KYC for Payment Service Providers in Canada: FINTRAC, PCMLTFA and OSFI 2026

Payment service providers (PSPs) operating in Canada are subject to anti-money laundering (AML) and counter-terrorist financing (CTF) obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), enforced by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). Federally regulated financial institutions — chartered banks, federal trust companies — are additionally supervised by the Office of the Superintendent of Financial Institutions (OSFI), which has published AML/ATF guidelines that inform best-practice KYC standards across the industry. In 2026, the Canadian regulatory landscape for PSPs is also evolving with new privacy requirements under Bill C-26 (cybersecurity) and the ongoing modernization of the PCMLTFA through regulatory amendments effective June 2024.

This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for your specific situation.

Which PSPs Are Subject to KYC Requirements in Canada?

The PCMLTFA defines specific categories of Reporting Entities among PSPs:

Since June 2021, Foreign Money Services Businesses (FMSBs) — PSPs incorporated outside Canada that direct their services at Canadians — must also register with FINTRAC under amended PCMLTFA regulations. This extraterritorial reach is a distinctive feature of the Canadian regime.

The Retail Payment Activities Act (RPAA), implemented in 2024-2025, introduced a new regulatory framework administered by the Bank of Canada for payment service providers conducting retail payment activities. PSPs subject to the RPAA must register with the Bank of Canada separately from FINTRAC registration.

The Regulatory Framework: PCMLTFA, FINTRAC, and OSFI Guidelines

Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) The PCMLTFA is Canada's primary AML/ATF legislation. It requires reporting entities — including MSBs and FMSBs — to: implement a written compliance program, identify and verify clients, keep records, and report certain transactions and suspicious activities to FINTRAC. Significant amendments came into force in 2024, including enhanced beneficial ownership requirements for MSBs and updated thresholds for virtual currency transactions. Source: PCMLTFA, justice.gc.ca

FINTRAC FINTRAC is Canada's financial intelligence unit and AML/ATF regulator. It receives and analyses transaction reports, conducts examinations of reporting entities, and can impose administrative monetary penalties (AMPs). FINTRAC publishes detailed guidance on compliance obligations for each sector including MSBs and FMSBs. Source: FINTRAC, fintrac-canafe.gc.ca

OSFI AML/ATF Guideline (Guideline B-8) OSFI's Guideline B-8 sets out supervisory expectations for federally regulated financial institutions' AML/ATF programs. While OSFI does not supervise non-bank PSPs, its guidelines on KYC, risk assessment, and transaction monitoring represent the de facto best-practice standard across the industry. Source: OSFI Guideline B-8, osfi-bsif.gc.ca

PIPEDA and Privacy The Personal Information Protection and Electronic Documents Act (PIPEDA) — and the newer Consumer Privacy Protection Act (CPPA) once fully enacted — governs how PSPs may collect, use, and retain personal information gathered during KYC processes. PSPs must ensure their KYC data flows comply with PIPEDA consent requirements and data minimization principles. Source: PIPEDA, priv.gc.ca

For an overview of KYC/AML compliance obligations, see our AMLD6 compliance guide for obliged entities.

KYC Requirements for Canadian PSPs: FINTRAC Obligations

Client Identification and Verification

Under the PCMLTFA Regulations, MSBs must ascertain the identity of clients for transactions at or above CAD $1,000 (for foreign currency exchange and money transfer transactions). For virtual currency transactions, the threshold is at or above CAD $1,000 per transaction.

Acceptable identification documents for individuals in Canada:

FINTRAC's two-source rule for non-face-to-face verification: when verifying identity remotely, PSPs must use a combination of two independent and reliable sources — for example, a credit file check plus a government-issued document.

For legal entity customers, PSPs must:

• Obtain the entity's name, address, and incorporation number
• Identify its beneficial owners: individuals who directly or indirectly own or control 25% or more of the entity
• Review the entity's articles of incorporation or similar constituting documents

Since June 2024 PCMLTFA amendments, MSBs must obtain beneficial ownership information for all legal entity clients and take reasonable measures to verify it.

Enhanced Due Diligence: High-Risk Cases

FINTRAC guidance and PCMLTFA Regulations identify high-risk situations requiring enhanced measures:

Canada's politically exposed person (PEP) rules are defined under 9.3(1) of the PCMLTFA and cover: heads of state, politicians (MPs, senators, MLAs), senior military officials, senior judicial officials, senior public servants, senior officials of state-owned enterprises, and officials of international organizations — along with their family members and close associates.

