AML Compliance Guidelines: Canada

Canada is a high-income, developed country with abundant resources. It ranks as the 10th largest country in the world by GDP and the second largest by land area.

According to the National Risk Assessment of Canada, criminal activity generates billions of dollars in illicit proceeds annually, fueling money laundering. Canada’s open economy, broadly accessible and sophisticated financial system, extensive coastline and land border, sizeable immigrant population, and cross-border payments create opportunities for criminal exploitation.

Canada has implemented a strong anti-money laundering and anti-terrorism financing (AML/ATF) framework to address these risks and protect its financial system and reputation.

Overview of the AML/ATF Regulatory Framework

Canada’s AML regulatory framework is overseen by FINTRAC, the financial intelligence unit, and governed by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). This legal instrument mandates applying a risk-based approach to AML compliance in accordance with the FATF recommendations.

Regulatory Authorities

Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)

Canada’s FINTRAC assumes the dual role of a financial intelligence unit and the anti-money laundering and anti-terrorist financing supervisor. It facilitates Canada’s efforts to counter terrorism financing, money laundering, and sanctions evasion. It monitors and ensures the reporting entities are compliant with obligations mandated by Canada AML regulations; in doing so, it issues guidelines, interpretive notes, and instructions to the reporting entities and imposes administrative monetary penalties in case of any violations. As a financial intelligence unit of Canada, it also collects, analyzes, and disseminates reports of suspicious transactions to the investigative authorities to clamp down on risks of serious and organized crimes in the country.

 Royal Canadian Mounted Police (RCMP)

The Royal Canadian Mounted Police (RCMP) ‘s role in implementing the AML framework in Canada is mainly linked to property seizure, property restraint, and investigations of suspected cases of money laundering and terrorism financing. In addition, AML/ATF legislation requires reporting entities to submit terrorist property reports to the RCMP and the Canadian Security Intelligence Service (CSIS).

Office of the Superintendent of Financial Institutions (OSFI)

OSFI is the prudential regulator of Canada and supervises more than 400 federal financial institutions, including banks, life insurance, pension funds, mortgage, and finance companies. Although OSFI is not directly linked with AML compliance supervision, reports of FINTRAC citing a lack of AML control may trigger OSFI’s examination of the financial institutions’ overall compliance culture and financial health and soundness. In addition, OSFI has a limited role in monitoring sanctions compliance for federally regulated financial institutions. OSFI-regulated FIs must submit monthly reports to OSFI anything related to the names present in:

• Justice for Victims of Corrupt Foreign Officials Regulations
• Regulations Establishing a List of Entities

Key AML Laws in Canada

Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)

The PCMLTFA establishes the foundation for Canada’s efforts to detect and deter money laundering and terrorist financing and paves the way for the investigation and prosecution of verified cases linked to these crimes. It contains provisions mandating that financial and non-financial sectors meet requirements like client identification, record-keeping, and reporting suspicious transactions. Additionally, the PCMLTFA establishes FINTRAC and supports fulfilling Canada’s international commitments to fight transnational crimes, especially money laundering and terrorist financing.

Reporting Entities (REs) under PCMLTFA in Canada

• Financial Entities
  • Banks
  • Fintechs
  • Payment Service Providers
  • Money Services Businesses (MSBs)
  • Money Exchange
  • Dealers in Virtual Currencies
  • Life Insurance
  • Crowdfunding Platforms
  • Factoring Companies
  • Mortgage Companies
  • Finance Companies
  • Leasing Companies
  • Securities Dealers
• Armored Cars
• Casinos
• British Columbia Notaries
• Dealers in Precious Metals and Precious Stones
• Accountants and Accounting Firms
• Real Estate Brokers, Sales Representatives, and Real Estate Developers

Key obligations under PCMLTFA

AML Compliance Program

To meet the obligations of AML regulations and Ministerial Directives, every reporting entity must develop and implement an AML compliance program. This FINTRAC compliance program should consist of six mandatory elements:

• Appointment of a compliance officer to implement the compliance program
• Assessment of risks of ML/TF offenses in carrying out business activities
• Written and kept up-to-date compliance policies and procedures, approved by senior management
• Increased scrutiny and enhanced measures for business activities and clients identified as high-risk
• Ongoing training and awareness program, including a written training plan
• Effectiveness review of compliance program (every 2 years)

Risk Assessment

The execution of a risk-based approach (RBA) is fundamentally reliant on precise risk assessment. In essence, RBA is a process that determines the intensity and frequency of monitoring and controls required to mitigate the identified risks sufficiently.

Reporting entities are required to assess the possibility of money laundering, terrorism financing, or sanctions evasions during their business activities by taking the following factors into account:

• Clients and business relationships
• Products, services, and delivery channels
• Geographical locations associated with their operations
• Other relevant factors

Businesses should incorporate the results of businesswide and national risk assessments with the individual circumstances of each customer when building a client’s risk profile. While smaller companies can rely on simple classification of their clients as low, medium, or high risk, a more sophisticated scoring system should be adopted by larger businesses.

