VASP compliance primer: AML and sanctions expectations for Canadian crypto firms

Canadian crypto firms operate under the same PCMLTFA regime as any other money services business, with two important additions: the Travel Rule on virtual currency transfers, and the Large Virtual Currency Transaction Report (LVCTR) at CAD $10,000. Layered on top, sanctions screening for virtual asset service providers now extends to wallet addresses, not just names. This primer is the operating manual for a Canadian VASP.

What is a VASP under Canadian law?

"VASP" is the term used by the Financial Action Task Force (FATF) for entities that deal in virtual assets. Canadian law does not use the term VASP directly. Instead, the PCMLTFA captures crypto firms as money services businesses (MSBs) where they deal in virtual currency for the public. Dealing in virtual currency includes:

• Exchanging virtual currency for fiat (and vice versa).
• Exchanging one virtual currency for another.
• Transferring virtual currency at the direction of a customer.
• Providing custody or holding accounts for virtual currency on behalf of customers.

A foreign crypto firm that directs services at Canadian customers is treated equivalently and must register with FINTRAC as a foreign MSB.

Registration with FINTRAC

Every Canadian VASP and every foreign VASP serving Canadian customers must register with FINTRAC as a money services business before its first virtual currency activity. Registration must be renewed every two years. The FINTRAC MSB guidance sets out the process. Securities regulators (CSA and provincial commissions) may impose additional registration where a virtual asset is also a security or a derivative; this primer focuses on the AML and sanctions framework.

The five PCMLTFA program pillars, as VASPs operate them

The five pillars are the same as for any reporting entity (CAMLO, risk assessment, policies and procedures, training, independent effectiveness review). Two pieces of that framework are VASP-specific in operation.

1. The risk assessment

A VASP risk assessment must explicitly cover virtual currency risk drivers: the pseudonymous nature of on-chain activity, cross-border-by-default settlement, mixing and tumbling, privacy coins, sanctioned address exposure, unhosted wallet activity, and the specific protocols and chains the VASP supports. A generic MSB risk assessment is insufficient.

2. The CAMLO’s scope

The Chief Anti-Money Laundering Officer needs working knowledge of blockchain analytics, the Travel Rule landscape, and the operational realities of unhosted-wallet due diligence. Many late-stage VASPs operate with a fractional CAMLO who specialises in crypto compliance; see the fractional CAMLO guide.

The VASP compliance stack

The three layers of a VASP compliance program, with VASP-specific items at each layer.

Reporting obligations specific to VASPs

The LVCTR is the VASP-specific report. It is filed for receipts of virtual currency at CAD $10,000 or more (single or aggregated over 24 hours) and requires the same originator and beneficiary information as the Travel Rule. Filing through FINTRAC’s F2R channels is the standard route.

The Travel Rule and virtual currency transfers

The Travel Rule under the PCMLTFA requires that originator and beneficiary information travel with a virtual currency transfer at CAD $1,000 or more. The minimum data set is:

• Originator (sender). Name, account number or unique transaction reference (the transaction hash for virtual currency), and address.
• Beneficiary (recipient). Name and account number or unique reference.
• Transfer details. Amount, virtual currency type, and timestamp.

Canada accepts compliant counterparty messaging protocols, including IVMS 101-aligned protocols such as TRP, OpenVASP, and TRISA, provided the information that ends up captured matches the regulatory minimum. The full requirements explainer is the Travel Rule primer; the most common failure modes are covered in Crypto and the Travel Rule.

Unhosted wallet due diligence

Where a counterparty wallet is unhosted (self-custodied, no VASP on the other side to message with), FINTRAC expects the Canadian VASP to conduct enhanced due diligence on the customer and on the destination wallet. Reliance on counterparty messaging that does not exist is not an acceptable substitute. Typical controls include:

• Customer attestation of unhosted wallet control (cryptographic proof of control through signed message or micro-deposit).
• Blockchain analytics screening of the destination wallet against sanctioned addresses, known mixers and tumblers, darknet markets, ransomware-associated clusters, and exchange-of-illicit-funds patterns.
• Risk-based limits on unhosted-wallet transfer size or frequency.
• Documented rationale for any unhosted transfer above a defined threshold.

