Due diligence explained: business checklist
A practical guide to due diligence for businesses: what it covers, legal requirements in Canada, and a complete checklist across legal, financial
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokDue diligence is the structured process of investigating a counterparty, acquisition target, or business partner before committing to a transaction or relationship. In Canada, due diligence obligations arise from multiple sources: the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), the Corruption of Foreign Public Officials Act (CFPOA), the Canada Business Corporations Act (CBCA), and PIPEDA.
This article is for compliance officers, finance directors, and legal teams who need to structure their due diligence process. It is informational only and does not constitute legal, financial, or regulatory advice.
What is due diligence and why does it matter?
Due diligence is a risk assessment carried out before a business decision. It confirms a counterparty's identity, ownership structure, financial health, regulatory standing, and reputation. In financial services and other regulated sectors, it is not optional -- it is a legal requirement.
FINTRAC guidance requires reporting entities to apply Customer Due Diligence (CDD) measures before establishing any business relationship, under the PCMLTFA. Entities that fail to comply face enforcement action: FINTRAC has imposed significant administrative monetary penalties for AML compliance failures.
The scope of due diligence has expanded significantly. The Fighting Against Forced Labour and Child Labour in Supply Chains Act (S.C. 2023, c.9) requires certain entities to report on measures taken to prevent and reduce the risk of forced or child labour in their supply chains. The EU's Corporate Sustainability Due Diligence Directive (CSDDD) will affect Canadian businesses with EU market exposure.
The 5 types of due diligence
Due diligence is not a single exercise. The scope depends on the context: M&A transactions, new client onboarding in regulated sectors, vendor qualification, or investment appraisal.
| Type | Primary focus | Key documents |
|---|---|---|
| Legal | Corporate structure, litigation, IP, contracts | Corporations Canada/provincial registry filings, articles, beneficial ownership |
| Financial | Profitability, cash flow, liabilities | 3-5 years financial statements, management accounts |
| Tax | CRA compliance, hidden tax liabilities | Tax returns 6 years, GST/HST records |
| Regulatory/AML | Sanctions, PEP status, beneficial ownership | KYC documents, source of funds, screening results |
| ESG | Human rights, environment, anti-corruption | Supply chain reports, ESG reports, ISO certifications |
The complete due diligence checklist
Legal due diligence
Legal due diligence confirms that a business exists, operates lawfully, and carries no undisclosed liabilities. Canadian practitioners consistently identify this as the starting point for any M&A or partnership process.
Documents to collect:
- Corporations Canada or provincial corporate registry filings: registered name, number, status, registered office, directors, and beneficial ownership information
- Articles of incorporation and shareholder agreements
- Material contracts -- customer, supplier, and employment -- including change-of-control clauses
- Schedule of current and threatened litigation
- Intellectual property ownership: registered trademarks, patents, domain names
Beneficial ownership transparency requirements have been strengthened in Canada. The CBCA amendments (2019, 2022) require corporations to maintain a register of individuals with significant control (ISC register), identifying anyone holding 25% or more of shares or who exercises significant influence.
Financial and tax due diligence
Financial due diligence validates the valuation and uncovers hidden liabilities. Canadian M&A practice requires a minimum three-year financial review for SME transactions and five years for larger deals.
Priority checks:
- Adjusted EBITDA and normalized free cash flow analysis
- CRA compliance: Corporation Tax, GST/HST, payroll source deductions. Check for open audits via the company's tax advisers
- Pension fund obligations
- Accounts receivable ageing schedule -- DSO trends reveal underlying revenue quality
- Shareholder loans and related-party transactions
Corporate registry filings are publicly available but financial statements are not always filed publicly in Canada -- always request financial statements directly from the target.
AML/KYC due diligence for regulated entities
For entities regulated by OSFI, FINTRAC, or provincial securities commissions, customer due diligence is a statutory requirement under the PCMLTFA.
Three tiers of due diligence apply under the PCMLTFA risk-based approach:
- Simplified measures: applies to lower-risk situations as determined by the entity's risk assessment.
- Standard Due Diligence (CDD): the baseline for most business relationships. Verify identity, beneficial ownership, and purpose of the relationship.
