PCMLTFA / FINTRAC – Canadian AML

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) is the Canadian federal statute that establishes Canada's AML and counter-terrorist-financing framework. It is supervised and enforced by the Financial Transactions and Reports Analysis Centre of Canada – FINTRAC. Every fintech operating in or from Canada must determine whether it is a reporting entity, and if so, register with FINTRAC before offering services.

Who is a reporting entity

The Act covers banks, credit unions, trust and loan companies, life insurers, securities dealers, money services businesses (MSBs), real-estate brokers, accountants, casinos, and a handful of others. Most fintechs sit in the MSB category. Since 2020-06-01, foreign MSBs that direct services to Canadian customers are also obligated to register, even without a Canadian establishment. Operating without registration when registration is required is a criminal offence.

Crypto activities trigger MSB registration when an entity is in the business of dealing in virtual currency – exchange, transfer, custody. The PCMLTFA travel-rule rules for virtual currency apply at the CAD 1,000 threshold and require originator and beneficiary information to travel with the transfer.

The compliance program

The Act and its regulations require every reporting entity to maintain a compliance program with five mandatory elements:

• A designated compliance officer with the authority and resources to operate the program
• Written policies and procedures, kept current and approved by senior management
• A documented risk assessment covering products, services, channels, customer types, and geographies
• Ongoing training for staff, agents, and other authorized representatives
• A biennial effectiveness review, conducted by an independent reviewer, with a written report

FINTRAC examiners walk through each element. Programs that exist on paper but cannot show ongoing operation (training records, risk-assessment refresh, evidence of policy revisions in response to findings) routinely receive deficiency notices.

Customer identification and records

Identification methods are prescribed: government-issued photo ID method, credit-file method, dual-process method, affiliate or member method, and a few others. Each has its own data-capture and verification rules. Beneficial-ownership identification is required at lower thresholds than the U.S. and is one of the most-cited deficiency categories in FINTRAC notices.

Records must be retained for the prescribed periods (typically five years) and produced on demand. The records cover account information, transaction tickets, large-cash records, large-virtual-currency records, EFT records, beneficial-ownership records, and supporting documentation for STRs and other reports.

Reports and reporting cadence

• STR – Suspicious Transaction Report: filed as soon as practicable after measures are taken that allow you to determine the transaction is reportable. There is no calendar deadline, but unreasonable delay is itself a deficiency.
• LCTR – Large Cash Transaction Report: CAD 10,000+ in cash, filed within 15 days.
• LVCTR – Large Virtual Currency Transaction Report: CAD 10,000+ in virtual currency, filed within 15 days.
• EFTR – Electronic Funds Transfer Report: CAD 10,000+ EFT, filed within 5 working days.
• TPR – Terrorist Property Report: filed without delay.

Voluntary self-declarations of non-compliance are also part of the regime. Filing one before discovery materially reduces administrative monetary penalty (AMP) exposure if a deficiency is later identified.

FINTRAC examinations and enforcement

FINTRAC conducts compliance examinations on a risk-based cycle. Examiners review the program, sample records and reports, evaluate the risk assessment, test the effectiveness review, and walk individual transactions end-to-end. Findings can result in administrative monetary penalties, Notices of Violation, public name-and-shame, and criminal referral in extreme cases. The named-entity AMP regime has produced multi-million-CAD penalties against banks, casinos, and crypto exchanges.

How FinQub supports FINTRAC compliance

Every workflow event – customer identification, transaction screening, watchlist match, alert disposition, decision rationale – is logged to a hash-chained tamper-evident audit trail with framework tagging that includes PCMLTFA. Reportable-transaction triggers (LCTR, LVCTR, EFTR, STR) are first-class events with their own audit metadata. The biennial effectiveness review and examiner walkthroughs query the same chain rather than parallel reconciliations across vendor dashboards.

FinQub does not file reports on your behalf. The reporting entity remains the legal filer and is responsible for the suspicion determination, the report content, and timeliness. What FinQub provides is the operational substrate that produces the evidence FINTRAC examiners want and removes the parallel-reconciliation tax that consumes most of an exam cycle.