
Insurance KYC Compliance in Canada 2026: FINTRAC, OSFI, and PCMLTFA

Canadian insurance companies face KYC/AML obligations under PCMLTFA and FINTRAC rules. Complete guide: SIN verification, OSFI guidelines, provincial variations, and PIPEDA.

CheckFile Team

Canadian life insurance companies and insurance intermediaries have mandatory anti-money laundering (AML) and know-your-customer (KYC) obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) is the federal financial intelligence unit that receives suspicious transaction reports and cash transaction reports from insurance entities across Canada. For federally regulated insurers, the Office of the Superintendent of Financial Institutions (OSFI) also issues guidelines on corporate governance and risk management that complement FINTRAC requirements.

Canada's insurance regulatory framework differs from the EU's AMLD6 in several important ways: requirements apply selectively by product type, federal and provincial regulators share oversight, and Quebec has its own distinct data privacy framework under Loi 25.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for advice tailored to your situation.

The Canadian Insurance AML Framework

Life insurance companies are listed as "reporting entities" under Part I of the PCMLTFA when they issue, sell, or underwrite life insurance policies or annuity contracts. The FINTRAC Guideline 6E specifically addresses AML compliance requirements for life insurance companies and brokers.

FINTRAC's 2024 sector assessment identified customer identification deficiencies as the most prevalent compliance gap among insurance entities, accounting for approximately 60% of administrative penalties issued to the sector. This finding highlights the importance of robust KYC procedures. For broader compliance context, see our document compliance guide.

Which Insurance Products Trigger KYC Obligations in Canada?

| Product Category | KYC Obligation | Risk Level |
| --- | --- | --- |
| Whole life, universal life, variable universal life | Mandatory from application | High |
| Annuity contracts with cash surrender value | Mandatory | High |
| Segregated fund contracts | Mandatory | High |
| Term life insurance (no cash value) | Reduced | Low |
| Group life through employer | Simplified at insurer level | Low |
| Property and casualty insurance | Not covered by PCMLTFA | Low |
| Disability and health insurance | Not covered by PCMLTFA | Low |

The critical factor is whether the product involves cash surrender value or investment accumulation. Products with these features are "reporting entity" products requiring full AML compliance.

Core KYC Requirements Under PCMLTFA

FINTRAC's requirements for life insurance companies include four primary obligations:

1. Customer Identification

Under PCMLTFA and FINTRAC regulations, a life insurance company must verify the identity of every individual who enters into a business relationship or conducts a transaction of CAD $10,000 or more. Verification methods include:

  • Government-issued photo ID: Canadian passport, provincial driver's licence, permanent resident card, or other FINTRAC-approved documents
  • Credit file method: confirmed Canadian credit history of at least three years
  • Dual-process method: two reliable sources of information confirming name + address, and name + date of birth
  • Affiliate confirmation: where the client was already identified by an affiliated entity

For Social Insurance Number (SIN), FINTRAC does not require insurers to collect it for KYC purposes (unlike for tax reporting), but many insurers collect it for administrative purposes. Where SIN is collected, Privacy Act obligations apply.

2. Beneficial Ownership Verification

Since the 2019 amendments to PCMLTFA, life insurance companies must verify the beneficial ownership of corporations and other legal entities that take out policies. The threshold is 25% or more ownership or control. Verification requires:

  • Reviewing corporate documents (articles of incorporation, shareholder register)
  • Cross-referencing the Corporations Canada registry or applicable provincial registry
  • Recording the identities of all beneficial owners meeting the threshold

3. Suspicious Transaction Reports (STRs) and Large Cash Transaction Reports (LCTRs)

  • STR: filed with FINTRAC within 30 days when the insurer suspects a transaction is related to money laundering or terrorist financing — no minimum dollar threshold
  • LCTR: filed within 15 business days of receiving CAD $10,000 or more in cash in a single transaction or multiple connected transactions within 24 hours

Reports are filed through FINTRAC's F2R system. All reports are confidential — tipping off the subject is an offence under PCMLTFA.

4. AML Program Requirements

Every reporting entity must implement a written AML compliance program that includes:

  • A designated compliance officer
  • Written policies and procedures
  • Employee training (upon hire and at least every two years)
  • Independent effectiveness review (every two years)
  • A documented risk assessment

Provincial Regulatory Considerations

Unlike the federal FINTRAC/PCMLTFA regime, insurance companies are licensed and supervised at the provincial level for market conduct purposes. Key provincial variations include:

Provincial regulators may impose market conduct requirements that supplement federal AML standards. Quebec's AMF is particularly active in AML supervision for financial entities in the province, issuing guidance on money service businesses and insurance intermediaries that goes beyond federal FINTRAC requirements in certain areas.

