AMLBot Academy

Crypto Compliance in Canada: MSB Registration, AML Rules, and Key Requirements

AMLBot Team

12 min read
Updated: Apr 24, 2026
Crypto Compliance in Canada: MSB Registration, AML Rules, and Key Requirements

On March 26, 2026, two pieces of federal legislation received Royal Assent that materially expanded Canada's AML/CFT regulatory framework. The amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) introduced new statutory standards for compliance programs — requiring them to be "reasonably designed, risk-based, and effective" — strengthened the administrative penalty framework, and established universal FINTRAC enrolment for all reporting entities. The same legislative package enacted the Stablecoin Act, bringing stablecoin issuers serving Canadian users within the MSB registration perimeter for the first time. Canada is not a jurisdiction where crypto businesses can operate and figure out compliance later. Since 2014, when it became one of the first countries to extend AML legislation to virtual currency businesses, Canada has maintained a clear and increasingly rigorous regulatory framework — centered on FINTRAC (the Financial Transactions and Reports Analysis Centre of Canada) and the PCMLTFA. Any business that deals in virtual currency, transfers funds, or provides exchange services to persons in Canada must register as a Money Services Business, implement a full AML compliance program, verify customer identities, monitor transactions, and report suspicious activity.

This article explains who needs to comply with crypto regulations in Canada, how FINTRAC's MSB registration framework works, what AML requirements apply in practice, and what happens when businesses fail to meet those obligations.

Who Needs to Comply with Crypto Regulations in Canada

Crypto compliance in Canada is not limited to businesses physically located in the country. Under the PCMLTFA, both domestic and foreign entities that direct services at persons or entities in Canada are captured by the regulatory framework — regardless of where the business is incorporated or operates.

The categories of crypto businesses that must comply include:

  • Crypto Exchanges. Any entity that provides virtual currency exchange services — converting fiat to crypto, crypto to fiat, or crypto to crypto — on behalf of customers. This includes both centralized exchanges and platforms that facilitate peer-to-peer trading.
  • Virtual Currency Transfer Services. Entities that transfer virtual currency on behalf of clients — moving assets from one address or account to another at a customer's request.
  • Custodial Services. Businesses that hold, safeguard, or administer virtual currency or the keys that control access to it on behalf of customers.
  • Crypto Brokers and OTC Desks. Entities that facilitate large-volume or negotiated virtual currency transactions on behalf of institutional or individual clients.
  • Payment Processors Handling Virtual Currency. Businesses that accept virtual assets as payment on behalf of merchants or that settle merchant transactions in crypto.
  • Foreign Entities Serving Canadian Users. A business that does not have a place of business in Canada but directs any of the above services at persons or entities in Canada must register as a Foreign MSB with FINTRAC. FINTRAC guidance clarifies that a client is deemed to be "in Canada" if they have an address in Canada, the identity document used for verification was issued by a Canadian government, or their banking or payment service is based in Canada.
(Source: PCMLTFA, Part 1; FINTRAC, Guidance on Who Must Register as an MSB, fintrac-canafe.gc.ca)

The regulatory grey areas that remain concern fully decentralized, non-custodial services and DeFi protocols. FINTRAC has clarified that the MSB framework applies to entities that deal in virtual currency as a service to others — not to individuals using virtual currency for personal purchases, or to software developers who build non-custodial tools without providing services on behalf of clients. However, as the 2026 PCMLTFA amendments demonstrate, Canada's regulatory perimeter is expanding, not contracting. Businesses operating in grey areas should monitor FINTRAC's updated guidance and consider whether their operational model may trigger registration obligations.

FINTRAC and MSB Registration Explained

FINTRAC — the Financial Transactions and Reports Analysis Centre of Canada — is Canada's financial intelligence unit and the federal agency responsible for overseeing compliance with the PCMLTFA. For crypto businesses, FINTRAC is the primary regulator. Registration as a Money Services Business is the gateway to lawful operation.

