Recent developments in anti-money laundering regulation

Overview of Canada’s anti-money laundering legislation

Money laundering refers to disguising the origins of money obtained through criminal activity, making it appear as though it comes from legitimate sources. Canada’s Criminal Code sets out offences related to money laundering that apply to all Canadians. These offences include not only dealing with the proceeds of crime or being reckless as to such dealings, but also conspiracy, aiding or abetting in such dealings. Importantly, the Criminal Code has a wide jurisdictional scope. Even if an act is legal in another country, any proceeds derived from it are still treated as proceeds of crime in Canada if that same act would be considered illegal under Canadian law if it were conducted in Canada.

Unlike the Criminal Code, the PCMLTFA—administered by FINTRAC—only applies to certain reporting entities (REs) which are considered higher-risk for money laundering, including financial entities, securities dealers and money services businesses (including certain PSPs and other fintechs). It imposes compliance obligations on REs and enables FINTRAC to collect financial intelligence in order to detect and deter money laundering and terrorist financing. These obligations include:

1. Compliance program. Appointing a chief AML officer (CAMLO), conducting risk assessments of products and clients, and conducting an effectiveness review every two years.
   • Know Your Client (KYC) procedures. Ascertaining client identity in accordance with the PCMLTFA, including beneficial ownership and third-party determination, and politically exposed person (PEP) screening.
2. Transaction monitoring. Establishing processes to identify suspicious activity and monitor clients based on their risk levels.
3. Transaction reporting. Submitting certain reports to FINTRAC, including suspicious transaction, large cash and virtual currency transaction reports, and electronic funds transfer reports.
4. Record keeping. Retaining records, generally for five years, depending on record type.

In recent years, spurred by FATF changes, the federal government has actively expanded the scope of the PCMLTFA. Four updates are of particular relevance for financial institutions (FIs):

• Reporting entity categories. Recent amendments to the PCMLTFA have expanded the categories of REs to include mortgage lenders, brokers and administrators, factoring companies, cheque cashing entities (considered MSBs) and entities involved in the financing or leasing of personal property. Effective October 1, 2025, title insurers and acquirer services in relation to private automated banking machines will also become REs. FIs should ensure that their clients with activities in these categories are complying with the PCMLTFA or require them to justify why they are exempt.
• Sanctions evasion reporting. REs must submit a suspicious transaction report to FINTRAC without delay if they reasonably suspect a transaction or attempted transaction is related to the commission or attempted commission of money laundering, terrorist financing, or sanctions evasion. Sanctions evasion consists of violations of the United Nations Act (UN Act), the Special Economic Measures Act (SEMA) or the Justice for Victims of Corrupt Foreign Officials Act (Sergei Magnitsky Law) (JVCFOA). FINTRAC has identified certain tactics used to circumvent sanctions, including using intermediary jurisdictions to set up complex networks of shell and front companies and non-resident bank accounts, and using alternative financial channels, including cryptocurrencies and other emerging financial technologies.
• Listed person or entity property reports. Formerly known as “Terrorist Property Reports”, as of October 1, 2025, REs must immediately report to FINTRAC—in addition to the existing obligation to report to the RCMP or CSIS—any property in their possession or control that belongs to individuals or entities designated under Canadian sanctions legislation (the Criminal Code, the UN Act, SEMA or JVCFOA). REs should understand the different reporting standards: the Criminal Code requires reporting when one knows that the property is owned or controlled by or on behalf of a terrorist group, whereas the UN Act, SEMA and JVCFOA require reporting when there is a reason to believe that property is owned, held or controlled (directly or indirectly) by a listed or designated person.
• Information sharing. As of spring 2025, REs may voluntarily share information with each other, without client consent, if it is reasonable for detecting or deterring money laundering, terrorist financing or sanctions evasion, and if client knowledge or consent would undermine these efforts. The receiving RE can only use the information for these purposes. Before sharing, REs must create and submit a code of practice to the Office of the Privacy Commissioner for approval and to FINTRAC for review. However, details on how and with whom information will be shared remain unclear.

Looking ahead, the federal government has proposed further changes to the PCMLTFA through Bill C-2, the Strong Borders Act, introduced in June 2025. Key amendments include an increase in administrative monetary penalty amounts by a factor of 40 and mandatory registration for all REs (not just MSBs and foreign MSBs). Additionally, Bill C-2 would prohibit certain REs, as well as persons or entities engaged in a “business, profession or the solicitation of charitable financial donations from the public”, from accepting cash payments, donations or deposits of $10,000 or more in a single transaction or series of related transactions. FIs would also be precluded from accepting any third-party cash deposits. These changes significantly broaden the PCMLTFA’s scope and may accelerate a shift toward digital payments and virtual currencies for both legitimate and illegitimate transactions.

Considerations for banking MSBs and PSPs

In the payments space, the Retail Payments Activities Act (RPAA), which is administered by the Bank of Canada, was enacted in 2021 to regulate PSPs by protecting end-user funds and managing operational risk. The RPAA contains registration and reporting requirements and provides for information sharing between the Bank of Canada and FINTRAC. Notably, the RPAA’s registration requirements came into effect on September 8, 2025.

Under the RPAA, PSPs must use a trust account, or a segregated account with insurance or a guarantee to safeguard end-user funds from creditors if the entity fails. MSBs and PSPs may be viewed as higher risk clients to bank, and smaller FIs should ensure that they are comfortable with the risks of banking them and have appropriate policies and procedures to mitigate the risks. FIs should ensure that a MSB or PSP account holder meets applicable registration requirements (or have a valid reason for exemption). Additionally, fintechs are increasingly stepping outside the mould of traditional banking, including by becoming dealers in virtual currency. Of note for a bank are situations where a fintech offers digital vaults to store digital currency (i.e., a virtual safety deposit box). This falls outside the scope of the MSB or PSP, and therefore the fintech would not be subject to the rigorous requirements of the PCMLTFA or RPAA. FIs wishing to bank with such a client would need to consider the risks under both the PCMLTFA and the Criminal Code. Further, some of the smaller/medium-sized banks that are not direct settlement clearers may be constrained by the risk tolerances of their direct clearers.

Conclusion

As Canada’s regulatory landscape continues to evolve and in light of FINTRAC’s propensity to levy administrative monetary penalties, FIs must stay informed in order to navigate growing compliance complexities.