Enhanced Due Diligence (EDD) in Canada: Complete FINTRAC & PCMLTFA Compliance Guide

Enhanced Due Diligence (EDD) is the heightened level of customer verification required under Canadian law when a business relationship presents elevated risk of money laundering or terrorist financing. Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), S.C. 2000, c. 17, and the regulations administered by FINTRAC (Financial Transactions and Reports Analysis Centre of Canada), EDD is not discretionary — specific statutory triggers make it a legal obligation for Canadian reporting entities. Amendments to the PCMLTFA Regulations (SOR/2002-184) that came into force in April 2025 have significantly updated these obligations, with phased implementation extending through 2026.

For a broader overview of the AML compliance landscape, see our document compliance guide.

This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references reflect the PCMLTFA framework as of May 2026. Consult a qualified legal or compliance professional for guidance specific to your organisation.

What Is Enhanced Due Diligence (EDD) Under Canadian AML Law?

EDD is the most intensive tier of the customer due diligence framework mandated by the Financial Action Task Force (FATF) and implemented in Canada through the PCMLTFA and its regulations. Canadian law establishes three levels of customer due diligence:

• Simplified measures: applicable only where risk is demonstrably low for specific customer categories recognised by FINTRAC guidance
• Standard Customer Due Diligence (CDD): the baseline identification and verification required for most business relationships (PCMLTFA Regulations, ss. 57–65)
• Enhanced Due Diligence (EDD): mandatory additional measures applied where higher risk is identified (PCMLTFA Regulations, ss. 66–68; FINTRAC Guidance on High-Risk Indicators)

A point that frequently arises among Canadian compliance teams is whether EDD is confined to specific statutory categories — Politically Exposed Persons (PEPs), high-risk countries — or whether it extends to any elevated-risk relationship. The answer is the latter. FINTRAC's guidance on high-risk indicators makes clear that the risk-based approach requires EDD whenever a reporting entity's own risk assessment identifies elevated risk, even where no named statutory category is present. Treating EDD as a checklist limited to PEPs and FATF-listed countries alone would leave firms exposed to significant regulatory and enforcement risk.

FATF Recommendation 10 requires ongoing due diligence throughout the business relationship; Recommendation 12 mandates specific EDD measures for Politically Exposed Persons. Canada is currently undergoing a FATF Mutual Evaluation, with heightened enforcement scrutiny expected through 2026–2027.

When Is EDD Required in Canada? PCMLTFA Triggers

The PCMLTFA Regulations (ss. 66–68) and FINTRAC's guidance on high-risk indicators establish the situations that require EDD measures. The April 2025 amendments clarified and expanded several of these triggers.

The April 2025 amendments: The PCMLTFA Regulations (SOR/2002-184), substantially amended in April 2025, introduced changes that directly affect EDD procedures. Key updates include revised definitions of PEPs and HIOs, expanded triggers for enhanced monitoring of virtual currency transactions, and updated thresholds for Large Cash Transaction Reports (LCTRs). The phased implementation schedule — with certain provisions taking effect in 2025 and others in 2026 — means reporting entities should review their EDD policies against both the current and forthcoming requirements. FINTRAC has published updated guidance on the amendments to assist compliance teams with the transition.

The EDD Process: 7 Steps for FINTRAC Compliance

A defensible EDD process follows seven sequential steps. Weaknesses in any of these steps are a primary focus of FINTRAC compliance examinations.

Step 1 – Enhanced identity verification

Standard CDD identification must be supplemented with additional independent sources. For individuals, this means obtaining the Social Insurance Number (SIN) combined with a provincial driver's licence or Canadian passport, plus a second supporting document. For legal persons, certified constitutional documents and official registry extracts are required. Verification against authoritative databases (Corporations Canada for federal entities; provincial registries for provincially incorporated entities) must be documented.

Step 2 – Beneficial ownership verification

Under amendments to the Canada Business Corporations Act (CBCA) enacted in 2022, federally incorporated companies must maintain a register of individuals with significant control (ISC) — those holding 25% or more of shares or votes. EDD requires going beyond the client's self-declaration to cross-reference with Corporations Canada, provincial registries, or the Registre des entreprises du Québec (REQ) for Québec entities. The full ownership chain must be mapped to identify all beneficial owners at or above the 25% threshold.

Step 3 – Source of funds (SOF) verification

Source of funds refers to the origin of the specific money involved in the transaction or relationship. Documentary evidence is required: bank statements, sale proceeds documentation, loan agreements, payroll records, and government benefit statements where applicable. A bank statement alone, without documentation explaining the origin of those funds, is insufficient for EDD purposes.

Step 4 – Source of wealth (SOW) verification

Source of wealth is distinct from source of funds: it addresses how the client has accumulated their overall wealth over time. For PEPs, PPP (Politically Prominent Persons) relationships, and high-net-worth clients with complex profiles, this requires multi-year tax returns, salary history, business valuations, and inheritance documentation. Conflating SOF and SOW is a recurring finding in FINTRAC compliance examinations. Both are required for a complete EDD file.

