Whistleblower Compliance in Canada: PCMLTFA, FINTRAC, and Documentation Guide 2026

Regulatory disclaimer: This article is for informational purposes only. Canadian whistleblower obligations are federal and provincial. Consult legal counsel for jurisdiction-specific advice.

Canada does not have a single comprehensive private-sector whistleblower protection law equivalent to the EU Directive 2019/1937. Instead, whistleblower protection in Canada comes from a patchwork of federal statutes — including the Public Servants Disclosure Protection Act (PSDPA) for federal public servants, the Canada Labour Code for federally regulated private-sector employees, and provincial employment standards legislation. For the financial sector, FINTRAC and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) create specific reporting and documentation obligations.

Canada's Whistleblower Regulatory Landscape

Ontario Securities Commission (OSC) Whistleblower Program (2016): The OSC operates a formal whistleblower program with awards of up to $5 million CAD for original information that leads to an enforcement action with sanctions exceeding $1 million. The AMF Québec has its own whistleblower regime under the Securities Act (Québec).

OSFI Guideline E-13: Federally regulated financial institutions (FRFIs) — including banks, insurance companies, and trust companies — must implement effective compliance regimes under OSFI Guideline E-13 that include procedures for employees to report compliance concerns. OSFI expects FRFIs to maintain documented whistleblower policies.

FINTRAC Reporting: Suspicious Transaction Reports (STRs)

Financial institutions and other reporting entities under the PCMLTFA must report suspicious transactions to FINTRAC within specified timeframes.

STR documentation requirements:

STR retention: Reporting entities must retain all records related to STRs for 5 years from the date of the transaction, in accordance with FINTRAC's record-keeping requirements under the PCMLTFA.

FINTRAC applies a "tipping-off" prohibition analogous to the BSA: reporting entities may not disclose to the subject of a suspicious transaction that an STR has been filed. Documentation of the STR must be kept separate from the client file with restricted access.

PCMLTFA Program Documentation Requirements

Every reporting entity must have a documented compliance program that meets FINTRAC requirements. The program must include:

• Written compliance policies and procedures (reviewed and updated at least annually)
• A designated compliance officer (documented appointment)
• A risk assessment of inherent and residual ML/TF risks
• Ongoing training records (dates, content, employees trained)
• An effectiveness review every two years (or more frequently if significant changes occur)

FINTRAC's compliance program requirements mandate that policies include procedures for receiving and escalating internal suspicious activity concerns. This creates a de facto internal whistleblower procedure for the AML compliance function.

PIPEDA and Loi 25: Data Protection for Whistleblower Processes

Whistleblower data in Canada is personal information subject to federal and provincial privacy laws.

Federal PIPEDA (Personal Information Protection and Electronic Documents Act): Applies to private-sector organisations' commercial activities in provinces without substantially similar provincial laws. PIPEDA requires:

• A documented privacy policy covering whistleblower data collection and use
• Limiting collection to what is necessary for the legitimate business purpose
• Retaining personal information only as long as necessary, then securely destroying it
• Safeguards appropriate to the sensitivity of the information

Loi 25 (Québec — Law 25, Act to modernize legislative provisions as regards the protection of personal information): Applies to personal information collected or used in Québec. As of September 2023, Loi 25 requires:

• A Privacy Impact Assessment (PIA) before implementing new technology that processes personal information (including whistleblowing platforms)
• Appointment of a Chief Privacy Officer (CPO) or designated responsible person
• Privacy incident reporting to the Commission d'accès à l'information (CAI) within 72 hours of becoming aware of a serious incident

Documentation requirements under Loi 25:

• Privacy policy covering the whistleblower channel
• PIA records
• Privacy incident register
• Records of consent (where required) or legal basis for processing

CheckFile supports 3,200+ document types across 32 jurisdictions. For Canadian financial institutions, the KYC verification module supports validation of Social Insurance Numbers (SIN), provincial driver's licences, and PR Cards under FINTRAC CDD requirements.

Provincial Whistleblower Protections: Ontario and Québec

Ontario: The Ontario Securities Act protects employees of capital markets participants who report securities violations to the OSC. The Occupational Health and Safety Act (OHSA) protects workers who report workplace health and safety violations. The Employment Standards Act, 2000 (ESA) prohibits reprisals against employees who exercise their rights under the Act.

Québec: The Act respecting labour standards (LSST) prohibits dismissal or disciplinary measures against employees who exercise their rights under the Act. The AMF Québec operates a whistleblower program for financial sector violations. Québec's Public Administration Act covers public-sector denunciations.

Building a Canada-Compliant Whistleblower Programme

Key differences from the EU framework that compliance teams must address:

1. No universal size threshold: Canada has no equivalent to the EU's 50-employee rule. Obligations are sector- and jurisdiction-based.
2. Bilingual requirements: Federal entities and companies operating in Québec must make whistleblowing channel information available in both English and French.
3. FINTRAC STR non-disclosure: Unlike EU whistleblowing, FINTRAC STR filings have an absolute non-disclosure prohibition — no acknowledgement to the subject.
4. Provincial variation: Ontario, Québec, Alberta, and BC each have different employment standards and securities whistleblower rules.

A practical checklist for Canadian compliance:

• Document FINTRAC compliance program (policies, risk assessment, training, effectiveness review)
• Appoint a designated compliance officer with documented authority
• Establish STR filing procedures with 5-year retention for PCMLTFA-covered entities
• Complete PIA before deploying whistleblowing platform (Loi 25 / PIPEDA requirement)
• Bilingual channel documentation for federal and Québec operations
• OSFI Guideline E-13 compliance review for FRFIs

Integrate this review into your broader compliance risk assessment and our document compliance guide for a complete governance framework.

Frequently Asked Questions

Is a private Canadian company required to have an internal whistleblower channel?

There is no universal federal requirement for private companies. Obligations exist for federally regulated financial institutions (OSFI), capital markets participants (OSC, AMF QC), and PCMLTFA reporting entities (FINTRAC). Provincially, some regulated industries (e.g., Ontario securities dealers) have specific requirements. Best practice — and increasingly a contractual requirement in government procurement — is to have a documented ethics hotline.

What is FINTRAC's approach to the 5-year retention rule?

FINTRAC requires that all records related to client identification, business relationships, transactions, and STRs be retained for 5 years from the last business transaction with the client or from the date of the transaction. Electronic records must be in a format accessible to FINTRAC examiners within 30 days of a request.

Does PIPEDA require a privacy policy for the whistleblowing channel?

Yes. PIPEDA Principle 1 (Accountability) and Principle 5 (Limiting Use, Disclosure, and Retention) require that organisations have a documented privacy policy covering how they handle personal information, including information collected through whistleblowing channels. The policy should be publicly available and explain the organisation's data handling practices.

How does Loi 25 differ from PIPEDA for whistleblower data in Québec?

Loi 25 (effective September 2023) imposes stricter requirements than PIPEDA: mandatory PIA before implementing new technology, mandatory CPO appointment, and 72-hour privacy incident reporting to the CAI. Companies operating in Québec must comply with both regimes. Where Loi 25 is stricter, it applies in Québec.

Can a whistleblower receive an award under the OSC programme for reporting internally first?

Yes, under certain conditions. The OSC Whistleblower Programme allows reporting to the OSC after an internal report if the organisation has not acted on the information within a reasonable time. The 90-day clock for award eligibility can be preserved by filing a Form OSC WB-1 early, even before any internal action is completed.