MSB compliance primer: AML and sanctions expectations in Canada

Money services businesses sit at the centre of Canada’s AML regime. They handle currency, cross-border value, and (for virtual currency dealers) digital assets at scale, often for customers who do not have access to traditional banking. FINTRAC examines MSBs more frequently than any other sector and, since the March 2026 increase, with materially higher Administrative Monetary Penalty (AMP) exposure on the line. This primer is the operating manual.

What is a money services business under Canadian law?

An MSB is defined in section 5(h) of the PCMLTFA and the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations. A person or entity is an MSB if it engages in any of these activities for the public:

• Foreign exchange dealing.
• Remitting or transmitting funds by any means.
• Issuing or redeeming money orders, traveller’s cheques, or similar negotiable instruments (excluding cheques payable to a named person or entity).
• Dealing in virtual currency (exchanging, transferring, or providing transfer services).

A foreign MSB that directs services at persons in Canada is treated equivalently and must register with FINTRAC as a foreign MSB.

Registration with FINTRAC

Every MSB and foreign MSB must register with FINTRAC before conducting its first activity. Registration covers all eligible activities and is renewable every two years. The FINTRAC MSB guidance sets out the application requirements. Operating without registration is itself a violation of the PCMLTFA.

The Canadian AML framework that applies to MSBs

Three layers govern MSB compliance:

1. The PCMLTFA and its regulations. Define the substantive obligations: registration, the compliance program, KYC and recordkeeping, reporting, and sanctions.
2. FINTRAC guidance and notices. Operational interpretation of the regulations: compliance program requirements, sector guidance, and the AMP policy.
3. Bill C-12 and the new effectiveness standard. A compliance program must now be reasonably designed, risk-based and effective. We covered the standard in detail in our Bill C-12 guide. The practical implication for MSBs: examiners now test outcomes, not just whether policies exist.

The five PCMLTFA program pillars, as MSBs operate them

FINTRAC examines every MSB against five program pillars. Each one has MSB-specific operational expectations.

• Compliance officer (CAMLO). A named, qualified Chief Anti-Money Laundering Officer with documented authority and a reporting line that does not run through the customer-facing business. For lean MSBs, a fractional CAMLO is the standard pattern; we covered the role in the fractional CAMLO guide.
• Risk assessment. A written ML/TF risk assessment that reflects the MSB’s products (remittance, FX, money orders, virtual currency), customer base, geographic exposure, and channels. The risk assessment is the document examiners read first. It must drive control calibration, not sit on a shelf.
• Policies and procedures. Written and version-controlled, covering: customer identification, KYC and beneficial ownership, ongoing monitoring, sanctions and PEP screening, suspicious activity escalation, reporting, recordkeeping, and training.
• Training program. Role-based, evidenced by completion records, and refreshed on a defined cadence. Frontline staff need different training than the CAMLO. Training must produce detectable behavioural change in alerts and escalations.
• Independent effectiveness review. Conducted at least every two years by a party genuinely independent of the operating program, with findings tracked to closure.

The MSB compliance stack

The three layers of an MSB compliance program, and what each must cover, in one view.

Reporting obligations specific to MSBs

The reports FINTRAC expects from an MSB, with thresholds and deadlines:

Reports are filed electronically via FINTRAC’s F2R reporting channels (the F2R API for high-volume integration, or the FINTRAC Web Reporting System for lower volumes). The compliance program must specify which channel is used and how filings are reconciled with the underlying case file.

KYC, beneficial ownership, and identification thresholds

Identification triggers for MSBs are tighter than for many other reporting entities. The key thresholds:

• Currency exchange. Identify the customer for any transaction of CAD $1,000 or more.
• Money transfer / remittance. Identify the customer for any transfer at CAD $1,000 or more, including the originator and beneficiary fields required by the Travel Rule.
• Issuance of negotiable instruments. Identify the customer for CAD $3,000 or more.
• Virtual currency transfer. Identify the customer at CAD $1,000 or more, with originator and beneficiary information transmitted under the Travel Rule (see our Travel Rule requirements primer).
• Account-style relationships. Identify on account opening, regardless of transaction value, and confirm beneficial ownership where the customer is a legal entity.

