PROCESSING...

Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

New Beneficial Ownership Discrepancy Reporting

Effective October 1, 2025, Canadian anti-money laundering (AML) reporting entities regulated by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) are required to report to Corporations Canada any material discrepancies identified between the beneficial ownership information that they have obtained and that is listed in Corporations Canada’s database.

Background

This requirement was introduced to enhance the reliability of beneficial ownership information available to authorities and the public, and to reduce the opportunities for misuse of Canadian corporate structures in money laundering, tax evasion, and sanctions avoidance schemes. Since the usefulness of the beneficial ownership information depends on the accuracy of the information, amendments under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) now will require reporting entities to flag material discrepancies between the information provided by a corporation incorporated under the Canada Business Corporations Act (CBCA) and what is recorded in the registry, thereby supporting Corporations Canada in maintaining an accurate database.

A “material discrepancy” exists where beneficial ownership information collected by a reporting entity substantively contradicts what is publicly disclosed. While the regulations give limited guidance, missing beneficial owners are considered material, while minor typographical errors are not. Currently, the definition of “material” remains imprecise, which may create some uncertainty for compliance teams.

Who Must Comply

The requirement applies to reporting entities who have the existing obligation to take reasonable measures to confirm the accuracy of beneficial ownership information when they first obtain it and in the course of conducting ongoing monitoring of their business relationships.

Discrepancy reporting applies only to CBCA corporations that are active on the Corporations Canada registry.

When to Report

Reporting entities are required to report a material discrepancy to Corporations Canada within 30 days after the day on which it is identified when the following criteria are met:

  • A client is an active CBCA corporation; and
  • The reporting entity determines that the corporation is high-risk for money laundering, terrorist financing, or sanctions evasion; and 
  • When there is a material discrepancy in beneficial ownership information that is not resolved within 30 days. Note there is no requirement to address the material discrepancy directly  with the customer. 

In these cases, reporting entities must check the Corporations Canada registry when a high-risk relationship is first identified and continue to check during ongoing monitoring of that high-risk business relationship.

If a previously reported discrepancy is identified again (i.e., during the course of ongoing monitoring) and it has not been resolved, it must be reported again. If there are other issues related to corporate status or registry info (not beneficial ownership information), this information can still be reported to Corporations Canada, but it must be done so separately. Voluntary reporting is permitted if the client is considered low-risk, but discrepancies are still found.

Reporting Steps

Reports are submitted through Corporations Canada’s online portal (accessed through the registry). The process is as follows:

  1. Ensure your reporting entity is registered for FINTRAC Web Reporting (FWR), and that the individual completing the reporting has an active My ISED account with Corporations Canada.
  2. Search the corporation on the Corporations Canada website to confirm it is an active CBCA corporation.
  3. While in Corporations Canada’s online portal, from the page connected to the corporation about which the discrepancy is being reported, select “Report an Issue” (currently a link at the bottom right of the page). This will prompt a My ISED login.
  4. Complete the discrepancy form with:
    • Reporting entity details (legal name, RE number, location, compliance contact/email). This information will auto-populate after the first report. 
    • Corporation details (name and incorporation number for the company you are reporting on).
    • Selecting the reason for reporting a discrepancy (reporting as required under PCMLTFA or voluntary).
    • Discrepancy details (nature of inconsistency, date identified).
  5. Review the information for accuracy and submit the report.
  6. A confirmation screen will appear, including a reference number 
  7. Corporations Canada will validate the report and issue an acknowledgment within 10 business days.
  8. Keep a copy of the acknowledgement as evidence of the completed discrepancy reporting.
  9. If the discrepancy has not been resolved by the next time you complete periodic monitoring for the entity, the process is repeated.

For more detailed steps on reporting, you may refer to the guidance on submitting a beneficial ownership discrepancy report or the following Corporations Canada demo video, which together provide a comprehensive overview.

 

Note that inaccurate or incomplete reporting entity information will result in an invalid Beneficial Ownership discrepancy report. Amendments to submitted reports are currently not possible, and a new report will have to be submitted. 

Reporting entities must retain the report acknowledgment and other supporting documentation as evidence of meeting obligations. 

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help updating your compliance program and processes, please get in touch.

CMSBA 2025 Fall Conference

The Canadian MSB Association 2025 Fall Conference brings together industry professionals from MSBs, payment service providers, fintech, armoured car services, regtech and more. Over two days, attendees will engage in sessions exploring:

  • Implementation of the March 2025 PCMLTFA amendments
  • RPAA supervision go-live and lessons learned so far
  • New reporting expectations for STRs, EFTRs, sanctions, and beneficial ownership
  • Operational risk frameworks and incident response under RPAA/R
  • Approaches to safeguarding end-user funds via trust, insurance, or guarantees
  • Challenges around financial access, de‑risking, and bank onboarding in the evolving landscape

Attendees can expect a mix of insights, best practices, and peer networking across both in-person and virtual formats. Join over 200+ professionals from across MSBs, fintech, regtech, armoured car services, and more.

Registration/More Info: Buy your ticket here

Identification Triggers for Factoring Companies

Background

We recently sought clarification from FINTRAC as it relates to identification requirements that Factoring Companies (Factors) must comply with.

