FINTRAC Identification Requirements: The Complete KYC Guide for MSBs

FINTRAC Identification Requirements: KYC Rules for MSBs in Canada

FINTRAC requires every regulated business to identify its clients before or at the time of certain transactions. For money services businesses, this means verifying who your client is, confirming their identity using one of three approved methods, determining whether they are acting on behalf of someone else, and keeping records of what you collected.

These are your Know Your Client obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. They are not optional, and failing to follow them correctly is one of the most common findings during a FINTRAC examination.

Here is exactly how they work.

What This Article Covers

When identification is required and what the applicable thresholds are
Three approved methods for verifying individual client identity
How to identify business clients and confirm beneficial ownership
Politically exposed persons (PEPs) and heads of international organizations
Third-party determination obligations
Record keeping requirements and how long to store them
Common identification failures during FINTRAC examinations
Identification records when buying an MSB

When Are You Required to Identify a Client?

Not every transaction triggers an identification obligation. The threshold depends on the type of service your MSB provides.

Transaction Thresholds for MSBs

Cash Transactions

$3,000 or more

You must identify the client for any cash transaction at or above this amount.

Funds or Value Transfers

$1,000 or more

Identification is required when you send or receive $1,000 or more on behalf of a client.

Virtual Currency

$1,000 or more

Any transaction involving virtual currency, including buying or selling cryptocurrency on a client’s behalf.

Currency Exchange

$3,000 or more

Identification is required for any exchange of $3,000 or more in foreign currency.

The 24-Hour Aggregation Rule Applies Here Too

If a client conducts multiple transactions with your business in a single 24-hour period that together meet or exceed the applicable threshold, you must treat them as a single transaction. The identification obligation applies to the aggregate, not each individual transaction.

This means your staff need to be checking whether a client has transacted earlier in the day before deciding whether identification is required on a new transaction.

How to Identify an Individual Client

FINTRAC gives you three approved methods to verify a client’s identity. You must use one of them. Making a judgment call based on something else is not compliant, regardless of how confident you are in the result.

Government-Issued Photo ID

In-Person

This is the most straightforward method and the one most businesses default to for in-person transactions.

You ask for a government-issued document that shows the client’s name, photograph, and either a date of birth or address. Common examples include a driver’s licence, passport, and provincial health card where permitted.

The document must be valid, meaning it must not be expired. You check it in person, confirm it appears genuine, and record the document type, number, jurisdiction of issue, and expiry date.

You cannot use a photocopy of the document for this method. The review must happen in person.

Credit File Method

Remote

This method is used when the client is not physically present or when you want to verify identity electronically.

You confirm the client’s identity by referring to information held by a Canadian credit bureau, provided the credit file has been active for at least three years. You use the file to match identifying information the client provides against what the bureau holds on record.

The credit file must come from a recognized Canadian credit agency. Foreign credit files do not satisfy this requirement.

Dual Process Method

Two Sources

If neither of the first two methods is suitable, you can use the dual process method. This involves consulting two separate, reliable sources that together confirm the client’s identity.

The combination must confirm at least two of the following: the client’s name and address, the client’s name and date of birth, or the client’s name and a confirmation that they hold an account at a Canadian financial institution.

Examples of sources that qualify include utility bills, bank statements, government correspondence, or similar documents. Both sources must be independent of each other and independent of the client.

Identifying Clients Who Are Not Present

For remote transactions, you cannot use the in-person photo ID method unless an agent completes the verification on your behalf.

Most remote identification uses the credit file method or the dual process method. FINTRAC also permits the use of an identification service provider, a third-party company that verifies identity against authoritative sources, provided the service meets FINTRAC’s standards.

The method you use must be recorded with the results. We verified the client online with no further documentation is not compliant.

How to Identify a Business Client

When your client is a corporation, partnership, or other legal entity rather than an individual, the identification process is different.

What You Must Confirm for a Business

You need to verify the existence of the entity and confirm that the person transacting on its behalf has the authority to do so.