Ongoing Monitoring Requirements

MSBs and PSPs must continuously monitor their business relationships to detect suspicious activity:

FINTRAC Reporting Obligations

Suspicious Transaction Reports (STRs)

PSPs must file a Suspicious Transaction Report (STR) with FINTRAC when they have reasonable grounds to suspect that a transaction — completed or attempted — is related to money laundering or terrorist financing. Key features:

• No minimum threshold: an STR must be filed regardless of amount
• Filing deadline: within 3 business days (30 days for certain other reports) after forming the suspicion
• Confidentiality: the client must not be told that an STR was filed ("no tipping off" under PCMLTFA s. 8)
• Safe harbour: PSPs acting in good faith in filing STRs are protected from civil liability

Source: FINTRAC STR guidance

Large Cash Transaction Reports (LCTRs)

PSPs must file an LCTR within 15 days of receiving CAD $10,000 or more in cash (or equivalent) in a single transaction or within 24 consecutive hours.

Large Virtual Currency Transaction Reports (LVCTRs)

Since 2021, PSPs dealing in virtual currency must file an LVCTR within 5 business days of receiving virtual currency valued at CAD $10,000 or more in a single transaction or within 24 consecutive hours.

Source: FINTRAC LVCTR guidance

FINTRAC Penalties for Non-Compliance

FINTRAC can impose Administrative Monetary Penalties (AMPs) for violations:

• Non-willful violations: up to CAD $1 million per violation
• Willful violations: up to CAD $2 million per violation
• Serious violations (including systematic failure to report STRs): higher AMPs with named-entity publication
• Criminal prosecution (for operating without FINTRAC registration): up to 5 years imprisonment

FINTRAC publishes AMPs issued to reporting entities. Notable enforcement actions include penalties in the millions of dollars for banks and large PSPs with systemic compliance failures.

Automating KYC for Canadian Payment Service Providers

Automated document verification is critical for Canadian PSPs processing high volumes of client onboarding. CheckFile delivers:

• Verification of Canadian passports, provincial driver's licences, and permanent resident cards under FINTRAC CIP standards
• Remote two-source identity verification for digital onboarding (credit file + document)
• Automated beneficial ownership identification for legal entity clients
• Sanctions screening against the Canadian Consolidated List, OFAC SDN, and UN consolidated list
• FINTRAC-compliant audit trails retained for five years minimum

To strengthen your risk-based approach to AML customer segmentation, CheckFile assigns risk indicators adapted to the Canadian regulatory context — PEP classification per PCMLTFA definitions, FATF jurisdiction risk, and virtual currency exposure. See our pricing guide for API access options.

Frequently Asked Questions

Does a foreign PSP serving Canadian clients need to register with FINTRAC?

Yes, if the foreign PSP conducts money services business activities directed at Canadians — including virtual currency exchange, remittance, or payment processing — it is classified as a Foreign Money Services Business (FMSB) and must register with FINTRAC. Operating without registration is a criminal offence under PCMLTFA s. 65.

How does the Retail Payments Oversight Framework (RPAA) relate to FINTRAC registration?

They are separate regulatory regimes. FINTRAC registration under PCMLTFA addresses AML/ATF obligations. Registration under the RPAA with the Bank of Canada addresses operational and systemic risk oversight for retail payment activities. A PSP may need to comply with both, depending on its activities.

What is the difference between a PEFP and a PEDP under Canadian law?

A Politically Exposed Foreign Person (PEFP) is a senior government official of a foreign state. A Politically Exposed Domestic Person (PEDP) is a senior Canadian official (federal or provincial). Both require enhanced due diligence, but PEFPs are considered higher risk and require mandatory senior management approval for the business relationship.

Are virtual currency PSPs regulated differently in Canada?

Virtual currency dealers (exchanges, virtual currency money services businesses) are explicitly captured under the PCMLTFA since 2014 and 2021 amendments. They must register with FINTRAC, implement full AML/ATF programs, and meet LVCTR reporting obligations. FINTRAC has specifically stated that DeFi platforms directing services at Canadians may also be captured.

What records must Canadian PSPs keep, and for how long?

PSPs must keep client identification records, transaction records, and compliance records for a minimum of 5 years from the date the record was created or the transaction occurred. Electronic records must be accessible in a readable format throughout the retention period.