The Sumsuber

Verification knowledge hub

Canada Amends its AML Law—Here’s What Changed and How to Comply [Updated July 2021]
4 min read

Canada Amends its AML Law—Here’s What Changed and How to Comply [Updated July 2021]

In June 2021, amendments to the PCMLTFA, Canada’s AML law, came into force. FINTRAC, Canada’s financial regulator, will only begin assessing compliance with the amendments on April 1st, 2022. This gives businesses some time to prepare; our article can help.

The highlights

  1. Who’s affected
  2. What’s changed
  3. Sanctions
  4. What’s next

Who’s affected

The new updates impact Canadian and foreign businesses that are obligated to follow Canadian AML law and report to FINTRAC (the Financial Transactions and Reports Analysis Centre of Canada). These include:

  • Financial institutions (banks, credit firms, etc.);
  • Money Service Businesses (crypto companies, foreign exchanges, etc.);
  • Insurance companies;
  • Real estate businesses;
  • Casinos;
  • Security dealers;
  • Accounting firms;
  • Agents of the crown;
  • British Columbia notaries;
  • Dealers in precious metals and stones.

Notably, certain non-Canadian businesses must also comply with the new AML requirements. These are so-called foreign Money Service Businesses—companies that don’t have a place of business in Canada but direct and provide their services to Canadians. This can be an offshore crypto platform that advertises to and onboards Canadian users.

What’s changed

From unified PEP checks to new reporting obligations, the latest amendments have introduced several key changes that require businesses to revise their KYC and KYB procedures. Click on the toggles to see a detailed analysis of all the major updates:

Before: There was no requirement to keep records and file reports for large crypto transactions.

After: All businesses must keep a “large virtual currency transaction record” and file reports to FINTRAC if they receive C$10,000 (around $8,000/€6,800) and more in cryptocurrency within 24 hours.

How to comply: The new amendments require businesses to record information about crypto transactions over C$10,000. This should include:

  • The date of the transfer;
  • Names, addresses, and date of births of participants in the transaction;
  • The amount and type of cryptocurrency;
  • The exchange rate;
  • All other transaction identifiers.

This information must be sent to FINTRAC via the web reporting system within five working days after the transfer.

Note that the latest rules have simplified transaction reporting. While previous obligations required filing a separate report for each transaction over C$10,000, the new requirements permit businesses to create a single report for all transfers made by a customer within 24 hours. This is called the 24-hour rule; and it works for both electronic and crypto transfers.

Before: The FATF Travel Rule only targeted financial institutions that send or receive electronic fiat transfers.

After: The Travel Rule now extends to crypto and electronic fiat transfers made by financial institutions, domestic and foreign Money Service Businesses, and casinos.

How to comply: Businesses must collect names, account numbers, and addresses of senders and recipients in crypto or electronic fiat transfers over C$1,000 (around $800/€680).

In most cases, companies have already collected personal data on a given client during the initial KYC process. This means that clients only need to provide information about the person they are sending money to. 

Also, financial platforms are required to share Travel Rule data on transacting parties.

To safely transmit data, businesses can join a data sharing network, such as OpenVASP, Shyft, or Trisa. To become a member, businesses must submit an application and undergo due diligence procedures.

Learn how to comply with the Travel Rule in the most efficient way with our ultimate guide.

Before: Only financial entities, securities dealers, life insurance companies, and money services had to check beneficiaries.

After: When entering into a partnership with another legal entity, businesses must verify the identities of any beneficiaries as part of their KYB procedure. Importantly, businesses must update this information on an ongoing basis.

How to comply: Businesses must collect and verify two types of data: 1) information about the partner company and 2) the identities of the beneficial owners. Let’s take a closer look:

  1. Information about beneficiaries. This includes names of directors as well as the names and addresses of other beneficiaries. Under Canadian legislation, beneficial owners are individuals who directly or indirectly own or control at least 25% of a company, regardless of where the company is located. Businesses need to perform a standard KYC/AML procedure to obtain and confirm the identities of beneficiaries;
  2. Information on company ownership, control, and structure. Businesses must identify legal entities and natural persons who have a percentage of shares in the company. It’s important to record the total percentage of shares owned along with the names of every individual involved.

Businesses can verify beneficial ownership through a partner company’s corporate documents or external data sources. The latter could include the securities and shareholders registers, articles of incorporation, etc.

Before: Only financial entities, securities dealers, money services businesses, and life insurance companies were subject to Politically Exposed Persons (PEP) screenings.

After: All businesses must check whether a customer is a PEP, HIO (Head of International Organization), or an associate of either at the onboarding stage.

How to comply: To determine whether clients are PEPs, businesses must screen them against domestic and international PEP lists. Since it’s hard to guarantee that these lists are updated on a regular basis, it’s best to supplement with adverse media checks.

If a client happens to be a PEP, the business must request that he or she submits their sources of funds and wealth or determine this through publicly available data.

Learn about PEP onboarding red flags and how to deal with them in our comprehensive guide.

Before: Businesses that offered prepaid payment products weren’t subject to AML regulations.

After: Financial and insurance businesses that issue prepaid payment products (like prepaid cards) have to follow AML requirements.

How to comply: Businesses must verify account holders, conduct suspicious activity reporting, and establish record-keeping, among other key AML obligations. KYC checks must also be performed on payments of C$1,000 (around $800/€680) or more to these accounts.

We’ve made a guide on all verification methods available in Canada and how to use them—check it out here.


Fines for non-compliance with AML regulations in Canada range from just one Canadian dollar to C$500,000 (around $400,000/€340,000) per violation. The exact amount depends on the degree of the breach. For instance, a one-time failure to report a large transaction can cost businesses up to C$1,000 (around $800/€680), while repeat violations of record-keeping obligations can result in fines of up to C$500,000.

Severe violations of these AML rules can lead to even greater penalties. For instance, multiple suspicious activity reporting violations carry fines of up to С$2 million ($1,6m/€1,4m) and/or 5 years imprisonment for directors, AML officers, or any other individual involved.

What’s next

The latest amendments to Canada’s AML laws have wide implications for both domestic and foreign businesses. Although FINTRAC will only begin enforcement in April 2022, businesses should use this time wisely to get fully compliant and avoid severe sanctions.

We’ll continue to track AML changes in Canada and will update this article on an ongoing basis. Save it to your reading list so you don’t miss any important news.

Staying compliant with new FINTRAC requirements can be much easier with our complete AML/KYC solution. Request a demo.

See Sumsub in action