What Is an MSB in Crypto

Under the PCMLTFA, a Money Services Business is any person or entity engaged in the business of foreign exchange dealing, remitting or transmitting funds, issuing or redeeming money orders or similar instruments, dealing in virtual currency, or providing crowdfunding platform services. The "dealing in virtual currency" category — added when Canada extended its AML framework to crypto in 2014 — captures the core activities of most crypto businesses.

In practical terms, FINTRAC considers a person or entity to be "dealing in virtual currency" if they provide virtual currency exchange services or virtual currency transfer services to customers. The distinction is functional: the regulation captures entities that provide services involving virtual assets to others, not individuals or businesses that use virtual currency for their own purchases.

(Source: PCMLTFA, s. 5(h.1); FINTRAC, Guidance on Money Services Businesses and Foreign Money Services Businesses, fintrac-canafe.gc.ca)

Unlike some jurisdictions (notably the EU under MiCA), Canada does not impose minimum capital requirements for MSB registration. There are no registration fees, and the application process is typically completed within six to eight weeks. However, the absence of upfront financial barriers does not mean the obligations are light — the compliance program requirements that follow registration are substantive, and FINTRAC enforces them through examinations and administrative monetary penalties.

When MSB Registration Is Required

MSB registration is required before a crypto business begins operations — not after. The triggers are:

  • Providing Exchange Services. Converting fiat currency to virtual currency, virtual currency to fiat, or one virtual currency to another — at the request of a customer.
  • Transferring Virtual Currency. Moving virtual assets from one address, wallet, or account to another on behalf of a client.
  • Holding a Permit, License, or Registration Related to These Services. FINTRAC guidance specifies that entities that hold any permit or license related to money services — or that advertise by any means that they provide such services — must register, even if the service has not yet been fully launched.
  • Directing Services at Canadian Users. Foreign entities that provide any of the above services to persons or entities in Canada must register as Foreign MSBs. This obligation applies regardless of physical presence in Canada.

Registration must be renewed every two years. Following the 2026 PCMLTFA amendments, both domestic and foreign MSBs must submit criminal record checks for their CEO, president, directors, and any person who directly or indirectly controls 20% or more of the entity — both at initial registration and at each biennial renewal.

(Source: PCMLTFA, as amended March 2026; Canada Gazette, Part 1, Vol. 158, No. 27 — MSB Registration Framework Amendments)

For a deeper exploration of Canada's crypto regulatory landscape, including provincial requirements (Québec's QMSBA, British Columbia's Money Services Businesses Act), see our webinar on crypto regulation in Canada explained.

Core AML Requirements for Crypto Businesses

Once registered as an MSB, a crypto business must implement and maintain a comprehensive AML/CFT compliance program. The March 2026 PCMLTFA amendments elevated this requirement by explicitly codifying that compliance programs must be reasonably designed, risk-based, and effective — a standard FINTRAC had applied in practice during examinations for years, but which now has direct statutory authority.

(Source: PCMLTFA, as amended March 26, 2026 — compliance programme standards)

In practical terms, the compliance program must include:

  • Designated Compliance Officer. A named individual with sufficient authority, access to information, and independence to oversee the compliance program. FINTRAC expects the compliance officer to have relevant financial sector experience and the ability to implement and enforce AML policies without organizational obstruction.
  • Written Policies and Procedures. Documented AML/CFT policies covering customer identification, risk assessment, transaction monitoring, reporting, record retention, and internal escalation. These policies must be current, reviewed regularly, and approved by senior management.
  • Enterprise Risk Assessment. A documented assessment of the money laundering and terrorist financing risks specific to the business — considering the nature of products and services offered, customer types, geographic exposure, delivery channels, and transaction volumes. The risk assessment must inform how compliance resources are allocated and how monitoring intensity is calibrated.
  • Employee Training Program. Regular, documented training for employees, agents, and any persons acting on behalf of the MSB — covering AML/CFT obligations, risk identification, internal procedures, and blockchain-specific risks relevant to the business's operations.
  • Biennial Effectiveness Review (Independent Testing). FINTRAC requires MSBs to conduct an independent review of their compliance program at least once every two years to assess whether the program is operating effectively and meeting regulatory requirements. This review must be conducted by a person who is independent of the compliance function.
(Source: FINTRAC, Compliance Programme Requirements, fintrac-canafe.gc.ca; PCMLTFA, as amended March 2026)

