MSB Compliance Program — What’s Included and Why It Matters
FINTRAC revoked over 86 MSB registrations in Q1 2026. On March 24 alone, 51 businesses lost their registrations in a single enforcement sweep. The most common ground? Non-eligibility driven by absent or deficient compliance programs — compounded by failures to respond to FINTRAC information demands.
If you are buying a ready-made MSB, the first question you should ask is not about the registration certificate or the permission categories. It is: does this MSB have a compliance program that will survive a FINTRAC examination?
A compliance program is not a binder on a shelf. It is a living regulatory system with five legally mandated elements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). Each element must be documented, tailored to the business, and operational before the MSB conducts a single transaction. Since Bill C-12 received Royal Assent on March 26, 2026, the statutory standard is explicit: the program must be “reasonably designed, risk-based and effective.” Failure to meet that standard is now classified as a very serious violation carrying penalties up to $20 million.
This article breaks down what a proper MSB compliance program contains, what each element looks like in practice, and why acquiring a ready-made MSB with a pre-built program eliminates months of work and significant regulatory risk.
Every ready-made MSB from canada-msb.com includes a fully developed compliance program covering all six permission categories. Contact us to learn more.
Why Your MSB Compliance Program Is Everything
Under Section 9.6 of the PCMLTFA, every MSB must have a compliance program in place before it begins operating. This is not a suggestion — it is a statutory prerequisite. FINTRAC treats the compliance program as the foundation of every reporting entity’s obligations. During routine examinations, the compliance program is the first thing examiners review.
FINTRAC does not evaluate compliance programs in isolation. Examiners compare your written policies against your actual transaction records, client files, and reporting history. A program that exists only on paper — or one downloaded as a generic template — will not survive this comparison.
The consequences of getting it wrong have never been higher. Bill C-12 raised maximum administrative monetary penalties to $20 million per entity for very serious violations, or three percent of gross global revenue — whichever is higher. The 2025–2026 enforcement wave has been unprecedented: a record C$176.9 million fine against Xeltox Enterprises Ltd. (operating as Cryptomus) for 2,593 violations including unreported suspicious transactions, dozens of registration revocations targeting businesses with compliance deficiencies, and a clear pattern of FINTRAC working systematically through registration cohorts.
The compliance program is not an administrative burden separate from your business. It is your business’s regulatory licence to operate.
The Five Elements FINTRAC Requires in Every MSB Compliance Program
FINTRAC’s compliance program guidance specifies five mandatory elements. Each must be documented in writing and tailored to the MSB’s specific operations, risk profile, and client base.
1. Compliance Officer
Every MSB must appoint a named individual responsible for implementing, maintaining, and overseeing the entire compliance program. This person — often referred to as the Chief Anti-Money Laundering Officer (CAMLO) — is the MSB’s primary point of contact for FINTRAC during examinations.
The compliance officer must have sufficient authority, independence, and access to information to carry out the role effectively. Appointing someone without actual decision-making power or knowledge of AML/CTF obligations is a common mistake — and one that FINTRAC identifies quickly during examinations.
For a ready-made MSB: When you acquire the business, you or a designated person becomes the new compliance officer. At canada-msb.com, we assist with this transition to ensure continuity and proper documentation.
2. Written Policies and Procedures
The compliance program must include documented policies and procedures that describe how the MSB meets every obligation under the PCMLTFA and its associated regulations. At minimum, these policies must cover:
- Client identification and verification (know your client / KYC)
- Transaction monitoring and suspicious transaction identification
- Reporting obligations — Suspicious Transaction Reports (STRs), Large Cash Transaction Reports (LCTRs), Electronic Funds Transfer Reports (EFTRs), and Terrorist Property Reports (TPRs)
- Record-keeping requirements (five-year retention from date of creation)
- Third-party determination procedures
- Business relationship monitoring
- Sanctions screening
- Enhanced measures for high-risk clients and transactions
Policies must reflect the MSB’s actual operations. If the business changes — new products, new jurisdictions, new delivery channels — the policies must be updated accordingly. FINTRAC examiners focus heavily on gaps between written policies and what transaction records reveal in practice.
