Neobank and Digital Bank KYC/AML Compliance in Canada 2026: FINTRAC and PCMLTFA Guide
Complete guide to KYC and AML compliance for Canadian neobanks and digital banks in 2026: PCMLTFA obligations, FINTRAC reporting thresholds, MSB registration, PIPEDA data requirements, and how to build a compliant onboarding programme.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokCanadian neobanks and digital banks face the same AML and KYC obligations as federally chartered Schedule I banks โ but most operate as Money Services Businesses (MSBs) regulated under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) (S.C. 2000, c. 17), supervised by FINTRAC (Financial Transactions and Reports Analysis Centre of Canada). The 2024 amendments to the PCMLTFA strengthened beneficial ownership reporting requirements and made clear that neobanks operating as MSBs are subject to the full suite of FINTRAC obligations. Enforcement is real: FINTRAC fined TD Bank CAD $9.2 million in 2020, Desjardins CAD $1.1 million in 2024, and National Bank CAD $200,000 in 2023.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.
For broader guidance on structuring KYC workflows in financial services, see how Canadian banks approach customer onboarding.
The Regulatory Framework for Neobanks in Canada
The compliance architecture for a Canadian neobank depends on its regulatory status. Most digital-only banks and fintech lenders operate as Money Services Businesses (MSBs) under the PCMLTFA โ not as Schedule I, II, or III banks under the Bank Act. A smaller number partner with Schedule I or II banks (e.g., Peoples Bank, Canadian Western Bank) under Banking-as-a-Service (BaaS) arrangements, in which the bank holds the prudential licence from OSFI (Office of the Superintendent of Financial Institutions) and the neobank operates the customer-facing layer.
| Entity type | Primary regulator | AML supervisor | Prudential supervisor |
|---|---|---|---|
| Schedule I/II bank | OSFI | FINTRAC | OSFI |
| Money Services Business (neobank) | FINTRAC (MSB registration) | FINTRAC | N/A (no deposit insurance) |
| BaaS partnership model | OSFI (bank) + FINTRAC (MSB) | FINTRAC | OSFI (sponsor bank) |
| Credit union (provincial) | FSRA (Ontario), BCFSA (BC), ARCU (QC) | FINTRAC | Provincial regulator |
FINTRAC is Canada's Financial Intelligence Unit and AML/ATF regulator under PCMLTFA, operating at fintrac-canafe.gc.ca. The full text of the PCMLTFA is available at laws-lois.justice.gc.ca.
FINTRAC MSB Registration: A Mandatory First Step
Every neobank providing money services โ including foreign exchange dealing, funds transfer, issuing or redeeming money orders, or dealing in virtual currencies โ must register with FINTRAC as an MSB before providing those services. Registration is done online through the FINTRAC portal. Failure to register is a violation of PCMLTFA s.54 and can result in administrative monetary penalties.
Well-known Canadian neobanks including Neo Financial, KOHO, EQ Bank, and Wealthsimple all operate under FINTRAC oversight, in some cases holding both MSB registration and a deposit-taking arrangement through a Schedule I bank partner.
OSFI's Role for Federally Chartered Institutions
For neobanks that are or aspire to be federally chartered banks, OSFI acts as the prudential regulator. OSFI does not supervise AML compliance directly (that is FINTRAC's mandate), but OSFI Guideline E-13 (Legislative Compliance Management) requires federally regulated financial institutions to maintain a board-approved compliance management framework that integrates AML obligations.
KYC Requirements for Digital Onboarding in Canada
Canadian neobanks operating as MSBs must verify customer identity under Part 1, Division 5 of the PCMLTFA Regulations. For retail customers, the core obligation is to verify identity before providing the service โ not after account opening.
Acceptable Identity Documents
The PCMLTFA Regulations prescribe three methods for individual identity verification:
- Government-issued photo ID method: present a single piece of government-issued photo identification such as a Canadian passport, provincial driver's licence, or provincial ID card
- Credit file method: confirm identity against a credit file from an eligible credit bureau (Equifax or TransUnion) that has been active for at least three years
- Dual-process method: combine two different reliable documents or data sources (e.g., driver's licence plus a utility bill)
For digital onboarding without an in-person agent, the dual-process method or a combination of document upload with a credit bureau check is the most practical approach for MSBs. FINTRAC's 2024 guidance on neobanks operating as MSBs explicitly addresses fully digital onboarding scenarios and requires that identity verification produce results equivalent to the in-person standard.
| Customer type | Documents required |
|---|---|
| Individual | Canadian passport, provincial driver's licence, or provincial identity card (photo ID method); or credit file + one reliable document (dual-process method) |
| Corporation | Certificate of Incorporation (Corporations Canada) or provincial equivalent; corporate registry search |
| Trust | Trust agreement; identification of trustees and all beneficial owners |
| Partnership | Partnership agreement; identification of partners |
The Social Insurance Number (SIN) is the Canadian equivalent of a national identification number. PCMLTFA compliance does not require neobanks to collect SINs, but SIN collection is required for tax reporting purposes under the Income Tax Act. MSBs should ensure SIN data is handled in accordance with CRA guidance and PIPEDA consent requirements.
