FINTRAC Compliance Checklist for Money Services Businesses (MSBs)

FINTRAC is Canada's financial intelligence unit and is responsible for administering and enforcing Anti-Money Laundering (AML) and Anti-Terrorist Financing (ATF) requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). Organizations that meet the definition of a Money Services Business (MSB) are required to register with FINTRAC and maintain a compliant AML program.

This checklist is intended to help organizations understand the core compliance requirements that may apply when providing financial services to Canadian natural persons or legal entities. While regulatory obligations vary based on business activities, many organizations are surprised to learn that they may qualify as an MSB even if they do not consider themselves a traditional financial institution.

FINTRAC generally considers a business to be an MSB if it engages in activities such as money transfers, foreign exchange services, issuing or redeeming money orders, dealing in virtual currency, or facilitating the movement of funds on behalf of customers. This can include payment processors, fintech companies, cryptocurrency platforms, payroll providers, remittance businesses, digital wallets, online gifting platforms, online fundraising platforms, and other organizations involved in transmitting, converting, or managing funds.

If your organization processes, transfers, receives, exchanges, or facilitates financial transactions involving Canadian individuals or entities, it is important to determine whether MSB registration and compliance obligations apply to your business.

Required - Mandatory by regulation

Needs tool - Technology required

Registration & Licensing

• Register as a Money Services Business (MSB) with FINTRAC Required
• Renew MSB registration every 2 years Required
• Register in each province you operate if required Required

• Maintain current registration with provincial regulators (provincial money transmitter licenses where applicable) Required 

AML Compliance Program

• Written AML/ATF policies and procedures  document Required
• Designate a qualified Compliance Officer  responsible for the program Required
• Conduct and document an audit-ready BSA/AML risk assessment of your business Required
• Document and maintain a risk appetite statement aligned with corporate strategy Required
• Senior management and board oversight of AML/ATF compliance program Required
• Third-party compliance audit (independent review) at least annually Required
• Documented policies for vendor and counter-party risk assessment and due diligence Required
• Incident and breach reporting procedures to FINTRAC (within 10 calendar days) Required
• Employee AML training program (initial + ongoing, minimum annually) Required

• Annual compliance program effectiveness review Required

  A good annual review needs to include a refresh of your BSA/AML risk assessment, current policies and procedures, employee training program, manual processes, in-house and third-party compliance software and data solutions, vendor and counter-party risk assessments

Customer Identification & Customer Due Diligence

• Identity verification for all customers at onboarding Required Needs tool
• Entity verification for all business clients at onboarding Required Needs tool
• Enhanced due diligence (EDD) for high-risk customers and PEPs Required Needs tool
• Beneficial ownership identification for business clients at onboarding Required
• Ongoing monitoring of customer relationships and transactions Required Needs tool
• Ongoing monitoring of incorporated (ie. businesses, non-profits, etc.) clients for changes to nature of business, organizational structure, persons of control, beneficiaries and ultimate beneficial owners Required Needs tool
• Customer risk rating and classification process (low, medium, high risk) Required Needs tool

Watchlist & Sanctions Screening

• Screen all customers against OSFI Consolidated Sanctions List Required Needs tool
• Screen against UN Security Council sanctions lists Required Needs tool
• Real-time screening at onboarding and on list updates Required Needs tool
• PEP (Politically Exposed Person) screening and flagging Required Needs tool
• Document procedures for handling matches and false positives Required
• Escalation procedures if customer matches a sanctions list Required

Transaction Monitoring & Reporting

• Suspicious Transaction Reports (STRs) filed with FINTRAC Required
• Large Cash Transaction Reports (LCTRs) for $10,000+ cash Required
• Electronic Funds Transfer Reports (EFTRs) for $10,000+ Required
• Transaction monitoring system to detect unusual patternsRequired Needs tool
• Documented transaction monitoring thresholds and alert rules Required
• Investigation and escalation procedures for suspicious activity Required

Record-keeping

• Retain KYC and transaction records for minimum 5 years Required
• Store records in accessible, retrievable format Required
• Maintain records of all FINTRAC reports submitted (STRs, LCTRs, EFTRs)Required
• Maintain audit trail of all compliance decisions, approvals, and overrides Required
• Document all customer risk assessments and EDD performed Required
• Maintain employee training records and completion certifications Required

Need help with your FINTRAC compliance program? Click here to schedule a call with one of our experts.