An MSB that has a written policy from 2022 that has never been updated, tested, or adjusted to reflect changes in its product mix, customer base, or risk profile will not meet the new statutory standard — even if the individual elements of the program are technically present. The 2026 amendments make it explicit that FINTRAC can find a violation on the grounds that a program fails to be effective, not just that it fails to exist.

💡
For a broader overview of how these requirements fit within the global AML framework, see our guide to AML Requirements for Crypto Businesses.

Transaction Monitoring and Risk Detection

FINTRAC expects registered MSBs to maintain systems capable of detecting suspicious transactions and identifying patterns consistent with money laundering or terrorist financing. In the crypto context, this means monitoring on-chain transaction activity — not just fiat banking flows — for risk signals that include:

  • Interaction with High-Risk Wallets. Transactions involving wallet addresses associated with mixers, sanctioned entities, darknet markets, ransomware, or known fraud clusters.
  • Structuring and Aggregation Patterns. FINTRAC specifically watches for transaction splitting — structuring deposits or withdrawals to stay below the CAD $10,000 large transaction reporting threshold, or failing to aggregate related transfers within a 24-hour period. Monitoring systems must flag patterns across multiple transactions, not just individual transfers.
  • Rapid Cross-Chain or Cross-Platform Movement. Funds that are deposited, converted, and withdrawn in rapid succession — or that move across multiple blockchains through bridge protocols — exhibit behavior consistent with layering techniques designed to obscure fund origins.
  • Inconsistency with Customer Profile. Transaction activity that is inconsistent with the customer's declared purpose, expected volume, or geographic profile — such as a retail customer suddenly processing institutional-scale volumes, or a customer in a low-risk jurisdiction receiving funds from high-risk regions.

Manual Monitoring — reviewing individual wallet addresses and transactions without automated support — does not scale and is consistently identified as a deficiency in compliance examinations.

💡
For crypto businesses processing meaningful transaction volumes, automated Crypto Transaction Monitoring Solutions are an operational necessity — enabling continuous risk assessment, real-time alert generation, and the documented audit trails that FINTRAC expects during examinations.

KYC Requirements in Canada

Customer identification and verification is a mandatory component of the AML compliance program for every registered MSB. Under the PCMLTFA and associated regulations, crypto businesses must verify the identity of their customers before conducting transactions or establishing a business relationship.

In practical terms, KYC requirements for crypto businesses in Canada include:

  • Customer Identity Verification. Verifying the identity of individual customers using government-issued photo identification or through a credit file, and verifying the identity of entity customers by confirming their legal existence and identifying their beneficial owners.
  • Beneficial Ownership Identification. For legal entity customers, identifying all individuals who directly or indirectly own or control 25% or more of the entity — and verifying their identity.
  • Ongoing Client Identification Obligations. KYC is not a one-time event. MSBs must keep customer information current and must re-verify identity when they have doubts about the accuracy of information previously obtained. The 2026 amendments also clarified the prohibition on anonymous accounts — closing a gap in the previous legislation by providing a precise statutory definition of what constitutes an anonymous client.
  • Third-Party Determination. MSBs must determine whether a customer is acting on behalf of a third party — and if so, verify the identity of that third party.
(Source: PCMLTFA, associated regulations on client identification; FINTRAC, Methods to Verify the Identity of an Individual, fintrac-canafe.gc.ca)
💡
For businesses seeking to implement or upgrade identity verification workflows, AMLBot offers a dedicated Crypto KYC Verification solution. For a detailed breakdown of KYC requirements across jurisdictions, see our guide to Crypto KYC Requirements.

