Guide · 15 min read

Vendor Due Diligence Checklist: Canadian Third-Party Risk Assessment Guide

Complete Canadian vendor due diligence checklist: 7-step process, FINTRAC PCMLTFA requirements, OSFI guidelines, PIPEDA and provincial compliance 2026.

CheckFile Team

Vendor due diligence is the structured, documented process of evaluating a supplier or third-party service provider before entering into a commercial relationship and at regular intervals throughout that relationship. It covers financial health, legal standing, regulatory compliance, cybersecurity posture, ESG practices and supply chain exposure. In Canada, vendor due diligence obligations arise from an overlapping federal and provincial framework: the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), FINTRAC reporting obligations, OSFI Guideline B-10 for federally regulated financial institutions, PIPEDA at the federal level, and Quebec's Loi 25 — which came into full force in September 2023 and imposes requirements that are stricter than any other Canadian privacy statute.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. For advice on your specific situation, consult a qualified professional.

What Is Vendor Due Diligence in Canada?

Vendor due diligence (VDD) is a formal, risk-based assessment of a third party — supplier, outsourced service provider, technology partner or subcontractor — designed to identify, measure and document the risks that party introduces to the commissioning organisation. It goes beyond administrative onboarding checks to cover the complete risk profile: financial, legal, operational, technological and ethical dimensions.

VDD sits within the broader framework of Third-Party Risk Management (TPRM). For a comprehensive overview of the TPRM lifecycle, see our dedicated article: Third-Party Risk Management — Complete TPRM Guide.

VDD Type | Primary Scope | Typical Trigger
--- | --- | ---
Standard Due Diligence (CDD) | Identity, financial standing, criminal background | All new vendors
Enhanced Due Diligence (EDD) | Deep-dive UBO, PEP/sanctions, beneficial ownership | High-risk vendors, sensitive geographies
Ongoing Due Diligence | Monitoring for material changes in risk profile | Active contracts, renewals
ESG Due Diligence | Social, environmental and governance practices | Supply chain obligations, CBCA governance
ICT Vendor Due Diligence | Operational resilience, sub-outsourcing, exit plans | OSFI B-10 regulated entities

Conflating a basic supplier onboarding process with structured due diligence is the most common source of regulatory exposure for Canadian firms — it creates documentary gaps that FINTRAC examiners and OSFI reviewers identify first during compliance examinations.

Canadian Regulatory Framework (PCMLTFA, FINTRAC, OSFI B-10, PIPEDA/Loi 25)

Five primary frameworks govern vendor due diligence obligations for Canadian organisations in 2026, each with distinct scope and enforcement mechanisms.

PCMLTFA (Proceeds of Crime (Money Laundering) and Terrorist Financing Act, S.C. 2000, c. 17)

The PCMLTFA is Canada's primary anti-money laundering and counter-terrorist financing statute. It applies to a broad range of reporting entities — financial institutions, money services businesses, real estate brokers, accountants, dealers in precious metals and stones, and others designated under the Act. Reporting entities must identify clients, verify their identity, keep prescribed records and report certain transactions to FINTRAC.

The cash transaction reporting threshold under the PCMLTFA is CAD 10,000. Any single cash transaction at or above this threshold must be reported to FINTRAC within 15 business days. Suspicious transaction reports (STRs) must be submitted regardless of amount when there are reasonable grounds to suspect that a transaction relates to money laundering or terrorist activity financing (PCMLTFA, S.C. 2000, c. 17).

For vendor due diligence purposes, the PCMLTFA requires that entities acting as intermediaries or processing payments on behalf of a reporting entity are themselves assessed for AML/CFT compliance, including verification of their FINTRAC registration status and AML program adequacy.

FINTRAC (Financial Transactions and Reports Analysis Centre of Canada)

FINTRAC is Canada's financial intelligence unit and the primary AML/CFT regulator. All reporting entities under the PCMLTFA must register with FINTRAC and comply with its guidelines on client identification, record-keeping and reporting. FINTRAC has the authority to conduct compliance examinations and to impose administrative monetary penalties (AMPs) for non-compliance, with penalties reaching CAD 500,000 per violation for individuals and CAD 1,000,000 per violation for entities.

When assessing a vendor that itself qualifies as a reporting entity — a payment processor, money services business, or financial intermediary — confirming active FINTRAC registration and reviewing the vendor's AML compliance program is a core due diligence step.

OSFI Guideline B-10: Third-Party Risk Management (2023)

OSFI Guideline B-10, revised in 2023, sets out the Office of the Superintendent of Financial Institutions' expectations for federally regulated financial institutions (FRFIs) managing third-party risks. The guideline requires FRFIs to maintain a comprehensive third-party risk management program that covers identification, risk assessment, due diligence, contract management and ongoing monitoring for all material third-party arrangements (OSFI).

Under OSFI B-10, a FRFI must conduct risk-based due diligence before entering any material third-party arrangement and must document its assessment of the third party's financial viability, operational resilience, information security practices and regulatory standing. Concentration risk — where multiple critical functions depend on a single third party or a small number of providers — must be explicitly identified and managed.

PIPEDA and Provincial Privacy Laws (including Quebec's Loi 25)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law, applicable to organisations that collect, use or disclose personal information in the course of commercial activity. PIPEDA requires that vendors processing personal data on behalf of a contracting organisation implement comparable safeguards and that the contracting organisation remains accountable for how its vendors handle that data. The Office of the Privacy Commissioner of Canada (OPC) enforces PIPEDA.