To verify the entity’s existence, you review documentation such as a certificate of incorporation, articles of association, a partnership agreement, or an equivalent document issued by the relevant government authority. The document must confirm the entity’s name and its nature.

Beneficial Ownership

This is the part of business client identification that most MSBs do not handle correctly.

For any business client, you are required to take reasonable steps to confirm the identity of every individual who owns or controls 25 percent or more of the entity. These are the beneficial owners.

You do this by asking the client directly and recording the information they provide. You also take reasonable steps to verify that information, which may include reviewing ownership documents, corporate registers, or other reliable sources.

Reasonable steps does not mean accepting whatever the client tells you without any verification. It means making a genuine effort to confirm what you are told against available documentation. If you cannot confirm beneficial ownership, that is a risk factor that must be documented and considered as part of your ongoing client risk assessment.

Politically Exposed Persons and Heads of International Organizations

FINTRAC requires you to determine whether a client is a politically exposed person (PEP) or head of an international organization (HIO). These are individuals who hold or have held senior public positions and whose financial activity may carry a higher risk of corruption or money laundering.

Who Qualifies as a PEP or HIO

Domestic PEPs include Canadian heads of state, senators, members of parliament, senior government officials, and judges of the Supreme Court.

Foreign PEPs are individuals who hold or have held equivalent positions in foreign governments.

HIOs are individuals who lead or have led an international organization such as the United Nations or NATO.

Close family members and known associates of PEPs and HIOs may also fall under enhanced scrutiny.

What You Must Do When a Client Is a PEP or HIO

For domestic PEPs and HIOs, you must take reasonable measures to determine whether a client falls into this category and, if so, treat the relationship as higher risk in your ongoing monitoring.

For foreign PEPs, the obligations are stricter. You must determine that the source of funds is consistent with your knowledge of the client, take enhanced measures to assess the risk of the relationship, and obtain senior management approval before proceeding with the transaction.

These requirements apply at account opening and on an ongoing basis as your client relationship develops.

Third-Party Determination

Every time a client transacts in a way that triggers an identification obligation, you must also determine whether they are acting on behalf of a third party.

A third party is someone other than the client who instructed the transaction or who is the real beneficiary of it.

Ask the client directly. If a third party is involved, collect their name, address, date of birth for individuals, and the nature of their relationship to the client. This goes into your records alongside the identification information. Missing it is a separate finding from an incomplete identification record.

Record Keeping for Client Identification

Collecting identification is only half the obligation. Keeping accurate, complete records of what you collected is the other half.

What You Must Record

For every identification you conduct, your records must include:

The client’s name
The method you used
The document type and number if applicable
The jurisdiction that issued it
The date the verification was performed

For business clients, records must include the name and nature of the entity, the names of beneficial owners, and the documents you relied on to verify existence and ownership.

For PEPs and HIOs, you must record the determination you made, the information you relied on, and any enhanced measures taken.

How Long to Keep Records

Retention Period

At least 5 years from the date of the transaction

For ongoing client relationships, the five years runs from the date of the last transaction.

Records must be stored in a way that allows you to produce them quickly during an examination. Records that technically exist but cannot be retrieved efficiently are a practical compliance failure.

Common Identification Failures During FINTRAC Examinations

Four gaps appear regularly when FINTRAC reviews MSB identification practices.

Using expired documents. Staff accept a driver’s licence or passport without checking the expiry date. The document looked valid. It was not.

Not aggregating same-day transactions. A client buys $2,000 in foreign currency in the morning and another $2,500 in the afternoon. Both fall under the $3,000 threshold individually. Together they exceed it. No identification is collected because neither transaction triggered the check in isolation.

Incomplete beneficial ownership records. The corporate client is identified, but nobody collected the names of the individuals who own 25 percent or more of it. The entity record exists. The beneficial ownership record does not.

No record of the identification method. The client was identified, but the file only shows a copy of the document. There is no record of which method was used, the document number, or the date of verification. During an examination, an incomplete record is treated similarly to no record at all.