Reporting Obligations and Record Keeping

Registered MSBs are subject to specific reporting obligations under the PCMLTFA — and failure to report is one of the most frequently cited violations in FINTRAC enforcement actions.

  • Suspicious Transaction Reports (STRs). MSBs must report to FINTRAC any financial transaction for which there are reasonable grounds to suspect that it is related to money laundering or terrorist financing. There is no minimum dollar threshold for STRs — the obligation applies regardless of transaction amount.
  • Large Virtual Currency Transaction Reports (LVCTRs). MSBs must report to FINTRAC any virtual currency transaction of CAD $10,000 or more — whether received in a single transaction or in multiple transactions within a 24-hour period that aggregate to $10,000 or more. The 24-hour aggregation logic is critical and is a specific area FINTRAC tests during examinations.
  • Terrorist Property Reports. MSBs must report to FINTRAC any property in their possession or control that they know is owned or controlled by a listed terrorist entity. Following the 2026 amendments, a new sanctioned property report category has been added, requiring reporting when MSBs hold property subject to Canadian sanctions regulations.
  • Electronic Funds Transfer Reports. MSBs must report international electronic funds transfers of CAD $10,000 or more, whether sent or received.

Record keeping requirements are equally specific. MSBs must retain records of all reported transactions, customer identification documents, transaction receipts, and compliance program documentation for a minimum of five years. Records must be maintained in a format that is accessible and retrievable for FINTRAC examination purposes.

(Source: PCMLTFA, Part 1, Reporting Requirements; FINTRAC, Reporting Obligations for MSBs, fintrac-canafe.gc.ca)

What Happens If You Don't Comply

The consequences of non-compliance with the PCMLTFA are concrete and escalating — particularly following the 2026 amendments, which strengthened FINTRAC's penalty framework.

  • Administrative Monetary Penalties (AMPs). FINTRAC has the authority to impose AMPs for violations of the PCMLTFA and associated regulations. Penalties can be applied per violation — meaning that a business with multiple compliance deficiencies across reporting, KYC, monitoring, and recordkeeping can face cumulative penalties that escalate rapidly.
  • Criminal Charges. Operating an MSB without registration, or willfully failing to comply with PCMLTFA reporting requirements, can result in criminal charges. Non-compliance offences under the PCMLTFA carry penalties that include fines and imprisonment.
  • Registration Revocation or Denial. FINTRAC can revoke or refuse to renew the registration of an MSB that fails to meet compliance requirements. Once registration is revoked, the business cannot lawfully operate — and the revocation is recorded in FINTRAC's public MSB registry.
  • Loss of Banking Access. Canadian banks and payment processors conduct their own due diligence on MSB clients. A crypto business that cannot demonstrate FINTRAC registration and a functioning compliance program will face immediate difficulty obtaining or maintaining banking relationships — a problem compounded by the fact that FINTRAC's public registry allows banks to verify registration status directly.
  • Provincial Exposure. Beyond the federal framework, crypto businesses may face additional obligations under provincial legislation. Québec's Money-Services Businesses Act (QMSBA) requires separate provincial MSB registration administered by Revenu Québec. British Columbia's Money Services Businesses Act (Royal Assent May 2023) will similarly require provincial registration once fully in force. Non-compliance at the provincial level compounds federal exposure.

How to Become Compliant in Canada

For crypto businesses entering the Canadian market — or existing operators assessing their compliance posture against the 2026 amendments — the path to compliance follows a defined sequence:

