Regulatory Compliance in Canada: PCMLTFA, OSFI & Digital Identity

Canadian financial institutions must comply with the PCMLTFA as amended in April 2025, and Bill C-2. Core requirements include: enterprise-wide ML/TF risk assessments that are reasonably designed, risk-based and effective; customer due diligence and beneficial ownership verification; ongoing transaction monitoring; record-keeping for a minimum of five years; and timely Suspicious Transaction Reports to FINTRAC. Bill C-2 raised administrative monetary penalties to up to C$20 million per very serious violation, or 3% of gross global revenue for cumulative violations.

The PCMLTFA now requires compliance programmes to be “reasonably designed, risk-based and effective.” FINTRAC no longer accepts that policies exist only on paper. Examiners want evidence that company risk assessments evolve dynamically with emerging threats, that suspicious transaction reports reflect genuine analytical investigation, and that monitoring systems are calibrated against current typologies. This shift from documentation to demonstrable effectiveness is the most significant development in Canadian financial regulation right now.

Under the PCMLTFA, reporting entities must file: Suspicious Transaction Reports (STRs) — no monetary threshold, filed as soon as reasonably practicable when there are reasonable grounds to suspect ML or TF; Large Cash Transaction Reports (LCTRs) for receipts of C$10,000 or more; Electronic Funds Transfer Reports (EFTRs) for international transfers of C$10,000 or more; and cross-border currency reports for physical transport of C$10,000 or more. Records must be kept for a minimum of five years.

From December 15, 2025, a government-issued photo ID is mandatory for account opening, profile updates and certain high-risk transactions in Canada. This is a minimum regulatory requirement, not a ceiling — regulators expect identity controls to go beyond document validation as threats such as deepfakes and synthetic identities become more sophisticated. Biometric verification with liveness detection and injection attack protection is increasingly expected as a complement to document-based KYC.

Bill C-2 (Strong Borders Act) significantly increased FINTRAC’s penalty authority. A single “very serious” violation can now result in an administrative monetary penalty of up to C$20 million. For multiple violations, cumulative penalties are capped at the greater of C$20 million or 3% of gross global revenue. At this scale, compliance stops being overhead and becomes a balance sheet risk variable. Consequences extend beyond fines: reputational damage, counterparty withdrawal and market access restrictions can compound enforcement findings.

Canada operates a distributed regulatory model with no single super-regulator. OSFI supervises prudential compliance for banks under the Bank Act. FINTRAC enforces AML/CFT obligations under the PCMLTFA. The Bank of Canada supervises approximately 1,500 payment service providers under the RPAA. FCAC oversees consumer protection and open banking. Provincial securities commissions regulate securities and crypto assets through the CSA. Global Affairs Canada administers sanctions. The OPC oversees biometric and personal data under PIPEDA.

Canada is undergoing a FATF mutual evaluation in 2025–2026. The FATF assesses whether a country’s AML/CFT system actually works — not just whether laws exist. The 2016 evaluation found weaknesses in beneficial ownership transparency, ML prosecution beyond drugs and fraud, and sanctions enforcement. Canada has since introduced the federal Beneficial Ownership Registry, expanded reporting obligations, and information-sharing provisions effective March 4, 2025. The evaluation will test whether these reforms deliver measurable outcomes, and FINTRAC examiner intensity will increase regardless of the outcome.

The Retail Payment Activities Act (RPAA) brought retail payment service providers under Bank of Canada supervision. Registration subjects entities to ongoing oversight, mandatory risk management frameworks, segregation of end-user funds and incident reporting. The Act applies to both domestic and foreign PSPs serving Canadian customers. Approximately 1,500 payment firms now fall under this supervision. Retail payments are treated as infrastructure with systemic implications, requiring bank-grade operational discipline.

Canada’s Consumer-Driven Banking Act (CDBA) creates a framework for secure financial data sharing with third-party applications. Part 1 received Royal Assent in June 2024. Bill C-15 (full framework with accreditation, security requirements and a screen-scraping ban) was before Parliament as of March 2026. FCAC is the designated supervisory authority. Budget 2025 specifically referenced “phishing-resistant, device-bound multi-factor authentication” for digital banking. Phase 1 covers read access and data sharing; Phase 2 extends to write access and payment initiation.

PIPEDA governs the collection, use and disclosure of personal information in Canada’s private sector. In August 2025, the Office of the Privacy Commissioner issued guidance classifying biometric data as highly sensitive information. This requires: explicit consent before collection; purpose limitation to the stated use only; data minimisation; strict retention limits with deletion when the purpose is fulfilled; and appropriate security safeguards. Provincial privacy laws add additional requirements — Quebec’s Law 25 imposes stricter standards in some areas, and British Columbia and Alberta each have their own PIPA.

Canada launched its first National Anti-Fraud Strategy in October 2025, treating scams as organised financial crime rather than consumer protection issues. Canadians lost C$643 million to fraud in 2024 — a nearly 300% increase since 2020, with only 5–10% of scams reported. Forthcoming Bank Act amendments will require banks to implement fraud detection policies, obtain express consent before enabling high-risk capabilities, and report fraud data to FCAC. A dedicated Financial Crimes Agency (legislation expected Spring 2026) will investigate complex financial crime. The Canadian Anti-Scams Coalition — 50+ organisations from financial services, telecoms, digital platforms, law enforcement and government — is coordinating cross-sector prevention.

Synthetic identity fraud combines real and fabricated attributes to create fictitious personas that build credit histories gradually before exploitation — exactly what standard document-based KYC cannot detect alone. Mule networks use clusters of accounts to move laundered funds in small transactions below the C$10,000 reporting threshold, with accounts operating normally for months before activation. Both require network-level detection. Since March 2025, Canadian reporting entities can share information voluntarily to detect cross-institutional patterns. Effective detection requires 1:N biometric deduplication, behavioural analytics and network link analysis across accounts.