Know Your Supplier (KYS): Vendor Verification Checklist for Canadian Procurement
Canada-specific KYS guide: FINTRAC, PCMLTFA, OSFI, PIPEDA compliance for procurement teams. 12-step vendor verification checklist, provincial variations, red flags.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokKnow Your Supplier (KYS) is the structured due diligence process used by Canadian procurement and compliance teams to verify the legal identity, beneficial ownership, sanctions profile, and bank account details of suppliers before and during a commercial relationship. In Canada, supplier verification obligations are anchored in federal legislation administered by FINTRAC (Financial Transactions and Reports Analysis Centre of Canada), with significant provincial variations โ particularly in Quebec under Loi 25 โ that create a layered compliance landscape.
The primary federal framework is the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), enforced by FINTRAC, which requires reporting entities to verify the identity of clients and, by extension, key vendors. The Office of the Superintendent of Financial Institutions (OSFI) issues Guideline E-13 on third-party risk management for federally regulated financial institutions. Privacy obligations are governed federally by PIPEDA (Personal Information Protection and Electronic Documents Act) and provincially by Loi 25 in Quebec, Alberta's PIPA, and BC's PIPA.
Canadian procurement teams that automate their KYS process reduce manual processing time by 83% and cut the cost per supplier dossier by 67% (CheckFile platform data, internal analysis 2026).
What Is Know Your Supplier (KYS) in Canada?
KYS is the procurement-side equivalent of Customer Due Diligence (CDD), applying the same identity verification, beneficial ownership, and sanctions screening rigour to vendors that regulated entities apply to their customers under the PCMLTFA.
A complete Canadian KYS programme covers:
- Legal entity verification (federal or provincial incorporation, registered status)
- Beneficial ownership identification per PCMLTFA and Canada Business Corporations Act (CBCA) amendments
- OFAC and OSFI sanctions screening (Canadian Consolidated Autonomous Sanctions List)
- PEP checks for directors, officers, and beneficial owners under PCMLTFA definitions
- Adverse media screening for FINTRAC enforcement actions, RCMP investigations, and fraud
- Bank account ownership verification (institution number, transit, and account matching)
As of January 2024, amendments to the PCMLTFA under Canada's Budget Implementation Act 2022 require enhanced beneficial ownership verification for regulated entities dealing with higher-risk third parties, with penalties up to $2 million per violation (FINTRAC โ PCMLTFA compliance guidance).
Canadian Regulatory Framework for KYS
PCMLTFA (Proceeds of Crime and Terrorist Financing Act): Canada's primary AML/CFT statute, enforced by FINTRAC. Reporting entities (banks, credit unions, MSBs, real estate brokers, accountants, dealers in precious metals) must verify the identity of clients and establish business relationships under documented due diligence procedures that extend to vendor relationships.
OSFI Guideline E-13 (Third-Party Risk Management): the Office of the Superintendent of Financial Institutions requires federally regulated financial institutions to assess, manage, and monitor risk across their third-party relationships โ including vendors. The OSFI Guideline E-13 specifies documentation, contractual, and monitoring requirements.
Canada Business Corporations Act (CBCA) amendments: since June 2019, federal corporations must maintain a register of individuals with significant control (ISC) โ Canada's equivalent of the UBO register. Provincial equivalents exist in Ontario, BC, Manitoba, and other provinces. Verification of ISC data is a required element of KYS for federally incorporated vendors.
PIPEDA + Loi 25 (Quebec): federal PIPEDA and Quebec's Loi sur la protection des renseignements personnels dans le secteur privรฉ (Loi 25, fully in force September 2023) govern the collection and use of personal data in KYS processes. Quebec's Loi 25 is notably stricter than PIPEDA, imposing mandatory privacy impact assessments (PIAs) and explicit consent requirements for personal information collected across provincial borders.
| Regulation | Threshold | Primary KYS Obligation |
|---|---|---|
| PCMLTFA | Reporting entities (banks, MSBs, etc.) | CDD on clients and third parties in scope |
| CBCA / provincial ISC registers | Federal/provincial corporations | Beneficial ownership register and verification |
| OSFI E-13 | Federally regulated financial institutions | Third-party risk assessment and monitoring |
| PIPEDA + Loi 25 (QC) | All companies handling personal data | Privacy compliance in verification processes |
KYS Verification Checklist: 12 Required Steps
Steps 1โ4: Legal Entity Verification
| Document | Official Source | Review Frequency |
|---|---|---|
| Certificate of Good Standing (or provincial equivalent) | Corporations Canada / provincial registry | On onboarding + annually |
| Articles of incorporation | Corporations Canada / provincial registry | On onboarding |
| ISC register extract (beneficial owners) | Corporations Canada / provincial registry | On onboarding + on change |
| Business number (BN) / CRA registration | CRA โ Business Registration | On onboarding before first payment |
Steps 5โ6: Bank Account Verification
Authenticating the bank account holder (institution, transit, account number, and matching legal name) is the most effective defence against business payment fraud โ a category of financial crime where Canada has seen a 34% year-over-year increase according to the Canadian Anti-Fraud Centre. Verification must be repeated for every communicated banking change, using an independently verified communication channel separate from the notification.