Factors supply liquidity to a customer in exchange for the cash value of a certain amount of the customer’s accounts receivable (i.e. invoices) to be collected later by the factoring company. A factor is defined as a person or entity that is engaged in the business of factoring, with or without recourse against the assignor.

If you missed it, Factors became reporting entities under the PCMLTFA effective April 1, 2025. As a reporting entity, Factors must have in place a compliance program and comply with various requirements, including identification requirements.  Please refer to our previous blog post on Factors that outlines full requirements that factors must comply with.

Identification Requirements

Factors must confirm identification using prescribed methods for individuals and entities where they are required to keep a record as defined under section 24.14 of the

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations.

Section 24.14 states a factor shall keep the following records in respect of every factoring agreement that it enters into:

(a) an information record in respect of the person or entity with whom it enters into the agreement;

 (b) if the information record is in respect of an entity, a record of the name, address and date of birth of every person who enters into the agreement on behalf of the entity and the nature of the person’s principal business or their occupation;

 (c) if the information record is in respect of a corporation, a copy of the part of official corporate records that contains any provision relating to the power to bind the corporation in respect of transactions with the factor;

 (d) a record of the financial capacity of the person or entity with which it enters into the agreement and the terms of the agreement;

 (e) for any payment it makes; and

 (f) a receipt of funds record in respect of every amount of $3,000 or more that it receives, unless the amount is received from a financial entity or public body or from a person who is acting on behalf of a client that is a financial entity or public body.

As it relates to the last record, funds may come from a party other than the factoring client (a third party) and in such instances it is not sufficient to rely on identification that would have been completed for the factoring client, but rather the third party would have to be identified.

Below is a response from FINTRAC:

Under the PCMLTFA, specifically section 24.14(f), a receipt of funds record must be kept for every amount of $3,000 or more, unless the funds are received from a financial entity, public body, or a person acting on behalf of such an entity.

In response to your question:
If funds are received from a party other than the identified factoring client, identification requirements may still apply depending on who that third party is.

If the third party is not:

    • a financial entity,
    • a public body, or
    • acting on behalf of one,

then yes, identification and a receipt of funds record would be required, even if the factoring client has already been identified. This is because the receipt of funds record pertains to who the funds are actually received from, not just who the factoring agreement is with.

Identification of the factoring client alone is not sufficient if funds are received from another party who does not fall under the exemptions in s. 24.14(f). The source of funds must be identified and recorded accordingly.

The factoring company must take reasonable measures to identify the sender, document those efforts, and keep a receipt of funds record.

While this may prove to be challenging in some instances, demonstrating that reasonable measures were taken becomes critical.

We’re Here To Help

If you would like assistance in understanding what this mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

Securities Dealers See Rising FINTRAC Penalties

We’re seeing FINTRAC ramp up Administrative Monetary Penalties against all sectors, however, for securities dealers we’re starting to see some heavy hits, something we haven’t seen before, signaling a graduated approach to compliance assessments by FINTRAC.

On July 3, 2025, FINTRAC announced an Administrative Monetary Penalty of $544,500 against an investment dealer headquartered in Vancouver, British Columbia. Additionally, on February 13, 2025, FINTRAC announced an Administrative Monetary Penalty of $66,000 against, a Wealth Management Securities Dealer in Ontario.

Securities dealers must fulfill specific obligations as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations, to help combat money laundering and terrorist activity financing in Canada. As defined under the PCMLTFA, a securities dealer means a person or entity authorized under provincial legislation to engage in the business of dealing in securities or any other financial instruments or to provide portfolio management or investment advising services.

FINTRAC has the legislative authority to issue administrative monetary penalties (AMPs) to reporting entities that are found to be non-compliant with the PCMLTFA and associated Regulations. For more information, see Penalties for non-compliance.

Between the two notices, it was found that following compliance examinations, the following failures were found, which resulted in the AMPs:

  • Failure to develop and apply written compliance policies and procedures that are kept up to date; and, in the case of an entity, are approved by a senior officer. Specifically, the firm did not sufficiently develop and document its compliance policies and procedures in relation to know your client and record keeping requirements.
  • Failure to assess and document the risk of a money laundering or terrorist financing offence, taking into consideration prescribed factors. Specifically, the firm’s risk assessment was incomplete, as it did not clearly outline the risks associated with its clients and did not contain assessment of all the required categories. In addition, the risk assessment did not document an adequate methodology for the assessment of its money laundering and terrorist financing risks.
  • Failure to institute and document the prescribed review of its policies and procedures, risk assessment and training program. Specifically, the scope of a review did not cover the firm’s risk assessment. Additionally, the review did not specify how the organization ensured that its compliance program was tested for effectiveness.
  • Failure to submit suspicious transaction reports where there were reasonable grounds to suspect that transactions or attempted transactions were related to a money laundering or terrorist activity financing offence.
  • Failure to take the prescribed special measures for high risk.

Of all the findings, the ones that netted the highest AMP were related specifically to:

  • Failure to submit suspicious transaction reports where there were reasonable grounds to suspect that transactions or attempted transactions were related to a money laundering or terrorist activity financing offence.
  • Failure to take the prescribed special measures for high risk.

