FINTRAC IT Controls for Canadian Accountants: A 2026 Practitioner Guide


Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

FINTRAC obligations attach to a Canadian accountant the moment the engagement involves receiving, paying, or instructing on funds, securities, or real estate on a client’s behalf. The trigger is the activity, not the firm size. A two-partner CPA practice in Burlington that handles trust-account transfers for one estate client is a reporting entity under PCMLTFA Part 1, with the same record-keeping and reporting obligations as a 40-partner Bay Street firm.

That is the line most accounting practices miss until a FINTRAC examination notice arrives. By the time the examiner asks for two years of client-identification records, the IT controls that were supposed to capture them either exist and are intact, or they don’t. Reconstruction after the fact is rarely defensible.

This post is the IT-controls deep dive inside our 2026 AI and IT playbook for Canadian accounting firms. It applies to CPAs and accounting firms engaged in trigger activities under FINTRAC’s accountant guidance, regardless of province, with the Ontario-supervised CPA Code of Professional Conduct as the professional-accountability overlay.

Key Takeaways

  • FINTRAC applies the moment an accountant engages in receiving, paying, or transferring funds, securities, or real estate on a client’s behalf. The firm size does not change the obligation (FINTRAC accountant guidance, 2024).
  • FINTRAC Guide 8 requires record retention for at least five years from the date the record was created, with the records produced within 30 days of an examiner request.
  • Suspicious Transaction Reports (STRs) must be filed as soon as practicable after the firm has reasonable grounds to suspect; the IT audit trail that supports that timeline is what FINTRAC actually examines.
  • The PIPEDA + FINTRAC + CPA Code stack means the same client record is governed by three regimes at once. An IT control that satisfies only one of the three is incomplete.
  • The CPA Code of Professional Conduct’s confidentiality rule (Rule 208) does not override FINTRAC reporting. STR tipping-off restrictions resolve the conflict.


When FINTRAC applies to accountants: the trigger-activity test

FINTRAC’s accountant guidance frames the obligation around triggering activities, not around the type of practice. An accountant or accounting firm becomes a reporting entity under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) when they engage in, or give instructions in respect of, three categories of activity.

Those three categories are: receiving or paying funds; purchasing or selling securities, real properties, or business assets or entities; transferring funds or securities by any means.

The list is operational. Audit, tax preparation, bookkeeping, advisory, and assurance work performed without instructing on funds movement do not trigger FINTRAC. The moment an engagement letter authorizes the firm to receive estate funds, pay a vendor on behalf of a client, instruct a transfer between accounts, or close a real-estate purchase using the firm’s trust account, the firm crosses the line.

A practice that crosses the line on even one client file is a reporting entity for that activity. The compliance program, client identification, record keeping, and reporting obligations apply to the firm as a whole once the trigger has been met, and the IT controls have to match.

Two scenarios show up repeatedly in Canadian practice. The first is estate work where the firm acts as executor or trustee: the firm receives estate funds, pays beneficiaries, and distributes assets, so the trigger is met. The second is a real-estate closing where the accountant instructs a wire transfer for a client purchase: the trigger is met even if the transaction closes through a lawyer’s trust account, because the accountant instructed the transfer.

A grey zone that comes up: advisory work where the accountant recommends a transfer but the client executes it from their own bank account. If the firm does not give the instruction to the bank, the activity is not triggered. Document the engagement scope to make the boundary visible.


FINTRAC Guide 8 and the record-keeping IT controls

Guide 8 itemizes the records a reporting accountant must keep: client identification records, large cash transaction records (CTRs), electronic funds transfer records over $10,000 in 24 hours (EFTRs), records of suspicious transactions whether or not reported, terrorist property records, and the compliance program documentation including the risk assessment, policies, training records, and the two-yearly effectiveness review.

For each record type the IT controls have to deliver four properties at examination time: completeness (the record exists), integrity (it has not been altered after creation), retention (it is preserved for at least five years), and producibility (it can be retrieved within 30 days). The control set below maps each property to the Microsoft 365 surface most Canadian accounting firms already run.

| Record type | IT control | M365 surface |
|---|---|---|
| Client identification records | Encrypted at rest; retention label of 5 years from record date; immutable audit log of access events; identity-document image scanned with creation timestamp. | SharePoint with Purview retention label; Unified Audit Log for access events |
| Large cash transaction records | Dated and signed at the time of receipt; retention label applied at file creation; export-on-demand to FINTRAC submission format. | SharePoint document library with Power Automate workflow |
| EFTR records (over $10,000) | Captured from the firm’s trust-account banking export; reconciled monthly; retention 5 years; integrity hash for each batch. | Banking export to SharePoint with Purview retention |
| Suspicious transaction records (reported and unreported) | Access restricted to the compliance officer and named delegates; tipping-off controls enforced; retention 5 years from the date of the STR or the date the firm decided not to file. | Restricted SharePoint site with sensitivity label |
| Compliance program documentation | Risk assessment, policies, training records, two-yearly effectiveness review, all dated and signed by the compliance officer; retention 5 years per version. | SharePoint compliance library with version history |
| Ministerial directive records | Records of any transaction subject to a ministerial directive under Part 1.1 of the PCMLTFA; retention 5 years; flagged for accelerated review. | Dedicated SharePoint site with restricted access |

The dominant compliance failure mode at small Canadian firms is not the absence of records. It is records held in personal email, on local drives, or in a former-employee’s OneDrive that was deleted at offboarding. A retention label applied at the tenant level prevents the deletion regardless of where the file lives, and the Unified Audit Log captures the access trail FINTRAC examines.

The PIPEDA + FINTRAC + CPA Code stack

A single client record at a Canadian accounting firm sits inside three regulatory regimes at the same time. PIPEDA governs the personal information of the client and any individual identified in the record. PCMLTFA Part 1 governs the record as a FINTRAC reporting obligation. The CPA Code of Professional Conduct governs the firm’s conduct in handling the information. An IT control that satisfies only one of the three is incomplete.

PIPEDA requires the firm to protect personal information with safeguards proportionate to its sensitivity, to retain it only as long as necessary, to give the data subject access on request, and to notify affected individuals of a breach of security safeguards that poses a real risk of significant harm under Section 10.1.

FINTRAC requires the same record to be retained for at least five years and produced to the regulator on request. The CPA Code requires confidentiality, due care, and professional behaviour in the firm’s handling of the record. Three regimes, one artefact.

The retention conflict is the most common one. PIPEDA says retain no longer than necessary; FINTRAC says retain at least five years. The resolution is that the FINTRAC requirement is the legal mandate that defines the “necessary” period for the records inside Guide 8’s scope. A five-year retention label on identification records, transaction records, and STR records satisfies both regimes simultaneously.


Quebec Law 25 adds a fourth layer for any firm with a Quebec resident in its client base. The breach-notification clock and the data-residency expectation are tighter than PIPEDA’s, and the IT control surface has to accommodate it. The PIPEDA compliance for Canadian small business primer covers the federal track; the stack here adds the FINTRAC and CPA Code layers.

Decision matrix: FINTRAC obligation by IT control and CPA Code overlap

The matrix below is the one we use in scoping conversations with Canadian CPA firms that are inside FINTRAC’s perimeter. Each row maps a FINTRAC obligation to the IT control that implements it, the CPA Code rule that overlays it, and the Microsoft 365 surface where the control lives. The matrix is a tool for the compliance officer to confirm coverage, not a substitute for the firm’s documented compliance program.

| FINTRAC obligation | IT control | CPA Code overlay | M365 mapping |
|---|---|---|---|
| Client identification (individual, entity, beneficial owner) | Identity capture form, scanned ID storage, beneficial-owner declaration with retention label | Rule 201 (due care); Rule 208 (confidentiality) | Microsoft Forms + SharePoint + Purview label |
| Ongoing monitoring and risk assessment | Risk-rated client list, periodic review schedule, dated risk assessment artefact | Rule 202 (integrity); Rule 203 (professional competence) | SharePoint list with Power Automate review reminders |
| Suspicious transaction reporting (STR) | STR draft template, compliance-officer-restricted access, tipping-off enforcement on internal messaging | Rule 208 (confidentiality, with PCMLTFA carve-out); Rule 215 (cooperation with regulators) | Restricted SharePoint site + Teams sensitivity label |
| Compliance program, training, two-yearly effectiveness review | Documented program with version history, completion tracking, dated effectiveness review | Rule 203 (professional competence); Rule 204 (objectivity) | SharePoint training site + Microsoft Viva Learning |
| Five-year record retention with 30-day producibility | Tenant-level retention label, immutable audit log, eDiscovery-ready hold | Rule 208 (confidentiality); Rule 215 (cooperation with regulators) | Purview retention + Purview eDiscovery (Premium) |
| Compliance officer designation and accountability | Named individual on the firm’s compliance program; documented authority; reporting line to the firm’s senior leadership | Rule 102 (reputation of the profession); Rule 203 (professional competence) | Entra ID role assignment + governance documentation |

The matrix has one column the small-firm compliance officer often forgets: tipping-off enforcement on internal messaging. PCMLTFA section 8 makes it an offence to disclose to anyone the fact that an STR has been filed or is contemplated. Teams chats, Slack messages, and shared mailboxes are the leakage vectors. A sensitivity label that restricts the STR work product to the compliance officer and named delegates closes the gap.

Suspicious transaction reporting and the IT audit trail

STRs are the highest-stakes reporting obligation under PCMLTFA. The trigger is reasonable grounds to suspect, which is a lower bar than reasonable grounds to believe. The reporting timeline is “as soon as practicable,” not a fixed clock, and FINTRAC weighs the firm’s process by examining the IT audit trail of the decision points.

A defensible STR audit trail captures four moments: the date and time the indicator was first identified by any staff member; the date and time the compliance officer received the escalation; the date and time the compliance officer formed reasonable grounds to suspect; and the date and time the STR was submitted to FINTRAC. The gap between each pair is what an examiner reviews. Long gaps without contemporaneous notes are the failure pattern.

The IT controls that make the trail defensible: an indicator-logging form accessible to every staff member with read-once routing to the compliance officer, a compliance-officer-only review log with timestamped notes, an STR draft library with version history, and a submission confirmation receipt captured into the firm’s record. All four artefacts share the same five-year retention label.
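One way to check the four moments and the gaps between them before an examiner does, as an added example (not Fusion’s tooling and not from the original post): it assumes the review log can be exported as rows of File, Moment, When and Note, and the sample rows and the 7-day review threshold are constructed.

```powershell
# Added example, not the firm's or Fusion's own script. The rows below are constructed sample data;
# the four moment names and the 7-day threshold are assumptions for illustration.
$MomentOrder = 'IndicatorIdentified', 'EscalationReceived', 'GroundsFormed', 'StrSubmitted'

$Trail = @(
    [pscustomobject]@{ File = 'EST-2025-014'; Moment = 'IndicatorIdentified'; When = '2026-01-12T09:15:00'; Note = 'Third-party deposit into estate account, source unexplained' }
    [pscustomobject]@{ File = 'EST-2025-014'; Moment = 'EscalationReceived';  When = '2026-01-12T11:40:00'; Note = 'Routed to compliance officer via indicator form' }
    [pscustomobject]@{ File = 'EST-2025-014'; Moment = 'GroundsFormed';       When = '2026-01-15T16:05:00'; Note = 'Bank confirmed no beneficiary link; reasonable grounds to suspect' }
    [pscustomobject]@{ File = 'EST-2025-014'; Moment = 'StrSubmitted';        When = '2026-01-16T10:20:00'; Note = 'FINTRAC confirmation receipt saved to STR library' }
    [pscustomobject]@{ File = 'RE-2026-003';  Moment = 'IndicatorIdentified'; When = '2026-02-02T14:00:00'; Note = 'Wire instruction amended twice on closing day' }
    [pscustomobject]@{ File = 'RE-2026-003';  Moment = 'EscalationReceived';  When = '2026-02-19T09:30:00'; Note = '' }
)

function Get-StrTrailFindings {
    # Emits one finding per consecutive pair of moments per file, plus a completeness finding
    # when any of the four moments is absent. A gap longer than $MaxGapDays with no note at the
    # later moment is the pattern the text describes as the failure mode.
    param([object[]]$Events, [int]$MaxGapDays = 7)
    foreach ($group in $Events | Group-Object File) {
        $byMoment = @{}
        foreach ($e in $group.Group) { $byMoment[$e.Moment] = $e }

        for ($i = 1; $i -lt $MomentOrder.Count; $i++) {
            $from = $byMoment[$MomentOrder[$i - 1]]
            $to   = $byMoment[$MomentOrder[$i]]
            if (-not $from -or -not $to) { continue }   # missing moments are reported below
            $gapDays = ([datetime]$to.When - [datetime]$from.When).TotalDays
            $finding = 'OK'
            if ($gapDays -gt $MaxGapDays) {
                $finding = if ([string]::IsNullOrWhiteSpace($to.Note)) { 'LONG GAP, NO CONTEMPORANEOUS NOTE' } else { 'Long gap, note present' }
            }
            [pscustomobject]@{
                File    = $group.Name
                Step    = "$($from.Moment) -> $($to.Moment)"
                GapDays = [math]::Round($gapDays, 1)
                Finding = $finding
            }
        }

        $missing = @($MomentOrder | Where-Object { -not $byMoment.ContainsKey($_) })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                File    = $group.Name
                Step    = 'Completeness'
                GapDays = $null
                Finding = "Missing moments: $($missing -join ', ')"
            }
        }
    }
}

Get-StrTrailFindings -Events $Trail | Format-Table -AutoSize
```

On the constructed rows, EST-2025-014 reports three OK steps, and RE-2026-003 reports a 16.8-day gap with no note plus two missing moments, which is the file an examiner would pull first.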

The tipping-off rule overlays every step. The indicator-logging form should not be visible to the client; Teams channels discussing the file should not include the client’s account team where the file is theirs; the firm’s engagement-continuation decision should be documented in a separate restricted location from the client’s general matter file. Our cybersecurity services hub covers the sensitivity-label and access-control architecture in more depth.


The 8-step IT compliance rollout for FINTRAC reporting entities

A Canadian accounting firm that has just identified itself as a FINTRAC reporting entity has a sequenced path to defensible IT controls. The eight steps below are the rollout we run with new accounting-firm engagements. Each step has an owner, an output artefact, and a typical duration. The full rollout closes inside 60 days at most 6-to-15-partner firms.

8-step FINTRAC IT controls rollout

  1. Scope confirmation (days 1-3). Engagement letters and active client list are reviewed by the compliance officer and the firm’s legal counsel to confirm which activities cross the FINTRAC trigger. The output is a scoping memo that names the activities and the affected client files.
  2. Risk assessment (days 3-10). The firm produces a documented risk assessment under PCMLTFA section 9.6 covering client risk, geographic risk, product or service risk, channel risk, and the firm’s overall control environment. The compliance officer dates and signs the assessment.
  3. Compliance program documentation (days 7-21). Policies, procedures, training plan, and the two-yearly effectiveness review schedule are drafted, reviewed, and signed off. The compliance officer is named in the firm’s organizational documentation with explicit authority.
  4. M365 retention labels and audit logging (days 14-28). Purview retention labels are configured at the tenant level: five-year labels for client identification records, transaction records, and STR records; a separate compliance-program-documentation label for policy versions. Unified Audit Log is enabled and verified.
  5. SharePoint architecture and sensitivity labels (days 21-35). A FINTRAC site collection is provisioned with restricted-access libraries for identification records, transaction records, and STR work product. Sensitivity labels enforce the tipping-off controls. Access is granted to the compliance officer and named delegates only.
  6. STR workflow and forms (days 28-42). The indicator-logging form, the compliance-officer review log, the STR draft template, and the FINTRAC submission confirmation capture are configured. Power Automate routes escalations and timestamps each transition.
  7. Training rollout (days 35-49). Every staff member who touches client funds, securities, or real-estate transactions completes role-appropriate training. The two-yearly effectiveness review cadence is established. Training completions are dated and retained.
  8. Dry run and effectiveness review (days 49-60). The firm runs a tabletop on one historical client file against the new controls. Gaps are documented and remediated. The compliance officer signs the first effectiveness review, scheduled to recur every two years.
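The tenant-level pieces of steps 4 and 5, and the Purview surfaces the record-keeping table above relies on, as an added example in Security & Compliance and Exchange Online PowerShell. This is not Fusion’s rollout script; it assumes the ExchangeOnlineManagement module, an account permitted to manage Purview labels and audit configuration, and placeholder addresses and site names.

```powershell
# Added example, not Fusion's own rollout script. Assumes the ExchangeOnlineManagement module is
# installed and the signed-in account can manage Purview labels and audit configuration.
# Every address, group and site name below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession     # Security & Compliance PowerShell: labels and retention policies
Connect-ExchangeOnline  # Exchange Online PowerShell: Unified Audit Log settings and search

$ComplianceOfficer = 'compliance.officer@firm.example'   # placeholder: the named compliance officer
$StrDelegates      = 'str-delegates@firm.example'         # placeholder: mail-enabled group of named delegates
$FiveYears         = 1826                                 # 5 x 365 days plus one leap day

# Step 4a: five-year record label. The clock starts at record creation (Guide 8), the action is Keep,
# and declaring it a record label means staff cannot delete a labelled item, not just offboarding jobs.
New-ComplianceTag -Name 'FINTRAC-5yr' `
    -Comment 'FINTRAC Guide 8: keep at least five years from record creation' `
    -RetentionAction Keep -RetentionType CreationAgeInDays `
    -RetentionDuration $FiveYears -IsRecordLabel $true

# Publish the label to every workload so it can be applied wherever a record is created.
New-RetentionCompliancePolicy -Name 'FINTRAC-5yr-labels' `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Policy 'FINTRAC-5yr-labels' -PublishComplianceTag 'FINTRAC-5yr'

# Step 4b: tenant-level backstop. A retention policy (no label required) keeps all mailbox, SharePoint
# and OneDrive content five years from creation, so a departed partner's OneDrive survives offboarding.
New-RetentionCompliancePolicy -Name 'FINTRAC-5yr-backstop' `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Policy 'FINTRAC-5yr-backstop' `
    -RetentionDuration $FiveYears -RetentionComplianceAction Keep -ExpirationDateOption CreationAgeInDays

# Step 4c: confirm Unified Audit Log ingestion, which is the access trail the examiner asks for.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Step 5: sensitivity label for STR work product. Usage rights go only to the compliance officer (OWNER)
# and the delegate group (view, edit, print). EXTRACT, FORWARD and EXPORT are deliberately absent:
# that omission is what blocks copy-out, forwarding and external sharing of the protected content.
New-Label -Name 'FINTRAC-STR' -DisplayName 'FINTRAC STR (restricted)' `
    -Tooltip 'STR work product. Compliance officer and named delegates only (PCMLTFA s. 8 tipping-off).' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "$($ComplianceOfficer):OWNER;$($StrDelegates):VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT"
# Publish the label only to the people allowed to use it.
New-LabelPolicy -Name 'FINTRAC-STR-policy' -Labels 'FINTRAC-STR' `
    -ExchangeLocation $ComplianceOfficer, $StrDelegates

# Producibility check: export the last 30 days of file events on the STR site (placeholder URL
# fragment '/sites/FINTRAC-STR/') into a CSV that can go straight into the examination file.
$now = Get-Date
Search-UnifiedAuditLog -StartDate $now.AddDays(-30) -EndDate $now `
    -RecordType SharePointFileOperation `
    -Operations FileAccessed, FileDownloaded, FileModified, FileDeleted -ResultSize 5000 |
    Where-Object { $_.AuditData -like '*/sites/FINTRAC-STR/*' } |
    Select-Object CreationDate, UserIds, Operations |
    Export-Csv -NoTypeInformation -Path '.\str-access-trail.csv'
```

The record label and the backstop policy are independent: the label documents which items are FINTRAC records, while the policy is what keeps a file alive when it was never labelled because it sat in personal email or a former employee's OneDrive.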

FIELD NOTE FROM MIKE

A Q1 2026 audit-prep engagement with a 9-partner Hamilton accounting firm started with a FINTRAC examination notice arriving on a Tuesday. The firm had been a reporting entity for three years on estate-trustee work but had never run a formal risk assessment. The first 36 hours were spent reconstructing the client-identification trail from email attachments, scanned PDFs in OneDrive, and one partner’s personal Dropbox.

We hit 30-day producibility on day 18. The retention labels and Unified Audit Log went live on day 22. The effectiveness review and the documented compliance program closed on day 41.

The examination closed with a corrective-action letter, not an enforcement penalty. The lesson the firm took away: the IT controls were always going to exist or not exist. Reconstructing them under examination pressure is roughly 4 to 6 times the effort of building them ahead of time.

Mike Pearlstein, CISSP, Fusion Computing. Engagement details anonymized; named-client clearance pending.

“The pieces of Microsoft 365 we already paid for did most of the FINTRAC work once they were configured the right way. The unlock was getting the retention labels and the sensitivity labels right at the tenant level, not at the file level. Once those were in place, the rest was process.”

Managing partner, mid-size CPA firm, Greater Toronto Area. Engagement started Q4 2025; quote shared with permission.

Common FINTRAC IT mistakes Canadian accounting firms make

Across the accounting-firm engagements Fusion has run since 2022, four mistakes account for most of the avoidable FINTRAC examination friction.

| Don’t | Why it fails | Do this instead |
|---|---|---|
| 1. Treat record retention as a folder-organization problem. | Folders depend on staff discipline. Records in personal email, on local drives, or in a former employee’s OneDrive disappear at offboarding. FINTRAC examines tenant-level retention, not folder structure. | Apply tenant-level Purview retention labels. A five-year label preserves the record regardless of where it lives or who created it. Folder structure becomes a navigation aid. |
| 2. Discuss STR-related files in general firm channels. | PCMLTFA section 8 prohibits tipping off about an STR or contemplated STR. Teams chats and shared mailboxes that include the client’s account team violate the restriction even when no one intends to leak. | Restrict STR work product to a compliance-officer-only SharePoint site with a sensitivity label that prevents copy, forwarding, and external sharing. Teams discussion happens in a private channel limited to the compliance officer and named delegates. |
| 3. Rely on the engagement letter to bound FINTRAC scope. | FINTRAC scope is the activity, not the contract. An engagement letter that scopes the firm to advisory work but operationally has the partner instruct a wire transfer crosses the trigger anyway. The firm becomes a reporting entity in fact. | Review engagement scope against operational reality every six months. Update engagement letters to match what the firm actually does. If the firm crosses the trigger, document the date and start the compliance program. |
| 4. Skip the two-yearly effectiveness review because the program is documented. | The effectiveness review is a PCMLTFA section 9.6 requirement, not an optional best practice. A firm with a documented program but no dated effectiveness review is non-compliant on a line item FINTRAC examiners check first. | Schedule the effectiveness review every two years. The compliance officer dates and signs the review with explicit findings and remediation actions. Retain the artefact for at least five years from the review date. |


Frequently asked questions

Does FINTRAC apply to my accounting firm if we only do tax and audit work?

Not on the basis of tax or audit work alone. FINTRAC scope is triggered by receiving, paying, or instructing on funds, securities, or real estate on a client’s behalf. A firm whose entire practice is advisory, tax preparation, and assurance, with no funds movement on client account, is outside the reporting-entity perimeter. The moment one engagement crosses the trigger, the firm becomes a reporting entity for that activity.

How long do we have to keep FINTRAC records?

At least five years from the day the record was created, per FINTRAC Guide 8. Records must be produced to FINTRAC within 30 days of a request. The Microsoft 365 control that delivers both properties is a Purview retention label applied at the tenant level, not at the file level, so the record is preserved regardless of where it lives or who created it.

What happens if our compliance program is documented but we have not done the two-yearly effectiveness review?

The firm is non-compliant on a line item FINTRAC examiners check early in any examination. PCMLTFA section 9.6 requires the effectiveness review on a two-year cycle, signed and dated by the compliance officer. A firm in this position should schedule the review immediately, run it against the documented program, and remediate any gaps before the next examination cycle.

Can our MSP serve as the FINTRAC compliance officer?

No. The compliance officer is a named individual inside the firm with explicit authority and a reporting line to senior leadership. An MSP can support the compliance officer with IT controls, training delivery, and audit-log review, but the named individual must be a partner or employee of the accounting firm. The CPA Code rules on professional responsibility do not delegate.

Does the CPA Code of Professional Conduct prevent us from filing an STR?

No. CPA Code Rule 208 (Confidentiality) carves out disclosure required by law. PCMLTFA reporting is required by law, so an STR filed in good faith does not breach the Code. The tipping-off rules under PCMLTFA section 8 then prevent the firm from telling the client about the report, which resolves the apparent conflict between confidentiality and reporting.

What is the difference between an STR and a Large Cash Transaction Report?

A Large Cash Transaction Report (LCTR) is required for any single cash transaction or multiple related cash transactions totalling $10,000 or more in 24 hours, regardless of suspicion. An STR is required when the firm has reasonable grounds to suspect any transaction or attempted transaction is related to money laundering or terrorist financing, regardless of amount or method. The two reports are independent and can apply to the same transaction.

How does Quebec Law 25 stack with FINTRAC for accounting firms?

Law 25 applies to any firm that holds personal information about a Quebec resident, regardless of where the firm is located. The breach-notification clock and the data-residency expectation are tighter than PIPEDA’s. The FINTRAC five-year retention requirement still applies; Law 25 governs the notification and consent layer on the same record. A firm with one Quebec-resident client file inherits Law 25 obligations on that file.

Where in Microsoft 365 should we store FINTRAC records?

A dedicated SharePoint site collection with restricted-access libraries for identification records, transaction records, and STR work product. Purview retention labels enforce five-year retention at the tenant level. Sensitivity labels enforce tipping-off controls on STR-related files. The Unified Audit Log captures access events for the FINTRAC examiner. Personal email, OneDrive, and Teams chat are not appropriate FINTRAC storage surfaces.

What does a FINTRAC examination of our IT controls actually look like?

An examiner asks for the dated risk assessment, the compliance program documentation, the training records for the period under review, the most recent effectiveness review, a sample of client identification records, a sample of transaction records, and the STR audit trail for any reportable indicators in scope. The records must be produced within 30 days. The examiner reviews completeness, integrity, retention, and producibility for each record class.

Do we need to register with FINTRAC?

Accountants and accounting firms do not register with FINTRAC the way money services businesses do. The reporting-entity status is automatic when the firm engages in the trigger activities. The firm does establish a relationship with FINTRAC by submitting its first report (LCTR, EFTR, STR, or terrorist property report). The compliance program must exist whether or not the firm has filed a report yet.

What is the penalty range for FINTRAC non-compliance at an accounting firm?

Administrative monetary penalties under PCMLTFA range from $1 to $100,000 per violation for a designated very serious violation; up to $250,000 for a corporation under criminal conviction. Penalty severity reflects the firm’s history, the nature of the violation, and the firm’s cooperation. The most expensive outcome is rarely a single penalty; it is the supervisory follow-up that puts the firm on an ongoing examination schedule.

How does this connect to our cyber-insurance coverage?

Most Canadian SMB cyber policies underwrite on the firm’s overall control posture. A FINTRAC-compliant control set, layered on the CCCS Baseline V1.2, raises the firm’s control maturity in underwriter language. Carriers also require notification before forensic engagement on any material incident. Our cybersecurity services overview covers the insurance-readiness posture in more depth.

Conclusion

FINTRAC obligations attach to the activity. Once a Canadian accounting firm crosses the trigger on even one client file, the firm is inside the reporting-entity perimeter, and the IT controls have to support a regulator that examines completeness, integrity, retention, and 30-day producibility on five-year records.

The control set is not exotic. A tenant-level Purview retention label, a restricted SharePoint site for STR work product, a sensitivity label enforcing the tipping-off rule, and a documented compliance program with a two-yearly effectiveness review handle the structural requirements. The Microsoft 365 tenant most firms already pay for does most of the work once it is configured the right way.

The firms that come through a FINTRAC examination cleanest are the ones whose compliance officer can produce the dated risk assessment, the training completions, the access-review log, and the STR audit trail without reconstructing anything. Reconstruction is the failure mode. The full control surface is covered in the AI and IT playbook for Canadian accounting firms.

Sector-specific deep dives include CRA EFILE security for Canadian accounting firms, tax-season cybersecurity for Canadian CPA firms, CCH iFirm and CaseWare hardening, our cybersecurity services hub, and the PIPEDA compliance for Canadian small business primer for the parallel federal privacy track.

Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.
