KYC Requirements for Canadian MSBs: CDD, EDD and Ongoing Monitoring Under PCMLTFA

KYC as a Compliance Foundation, Not a Formality

Know Your Client is the operational core of every FINTRAC-registered MSB’s AML/CTF compliance program. Without robust KYC, transaction monitoring is blind, suspicious transaction reporting is unreliable, and your risk assessment is built on assumptions rather than data. FINTRAC examiners treat KYC deficiencies not as isolated procedural failures but as evidence of a systemic compliance program breakdown.

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its Regulations impose specific, granular KYC obligations on MSBs — obligations that go well beyond collecting a name and address. Customer identification, verification, business relationship establishment, third-party determination, beneficial ownership, PEP and HIO screening, enhanced due diligence, and ongoing monitoring are all distinct legal requirements, each with their own triggers, methods, and record-keeping obligations.

This guide covers each layer in practitioner-level detail — not as an academic overview, but as a practical reference for MSB operators who need to know precisely what FINTRAC expects and how to build procedures that will withstand examination scrutiny.

For context on how KYC fits within your broader compliance program, our guide on building a FINTRAC-compliant AML program covers the five-element framework in full. For the registration obligations that precede KYC, see our Canada MSB license guide and the FINTRAC AML requirements guide.

---

Who Is Subject to KYC Requirements Under PCMLTFA

All entities registered as MSBs with FINTRAC are subject to KYC obligations under the PCMLTFA. This includes:

• Domestic MSBs providing foreign exchange, remittance, money orders, cheque cashing, or virtual currency services
• Foreign MSBs (FMSBs) registered with FINTRAC that provide MSB services to persons in Canada

The KYC obligations apply at the transaction level and the relationship level — meaning that even where no ongoing business relationship exists, a one-off transaction above certain thresholds can trigger identification and verification requirements.

Understanding which transactions trigger KYC, at what threshold, and through which verification method is the operational question that MSB front-line staff must be able to answer correctly and consistently. FINTRAC examiners test this through transaction file sampling — not just by reviewing your written procedures.

---

Customer Identification: The First Layer

When Identification Is Required

Under the PCMLTFA and its Regulations, MSBs must identify clients in the following circumstances:

• When conducting a foreign exchange transaction of $3,000 or more
• When conducting an international electronic funds transfer (EFT) of $1,000 or more
• When sending a domestic EFT of $1,000 or more on behalf of a client
• When issuing or redeeming money orders, traveller’s cheques, or similar instruments of $3,000 or more
• When receiving cash of $10,000 or more (triggering both identification and Large Cash Transaction Report obligations)
• When entering into a business relationship with a client
• When there are reasonable grounds to suspect that a transaction or attempted transaction is related to ML/TF — in which case identification is required regardless of amount
• When dealing in virtual currencies — specific thresholds apply (see the virtual currency section below)

What Identification Means

Identification is the collection of client information — specifically:

• For individuals: full legal name, date of birth, address, and the nature of their principal business or occupation
• For entities (corporations, partnerships, etc.): legal name, address, nature of business, and information on directors and beneficial owners

Identification is the collection step. It is distinct from verification — the step that confirms the information collected is accurate.

Verification Methods

FINTRAC prescribes specific methods for verifying client identity. For individuals, acceptable verification methods include:

• Government-issued photo identification — examining an original, valid document such as a passport or driver’s licence
• Credit file method — confirming the individual’s identity through a Canadian credit file that has been in existence for at least three years
• Dual-process method — using two separate, reliable, independent sources of information to verify the individual’s name and address, or name and date of birth
• Affiliate or member method — relying on verification performed by an affiliate or member of a financial services cooperative
• Agent or mandatary method — relying on a third-party agent to perform the verification