Failures in suspicious transaction reporting continue to be a big focus for FINTRAC and a trend with the larger value AMPs that we’ve been seeing.

Securities dealers are responsible for the following requirements under the PCMLTFA and associated Regulations:

  1. Compliance program:
    1. Appoint a compliance officer who is responsible for implementing the program. The Compliance Officer must always have access to management and the authority to carry out their duties.
    2. Develop and apply written compliance policies and procedures that are kept up to date and, in the case of an entity, are approved by a senior officer. Policies and procedures must be detailed and reflect the reporting entities business model.
    3. Conduct a risk assessment of your business to assess and document the risk of a money laundering or terrorist activity financing offence occurring in the course of your activities. The categories that must be assessed are outlined in guidance.
    4. Develop and maintain a written, ongoing compliance training program for your employees, agents or mandataries, or other authorized persons.
    5. Institute and document a plan for the ongoing compliance training program and deliver the training (training plan).
    6. Institute and document a plan for a review of the compliance program for the purpose of testing its effectiveness, and carry out this review every two years at a minimum (two-year effectiveness review). The review must test all parts of your compliance program as well as operations.
  2. Know your client:
    1. verifying client identity,
    2. politically exposed persons, heads of international organizations, their family members and close associates, beneficial ownership, and
    3. third party determination.
  3. Transaction reporting:
    1. Suspicious Transaction reporting
    2. Listed Person or Entity Property Reports
    3. Large Cash Transactions reporting
    4. Large Virtual Currency Transaction reporting; and
    5. Reporting suspected sanctions evasion.
  4. Record keeping;
  5. Foreign branches, foreign subsidiaries and affiliates; and
  6. Ministerial directives

We’re Here To Help

If you need help in creating or updating your compliance program and processes, are due for a Compliance Effectiveness Review, or have general questions on your compliance obligations,  please get in touch.

What to Expect When FINTRAC Comes Knocking

Written with Heidi Unrau

FINTRAC’s New Assessment Approach – It’s Not Just Exams Anymore

Every request, meeting, form, or call with the Financial Transaction and Reports Analysis Centre of Canada (FINTRAC), Canada’s anti-money laundering (AML) regulator and financial intelligence unit (FIU), is a potential assessment activity. If your business is subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), the regulator could contact you at any time. In 2025, FINTRAC significantly expanded and diversified its compliance assessment toolkit.

FINTRAC’s assessment activities are not limited to full-blown compliance examinations, and the regulator is increasingly using other assessment tools. These include a wider range of formal and informal touchpoints, each of which can carry consequences and should be taken seriously. Here’s what you need to know to prepare, respond, and stay one step ahead when FINTRAC contacts you.

Yes, These Are All Assessment Activities

Many organizations are surprised to learn that not every FINTRAC interaction is labelled as an “examination,” although a range of activities are used to assess FINTRAC reporting entities. While some of these activities may be more informal than examinations, they are not unimportant.

In 2025, common FINTRAC assessment activities include, but are not limited to:

A woman peeking out from behind a stack of folders on a desk.

Data Hide and Seek

  • Information Requests
  • Supervisory Risk Assessment Questionnaires (SRAQs)
  • Compliance Self-Attestations
  • Monitoring Meetings
  • Action Plans
  • Examinations

Each of these activities serves as an opportunity for FINTRAC to understand and evaluate how well your organization is meeting its AML compliance obligations. Responding late, incorrectly, or incompletely can impact your risk score, trigger follow-up activities including examinations, or even result in penalties.

Information Requests

FINTRAC can request a wide range of information from reporting entities related to AML compliance. Where no personal information (PI) is being requested, these requests may be delivered by email rather than by more secure channels such as Canada Post’s secure messaging system.

However, reporting entities that prefer to respond via a secure channel can request this, and FINTRAC will generally accommodate their request. If an information request is unclear or if the timeframes are not feasible for your business, it is important to contact FINTRAC as soon as possible to resolve the issue.

Supervisory Risk Assessment Questionnaires (SRAQs)

SRAQs are Excel forms sent through Canada Post’s secure platform, often after a call or meeting with FINTRAC to explain the process. They include detailed questions about your business structure, risk levels, and electronic funds transfers.

Some fields may be pre-filled by FINTRAC, but must be reviewed. The SRAQ will generally have questions about your risk assessment, and you may be asked whether your risk assessment aligns with Canada’s National Risk Assessment (NRA).

Compliance Self-Attestations

These detailed PDF forms are also delivered securely, either with a SRAQ or on their own, and may follow a call or meeting with FINTRAC to explain the process. The self-attestation form asks about your Compliance Officer, AML policies and procedures, risk assessment, training, and compliance effectiveness reviews (audits). The responses must be specific (tailored to your business, documentation, and processes), and questions often overlap with the SRAQ.

The self-attestation questionnaire commonly asks who approved your policies, and whether compliance effectiveness reviews (audits) led to action plans. The final section of the attestation form requires sign-off from the person completing it, attesting to the accuracy and completeness of the information provided.

