Common AML program failures for Canadian MSBs
The compliance program failures that most frequently produce FINTRAC findings are structural, not incidental — and most are preventable.
In a FINTRAC examination, the records that show how the compliance program runs carry more weight than the policies that describe it.
A compliance policy is a description of what a company intends to do. Operating documentation is evidence of what it actually did. In a FINTRAC examination, the second category carries significantly more weight than the first. Companies that invest heavily in policy drafting without building the operational record that supports it are prepared for the wrong test.
Operating documentation is the record generated by running the compliance program. It includes the records of every monitoring alert that was reviewed and its disposition; the records of suspicious transaction escalations and their outcomes, including the basis for any decision not to file; training completion records for every employee who has responsibilities under the compliance program; the risk assessment, with a record of when it was last reviewed and what changes were made; and the periodic compliance review, with a description of what was assessed and what was found.
Each of these records is generated by doing the compliance work. A company that does the work without generating the record has a gap. A company that generates the record without doing the work has a different problem. The goal is alignment between the work being done and the records being produced.
FINTRAC examination findings are not primarily about whether the compliance policy is well-drafted. A compliance policy written in clear, precise language that maps accurately to the regulatory requirements is a good starting point. But if the examiner asks to see evidence that the policy was followed, and no records exist, the policy does not help.
The examination test for the training element is not whether the training program is well-designed. It is whether specific employees received specific training and whether those training events can be documented. The examination test for transaction monitoring is not whether the monitoring description in the policy is accurate. It is whether monitoring was run, alerts were reviewed, and those reviews were recorded.
Companies that focus compliance effort on policy drafting and neglect the operational record are well-prepared for a policy review and unprepared for an evidence review.
A documentation posture is the set of habits and systems by which operating evidence is generated and maintained as a byproduct of running the compliance program rather than as a retrospective exercise.
The elements of a useful posture are: a defined record-keeping location for compliance records, a clear responsibility for maintaining each category of record, a routine for generating the record at the time the compliance work is done rather than after the fact, and a periodic review of the record to confirm it is current and complete.
For small compliance teams, this posture does not require sophisticated technology. A shared drive with folders organized by compliance element, and a practice of saving the relevant record when the work is done, produces the documentation that an examination requires. The sophistication of the system matters much less than the consistency of the practice.
The most useful self-assessment before a FINTRAC examination is not a review of the policy language. It is a review of the operational record. For each element of the compliance program, the question is: if FINTRAC asked to see evidence that this element was implemented over the past 12 months, what records would the company produce?
If the answer to that question for any element is “we would have difficulty producing records,” the gap is in the operating documentation, not in the policy. Addressing that gap before the examination is the preparation that matters.