Key differentiator: Every ready-made MSB from canada-msb.com holds all six permission categories — foreign exchange, money transfer, virtual currency, crowdfunding, money orders, and payment services. The compliance program’s policies and procedures cover all activity types from day one, not just the standard foreign exchange and money transfer that most competitors provide.
3. Risk Assessment
Every MSB must conduct and document a comprehensive assessment of its money laundering and terrorist financing (ML/TF) risks. The risk assessment must consider:
- Clients and business relationships — who the MSB serves and the risk profile of its client base
- Products and services — which of the six permission categories are active and how they are used
- Delivery channels — online, in-person, agent-based, or hybrid models
- Geographic exposure — jurisdictions served and their risk levels
- Affiliates and third parties — any relationships that introduce additional risk
High risks identified must have corresponding enhanced mitigation measures documented in the policies and procedures.
The risk assessment is not a one-time document. It must be reviewed and updated whenever the business model changes — which always happens after an acquisition. The new owner’s intended operations, target markets, and client segments will differ from the previous owner’s, and the risk assessment must reflect that reality.
For a ready-made MSB: The risk assessment is pre-built and covers all six permission types. After acquisition, the new owner must review and customize it to reflect their specific business model and intended operations. This is a critical post-acquisition step — keeping the original assessment unchanged is one of the most common mistakes buyers make. Our team provides guidance through this process.
4. Ongoing Compliance Training Program
The MSB must maintain a written training program for all relevant personnel — employees, agents, mandataries, and anyone involved in compliance-related functions. Training must be:
- Role-appropriate: A compliance officer needs different training than a front-line agent or transaction processor
- Comprehensive: Covering AML/CTF obligations, suspicious transaction identification, reporting procedures, sanctions awareness, and the MSB’s specific policies
- Documented: Records of who was trained, when they were trained, and what topics were covered must be retained
- Timely: New employees and agents must complete training before they begin duties
Since the October 2025 agent verification requirements took effect, training programs must also address agent supervision, verification procedures, and the requirement to re-verify agents every two years.
For a ready-made MSB: Training materials and the training program framework are included with the acquisition. The buyer’s responsibility is to actually deliver the training to their team — having materials on file without conducting training will not satisfy FINTRAC.
5. Effectiveness Review
FINTRAC requires a biennial review (every two years) of the entire compliance program. The effectiveness review tests whether the program is working as designed and identifies gaps between policy and practice.
A proper effectiveness review should include:
- Review of written policies against actual operational practices
- Sample transaction testing to verify monitoring and reporting procedures work
- Gap analysis identifying deficiencies or outdated elements
- Regulatory update check to ensure the program reflects current requirements
- Documented findings with specific corrective actions and timelines
The review can be conducted internally or by an independent third party. Independent review is considered best practice and carries more weight during FINTRAC examinations.
For a ready-made MSB: Check when the last effectiveness review was conducted. If the review is overdue, this should be one of your first priorities after acquisition. At canada-msb.com, our compliance consulting services include effectiveness reviews and remediation support.
Building all five elements from scratch takes months of work — drafting policies, conducting risk assessments, developing training materials, and testing the whole system. A ready-made MSB from canada-msb.com comes with everything already in place. Contact us to see current inventory.
Your MSB’s Reporting Obligations Under the Compliance Program
Your compliance program governs how you fulfil mandatory reporting obligations to FINTRAC. Your policies must describe exactly how and when each report type gets filed, who is responsible, and how records are maintained.
Suspicious Transaction Reports (STRs): Must be filed within 30 calendar days of the determination that reasonable grounds to suspect exist. There is no dollar threshold — any transaction where you have reasonable grounds to suspect it is related to money laundering or terrorist financing must be reported, regardless of amount.
