FATF Travel Rule for Crypto VASPs: Canada Compliance Guide 2026

Canada implemented its crypto Travel Rule requirements through amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and the associated Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR). These amendments, effective June 1, 2021, require all Virtual Asset Service Providers (VASPs) — called "money services businesses" (MSBs) dealing in virtual currency — to register with FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) and to apply Travel Rule requirements for transactions at or above CAD 1,000. This threshold aligns with the FATF baseline but differs from the EU's zero-threshold approach. This guide explains Canadian VASP obligations in 2026.

This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for advice specific to your situation.

Canada's Travel Rule: PCMLTFA Framework

The Canadian Travel Rule for virtual currency is established under Sections 9.3 and 9.4 of the PCMLTFA and detailed in Part 1, Division 5 of the PCMLTFR. The rule applies when a VASP (MSB dealing in virtual currency) sends or receives a virtual currency transfer of CAD 1,000 or more.

FINTRAC published updated guidance on the Virtual Currency Travel Rule in April 2023, clarifying that MSBs must collect originator and beneficiary information before transmitting the virtual currency, and must receive and retain this information when acting as the beneficiary MSB. The guidance is available at fintrac-canafe.gc.ca.

Data Required Under the Canadian Travel Rule

For transactions of CAD 1,000 or more:

FINTRAC Registration as an MSB

Every VASP operating in Canada must register with FINTRAC as an MSB dealing in virtual currency, regardless of whether it is also regulated provincially as a money transmitter. Failure to register with FINTRAC is a federal criminal offence under Section 73.1 of the PCMLTFA, carrying penalties of up to five years imprisonment and/or a $2 million fine for a first offence.

Registration is done through the FINTRAC MSB Registry, and MSBs must renew their registration every two years.

Canadian Regulatory Framework: FINTRAC, OSFI, and CRA

FINTRAC — Financial Intelligence Unit

FINTRAC is Canada's financial intelligence unit and anti-money laundering regulator for MSBs. It receives Suspicious Transaction Reports (STRs), Large Virtual Currency Transaction Reports (LVCTRs) for transactions of CAD 10,000 or more, and Terrorist Property Reports. FINTRAC conducts compliance examinations of registered MSBs, and can levy administrative monetary penalties (AMPs) of up to $1 million per violation.

FINTRAC issued new guidance in 2025 specifically on crypto mixing services and privacy coins, noting that accepting transactions from known mixing services or privacy coins creates heightened ML/TF risk that requires enhanced due diligence.

OSFI — Office of the Superintendent of Financial Institutions

OSFI regulates federally chartered banks and insurance companies. Crypto businesses that are not federally regulated financial institutions fall outside OSFI's direct supervision, but OSFI has published guidelines on crypto risk for the banks and insurers it regulates — including guidance on crypto asset exposure limits and due diligence requirements when banking crypto businesses.

Canada Revenue Agency (CRA)

The CRA requires that crypto transactions be treated as taxable events (capital gains or business income). VASPs must keep records of client transactions sufficient to allow for tax reporting. The CRA has access to FINTRAC reports and has used them in tax investigations.

KYC Document Requirements in Canada

Documents for Individual Customers

For individual clients, Canadian VASPs must collect and verify under the PCMLTFR:

• Canadian passport, provincial/territorial driver's licence, or Canadian Permanent Resident Card — acceptable government-issued photo ID
• Social Insurance Number (SIN) — used for tax reporting; not required at onboarding but VASPs may collect it for transactions above reporting thresholds
• Proof of address (not older than three months): utility bill, bank statement, or government correspondence
• For enhanced due diligence: source of funds documentation

Documents for Corporate Customers

For legal entity clients:

• Certificate of Incorporation from the relevant provincial or federal authority (Corporations Canada for federally incorporated entities)
• Provincial business registration documentation (e.g., Ontario Business Registry, British Columbia Corporate Registry)
• Business Number (BN) from the CRA — Canada's equivalent of the UK's Companies House number
• Identity documents for all beneficial owners (25% threshold under PCMLTFA)
• Identity documents for authorized signing officers

CheckFile processes over 3,200 document types across 32 jurisdictions with 24-language OCR support, enabling Canadian compliance teams to handle both domestic and cross-border onboarding — including dual English/French documentation common in federal entities — within a single KYC workflow.

