Crypto and the Travel Rule: where Canadian VASPs are getting it wrong

Canadian crypto-asset service providers operate at the intersection of three regimes: securities regulation through the CSA, prudential and consumer-protection oversight in some provinces, and AML obligations under the PCMLTFA. The AML piece is where most enforcement risk now lives, and it's where program maturity varies the most across the industry.

Registration and scope

Most crypto firms dealing with the public in Canada must be registered with FINTRAC as money services businesses (MSBs) or foreign MSBs. Registration is not a one-time event: changes in services, ownership, or directors require updates, and lapsed or inaccurate registration is itself a finding that examiners look for first.

The Travel Rule in practice

The Travel Rule requires originator and beneficiary information to accompany virtual currency transfers above the threshold. In practice, three failure modes are common:

• Inbound transfers from counterparties that don't transmit required information, with no documented decisioning on whether to accept, return, or freeze.
• Outbound transfers where required fields are populated incorrectly or incompletely.
• Self-hosted wallet transfers handled inconsistently across the customer base, with no clear policy.

Large virtual currency transaction reports

Reporting obligations for large virtual currency transactions have matured, but firms still struggle with aggregation logic, 24-hour rule application, and the linkage between reportable transactions and the underlying customer record. Examiners specifically look for whether the reported data ties cleanly back to your KYC and transaction history.

Sanctions and high-risk jurisdictions

Crypto's borderless nature means sanctions exposure is constant. Address screening, jurisdictional risk scoring, and ministerial-directive compliance need to be operationalized, not handled ad hoc when something flags.

What 'good' looks like for a Canadian VASP

• A risk assessment that explicitly addresses crypto-specific typologies and is refreshed when products or counterparties change.
• An onboarding flow that captures the customer profile, source of funds, and intended activity, and ties them to ongoing monitoring rules.
• Travel Rule, large virtual currency, and STR workflows that share a single customer and transaction record, not parallel spreadsheets.
• Sanctions and jurisdictional screening that runs continuously, not only at onboarding.
• An audit trail that lets an examiner trace any reported transaction back to the customer, the decision, and the evidence.

The takeaway

The Canadian crypto compliance bar has risen meaningfully and quietly. Firms that built early, lightweight programs to satisfy registration are now finding those programs don't survive examination. The good news is that the operational pattern, connected customer record, consistent monitoring, defensible audit trail, is well understood. The work is in implementing it.