FINTRAC Compliance IT Support for BC Reporting Entities

Hexafusion delivers the IT-side controls behind FINTRAC compliance for BC reporting entities: record retention with immutability, secure reporting channels, identity verification IT, audit trails, encrypted storage, and incident response, all built to survive both a ransomware event and a FINTRAC examination.

Written by Alex Barari, founder of Hexafusion and a former PCI DSS Internal Security Assessor (ISA). Hexafusion is an IT and security firm, not an AML compliance advisor. We deliver the technical controls that an AML compliance program depends on, in coordination with your compliance officer or advisor.

Who is a FINTRAC reporting entity

FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) regulates entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). If you operate in one of these categories you are a reporting entity:

Financial entities

Banks, credit unions, caisses populaires, trust and loan companies.

Money services businesses

Registered MSBs and foreign MSBs operating in Canada. Currency exchange, money transfer, dealing in virtual currency, cashing or issuing money orders or travellers cheques, and crypto-asset trading platforms.

Securities dealers

Persons or entities engaged in the business of dealing in securities or any other financial instruments.

Life insurance

Life insurance companies, brokers, and agents.

Real estate

Brokers, sales representatives, and developers. Includes BC strata transactions and pre-sale agreements.

Mortgage entities (since Oct 2024)

Mortgage administrators, brokers, and lenders became reporting entities under the October 11, 2024 amendments.

Accountants

Accountants and accounting firms engaging in specified triggering activities for clients (receiving or paying funds, purchasing or selling securities, real estate, or business assets on behalf of a client, or instructing on these activities).

BC notaries

British Columbia notaries public engaged in triggering activities, equivalent to the accountant trigger above.

Dealers in precious metals

Dealers in precious metals, stones, or jewellery selling CA$10,000+ in a single transaction.

Casinos and armoured car

Casinos including online casinos. Armoured car services were added in the October 2024 amendments.

What FINTRAC compliance involves

Five core obligations apply to every reporting entity. The list below is the regulatory shape; the IT controls behind it are where Hexafusion does the work:

  1. Compliance program. Appointed compliance officer, written policies and procedures, ongoing training, risk assessment, two-year effectiveness review.
  2. Know your client (KYC) and identity verification. Verify identity at prescribed thresholds with prescribed methods (government photo ID, credit file, dual-source, affiliated entity, or reliance methods). Retain the records.
  3. Beneficial ownership and politically exposed person (PEP) determinations. For corporate clients, identify beneficial owners. For prescribed triggering activities, determine whether a person is a PEP, head of an international organisation, or close family member.
  4. Reporting. Submit LCTRs, LVCTRs, EFTs, STRs, TPRs, and SERs through FINTRAC Web Reporting (FWR) or API. Each report has prescribed content and timing.
  5. Record retention. Five years minimum on transaction records; five years from last business relationship transaction on identification records.

The IT controls behind a working compliance program

Where Hexafusion concentrates the work:

Immutable record retention

Five-year retention on KYC, transactions, and reports. Immutable storage so records cannot be deleted or altered by a ransomware event or insider action. Documented retention schedule with automated deletion on the five-year mark.

Encrypted storage and transmission

Full-disk encryption on endpoints holding KYC. Encryption at rest in cloud storage. TLS 1.2+ for all transmission. Encrypted email for any KYC documents emailed externally.

MFA on all systems

FINTRAC Web Reporting account, internal CRM or AML platform, file storage, and email. Phishing-resistant MFA preferred (passkey, FIDO2, app push).

Audit logging

Every access to KYC, every report submitted, every change to a record. Logs retained for the same five-year minimum as the records themselves. Tamper-evident log storage.

Role-based access

Compliance officer and designated staff only. Quarterly access recertification. Departing employees offboarded within 24 hours.

Backup and recovery

Immutable backups separated from production. Tested restoration of FINTRAC records at least annually. Documented RTO and RPO.

EDR on endpoints

Behavioural detection on every device holding or accessing FINTRAC records. Tamper protection so an attacker cannot disable the agent.

Sanctions list automation

Automated screening against OFAC, OSFI, UN, and EU sanctions lists at the CRM or AML platform layer, with documented evidence of the screening for each client onboarding.

FINTRAC Web Reporting access

Secured access to FWR with hardware-key MFA where possible. Backup submission channel documented. Submission records retained alongside the report.