Certificates of Incorporation issued by Corporations Canada are the Canadian equivalent of UK Companies House certificates. Provincial equivalents include certificates from Ontario's OnCorp system, the Registre des entreprises du Quรฉbec (REQ), and equivalents in all other provinces.
Beneficial Ownership Verification
The 2024 PCMLTFA amendments significantly strengthened beneficial ownership requirements for MSBs. When a neobank onboards a corporate or entity customer, it must now:
- Identify all beneficial owners holding 25% or more of shares or voting rights
- Take reasonable measures to verify the identity of each beneficial owner
- Obtain and record the ownership structure of the entity, including any intermediate holding companies
- Refresh beneficial ownership information when the business relationship changes materially
For a complete guide to beneficial ownership verification, see the AMLD6 beneficial ownership verification guide.
FINTRAC Reporting Obligations
FINTRAC reporting is structured around three mandatory report types, each with distinct triggers and filing timelines.
Large Cash Transaction Reports (LCTRs)
A neobank must file an LCTR with FINTRAC when it receives CAD $10,000 or more in cash in a single transaction or in two or more transactions totalling $10,000 or more within 24 consecutive hours, if the neobank has knowledge that the transactions were made by or on behalf of the same person or entity.
LCTRs must be filed within 15 calendar days of the transaction. In practice, neobanks operating as digital-only MSBs have limited cash exposure โ but cash-out transactions via BaaS partner ATM networks, or receipt of cash deposits through partner retail networks, are captured by the LCTR obligation.
Electronic Funds Transfer Reports (EFTRs)
An EFTR must be filed when an MSB sends or receives an electronic funds transfer of CAD $10,000 or more internationally. This directly captures remittance neobanks and cross-border payment platforms. Like LCTRs, EFTRs must be filed within 5 business days.
Suspicious Transaction Reports (STRs)
STRs have no monetary threshold. A neobank must file an STR when there are reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering or terrorist activity financing. The grounds for suspicion must be documented. FINTRAC's published indicators of suspicious activity provide a reference framework for transaction monitoring calibration.
The obligation to consider filing arises when suspicion is formed โ delay in STR filing is itself a compliance failure.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotPIPEDA and Privacy Law Requirements for KYC Data
Customer identity data collected during KYC onboarding is personal information subject to Canada's privacy regime. The applicable legislation depends on the province where the customer resides.
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies federally and requires:
- Meaningful consent before collecting, using, or disclosing personal information
- Data minimisation: collect only what is necessary for the identified purpose
- Retention limits: destroy or de-identify personal information when no longer required for compliance purposes
- Breach notification to the Office of the Privacy Commissioner of Canada (priv.gc.ca) and affected individuals when a breach creates a real risk of significant harm
Quebec's Loi 25 (Loi modernisant des dispositions lรฉgislatives en matiรจre de protection des renseignements personnels, 2021) applies stricter standards to neobanks processing Quebec residents' data:
- Mandatory breach notification to the Commission d'accรจs ร l'information (CAI) within 72 hours
- Privacy impact assessments for new technology-based processing (including AI-driven document verification)
- Right to data portability for individuals
- Appointment of a privacy officer
Alberta's PIPA and British Columbia's PIPA impose similar private-sector requirements in those provinces.
Provincial Regulatory Variations
FINTRAC oversight is federal and applies uniformly. However, neobanks operating in specific provinces must also be aware of provincial financial regulators.
Ontario: The Financial Services Regulatory Authority (FSRA) oversees credit unions and some fintech activities, including mortgage brokering. Ontario-chartered neobanks or credit unions must maintain FSRA compliance alongside FINTRAC.
Quebec: The Autoritรฉ des marchรฉs financiers (AMF Quรฉbec) regulates securities dealers, insurers, and mortgage brokers. Some neobank products โ particularly investment accounts or insurance-linked savings products โ require AMF authorisation in addition to FINTRAC registration.
British Columbia: The BC Financial Services Authority (BCFSA, formed from the merger of FICOM) oversees credit unions and some MSB activities in BC.