Sanctions screening for VASPs

Canadian VASPs screen at three levels:

• Name-based screening. Customers, beneficial owners, and (where transferred fiat goes international) transfer parties against SEMA, JVCFOA, the UN Act regulations, and the Criminal Code listed entities. The OSFI Consolidated Lists are the practical source.
• Wallet-address screening. Every deposit and withdrawal against lists of sanctioned wallet addresses. OFAC SDN-listed crypto addresses (including the Tornado Cash-adjacent and Garantex-associated addresses) are the most actively-tracked, but Canadian VASPs should also screen against the addresses associated with Canadian-listed entities.
• On-chain exposure analysis. Blockchain analytics that surface indirect exposure to sanctioned addresses through transaction chains. Direct screening alone misses the most common evasion patterns.

Canadian VASPs that serve US-jurisdiction users or interact with US-domiciled counterparties should also screen against the OFAC SDN list. US extraterritorial sanctions enforcement reaches non-US VASPs through US correspondent banking and US dollar settlement.

The VASP technology stack

A defensible Canadian VASP technology stack covers seven capabilities:

• KYC and identity verification. Document authenticity, liveness, name and address verification, beneficial ownership.
• Sanctions and PEP name screening. Real-time at onboarding and continuously on the customer book.
• Wallet-address screening. Real-time at every deposit and withdrawal. Sanctioned address lists, mixer and tumbler lists, exchange of illicit funds patterns.
• Blockchain analytics. On-chain transaction tracing, cluster attribution, exposure scoring, and case investigation. Major providers include Chainalysis, TRM Labs, and Elliptic.
• Travel Rule messaging. An IVMS 101-aligned protocol (TRP, OpenVASP, TRISA) with counterparty discovery, secure transmission, and audit trail.
• Transaction monitoring. Rules tuned to VC-specific patterns: structuring around the LVCTR threshold, rapid in-and-out patterns, mixer/tumbler indirect exposure, sanctioned-address proximity.
• Case management. One workflow that holds alerts, blockchain analytics output, customer files, dispositions, and LVCTR and STR drafting.

In-house expertise required

A Canadian VASP at meaningful volume needs:

• CAMLO with crypto and AML experience. Named compliance officer with current PCMLTFA knowledge, working understanding of blockchain analytics, and authority to halt activity. Fractional CAMLO is the standard pattern for late-stage VASPs without in-house leadership.
• Blockchain analytics analysts. Investigators who can read on-chain activity, work with Chainalysis or equivalent tooling, and document findings for STR or LVCTR support.
• Sanctions specialist. Owns the wallet-screening engine, list updates (including OFAC SDN crypto addresses where applicable), and disposition policy.
• Counterparty due diligence lead. Owns the policy and operations for unhosted wallet transfers and counterparty VASP discovery under the Travel Rule.
• Independent reviewer. Engaged for the two-year PCMLTFA effectiveness review. Should have prior VASP examination experience.

What FINTRAC examiners look for in a VASP

The questions a current FINTRAC examination of a VASP tends to lead with:

• Walk me through how you capture and transmit Travel Rule information for a virtual currency transfer above CAD $1,000.
• Show me the wallet-screening result for a deposit from a sanctioned address and your disposition rationale.
• How do you handle an unhosted wallet withdrawal at the customer’s request, and what is the documented threshold?
• Walk me through an LVCTR filing end to end, including the underlying case file and the originator information.
• Where is the audit trail for blockchain analytics output that contributed to a closed alert?

How BriteBase helps Canadian VASPs

BriteBase’s AML Operating Platform integrates KYC, name and wallet sanctions screening, transaction monitoring, Travel Rule messaging, LVCTR and STR drafting, and the full audit trail. Compliance-as-a-Service adds a fractional CAMLO with crypto compliance experience plus a Canadian practitioner bench to run the program day to day. For VASPs with their own in-house team, the Platform tier delivers the system of record at $6,000 CAD per year. Pricing details on the pricing page.

FAQ