FINTRAC · AML Review 14 min read Jun 13, 2026

The FINTRAC Two-Year Effectiveness Review: Scope, Reviewer Criteria, and What Survives a Compliance Examination

Every PCMLTFA reporting entity must complete a biennial effectiveness review — but the scope, reviewer criteria, and documentation requirements trip up even experienced compliance teams. Here's exactly what FINTRAC expects.

By Matt Denney

Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published Jun 13, 2026 14 min read Filed AML & KYC

Every reporting entity subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) must conduct a two-year effectiveness review of its compliance program. The obligation appears at paragraph 156(1)(f) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), SOR/2002-184, and applies without exception to casinos, online gaming platforms, money services businesses, and all other regulated sectors. This is not an internal audit recommendation or a best-practice suggestion from FINTRAC guidance. It is a statutory requirement, and the consequences of non-compliance include administrative monetary penalties (AMPs) under the PCMLTFA’s civil enforcement framework.

For casino and iGaming operators, this obligation sits inside a compliance program that already carries significant operational weight: appointed compliance officer, written and current policies and procedures, enterprise-level risk assessment, an ongoing training program, and now a biennial review of all of the above. The two-year review is the mechanism by which a reporting entity demonstrates, on a documented and recurring basis, that its compliance program actually works in practice, not just on paper.

Source: FINTRAC, Compliance Program Requirements Guidance, Section 7, Two-year effectiveness review and plan requirements, PCMLTFR, SOR/2002-184, paragraph 156(1)(f), subsections 156(3) and 156(4).

What the Regulation Actually Requires

PCMLTFR subsection 156(1) sets out the mandatory elements of a compliance program. Paragraph (f) specifically requires a reporting entity to have a two-year effectiveness review and plan. The review must be conducted at least every two years, though a reporting entity may elect to conduct it more frequently, particularly where the risk environment is elevated or significant changes have been made to the compliance program.

The regulatory definition of the two-year effectiveness review is precise: it is a review, conducted at a minimum every two years, by an internal or external auditor to test the effectiveness of the reporting entity’s policies and procedures, risk assessment, and training program. The word “test” is operative. A gap analysis, a management self-assessment, or a readiness review does not satisfy this requirement. The review must apply testing methodology to actual records, transactions, and operational practice.

PCMLTFR subsections 156(3) and 156(4) impose two additional obligations that flow directly from the review. Subsection 156(3) requires that the results of the review and an action plan based on those results be reported to senior management. Subsection 156(4) requires that a written action plan be prepared that documents how identified deficiencies will be remediated, and that subsequent reviews include a status update on the implementation of prior action plan items. The review, the findings, the action plan, and the senior management report are all distinct deliverables with distinct documentation requirements.

Who Can Conduct the Review

FINTRAC permits two reviewer categories: an internal auditor, or an external auditor. The compliance officer who is responsible for implementing and maintaining the compliance program cannot conduct the two-year review of that same program. This is a structural independence requirement, not a preference. The reviewer, whether internal or external, must be sufficiently separate from the compliance program to conduct an objective assessment.

For larger reporting entities, the internal auditor is typically a member of the internal audit or assurance function who has no direct responsibility for designing or operating AML controls. For smaller operators, particularly those with lean compliance teams, genuine independence is harder to achieve internally. In those cases, an external auditor with AML/PCMLTFA expertise is the appropriate path. The external reviewer does not need to be a chartered accountant, though FINTRAC’s definitions reference chartered accountants and accounting firms in the relevant glossary terms. The core requirement is independence and the capacity to test compliance program effectiveness against FINTRAC’s standards.

A review, conducted every two years (at a minimum), by an internal or external auditor to test the effectiveness of your policies and procedures, risk assessment, and training program.

Independence requirement: The compliance officer responsible for implementing the compliance program cannot serve as the reviewer for the two-year effectiveness review. The reviewer must be functionally independent from the compliance program being assessed, whether the review is conducted internally or by an external party.