For non-face-to-face transactions — which now represent the majority of MSB activity — the credit file and dual-process methods are the most commonly used alternatives to in-person document examination. <div style=”border-color:#f7853399;border-style:solid;border-width:1px;border-radius:16px;color:#1e1e1e;background:linear-gradient(86deg,rgb(255,245,237) 6%,rgb(255,255,255) 100%);margin-top:16px;margin-bottom:32px;padding:24px;font-family:-apple-system,BlinkMacSystemFont,’Segoe UI’,Roboto,Oxygen-Sans,Ubuntu,Cantarell,’Helvetica Neue’,sans-serif”> <div style=”display:flex;align-items:center;gap:12px;margin-bottom:12px”> <span style=”font-size:20px”>💡</span> <p style=”color:#f78533;font-size:16px;font-weight:600;line-height:1.5;margin:0″>PRO TIP</p> </div> <p style=”color:#1e1e1e;font-size:18px;font-weight:500;line-height:1.5;margin:0″>FINTRAC distinguishes sharply between identification and verification. Many MSBs collect client information (identification) but fail to apply a prescribed verification method and document which method was used. In a FINTRAC examination, a client file showing collected information but no record of the verification method applied will be treated as an unverified client — regardless of what your policies say.</p> </div>

---

Customer Due Diligence (CDD): What It Actually Means for MSBs

CDD under the PCMLTFA goes beyond identification and verification. It encompasses the full process of understanding who your client is, what they do, and why they are conducting the transaction or relationship with your MSB.

CDD at the Transaction Level

For transactions that trigger identification requirements, CDD means:

• Collecting and verifying the client’s identity using a prescribed method
• Determining whether a third party is directing the transaction (see Third-Party Determination below)
• Assessing whether the transaction is consistent with the client’s stated purpose and expected behaviour
• Determining whether there are reasonable grounds to suspect ML/TF — which triggers suspicious transaction reporting obligations regardless of the transaction amount

CDD at the Relationship Level

Where a business relationship is established, CDD obligations expand significantly:

• Keeping client identification information up to date
• Monitoring the business relationship on an ongoing basis for transactions inconsistent with the client’s risk profile
• Determining whether the client is a PEP, HIO, or close associate
• Determining beneficial ownership for entity clients

The quality of CDD is ultimately what enables your transaction monitoring to function — without an accurate understanding of who your client is and what behaviour is expected, anomalous transactions cannot be identified as such.

---

Business Relationships vs. Occasional Transactions

One of the most practically important distinctions in the PCMLTFA KYC framework is the difference between a business relationship and an occasional transaction. The obligations that attach to each are materially different.

What Constitutes a Business Relationship

Under the PCMLTFA, an MSB is considered to have entered into a business relationship with a client when:

• The MSB opens an account for the client, or
• The MSB has conducted transactions with the client on two or more occasions for which it is required to keep records — with the business relationship established at the point the second record-keeping-triggering occasion occurs

This threshold is lower than many MSB operators realise. A client who conducts two separate foreign exchange transactions above the $3,000 threshold, or two remittances above $1,000, has entered into a business relationship with your MSB — regardless of whether those transactions are weeks or months apart.

Obligations That Attach to Business Relationships

Once a business relationship is established, the following obligations apply in addition to standard transaction-level CDD:

• Beneficial ownership must be determined for entity clients
• PEP/HIO screening must be conducted
• Ongoing monitoring of the relationship must be conducted (see below)
• Client information must be kept up to date throughout the relationship

Many smaller MSBs fail to recognise when a business relationship has been established and consequently do not apply the elevated obligations that flow from that status. FINTRAC examiners specifically look for this gap — testing whether the MSB’s transaction files reflect appropriate escalation of obligations when the business relationship threshold is crossed. <div style=”border-color:#e7484899;border-style:solid;border-width:1px;border-radius:16px;color:#1e1e1e;background:linear-gradient(86deg,rgb(255,240,242) 6%,rgb(255,255,255) 100%);margin-top:16px;margin-bottom:32px;padding:24px;font-family:-apple-system,BlinkMacSystemFont,’Segoe UI’,Roboto,Oxygen-Sans,Ubuntu,Cantarell,’Helvetica Neue’,sans-serif”> <div style=”display:flex;align-items:center;gap:12px;margin-bottom:12px”> <span style=”font-size:20px”>⚠️</span> <p style=”color:#e74848;font-size:16px;font-weight:600;line-height:1.5;margin:0″>COMMON MISTAKE</p> </div> <p style=”color:#1e1e1e;font-size:18px;font-weight:500;line-height:1.5;margin:0″>Many MSBs treat every transaction as an “occasional transaction” and never formally establish business relationships — even with clients who transact repeatedly. This is a material compliance failure. Once the business relationship threshold is crossed, beneficial ownership determination, PEP/HIO screening, and ongoing monitoring obligations all activate. Failing to recognise this is one of the most common KYC findings in FINTRAC MSB examinations.</p> </div>

