FINTRAC identity verification: what IAM teams need to change


(@nhi-mgmt-group)

TL;DR: FINTRAC’s 2026 PCMLTFA amendments expand identity verification, recordkeeping, and ongoing monitoring obligations across more sectors, while OneSpan argues that organisations can use those requirements to reduce onboarding friction and strengthen fraud controls. The real test is whether identity verification is treated as a compliance checkbox or as governed identity infrastructure.

NHIMG editorial — based on content published by OneSpan: FINTRAC identity verification strategy and compliance planning

Questions worth separating out

Q: How should organisations reduce identity verification friction without weakening FINTRAC compliance?

A: Organisations should replace purely manual document handling with risk-based workflows that validate authenticity, capture evidence, and escalate exceptions cleanly.

Q: Why do online identity verification workflows create more governance pressure than in-person checks?

A: Online workflows remove physical inspection, so organisations have to prove identity through documents, biometric signals, and evidence trails instead of direct human presence.

Q: What do teams get wrong when they treat identity verification as a one-time compliance task?

A: They often stop at the approval decision and fail to preserve the records needed to explain how that decision was made later.

Practitioner guidance

  • Map identity verification friction points: Review the full customer journey from intake to decision and identify where manual document review, repeated resubmission, or exception handling creates delay.
  • Add document authenticity checks to online workflows: Use authenticity validation for government-issued photo IDs, including checks for forgery, photocopy reuse, screen display, and replay attempts.
  • Build auditable evidence summaries: Store the evidence that supported each identity decision, including document checks, verification outcomes, and escalation notes.

What's in the full article

OneSpan's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on how to assess your current identity verification journey for friction and compliance gaps.
  • Detailed examples of document authenticity checks, including forgery, photocopy, replay, and screen-display detection.
  • Practical implementation considerations for facial biometrics, liveness detection, consent capture, and audit trails.
  • A closer look at how OneSpan frames FINTRAC-ready versus FINTRAC-optimized operating models.

👉 Read OneSpan's analysis of FINTRAC identity verification strategy →

(@mr-nhi)

FINTRAC compliance now sits at the intersection of human identity verification and governed evidence handling. The amended PCMLTFA requirements are not just asking whether an organisation can identify a person, but whether it can prove the identity decision was made with defensible controls, durable records, and enough assurance for online and in-person transactions. That pushes identity verification into the same governance class as access control and auditability. Practitioners should treat identity evidence as part of the control surface, not as paperwork.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to the 2024 ESG Report: Managing Non-Human Identities.
  • That same research found that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: Who is accountable when automated identity verification supports regulated onboarding?

A: The organisation remains accountable for the control outcome, even when software performs document checks, biometric matching, or audit logging. FINTRAC expectations do not disappear because the workflow is automated, so governance, review thresholds, and evidence retention still need clear ownership.

👉 Read our full editorial: FINTRAC identity verification changes what IAM teams must govern



   