The Mandatory Scope: Four Areas of Testing

FINTRAC’s compliance program guidance is specific about what the two-year review must cover. The review is not open-ended or scoped at the discretion of the reviewer. It must test the effectiveness of the three core compliance program components (policies and procedures, risk assessment, and training program), and it must do so through actual testing of records and transactions, not through document review alone.

Policies and Procedures

The reviewer must assess whether the reporting entity’s written policies and procedures are current, whether they accurately reflect the entity’s actual operations, and whether staff with compliance responsibilities have the knowledge required to apply them. FINTRAC’s guidance specifies that this includes a review of employee knowledge of policies and procedures, related record-keeping requirements, client identification obligations, and reporting requirements. The reviewer should test whether staff can apply the policies in practice, not merely confirm that a policy document exists.

Risk Assessment

The two-year review must include a review of a sample of client records to assess whether the risk assessment methodology is being applied in accordance with the documented process, and whether the frequency of ongoing monitoring is appropriate and carried out in accordance with client risk level assignments. For casinos and iGaming operators, this means verifying that client risk ratings are not static, that higher-risk clients are receiving enhanced monitoring, and that the enterprise-level risk assessment has been updated to reflect changes in the product mix, player base, and ML/TF risk environment. A risk assessment last updated in 2022 that has not been revisited since will not survive review.

Training Program

The review must assess whether the training program is appropriate for the entity’s size, complexity, and risk exposure. This means examining training records, including dates, attendance, and topics covered. For iGaming operators with large customer-facing teams and multiple product verticals, FINTRAC expects training to be role-differentiated. General enterprise AML awareness training and specialized training for high-risk roles are distinct requirements. A single annual eLearning module delivered to all staff will not demonstrate adequate training effectiveness if the entity operates VIP programs, handles high-volume virtual currency transactions, or carries concentrated PEP exposure.

Transaction Testing

Transaction testing is where many compliance programs reveal gaps between documented policy and actual practice. The review must include a review of transactions to assess whether suspicious transaction reports (STRs) were submitted to FINTRAC where required. It must also include a review of large cash transactions to confirm they were reported accurately and within prescribed timelines. For entities with electronic funds transfer obligations, the review must assess whether reportable EFTs were reported to FINTRAC with accurate information and on time. Client records must be sampled to verify that client identification procedures were followed and that the affiliate or mandatary verification requirements, where applicable, were met.

| Review Component | What Is Tested | Applies To |
| --- | --- | --- |
| Policies and Procedures | Currency, accuracy, staff knowledge, record-keeping adherence | All reporting entities |
| Risk Assessment | Application of risk methodology, ongoing monitoring frequency, client risk ratings | All reporting entities |
| Training Program | Training records, frequency, role differentiation, content adequacy | All reporting entities |
| STR Testing | Whether suspicious transactions were reported to FINTRAC | All reporting entities |
| Large Cash Transaction Testing | Accuracy and timeliness of LCTR submissions | Entities with LCTR obligations incl. casinos |
| EFT Reporting | Accuracy and timeliness of reportable EFT submissions | Entities with EFT reporting obligations |
| Client Record Sampling | KYC compliance, agent/mandatary verification, identity method | All reporting entities |

Documenting Findings

The two-year review generates two categories of documented output: findings and an action plan. Findings must record the results of each area tested, including any identified deficiencies, control weaknesses, or gaps between documented policy and actual practice. The findings documentation must cover the period reviewed, not merely a snapshot of current state, because FINTRAC’s compliance examinations assess historical compliance for defined examination periods.

FINTRAC’s guidance also requires that the review documentation capture updates made to policies and procedures during the reporting period that were not the result of the review itself. This means the review must reconcile the current version of each policy against its prior version and explain the basis for any amendments made between review cycles. For entities that update their policies reactively, in response to FINTRAC guidance updates, regulatory examination findings, or staff turnover, the review must record those changes and confirm they were properly implemented.

