FINTRAC identity verification methods: the accepted ways to verify identity in Canada
FINTRAC does not let a reporting entity verify identity any way it likes. It sets out specific accepted methods, and an examiner will ask which one you used and whether you can evidence it. This guide explains each accepted method, when it applies, and how AI-powered identity verification maps onto the rules rather than around them.
Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), FINTRAC sets out the methods a reporting entity may use to verify the identity of a person, and you have to use one of them. The methods are not interchangeable with whatever a vendor happens to offer. This guide walks through each accepted method, when it fits, and where modern AI-powered verification sits within the rules.
Why the method matters
Identity verification is the foundation of a FINTRAC compliance program. If the method is wrong, or applied incorrectly, every downstream control inherits the weakness, and an examiner who finds it will treat onboarding as unreliable. Since Bill C-12 came into force in March 2026, the standard is explicit: a program has to be reasonably designed, risk-based, and effective. A method that technically exists on paper but does not confirm a real, present human will not meet that test. For the wider framework, see the Bill C-12 compliance guide.
The government-issued photo identification method
The most common method for remote onboarding. The reporting entity confirms that an authentic, valid, and current government-issued photo identity document belongs to the person, and that the person is who they claim to be. The document has to be issued by a federal, provincial, or territorial government, and the entity has to be satisfied the document is authentic and that the person in front of it is the document holder.
This is where AI-powered verification lives. Facial recognition matches the live selfie to the photo on the document, passive liveness confirms the person is real and present, document checks confirm the ID is authentic, and deepfake detection screens out a generated face before it ever becomes an account. None of that changes the legal method; it is a stronger, recorded way of applying it.
The credit file method
The reporting entity verifies identity by referring to information in a credit file that has existed for at least three years, held by a Canadian credit bureau, and confirms the name, address, and date of birth match. The credit file has to be consulted at the time of verification, and the information has to correspond to what the customer provided.
The credit file method confirms that a consistent record exists. It does not, on its own, confirm that the live human applying is the person the record describes, which is why it is often paired with a document or biometric check in higher-risk flows. A credit file is also exactly what a synthetic identity is engineered to build, so relying on it alone is a known weak point.
The dual-process method
Where a photo document or a usable credit file is not available, the dual-process method verifies identity by referring to information from two different reliable and independent sources. Each source has to confirm at least two of: the person's name, their address, and their date of birth, drawn from sources such as a government record, a utility statement, or a financial account, with specific combinations required.
The dual-process method is more administrative and is common where biometric capture is not practical. Whatever the sources, they have to be reliable, independent of each other, and recorded, and the combination has to meet FINTRAC's requirements rather than simply being two documents.
Other accepted approaches
FINTRAC also recognises reliance on the verification done by an affiliate or another reporting entity in defined circumstances, and the use of an agent or mandatary to carry out verification on the entity's behalf. In both cases the responsibility for getting it right, and for keeping the record, stays with the reporting entity. Reliance is a way to avoid duplicating work, not a way to outsource the obligation.
The method is not the evidence
Choosing an accepted method is the first step. The part that survives an examination is the evidence that you applied it correctly: which method, what was checked, what the result was, who decided, and the record retained for the required period. This is the difference between a program that looks compliant and one that is. Modern verification software helps precisely because it records this automatically for every customer, producing the examiner-ready file as a by-product of onboarding. That is the model behind BriteBase identity verification software, and the supporting controls run through document verification and screening. Terms used here are defined in the AML and KYC glossary.
How to choose the right method
For digital-first firms onboarding customers remotely, the government-issued photo ID method applied with facial recognition and liveness is usually the strongest fit: it confirms the live human, it scales, and it records itself. The credit file and dual-process methods remain useful fallbacks where biometric capture is not available or the risk profile calls for corroboration. The right answer is risk-based, which is exactly the standard FINTRAC now holds you to.
FAQ
What methods does FINTRAC accept to verify identity?
FINTRAC accepts several methods, the most common being the government-issued photo identification method, the credit file method, and the dual-process method. It also recognises reliance on an affiliate or another reporting entity, and the use of an agent or mandatary. A reporting entity has to use an accepted method and record which one it used.
What is the government-issued photo ID method?
It verifies identity by confirming that an authentic, valid, and current government-issued photo identity document belongs to the person, and that the person is who they claim to be. AI-powered facial recognition with liveness, matched to an authentic document, is a modern way of applying this method, because it confirms the live human and records the decision.
Does FINTRAC require liveness or biometric verification?
FINTRAC does not mandate a specific technology by name. It requires the verification to be done by an accepted method and, under Bill C-12, for the program to be reasonably designed, risk-based, and effective. For remote onboarding, liveness and facial recognition are how firms show the chosen method actually confirms a real, present person.
Is a credit check enough to verify identity for FINTRAC?
The credit file method is an accepted method on its own when its conditions are met, including a credit file that has existed for at least three years. However, a credit file confirms a record exists, not that the live applicant is that person, so higher-risk flows often pair it with a document or biometric check. Synthetic identities are specifically built to pass credit checks.
What is the dual-process method?
The dual-process method verifies identity using information from two different reliable and independent sources, each confirming at least two of the person's name, address, and date of birth, in combinations FINTRAC specifies. It is used where a photo document or usable credit file is not available.
How long do you have to keep identity verification records?
Reporting entities have to keep records of how identity was verified, including the method used and the information relied on, for the retention period FINTRAC sets, and be able to produce them on request. Keeping the evidence is as important as choosing the method, because an examination tests the record, not the intention.
Sources
Apply the right method, and evidence it.
Book a demo and we will show you how BriteBase applies the government-issued photo ID method with facial recognition and liveness, and records every decision for an examiner. No retainers. No hourly rates.