Large Cash Transaction Reports (LCTRs): Required for cash transactions of $10,000 or more (single or multiple transactions within a 24-hour period by or on behalf of the same person). Must be filed within 15 calendar days.
Electronic Funds Transfer Reports (EFTRs): Required for international electronic funds transfers of $10,000 or more. Must be filed within five business days.
Terrorist Property Reports (TPRs): Must be filed immediately upon discovery. There is no dollar threshold and no filing delay permitted.
Record retention: All transaction records, client identification documents, and compliance documentation must be retained for five years from the date of creation.
Agent verification (effective October 1, 2025): MSBs must verify agents before engagement and re-verify every two years. Pre-existing agents have a transition deadline of October 1, 2027, for initial re-verification.
Your compliance program’s policies and procedures must address each of these reporting types with clear workflows, responsible parties, and escalation procedures.
The Cost of an Inadequate Compliance Program
FINTRAC’s enforcement activity in 2025 and 2026 has been the most aggressive in the agency’s history. The numbers speak for themselves:
Record fines: The C$176.9 million penalty against Xeltox Enterprises Ltd. (Cryptomus) in October 2025 for over 2,593 violations — including failure to file suspicious transaction reports for transactions linked to fraud, ransomware, sanctions evasion, and trafficking in child sexual abuse material. FINTRAC also imposed a $14 million fine on KuCoin for registration failures and incomplete transaction reporting.
Mass revocations: 86+ MSB registrations revoked in Q1 2026 alone. On March 24, 2026, FINTRAC revoked 51 registrations in a single day. Analysis shows that 94% of revoked entities had registered in 2021, with FINTRAC working backward through registration cohorts — meaning businesses registered in 2019 and 2020 are in the current enforcement frame.
Bill C-12 penalties: Since March 26, 2026, administrative monetary penalties have increased to $40,000 for minor violations, $4 million for serious violations, and $20 million for very serious violations. The cumulative cap is the higher of $20 million or three percent of gross global revenue. Failure to maintain a program that is “reasonably designed, risk-based and effective” is now specifically classified as a very serious violation.
Beyond penalties: Registration revocation means you cannot legally operate as an MSB in Canada. It damages banking relationships — which are already difficult for MSBs to establish. It creates reputational harm that follows the beneficial owners across future ventures. And re-registering after revocation is extremely difficult.
Building a compliant program from scratch takes months. Buying a ready-made MSB with a pre-built compliance program eliminates that exposure from day one.
Don’t risk your registration. Start with a compliant MSB. Contact us to discuss your requirements.
Why a Ready-Made MSB Gives You a Compliance Head Start
When you acquire a ready-made MSB from canada-msb.com, you are not just buying a registration certificate. You are acquiring a fully operational compliance framework:
What’s included:
- A compliance program covering all six permission types — foreign exchange, money transfer, virtual currency, payment services, crowdfunding, and money orders
- Pre-built risk assessment covering all activity categories
- Written policies and procedures that are examination-ready
- Training materials and a documented training program framework
- Ongoing access to compliance consulting and AML support services
What you still need to do after acquisition:
- Appoint yourself or a designated person as compliance officer
- Review and update the risk assessment to reflect your specific business model and intended operations
- Customize policies and procedures to match your actual delivery channels, client segments, and geographic markets
- Deliver compliance training to your team using the included materials
- Schedule your first effectiveness review (or conduct one immediately if the previous review is overdue)
The difference between registering an MSB from scratch and buying a ready-made one is measured in months. A new FINTRAC registration takes three to four months — and only then can you begin building your compliance program. A ready-made MSB is operational immediately, with the compliance infrastructure already in place.
For MSBs that also require Retail Payment Activities Act (RPAA) registration with the Bank of Canada, our MSB + RPAA packages include both registrations with aligned compliance programs. The RPAA guide covers the additional requirements in detail.
