For most of the last decade, Canadian AML compliance was treated as a back-office function. Submit your suspicious transaction reports, file your large cash transaction reports, refresh your policies every two years, and move on. That era is over. The combination of FINTRAC’s $176 million penalty wave, the Retail Payment Activities Act (RPAA) coming into force, the 2026 PCMLTFA amendments, and FINTRAC’s expanding examination programme has fundamentally changed what regulators expect from Canadian money services businesses, payment service providers, and fintechs.
Three structural shifts are driving this change. First, FINTRAC has moved from a guidance-led regulator to an enforcement-led one. Second, the population of regulated entities has expanded dramatically with PSP registration under the Bank of Canada and the inclusion of new MSB categories. Third, the depth of examination has increased — what used to be a documentary review has become an effectiveness assessment that tests whether your compliance programme actually works in practice, not just on paper.
Most Canadian MSBs were registered with FINTRAC long before any of this happened. Most PSPs are registering with the Bank of Canada under a framework that did not exist when their compliance programmes were drafted. Most fintech founders inherited templated AML manuals from law firms or online vendors that were never calibrated to their actual risk profile. The gap between what these programmes look like and what FINTRAC now expects is, in many cases, substantial — and only visible once an examination begins.
This guide walks through every component of AML compliance in Canada as it exists in 2026: the statutory framework, the obligations, the audit cycle, the personnel requirements, and the failure patterns that lead to penalties and revocations. It is written for compliance professionals, MSB and PSP operators, and fintech founders who need to understand not just what the rules say, but how FINTRAC actually applies them.
The Statutory Foundation: Understanding PCMLTFA Compliance
Canadian AML compliance rests on a single primary statute: the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). Everything else — the regulations, the FINTRAC guidance, the examination methodology, the penalty regime — flows from this Act and its companion regulation, the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR).
PCMLTFA compliance means meeting the obligations imposed by the Act on reporting entities. The Act defines reporting entities to include, among others, money services businesses, foreign money services businesses, financial entities, securities dealers, life insurance companies, real estate brokers, casinos, accountants performing certain activities, dealers in precious metals and stones, and — since recent amendments — armoured car operators, mortgage administrators, and certain other categories. Payment service providers regulated under the RPAA are not automatically reporting entities under the PCMLTFA, but most PSPs also conduct activities that bring them within the MSB definition, and the boundary between RPAA registration and FINTRAC registration is a frequent source of confusion. We explore this overlap in detail in our MSB vs PSP licenses in Canada guide.
The PCMLTFA imposes seven core obligation categories:
- Registration with FINTRAC (for MSBs and FMSBs)
- Compliance programme maintenance
- Customer identification and verification (KYC/CDD)
- Beneficial ownership identification for entity clients
- Record keeping in prescribed forms and for prescribed periods
- Reporting of suspicious transactions, large cash transactions, large virtual currency transactions, electronic funds transfers, and terrorist property
- Sanctions screening under integrated obligations from the Special Economic Measures Act, Justice for Victims of Corrupt Foreign Officials Act, and the United Nations Act
Each of these obligations is examined by FINTRAC. Each can trigger an administrative monetary penalty. And, as the $176 million TD Bank penalty demonstrated, the penalties can be material even for sophisticated regulated entities. The Department of Finance Canada maintains the authoritative legislative text of the PCMLTFA and its regulations.
Who FINTRAC Regulates: MSBs, PSPs, and Reporting Entities
The first compliance question every operator must answer is: am I a reporting entity, and if so, in which categories? This is not always obvious. A fintech that processes payments may be both a PSP under RPAA and an MSB under PCMLTFA. A crypto platform may be an MSB under the virtual currency dealer category. A foreign-domiciled fintech directing services into Canada may be a foreign money services business (FMSB) and required to register even without a Canadian establishment.
The MSB categories under PCMLTFA include:
- Foreign exchange dealing (currency conversion services)
- Money transferring (remittance, electronic funds transfer)
- Issuing or redeeming money orders, traveller’s cheques, or similar negotiable instruments
- Dealing in virtual currencies (exchange, transfer, issuance, custody)
- Crowdfunding platform services (since recent amendments)
A business meeting any of these definitions on a commercial basis must register with FINTRAC before commencing operations. Registration is biennial — every two years, MSBs must complete a FINTRAC MSB renewal, and failure to renew on time has been one of the most common revocation triggers in the recent enforcement wave.
For payment service providers, the regulatory geography is different. PSPs register with the Bank of Canada under RPAA, which is an operational and prudential regime, not an AML regime. But many PSP activities — particularly those involving electronic funds transfer or foreign exchange — also constitute MSB activities under PCMLTFA. The result: most PSPs need to be both RPAA-registered and FINTRAC-registered. Our PSP Canada RPAA compliance guide and comprehensive RPAA compliance guide walk through this dual-track compliance architecture.
For founders setting up new MSBs, our MSB Canada setup guide and Canada MSB License complete guide cover the registration mechanics in detail.
The Five-Element Canadian AML Compliance Programme Framework
FINTRAC has been remarkably consistent on what a compliant AML programme must contain. Section 9.6 of the PCMLTFA and Part 4 of the PCMLTFR set out five mandatory elements that every reporting entity’s compliance programme must include. Missing any one of these is, by itself, a regulatory finding.
The five elements are:
- Appointment of a compliance officer with the authority and resources to operate the programme
- Written compliance policies and procedures covering all PCMLTFA obligations applicable to the entity
- Risk assessment documenting the entity’s exposure to money laundering, terrorist financing, and sanctions risk
- Ongoing compliance training programme for employees, agents, and contractors
- Independent effectiveness review conducted at least every two years
This five-element architecture is non-negotiable. We have published a complete five-element framework breakdown and the complete AML programme blueprint showing how each element should be designed, documented, and operated. What examiners look for is not just the existence of each element but its integration — does the risk assessment actually drive the policies? Do the policies actually drive the training? Does the training actually reach the people who need it? Does the effectiveness review actually test whether the controls work?
When FINTRAC assesses an MSB or PSP, it does not score these elements separately. It assesses the programme as a system. A flawless policy manual paired with no training and no risk assessment will fail an examination just as comprehensively as a programme with no policy manual at all.
Risk Assessment: The Foundation Examiners Test First
The single most-cited deficiency in FINTRAC examinations is an inadequate or unupdated risk assessment. This is not a coincidence. The risk assessment is the document that justifies every other choice in your compliance programme — your customer due diligence thresholds, your transaction monitoring rules, your enhanced due diligence triggers, your jurisdictional restrictions, your product approval framework. If the risk assessment is generic, templated, or stale, every downstream control is, by definition, unsupported.
A compliant Canadian AML risk assessment must address risk across at least these dimensions:
- Products and services offered (with each one risk-rated)
- Delivery channels (face-to-face, online, agent-based, third-party)
- Customer types and behaviours (retail, corporate, PEPs, beneficial ownership structures, geographic risk)
- Geographic exposure (jurisdictions of customers, counterparties, payment corridors)
- New technologies including virtual currencies, AI-driven onboarding, and emerging payment rails
For each dimension, the entity must document inherent risk, the controls in place, and the residual risk. The assessment must be reviewed periodically and updated when material changes occur — new products, new corridors, new beneficial ownership structures, new regulatory typologies. FINTRAC publishes detailed guidance on risk assessment that should be the starting point for every Canadian operator.
A useful self-diagnostic: pull your current risk assessment. If the date on the document is more than twelve months old, or if it does not explicitly address the products you actually sell today, your programme is operating without a foundation. ComplyFactor’s AML risk assessment calculator provides a starting framework for entities that need to scope this work.
KYC and Customer Due Diligence Under Canadian Law
KYC compliance in Canada is governed by Part 4 of the PCMLTFR and the FINTRAC guidance on customer identification. The framework distinguishes between:
- Customer identification — verifying the identity of every customer at the trigger points specified in the regulations
- Customer due diligence (CDD) — gathering enough information about the purpose and intended nature of the business relationship to monitor it
- Enhanced due diligence (EDD) — additional measures for higher-risk customers, including PEPs, heads of international organisations, and customers identified as high-risk through the entity’s risk assessment
- Ongoing monitoring — continuous review of business relationships against the customer’s expected activity profile
Each MSB activity carries specific identification trigger thresholds — for example, money transfers of CAD 1,000 or more, foreign exchange of CAD 3,000 or more, and certain virtual currency transactions. The thresholds are technical, and getting them wrong is one of the most frequent FINTRAC findings. Our KYC requirements for Canadian MSBs guide walks through each threshold and trigger.
The methods of identification permitted under PCMLTFR are also specific: government-issued photo ID, credit file method, dual-process method, affiliate or member method, and reliance method (with restrictions). The regulation does not permit improvised approaches. An MSB that cannot demonstrate its identification methods map to the prescribed methods will receive a finding.
For corporate customers, beneficial ownership identification is mandatory. Entities must identify all individuals who directly or indirectly own or control 25% or more of the corporation, take reasonable measures to confirm the accuracy of that information, and keep records of those measures. The reasonable measures requirement has been a particular pain point — examiners are increasingly asking what specific steps the entity took to confirm beneficial ownership, not merely whether the information was collected.
Transaction Monitoring and Suspicious Transaction Reporting
Transaction monitoring is the operational engine of any Canadian AML programme. The PCMLTFA requires reporting entities to monitor business relationships on an ongoing basis to detect transactions that must be reported, to maintain accurate customer information, and to reassess risk over time. FINTRAC does not prescribe specific monitoring tools or rules — it prescribes outcomes. What it tests is whether the monitoring you do is appropriate for the risks you face.
For MSBs and PSPs, effective monitoring typically means:
- Rules-based detection for transactions that match known typologies (structuring, rapid movement of funds, jurisdiction risk, layering patterns)
- Threshold-based alerts for transactions approaching reporting thresholds
- Behavioural baselining so that deviation from a customer’s expected pattern triggers review
- Sanctions screening at onboarding and on an ongoing basis against Canadian, UN, and partner jurisdiction lists
- Documented escalation pathways from analyst review to MLRO decision to STR filing or no-file determination
Suspicious transaction reporting in Canada is governed by section 7 of the PCMLTFA. A reporting entity must file a Suspicious Transaction Report (STR) with FINTRAC as soon as practicable after it has reasonable grounds to suspect that a transaction or attempted transaction is related to the commission or attempted commission of a money laundering or terrorist activity financing offence. The “reasonable grounds to suspect” standard is lower than reasonable grounds to believe and considerably lower than the criminal evidentiary standard. FINTRAC’s expectation is that entities err toward filing.
Beyond STRs, MSBs and PSPs must file:
- Large Cash Transaction Reports (LCTRs) for cash transactions of CAD 10,000 or more (single or aggregated within 24 hours from the same person)
- Large Virtual Currency Transaction Reports (LVCTRs) for virtual currency transactions of CAD 10,000 or more
- Electronic Funds Transfer Reports (EFTRs) for international electronic funds transfers of CAD 10,000 or more
- Terrorist Property Reports (TPRs) when the entity knows it has property owned or controlled by a listed person
The FINTRAC reporting guidance is detailed and technical. Errors in field-level data — incorrect dates, missing identifiers, incorrect transaction codes — are themselves findings, and FINTRAC’s automated validation has become considerably more sensitive in recent examination cycles.
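The 24-hour aggregation rule for Large Cash Transaction Reports listed above, as an added example that is not from the original article or from FINTRAC. It assumes a rolling window per person, treats transactions exactly 24 hours apart as outside the window, and resets aggregation once a candidate is raised; the record fields (`id`, `person`, `time`, `amount`) and the sample data are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal

THRESHOLD = Decimal("10000")   # CAD, "10,000 or more" as stated in the text
WINDOW = timedelta(hours=24)   # assumption: rolling window, anchored per person


def _candidate(person, kind, txs):
    """Summarise one group of cash transactions that should be reviewed for an LCTR."""
    return {
        "person": person,
        "kind": kind,  # "single" or "aggregated"
        "total": sum((Decimal(t["amount"]) for t in txs), Decimal("0")),
        "tx_ids": [t["id"] for t in txs],
        "first_time": txs[0]["time"],
        "last_time": txs[-1]["time"],
    }


def find_lctr_candidates(transactions, threshold=THRESHOLD, window=WINDOW):
    """Flag cash activity that reaches the threshold, alone or aggregated per person."""
    by_person = defaultdict(list)
    for tx in transactions:
        by_person[tx["person"]].append(tx)

    candidates = []
    for person, txs in by_person.items():
        txs.sort(key=lambda t: t["time"])
        pending = deque()          # sub-threshold transactions still inside the window
        running = Decimal("0")     # sum of the amounts currently in `pending`
        for tx in txs:
            amount = Decimal(tx["amount"])
            if amount >= threshold:
                # A single transaction at or above the threshold stands on its own.
                candidates.append(_candidate(person, "single", [tx]))
                continue
            # Slide the window: drop anything 24 hours or more older than this one.
            while pending and tx["time"] - pending[0]["time"] >= window:
                running -= Decimal(pending.popleft()["amount"])
            pending.append(tx)
            running += amount
            if running >= threshold:
                candidates.append(_candidate(person, "aggregated", list(pending)))
                # Assumption: once raised, these transactions are not reused
                # in a later aggregation.
                pending.clear()
                running = Decimal("0")

    candidates.sort(key=lambda c: (c["last_time"], c["person"]))
    return candidates


# Constructed sample data, not real transactions.
SAMPLE_TRANSACTIONS = [
    # P-001: three deposits inside 23h45m totalling 10,100 -> aggregated candidate
    {"id": "T1", "person": "P-001", "time": datetime(2026, 3, 2, 9, 0), "amount": "4000.00"},
    {"id": "T2", "person": "P-001", "time": datetime(2026, 3, 2, 15, 30), "amount": "3500.00"},
    {"id": "T3", "person": "P-001", "time": datetime(2026, 3, 3, 8, 45), "amount": "2600.00"},
    {"id": "T4", "person": "P-001", "time": datetime(2026, 3, 3, 9, 30), "amount": "1500.00"},
    # P-002: two deposits 24h01m apart -> never in the same window
    {"id": "T5", "person": "P-002", "time": datetime(2026, 3, 2, 10, 0), "amount": "9500.00"},
    {"id": "T6", "person": "P-002", "time": datetime(2026, 3, 3, 10, 1), "amount": "9500.00"},
    # P-003: one deposit above the threshold -> single candidate
    {"id": "T7", "person": "P-003", "time": datetime(2026, 3, 2, 11, 0), "amount": "12000.00"},
    # P-004: 12,000 over 25 hours, but never 10,000 inside any 24-hour span
    {"id": "T8", "person": "P-004", "time": datetime(2026, 3, 2, 12, 0), "amount": "6000.00"},
    {"id": "T9", "person": "P-004", "time": datetime(2026, 3, 2, 20, 0), "amount": "3000.00"},
    {"id": "T10", "person": "P-004", "time": datetime(2026, 3, 3, 13, 0), "amount": "3000.00"},
]

if __name__ == "__main__":
    for c in find_lctr_candidates(SAMPLE_TRANSACTIONS):
        print(c["person"], c["kind"], c["total"], c["tx_ids"])
```

How the 24-hour window is anchored and how the same person is matched across channels are choices the monitoring design has to document; the result changes for P-002 and P-004 if a different window convention is used.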
Record-Keeping and Reporting Obligations
The PCMLTFR specifies what records must be kept, in what form, and for how long. The standard retention period is at least five years from the date the record was created or, in the case of customer identification records, from the date the business relationship ends — whichever is longer.
The categories of mandatory records include:
- Customer identification records and the verification methods used
- Beneficial ownership records and the reasonable measures taken
- Transaction records (electronic funds transfer records, large cash records, large virtual currency records, money services records)
- Records of compliance with reporting obligations (including copies of reports filed)
- Records of internal investigations leading to STR filings or no-file determinations
- Compliance programme documentation: policies, procedures, risk assessments, training records, effectiveness review reports, and corrective action plans
Records must be retrievable within thirty days of a FINTRAC request. This thirty-day standard catches more entities than they expect. It is one thing to have records in a system; it is another to have the operational ability to extract, format, and produce them in response to a Production Order. Entities operating across multiple platforms or with offshore service providers frequently underestimate this retrieval burden.
The Independent AML Effectiveness Review (Two-Year Audit Cycle)
Section 9.6(2)(d) of the PCMLTFA requires every reporting entity to have its compliance programme reviewed for effectiveness by an internal or external auditor at least once every two years. This is not a documentary review. It is an effectiveness assessment — meaning the reviewer must form a documented view on whether the programme is operating as intended in practice.
A FINTRAC AML audit, conducted properly, examines:
- Whether the risk assessment reflects the entity’s current activities
- Whether policies and procedures address all applicable PCMLTFA obligations
- Whether the policies are actually being followed in day-to-day operations (sample testing)
- Whether the training programme has reached the relevant staff and is effective
- Whether reports are being filed accurately and on time
- Whether records are complete, retrievable, and retained for the prescribed period
- Whether weaknesses identified in prior reviews have been remediated
The independence requirement is strict. The reviewer cannot be the compliance officer or anyone responsible for designing or operating the programme being reviewed. For most MSBs and PSPs, this means engaging an external independent reviewer — internal independence is rarely achievable in entities with small compliance teams.
The output is a written effectiveness review report identifying findings, severity ratings, and recommended corrective actions. The report and the entity’s documented response (with timelines) must be retained as part of the compliance programme. FINTRAC examiners ask for the most recent effectiveness review report at the start of nearly every examination. We cover this in depth in our AML audit checklist for 2025, MSB AML audit requirements, and our complete AML audit guide.
A commonly misunderstood distinction: an AML review is not the same as an AML audit. An AML audit (effectiveness review) is the statutorily mandated two-year exercise. An AML review can be a lighter, more focused exercise often used between audit cycles to test specific components or prepare for examination. Many entities confuse the two and end up with neither done properly. Our analysis of the hidden compliance pitfalls that sink MSB effectiveness reviews covers the most common failure patterns.
The AML effectiveness review is one of those obligations where the cost of doing it well is meaningfully smaller than the cost of an inadequate review surfacing during a FINTRAC examination. Entities that treat the two-year review as a tick-box exercise tend to discover its real value only when penalties are issued.
The MLRO and Compliance Officer Function in Canada
Every reporting entity must appoint a compliance officer responsible for the implementation of the compliance programme. In smaller MSBs, this individual is often referred to as the Money Laundering Reporting Officer (MLRO), although the PCMLTFA itself uses the term “compliance officer.” The function carries substantive personal accountability — examiners interview the compliance officer, review their qualifications, and assess whether they have been given the authority and resources to do the job.
The compliance officer must:
- Have direct access to senior management
- Have the authority to escalate concerns and require corrective action
- Be sufficiently senior and resourced to oversee the programme
- Be sufficiently independent of revenue functions to make objective compliance decisions
For many small and mid-sized Canadian MSBs and PSPs, recruiting a full-time compliance officer with the depth of regulatory experience FINTRAC now expects is structurally difficult. The pool of qualified Canadian AML professionals is finite, salaries have escalated materially, and even when an entity successfully hires, retention is difficult. This is the operational reality behind the rise of the fractional MLRO and fractional compliance officer model in Canada — engaging an experienced compliance professional on a part-time, contractual basis rather than a full-time hire.
ComplyFactor’s global MLRO services provide fractional compliance officer support for Canadian MSBs, PSPs, and fintechs that need senior compliance leadership without the burden of a full-time executive hire. The five reasons to outsource MLRO and seven benefits of MLRO outsourcing discussions, while written for different jurisdictions, set out the structural logic that applies equally to Canadian operators. For a deeper view of the role itself, see our piece on AML compliance officer roles and responsibilities.
A further consideration: many Canadian MSBs are required by their banking partners or by the federal incorporation framework to maintain a local Canadian director. This is distinct from the compliance officer requirement, but the two functions can intersect — banks frequently want assurance that the entity has both Canadian governance and Canadian compliance leadership.
Penalties, Revocations, and the New Enforcement Reality
For most of the PCMLTFA’s history, FINTRAC’s enforcement footprint was modest. Penalties were issued, but they were small, and revocations were rare. That is no longer the case. The enforcement reality of 2024–2026 has shifted in three observable ways.
First, penalty quanta have increased materially. The TD Bank penalty of CAD 9.18 million from FINTRAC was followed by the broader US enforcement action that totalled US $3 billion globally — a wake-up call to Canadian financial institutions of all sizes. More relevantly for the MSB and fintech population, FINTRAC has issued numerous administrative monetary penalties in the seven-figure range in recent years. Our Simple Canadian Services analysis shows how a CAD 229,350 penalty can land on a mid-sized MSB.
Second, the volume of MSB revocations has accelerated. FINTRAC has revoked dozens of MSB registrations in the recent enforcement cycle, and our analysis of the 2026 MSB revocations and the March 24 revocation cohort shows the most common grounds — failure to renew on time, failure to file required reports, failure to maintain a compliance programme, and failure to respond to FINTRAC information requests. Our piece on FINTRAC MSB licence revocation walks through the procedural mechanics.
Third, examination depth has increased. What used to be a documentary inspection has become an effectiveness assessment. Examiners are sampling transactions, interviewing staff, testing whether policies are actually applied, and asking compliance officers to walk through the programme in real time. The era of passing examinations on the strength of well-written documents is over.
The combination of these three shifts means that the cost of running an inadequate Canadian AML programme has materially increased, and the warning signals — frequent FINTRAC information requests, banking partner pressure, audit findings — typically appear well before a penalty is issued. Most MSBs that received recent revocations had received warning signs that were not acted on.
The 2026 PCMLTFA Amendments You Cannot Ignore
The PCMLTFA framework was substantially amended in 2024 and 2025, with provisions phasing in across 2025 and 2026. Our 2026 PCMLTFA amendments analysis covers the technical detail. The high-level changes that matter for compliance programmes:
- Expanded reporting entity coverage — including armoured car operators, mortgage administrators and brokers, white-label ATM operators, and crowdfunding platforms (specific in-force dates apply per category)
- New violations and increased AMP ceilings under the administrative monetary penalty regime
- Enhanced beneficial ownership requirements aligned with the federal beneficial ownership registry
- Expanded information-sharing powers for FINTRAC with domestic and international counterparts
- Tightened rules around politically exposed persons and heads of international organisations
- New obligations relating to virtual currency and the integrity of the regulated MSB framework
For most Canadian MSBs and PSPs, the practical effect of the amendments is that pre-2024 compliance programmes are now technically out of date. A programme that has not been reviewed and updated since the amendments came into force is operating under a superseded framework. The Canada 2025 assessment of money laundering and terrorist financing risks sets out the national risk picture that the amendments are designed to address.
Building a Canadian AML Programme That Survives Examination
An AML compliance programme that survives a FINTRAC examination has the following characteristics. They are not aspirational — they are observable in the programmes of entities that pass examinations cleanly.
Documentation that is current. Risk assessment dated within twelve months. Policies updated to reflect the 2026 amendments. Training records showing completion within the last twelve months. Effectiveness review completed within the last two years. None of this is exotic — but the absence of any one of these documents, current and dated, is a finding.
Documentation that is internally consistent. The risk assessment names risks that the policies actually address. The policies describe procedures that the operations team actually follows. The training programme actually covers the obligations the policies impose. Examiners are trained to find inconsistencies between layers of the programme, and those inconsistencies are typically the easiest findings to write up.
Operational evidence that controls work. Sample testing on customer files, transaction monitoring alerts, STR filings, sanctions screening logs, and training completion records. A programme that has documents but no evidence of operation will not survive a 2026 examination.
Visible governance. A compliance officer who can articulate the programme without reading from a document. A senior management or board minute trail showing engagement with compliance issues. A documented escalation pathway from analyst to MLRO to senior management.
Evidence of remediation. Findings from the prior effectiveness review, with a documented response and verifiable corrective action. Examiners specifically test whether prior findings have been closed.
ComplyFactor’s AML advisory services and AML compliance programme services are designed to build, remediate, or independently review programmes against this standard.
PRO TIP: If you have not formally reviewed your compliance programme since the 2024 PCMLTFA amendments came into force, treat that as the highest-priority remediation item. A pre-amendment programme being assessed against post-amendment standards will produce findings — and findings under the new AMP regime carry materially higher quantum than they did before.
Common Compliance Failures and How to Avoid Them
After reviewing dozens of FINTRAC examination outcomes, MSB revocations, and AMP decisions, the same failure patterns recur. Some are technical, some are structural, but all of them are avoidable.
| Failure Pattern | Root Cause | Practical Fix |
|---|---|---|
| Outdated risk assessment | No periodic review trigger | Calendar a formal annual risk assessment review with documented sign-off |
| Templated policies that don’t match operations | Off-the-shelf manual never customised | Walk through each policy with operations to confirm it describes actual practice |
| Missed two-year independent review | No tracking of review cycle | Set a review date 18 months from prior review to allow procurement lead time |
| Late or missed renewal of MSB registration | No renewal calendar | Set a 90-day pre-renewal alert; treat renewal as a board-reporting matter |
| Incomplete beneficial ownership records | Reasonable measures not documented | Document the specific steps taken to confirm BO information for every entity client |
| STR field-level errors | Reliance on legacy templates | Validate STR submissions against current FINTRAC schema before filing |
| Training gaps for new joiners | No onboarding compliance module | Require completion of AML training before granting system access |
| No evidence of senior management oversight | Compliance treated as operational only | Establish a quarterly compliance reporting cycle to senior management or board |
Our common mistakes in MSB registration, common tax mistakes for Canadian MSBs, and data protection laws for Canadian MSBs and PSPs round out the picture for entities trying to map the full compliance perimeter.
Frequently Asked Questions
Is AML compliance in Canada the same as PCMLTFA compliance? Effectively, yes. AML compliance in Canada is governed primarily by the PCMLTFA and its regulations. The two phrases are used interchangeably. Where they diverge is in scope — AML compliance in Canada also encompasses sanctions screening obligations under separate federal statutes that integrate with the PCMLTFA framework.
Do Canadian PSPs need a FINTRAC AML programme even if they are RPAA-registered? In most cases, yes. RPAA registration with the Bank of Canada is a separate regime focused on operational risk and end-user protection. Most PSP activities also fall within the PCMLTFA’s MSB definitions (particularly money transferring and foreign exchange dealing), which triggers FINTRAC registration and the full AML compliance programme obligations. PSPs should obtain a clear written analysis of which regimes apply to their specific activities.
How often must a Canadian MSB conduct an AML effectiveness review? At least once every two years. The PCMLTFA sets this as a minimum, not a maximum — entities with higher risk profiles, recent material changes, or prior examination findings often benefit from more frequent reviews. The reviewer must be independent of those who designed or operate the programme.
Can the MLRO and the compliance officer be the same person? In a Canadian MSB or PSP context, yes — the PCMLTFA uses the term “compliance officer,” and most entities map the international MLRO function to that single role. The key requirement is that the individual has the authority, independence, and resources to operate the programme.
What is a fractional MLRO and is it permitted under Canadian law? A fractional MLRO is an experienced compliance officer engaged on a part-time, contractual basis rather than as a full-time employee. The PCMLTFA does not require the compliance officer to be a full-time employee — it requires the function to be properly resourced and exercised. Fractional engagements are widely used by Canadian MSBs and PSPs and, when structured correctly, are fully compliant.
What triggers a FINTRAC examination? Examinations may be triggered by risk-based selection (sector, geography, size), prior findings, incoming intelligence (including STRs filed about the entity itself), failure to file required reports, failure to renew registration, or random selection. There is no single trigger — examinations should be assumed to be possible at any time.
How long does FINTRAC keep records of examinations and findings? Indefinitely for regulatory purposes. Findings remain part of the entity’s regulatory file and are typically considered when subsequent examinations are scheduled. Penalty decisions are public.
What happens after a FINTRAC examination? The entity receives a Findings Letter setting out deficiencies. The entity has the opportunity to respond and propose corrective action. Where deficiencies are material, FINTRAC may impose an administrative monetary penalty, refer the matter for prosecution in serious cases, or — for unregistered entities or those with persistent failures — revoke MSB registration. Entities have rights to make representations and, in penalty cases, rights of review.
Can I get banking for my MSB or PSP if I have a strong AML programme? Banking access remains one of the most practical challenges for Canadian MSBs and PSPs, regardless of programme quality. A strong, independently reviewed programme materially improves banking conversations but does not guarantee them. Our banking guide for Canadian MSBs and PSPs covers the practical pathways.