Monitoring Meetings

Monitoring meetings are common for larger or higher-risk businesses and are used to follow up on issues like reporting errors, self-declared non-compliance, or action plan progress. Be ready to explain past issues and decisions, particularly where FINTRAC is actively monitoring the remediation of an issue, including deficiencies observed by FINTRAC through examinations or other assessment activities. Detailed records help keep these meetings focused and efficient.

Action Plans

FINTRAC may request an action plan to correct deficiencies observed in the course of its assessment activities, or subsequent to a voluntary self-declaration of non-compliance. An action plan describes the deficiencies, the steps that are being taken to address and correct the issues, and the expected timelines. In some cases, FINTRAC may request updates to action plans in conjunction with monitoring meetings.

Examinations

FINTRAC selects businesses for examinations based on factors like risk score, past findings, or industry trends. Examinations may be in-person or remote, and full-scope (covering a broad range of AML compliance requirements) or targeted (covering only a narrow scope, such as high-risk customers and enhanced due diligence activities).

The examination process generally begins with a notification call, followed by a formal letter, document review, interviews, and concludes with a findings report. As PI and other sensitive information is exchanged with FINTRAC in this process, written communication is usually through Canada Post’s secure online portal. If serious deficiencies are discovered, FINTRAC may issue a Notice of Violation, which accompanies an administrative monetary penalty (AMP).

Take Every Request Seriously, The Consequences Are Real

A single poorly handled request can escalate to a formal examination or enforcement action, up to and including an AMP. For example:

  • Information Requests might ask for detailed operational data, like wallet addresses, transaction volumes, geographic reach, etc., that must be provided within specific timeframes.
  • SRAQs and Self-Attestations often probe the strength and scope of your compliance program, training, policies, and controls.
  • Monitoring Meetings may seem routine, but they serve as real-time evaluations of progress or issues.

Even if you think your compliance program is strong, you can’t rest on your laurels. Giving too much, too little, or the wrong kind of information can still cause problems.

Timing & Scope Matter, So Speak Up Early

One of the most preventable mistakes? Not raising concerns early. If you receive a request that:

  • Requires more time than you realistically have
  • Involves an impractical volume of data
  • Touches on sensitive or operationally risky areas (like sending wallet addresses via unencrypted email, for example)
  • Is unclear or difficult to fulfill, or
  • Seems misaligned with your actual business structure…

Reach out to FINTRAC right away! They may allow accommodations like a secure file upload option or deadline extensions. FINTRAC  will also be able to clarify or refine the scope of their request, but you have to ask early. Proactive communication helps avoid mistakes and shows a good-faith effort to comply.

Documentation is Protection

Formal or informal? It doesn’t matter. If you interact with FINTRAC, document everything:

  • The requests received and your interpretations,
  • Deadlines and communication
  • What data you provided and how
  • Who internally approved or reviewed the responses

Keep a central record, like a shared folder or internal compliance log, to track all relevant information. Where there is something unusual about your business or processes, consider whether or not it makes sense to include explanations either in writing or during a meeting with FINTRAC.

Common Errors to Avoid

These are the biggest issues that trip up even experienced teams:

  • Not answering the question asked: Too much or too little detail can both be problematic, and providing information that doesn’t address the question makes you seem disorganized at best.
  • Assuming foreign compliance standards apply: FINTRAC’s mandate is to ensure compliance with Canadian requirements, and straying from this focus can imply that you’re not well-versed when it comes to the Canadian AML framework.
  • Underestimating the data lift: Raw data is often messier and harder to extract than expected. Plan accordingly and start pulling data and organizing your response early.
  • Auditor independence: If your auditor is also your AML program creator, expect scrutiny for lack of independence.

Make an Action Plan, Even if You’re Not Asked

There is some variance in terms of whether or not action plans are requested after FINTRAC examinations. Today, they’re becoming an unspoken expectation, though you may not be asked for your action plan until the next time that you’re faced with an assessment activity. Best practice? Develop an internal action plan, even if  FINTRAC doesn’t ask for one. Examiners, auditors, and your leadership team will expect to see how you’ve addressed gaps. Your action plan should:

  • Outline findings and fixes
  • Assign owners and timelines
  • Track milestones and updates

If you’ve already had an examination or audit and didn’t document an action plan, it’s not too late. Your plan can include work already completed to address any deficiencies.

Is This Really From FINTRAC? How to Tell

Some recent FINTRAC requests look different from what businesses are used to, which has caused confusion. And to make matters worse, there have been documented cases of scammers impersonating FINTRAC and other regulators. Here’s how to tell if the request is legitimate:

  • Check the Sender: Legit emails come from @fintrac-canafe.gc.ca or @fintrac-canafe.canada.ca.
  • Look for legal references: Real requests often cite the PCMLTFA (for example, section 63.1(2) of the PCMLTFA).
  • Expect formal language: Clear instructions, deadlines, and specific data requests are standard.
  • Templates included: FINTRAC may attach Excel or PDF forms to complete. These will not be in a “zipped” format or other format that cannot be scanned for malicious elements.
  • No contact name? Still valid: Some are signed by the team or department without a specific person named.
  • Delivery method: Sensitive items may come through Canada Post’s secure epost system, but where this is the case, reporting entities will generally receive a phone call first.