---

Third-Party Determination

What FINTRAC Requires

For every transaction for which MSBs are required to keep a record, they must take reasonable measures to determine whether the transaction is being conducted by or on behalf of a third party — meaning whether someone other than the person physically conducting the transaction is the true principal behind it.

If a third party is identified (or if the MSB has reasonable grounds to suspect a third party is involved), the MSB must collect:

• The third party’s name
• Their address
• Their date of birth (if an individual)
• Their business or occupation
• The nature of the relationship between the third party and the client conducting the transaction

Why Third-Party Determination Matters

Third-party determination is one of the mechanisms FINTRAC uses to address structuring and smurfing — scenarios where a money launderer uses multiple individuals (each conducting transactions below detection thresholds) to move funds. Without third-party determination procedures, MSBs are vulnerable to being used as the transactional layer in ML schemes where the true beneficial principal is never identified.

FINTRAC examiners check whether MSB policies and procedures contain meaningful third-party determination steps — not just a checkbox asking “is this for a third party?” but a genuine inquiry process that captures indicators and documents the outcome.

---

Beneficial Ownership

The Obligation

When an MSB establishes a business relationship with an entity — a corporation, partnership, trust, or other legal person — it must take reasonable measures to determine the identity of the entity’s beneficial owners.

Under the PCMLTFA framework, a beneficial owner is an individual who directly or indirectly owns or controls 25% or more of the entity. For corporations, this means tracing ownership through corporate layers to identify the natural persons who ultimately hold that ownership threshold.

Verification of Beneficial Ownership

The PCMLTFA does not require MSBs to independently verify beneficial ownership information against a documentary standard in every case — it requires them to take reasonable measures to determine beneficial ownership. What constitutes reasonable measures depends on the risk level of the client and the nature of the relationship.

For lower-risk entity clients, this may mean obtaining a declaration from the entity’s authorised representative. For higher-risk clients — clients in high-risk jurisdictions, complex ownership structures, or clients where other risk factors are present — more robust measures are expected, such as reviewing corporate registry records, ownership charts, or constitutional documents.

Canada’s beneficial ownership registry is now operational and publicly searchable through Corporations Canada under amendments to the Canada Business Corporations Act (CBCA) that came into force January 22, 2024. MSBs dealing with federally incorporated entity clients should incorporate this registry into their beneficial ownership verification procedures as a reasonable measure to confirm or corroborate beneficial ownership information provided by the client. For MSBs serving clients in multiple provinces, note that provincial beneficial ownership registries exist separately — Ontario, British Columbia, and Quebec have their own corporate registry frameworks relevant to provincially incorporated entities.

Ownership and Control Structures

The 25% ownership threshold can be met through direct shareholding, indirect shareholding through intermediate entities, or control through voting rights or other contractual arrangements. Where complex structures make it impossible to identify a natural person meeting the threshold, the MSB should identify the most senior managing official of the entity as a proxy beneficial owner and document the steps taken to trace ownership.

---

Politically Exposed Persons (PEPs) and Heads of International Organisations (HIOs)

Definitions

The PCMLTFA distinguishes between:

• Domestic PEPs — individuals who hold or have held a prescribed senior political, judicial, or military office in Canada. Where a person ceased to hold a domestic PEP position more than five years ago, the enhanced measures applicable to domestic PEPs are generally not required — the five-year window determines when enhanced obligations are triggered, not the definition of PEP itself
• Foreign PEPs — individuals who hold or have held a prescribed senior political, judicial, or military office in a foreign state (no time limitation for enhanced measures)
• Heads of International Organisations (HIOs) — individuals who are or have been the head of an international organisation such as the United Nations or its agencies
• Close associates — individuals closely connected to a PEP or HIO by close personal or business relationships
• Family members — defined family members of PEPs and HIOs

When Screening Is Required

PEP and HIO screening must be conducted when entering into a business relationship with a client, when there are reasonable grounds to suspect a client or transaction is connected to a PEP or HIO, and at periodic intervals during ongoing business relationships where the risk profile warrants it.