How Identification Requirements Connect to Your Compliance Program

Your identification procedures are a required component of your MSB compliance program under the PCMLTFA.

The program must document the steps your staff follow when a transaction hits an identification threshold, the method used for in-person versus remote clients, how they handle business clients and beneficial ownership, how PEP and HIO determinations are made, and how records are stored and retrieved.

If a FINTRAC examination finds identification gaps, the next question is whether your compliance program required the right steps at all. A weak program is a separate finding from the missed identification.

For what a complete MSB compliance program must include, see our overview of MSB law in Canada. If you are facing administrative monetary penalties or FINTRAC revocation related to identification failures, see our guide to FINTRAC revocation and how to respond.

Identification Records When You Are Buying an MSB

If you are buying an MSB, the existing client identification records are part of what you inherit.

FINTRAC expects you to produce identification records for ongoing client relationships from the moment you take ownership. If the previous owner’s records are incomplete or inaccessible, that becomes your compliance exposure after closing.

A compliance review before signing should include a check of how identification records were collected and whether the methods used were compliant. See our guide to buying an MSB for what that review should cover.

Frequently Asked Questions About FINTRAC Identification Requirements

What documents does FINTRAC accept for client identification?

FINTRAC accepts three methods, not just one document type. In person, a government-issued photo ID such as a passport or driver’s licence works. For remote clients, you can use a Canadian credit file that has been active for at least three years, or the dual process method using two independent sources. The method you choose must match how the client is transacting with your business.

Do I need to identify every client for every transaction?

No. Identification is required only when a transaction meets the applicable threshold. For MSBs, those thresholds are $3,000 for cash transactions and foreign currency exchange, and $1,000 for funds transfers and virtual currency transactions. The 24-hour aggregation rule applies, so same-day transactions from the same client count together toward the threshold.

What is a beneficial owner under FINTRAC rules?

A beneficial owner is any individual who owns or controls 25 percent or more of a corporate entity. When your client is a business, you must take reasonable steps to identify all beneficial owners and record that information. Accepting what the client tells you without any attempt at verification does not meet FINTRAC’s reasonable steps standard.

How long do I need to keep client identification records?

At least five years from the date of the transaction. For ongoing client relationships, the five-year period starts from the date of the last transaction with that client. Records must be stored in a format that can be retrieved quickly. Records that exist but cannot be produced during an examination are treated the same as missing records.

What happens if I miss a client identification requirement?

A missed or incomplete identification is a violation of the PCMLTFA and becomes a finding in a FINTRAC examination. A pattern of missed identifications is treated more seriously and can lead to administrative monetary penalties. In cases of broader compliance breakdown, it can contribute to revocation proceedings against your MSB registration.

Conclusions

FINTRAC identification requirements are specific about who you must identify, when, how, and what you must record. There is no flexibility on the method, no substitute for the documentation, and no grace period during an examination for gaps that turn up.

If your MSB’s identification procedures were set up years ago and have not been reviewed since, it is worth checking them against the current requirements before FINTRAC does it for you.

Cloudhaus Law advises MSBs across Canada on compliance program requirements, FINTRAC examinations, and enforcement matters. Contact us for a free consultation.

Questions About Your FINTRAC Identification Obligations?

Cloudhaus Law advises MSBs across Canada on compliance program requirements, FINTRAC examinations, and enforcement matters. Free consultation. No commitment.

Book a Free Consultation Call (647) 965-0516

irbazwahab@cloudhauslaw.com

Irbaz Wahab

I'm Irbaz, a dual-licensed lawyer in Canada and the U.S., and founder of Cloudhaus Law. With a background in tech law from the City of Toronto, I've helped launch 70+ franchises in the GTA, advised Web3 projects with $22.5M+ in token market cap, and supported over 100 businesses across 10+ industries. At Cloudhaus Law, we turn legal expertise into strategic success.

Send an enquiry