If you’re unsure, don’t ignore it. Verify through FINTRAC’s official contact channels, not by replying to a suspicious email.

Final Reminder: Treat Every Touchpoint as an Evaluation

A call. An email. A simple questionnaire or data request. It’s all part of a broader assessment process. These activities carry weight, can impact your risk profile, and may lead to further scrutiny if not handled correctly.

Treat every request seriously and respond with care. If something is unclear, the scope seems off, or if you need more time, speak up early! Proactive communication prevents misunderstandings and protects your organization from costly consequences.

Need a Hand?

If you’re unsure how to interpret a request, need help crafting a response, or want to strengthen your overall compliance approach, Outlier Compliance Group is here to help. Please get in touch.

New Reporting Entity: Factoring Companies

Background

On March 26, 2025 final amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations were officially published in the Canada Gazette (SOR/2025-68). This round of anticipated changes introduces three company types that will become reporting entities. Below, we summarize the requirements that Factoring Companies will have to comply with as of April 1, 2025.

Factoring Companies (Factors)

Factors supply liquidity to a customer in exchange for the cash value of a certain amount of the customer’s accounts receivable (i.e. invoices) to be collected later by the factoring company. A factor is defined as a person or entity that is engaged in the business of factoring, with or without recourse against the assignor.

Requirements

All reporting entities (including Factoring Companies, as of April 1, 2025) must have in place a compliance program as defined under the PCMLTFA and associated regulations. The following is a summary of the requirements, as well as links to FINTRAC guidance (some of which will need to be updated).

Program Elements

  • Appoint a compliance officer who is responsible for implementing the compliance program and have oversight. The Compliance Officer must always have access to management and have the authority to carry out their duties.
  • Develop and apply written compliance policies and procedures that describe what is required under law and how these obligations will be met. These must be kept up to date and approved by a senior officer.
  • Conduct and document a risk assessment of your business. This assessment should include all activities that could make an entity vulnerable to money laundering or terrorist financing, as well as the mitigating controls that are put into place to prevent such risks.
  • Develop and maintain an ongoing compliance training program for your staff and agents. Everyone that deals with customers, customer funds, or transactions must receive AML and ATF training at least annually.
  • Conducting compliance effectiveness reviews. This is an audit that tests a company’s AML and ATF program and its effectiveness. These reviews must be completed at least once every two years.

Operational Elements

  • Reporting certain transactions. Where there are reasonable grounds to suspect that a particular financial transaction is related to the commission of a money laundering or terrorist activity financing offence, a Suspicious Transaction Report must be summitted to FINTRAC. This includes Large Cash and Large Virtual Currency reporting.
  • Follow ministerial directives and perform watchlist screening. Where a company may be in possession of funds or property that belong to a terrorist (either an individual or an organization) or a listed person, a Listed Person or Entity Report must be submitted to FINTRAC.
  • Identifying customers. Upon entering into a factoring agreement or when an information record is created, Factoring Companies will need to verify the identity of a customer using prescribed methods for individuals and entities.
  • Conducting transaction monitoring.
  • Conducting enhanced due diligence and enhanced transaction monitoring for high-risk customers.
  • Keeping certain records. In addition to keeping records related to the requirements above, Factoring Companies are required to keep the following records:
    • an information record in respect of the person or entity with whom it enters into the agreement;
    • if the information record is in respect of an entity, a record of the name, address, and date of birth of every person who enters into the agreement on behalf of the entity and the nature of the person’s principal business or their occupation;
    • if the information record is in respect of a corporation, a copy of the part of official corporate records that contains any provision relating to the power to bind the corporation in respect of transactions with the factor;
    • a record of the financial capacity of the person or entity with which it enters into the agreement and the terms of the agreement;
    • for any payment it makes, a record of:
      • the date of the payment,
      • if the payment is in funds, the type and amount of each type of funds involved,
      • if the payment is not in funds, the type of payment and its value,
      • the method by which the payment is made,
      • the name of every person or entity involved in the payment, and
      • every account number or other equivalent reference number connected to the payment; and
    • a receipt of funds record in respect of every amount of $3,000 or more that it receives, unless the amount is received from a financial entity or public body or from a person who is acting on behalf of a client that is a financial entity or public body.

What Next?

Factoring Companies should start working on developing their compliance program immediately if they have not done so already. FINTRAC has updated their sector-specific guidance page with relevant information for this new reporting entity and should be read.

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

New Reporting Entity: Financing and Leasing Entities

Background

On March 26, 2025 final amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations were officially published in the Canada Gazette (SOR/2025-68). This round of anticipated changes introduces three company types that will become reporting entities. Below, we summarize the requirements that Financing and Leasing Entities will have to comply with as of April 1, 2025.

Financing and Leasing Entities

A financing or leasing entity is defined as a person or entity that is engaged in the business of financing or leasing of:

  • property, other than real property or immovables, for business purposes;
  • passenger vehicles in Canada; or
  • property, other than real property or immovables, that is valued at $100,000 or more.