PIPEDA, Loi 25, and Data Privacy for Insurance KYC

Canadian insurance companies must comply with federal and provincial privacy laws when collecting and processing KYC data:

| Jurisdiction | Privacy Law | Key Requirements for KYC |
| --- | --- | --- |
| Federal | PIPEDA (Personal Information Protection and Electronic Documents Act) | Consent for collection, limitation of purpose, accuracy |
| Quebec | Loi 25 (Law 25) / Law 64 (in force 2023-2024) | Enhanced consent requirements, data minimisation, breach notification within 72 hours |
| British Columbia | PIPA (Personal Information Protection Act) | Similar to PIPEDA with some provincial variations |
| Alberta | PIPA | Similar to PIPEDA |

For insurance companies operating in Quebec, Loi 25 (also known as Law 25 or "An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information") imposes stricter obligations than PIPEDA, including:

  • Privacy impact assessments (PIAs) for new or modified projects involving personal information
  • A privacy officer designation requirement
  • The right to data portability and the right to be forgotten (with limitations)
  • 72-hour breach notification to the Commission d'accès à l'information (CAI)

The Social Insurance Number (SIN) is a protected identifier — its collection requires specific legal authority or explicit consent under the Privacy Act and PIPEDA.

Enhanced Due Diligence in the Canadian Insurance Context

FINTRAC and OSFI expect enhanced scrutiny for the following situations:

  • Politically Exposed Persons (PEPs): PCMLTFA defines PEPs to include senior public officials, their family members, and close associates — both domestic and foreign PEPs
  • High-risk jurisdictions: FATF grey and blacklisted countries, OSFI-identified high-risk markets
  • Complex or layered corporate structures without clear economic rationale
  • Non-face-to-face transactions: remote account opening requires additional verification steps

For domestic PEPs (including Members of Parliament, Senators, judges), senior management approval is needed before establishing the business relationship. Source of wealth and funds must be documented. See our enhanced due diligence compliance guide.

OSFI Guidelines for Federally Regulated Insurers

Federally regulated life insurance companies (those licensed under the Insurance Companies Act) must also comply with OSFI guidelines, including:

  • OSFI Guideline B-6: Managing Legal and Regulatory Compliance Risk — requires an enterprise-wide AML risk assessment and a compliance program
  • OSFI Guideline E-13: Regulatory Compliance Management — sets out expectations for the governance of AML within the three-lines-of-defence model
  • IFRS 17 (Insurance Contracts Standard): while primarily an accounting standard, IFRS 17's enhanced disclosure requirements indirectly support AML risk management by improving transparency of insurance liability measurement

OSFI's supervisory framework for AML complements FINTRAC's reporting obligations. OSFI does not accept Suspicious Transaction Reports — these go exclusively to FINTRAC.

Automated KYC for Canadian Insurers

Canadian insurance companies can leverage automated document verification to meet FINTRAC's identity verification requirements at scale. CheckFile's platform supports Canadian document verification including:

  • Canadian passports and provincial driver's licences (all provinces and territories)
  • Permanent resident cards and immigration documents
  • SIN verification (where applicable and consented)
  • Corporate document validation for beneficial ownership identification

Key benefits for Canadian insurance compliance teams:

  • Bilingual support: English and French for Quebec operations
  • Provincial variation coverage: all provincial driver's licence formats
  • Audit trail: complete, timestamped verification log for FINTRAC examination
  • Integration: compatible with Canadian insurance core systems and policy administration platforms

See our pricing page and API integration guide for details.

FINTRAC Penalties and Enforcement

FINTRAC can impose administrative monetary penalties (AMPs) under PCMLTFA for non-compliance:

  • For life insurance companies: up to CAD $1,000,000 per violation for serious violations
  • For compliance officers: up to CAD $100,000 per violation personally
  • FINTRAC publishes names of entities penalised — public list of AMPs

FINTRAC conducts examinations of reporting entities on a risk-based schedule. Examination findings are not public, but AMPs resulting from examination non-compliance are.

Frequently Asked Questions

Do independent insurance agents in Canada need their own AML programs?

Under PCMLTFA, independent life insurance agents and brokers who sell covered products are separate reporting entities and must have their own AML compliance programs. This is different from the US model where the primary obligation rests with the carrier.

How does Quebec's AMF differ from FINTRAC for insurance AML?

FINTRAC oversees AML/CTF compliance under PCMLTFA across Canada, including Quebec. The AMF Québec oversees insurance distribution market conduct within Quebec. Both authorities may inspect an insurer for their respective compliance areas. Quebec insurers must therefore satisfy both federal (FINTRAC/PCMLTFA) and provincial (AMF/Loi 25) requirements.

What is a Suspicious Transaction Report (STR) vs. a Large Cash Transaction Report (LCTR)?

An STR is filed when the insurer suspects money laundering or terrorist financing — there is no minimum dollar threshold. An LCTR is filed automatically when the insurer receives CAD $10,000 or more in cash in a single transaction or multiple related transactions in 24 hours, regardless of suspicion.

How often must Canadian insurers review their AML compliance program?

PCMLTFA requires an independent effectiveness review of the AML program at least every two years. The review can be conducted by internal audit or an external third-party reviewer, provided sufficient independence is maintained.

Does PIPEDA allow retaining KYC documents for five years?

Yes. PCMLTFA requires retention of KYC records for five years after the end of the business relationship. PIPEDA permits retention where legally required; PCMLTFA's five-year requirement is the applicable legal basis for this extended retention period.