From an AML perspective, inherent risk is the probability of money laundering or terrorist financing in a business activity before implementing control or mitigating measures. Residual risk is the minimal level of risks that still exist after applying control or mitigation measures. Businesses should determine their level of risk tolerance or risk appetite before applying mitigation measures.

Know Your Client Obligations

When to verify?

REs are required to verify the identity of customers, beneficiaries, or any third party acting on behalf of a customer in certain cases, including the following:

• When establishing a business relationship
• Large cash transactions of $10,000 or more
• Large virtual currency (VC) transactions of $10,000 or more
• Suspicious transactions
• Virtual Currency Transfer of $1,000 or more
• Exchange of foreign currency of $3,000 or more
• Exchange between VC of $1,000 or more
• International Electronic Funds Transfer of $1,000 or more
• Issuing, selling, or redeeming money orders of $3,000 or more

How do I verify?

REs can use one of the following methods to verify the identity of persons and entities.

• Methods to verify the identity of a person
  • Government-issued photo identification method (in-person/online)
  • Credit file method (Only through Canadian credit bureau)
  • Dual-process method (Using at least two different reliable sources)
  • Affiliate or member method
  • Reliance method (Confirming with a RE who already verified identity)
• Methods to verify the identity of an entity
  • Confirmation of existence method
  • Reliance method
  • Simplified identification method

Use of Personal Information

The use of personal information in Canadian commercial activities is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) or similar provincial legislation. REs are required to inform the customer about collecting personal information, except in cases where such information is collected, to file reports with FINTRAC.

Business relationship requirements

A business relationship is a contract between a reporting entity and a client to carry out financial transactions or provide services related to financial transactions. When an RE enters a business relationship with a client, it varies by sector and depends on their activities and services. However, if an RE generally opens an account or carries out a transaction for which identity verification is required, a business relationship is formed. REs must obtain information about the purpose and intended nature of a business relationship and retain this information for up to 5 years after a business relationship ends or a transaction is executed.

Ongoing Monitoring:

Reporting entities should conduct periodic monitoring of their clients

• Ensuring information about the following is kept up to date
  • Client identification
  • Beneficial ownership
  • Intended nature and purpose of the business relationship
• Identifying  any threshold transactions that need to be reported
• Reassessment of risks associated with client activities and transactions
• Ensuring client activities and transactions match the information obtained during identification and risk assessment.

Beneficial ownership requirements

Beneficial ownership requirements apply whenever REs are obliged to verify an entity’s identity. The type of beneficial ownership information required depends on whether the entity is a corporation, a trust, or an entity other than a corporation or trust. This information can be obtained from the entity directly or searched through publicly available information.

For corporations — names of all directors and name and address of all persons who directly or indirectly own or control 25% or more of the corporation

For widely held or publicly traded trusts — name and addresses of all the trustees and beneficiaries who directly or indirectly own or control 25% or more units of the trust

For trusts — name and address of all the settlors, trustees, and known beneficiaries of the trust

For entities other than trusts or corporations — name and addresses of all the persons who own or control 25% or more of its stake

The beneficial ownership must be verified through different prescribed methods, including company registers, shareholder registers, trust deeds, and other official documents, searching publicly available information, or consulting commercial databases. All beneficial ownership information, including information about the ownership and control structure, shall be kept for at least five years after the last business transaction.

Third-party determination requirements

A third part is a person instructing another person to perform an activity or transaction on their behalf. Financial Action Task Force and other ML/TF authorities have observed that third parties have been used in various cases of money laundering and terrorism financing. It is an attempt by the criminals to distance themselves from the illegal proceeds. If a third party is identified in a case, REs must obtain certain information about the third party, like name, address, date of birth, and occupation. Records should be retained for at least 5 years from the day it was created.

Politically Exposed Persons (PEP) Requirements

Reporting entities are required to identify if any of their clients or beneficial owners is a domestic PEP or a Foreign PEP, a Head of an International Organization (HIO), a family member, or a close associate of such person:

• When establishing a business relationship
• When conducting periodic monitoring of clients
• When a fact is detected about existing clients
• When receiving, paying, or transferring $100,000 in cash or virtual currency
• When processing an international electronic funds transfer of $100,000

All foreign PEPs, their family members, and close associates must be treated as high-risk clients. Domestic PEPs, HIOs, their family members, and close associates shall be considered high-risk if the risk of ML/TF offenses is assessed as high.

If a person is determined to be a foreign PEP, they remain a foreign PEP forever (including deceased foreign PEP). On the other hand, Domestic PEPs and HIOs remain Politically Exposed Persons for five years after they cease to hold their position or become deceased.