For foreign PEPs and HIOs, the obligations are stricter. Once identified, an MSB must:

• Obtain senior management approval before establishing or continuing the business relationship
• Take reasonable measures to establish the source of funds and source of wealth
• Conduct enhanced ongoing monitoring of the business relationship

For domestic PEPs, the requirement to obtain senior management approval applies only where the MSB determines that the relationship presents a high risk of ML/TF.

Practical Implementation

PEP and HIO screening typically involves screening new clients against a PEP/HIO database at onboarding and periodic re-screening of existing clients within business relationships. The screening obligation is ongoing — a client who was not a PEP at onboarding may become one during the course of the business relationship. MSBs that screen once at onboarding and never again are non-compliant.

---

Enhanced Due Diligence (EDD): When Standard CDD Is Not Enough

What Triggers EDD

EDD is required where:

• The client is a foreign PEP or HIO (mandatory)
• The client has been assessed as high risk in your risk assessment
• The transaction involves a high-risk jurisdiction — a country or territory on FATF’s grey or black lists, or identified in a FINTRAC advisory
• There are unusual or complex transaction patterns that cannot be readily explained
• The source of funds is unclear or inconsistent with the client’s stated occupation or business profile

What EDD Involves

EDD is a risk-proportionate escalation of the standard CDD process. Depending on the risk profile, EDD may involve:

• Source of funds inquiry — asking the client to explain and document where the funds originate
• Source of wealth inquiry — for PEPs and HIOs, understanding how the client accumulated their overall wealth
• Enhanced transaction monitoring — increasing the frequency and depth of monitoring
• Senior management approval — for certain high-risk relationships, requiring sign-off before proceeding
• Additional documentary verification — requesting bank statements, corporate financial statements, or tax records to corroborate client explanations

EDD in Your Policies and Procedures

A common gap identified in FINTRAC examinations is that MSBs have a high-risk client category in their risk assessment but no corresponding EDD procedures in their policies. Identifying a client as high risk without prescribing what additional steps apply is not compliance — it is documentation without substance. Your policies must specify what EDD measures apply to each risk tier, who authorises them, and how they are recorded. ComplyFactor’s AML compliance program service and AML advisory services address this linkage as a core deliverable. <div style=”border-color:#9b59b699;border-style:solid;border-width:1px;border-radius:16px;color:#1e1e1e;background:linear-gradient(86deg,rgb(248,240,255) 6%,rgb(255,255,255) 100%);margin-top:16px;margin-bottom:32px;padding:24px;font-family:-apple-system,BlinkMacSystemFont,’Segoe UI’,Roboto,Oxygen-Sans,Ubuntu,Cantarell,’Helvetica Neue’,sans-serif”> <div style=”display:flex;align-items:center;gap:12px;margin-bottom:12px”> <span style=”font-size:20px”>🔍</span> <p style=”color:#9b59b6;font-size:16px;font-weight:600;line-height:1.5;margin:0″>INDUSTRY INSIGHT</p> </div> <p style=”color:#1e1e1e;font-size:18px;font-weight:500;line-height:1.5;margin:0″>FINTRAC’s examination teams look for the connection between your risk assessment and your EDD procedures. If your risk assessment identifies remittances to high-risk jurisdictions as a high-risk activity but your policies contain no EDD steps for those transactions, that disconnect is a structural deficiency. The risk assessment must actively drive your procedures — not exist as a separate document that never influences operational decisions.</p> </div>

---

Ongoing Monitoring

What FINTRAC Requires

Once a business relationship is established, MSBs must conduct ongoing monitoring of that relationship. Ongoing monitoring has two components:

