Canadian MSB AML Compliance — Program Build vs Ready-Made
FINTRAC revoked over 86 MSB registrations in Q1 2026 alone. Of those, 83% were active cancellations — not expired registrations quietly dropping off the list, but businesses shut down for compliance failures. That was before Bill C-12 received Royal Assent on March 26, 2026, raising maximum administrative monetary penalties to $20 million per entity and introducing mandatory compliance agreements for violators.
The message from regulators is unambiguous: operating an MSB without a robust anti-money laundering and counter-terrorist financing (AML/CTF) compliance program is no longer a calculated risk — it is a business-ending one.
This guide covers every element of AML/CTF compliance for Canadian MSBs: the five mandatory program elements FINTRAC requires, your reporting obligations and deadlines, know-your-client thresholds specific to money services businesses, record-keeping rules, the October 2025 regulatory changes you must already be following, and the penalty landscape after Bill C-12. Whether you are building a compliance program from scratch or evaluating a ready-made MSB with a compliance program already in place, this is the reference you need.
Ready to skip the compliance build? A ready-made MSB from canada-msb.com comes with all six permission categories active and a compliance program already developed. Contact us via WhatsApp, Telegram, email, or phone to see current inventory, or book a consultation.
What Is an AML/CTF Compliance Program?
Under Section 9.6 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), every reporting entity — including all MSBs — must implement a compliance program. Bill C-12 now codifies the standard: the program must be “reasonably designed, risk-based and effective.” This is not aspirational language — it is a statutory standard against which FINTRAC will measure your program during examinations.
FINTRAC defines five mandatory elements that every compliance program must contain. Each element must be documented in writing. The program must reflect your actual business operations — a generic template purchased online will not satisfy an examiner who compares your written policies against your transaction records. And the program must be in place before you begin operating, not assembled after registration.
FINTRAC examines compliance programs during routine examinations and can issue administrative monetary penalties or revoke your registration for deficiencies in any element.
The Five Elements of a FINTRAC Compliance Program
1. Compliance Officer (CAMLO)
Every MSB must appoint a Chief Anti-Money Laundering Officer (CAMLO) — a specific, named individual responsible for the design, implementation, and ongoing oversight of the entire compliance program. The CAMLO serves as the main point of contact for FINTRAC.
FINTRAC requires that the compliance officer have sufficient authority, independence, and access to information to carry out the role effectively. This means the CAMLO cannot be a nominal appointment buried in an organisational chart with no real power — they need direct access to transaction data, client records, and senior management.
FINTRAC permits outsourcing the compliance officer role to a third-party firm. Many smaller MSBs take this route because hiring a qualified in-house compliance officer costs between C$73,000 and C$115,000 per year, while outsourced CAMLO services typically run C$1,500 to C$3,000 per month. However, outsourcing does not transfer legal responsibility — the MSB remains fully accountable for all compliance obligations regardless of who performs them. For a full cost comparison, see our MSB costs breakdown.
2. Written Policies and Procedures
Your compliance program must include written policies and procedures that accurately describe how the business complies with every obligation under the PCMLTFA and its associated regulations. These are the operational backbone of your program — they cover customer identification, due diligence, transaction monitoring, record-keeping, and reporting.
Since October 2025, your written policies must also describe how you supervise agents and mandataries who act on your behalf. This is a new regulatory requirement that many MSBs have not yet integrated into their documentation.
Policies must be updated whenever your business activities change — adding a new product, entering a new market, or changing your delivery channels all require corresponding policy updates. During FINTRAC examinations, examiners focus heavily on whether your written policies match actual practice. A gap between what your policies say and what your transaction records show is one of the fastest paths to an enforcement action.
3. Risk Assessment
Every MSB must assess and document the money laundering and terrorist financing risks inherent in its business activities. The risk assessment must consider the products and services you offer, your delivery channels (online, in-person, agent-based), the geographic areas you serve, the types of clients you deal with, and the transaction patterns typical of your business.
The risk assessment is not a one-time exercise. It must be updated whenever there is a material change in your business operations — new products, new jurisdictions, new client segments, or significant shifts in transaction volumes. While the regulations do not mandate an annual review cycle, annual reassessment is widely considered best practice and is what FINTRAC examiners expect to see.