Provincial Variations and Quebec's Unique Requirements

Quebec: AMF Québec and Loi 25

Quebec operates a distinct regulatory environment for financial services:

• AMF Québec (Autorité des marchés financiers) regulates financial products and services in Quebec, including certain crypto-related activities not covered by the federal PCMLTFA framework
• Loi 25 (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels, in force since September 2023) imposes privacy obligations on businesses collecting personal data in Quebec — including KYC data — that are significantly stricter than PIPEDA
• Quebec-based VASPs must ensure their KYC data processing complies with both PIPEDA and Loi 25

PIPEDA and Privacy Requirements

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organizations collect, use, and disclose personal information. For VASPs, this means:

• Customer consent or a legitimate purpose (legal obligation) must exist for collecting KYC data
• Customers have the right to access their data and request corrections
• Data must be protected with appropriate security safeguards
• Data breach notification is mandatory to both the OPC (Office of the Privacy Commissioner) and affected individuals

Unhosted Wallets: Canadian Approach

FINTRAC's 2023 guidance does not impose a specific unhosted wallet ownership verification requirement equivalent to the EU's Article 19 (Regulation (EU) 2023/1113). However, VASPs must apply a risk-based approach — and transfers to or from unhosted wallets are considered higher risk, warranting enhanced due diligence (collecting additional information about the purpose of the transfer and the source of funds).

Travel Rule Messaging in the Canadian Market

Canadian VASPs transacting with US VASPs must reconcile the Canadian CAD 1,000 threshold with the US $3,000 threshold — a transaction between CAD 1,000 and USD 3,000 may trigger Travel Rule obligations in Canada but not in the US.

Compliance Checklist for Canadian VASPs

• Register with FINTRAC as an MSB dealing in virtual currency
• Implement AML/ATF compliance program as required by PCMLTFA s. 9.6
• Implement Travel Rule data collection for all virtual currency transfers ≥ CAD 1,000
• File Large Virtual Currency Transaction Reports (LVCTRs) for transactions ≥ CAD 10,000
• Screen all customers against FINTRAC's designated persons list and OSFI's consolidated sanctions list
• Ensure PIPEDA compliance for customer data handling (+ Loi 25 if operating in Quebec)
• Retain Travel Rule records for five years
• Select and integrate a Travel Rule messaging protocol

For more on the international AML framework affecting Canadian VASPs, see our articles on FATF high-risk countries and AML compliance and AML transaction monitoring rules.

Frequently Asked Questions

Is the Canadian Travel Rule threshold CAD 1,000, regardless of transaction type?

Yes. The PCMLTFR applies the CAD 1,000 threshold to all virtual currency transfers sent or received by MSBs, regardless of whether the transfer is domestic or international. There is no separate threshold for international transfers — Canada applies a single threshold consistently, unlike the proposed US distinction between domestic ($3,000) and international ($250 proposed).

Do foreign crypto exchanges need to register with FINTRAC to serve Canadian customers?

Yes. Foreign MSBs that provide virtual currency exchange or transfer services to Canadian residents are required to register with FINTRAC under the PCMLTFA, even if they have no physical presence in Canada. FINTRAC has stated that geographic location is not a determining factor — what matters is whether the business is serving clients in Canada.

Does the PCMLTFA's Travel Rule apply to NFT platforms?

FINTRAC has clarified that NFTs that function primarily as collectibles or digital art — without being used as payment or exchange mechanisms — are not virtual currencies under the PCMLTFA. However, platforms that allow NFTs to be exchanged for virtual currency at scale may be caught under the definition of virtual currency exchange. This area is evolving.

How do Quebec's Loi 25 obligations affect KYC data retention?

Loi 25 gives Quebec residents stronger rights over their personal data than PIPEDA, including a right to data portability and a right to have data deleted. However, PCMLTFA obligations to retain KYC records for five years override the Loi 25 deletion right for data required by law to be kept for compliance purposes.

What are the penalties for non-compliance with FINTRAC's Travel Rule requirements?

FINTRAC can impose administrative monetary penalties (AMPs) ranging from $1 to $1,000,000 per violation, depending on severity. Criminal charges under the PCMLTFA carry penalties of up to $2 million and/or 5 years imprisonment for a first offence. FINTRAC publishes its penalty decisions on its website, which has reputational consequences beyond the financial penalty.