
AML/KYC Compliance for MSBs in Canada: What You Actually Need

The Reality of AML/KYC for Canadian MSBs

Getting your FINTRAC registration is just the starting line. The real work begins when you have to actually build and run an AML/KYC compliance program. And this is where most MSB founders hit a wall they didn't see coming.

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its regulations don't just tell you to "have compliance." They spell out very specific obligations around customer identification, transaction monitoring, record keeping, and reporting. Miss any of these and FINTRAC won't just send you a warning letter. They'll issue penalties that can reach $500,000 per violation for individuals and up to $5 million for entities under the updated administrative monetary penalties framework.

But here's the thing most founders don't realize early enough. A good compliance program isn't just about avoiding fines. It's what gets you a bank account. It's what keeps that bank account open. Banks look at your compliance framework before they look at your revenue. So if your AML/KYC program is weak or feels like a template someone downloaded, banks will walk away. And that's a much bigger problem than any FINTRAC fine.

This guide covers what a real compliance program looks like for a Canadian MSB. Not the theoretical version. The version that actually works when FINTRAC shows up for an examination and when your banking partner asks to review your controls.

The Five Pillars of an MSB Compliance Program

FINTRAC requires every MSB to have five specific elements in their compliance program. Skip any one of these and you're non-compliant from day one.

1. Appointment of a Compliance Officer

You need a named individual responsible for your AML/ATF compliance program. FINTRAC calls this person the Chief Anti-Money Laundering Officer (CAMLO) or Compliance Officer. This person must have the authority, knowledge, and access to carry out the role. You can't just put the CEO's name on a form and forget about it. The CAMLO needs to understand the regulations, oversee day-to-day compliance operations, and be the primary contact for FINTRAC. For smaller MSBs, the founder often takes this role. That's fine, but you need to actually do the work that comes with it.

2. Written Compliance Policies and Procedures

Your policies need to be written, detailed, and specific to your business. Generic templates don't cut it. FINTRAC examiners can tell within minutes if your compliance manual was actually built for your operations or if someone copied it from a Google search. Your policies must cover customer identification, ongoing monitoring, suspicious transaction detection, record keeping, reporting obligations, sanctions screening, and how you handle high-risk customers. Every policy needs to reflect how your business actually works. A crypto exchange has different risks than a remittance operator, and your compliance manual should show that you understand your own risk profile.

3. Risk Assessment

You're required to assess and document the money laundering and terrorist financing risks specific to your business. This isn't a one-time exercise. Your risk assessment should consider your products and services, delivery channels, geographic exposure, customer types, and transaction volumes. FINTRAC expects you to update this regularly and whenever your business model changes. A risk assessment that sits in a drawer untouched for two years is the same as not having one at all in FINTRAC's eyes.

4. Ongoing Compliance Training

Everyone who handles transactions, deals with customers, or has access to client data needs AML/ATF training. Not just once during onboarding. Ongoing, documented, and updated when regulations change. FINTRAC will ask to see your training records. They'll want to know what was covered, who attended, when it happened, and how you tested comprehension. If you can't produce these records, that's a finding. Even if you only have three employees, you still need documented training.

5. Two-Year Effectiveness Review

Every two years, you must have your compliance program reviewed for effectiveness. And here's the catch: FINTRAC strongly recommends this be done by someone independent. That means not the CAMLO reviewing their own work. An external consultant, an internal auditor who wasn't involved in building the program, or a qualified third party. The review needs to test whether your policies actually work in practice, whether your staff follow the procedures, and whether your transaction monitoring catches what it should. This isn't a checkbox. It's a real test of your program.

KYC: Customer Identification and Verification

KYC is where your compliance program meets your customers. Get this wrong and everything downstream falls apart. Your transaction monitoring, your reporting, your risk management. All of it depends on knowing who your customer actually is.

Individual Customers

For individual customers, you must verify their identity before or during the first transaction. FINTRAC requires you to collect their legal name, date of birth, and address, and then verify this information using one of the approved methods. The most common approach is the dual-process method where you verify the name and date of birth from one reliable source and the name and address from a different reliable source. Government-issued photo ID is the standard, but FINTRAC also accepts electronic verification through credit bureaus or similar services. Whatever method you choose, you need to document exactly what you verified, how you verified it, and when.

Business Customers

Business customer verification adds more layers. You need to confirm the entity's legal existence through incorporation documents, business licenses, or registry searches. But you also need to identify the beneficial owners: anyone who owns or controls 25% or more of the entity, or who exercises real control over the business regardless of ownership percentage. Each beneficial owner needs to be individually identified and verified the same way you'd verify an individual customer. This is where things get complicated with holding companies, trusts, and multi-layered corporate structures. FINTRAC expects you to look through these layers until you find the actual humans behind the entity.

Ongoing Customer Due Diligence

KYC doesn't end at onboarding. You need to keep customer information current and monitor for changes in risk profile. If a customer who normally sends $500 per month suddenly starts moving $50,000, that should trigger a review. If their stated business purpose was personal remittances but they're now receiving commercial payments, something changed. Ongoing monitoring is about keeping your customer knowledge fresh and flagging anything that doesn't match the expected pattern.

PEPs and High-Risk Customers

Politically Exposed Persons (PEPs), heads of international organizations (HIOs), and their family members and close associates require enhanced due diligence. You must screen for PEPs at onboarding and on an ongoing basis. If you identify a PEP, you need senior management approval to maintain the relationship, enhanced monitoring, and reasonable measures to determine the source of funds. Getting PEP screening wrong is one of the most common findings in FINTRAC examinations.

AML Transaction Monitoring and Reporting

Transaction Monitoring: What FINTRAC Expects You to Catch

Transaction monitoring is the core of your AML program. This is where you actually detect suspicious activity. And FINTRAC doesn't care whether you use sophisticated software or a spreadsheet. What matters is that your system works and you can prove it.

What to Monitor For

You should be watching for transactions that don't match the customer's profile, unusual patterns like structuring (breaking large transactions into smaller ones to avoid reporting thresholds), rapid movement of funds through accounts, transactions involving high-risk jurisdictions, and any activity that just doesn't make business sense. Your monitoring needs to be calibrated to your business. A remittance operator dealing with $200 transfers has different red flags than a crypto exchange processing $100,000 trades. Build your rules around your actual risk profile, not a generic checklist.

Sanctions Screening

Every MSB must screen customers and transactions against Canadian sanctions lists (the Consolidated Canadian Autonomous Sanctions List), UN Security Council lists, and other relevant designations. This screening must happen at onboarding and on an ongoing basis as lists get updated. If you match a sanctioned individual or entity, you must freeze the transaction immediately and report it. There's no gray area here. Sanctions violations carry criminal penalties and can shut down your business overnight.

Record Keeping

You must keep records of all transactions, customer identification documents, and compliance activities for at least five years. FINTRAC can request these records at any time during an examination. Your records need to be organized, accessible, and complete. If FINTRAC asks for the KYC file on a specific customer and you can't find it, that's a violation. If they ask to see your transaction logs for a specific date range and they're incomplete, that's a violation. Record keeping sounds boring until you realize it's the evidence that proves you're doing everything else correctly.

Reporting Obligations: When You Must Report to FINTRAC

Knowing when and how to report is non-negotiable. Late or missing reports are among the top violations FINTRAC penalizes.

Suspicious Transaction Reports (STRs)

If you have reasonable grounds to suspect that a transaction is related to money laundering or terrorist financing, you must file a Suspicious Transaction Report with FINTRAC within 30 days. The key word is "reasonable grounds to suspect." You don't need proof. You don't need certainty. If something looks off and you can articulate why, you should file. Not filing when you should have is a much bigger problem than filing too many STRs. FINTRAC would rather get a report that turns out to be nothing than miss an actual case because you decided it wasn't worth reporting.

Large Cash Transaction Reports (LCTRs)

Any cash transaction of $10,000 or more, or multiple cash transactions totaling $10,000 or more within a 24-hour period by the same person, must be reported within 15 calendar days. This is an automatic obligation. There's no judgment call involved. If the threshold is hit, you report. FINTRAC takes late LCTRs very seriously because they're the most straightforward reporting obligation you have.

Electronic Funds Transfer Reports (EFTRs)

International electronic fund transfers of $10,000 or more must be reported within 5 business days. This applies to both incoming and outgoing transfers. For remittance operators and payment processors, this is often the most frequent report type. Missing these reports or filing them late is a common area where MSBs accumulate violations quickly because of the volume and tight reporting window.

Large Virtual Currency Transaction Reports (LVCTRs)

If you deal in virtual currency, any transaction of $10,000 or more in virtual currency must be reported. This applies to exchanges, OTC desks, and any MSB handling crypto. The same 24-hour aggregation rule applies as with cash transactions. If a customer makes three separate $4,000 crypto purchases in the same day, that trips the threshold and you need to report.
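As an added illustration (not code from the original post), here is the 24-hour aggregation rule behind both the LCTR and LVCTR paragraphs applied to a constructed ledger. The `tx` and `find_reportable` names, the rolling-window interpretation and the sample transactions are assumptions of this example, not anything the post prescribes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD_CAD = 10_000
WINDOW = timedelta(hours=24)
# Cash and virtual currency aggregate separately, each into its own report type.
REPORT_TYPE = {"cash": "LCTR", "virtual_currency": "LVCTR"}


def tx(tid, person, kind, amount_cad, ts):
    """Build one ledger entry; ts is an ISO-8601 timestamp string."""
    return {"id": tid, "person": person, "kind": kind,
            "amount_cad": amount_cad, "when": datetime.fromisoformat(ts)}


def find_reportable(ledger):
    """Apply the $10,000 / 24-hour aggregation rule to a list of tx() entries.
    Assumption: a rolling window starting at each transaction (your documented
    policy may instead fix the window, e.g. to the business day). Returns one
    record per (person, kind) that trips the threshold, listing the transaction
    ids that belong in that LCTR or LVCTR.
    """
    groups = defaultdict(list)
    for t in ledger:
        groups[(t["person"], t["kind"])].append(t)

    reportable = []
    for (person, kind), txns in groups.items():
        txns.sort(key=lambda t: t["when"])
        flagged = set()
        for i, start in enumerate(txns):
            # Every later transaction by the same person within 24 hours of this one.
            window = [t for t in txns[i:] if t["when"] - start["when"] <= WINDOW]
            if sum(t["amount_cad"] for t in window) >= THRESHOLD_CAD:
                flagged.update(t["id"] for t in window)
        if flagged:
            ids = sorted(flagged)
            reportable.append({
                "person": person, "report": REPORT_TYPE[kind], "transaction_ids": ids,
                "total_cad": sum(t["amount_cad"] for t in txns if t["id"] in ids)})
    return reportable


# Constructed sample ledger (no real customer data) exercising the rule.
SAMPLE_LEDGER = [
    # Three $4,000 crypto buys in one day: the post's LVCTR case, total $12,000.
    tx("T1", "cust-A", "virtual_currency", 4000, "2024-03-04T09:15:00"),
    tx("T2", "cust-A", "virtual_currency", 4000, "2024-03-04T13:40:00"),
    tx("T3", "cust-A", "virtual_currency", 4000, "2024-03-04T17:05:00"),
    # Cash: $6,000 then $5,000 twenty-three hours later trips an LCTR; the
    # $3,000 thirty hours after the first sits in no window that reaches $10,000.
    tx("T4", "cust-B", "cash", 6000, "2024-03-04T09:00:00"),
    tx("T5", "cust-B", "cash", 5000, "2024-03-05T08:00:00"),
    tx("T6", "cust-B", "cash", 3000, "2024-03-05T15:00:00"),
    # A single $9,500 cash transaction stays under the threshold.
    tx("T7", "cust-C", "cash", 9500, "2024-03-04T11:00:00"),
]

if __name__ == "__main__":
    for r in find_reportable(SAMPLE_LEDGER):
        print(r["report"], r["person"], r["transaction_ids"], r["total_cad"])
```

The flagged ids are what goes into the report; the deadline clock (15 calendar days for an LCTR) starts from the transaction that completes the window, so keep that timestamp with the record.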

Terrorist Property Reports

If you discover that you're holding property owned or controlled by a listed terrorist entity, you must report it immediately and freeze the assets. There's no waiting period. No internal review. You freeze and report. This ties directly back to your sanctions screening process. If your screening catches a hit, the clock starts immediately.

Where MSBs Actually Fail: Lessons from FINTRAC Examinations

We've worked with MSBs that went through FINTRAC examinations. Some sailed through. Some didn't. The ones that struggled almost always had the same problems.

1. Template Compliance Manuals

The number one problem we see. Someone buys a compliance manual template online, changes the company name, and calls it done. FINTRAC examiners have seen every template out there. They know what generic looks like. When your compliance manual describes procedures for services you don't offer, or misses the specific risks of your actual business model, it signals that compliance isn't being taken seriously. Your manual needs to be yours. Written for your business, your products, your risk profile.

2. No Evidence of Transaction Monitoring

Having a policy that says "we monitor transactions" is meaningless without evidence. FINTRAC wants to see the actual alerts your system generated, how they were investigated, what decision was made, and who made it. If your monitoring system generates zero alerts, that's a red flag too. It either means your thresholds are too loose or you're not actually monitoring. Neither answer is good.

3. Late or Missing Reports

Reporting deadlines exist for a reason and FINTRAC tracks them carefully. Late STRs are a particular concern because a 30-day window is generous. If you can't file within 30 days of detecting something suspicious, it raises questions about whether you detected it at all or just ignored it. Missing LCTRs and EFTRs accumulate fast if your reporting processes aren't automated or at least well-organized.

4. Incomplete KYC Files

FINTRAC will pull random customer files during an examination. If they open a file and the ID verification is missing, the beneficial ownership information isn't there, or the risk rating was never completed, that's a violation for each file. Now multiply that across your customer base. Ten incomplete files equals ten violations. This adds up fast and it's entirely preventable with proper onboarding procedures and quality checks.

5. No Risk Assessment or Outdated Risk Assessment

Your risk assessment drives everything else. It determines your KYC intensity, your monitoring thresholds, your training focus. If it's missing or hasn't been updated since you started the business, FINTRAC sees a program that isn't adapting to changing risks. If you added a new product, entered a new market, or changed your customer base and your risk assessment doesn't reflect that, you're operating blind.

6. Training Exists Only on Paper

Saying you trained your staff is different from proving it. FINTRAC will ask for training records, attendance logs, and evidence that employees actually understood the material. If your only training record is a single email from two years ago saying "please read the compliance manual," that's not training. Real training is regular, documented, tested, and updated when regulations or your business model change.

Building a Compliance Program That Actually Works

So what does a good compliance program look like in practice? Not in theory. In the day-to-day reality of running an MSB.

Start with Your Risk Assessment

Before writing a single policy, understand your risks. What products do you offer? Who are your customers? Where do they come from? Where does money flow? What could go wrong? Your risk assessment should be a working document that shapes every other part of your program. High-risk areas get more controls, more monitoring, more scrutiny. Low-risk areas can have lighter procedures. But you need to justify why you've categorized things the way you have.

Make Your Policies Operational

A good policy tells your staff exactly what to do. Not in abstract terms. In specific, step-by-step instructions. When a new customer signs up, what information do you collect? What documents do you accept? How do you verify them? What if the verification fails? What if the customer is from a high-risk country? Your procedures should answer these questions clearly enough that a new employee could follow them without guessing.

Automate What You Can

Manual compliance works when you have 50 customers. It breaks down at 500. And it collapses at 5,000. Invest early in KYC verification tools, sanctions screening APIs, and transaction monitoring systems. You don't need the most expensive platform on the market. But you need something that scales with your business and produces the audit trail FINTRAC expects. The cost of a compliance tool is almost always less than the cost of a single FINTRAC penalty.

Document Everything

If it's not documented, it didn't happen. That's the operational reality of AML compliance. Every customer verification, every alert investigation, every training session, every risk assessment update, every STR filing decision. Document it. Keep it organized. Make it retrievable. When FINTRAC shows up and asks to see your compliance records, you want to pull them up in minutes, not spend days searching through email threads and shared drives.

The Bottom Line

AML/KYC compliance isn't something you build once and forget. It's a living system that grows with your business. The MSBs that treat compliance as a core business function rather than a regulatory burden are the ones that survive FINTRAC examinations, keep their banking relationships, and build sustainable businesses.

The founders who struggle are usually the ones who saw compliance as a box to check after getting their FINTRAC registration. They downloaded a template, appointed a CAMLO who never actually did anything, and hoped nobody would look too closely. That approach works until it doesn't. And when it stops working, the consequences are severe.

Build your compliance program like it's going to be tested. Because it will be. FINTRAC examinations aren't a matter of if, they're a matter of when. And when that examiner walks through your door, you want to be the MSB that opens a well-organized file and walks them through a real program. Not the one scrambling to explain why things are missing.

Your compliance program is your business's immune system. Invest in it properly and it protects everything else you're building.

Need Help Building Your AML/KYC Program?

We build compliance programs for Canadian MSBs that hold up under FINTRAC scrutiny. From risk assessments and policy manuals to transaction monitoring setup and staff training, we cover the full spectrum of AML/KYC compliance.

If you're launching an MSB, preparing for a FINTRAC examination, or need to upgrade your existing compliance framework, start with a free 30-minute consultation. We'll review your current setup and give you a clear picture of where you stand and what needs to happen next.
