Crypto Asset Reporting Compliance: FINTRAC, CRA & CARF 2026

Canadian crypto businesses face a convergence of reporting obligations in 2026. FINTRAC enforces anti-money laundering and counter-terrorist financing (AML/CTF) obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), while the Canada Revenue Agency (CRA) is advancing implementation of the Crypto-Asset Reporting Framework (CARF) — the OECD's multilateral standard for automatic exchange of crypto-asset tax information. Any business in Canada that deals in virtual currency, operates a crypto exchange, or provides crypto-related financial services must navigate both frameworks simultaneously. This guide sets out what is required, what changes in 2026, and what operational steps are needed to remain compliant.

Regulatory disclaimer: This article provides general information only and does not constitute legal or compliance advice. Regulatory requirements vary by business model, province, and asset type. Consult qualified legal counsel and review the current FINTRAC guidance and CRA publications for your specific circumstances.

What Is CARF and How It Applies to Canadian Crypto Businesses

CARF (Crypto-Asset Reporting Framework) is an OECD-developed standard requiring crypto-asset service providers to collect, verify, and report user identity information and transaction data to their national tax authority — in Canada's case, the CRA — which then exchanges that data with foreign tax authorities under bilateral agreements.

Canada committed to implementing CARF as part of the G20/OECD multilateral framework at the 2023 G20 Leaders' Summit. The CRA has been collecting crypto transaction data informally through tax audits and has issued guidance on the tax treatment of crypto-assets since 2013. CARF formalises and automates this data collection.

CARF applies to Reporting Crypto-Asset Service Providers (RCASPs) — entities that, as a business, provide services effectuating Exchange Transactions and Transfer Transactions in Crypto-Assets. This captures:

• Crypto exchanges and trading platforms operating in or serving Canadian residents
• Crypto wallet providers facilitating third-party transfers
• Crypto payment processors enabling crypto-denominated purchases
• Brokerage and custodial services holding crypto-assets on behalf of clients

CARF operates alongside Canada's existing Common Reporting Standard (CRS) obligations. Where CRS covers financial accounts (including some crypto held through financial institutions), CARF specifically targets crypto-asset transactions that may fall outside the CRS definition of a financial account. Together, they create near-comprehensive tax transparency for digital assets.

For context on how CARF aligns with global regulatory trends, see our article on MiCA crypto identity verification requirements in 2026.

FINTRAC and PCMLTFA: Canada's Existing Crypto AML Framework

Virtual currency dealers have been designated reporting entities under the PCMLTFA since June 2020. FINTRAC requires mandatory registration as a Money Services Business (MSB), full KYC verification at onboarding, ongoing transaction monitoring, and submission of prescribed transaction reports.

Canada's AML/CTF framework for crypto predates most other G7 jurisdictions. The PCMLTFA amendments that came into force in June 2020 brought virtual currency dealers squarely within the MSB category — alongside currency exchange businesses, money transfer operators, and payment service providers. Unregistered operation is a criminal offence.

FINTRAC Transaction Reporting Obligations

FINTRAC requires reporting entities — including virtual currency dealers — to submit three types of mandatory reports:

Importantly, FINTRAC extended virtual currency transaction reporting to capture large virtual currency transactions: where a reporting entity receives virtual currency equivalent to CAD $10,000 or more in a single transaction, a Large Virtual Currency Transaction Report (LVCTR) must be filed within 10 working days.

All FINTRAC reports are submitted through the FINTRAC F2R secure reporting system. FINTRAC publishes sector-specific guidance at https://www.fintrac-canafe.gc.ca.

Compliance Programme Requirements

Every MSB — including virtual currency dealers — must maintain a written compliance programme covering: a designated compliance officer, written policies and procedures, a risk assessment, an ongoing training programme for staff, and an effectiveness review every two years. FINTRAC's compliance examination process assesses all five elements. Deficiencies in any element can trigger administrative monetary penalties (AMPs) independent of actual reporting failures.

For a detailed breakdown of AML obligations applicable to reporting entities, see our AMLD6 compliance guide for obliged entities — which cross-references international standards relevant to Canadian firms with EU operations.

Which Canadian Businesses Must Register and Report

Any business that deals in virtual currency as a core service must register with FINTRAC as an MSB. This includes foreign businesses that offer services to Canadian residents even without a Canadian physical presence.

The PCMLTFA's extra-territorial reach is particularly significant for crypto businesses. A foreign exchange serving Canadian customers is treated as a foreign MSB (FMSB) and must register with FINTRAC separately from domestic MSBs. The obligations are materially the same.