- Enhanced Due Diligence (EDD): mandatory for Politically Exposed Persons (PEPs), high-risk clients, and correspondent banking relationships, per FINTRAC guidance.
Automated document verification reduces KYC processing time by 60-80% compared to manual review. CheckFile automates identity document verification, corporate registry cross-checks, and address verification in line with FINTRAC CDD requirements.
For more context on AML obligations, see our anti-money laundering compliance guide.
ESG and supply chain due diligence
ESG due diligence is increasingly mandated. The Fighting Against Forced Labour and Child Labour in Supply Chains Act requires certain entities to report annually on measures taken to prevent forced and child labour in their supply chains.
Checklist:
- Supply chain due diligence report (required annually for qualifying entities)
- Supplier code of conduct and audit programme
- Carbon footprint disclosure (Scope 1, 2, and 3 emissions)
- Anti-corruption procedures under the CFPOA -- documented policies and training records
- PIPEDA compliance: Privacy Impact Assessments for high-risk processing
Under the CFPOA, it is an offence to bribe a foreign public official to obtain or retain a business advantage -- and inadequate compliance procedures increase prosecution risk.
Explore further
Discover our practical guides and resources to master document compliance.
Explore our guidesDue diligence by transaction type
| Transaction | Due diligence level | Recommended timeline | Key specialists |
|---|---|---|---|
| New regulated client (OSFI entity) | Standard to Enhanced | 2-5 business days | Compliance, front office |
| SME acquisition | Comprehensive | 4-8 weeks | Lawyers, accountants, tax advisers |
| Strategic supplier (critical) | Standard | 1-2 weeks | Procurement, legal, compliance |
| Minority investment | Comprehensive | 3-6 weeks | M&A advisers, finance |
| Standard vendor onboarding | Simplified | 24-48 hours | Procurement, compliance |
How to automate your due diligence process
The most common question from compliance teams is: How do we scale due diligence without adding headcount?
The answer lies in combining secure virtual data rooms with automated document verification. CheckFile verifies document authenticity (fraud detection, intelligent OCR, cross-document consistency checks) and integrates with existing workflows via API.
An internal benchmark across 150 due diligence files processed via CheckFile showed an average 72% reduction in document collection and verification time compared to a standard manual process. Our data from over 180,000 documents processed monthly confirms a fraud detection rate of 94.8% and an average verification time of 4.2 seconds per document.
For a comprehensive overview, see our document compliance complete guide.
Go further
To dive deeper into this topic, explore our complete guide on document verification.
FAQ
What is the difference between due diligence and an audit?
Due diligence is a pre-transaction investigation carried out by the acquiring party to inform a decision. An audit is a periodic, independent review of accounts or processes. The two complement each other: a recent clean audit shortens the financial due diligence phase but does not replace it.
Is due diligence a legal requirement for all Canadian businesses?
Not universally. For FINTRAC reporting entities, CDD is a statutory obligation under the PCMLTFA. For businesses qualifying under the Fighting Against Forced Labour Act, supply chain due diligence reporting is required annually. For all businesses, general duties of care and the CFPOA create practical due diligence obligations regardless of sector.
How long does due diligence take in Canada?
SME acquisitions typically complete due diligence in 4-8 weeks. Complex transactions involving multiple entities or regulated activities can extend to 12 weeks. FINTRAC-regulated new client onboarding should complete standard CDD within 2-5 business days; EDD typically requires 5-10 business days.
What documents does Corporations Canada provide for due diligence?
Corporations Canada provides: certificate of incorporation, articles of incorporation, annual returns, director information, and certificates of status. Provincial registries provide similar information for provincially incorporated entities. Not all documents are publicly accessible -- some must be requested directly from the corporation.
How should due diligence findings be documented?
Document findings in a written report with a risk matrix classifying each issue by probability and financial impact. Include a clear summary for decision-makers, specific items for price adjustment or warranty/indemnity protection, and conditions precedent to completion. Retain all working papers for a minimum of 6 years for CRA purposes and 5 years under the PCMLTFA.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. For jurisdiction-specific guidance, consult a qualified lawyer, accountant, or compliance specialist. CheckFile supports compliance teams with automated document verification -- visit our pricing page or contact us to learn more.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.