Your risk assessment drives your entire compliance program. It determines the level of customer due diligence you apply to different client categories, which transactions receive enhanced monitoring, and where you allocate compliance resources. A weak or outdated risk assessment undermines every other element of the program.
4. Ongoing Compliance Training
You must develop and maintain a written, ongoing training program for everyone involved in your MSB’s operations — employees, agents, mandataries, and any other authorised persons who handle transactions, client interactions, or compliance functions.
Training must cover red flag indicators for suspicious transactions, reporting obligations and deadlines, client identification procedures, and sanctions screening. The program must be updated whenever regulations change — and given the pace of regulatory change in 2025–2026 (October 2025 amendments, Bill C-12, RPAA obligations), training updates should be frequent.
Records of all training sessions, including dates, content covered, and attendance, must be retained. FINTRAC examiners routinely request training records and will note deficiencies if training is infrequent, outdated, or poorly documented.
5. Two-Year Effectiveness Review
At least every two years, your MSB must conduct an independent review of the entire compliance program. “Independent” means conducted by a person or firm not involved in the day-to-day operation of the compliance program — this can be an internal auditor from a different department or an external consultant, but it cannot be the compliance officer reviewing their own work.
The effectiveness review must examine the accuracy of your risk assessment, the frequency and adequacy of transaction monitoring, whether enhanced mitigation measures are being applied where required, the completeness of record-keeping procedures, and whether your risk assessment still reflects current business operations.
Findings must be documented in a written report and presented to senior management. Any deficiencies identified must be addressed with a remediation plan and timeline.
External effectiveness reviews typically cost between C$5,000 and C$15,000 depending on the complexity of your operations. See our costs guide for a full breakdown. FINTRAC specifically requests effectiveness review documentation during examinations — if you cannot produce a current review, that is itself a compliance deficiency.
Reporting Obligations
MSBs must file several types of reports with FINTRAC. Each has a specific trigger, threshold, and deadline. Missing a reporting deadline — or failing to file at all — is among the most common grounds for enforcement action.
Suspicious Transaction Report (STR)
A suspicious transaction report must be filed whenever you have reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering or terrorist financing. There is no monetary threshold — an STR can be triggered by a $50 transaction if the circumstances warrant suspicion. The deadline is “as soon as practicable” after establishing reasonable grounds, which FINTRAC interprets as within days, not weeks. Failure to file STRs is the single most common trigger for FINTRAC enforcement actions against MSBs.
Large Cash Transaction Report (LCTR)
Any time your MSB receives C$10,000 or more in cash in a single transaction, you must file an LCTR within 15 calendar days. The 24-hour aggregation rule applies: if the same person makes multiple cash transactions that total C$10,000 or more within a 24-hour period, those transactions must be aggregated and reported as a single LCTR.
Electronic Funds Transfer Report (EFTR)
When your MSB sends or receives an international electronic funds transfer of C$10,000 or more, you must file an EFTR within 5 business days. This applies to both incoming and outgoing international transfers. Domestic EFTs are not reportable under this category.
Large Virtual Currency Transaction Report (LVCTR)
If your MSB receives virtual currency equivalent to C$10,000 or more in a single transaction, you must file an LVCTR within 15 calendar days. The same 24-hour aggregation rule that applies to cash transactions applies here — multiple virtual currency receipts from the same person totalling C$10,000+ within 24 hours must be reported. This reporting obligation is particularly relevant for MSBs operating under the virtual currency permission.
Terrorist Property Report (TPR)
If your MSB knows or has reason to believe that it possesses or controls property owned or held by a listed terrorist entity, you must report immediately — without delay. In addition to filing the TPR, you must freeze the property or funds. There is no monetary threshold.
Sanctions-Related Reports
MSBs must screen all clients and transactions against Canadian sanctions lists, including those maintained under the Criminal Code, the Special Economic Measures Act (SEMA), the Justice for Victims of Corrupt Foreign Officials Act (JVCFOA), and the United Nations Act (UNA). Any match requires immediate reporting and asset freezing.