Categories of businesses that must register and comply include:

• Centralised crypto exchanges (spot trading, derivatives)
• Decentralised exchange operators where the operator has control over user funds or facilitates onboarding
• Crypto ATM operators (a significant grey area — FINTRAC guidance treats these as dealing in virtual currency)
• NFT marketplaces where transactions involve convertible virtual currency
• Stablecoin issuers and redeemers
• Crypto lending and yield platforms where the operator controls the underlying assets
• Payment processors accepting and disbursing crypto

Provincial securities considerations: The Canadian Securities Administrators (CSA) have determined that many crypto-asset trading platforms are dealing in securities or derivatives, and therefore must register with provincial securities regulators. In Quebec, this involves the Autorité des marchés financiers (AMF Québec), which has published its own registration framework for crypto-asset trading platforms. Businesses in Quebec must therefore navigate both federal FINTRAC obligations and AMF Québec's provincial securities and derivatives requirements.

CheckFile's KYC verification platform is built to support multi-jurisdictional onboarding, including the document types and verification methods prescribed by FINTRAC and accepted by provincial regulators.

KYC Data Requirements: SIN, Government-Issued ID, and Corporate Documents

For individual clients, FINTRAC requires identity verification using a government-issued photo identification document. For corporate clients, verification of existence and beneficial ownership is mandatory. CARF adds the requirement to collect and report the taxpayer identification number — in Canada, the Social Insurance Number (SIN) for individuals.

Individual Client Identification

FINTRAC prescribes specific methods for verifying individual identity. The primary method — applicable to virtually all crypto businesses — is the government-issued photo ID method: examining a valid, government-issued photo identification document that contains the client's name, photograph, and either a date of birth or address. Accepted documents include:

• Canadian passport
• Provincial or territorial driver's licence
• Permanent Resident (PR) Card
• Canadian Citizenship Card (where photo is present)
• Provincial or territorial identity card

For remote onboarding (the standard in crypto), FINTRAC's credit file method, dual-process method, and technology-based verification (TBV) using an accredited identity verification service are all permitted alternatives, provided they meet the regulatory standard of reasonable measures.

For CARF purposes, the CRA will require reporting entities to collect and report the Social Insurance Number (SIN) as the Canadian Taxpayer Identification Number (TIN) for Canadian resident individuals. Where clients are non-residents, the foreign TIN must be collected. Businesses must obtain SINs at onboarding and update records where TINs change.

Corporate Client Identification (KYB)

For corporate clients, FINTRAC requires verification of the entity's existence and beneficial ownership:

• Existence: Confirm via a certificate of incorporation (Corporations Canada or provincial registry), a trust deed, or other equivalent government document
• Beneficial ownership: Identify and verify all individuals who own or control, directly or indirectly, 25% or more of the entity
• Corporate structure documentation: For complex structures, document the chain of ownership

Quebec's Loi 25 (Law 25, formally An Act to modernize legislative provisions as regards the protection of personal information) imposes additional obligations on businesses handling personal information, including SINs. Any crypto business processing Quebec residents' SINs must implement a formal privacy impact assessment (PIA), appoint a privacy officer, and comply with data minimisation and retention requirements under Loi 25 — obligations that layer on top of FINTRAC's record-keeping rules and PIPEDA (Canada's federal private sector privacy law).

For broader identity verification architecture, see our document compliance guide.

CRA Reporting Timeline and CARF Implementation Deadlines

Canada has committed to CARF implementation as part of the OECD multilateral framework. The CRA is expected to begin receiving CARF reports by 2027, with automatic information exchange commencing thereafter. Businesses should treat 2026 as a preparation year.

As of June 2026, the CRA has not yet published final CARF regulations under the Income Tax Act, but the government has signalled implementation through the 2023 Fall Economic Statement and subsequent budget consultations. The trajectory is clear:

Businesses should use 2026 to:

1. Audit existing KYC data for completeness — particularly SIN collection for Canadian residents and foreign TINs for non-resident clients
2. Implement due diligence procedures to classify clients by residence and reportability under CARF
3. Configure reporting systems capable of generating CARF-format reports (the OECD has published the XML schema)
4. Train compliance staff on the distinction between CARF (tax reporting) and FINTRAC STR/LVCTR obligations (AML reporting)

The CRA publishes guidance on crypto-asset taxation and reporting at https://www.canada.ca/en/revenue-agency.html. Businesses with complex structures should seek qualified tax counsel now, rather than waiting for final regulations.

Penalties for Non-Compliance with FINTRAC and CRA Rules

Non-compliance with FINTRAC obligations exposes businesses to administrative monetary penalties of up to CAD $1 million per violation for entities, and up to CAD $500,000 for individuals. Criminal penalties under the PCMLTFA include fines and imprisonment. CRA penalties for failure to report are assessed under the Income Tax Act and can include substantial per-failure penalties.