Requirements

All reporting entities (including Financing and Leasing Entities, as of April 1, 2025) must have in place a compliance program as defined under the PCMLTFA and associated regulations. The following is a summary of the requirements, as well as links to FINTRAC guidance (some of which will need to be updated).

Program Elements

  • Appoint a compliance officer who is responsible for implementing the compliance program and have oversight. The Compliance Officer must always have access to management and have the authority to carry out their duties.
  • Develop and apply written compliance policies and procedures that describe what is required under law and how these obligations will be met. These must be kept up to date and approved by a senior officer.
  • Conduct and document a risk assessment of your business. This assessment should include all activities that could make an entity vulnerable to money laundering or terrorist financing, as well as the mitigating controls that are put into place to prevent such risks.
  • Develop and maintain an ongoing compliance training program for your staff and agents. Everyone that deals with customers, customer funds, or transactions must receive AML and ATF training at least annually.
  • Conducting compliance effectiveness reviews. This is an audit that tests a company’s AML and ATF program and its effectiveness. These reviews must be completed at least once every two years.

Operational Elements

  • Reporting certain transactions. Where there are reasonable grounds to suspect that a particular financial transaction is related to the commission of a money laundering or terrorist activity financing offence, a Suspicious Transaction Report must be submitted to FINTRAC. This includes Large Cash and Large Virtual Currency reporting.
  • Follow ministerial directives and perform watchlist screening. Where a company may be in possession of funds or property that belong to a terrorist (either an individual or an organization) or a listed person, a Listed Person or Entity Report must be submitted to FINTRAC.
  • Identifying customers. Upon entering into an agreement for the listed activities under the definition above, Financing and Leasing Entities will need to verify the identity of a customer using prescribed methods for individuals and entities.
  • Conducting transaction monitoring.
  • Conducting enhanced due diligence and enhanced transaction monitoring for high-risk customers.
  • Keeping certain records. In addition to keeping records related to the requirements above, Financing and Leasing Entities are required to keep the following records:
    • an information record in respect of the person or entity with which it enters into the arrangement;
    • if the information record is in respect of an entity, a record of the name, address and date of birth of every person who enters into the arrangement on behalf of the entity and the nature of the person’s principal business or their occupation;
    • if the information record is in respect of a corporation, a copy of the part of official corporate records that contains any provision relating to the power to bind the corporation in respect of transactions with the financial leasing entity;
    • a record of the financial capacity of the person or entity with which it enters into the arrangement and the terms of the arrangement; and
    • in respect of every payment that it receives under the arrangement, other than a payment received from a financial entity or public body or from a person who is acting on behalf of a client that is a financial entity or public body, a record of
      • the date of the payment,
      • the name of the person or entity that makes the payment,
      • the amount of the payment and of any part of it that is made in cash, and
      • the method by which the payment is made.

What Next?

Financing and Leasing Entities should start working on developing their compliance program immediately if they have not done so already. FINTRAC has updated their sector-specific guidance page with relevant information for this new reporting entity and should be read.

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

New Reporting Entity: Cheque Cashing

Background

On March 26, 2025 final amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations were officially published in the Canada Gazette (SOR/2025-68). This round of anticipated changes introduces three company types that will become reporting entities. Below, we summarize the requirements that cheque cashing businesses, who will be classified as either domestic or foreign money services businesses (MSBs), will have to comply with as of April 1, 2025.

Requirements

MSBs (including cheque cashing businesses) must register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and have in place a compliance program as defined under the PCMLTFA and associated regulations. The following is a summary of the requirements that MSBs must comply with, as well as links to FINTRAC guidance.

Program Elements

  • Appoint a compliance officer who is responsible for implementing the compliance program and have oversight. The Compliance Officer must always have access to management and have the authority to carry out their duties.
  • Develop and apply written compliance policies and procedures that describe what is required under law and how these obligations will be met. These must be kept up to date and approved by a senior officer.
  • Conduct and document a risk assessment of your business. This assessment should include all activities that could make an entity vulnerable to money laundering or terrorist financing, as well as the mitigating controls that are put into place to prevent such risks.
  • Develop and maintain an ongoing compliance training program for your staff and agents. Everyone that deals with customers, customer funds, or transactions must receive AML and ATF training at least annually.
  • Conducting compliance effectiveness reviews. This is an audit that tests a company’s AML and ATF program and its effectiveness. These reviews must be completed at least once every two years.