Ready to acquire an MSB with a complete compliance program? Contact our team via WhatsApp, Telegram, email, or phone. Book a consultation to discuss your needs, review current inventory, and get started immediately.
- WhatsApp / Telegram: available on our contact page
- Email: available on our contact page
- Phone: available on our contact page
MSB Compliance Program Checklist
Use this checklist to evaluate any MSB you are considering purchasing — or to audit your current MSB’s compliance program against FINTRAC’s requirements.
Compliance Officer
- Named individual appointed with documented authority
- Has independence, access to information, and decision-making power
- Registered with FINTRAC as the MSB’s compliance contact
Written Policies and Procedures
- Cover all active permission categories (ideally all six)
- Address KYC/client identification, transaction monitoring, and reporting workflows
- Include sanctions screening procedures
- Updated to reflect October 2025 agent verification requirements
- Match actual business operations (no policy-practice gaps)
Risk Assessment
- Documented assessment of ML/TF risks across all business dimensions
- Updated to reflect current business model (not the previous owner’s)
- High risks identified with corresponding enhanced mitigation measures
- Reviewed after any material change in operations
Training Program
- Written program with role-appropriate content
- Documentation of training delivery (who, when, what)
- New personnel trained before beginning duties
- Includes agent supervision and verification procedures
Effectiveness Review
- Conducted within the last two years (biennial requirement)
- Documented findings with corrective actions and timelines
- Covers all five program elements
- Policy-practice comparison with sample transaction testing
Reporting Readiness
- STR, LCTR, EFTR, and TPR filing workflows documented and tested
- Responsible parties identified for each report type
- Record-keeping system meets five-year retention requirement
- FINTRAC Reporting System access confirmed and functional
Frequently Asked Questions
What are the five elements of a FINTRAC compliance program?
FINTRAC requires every MSB to maintain a compliance program with five mandatory elements: (1) a designated compliance officer with sufficient authority and independence, (2) written policies and procedures covering all AML/CTF obligations, (3) a documented risk assessment of money laundering and terrorist financing risks, (4) an ongoing compliance training program for all relevant personnel, and (5) a biennial effectiveness review testing whether the program works as designed.
Does a ready-made MSB come with a compliance program?
Yes. Every ready-made MSB from canada-msb.com includes a fully developed compliance program covering all six permission categories — foreign exchange, money transfer, virtual currency, payment services, crowdfunding, and money orders. The program includes written policies, risk assessment, and training materials. After acquisition, the new owner must customize these elements to reflect their specific business model and operations.
How often must an MSB compliance program be reviewed?
FINTRAC requires a formal effectiveness review at least every two years (biennial). However, the written policies and risk assessment should be updated whenever there is a material change in business operations — including after an acquisition. Annual review of all program elements is considered best practice.
What happens if my MSB doesn’t have a compliance program?
FINTRAC can revoke your MSB registration, issue administrative monetary penalties up to $20 million per violation (or three percent of gross global revenue, whichever is higher) under Bill C-12, impose mandatory compliance agreements, and refer cases for criminal prosecution. In Q1 2026 alone, FINTRAC revoked 86+ MSB registrations — the majority for compliance program deficiencies.
Can I use a template compliance program for my MSB?
No. FINTRAC requires compliance programs tailored to the specific MSB’s operations, risk profile, and client base. A generic template downloaded from the internet will not survive a FINTRAC examination. Examiners compare written policies against actual transaction records — a template that does not reflect your business reality will be flagged as deficient. Ready-made MSBs from canada-msb.com come with compliance programs that are already developed for MSB operations and need only customization to the buyer’s specific business model.
What is the compliance officer’s role in an MSB?
The compliance officer (CAMLO) is responsible for implementing, overseeing, and maintaining the entire compliance program. They serve as the MSB’s primary contact with FINTRAC during examinations, must have authority to make compliance decisions, and need access to all relevant transaction data and client records. The role can be performed in-house or outsourced to a qualified third party, but legal responsibility remains with the MSB regardless.