  • Determine Whether You Qualify as an MSB. Assess whether your business activities — exchange, transfer, custody, payment processing — trigger MSB registration under the PCMLTFA. If you serve Canadian users from outside Canada, assess whether you qualify as a Foreign MSB.
  • Register with FINTRAC. Complete the MSB registration through FINTRAC's online portal. Prepare the required information: corporate structure, beneficial ownership details, criminal record checks for key personnel (CEO, directors, 20%+ owners), and a description of services offered. Registration is free and typically processed within six to eight weeks.
  • Build Your AML Compliance Program. Appoint a compliance officer. Conduct an enterprise risk assessment. Draft written policies and procedures covering KYC, transaction monitoring, reporting, sanctions screening, Travel Rule obligations, and recordkeeping. Design and implement a training program for all relevant personnel.
  • Implement KYC and Customer Verification. Deploy identity verification procedures that meet FINTRAC's requirements — including government-issued ID verification, beneficial ownership identification, third-party determination, and ongoing client monitoring.
  • Deploy Transaction Monitoring. Implement automated systems capable of detecting suspicious activity, flagging structuring patterns, identifying high-risk wallet interactions, and generating the alerts and documentation required for STR filing and examination readiness.
  • Establish Reporting and Recordkeeping Systems. Configure systems to generate and submit STRs, LVCTRs, terrorist property reports, and EFT reports to FINTRAC within required timeframes. Embed the 24-hour aggregation logic for large virtual currency transactions into your operational workflow.
  • Schedule Your Biennial Effectiveness Review. Plan for independent testing of your compliance program within two years of launch — and track remediation of any findings to completion. The 2026 amendments make effectiveness a statutory requirement, not merely a best practice.

Conclusion

Crypto compliance in Canada operates within one of the most clearly defined and actively enforced regulatory frameworks in the world. The PCMLTFA, administered by FINTRAC, establishes specific obligations for MSB registration, AML program implementation, customer identification, transaction monitoring, suspicious activity reporting, and recordkeeping — and the March 2026 amendments have raised the statutory standard from "present" to "effective." For crypto businesses that operate in or serve users in Canada, the compliance pathway is straightforward: register, build the program, implement the controls, and prepare for examination. The cost of doing so is a known operational expense. The cost of not doing so — administrative penalties, criminal charges, registration revocation, and loss of banking access — is invariably greater.

FAQ

Do Crypto Companies Need to Register with FINTRAC in Canada?

Yes, most crypto businesses operating in or serving clients in Canada must register as a Money Services Business (MSB) with FINTRAC. This applies to exchanges, brokers, and platforms involved in transferring or managing crypto assets.

What Is MSB Registration in Crypto?

MSB registration is a requirement for crypto companies in Canada that perform activities like exchanging, transferring, or safeguarding digital assets. It allows FINTRAC to monitor compliance with AML regulations.

Is KYC Mandatory for Crypto Businesses in Canada?

Yes, crypto businesses must verify customer identity as part of their AML program. KYC helps prevent fraud, money laundering, and sanctions violations.

What Are AML Requirements for Crypto Companies in Canada?

Crypto companies must implement an AML program that includes risk assessment, internal controls, transaction monitoring, customer verification, and reporting of suspicious activity.

Do Foreign Crypto Companies Need to Comply with Canadian Regulations?

Yes, if they provide services to Canadian users or operate within Canada, they may be required to register as a Foreign MSB and follow local AML and KYC rules.

What Transactions Must Be Reported in Canada?

Crypto businesses must report suspicious transactions and large virtual currency transactions of CAD $10,000 or more to FINTRAC, as well as terrorist property and certain electronic funds transfers.

How Does FINTRAC Monitor Crypto Activity?

FINTRAC relies on reports from registered businesses, compliance examinations, and data analysis to detect suspicious behavior and enforce compliance with the PCMLTFA.

Do Non-Custodial Crypto Services Need to Comply with AML Rules?

It depends on the business model. Fully decentralized and non-custodial services may fall outside some requirements, but this remains a regulatory grey area that FINTRAC's updated guidance continues to narrow.

What Happens If a Crypto Company Does Not Comply with Canadian AML Laws?

Non-compliance can result in administrative monetary penalties, criminal charges, registration revocation, loss of banking relationships, and reputational damage.

What Tools Help Crypto Companies Stay Compliant in Canada?

Crypto businesses typically use KYC solutions for identity verification and Transaction Monitoring tools (KYT) to detect suspicious activity and manage risk in real time.

Sign up For More Like This

Enter your email
Subscribe