Measures required for PEPs:

• Establish and obtain information about the source of funds and source of a person’s wealth
• Obtain senior management approval to establish or continue a business relationship
• Enhanced measures for identity verification
• Other enhanced measures to mitigate risks include:
  • Enhanced measures to keep client and beneficial ownership information up to date
  • Enhanced monitoring to ensure the client activities align with the knowledge and information of the customer

Transaction reporting

REs must create reports about certain transactions and assets and submit them to the FINTRAC. Different entities may have to submit different reports depending on their industry and the nature of business activities. In general, these reports can be divided into two categories: threshold reports and non-threshold reports. The following reports need to be submitted irrespective of the amount involved:

• Suspicious Transaction Reports (STR)
• Terrorist Property Reports (TPR)
• Sanction Evasion

The following reports only need to be submitted if a certain limit or threshold is reached:

• Large Cash Transaction Reports of $10,000 or more
• Large Virtual Currency Transaction Reports of $10,000 or more
• International Electronic Funds Transfers of $10,000 or more
• Casino Disbursements of $10,000 or more

When assessing the requirement to file a threshold transaction, all similar or linked transactions should be aggregated using the 24-hour rule. According to this rule, all transactions executed within a 24-hour period with the same beneficiary, initiator, or third party are considered a single transaction for reporting purposes.

Terrorist Property Reports (TPR)

REs are required to file a TPR with FINTRAC under PCMLTFA as soon as the disclosure requirements are triggered under the Criminal Code (section 83.1) or the Regulations Implementing the United Nations Resolutions on the Suppression of Terrorism (RIUNRST) ( section 8). However, disclosure requirements are not limited to REs; every person in Canada and every Canadian outside Canada is required to disclose information related to terrorist property to the RCMP or CSIS.

A terrorist property is a property directly or indirectly associated with a person listed under the RIUNRST schedule, a listed entity under the Criminal Code, or a person who attempted or carried out terrorist activity. The FINTRAC guide suggests that terrorist property can also be identified through publicly available information, media articles, or official, publicly available lists (e.g., OFAC or EU lists).

Travel Rule

Financial entities, money service businesses, and casinos must meet the travel rule requirements. The travel rule requires that specific information be included in the transfer message sent or received in electronic funds transfers or virtual currency transfers. This information includes the name, address, account number, and any other reference number of the originator and beneficiary of the transfer.

Record keeping

Reporting entities must maintain certain records of accounts, transactions, client identification, reports, and other due diligence activities. These records shall be retained for at least five years after a business relationship ends or five years after a record is created or a transaction is conducted.

Ministerial directives

Reporting entities must adhere to ministerial directives that require them to apply countermeasures on transactions to or from designated foreign jurisdictions or entities. All the transactions to or from these jurisdictions must be treated as high-risk and dealt with accordingly. The Ministry of Finance issues these directives, and as of January 2025, three directives have been issued which designated the following foreign jurisdictions:

• Russia
• Islamic Republic of Iran
• Democratic People’s Republic of Korea (DPRK — North Korea)

Penalties for Non-Compliance

Failure to comply with obligations mandated by the PCMLTFA may result in criminal charges or administrative monetary penalties (AMPs). FINTRAC has the legal authority to impose AMPs on reporting entities non-compliant with the PCMLTFA and associated Regulations. These AMPs are imposed after violations are detected by examining a reporting entity’s AML compliance program.

Administrative penalties for a violation can be up to $100,000 for a person and $500,000 for an entity. Criminal penalties can be as high as a $2,000,000 fine, five years in prison, or both.

On November 5, 2024, the FINTRAC imposed an administrative monetary penalty (AMP) of $2,457,750 on Exchange Bank of Canada, a bank headquartered in Toronto, Ontario, for committing three violations. Among other violations, the FINTRAC examination indicated that the bank closed a review of a high-risk client without considering the presence of high ML/TF risk indicators, specifically, a relevant negative article in the media. Despite the context outlined in the negative media article, the bank didn’t pursue the matter to obtain additional details on the client’s source of funds.

On April 9, 2024, FINTRAC imposed an administrative monetary penalty (AMP) of $9,185,000 on Toronto-Dominion Bank, a bank headquartered in Toronto, Ontario, for committing five violations. The FINTRAC examination determined that the bank failed to file suspicious activity reports in 20 instances, including instances where the bank was aware of relevant negative media related to clients and transactions that showed ML/TF risk indicators.

AML Compliance Challenges for the Gambling Sector

Canada’s updated assessment of the inherent risks of money laundering highlighted that some sectors, such as banking, MSBs, real estate, and casinos, are more vulnerable to ML risks than others. The fact that a high proportion of casino clients are one-time and transactions are anonymous until the identification requirements are triggered after certain thresholds are met makes this sector even more vulnerable. Particularly, investigations in Project ATHENA discovered how casinos were exploited for money laundering through bank drafts having roots in underground banking. The report also highlighted the high risk of using complex corporate structures and trusts to hide actual ownership, particularly by leveraging gatekeeper professions like real estate brokers, accountants, and legal professionals.

