In Ghotaymi v. BCLC (2026 BCSC 191), the court upheld a risk-based approach to anti-money laundering controls that is directly relevant to mortgage brokers, lenders, and other mortgage service providers. The key message for the mortgage industry is that you do not need “proof” of money laundering to take enhanced due diligence steps—if the facts reasonably indicate higher risk, you can impose additional verification requirements as a preventative compliance measure.
Risk indicators can justify enhanced due diligence—even without wrongdoing
In the case, the customer repeatedly made cash transactions just below a known trigger threshold. The regulator treated that pattern as a classic red flag for “structuring” (i.e., breaking transactions into smaller amounts to avoid scrutiny). The court agreed it was reasonable to respond to that kind of pattern with tighter controls, even though there was no allegation the customer was actually laundering money.
Mortgage industry parallel: if a borrower, investor, or third party payer shows patterns that resemble threshold avoidance—e.g., repeated deposits just under internal review cutoffs, unusual payment splitting, inconsistent documentation, or rapid movement of funds—your compliance team can require additional source-of-funds documentation, apply heightened review, or decline to proceed until risks are addressed. The trigger is the risk pattern, not a criminal finding.
“Enhanced conditions” are more defensible when they are framed as risk management, not punishment
A major reason the regulator succeeded is that the measure was framed as administrative and preventative—conditions on how the customer could transact—rather than a penalty or accusation. The court viewed the control as relatively low intrusion: the customer could still participate, but had to prove where funds came from.
Mortgage industry parallel: when you need more information, position it as a standard risk-control step, not an accusation. For example: “Based on transaction characteristics, we require additional verification of the source of down payment and closing funds.” Avoid language that implies the client is a criminal; focus on your regulatory obligations and risk controls.
You can act quickly, but you should still explain the “why”
The court accepted that organizations may need to act quickly to control AML risk and do not always have to provide advance notice or a pre-decision hearing before applying enhanced controls. However, the court also signaled that customers should generally receive an understandable explanation after the fact—especially because they cannot meaningfully respond or seek reconsideration unless they know what triggered the concern.
Mortgage industry parallel: it is usually reasonable to pause a file or require enhanced documentation immediately when risks emerge (particularly close to closing), but you should still provide a clear, non-sensitive explanation. A short rationale such as “the payment pattern is inconsistent with the stated source of funds” is often enough. This also reduces complaint risk and improves the defensibility of your file if FINTRAC ever reviews it.
“Overinclusive” controls can be acceptable if they are proportionate
The customer in the case had an innocent explanation that made sense. The court still upheld the control because the public interest in preventing money laundering is high, and the verification step was not overly burdensome. Importantly, the court accepted that a risk-based system will sometimes capture legitimate customers—what matters is that the response is proportionate and tied to a real risk rationale.
Mortgage industry parallel: you can require bank statements, deposit history, proof of sale proceeds, gift letters with corroboration, corporate ownership details, and explanations for unusual flows—even if the client insists everything is legitimate—so long as your requests are reasonable and connected to the risk you are trying to mitigate.
Documented policies matter
BCLC relied on a detailed AML manual with defined risk criteria (e.g., structuring indicators, profile inconsistent with activity). The court found it persuasive that the decision aligned with written risk factors rather than an ad hoc hunch.
Mortgage industry parallel: your strongest defence is a well-written AML program that (1) defines higher-risk patterns, (2) lists what enhanced measures you apply in response, and (3) requires documentation of the rationale in the file. When an underwriter escalates a file, the record should clearly show which red flag was observed, what steps were taken, and what conclusion was reached.
Privacy: collecting financial information is permitted when it is necessary for AML compliance
The customer argued the regulator had no right to collect private banking information. The court rejected that argument because the information was directly connected to AML obligations and necessary for the regulator’s mandate.
Mortgage industry parallel: asking for bank records and source-of-funds documents is generally defensible when it is necessary to meet AML obligations—but you should still follow privacy best practices: collect only what you need, explain the purpose, restrict access, and apply retention limits.
A key operational warning: “indefinite flags” create governance risk
One fact the court noted (without deciding it) was that the conditions were effectively indefinite and that removals were rare. In any regulated industry, “once flagged, forever flagged” can create fairness, customer, and governance problems.
Mortgage industry parallel: build a real off-ramp. If you categorize a client as higher risk, you should have periodic review criteria, clear documentation of what would satisfy the concern, and appropriate second-line compliance oversight. Otherwise, your process can look arbitrary, even if your initial decision was reasonable.
Practical bottom line for mortgage services clients
This case supports a core AML principle: you are allowed (and often expected) to be cautious. When transaction patterns suggest elevated ML risk, you can require enhanced source-of-funds verification or slow/stop a transaction—even if you cannot prove illicit activity—provided your steps are proportionate, policy-based, documented, and accompanied by a clear explanation.