Canada Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Who regulates financial crime in Canada?

FINTRAC, the Financial Transactions and Reports Analysis Centre of Canada, is the national financial intelligence unit and the compliance supervisor for all entities covered under the PCMLTFA. That dual role is unusual. Most jurisdictions separate FIU analysis from supervisory enforcement; Canada doesn't. FINTRAC collects and analyzes financial intelligence, discloses it to law enforcement and national security agencies, and independently conducts compliance examinations. When it finds violations, it issues administrative monetary penalties under a published calculation framework.

OSFI, the Office of the Superintendent of Financial Institutions, supervises federally regulated financial institutions: banks, trust companies, and insurance companies. OSFI doesn't enforce the PCMLTFA directly. What it does is assess whether institutions have adequate AML governance, risk management, and control infrastructure. OSFI's Guideline E-13 sets supervisory expectations that go beyond the statutory minimum. When OSFI finds a gap during a prudential examination, it expects the board and senior management to fix it, and it follows up.

FCAC, the Financial Consumer Agency of Canada, protects consumers of financial services. Its AML relevance is indirect: conduct issues that intersect with customer rights can draw FCAC scrutiny alongside FINTRAC review.

The RCMP's Financial Crime Program handles major money laundering, fraud, and corruption investigations. Integrated Proceeds of Crime (IPOC) units are joint RCMP and provincial police teams that target ML proceeds cases using intelligence FINTRAC discloses to law enforcement.

Canada is a FATF member. The 2016 FATF Mutual Evaluation of Canada found weaknesses in beneficial ownership transparency and FINTRAC's enforcement posture. Both findings drove subsequent legislative amendments.

What are the key AML and fraud laws in Canada?

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) is the backbone. Enacted in 2000 and substantially amended in 2006, 2014, 2019, and 2022, it defines who is a reporting entity (banks, credit unions, money services businesses, real estate brokers, casinos, dealers in precious metals and stones, accountants, and others), specifies what reports must be filed, and sets CDD and record-keeping obligations. Everything else flows from here.

The Criminal Code of Canada establishes the ML offense under s.462.31: knowing that property is proceeds of crime, converting, concealing, or possessing it. Penalty on indictment: up to ten years imprisonment.

The Corruption of Foreign Public Officials Act (CFPOA) criminalizes bribery of foreign public officials. It's relevant for banks with correspondent relationships in high-risk jurisdictions and for clients operating internationally. The SNC-Lavalin prosecution under the CFPOA was the highest-profile Canadian test of the statute.

PIPEDA, the Personal Information Protection and Electronic Documents Act, governs how personal data is collected, used, and disclosed. It creates a genuine tension for compliance teams: the PCMLTFA requires collecting customer information and retaining it for five years, while PIPEDA imposes consent and retention limits. AML purposes fall under PIPEDA's law enforcement exception, but cross-border data transfers to third-party processors still require contractual protections. Bill C-27 (the Consumer Privacy Protection Act) would replace PIPEDA and increase penalties to 5% of global annual revenue, but had not received Royal Assent as of mid-2026.

Canada's framework maps closely to the FATF standards. A risk-based approach is required by both FINTRAC and OSFI: institutions must calibrate controls to actual ML/TF exposure, not run uniform procedures across all customers and products. FATF Recommendation 10 on customer due diligence and FATF Recommendation 11 on record-keeping are directly implemented in the PCMLTFA and its Regulations.

Sanctions law is separate from FINTRAC reporting. Canada runs autonomous sanctions through the Special Economic Measures Act (SEMA), the United Nations Act, and the Justice for Victims of Corrupt Foreign Officials Act (the Magnitsky law). Lists are maintained by Global Affairs Canada and must be screened against independently of FINTRAC filing obligations.

What controls do Canada regulators expect?

Every reporting entity under the PCMLTFA needs a compliance program with five elements: written policies and procedures, a designated compliance officer at the senior management level, a written risk assessment, an ongoing employee training program, and a two-year effectiveness review. Miss any one of these and FINTRAC can issue a penalty before examining anything else.

Customer due diligence is mandatory at account opening and on an ongoing basis. For individual customers, identity verification must use a FINTRAC-approved method: government-issued photo ID, credit bureau confirmation, or a dual-process approach combining two independent sources. For corporate clients, banks must verify the entity's legal existence and identify all ultimate beneficial owners holding 25% or more of shares or voting rights.

Transaction monitoring must be risk-based. FINTRAC doesn't mandate a specific system, but it expects institutions to detect suspicious patterns and file an STR within 30 days of forming reasonable grounds to suspect a transaction is related to ML or TF. There's no monetary threshold for STRs. Large cash transaction reports (LCTRs) are required for any single cash transaction of CAD 10,000 or more. Electronic funds transfer reports (EFTRs) cover international transfers of CAD 10,000 or more.

Sanctions screening against Canada's Consolidated Autonomous Sanctions List is required before processing transactions or opening accounts. This list is maintained by Global Affairs Canada and updated without notice when new designations are made.

PEP screening is statutory under the PCMLTFA. Reporting entities must take reasonable measures to determine whether a customer is a domestic PEP, a foreign PEP, or a head of an international organization. Foreign PEPs require enhanced measures: senior management sign-off for new relationships and more intensive ongoing monitoring. FATF Recommendation 12 sets the global standard Canada follows, and FINTRAC has penalized institutions specifically for weak PEP identification procedures.

Record-keeping obligations run for five years from the end of the business relationship. The specific records required depend on the type of entity and transaction, but broadly cover identity verification documents, transaction records, and correspondence related to financial activity.

What is unique about compliance in Canada?

Several things consistently trip up foreign banks entering Canada.