Regulatory Guidelines and Best Practices

FINTRAC has published comprehensive guidelines for each sector supervised under Canada’s AML regulations on its website. Other bodies and authorities offer different sector-specific guidelines, such as the Investment Industry Regulatory Organization of Canada (IIROC) guidance for the securities industry, Chartered Professional Accountants Canada (CPA) guidance for the accounting sector, and British Columbia Financial Services Authority BCFSA’s guidance for the Real Estate Sector.

All AML-regulated entities must meet specific requirements, such as risk assessment, RBA application, PEP identification, and reporting suspicious transactions. Reporting entities must also check their customers against listed terrorist entities and individuals. Adopting technology-based AML solutions can simplify these obligations. Reliable AML screening can help reporting entities meet these obligations by checking their clients against records maintained by credible sources, such as courts, police, and other law enforcement agencies, industry regulators (regulatory enforcement), news agencies, and other commercial databases.

Sanctions Compliance in Canada

As the global economy has become more interdependent, economic sanctions have become an effective tool of foreign policy to respond to significant geopolitical events. All individuals and entities in Canada and Canadian persons or entities operating abroad must comply with Canadian sanctions laws.

United Nations Act (UNA)

As a UN member, Canada incorporates sanctions imposed by UN Security Council Resolutions in its legal framework through the United Nations Act (UNA). UNA empowers the Governor in Council to enact Regulations to adopt UN Sanctions that the Parliament will pass within 40 days; if not, it will be considered annulled after the period expires. Failure to meet obligations imposed by UNA may result in a fine of $100,000 or a maximum of 10 years imprisonment.

Canada Autonomous Sanctions

Special Economic Measures Act (SEMA)

The Special Economic Measures Act (SEMA) provides the basis for Canadian autonomous sanctions. The Ministry of Foreign Affairs of Canada monitors and enforces sanctions imposed under SEMA. Currently, 20 sanctions regimes operate under the SEMA to achieve foreign policy objectives related to international peace and security, corruption of foreign government officials, gross human rights violations, or other international obligations.

Justice for Victims of Corrupt Foreign Officials Act (JVCFOA)

Autonomous sanctions are also implemented under the Justice for Victims of Corrupt Foreign Officials Act (JVCFOA). This act is also known as Sergei Magnitsky Law. It empowers the Governor in the council to issue Regulations itoimpose prohibitions against foreign officials for gross human rights violations and corruption issues. There are 80 individual designations under this Act, independent of state-related sanctions.

Failure to meet any provision of SEMA or JVCFOA may result in a fine of $25,000 or one year’s imprisonment on summary conviction. A maximum penalty of five years imprisonment may be imposed on conviction on indictment.

Other Related Laws

Freezing Assets of Corrupt Foreign Officials Act (FACFOA)

The Freezing Assets of Corrupt Foreign Officials Act allows Canada to implement sanctions on corrupt foreign officials. These sanctions are implemented only after a foreign government requests in writing to freeze the assets of any corrupt officials of such foreign government. Currently, there are sanctions against persons from Ukraine and Tunisia under this Act.

Other than the above laws, specific prohibitions and restrictions on foreign persons and foreign states are also imposed through the Criminal Code, which prohibits dealing with property of terrorist groups, the Export and Import Permits Act to control transfer of goods and technology, and the Immigration and Refugee Protection Act to restrict entry of certain foreign persons in Canada.

Regulatory Guidance and Best Practices

The complexity surrounding Canada’s multiple sanctions laws and the severe consequences of non-compliance requires reporting entities to have an effective sanctions compliance program. REs should have systems in place for sanctions watchlist screening. FINTRAC guidance suggests that characteristics of a financial transaction associated with sanction evasion may include:

• Complex corporate structures
• Use of proxies and enablers
• Evasion of import/export (by rerouting and concealing end users)
• Use of intermediary jurisdictions (such as regional financial and trade hubs)
• Non-resident banking (offshore accounts to disassociate ultimate beneficiary)
• Virtual Currency and other alternative financial channels (increased anonymity)

Apart from the sanctions applicable by Canadian Laws, reporting entities should also consider the application of other international sanctions issued by the Office of Foreign Assets Control (OFAC) of the United States Department of the Treasury, European Union, and UK HM Treasury, based on currency involved and links of business activities with foreign jurisdictions.

Adopting a reliable sanctions screening solution can simplify and enhance sanctions compliance. A dependable solution not only provides comprehensive coverage with real-time updates but also minimizes the workload by reducing false positives.