Know Your Client (KYC) Requirements
Identity Verification Thresholds
MSBs have specific monetary thresholds above which client identity must be verified. These thresholds are lower than those for most other reporting entities, reflecting the higher-risk profile that FINTRAC assigns to money services businesses:
- Foreign exchange dealing: C$3,000 or more
- Money transfer (sending or receiving): C$1,000 or more
- Virtual currency transactions: C$1,000 or more
- Issuing or redeeming money orders / traveller’s cheques: C$3,000 or more
- Crowdfunding contributions: C$1,000 or more (since April 2022)
For the specifics of each permission type and its obligations, see our permissions overview, foreign exchange, money transfer, virtual currency, money orders, and crowdfunding pages.
FINTRAC accepts five methods for verifying identity: government-issued photo identification, credit file verification, the dual-process method, the affiliate or member method, and reliance on another reporting entity’s verification.
Beneficial Ownership
For all entity clients (corporations, partnerships, trusts), your MSB must determine beneficial ownership — identifying every individual who owns or controls 25% or more of the entity. Since October 2025, MSBs dealing with high-risk federally incorporated clients must consult the Corporations Canada beneficial ownership database as part of this process. If you discover a material discrepancy between what the client has disclosed and what the database shows, you must file a Beneficial Ownership Discrepancy Report with Corporations Canada within 30 days.
Ongoing Monitoring
Client relationships must be monitored on an ongoing basis for consistency with the client’s risk profile, the purpose and intended nature of the business relationship, and expected transaction patterns. Enhanced due diligence (EDD) is required for high-risk clients, including politically exposed persons (PEPs), heads of international organisations (HIOs), and clients connected to high-risk jurisdictions identified by the Financial Action Task Force (FATF).
Record-Keeping Requirements
All records related to your AML/CTF obligations must be retained for a minimum of five years from the date of the transaction or from the end of the business relationship, whichever is later. Records must be maintained in English or French and must be producible to FINTRAC within 30 days of a request.
Records that must be retained include client identification documents, transaction records, copies of all reports filed with FINTRAC, compliance program documentation (policies, risk assessments, training materials), training attendance records, effectiveness review reports, and — since October 2025 — agent eligibility verification records.
October 2025 Regulatory Changes
Amendments that came into force on October 1, 2025, introduced several new obligations that MSBs must already be following:
Agent verification: MSBs must now verify the eligibility of all agents and mandataries who act on their behalf, including conducting criminal record checks. Agents engaged after October 1, 2025, must be verified before they begin operating. For agents engaged before that date, there is a transition period — verification must be completed by October 1, 2027. The MSB remains fully responsible for its agent’s compliance, even after verification.
Beneficial ownership database consultation: When dealing with high-risk federally incorporated entity clients, MSBs must consult the Corporations Canada beneficial ownership database and report discrepancies within 30 days.
Compliance program updates: Your written policies and procedures must now explicitly describe how you supervise agents and mandataries. If your compliance program documentation does not yet include agent supervision procedures, it is already non-compliant.
These changes are detailed further in our MSB requirements guide and FINTRAC registration guide.
Bill C-12 — The New Penalty Reality
Bill C-12, the Strong Borders Act, received Royal Assent on March 26, 2026, and dramatically escalates the consequences of AML non-compliance.
New administrative monetary penalty (AMP) maximums:
- Minor violations: up to $40,000
- Serious violations: up to $4,000,000 per person / $20,000,000 per entity
- Compliance order violations: up to $5,000,000 per person / $30,000,000 per entity
- Cumulative cap: the higher of $20,000,000 or 3% of gross global revenue, applied at the group level for affiliated entities
Bill C-12 also introduces mandatory compliance agreements after violations — FINTRAC can now require a violating entity to enter into a formal agreement with specific compliance milestones and deadlines. Violations are subject to public disclosure, meaning your clients, banking partners, and competitors will know.
The compliance program standard is now statutory: “reasonably designed, risk-based and effective.” This is the yardstick FINTRAC will use when deciding whether your program meets requirements. A program that exists on paper but fails to detect or report suspicious activity will not pass this test.
Criminal penalties remain severe: operating an unregistered MSB can result in up to $2,000,000 in fines and five years of imprisonment.