Step 5 – Senior management approval

PCMLTFA regulations require senior management approval — or approval from a designated equivalent — before establishing a business relationship with a PEP or high-risk client, and for continuing a relationship where a client is subsequently identified as a PEP. This approval must be documented, attributed to a named individual with appropriate authority, dated, and retained on file.

Step 6 – Enhanced ongoing monitoring

EDD relationships require more intensive transaction monitoring: lower alert thresholds, more frequent review cycles, and heightened scrutiny of any deviation from the established client profile. For PEPs, profile updates should occur at least every six months. Any material change in risk profile — new political appointment, corporate restructuring, change of country, new beneficial ownership — must trigger an immediate review.

Step 7 – FINTRAC reporting and record retention

Where monitoring identifies suspicious activity, a Suspicious Transaction Report (STR) must be filed with FINTRAC without tipping off the client. Transactions in cash of CAD $10,000 or more require a Large Cash Transaction Report (LCTR) filed with FINTRAC within the prescribed timeframe. Records must be retained for five years after the end of the business relationship (PCMLTFA Regulations, s. 105).

EDD Documentation: What Canadian Institutions Must Collect

The table below sets out the documentation typically required by client category. The risk-based approach requires adaptation to specific circumstances.

For a sector-by-sector due diligence checklist, see our customer due diligence checklist by sector.

CDD vs EDD: Key Differences Under PCMLTFA

Ongoing Monitoring and Suspicious Transaction Reporting

Ongoing monitoring under Canadian law is a continuous obligation, not a periodic formality. For EDD clients, this means:

• Scheduled periodic reviews: at minimum every six months for PEPs, and at least annually for other EDD-designated clients — more frequently where risk indicators warrant
• Transaction monitoring: automated detection of transactions that deviate from the established client profile, with timely human review of flagged activity
• Event-triggered reviews: any material change — political appointment, corporate restructuring, sanctions designation, movement to a high-risk jurisdiction — must prompt immediate reassessment regardless of the scheduled review cycle
• Suspicious Transaction Reporting: where monitoring identifies suspicious activity, an STR must be filed with FINTRAC promptly and without tipping off the client. The PCMLTFA prohibits disclosure of the fact that an STR has been filed (PCMLTFA s. 8)
• Large Cash Transaction Reporting: any single cash transaction of CAD $10,000 or more must be reported to FINTRAC via an LCTR, subject to the specific exemptions provided by the regulations

According to FINTRAC's Annual Report 2024, FINTRAC received over 2 million STR and LCTR reports in fiscal 2024 — reflecting both the scale of the Canadian financial sector and the increasing reach of the reporting regime. In 2024, FINTRAC published six administrative monetary penalty (AMP) decisions totalling over CAD $7.3 million, demonstrating active enforcement across sectors. According to the ACFE 2024 Report to the Nations, only 37% of fraud cases are detected through manual controls — illustrating the limitations of purely manual monitoring programmes.

For a full picture of Canadian AML obligations, see our anti-money laundering compliance guide.

Privacy law and EDD data collection: The collection of sensitive personal data for EDD purposes is subject to both the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, for organisations operating in Québec, the provincial Loi 25 (Loi sur la protection des renseignements personnels dans le secteur privé, L.R.Q., c. P-39.1 — reformed 2022–2023). Loi 25, administered by the Commission d'accès à l'information (CAI), requires that any personal data processing system — including KYC and EDD systems — be subject to a Privacy Impact Assessment (évaluation des facteurs relatifs à la vie privée, EFVP) before deployment. The purpose limitation and data minimisation principles under both PIPEDA and Loi 25 mean that EDD data collection must be demonstrably proportionate to the identified risk level. OSFI's prudential expectations for federally regulated financial institutions add a further layer of oversight on data governance within EDD programmes.

Automating EDD with CheckFile

Manual EDD processes are resource-intensive, inconsistent, and prone to documentation gaps. The collection of supporting documents, verification of their authenticity, cross-referencing with PEP and sanctions lists, beneficial ownership mapping, and five-year archiving — each step creates operational risk when handled through disconnected workflows. FINTRAC expects reporting entities to maintain systems and controls proportionate to their risk exposure.

CheckFile automates the critical steps of the EDD workflow:

• Document authenticity verification across more than 3,200 document types in 32 jurisdictions, with deepfake detection and tamper analysis covering Canadian identity documents including provincial driver's licences and Canadian passports
• Structured data extraction (OCR and semantic validation) that feeds directly into client records, eliminating manual re-keying and reducing transcription error
• Cross-document consistency checks — verifying that names, dates, addresses, and reference numbers are coherent across all documents in the EDD file, including SIN validation and registry cross-referencing
• Compliant archiving with full audit trails of actions and decisions, retained for the legally required five-year period under PCMLTFA Regulations s. 105

The platform integrates via API with document management systems, PEP and sanctions screening tools, and existing CRM infrastructure. Explore our solutions for banking and KYC, our approach to security, and our pricing.