The status of implementation of updates from prior reviews must also be documented. If an action plan from the previous two-year review required enhanced PEP screening procedures by a specific date, the current review must confirm whether that action was completed, and if not, why not. This creates a continuous improvement loop that FINTRAC expects to see functioning in practice. A reporting entity that produces an action plan but cannot demonstrate it was executed will face findings in a FINTRAC compliance examination just as surely as an entity that skipped the review entirely.

Action Plan Requirements Under PCMLTFR s. 156(3)

PCMLTFR subsection 156(3) requires that the results of the two-year effectiveness review, together with an action plan based on those results, be reported to senior management. The action plan is not optional even when the review identifies no significant deficiencies. FINTRAC’s expectations for a well-structured action plan include clear identification of each deficiency or gap, the remediation steps required, the person or team responsible for each step, and a target completion date.

For iGaming operators, the senior management reporting obligation under subsection 156(4) means that the compliance officer cannot be the sole recipient of review findings. The findings and the action plan must go to a board committee, an executive compliance committee, or a named senior officer with authority to direct resources toward remediation. Documentation of that reporting, including meeting minutes or sign-off records, is part of the compliance record that FINTRAC may request during an examination.

The compliance officer cannot be both the implementer of the compliance program and the reviewer of its effectiveness. Where internal independence cannot be achieved, an external auditor is the required solution.

The Review Plan

Alongside the review itself, PCMLTFR paragraph 156(1)(f) requires a two-year effectiveness review plan. The plan is the forward-looking document that describes how and when the review will be conducted, what methodology will be applied, and who will conduct it. The plan should address the frequency of the review, the scope of testing, the sampling approach for transaction testing, and the process for reporting findings to senior management.

The review plan must be kept current. If the entity’s risk profile changes materially between review cycles, the plan should be updated to reflect expanded testing scope. An online casino that adds a virtual currency deposit option, for example, should update its review plan to incorporate testing of the large virtual currency transaction (LVCT) reporting stream, even if that stream was not part of the prior review cycle.

What FINTRAC Examinations Look For

FINTRAC’s compliance examinations assess reporting entities against the obligations in the PCMLTFA and associated Regulations. During an examination, FINTRAC will review whether the two-year effectiveness review was conducted within the required cadence, whether the reviewer was independent, and whether the scope of the review covered all mandatory areas. Examiners will typically request the review documentation, the action plan, and evidence that findings were reported to senior management.

The iGaming Ontario annual report for 2024-2025 provides a concrete illustration of what a FINTRAC examination looks like in practice. iGaming Ontario disclosed that FINTRAC undertook a compliance examination covering the period September 1, 2023 to February 29, 2024, assessing iGO’s AML/ATF compliance program and its ability to meet its obligations under Part 1 and Part 1.1 of the PCMLTFA. FINTRAC communicated preliminary findings during an exit interview on July 17, 2025, with a formal findings letter anticipated that could indicate no further action, follow-up compliance action, or an administrative monetary penalty. The examination demonstrates that even sophisticated, publicly accountable online gaming entities operating in Canada’s regulated market are subject to full FINTRAC examination methodology.

In September 2025, FINTRAC issued a CAD 199,000 administrative monetary penalty against a non-profit Toronto casino operator, according to Canadian Gaming Business and CP24 reporting from that period. While the specific violation breakdown was not fully public at the time of writing, AMP public notices from FINTRAC consistently cite compliance program failures, including deficient two-year reviews, inadequate risk assessments, and STR reporting gaps, as the categories generating the largest penalty amounts under the harm done assessment framework.

AMP exposure: Failure to conduct a two-year effectiveness review, or conducting one that does not meet FINTRAC’s scope and independence requirements, is a violation of PCMLTFR s. 156(1)(f) and may result in an administrative monetary penalty. FINTRAC must make all AMPs public. Operators should consult qualified legal counsel when responding to FINTRAC examination findings or considering AMP challenges.

Practical Considerations for iGaming and Casino Operators

For online gaming operators registered in Ontario under the AGCO framework, the two-year effectiveness review obligation runs in parallel with AGCO Standard 6.02, which requires that AML policies and procedures supporting PCMLTFA obligations be implemented and enforced. The AGCO does not replace FINTRAC’s oversight, and a positive AGCO compliance review does not constitute a FINTRAC two-year effectiveness review. The two regulatory frameworks operate independently, and a compliance calendar must accommodate both.