Real estate is the sector with the most documented ML risk. The Cullen Commission (British Columbia, June 2022) found that approximately CAD 5.3 billion was laundered through the province in 2018 alone, based on academic estimates commissioned by the inquiry. The Commission documented a specific pattern at Lower Mainland casinos where staff accepted large volumes of cash from known associates of drug trafficking networks, with the funds then moving into luxury real estate. FINTRAC's examination of real estate brokers and developers has increased sharply since the report's publication.

Beneficial ownership transparency moved faster in Canada than in most G7 countries. The Canada Business Corporations Act was amended to require corporations to maintain a register of individuals with significant control. The federal government launched a public beneficial ownership registry in January 2024 through Corporations Canada. Provincially incorporated companies remain subject to separate provincial rules, which are less consistent. For banks assessing corporate customers, the federal registry is a useful starting point but doesn't cover the full picture. FATF Recommendation 15 on new technologies is relevant here: regulators expect institutions to use digital registry data in their CDD processes.

Crypto and VASP regulation is ahead of many comparable jurisdictions. Cryptocurrency exchanges and crypto asset trading platforms must register as money services businesses with FINTRAC and comply with the full PCMLTFA regime. FINTRAC has examined several platforms since 2020 and has issued penalties in the sector.

Correspondent banking creates dual exposure. Canada's large banks clear US dollars through US correspondent institutions, which means AML obligations under both FINTRAC and FinCEN can apply to the same transaction flows. Teams managing Canadian operations should read the US AML compliance framework alongside the Canadian rules.

Credit unions are provincially regulated, not OSFI-supervised, and their AML compliance oversight sits with provincial authorities. The quality of supervision varies by province. For banks with correspondent or referral relationships to credit unions, this fragmentation matters.

Finally: FINTRAC reports can be filed in English or French. Under the Official Languages Act, federally regulated entities must be capable of serving customers in either official language.

Recent enforcement actions in Canada

FINTRAC's enforcement posture hardened significantly between 2020 and 2024. The regulator moved from predominantly educational guidance to formal penalty proceedings with published decisions.

The most consequential recent case involves TD Bank. In October 2024, TD Bank's US subsidiary pleaded guilty to conspiracy to commit money laundering and Bank Secrecy Act violations, paying USD 3.09 billion in combined penalties to the Department of Justice, FinCEN, and the OCC. The violations included systematic failures to monitor billions of dollars in transactions linked to drug cartel proceeds moving through US and Canadian accounts. FINTRAC separately issued an administrative monetary penalty against TD Bank in Canada for related control failures. FINTRAC publishes all AMP decisions at fintrac-canafe.gc.ca.

In 2022, FINTRAC assessed penalties against multiple MSBs and a real estate brokerage for deficiencies including missing LCTR filings, incomplete CDD records, and failure to complete the mandatory two-year effectiveness review. These cases reflect the enforcement priorities FINTRAC has consistently communicated.

The Cullen Commission's 2022 report was not itself an enforcement action, but it produced referrals to the RCMP and BC Securities Commission regarding specific casino operators and real estate practitioners.

For context on the monitoring failure pattern that FINTRAC now examines, the HSBC 2012 enforcement action is the canonical global case: a systematic breakdown in transaction monitoring that allowed drug cartel proceeds to move undetected for years. The Westpac 2020 enforcement action involved 23 million AUSTRAC reporting failures, including correspondent banking transactions that clearly warranted STRs. Both patterns are precisely what FINTRAC's examination teams now look for in Canadian institutions.

What foreign banks operating in Canada need to know

Foreign banks have two structural options under the Bank Act: a Schedule II bank (full federally regulated subsidiary) or a Schedule III branch. Schedule II subsidiaries are subject to full OSFI prudential supervision. Schedule III branches face one hard restriction: they can't accept deposits under CAD 150,000 from the general Canadian public. Both structures require approval from the Minister of Finance.

Licensing timelines run 12 to 18 months for a full subsidiary. OSFI manages the application process, and it's thorough: expect fit-and-proper assessments of directors and senior officers, detailed business plan review, capital adequacy analysis, and governance documentation.

There's no statutory Canadian-residency requirement for an MLRO in the PCMLTFA, but OSFI's supervisory practice effectively requires senior compliance staff based in Canada. OSFI holds boards and senior management accountable for AML governance, and a named compliance officer in-country is standard for all federally regulated institutions.

STR deadlines are strict. Thirty days from forming reasonable grounds to suspect. There's no consent regime (unlike the UK, no need to seek FINTRAC approval before proceeding with a transaction). However, disclosing that an STR has been filed is prohibited under s.8 of the PCMLTFA. This creates a specific staff-training requirement: employees must understand they can't tell a customer about a report.

Outsourcing compliance functions to a parent entity or group platform requires documentation. OSFI's Guideline B-10 on technology and operational risk from third-party arrangements applies. When personal data is processed outside Canada, PIPEDA requires contractual protections equivalent to Canadian standards. This limits how far a foreign parent's compliance infrastructure can handle Canadian customer data without local data-handling agreements.

FINTRAC reporting is electronic through the F2R portal. STRs, LCTRs, and EFTRs must all be filed via the portal. Foreign banks must build and test these technical integrations before launch. FINTRAC offers test environment access during the pre-launch period.

How FluxForce supports Canada compliance

FluxForce maps directly to what FINTRAC and OSFI examine. Real-time transaction monitoring flags suspicious patterns and generates STR draft documentation before the 30-day filing clock becomes a problem. Automated sanctions screening covers Canada's Consolidated Autonomous Sanctions List alongside OFAC, UN, and EU lists in a single workflow. PEP screening and adverse media screening handle domestic and foreign PEP categories as required by the PCMLTFA. Every decision is stored with full audit documentation, which simplifies responses when FINTRAC's examiners arrive. Book a demo to see how FluxForce fits a Canadian compliance program.