The 24-hour aggregation rule applies: multiple transactions by or on behalf of the same person within 24 hours that together meet a threshold are treated as a single transaction.

Sanctions screening expectations

MSBs must screen customers, transactions, and beneficial owners against Canadian sanctions lists at onboarding and on a continuous basis. The required lists include:

• Special Economic Measures Act (SEMA) regulations, country by country (Russia, Belarus, Iran, others). Maintained by Global Affairs Canada.
• Justice for Victims of Corrupt Foreign Officials Act (JVCFOA) listings.
• United Nations Act regulations implementing UNSC sanctions.
• Criminal Code listed entities (terrorist entities) under sections 83.05 and following.
• OSFI Consolidated Lists. Operationally, the OSFI consolidated lists are the most practical source covering UN, SEMA, and Criminal Code listings in a single dataset.

MSBs serving customers exposed to US-jurisdiction activity should additionally consider OFAC SDN screening, since US extraterritorial sanctions enforcement can affect Canadian counterparty relationships.

The MSB technology stack

A defensible MSB technology stack covers six capabilities. Off-the-shelf or built in-house, they must integrate end to end:

• Digital onboarding and KYC. Document authenticity, liveness, name and address verification, beneficial ownership capture.
• Sanctions and PEP screening. Real-time at onboarding and on a continuous basis. Fuzzy matching, false-positive disposition workflow, audit trail of every hit and decision.
• Customer risk rating. Risk model that reflects product, geography, channel, occupation, and behaviour. Documented logic and refresh cadence.
• Transaction monitoring. Rule-based scenarios for the MSB’s actual products: structuring, threshold avoidance, velocity, remittance corridor risk, FX behaviour outliers. Increasingly layered with ML-based anomaly detection (see our AI and AML primer).
• Case management. One workflow for alert triage, investigations, escalation, STR drafting, and disposition with a defensible audit trail.
• FINTRAC reporting integration. Automated population and filing of STR, LCTR, EFTR, and LVCTR via F2R, with reconciliation back to the case record.

In-house expertise required

The minimum competent team for a Canadian MSB at modest volume:

• CAMLO. Named compliance officer with current Canadian PCMLTFA knowledge and the authority to halt activity. Many MSBs without in-house capacity engage a fractional CAMLO.
• One or more compliance analysts. Frontline triage of screening hits and transaction monitoring alerts, customer due diligence, and report drafting.
• Independent reviewer. A party with no operational involvement, engaged for the two-year effectiveness review. Often external.
• Operational backstop. Frontline staff trained to escalate, not adjudicate.

At higher volume (multi-channel remittance, large currency exchange operations, or VC dealer activity), additional dedicated investigators, a sanctions specialist, and a regulatory affairs lead are typical.

What FINTRAC examiners look for

The questions a current FINTRAC examination tends to lead with, applied to MSBs:

• Show me the current risk assessment and when it was last refreshed.
• Walk me through a sample of recent STRs and the underlying case files.
• How are sanctions hits disposed of, with what rationale, and by whom?
• Show me the training records for the past 12 months.
• Where is the audit trail for an alert that was closed without filing a report?
• What did the last independent effectiveness review surface, and how is each finding tracked to closure?

An MSB program that can answer those six questions inside a working day is materially harder to fine under the new AMP ceilings. Our audit-ready playbook covers the operational habits in more detail.

How BriteBase helps MSBs

BriteBase pairs the AML Operating Platform with a Canadian fractional CAMLO and practitioner bench, sold together as Compliance-as-a-Service. For Canadian MSBs without an in-house compliance team, the Managed AML tier covers the five pillars, the technology stack, and operational delivery on one predictable annual cost. For MSBs with their own compliance officer, the Platform tier provides the system of record at $6,000 CAD per year.

FAQ