Report types and timing

| Report | Trigger | Filing deadline |
|--------|---------|-----------------|
| LCTR | Large cash transaction of CA$10,000+ within 24 hours. | Within 15 days. |
| LVCTR | Large virtual currency transaction of CA$10,000+ within 24 hours. | Within 5 working days. |
| EFT | Electronic funds transfer of CA$10,000+ across the Canadian border. | Within 5 working days. |
| STR | Reasonable grounds to suspect a transaction is related to money laundering or terrorist financing. No minimum threshold. | As soon as practicable after suspicion. |
| TPR | Terrorist property report when the entity is in possession or control of property owned or controlled by a terrorist. | Immediately. |
| SER | Sanctions evasion report (new). Reasonable grounds to suspect property is related to sanctions evasion. | As soon as practicable. |

FINTRAC examinations: what they look like in practice

FINTRAC conducts compliance examinations periodically. Risk-based selection: higher-risk sectors (MSBs, real estate, casinos) see more frequent examination. The examination typically runs 1-3 days on site or virtual, with pre-engagement document requests and post-engagement findings.

What the examination team asks for on the IT side:

  • Evidence that records are retained for the required period.
  • Sample of records reproduced from storage on request.
  • Evidence of access controls and audit logs.
  • Evidence of backup and recovery capability.
  • Evidence of secure transmission of reports.
  • Evidence of identity verification methods documented and applied consistently.
  • Risk assessment documentation including IT risk components.

An audit-ready evidence package, refreshed continuously, is far cheaper than producing one under examination deadline pressure. We maintain it as part of every FINTRAC engagement.

Common pitfalls we see in BC reporting entities

  • Records on local file shares with no immutability. A ransomware event can encrypt or delete five years of KYC. Immutable cloud storage with object lock is the working pattern.
  • KYC documents in personal email folders. Compliance officers sometimes hold scanned ID in their own mailbox. This breaks the access controls, audit logging, and retention schedule. Consolidate to a structured store.
  • No backup of the AML platform. Several BC AML platforms hold transaction records and risk assessments. If the platform vendor changes hands or goes out of business, the records still need to be accessible for the five-year retention. We maintain exportable copies.
  • FINTRAC Web Reporting account on shared credentials. Each submitter should have a named account. Shared credentials break the audit trail.
  • Mortgage entities not realising they are now covered. The October 2024 amendments brought mortgage administrators, brokers, and lenders in. Many BC firms in this category are still building the program.
  • Treating the IT program as separate from the AML program. The compliance officer's policies should reference the IT controls and the IT controls should produce the evidence the compliance program assumes exists. We coordinate to keep the two aligned.

FAQ

Who is a FINTRAC reporting entity?

Financial entities, MSBs, securities dealers, life insurance, real estate (brokers, reps, developers), mortgage administrators/brokers/lenders (since Oct 2024), accountants, BC notaries, dealers in precious metals, casinos, and armoured car services.

Does Hexafusion write the AML compliance program?

No. We are an IT and security firm, not an AML compliance advisor. We deliver the technical controls behind the program and coordinate with your compliance officer or AML advisor.

How long are records retained?

At least five years from creation for transactional records; at least five years after the last business relationship transaction for client identification records.

How are reports submitted?

Electronically through FINTRAC Web Reporting (FWR) or API. Paper submissions are no longer accepted.

What does FINTRAC examine for on the IT side?

Retention proof, access controls, audit logs, backup and recovery, secure transmission, identity verification IT, and the IT components of the risk assessment.

Does FINTRAC compliance overlap with PIPEDA?

Yes. PCMLTFA tells you what to collect and retain. PIPEDA tells you how to protect it. We design programs that satisfy both at once.

What changed in October 2024?

Mortgage administrators, brokers, and lenders became reporting entities. Armoured car services were added. A new sanctions evasion report category was introduced, and the LVCTR was adjusted.

What is the penalty exposure?

Administrative monetary penalties up to CA$500,000 per violation for very serious violations under the AMP regulations. Repeat or wilful violations have led to multi-million-dollar AMPs for Canadian banks and MSBs. Criminal penalties under PCMLTFA exist for serious offences. Reputational damage from public findings is typically the bigger driver for BC SMBs.

Book a FINTRAC IT review

30-minute call to map your FINTRAC IT controls, identify gaps, and produce an evidence-ready remediation plan in coordination with your compliance officer. Free.