Common Compliance Failures and FINTRAC Enforcement
FINTRAC's enforcement record against neobanks and traditional institutions provides clear signals about where compliance programmes typically fail.
| Failure type | FINTRAC response | Amount |
|---|---|---|
| Inadequate AML/ATF policies and procedures | AMPs + corrective action plan | TD Bank: CAD $9.2M (2020) |
| Incomplete beneficial ownership identification | AMPs | Desjardins: CAD $1.1M (2024) |
| Deficient STR processes | AMPs | National Bank: CAD $200K (2023) |
| Failure to register as MSB | Criminal referral possible | Various |
FINTRAC administrative monetary penalties (AMPs) under PCMLTFA s.73.1 can reach CAD $1,000 per violation for minor violations, up to CAD $100,000 per violation for serious violations, and up to CAD $500,000 for very serious violations. Repeated or wilful violations attract the highest penalties.
Building a Compliant Neobank Programme
A compliance programme for a Canadian neobank must be documented, risk-based, and operationally integrated โ not a theoretical framework that exists only in a policy binder.
Required Programme Components
Compliance officer appointment: The PCMLTFA Regulations require MSBs to appoint a compliance officer responsible for implementing the compliance programme. The officer must have the authority and resources to discharge this responsibility.
Written compliance policies and procedures: The programme must be documented in writing and cover: customer identification, record-keeping, report filing, transaction monitoring, employee training, and the effectiveness review process.
Risk assessment: An enterprise-wide ML/TF risk assessment must identify the specific risks presented by the neobank's customer base, products, delivery channels, and geographic exposure. The risk assessment should be reviewed at least every two years and updated when material changes occur.
Employee training: All employees and agents involved in customer-facing activities or transaction processing must receive training appropriate to their role. Training records must be maintained.
Effectiveness review: The compliance programme must be reviewed for effectiveness at least every two years by an internal or external reviewer.
Record retention: PCMLTFA s.24 requires records to be kept for at least five years from the date of the transaction or business relationship. Records must be accessible to FINTRAC within 30 days of a written request.
Technology and Verification Infrastructure
Digital onboarding at scale requires automated verification infrastructure that can apply consistent CDD standards across every customer interaction. Manual review alone cannot sustain the volume, speed, or consistency that FINTRAC's programme requirements demand.
CheckFile's banking KYC solutions support verification of Canadian provincial driver's licences, passports, Certificates of Incorporation from Corporations Canada and all provincial registries, and supporting documents used in the dual-process identity verification method. Coverage spans 3,200+ document types across 32 jurisdictions.
Data security for KYC infrastructure must meet PIPEDA and (where applicable) Loi 25 requirements. CheckFile's security architecture is designed to satisfy financial institution data protection requirements. For programme planning and pricing, see CheckFile pricing.
Frequently Asked Questions
What is the difference between FINTRAC and OSFI for neobanks?
FINTRAC supervises AML/ATF compliance for all reporting entities under the PCMLTFA, including neobanks operating as MSBs. OSFI is the prudential regulator for federally chartered banks, trust companies, and insurance companies. Most neobanks in Canada are MSBs, not federally chartered banks, so they are subject to FINTRAC oversight but not OSFI prudential supervision. If a neobank holds deposits through a BaaS arrangement with a Schedule I bank, the sponsor bank is OSFI-supervised and carries prudential responsibility for the deposited funds.
Does a Canadian neobank need to file Suspicious Transaction Reports even for small transactions?
STRs have no monetary threshold under the PCMLTFA. An STR must be filed whenever there are reasonable grounds to suspect that a transaction โ of any amount โ is related to money laundering or terrorist activity financing. The decision to file is based on suspicion, not the value of the transaction. FINTRAC published a list of indicators of suspicious activity to help MSBs calibrate their transaction monitoring programmes.
How does PIPEDA apply to KYC data collected during neobank onboarding?
Personal information collected during KYC onboarding is subject to PIPEDA federally and to provincial privacy laws where applicable. Neobanks must obtain meaningful consent before collecting identity documents and related data, use that data only for the identified compliance purpose, and implement appropriate safeguards. In Quebec, Loi 25 additionally requires breach notification to the CAI within 72 hours and privacy impact assessments for high-risk automated processing. The Office of the Privacy Commissioner of Canada provides guidance at priv.gc.ca.
What documents are required to verify a Canadian corporation under PCMLTFA?
To verify a Canadian corporation, an MSB must confirm the corporation's existence using a government-issued document such as a Certificate of Incorporation from Corporations Canada or a provincial registry equivalent. The neobank must also identify all beneficial owners holding 25% or more by obtaining and verifying the ownership and control structure. Where beneficial owners cannot be identified through the corporate registry, the neobank must take reasonable measures including requesting a written declaration from an officer of the corporation.
What FINTRAC reporting thresholds apply to cross-border payments?
Electronic Funds Transfer Reports must be filed for international transfers of CAD $10,000 or more. This threshold applies to each transfer individually, or to two or more transactions conducted within 24 consecutive hours by or on behalf of the same person that together total $10,000 or more. Large Cash Transaction Reports apply the same $10,000 threshold to cash transactions. Neither threshold applies to Suspicious Transaction Reports, which are triggered by suspicion regardless of amount.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.