Operational Elements

  • Register with FINTRAC before conducting prescribed transactions. The registration information must be kept up to date and renewed every two years;
  • Reporting certain transactions. Where there are reasonable grounds to suspect that a particular financial transaction is related to the commission of a money laundering or terrorist activity financing offence, a Suspicious Transaction Report must be summitted to FINTRAC. This includes Large Cash, Large Virtual Currency and Electronic Funds Transfer reporting;
  • Follow ministerial directives and perform watchlist screening. Where a company may be in possession of funds or property that belong to a terrorist (either an individual or an organization) or a listed person, a Listed Person or Entity Report must be submitted to FINTRAC;
  • Identifying customers. As it relates to cheque cashing services, MSBs will need to verify the identity of a customer using prescribed methods for individuals and entities where there is a request to cash one or more cheques that total $3,000 or more;
  • Conducting ongoing transaction monitoring for customers that have formed a business relationship;
  • Conducting enhanced due diligence and enhanced transaction monitoring for high-risk customers; and
  • Keeping certain records. MSBs must keep specific records. As it relates to cheque cashing activities (over $3,000) the following records must be retained:
    • the date when each cheque is cashed;
    • the person’s or entity’s name and address, the nature of their principal business or their occupation and, in the case of a person, their date of birth;
    • the total amount of the cheque or cheques;
    • the name of the issuer of each cheque;
    • the number of every account that is affected by the cashing of the cheque or cheques, the type of account and the name of each account holder;
    • every reference number that is connected to the cashing of the cheque or cheques and that has a function equivalent to that of an account number; and
    • if the cashing of the cheque or cheques involves virtual currency, every transaction identifier, including the sending and receiving addresses.

What Next?

Companies that perform cheque cashing activities should start working on developing their compliance program immediately if they have not done so already. FINTRAC has updated their sector-specific guidance page with relevant information for this new reporting entity and should be read.

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

2025 AML Changes: New Import/Export Declarations, Information Sharing, Beneficial Ownership Transparency and New Reporting Entities

Background

On March 26, 2025 final amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations and creation of a new regulation were officially published in the Canada Gazette (SOR/2025-67 and SOR/2025-68). This round of anticipated changes introduces three company types that will become reporting entities. Additionally, the amendments bring in changes related to reporting of goods, information sharing, and beneficial ownership discrepancy reporting.

In traditional fashion, to make reading these changes a little easier, we (thanks Rodney) have created a redlined version of the regulations, with new content showing as tracked changes, which can be found in a combined document here.

While there are no substantial changes to the requirements from the draft amendments published on November 30, 2025 in the Canada Gazette, one noteworthy change is that the in-force date of most requirements was moved from October 1, 2025, to April 1, 2025, which will likely leave companies scrambling.

The incoming requirements are meant to improve Canada’s anti-money laundering (AML), anti-Terrorist Financing (ATF) and sanctions regime, and implement measures announced in Budget 2022, Budget 2023, Budget 2024, the 2023 Fall Economic Statement, and Canada’s last Parliamentary Review. On February 4, 2025, the Prime Minister issued the Directive on Transnational Crime and Border Security, which stated the urgent need to disrupt profits laundered by organized crime in connection with illegal trade in drugs such as fentanyl. The amendments provided in the finalized regulations were identified as key measures to support this Directive.

The regulatory impact analysis statement (RIAS) accompanying the finalized regulations indicates that these amendments are also needed for Canada to align to Financial Action Task Force (FATF) standards ahead of Canada’s next mutual examination by the FATF later in 2025. The RIAS states that FINTRAC is committed to working with reporting entities to ease the implementation process along this accelerated and exceptional timeline, and will put emphasis on engagement, outreach and guidance activities related to new regulatory obligations.

What’s Changed?

Trade Based Money Laundering (TBML)

The regulatory amendments introduce a new Proceeds of Crime (Money Laundering) and Terrorist Financing Reporting of Goods Regulation.   

Under the new regulation, anyone who is importing or exporting goods into or out of Canada needs to file a declaration with the Canada Border Services Agency (CBSA) as follows:

  • whether the goods are proceeds of crime as defined by subsection 462.3(1) of the Criminal Code or are goods related to money laundering, to the financing of terrorist activities or to sanctions evasion; and
  • that the goods are actually being imported or exported, as the case may be.

The amendments will also include seizure and forfeiture rules. Under the framework, the CBSA will have powers to seize and forfeit goods when they have reasonable grounds to believe that the goods are proceeds of crime or related to money laundering, terrorist financing, or sanctions evasion.

As part of the new requirements, there are substantial record-keeping obligations, including details such as the origin, making, purchase, importation, costs, and value of the goods, as well as records related to payments for the goods.

This change comes into force April 1, 2025.

Information Sharing

The regulatory amendments introduce measures to allow for reporting entities to share information with each other to detect and deter money laundering, terrorist financing, and sanctions evasion, while maintaining privacy protections for personal information.

Reporting entities that wish to share information (it’s voluntary) would be required to establish and implement a code of practice for disclosing, collecting and using personal information without consent. The code must:

  • describe the personal information of an individual that may be disclosed, collected or used without their knowledge or consent;
  • describe the purposes for which an individual’s personal information may be disclosed, collected or used without their knowledge or consent;
  • describe the manner in which an individual’s personal information may be disclosed, collected or used without their knowledge or consent;
  • describe the measures to be taken to ensure the protection of personal information, including measures concerning the retention of such information and the keeping of records; and
  • include information demonstrating that the code complies with the requirements of the Act.

The Code must be provided to the Office of the Privacy Commissioner of Canada (OPC) for approval, as well as to FINTRAC for comment in advance of use. The OPC must approve the code within 120 calendar days (an increase from the proposed 90 days in the draft amendments). The OPC will continue to have the ability to extend the deadline by an additional 15 days, provided it notifies the reporting entity. Reporting entities would be required to resubmit their Codes to the OPC and FINTRAC every five years regardless of changes or not. The OPC has published guidance on how to submit Codes for review and approval.