FINTRAC Administrative Monetary Penalties (AMPs)

FINTRAC's AMP regime, substantially strengthened by 2019 amendments to the PCMLTFA, distinguishes between minor, serious, and very serious violations. Very serious violations — including failure to file STRs, operating without registration, or failure to implement a compliance programme — attract the highest penalties. FINTRAC publishes all AMP decisions (with entity names) on its website, creating significant reputational risk in addition to financial exposure.

Notably, the RCMP (Royal Canadian Mounted Police) may investigate and prosecute criminal offences under the PCMLTFA, including knowingly assisting money laundering through a virtual currency platform. The maximum criminal penalty is 14 years' imprisonment for the most serious offences.

CRA Penalties for Crypto Tax Non-Compliance

The CRA has existing powers under the Income Tax Act to assess penalties for failure to report income, including crypto gains. Under CARF, failure to provide required reports will attract specific per-failure penalties — the exact amounts will be set in the implementing regulations. Based on comparable CRS/FATCA penalty structures, penalties per failure to report an account or transaction are expected to be material.

Businesses should also note that the Office of the Privacy Commissioner (OPC) has jurisdiction over PIPEDA compliance, including the handling of SINs and other personal information collected for CARF purposes. Privacy breaches — including unauthorised disclosure of SIN data — can trigger separate regulatory proceedings and public reporting by the OPC.

Automating KYC Document Verification for Canadian Crypto Compliance

Automated document verification platforms allow Canadian crypto businesses to scale KYC onboarding, reduce manual error, and generate the audit trail required by both FINTRAC and the CRA for CARF compliance.

The volume and complexity of FINTRAC and CARF obligations make manual compliance processes operationally unsustainable at scale. For crypto businesses processing hundreds or thousands of onboardings per month, automation is not optional — it is the only practical path to consistent, auditable compliance.

CheckFile provides document verification infrastructure purpose-built for regulated financial services, including:

• Government-issued ID verification covering Canadian passports, driver's licences, and PR Cards, validated against FINTRAC's prescribed identity verification methods
• SIN collection and validation workflows integrated into onboarding flows, supporting CARF taxpayer identification requirements
• Corporate document verification (KYB) including Corporations Canada extracts, provincial registry documents, and beneficial ownership mapping
• Loi 25 and PIPEDA-compliant data handling, with configurable retention periods, consent capture, and data minimisation controls
• Audit-ready record keeping with timestamped verification events, document images, and verification method logs

Our security architecture is built around data residency in Canada, supporting OPC guidance on cross-border data transfers and Loi 25 requirements for Quebec-based businesses.

For businesses evaluating the cost of compliance infrastructure, see our pricing page for transparent per-verification pricing with no minimum commitments.

Frequently Asked Questions

Does CARF replace or duplicate FINTRAC's existing crypto reporting obligations?

CARF and FINTRAC obligations are entirely separate frameworks with different purposes. FINTRAC reporting (STRs, LVCTRs, EFTRs) serves AML/CTF purposes and is received by FINTRAC as Canada's financial intelligence unit. CARF reporting serves tax transparency purposes and is submitted to the CRA, which exchanges the data with foreign tax authorities. A crypto business in Canada must comply with both frameworks, and the KYC data collected for one purpose can generally support the other — but the reports go to different regulators and have different content requirements.

When does FINTRAC MSB registration need to be renewed, and what happens if it lapses?

FINTRAC MSB registration does not expire automatically, but registered entities must keep their registration current by updating FINTRAC when material changes occur (new services, new principals, change of address). Operating with an inaccurate registration is treated similarly to operating without registration and can attract administrative monetary penalties. FINTRAC conducts periodic compliance examinations of registered MSBs — typically every three to five years for lower-risk entities, more frequently for higher-risk businesses.

Are there additional provincial requirements beyond FINTRAC registration for crypto businesses in Quebec?

Yes. Quebec's AMF (Autorité des marchés financiers) requires crypto-asset trading platforms dealing in securities or derivatives to register separately under Quebec securities law. In addition, Loi 25 imposes stricter privacy obligations than PIPEDA for businesses handling Quebec residents' personal information — including SINs collected for CARF purposes. Businesses operating in Quebec should conduct a Loi 25 compliance gap analysis and implement a privacy impact assessment (PIA) for their KYC and CARF data collection processes.

What is the difference between a Large Virtual Currency Transaction Report (LVCTR) and a Suspicious Transaction Report (STR)?

An LVCTR is a mandatory report triggered by the objective fact of receiving virtual currency equivalent to CAD $10,000 or more in a single transaction — no suspicion is required, and no discretion is involved. An STR is triggered by reasonable grounds to suspect that a transaction is related to money laundering or terrorist financing — the threshold is subjective and can be triggered by transactions of any size. Both must be filed with FINTRAC, but they serve different intelligence purposes: LVCTRs support financial intelligence databases, while STRs flag potentially criminal activity for investigation. Failure to file an STR when grounds for suspicion exist is one of the most serious violations under FINTRAC's AMP framework.