To learn more about how CheckFile supports EDD programmes in Canada, visit CheckFile.ai.

Frequently Asked Questions

Do the April 2025 PCMLTFA amendments significantly change EDD procedures?

Yes — the April 2025 amendments to the PCMLTFA Regulations (SOR/2002-184) represent the most substantial update to the Canadian AML framework since the 2014 reforms. Key changes affecting EDD include: revised definitions of PEPs and Heads of International Organisations (HIOs) that broaden the categories of persons subject to mandatory EDD; expanded obligations for reporting entities dealing with virtual currency MSBs and VASPs; updated rules on beneficial ownership verification aligned with the 2022 CBCA amendments; and new record-keeping requirements for electronic funds transfers. The phased implementation schedule means certain obligations became effective immediately in April 2025, while others — particularly those affecting smaller reporting entities — phase in through 2026. Reporting entities should review their EDD policies and procedures against both the current regulatory text and the FINTRAC transition guidance to confirm compliance before the later phase-in dates.

Does EDD apply only to PEPs and high-risk countries, or to any elevated-risk client?

EDD applies to any higher-risk situation, not exclusively to the named statutory categories. FINTRAC's guidance on high-risk indicators is clear: EDD is required whenever a reporting entity identifies elevated risk through its own risk assessment, in addition to the specific triggers listed in the PCMLTFA Regulations. A firm that limits EDD to PEPs and FATF-listed countries while overlooking other elevated-risk clients — for example, clients with complex unexplained ownership structures or unusual transaction patterns — is non-compliant with the risk-based approach and exposed to AMP liability.

What is the difference between source of funds and source of wealth?

Source of funds (SOF) addresses the specific money involved in the transaction or relationship: where did this particular capital originate? Source of wealth (SOW) addresses the client's overall financial position: how was their total wealth accumulated over time? Both are required for a complete EDD file for PEPs and high-risk clients. A client may have a legitimate SOF (proceeds from a recent property sale) but an unclear SOW (unexplained historic wealth accumulation) — in which case the EDD file is incomplete without documenting both. Conflating SOF and SOW is a recurring finding in FINTRAC compliance examinations.

When does senior management approval need to be obtained for PEPs?

Canadian regulations require senior management approval before establishing a business relationship with a PEP and before conducting a PEP-related transaction where an ongoing relationship does not exist. Where an existing client is subsequently identified as a PEP — for example following a political appointment — approval should be obtained promptly and the EDD file updated before continuing the relationship. The approval must be documented, attributed to a named individual with appropriate seniority and authority, dated, and retained for the five-year record retention period.

What are the penalties for EDD failures under the PCMLTFA?

FINTRAC can impose administrative monetary penalties (AMPs) of up to CAD $500,000 per violation for individuals and up to CAD $1,000,000 per violation for entities. For "very serious" violations — those that FINTRAC determines pose a high risk to Canada's AML/ATF regime — penalties can reach up to CAD $20 million or 3% of the entity's global gross revenues, whichever is greater. Criminal prosecution under Criminal Code s. 462.31 can result in imprisonment of up to five years. In 2024, FINTRAC published six AMP decisions totalling over CAD $7.3 million across regulated sectors. OSFI may additionally impose supervisory measures on federally regulated financial institutions found to have inadequate EDD controls.

How does PIPEDA interact with EDD data collection?

EDD requires collecting sensitive personal information — identity documents, SINs, source of funds documentation — that falls within the scope of PIPEDA and, in Québec, Loi 25. Reporting entities must have a valid legal basis for collecting this information (typically the performance of a legal obligation under the PCMLTFA), must limit collection to what is necessary for the EDD purpose, and must retain records only for the period required by law. Loi 25 goes further than PIPEDA by requiring a formal Privacy Impact Assessment (évaluation des facteurs relatifs à la vie privée) before deploying any system that processes personal data, including KYC and EDD platforms. The Office of the Privacy Commissioner (OPC) at priv.gc.ca publishes guidance on PIPEDA compliance for financial services.

---

Regulatory references and sources

• Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), S.C. 2000, c. 17 — laws-lois.justice.gc.ca
• PCMLTFA Regulations (SOR/2002-184) — laws-lois.justice.gc.ca
• FINTRAC — Guidance on high-risk indicators and EDD — fintrac-canafe.gc.ca
• FINTRAC Annual Report 2024 — fintrac-canafe.gc.ca
• FINTRAC — Administrative monetary penalties — fintrac-canafe.gc.ca
• FATF Recommendations 10 and 12 — FATF
• Canada Business Corporations Act — significant control register — canada.ca
• Office of the Privacy Commissioner — PIPEDA guidance — priv.gc.ca
• ACFE Report to the Nations 2024