This change comes into force immediately.

Discrepancy Reporting

The amendments introduce a requirement for reporting entities dealing with a Canada Business Corporations Act (CBCA) corporation to report any material discrepancies found while obtaining and verifying the accuracy of beneficial ownership information under current AML requirements. The reporting requirement will not apply if the material discrepancy is resolved within 30 days (originally 15 days in the draft amendments) from the date it is identified. Currently, what is deemed to be material is not well defined (outside of missing beneficial owners). There are examples of what is considered not material.

The information with respect to the discrepancy includes:

  • Name of reported company and identifying number on its certificate of incorporation, amalgamation or continuance;
  • Date on which discrepancy was identified; and
  • Description of discrepancy.

This comes into force October 1, 2025.

New Reporting Entities

The regulatory amendments outline the inclusion of three new regulated entities, as announced in Budget 2024, which were highlighted as concerns during Canada’s last FATF mutual evaluation: factoring companies (referred to as “factors”), cheque cashing companies, and financing and leasing companies. These entities will be subject to the PCMLTFA as of April 1, 2025, and must implement compliance programs.

We have created a separate blog post for each of the newly regulated company types (factoring companies, cheque cashing companies, and financing and leasing companies) to make it easier to digest the requirements that apply to each of the new reporting entities.

What Next?

FINTRAC will be issuing and updating guidance related to the changes. While we await guidance, entities should start updating their compliance program and processes to reflect the new requirements as they apply to their business. New reporting entities should start working on developing their compliance program immediately if they have not already done so.

We’re Here To Help

If you would like assistance in understanding what these changes mean to your business, or if you need help in creating or updating your compliance program and processes, please get in touch.

FINTRAC Information Requests for Bitcoin ATM Operators

As compliance geeks, we’re compelled to open with some important caveats. This post is made by Outlier Compliance Group, which is a private consulting firm, and does not speak in any official capacity for the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Canada’s anti-money laundering (AML) regulator. If FINTRAC indicates something that does not align with the views expressed here, it’s safe to assume that their position is the correct one (and if that’s the case, please let us know).

What’s the issue?

Several clients and colleagues called us with questions about email requests for information received from FINTRAC in January/February 2025. These requests were received by virtual currency (VC) dealers that operate one or more automated teller machines (ATMs). To some, these emails seemed unusual, and in a time in which we’re all bombarded with scams, it makes sense to check the legitimacy.

As a first step, we always check the sender. In this case, the email was from MSBRegistration@fintrac-canafe.gc.ca which is a legitimate FINTRAC email address. All FINTRAC email addresses end in “@fintrac-canafe.gc.ca”. It is noteworthy that there may be some phishing red flags present, although these were legitimate emails:

  • The receiving company is not specified (other than by the receiver’s email address);
  • The intended recipient is not named (other than by the receiver’s email address), and at least one email that we saw was directed to “to whom it may concern”;
  • The request for information asks for a response by email, rather than a more secure channel such as Canada Post’s ePost service, which FINTRAC generally uses to receive information during examinations.

FINTRAC has confirmed that these requests for data are legitimate, and that businesses receiving the requests that prefer to send data via a secure method (ePost) may request to do so.

What’s being requested?

The subject line of the email is “Request for Wallet Addresses Information under subsection 63.1(2) of the PCMLTFA” and, as implied, FINTRAC is requesting comprehensive lists of the VC addresses used by the companies.

While the data being requested (virtual currency wallet addresses) is public in some ways (transactions are posted on public blockchains), not all wallets are attributed to specific businesses, and there are many reasons that a business may prefer to exchange this data with the regulator securely.

No time period is provided in the request, and for some companies, particularly those that use hierarchical deterministic wallet types, which generate new addresses for every transaction, this can mean thousands of addresses. If this is the case, we recommend reaching out to FINTRAC as soon as possible, as a smaller time period may suffice for the regulator’s analysis, depending on the transaction volumes.

What is Section 63.1(2) of the PCMLTFA?

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) section 63.1(2) reads:

Obligation to provide information

(2) The person or entity on whom the notice is served shall provide, in accordance with the notice, the documents or other information with respect to the administration of Part 1 or 1.1 that the authorized person may reasonably require.

In plain language, this means that FINTRAC has the right to request information from reporting entities, and they are exercising this right by sending the request that you’ve received.

Did you receive an email?

If you are a VC ATM operator, and you aren’t sure if you’ve received a request, check your e-mail (including spam and deleted folders) using the search terms:

  • Request for Wallet Addresses Information under subsection 63.1(2) of the PCMLTFA; and/or
  • MSBRegistration@fintrac-canafe.gc.ca.

We aren’t sure if this request was sent to all VC ATM operators, or only a select group (again, we don’t speak for FINTRAC), but if you did receive a request, it’s important to respond to it within the time indicated in the email. Like all requests from regulators, it is time sensitive.

Need a hand?

If you have questions about how to respond to FINTRAC’s request, or AML generally, please feel free to contact us here, or by email at info@outliercanada.com.

Return to Blog Listing