Alberta’s regulated iGaming market, opening under the AGLC’s Standards and Requirements for Internet Gaming framework, will bring additional operators within PCMLTFA scope as reporting entities. Those operators must ensure their two-year review plans are established before or immediately upon becoming reporting entities. The plan is itself a required element of the compliance program; the absence of a plan is a separate violation from the absence of a completed review.

Operators that have undergone a merger, acquisition, or significant change in business structure should consider whether those events trigger an earlier review than the two-year minimum. A change in beneficial ownership, a new product vertical, a new payment method with distinct ML/TF risk characteristics, or a significant change in the client demographic all represent material changes to the risk environment that the review must cover. Waiting for the scheduled cycle to turn while the risk landscape has materially changed leaves a demonstrable gap in the compliance program record.

Compliance teams at iGaming operators regularly face the question of whether to use internal or external reviewers. The functional independence test is the determinant, not the organizational structure. A large operator with a mature internal audit function may achieve genuine independence with an internal reviewer. A smaller operator whose compliance officer doubles as the chief operating officer will not. External reviewers with PCMLTFA and gaming sector experience bring additional value in benchmarking findings against FINTRAC examination priorities and in identifying gaps that internal teams, through familiarity with their own processes, may miss.

The two-year review is also the mechanism by which a compliance program stays current with legislative and guidance changes. Canada’s AML regime has evolved materially in recent years, with virtual currency reporting obligations, sanctions evasion requirements, and beneficial ownership transparency measures all changing the scope of what a compliant program must address. Bill C-2, introduced in 2025, is anticipated to expand FINTRAC’s supervisory powers further, including enhanced information-sharing provisions. A two-year review conducted under the current legislative framework will need updating as those changes come into force. Operators should structure their review plans to incorporate a post-legislative-change review trigger as a supplement to the mandatory two-year cadence.

Connecting the Review to the Full Compliance Program

FINTRAC defines a compliance program as all five elements together: the appointed compliance officer, written and current policies and procedures, a risk assessment, an ongoing training program, and the two-year effectiveness review. The review is the audit function of this architecture. It is the mechanism that tests whether the other four elements are functioning as designed.

A compliance program that has all four other elements in place but conducts no review, or conducts a review that is limited to document inspection without transaction testing, is materially incomplete. FINTRAC’s examination methodology will assess each element of the program against the regulatory standard, and a deficient review process will produce findings on the review itself while also signaling potential deficiencies in the elements it should have tested.

For guidance on how AML compliance program obligations intersect with player-facing KYC requirements, including large cash transaction thresholds, casino disbursement reporting, and the client identification standards that feed directly into two-year review testing scope, see the AML & Financial Compliance hub on this site.

Operators building or refining their Canadian compliance programs for both Ontario and Alberta markets should also consult the AGCO vs AGLC comparison for a detailed breakdown of how the provincial iGaming frameworks interact with federal PCMLTFA obligations across both jurisdictions.

Key Resources

FINTRAC Compliance Program Requirements Guidance: the primary FINTRAC guidance document covering all five compliance program elements including the two-year effectiveness review and plan. Published by Financial Transactions and Reports Analysis Centre of Canada.

PCMLTFR, SOR/2002-184: the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations. Paragraph 156(1)(f) mandates the two-year review; subsections 156(3) and 156(4) govern the action plan and senior management reporting obligations. Available at laws-lois.justice.gc.ca.

FINTRAC Penalties for Non-Compliance: sets out the administrative monetary penalty framework, harm done assessment guides, and public notice requirements. Available at fintrac-canafe.gc.ca/pen/1-eng.

FINTRAC Harm Done Assessment Guide, Compliance Program Violations: the specific guide governing how FINTRAC calculates AMP amounts for failures in the compliance program, including two-year review deficiencies. Published by FINTRAC.
