
Know Your Supplier (KYS): Vendor Verification and Compliance in Canada

KYS compliance guide for Canadian businesses: FINTRAC, PCMLTFA, OSFI guidelines, PIPEDA, and Loi 25 (Quebec) obligations for supplier due diligence in 2026.

CheckFile Team

Know Your Supplier (KYS) is the structured due diligence process that organisations apply to vendors, contractors, and supply chain partners before and during a business relationship. In Canada, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), FINTRAC's compliance expectations, the Corruption of Foreign Public Officials Act (CFPOA), and provincial laws — notably Quebec's Loi 25 — together create a multi-layered compliance framework for managing third-party relationships.

According to the Canadian Anti-Fraud Centre (CAFC) Annual Report 2025, Business Email Compromise (BEC) targeting accounts payable and procurement departments is among the fastest-growing fraud categories in Canada, causing hundreds of millions in losses annually. A structured KYS programme is one of the most effective controls to close this vulnerability.

What KYS Covers and Why It Is Required in Canada

A robust KYS programme addresses three risk dimensions: legal identity (Business Number, provincial corporate registry, beneficial ownership), financial standing (credit profile, court records, absence of insolvency proceedings), and regulatory reputation (FINTRAC screening, OSFI guidance compliance, adverse media, PEP connections).

The PCMLTFA (as amended by Bill C-31 and the 2019 AML/ATF regime amendments) requires reporting entities — including banks, credit unions, money service businesses, securities dealers, and mortgage brokers — to identify and verify the identity of clients and, in specific circumstances, the beneficial owners of entities with which they conduct transactions. FINTRAC oversees compliance and can impose administrative monetary penalties of up to $500,000 per violation for individuals and up to $2 million per violation for entities.

OSFI's B-8 Guideline (Deterring and Detecting Financial Crimes, effective 2023) explicitly requires federally regulated financial institutions (FRFIs) to extend AML controls to their third-party service providers and vendors when those relationships present elevated financial crime risk. This guidance effectively creates a KYS obligation for FRFIs managing outsourced services.

The Corruption of Foreign Public Officials Act (CFPOA) creates criminal liability for Canadian companies that benefit from bribery of foreign public officials by their agents and suppliers, mirroring the UK Bribery Act and US FCPA. The Department of Justice's enforcement record emphasises that adequate third-party due diligence is the primary defence.

| Law / Guideline | Applies to | Key KYS obligation |
|---|---|---|
| PCMLTFA (as amended) | Reporting entities (banks, credit unions, MSBs, dealers) | Beneficial ownership verification; third-party risk management |
| OSFI B-8 Guideline (2023) | Federally regulated financial institutions | Third-party due diligence for outsourcing and vendor relationships |
| Corruption of Foreign Public Officials Act (CFPOA) | All Canadian companies with international supply chains | Adequate anti-bribery due diligence on foreign suppliers |
| Canada Business Corporations Act (CBCA, amended 2020) | CBCA corporations | Beneficial owner disclosure register |
| PIPEDA / Loi 25 (Quebec) | All Canadian businesses processing personal data | Privacy-compliant collection and storage of supplier personal data |

The 5-Step KYS Verification Process in Canada

Step 1 – Document collection. Before engaging a new supplier, collect: a current corporate profile from the provincial registry (Corporations Canada for federal corps, or provincial equivalents), Business Number (BN) verified with the CRA, the most recent filed annual return or financial statements, the beneficial owner register entry (as required under the CBCA or applicable provincial law), and banking details with a void cheque or banker's letter confirming account ownership.

Step 2 – Identity and registration verification. Search the supplier's corporate status on Corporations Canada or the relevant provincial registry (e.g., Ontario Business Registry, British Columbia Corporate Online, Registraire des entreprises du Québec (REQ)). Verify Business Number via the CRA Business Registry. Check for insolvency or receivership proceedings via the Office of the Superintendent of Bankruptcy Canada.

Step 3 – FINTRAC and sanctions screening. Screen against the Consolidated Canadian Autonomous Sanctions List, UN Security Council lists, and OFAC SDN list for USD-denominated transactions. For PCMLTFA reporting entities, Politically Exposed Persons (PEPs) and Heads of International Organizations (HIOs) screening is mandatory under PCMLTFA sections 9.3-9.4. Use real-time screening tools with daily update feeds.

Step 4 – Adverse media and CFPOA due diligence. For suppliers with government connections, international operations, or in high-risk sectors, supplement identity verification with structured adverse media screening covering corruption, labour violations, and environmental incidents. Align the questionnaire with ISO 37001:2016 (Anti-bribery Management Systems) as recommended in the CFPOA compliance guidance from Justice Canada.

Step 5 – Ongoing monitoring. Configure automated alerts for corporate registry changes (director changes, dissolution), Office of the Superintendent of Bankruptcy publications, and sanctions list updates. Any request to change banking details, the number one vendor fraud vector in Canadian businesses, must trigger an independent callback verification.

False Supplier Fraud in Canada: Key Controls

Canadian compliance professionals frequently ask: "How do we safely validate an EFT routing change from a supplier?"

Fraud patterns documented by the CAFC are consistent: attackers research corporate directories, identify key AP contacts, and send bank detail change requests from domains differing from the legitimate supplier's domain by one character. The request typically arrives days before a scheduled large payment.

Three controls prevent most Canadian false-supplier fraud:

  1. Independent callback. Confirm any bank detail change by calling the number in your ERP system — not any number provided in the email.
  2. Dual approval. Payment routing changes require two authorised approvers, including Finance leadership.
  3. Automated account verification. An automated document verification service that cross-checks account holder identity against corporate registry data is the most scalable control. CheckFile supports over 3,200 document types in 32 jurisdictions, including Canadian federal and provincial corporate documents.
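
The lookalike-domain pattern and the callback and dual-approval controls above, expressed as a gate on a bank-detail change request. This is an added example, not CheckFile's code; the vendor record, domains, phone numbers, approver names and finding labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

def levenshtein(a: str, b: str) -> int:
    """Edit distance counting single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Constructed vendor master (ERP) record and approver roster, for illustration only.
VENDOR_MASTER = {"V-1001": {"domain": "maple-freight.example", "phone": "+1-555-0100"}}
FINANCE_LEADERS = {"cfo", "controller"}

@dataclass
class BankChangeRequest:
    vendor_id: str
    sender: str                      # From address on the change request
    callback_number: Optional[str]   # number actually dialled to confirm, if any
    approvers: set = field(default_factory=set)

def review(req: BankChangeRequest) -> list:
    """Return blocking findings; an empty list means the change may be applied."""
    rec = VENDOR_MASTER[req.vendor_id]
    findings = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    dist = levenshtein(domain, rec["domain"])
    if dist == 1:
        findings.append("lookalike-domain")        # one character off the real domain
    elif dist > 1:
        findings.append("unknown-domain")
    # A matching domain never clears the request: a compromised mailbox sends
    # from the genuine domain, so the callback and approvals are always checked.
    if req.callback_number != rec["phone"]:
        findings.append("callback-not-to-erp-number")
    if len(req.approvers) < 2 or not (req.approvers & FINANCE_LEADERS):
        findings.append("dual-approval-missing")
    return findings

spoofed = BankChangeRequest("V-1001", "ar@maple-frelght.example", "+1-555-0199", {"ap.clerk"})
genuine = BankChangeRequest("V-1001", "ar@maple-freight.example", "+1-555-0100", {"ap.clerk", "cfo"})
```

`review(spoofed)` returns all three findings, while `review(genuine)` returns an empty list only because the callback went to the ERP number and two approvers, one from Finance leadership, signed off.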

As of 2025, FINTRAC's updated guidance on electronic funds transfer obligations explicitly identifies payment redirection fraud as a financial crime risk requiring controls within the AML compliance programme.

For more on detecting document fraud patterns, see our analysis of AI-powered document fraud detection.


Quebec's Specific Requirements: REQ and Loi 25

Quebec adds important layers to the Canadian KYS framework:

Registraire des entreprises du Québec (REQ): Quebec-incorporated suppliers must be verified on the REQ portal. The REQ maintains the complete corporate records and publishes updated information on directors, shareholders, and annual filings.

Loi 25 (Law 25): Quebec's Act respecting the protection of personal information in the private sector (modernised by Bill 64, in force 2022-2023 in phases) imposes strict obligations on the collection, storage, and sharing of personal data — including data collected about suppliers' representatives and beneficial owners. Key obligations for KYS include:

  • A privacy impact assessment (PIA) if using automated screening tools that process personal information
  • Contractual clauses with any third-party data processor used for KYS screening
  • Strict limitations on data retention — no keeping KYS data beyond what is necessary for the documented purpose
  • An "index of personal information" (registre des fichiers) covering all KYS databases

These requirements go beyond PIPEDA's national baseline. Any Canadian company operating in Quebec or using Quebec-domiciled suppliers must align their KYS programme with Loi 25.

Building and Retaining the KYS Compliance File

The PCMLTFA (section 6) requires reporting entities to retain identification and verification records for five years from the date of the last business transaction. For non-reporting entities, best practice is to retain KYS files for the contract term plus five years, consistent with the general limitation period under the Limitations Act (Ontario) or the applicable provincial equivalent.

A compliant KYS file should include:

  • Documents collected with verification timestamps
  • Sanctions and PEP screening results with date and system version
  • Beneficial owner register entries or equivalents
  • Identity of approving personnel for each verification step
  • Change log of all banking routing modifications with callback evidence

CheckFile stores all verification records in a tamper-evident audit trail meeting ISO 27001 standards, supporting your compliance file without additional manual overhead. View pricing plans for supplier verification workflows scaled to Canadian enterprise needs.

Frequently Asked Questions

Does KYS apply to all Canadian businesses, or only PCMLTFA reporting entities?

The PCMLTFA imposes direct obligations on reporting entities (banks, credit unions, MSBs, securities dealers, etc.). For other businesses, the CFPOA (all Canadian companies with international supply chains), provincial procurement rules, and indirect pressure from large buyers requiring supplier compliance certifications create a practical KYS framework. Provincial modern slavery legislation is also developing across Canada.

How do I verify beneficial ownership of a Canadian supplier?

For CBCA corporations, the Beneficial Owner Register (required since 2020) is held at the company level — you must request disclosure from the supplier, then verify against corporate registry records. Provincial registries vary: British Columbia's BC Registries has an accessible beneficial ownership registry; Quebec uses the REQ. FINTRAC's guidance (FINTRAC compliance guidance document 2019-3) provides specific requirements for beneficial ownership verification.

What is the difference between supplier qualification and KYS in Canada?

Supplier qualification assesses technical capability, quality, and commercial terms. KYS focuses specifically on legal identity, financial standing, beneficial ownership, and regulatory risk (sanctions, CFPOA, FINTRAC). Both can form part of an integrated vendor management framework, but they address different risk dimensions.

How often should KYS verification be renewed for Canadian suppliers?

Best practice is annual re-verification for all active suppliers, plus immediate re-verification at any triggering event: director changes, banking detail modifications, contract renewals, or adverse media alerts. High-risk suppliers — those in FATF-flagged jurisdictions, sectors under OSFI B-8 enhanced scrutiny, or government-connected entities — warrant continuous monitoring.

How do Loi 25 requirements affect our KYS screening tools in Quebec?

If your KYS screening tool processes personal information of Quebec residents (including supplier representatives), Loi 25 requires a Privacy Impact Assessment (PIA) before deploying the tool, privacy-protective contractual clauses with the tool provider, documented retention and deletion schedules, and registration of the KYS database in your "index of personal information." The Commission d'accès à l'information du Québec (CAI) oversees enforcement.


This article is for informational purposes only and does not constitute legal advice. Canadian regulatory obligations vary by province and sector. Consult qualified legal counsel for advice specific to your compliance programme.