Steps 7โ9: Sanctions, PEP, and Adverse Media Screening
Screening must cover the Canadian Consolidated Autonomous Sanctions List (Global Affairs Canada), the OFAC SDN list, and the UN Security Council consolidated list. PEP definitions under PCMLTFA include domestic and foreign politically exposed persons and heads of international organisations. Adverse media searches should cover FINTRAC administrative penalties, RCMP Financial Crime program actions, and Competition Bureau enforcement.
Steps 10โ12: Sectoral and Operational Checks
Depending on the supplier's sector: professional licences (provincial), ISO certifications, general liability and professional indemnity insurance, WSIB/WCB clearance certificates (provincial workers' compensation compliance), and GST/HST registration confirmation.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotRisk Scoring Model
| Risk Tier | Criteria | Review Cycle |
|---|---|---|
| Low | Federally/provincially registered, <CA$50K/year, non-regulated sector | Annual |
| Medium | Foreign-registered, CA$50KโCA$500K/year, or regulated sector | Semi-annual |
| High | >CA$500K/year, FATF grey/black-list jurisdiction, or regulated services | Quarterly + EDD |
| Critical | Strategic supplier, operations in sanctioned territories | Continuous monitoring |
The CheckFile Document Risk Index scores supplier dossiers in high-transaction sectors at an average of 6.2/10, justifying systematic automation to maintain verification completeness across large Canadian vendor portfolios.
KYS vs KYC vs KYB: Key Differences in Canada
| Process | Target | Primary Canadian Context |
|---|---|---|
| KYC (Know Your Customer) | Customers, account holders | Banks, credit unions (PCMLTFA CDD Rule) |
| KYB (Know Your Business) | Business partners, distributors | B2B onboarding, OSFI third-party risk |
| KYS (Know Your Supplier) | Vendors, subcontractors, service providers | Procurement, supply chain, accounts payable |
For the complete business entity verification process, see our guides on KYB business document verification and the vendor due diligence checklist.
Red Flags in Canadian Vendor Verification
Canadian compliance professionals identify these as high-priority warning signals:
- Banking change notification by email only, no call-back to a number on file
- Vendor federally or provincially dissolved but still issuing invoices
- ISC register not filed or showing a nominee director with no operating role
- BN (Business Number) does not match the legal entity name at CRA
- Refusal to provide a current Certificate of Good Standing or ISC register extract
- Invoice address in a different province from the registered office with no operational explanation
- GST/HST registration shows as inactive or cancelled
Quebec-Specific Considerations
Quebec's Loi 25 creates additional obligations for KYS processes involving personal data collected from Quebec-based vendors or used by Quebec operations:
- Privacy Impact Assessments (PIAs) are mandatory before implementing new KYS technology or sharing personal data with third-party verification platforms
- Explicit consent requirements for the collection of personal information exceed PIPEDA's implied consent framework
- Data residency: personal information about Quebec individuals must be assessed for cross-border transfer risk before being processed by servers outside Quebec/Canada
Automating Your Canadian KYS Process
Managing KYS manually for a portfolio of 100 active vendors means 200โ300 individual verifications per year. Manual processes create compliance blind spots as portfolios grow.
CheckFile automates the full KYS workflow: document collection, verification against Corporations Canada, provincial registries, CRA, and sanctions lists, PEP screening, and audit trail generation compliant with FINTRAC record-keeping requirements. See the document verification guide for the full methodology.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice under Canadian federal or provincial law. Consult a qualified Canadian compliance professional for advice specific to your situation.
Frequently Asked Questions
What is Know Your Supplier (KYS) in Canada?
KYS in Canada is the due diligence process by which procurement teams verify the legal identity (Corporations Canada or provincial registry), beneficial ownership (ISC register), sanctions profile (Global Affairs Canada consolidated list, OFAC), and bank account details of their suppliers โ under the PCMLTFA framework enforced by FINTRAC, and OSFI E-13 for financial institutions.
Is KYS mandatory under Canadian law?
Partially. KYS is directly required for PCMLTFA reporting entities in relation to vendors providing services in scope. OSFI E-13 mandates third-party risk management for federally regulated financial institutions. CBCA amendments require ISC registers for federally incorporated entities. Loi 25 in Quebec creates privacy obligations for all companies handling personal data in verification processes.
How does Quebec's Loi 25 affect KYS?
Loi 25 (fully in force September 2023) is stricter than federal PIPEDA. It requires Privacy Impact Assessments before implementing KYS systems that process personal data, explicit consent for non-essential data collection, and a published privacy policy listing how vendor personal data is used. Companies with operations in both Quebec and other provinces must comply with both Loi 25 and PIPEDA simultaneously.
What documents should I collect for vendor KYS in Canada?
The core Canadian KYS document set includes: Certificate of Good Standing (federal or provincial), articles of incorporation, ISC register extract (beneficial owners), CRA Business Number (BN) confirmation, bank account letter on company letterhead (with institution and transit number), WSIB/WCB clearance certificate, and any sector-specific licences. Each document must be verified against the authoritative source.
What is FINTRAC's role in supplier verification?
FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) is Canada's financial intelligence unit. It enforces the PCMLTFA and requires reporting entities to implement Know Your Client (KYC) programmes. For procurement teams at non-reporting-entity companies, FINTRAC's published guidance still represents best practice for vendor due diligence, particularly around beneficial ownership verification and sanctions screening.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.