1. Transaction monitoring — reviewing transactions within the business relationship to identify those inconsistent with the client’s known profile, stated purpose, or expected behaviour
2. Client information maintenance — keeping the client’s identification and risk-assessment information up to date throughout the relationship

What “Inconsistent” Means in Practice

Ongoing transaction monitoring for smaller MSBs means having documented procedures for reviewing client transaction patterns and flagging anomalies for compliance officer review. An anomaly might be:

• A client whose transactions suddenly increase significantly in frequency or value without explanation
• A client who begins transacting with jurisdictions not previously associated with their profile
• A client whose stated occupation is inconsistent with the volume or nature of their transactions
• Transactions structured just below reporting or identification thresholds

The obligation is to have a procedure for detecting anomalies, escalating them to the compliance officer, and documenting the outcome. Where an anomaly cannot be adequately explained, it may give rise to reasonable grounds to suspect ML/TF and trigger an STR filing obligation.

Keeping Client Information Current

If a client’s circumstances change materially — new address, change of occupation, change in beneficial ownership of an entity client — the MSB must update its records. The obligation to keep information current is ongoing for the duration of the business relationship.

FINTRAC has found this obligation deficient in examinations of MSBs where client files showed original onboarding information but no evidence of any subsequent review or update, even where the relationship had been active for several years and transaction patterns had evolved materially. The Canada 2025 national ML/TF risk assessment identifies the typologies and client risk profiles that should be feeding directly into your ongoing monitoring criteria.

---

KYC for Virtual Currency MSBs

MSBs that deal in virtual currencies have specific KYC obligations that reflect the heightened ML/TF risk profile of this activity.

Transaction Thresholds for Virtual Currency

Under the PCMLTFA Regulations, MSBs dealing in virtual currencies must:

• Identify clients for virtual currency transactions of $1,000 or more (lower threshold than for foreign exchange)
• Report large virtual currency transactions of $10,000 or more received in a single transaction (Large Virtual Currency Transaction Reports — LVCTRs)
• Keep records of virtual currency transactions of $1,000 or more

Travel Rule for Virtual Currency

The Travel Rule applies to virtual currency transfers under Canadian regulations. MSBs and VASPs must transmit originator and beneficiary information with transfers of $1,000 or more. Our crypto travel rules guide covers the Canadian and international framework in full.

Enhanced Risk Considerations

Virtual currency transactions present specific ML/TF risk factors that must be addressed in both your risk assessment and your KYC procedures:

• Anonymity risk — the pseudonymous nature of public blockchain transactions
• Jurisdiction risk — the global nature of virtual currency transfers and difficulty determining the jurisdiction of counterparties
• Mixer and tumbler exposure — transactions passing through mixing services designed to obscure transaction trails
• Unhosted wallet risk — transactions involving wallets not associated with a regulated entity

MSBs dealing in virtual currencies should ensure their KYC procedures specifically address these risk factors — not simply apply the same CDD procedures used for cash and foreign exchange transactions. Our 6 AML trends guide covers the evolving ML/TF typologies specific to virtual currency that should feed into your KYC risk calibration.

Our guide on virtual currency MSBs in Canada covers the registration and compliance framework for crypto MSBs in detail.

---

KYC Record Keeping Requirements

What Must Be Retained

Record Type	Retention Period
Client identification records (individuals)	5 years from date of record creation
Client identification records (entities)	5 years from date of record creation
Beneficial ownership records	5 years from date of record creation
Business relationship records	5 years from the date of the last transaction in the relationship
Transaction records (foreign exchange, EFTs, etc.)	5 years from date of transaction
Third-party determination records	5 years from date of record creation
PEP/HIO determination records	5 years from date of determination

Format and Retrievability

Records must be kept in a format that allows them to be provided to FINTRAC within a reasonable timeframe on request. For digital MSBs, this means ensuring your client management system or AML platform retains records in an accessible, exportable format — not just as live system data that becomes inaccessible if the system changes.