Context matters here. The 86+ revocations in Q1 2026 demonstrate that FINTRAC was already exercising its enforcement powers aggressively under the previous, lower penalty regime. Bill C-12 gives the regulator substantially more capacity to impose financial consequences that threaten the viability of a non-compliant business. For MSBs in the RPAA registration space, the Bank of Canada adds a second layer of regulatory oversight.
Buy a Ready-Made MSB with Built-In Compliance
Building a compliant AML/CTF program from scratch takes two to six weeks and costs between C$10,000 and C$25,000 or more — and that assumes you get it right the first time. Errors in your risk assessment, gaps in your policies, or inadequately documented training records create vulnerabilities that may not surface until a FINTRAC examination, by which time the penalties under Bill C-12 are severe. For a detailed breakdown, see our timeline guide and costs guide.
A ready-made MSB from canada-msb.com eliminates this risk entirely. Every MSB we sell comes with:
- Active FINTRAC registration with all six permission categories — foreign exchange, money transfer, virtual currency, payment services, money orders, and crowdfunding
- Compliance program already developed and documented — all five FINTRAC-required elements in place
- Risk assessment completed and ready for customisation to your specific operations
- Written policies and procedures covering all regulatory obligations
- Transaction monitoring framework established and operational
We also offer ongoing compliance consulting and AML support services to keep your program current as regulations evolve. Outsourced compliance officer services are available for MSBs that need a qualified CAMLO without the cost of a full-time hire.
For payment service providers who need both FINTRAC and Bank of Canada coverage, our MSB + RPAA packages include Retail Payment Activities Act registration alongside the MSB — the most complete regulatory package available in the Canadian market. Learn more about RPAA requirements in our RPAA guide.
Not sure whether to buy a ready-made MSB or register from scratch? Browse our current inventory or contact us to discuss your situation.
Get a compliant, operational MSB — ready now. Contact us via WhatsApp, Telegram, email, or phone, or book a consultation to discuss your requirements.
Frequently Asked Questions
What are the five elements of a FINTRAC compliance program?
Every FINTRAC compliance program must contain five elements: (1) appointment of a compliance officer (CAMLO), (2) written policies and procedures, (3) a documented risk assessment, (4) an ongoing compliance training program, and (5) a two-year effectiveness review conducted by an independent party.
What reports must a Canadian MSB file with FINTRAC?
Canadian MSBs must file suspicious transaction reports (no threshold, as soon as practicable), large cash transaction reports ($10,000+, within 15 days), electronic funds transfer reports ($10,000+ international, within 5 business days), large virtual currency transaction reports ($10,000+, within 15 days), terrorist property reports (immediately), and sanctions-related reports (immediately).
What happens if an MSB fails to comply with AML requirements?
FINTRAC can issue administrative monetary penalties up to $20 million per entity under Bill C-12, revoke your MSB registration, or refer the matter for criminal prosecution — which carries up to $2 million in fines and five years of imprisonment. FINTRAC revoked over 86 MSB registrations in Q1 2026 alone.
How often must an MSB review its compliance program?
A formal effectiveness review must be conducted at least every two years by an independent party. Risk assessments should be updated whenever there is a material change in your business operations. Best practice is to review the entire program annually, with the formal two-year review as the regulatory minimum.
Can I outsource my MSB compliance officer?
Yes. FINTRAC permits outsourcing the compliance officer (CAMLO) role to a qualified third-party firm. However, the MSB itself remains legally responsible for all compliance obligations. Outsourced CAMLO services typically cost C$1,500 to C$3,000 per month, compared to C$73,000 to C$115,000 per year for an in-house hire.
What changed for MSB compliance on October 1, 2025?
Three key changes took effect: (1) MSBs must now verify the eligibility of agents and mandataries, including criminal record checks; (2) MSBs must consult the Corporations Canada beneficial ownership database for high-risk federally incorporated entity clients; and (3) compliance programs must explicitly describe agent and mandatary supervision procedures.
Do ready-made MSBs come with a compliance program?
Yes. Every ready-made MSB from canada-msb.com includes a fully developed compliance program with all five FINTRAC-required elements — compliance officer designation, written policies and procedures, risk assessment, training framework, and effectiveness review schedule. The program is ready for customisation to your specific business operations from day one.
