample files, asks procedural questions, and verifies that the written program matches reality.
6.4 The findings report
FINTRAC produces a report listing observations. You have a window to respond. If violations are confirmed, FINTRAC may impose an administrative penalty (new Bill C-12 scale) or, in the most serious cases, refer the matter to the Public Prosecution Service.
7. Monthly checklist
Do this once a month; it takes 20 minutes and saves hours:
- Review open files: are all identity verifications documented?
- Move documents lingering in email into the official file.
- Update the risk assessment if a client profile falls outside norms.
- Log any training done this month.
- If a suspicious situation was observed but not reported: reassess, decide, and file if applicable.
- Verify digital backups of records are current and accessible.
Hypora automates a large share of these routines: automatic timestamping of identity verifications, file-based classification, exportable FINTRAC PDF reports, and a missing-documents list before file closure. The broker remains the decision-maker and compliance-responsible party. Hypora documents what they do.