Backup and retention policies should be addressed explicitly in your compliance program documentation. A record that exists in theory but cannot be produced on FINTRAC examination request is treated as a missing record. Our guide on compliance documentation for Canadian PSPs covers the document architecture question in depth with principles that apply equally to MSBs. For the full record-keeping obligations by transaction type, the FINTRAC AML requirements guide provides a comprehensive reference.

---

Common KYC Failures FINTRAC Finds on Examination

Based on FINTRAC’s published examination findings and administrative monetary penalty decisions, the most frequent KYC deficiencies in MSB examinations are:

Identification without verification: Client information collected but no prescribed verification method applied or documented. This is the single most common KYC finding in MSB examinations.

Wrong verification method for non-face-to-face transactions: Using in-person document examination as the stated method when the transaction was conducted remotely. The verification method must be appropriate to the channel.

Business relationship threshold not tracked: MSBs with repeat clients who have never been identified as business relationship clients — meaning beneficial ownership, PEP/HIO screening, and ongoing monitoring obligations have never been triggered.

PEP/HIO screening at onboarding only: Clients screened once at the start of a relationship and never re-screened, despite the ongoing nature of the obligation.

EDD triggered but not applied: High-risk clients identified in the risk assessment with no corresponding EDD procedure in the policies, or EDD procedures that exist on paper but are not applied in practice.

Beneficial ownership not determined for entity clients: Entity business relationship clients where no beneficial ownership determination was made or documented.

Ongoing monitoring with no documented output: Policies state that ongoing monitoring is conducted but client files show no evidence of any monitoring activity — no review notes, no escalation records, no documentation of anomaly assessments.

Our MSB AML audit requirements guide covers how FINTRAC tests these obligations during examinations. ComplyFactor’s FINTRAC MSB audit service tests KYC compliance at the transaction file level — not just the policy level. For MSBs that want to self-assess before an examination, our AML audit checklist provides a practical review framework, and our AML risk assessment calculator helps identify where your KYC risk controls may have gaps.

---

FAQ

At what dollar threshold must an MSB identify a client for a foreign exchange transaction? The identification threshold for foreign exchange transactions is $3,000 or more. If a client exchanges $3,000 or more in a single transaction, identification and verification obligations are triggered.

Does the $3,000 threshold apply per transaction or per day? Per transaction. However, if there are reasonable grounds to suspect that transactions are being structured to avoid the threshold, the structuring itself may give rise to STR reporting obligations.

What is the difference between CDD and EDD? CDD is the standard due diligence applied to all clients — collecting and verifying identification, understanding the nature of the business relationship, and assessing consistency with the client’s profile. EDD is an elevated level of scrutiny applied to higher-risk clients and transactions — it involves additional steps such as source of funds inquiries, enhanced monitoring, and in some cases senior management approval.

When does a business relationship begin for PCMLTFA purposes? An MSB enters into a business relationship with a client when it opens an account for the client, or when it has conducted transactions with a client on two or more occasions for which it is required to keep records. The business relationship is established at the point the second record-keeping-triggering occasion occurs.

Is PEP screening required for every transaction? PEP screening is required when entering into a business relationship with a client, and periodically during ongoing business relationships where the risk profile warrants it. It is not required for every individual occasional transaction.

Can an MSB rely on KYC performed by a third-party agent? Yes, in certain circumstances. The PCMLTFA permits MSBs to rely on verification performed by an agent or mandatary acting on their behalf, subject to conditions. The MSB remains responsible for compliance — reliance on an agent does not transfer the legal obligation to the agent.

How does the Travel Rule apply to virtual currency MSBs in Canada? Canadian virtual currency MSBs must transmit originator and beneficiary information with virtual currency transfers of $1,000 or more, regardless of whether the counterparty VASP is a Canadian or foreign entity. See our crypto travel rules guide for a full treatment.

What records must an MSB keep for a business relationship client? The MSB must keep client identification records, beneficial ownership records (for entities), PEP/HIO determination records, records of all transactions that trigger record-keeping obligations, and records of ongoing monitoring activity — all retained for five years from the date of record creation or from the date of the last transaction in the relationship, whichever is later.