Quebec's Loi 25 (An Act to Modernize Legislative Provisions as regards the Protection of Personal Information) is now in full force as of September 2023 and applies to any organisation that collects or uses personal information about Quebec residents, regardless of where the organisation is headquartered. Loi 25 imposes stricter obligations than PIPEDA, including mandatory privacy impact assessments (PIAs) before communicating personal information outside Quebec, a right to data portability, and heightened requirements for automated decision-making. Enforcement rests with the Commission d'accès à l'information du Québec (CAI).

CBCA Beneficial Ownership and Sanctions (SEMA)

The Canada Business Corporations Act (CBCA) was amended in 2023 to require all CBCA-incorporated companies to create and maintain a register of individuals with significant control (ISC). This register must be updated annually and upon any material change. When conducting vendor due diligence on a Canadian-incorporated counterparty, verifying the accuracy and currency of its ISC register — available through Corporations Canada for federal companies — is a mandatory step for regulated entities.

Canada's sanctions framework is administered through the Special Economic Measures Act (SEMA) and the Justice for Victims of Corrupt Foreign Officials Act (Magnitsky Act). All vendor directors and ultimate beneficial owners must be screened against Canada's consolidated autonomous sanctions list as well as the UN Security Council sanctions list.

Our platform analysis of 45,000+ vendor files shows 14.2% contain blocking errors — expired documents, UBO identity mismatches, or Business Number discrepancies — that manual review processes consistently fail to catch.

7-Step Vendor Due Diligence Checklist for Canadian Businesses

This checklist covers the complete vendor assessment cycle from initial onboarding through ongoing monitoring. It is applicable across sectors and should be calibrated to the risk tier assigned to each vendor. For a broader checklist covering all business due diligence scenarios, see: Due Diligence Checklist for Businesses — Complete Guide.

Step 1 — Identity Verification and Initial Qualification

  • Collect legal identity documents: Certificate of Incorporation (federal or provincial), articles of incorporation, registered address confirmation
  • Obtain and verify the CRA Business Number (BN): a 9-digit number assigned by the Canada Revenue Agency to identify the business entity for federal tax purposes
  • For Quebec-incorporated vendors: obtain the Numéro d'entreprise du Québec (NEQ) from the Registraire des entreprises du Québec
  • Identify and verify all individuals with significant control (ISC) holding 25% or more — cross-reference against the CBCA ISC register via Corporations Canada for federal companies
  • Confirm no active insolvency proceedings via the Office of the Superintendent of Bankruptcy Canada (OSB) registry
  • Verify current corporate status via Corporations Canada (federal) or the relevant provincial registry
  • Obtain most recent audited financial statements or reviewed financial statements
  • Check for judgments, writs and executions in relevant provincial courts
  • Confirm sector-specific licences and registrations: FINTRAC registration (where applicable), provincial securities registrations, provincial law society membership (LSO for Ontario, Barreau du Québec for Quebec)
  • For financial intermediaries: confirm active FINTRAC registration and review AML compliance program documentation

Step 3 — Sanctions, PEP and Adverse Media Screening

  • Screen all directors and UBOs against Canada's SEMA consolidated sanctions list, the UN consolidated list and OFAC SDN list
  • Check Politically Exposed Person (PEP) status for all directors, significant shareholders and ISC-listed individuals (both foreign and domestic PEPs — Canadian banks and MSBs must check both categories under the PCMLTFA)
  • Run adverse media search covering past 5 years: fraud, bribery, money laundering, regulatory sanctions, RCMP investigations
  • Screen against OSFI-regulated entities deregistration list and provincial securities commission enforcement actions (OSC, AMF Québec, BCSC)

Step 4 — Financial Health Assessment

  • Review three most recent sets of annual financial statements: income statement, balance sheet, cash flow statement
  • Calculate key ratios: current ratio, debt-to-equity, EBITDA margin, days sales outstanding
  • Assess customer concentration risk — flag if a single customer exceeds 25% of revenue
  • Review the PPSA (Personal Property Security Act) registry in the relevant province for any registered security interests against the vendor's assets

Step 5 — Operational and Technology Risk Assessment

  • Review Business Continuity Plan (BCP) and Disaster Recovery (DR) documentation
  • Verify ISO 27001, SOC 2 Type II, or equivalent certification for vendors handling sensitive or personal data
  • Map sub-contractors and sub-processors — identify concentration risk where a single sub-supplier underpins multiple critical vendor relationships
  • For OSFI B-10 regulated entities: verify the vendor's compliance with sub-contracting requirements, exit plans and data portability provisions
  • Confirm contractual provisions for audit rights, notification of material incidents and regulatory access

Step 6 — Privacy and Data Protection Assessment

  • Confirm the vendor's PIPEDA or provincial privacy law compliance status for data handling
  • For vendors handling personal information of Quebec residents: confirm Loi 25 compliance, including PIA procedures and cross-border transfer safeguards
  • Obtain a signed Data Processing Agreement (DPA) or Data Handling Agreement that specifies purpose limitation, retention periods and sub-processor controls
  • Verify that the vendor has a documented privacy breach notification process meeting the 72-hour notification requirement under PIPEDA (breach of security safeguards regulations)

Step 7 — Scoring, Documentation and Ongoing Monitoring

  • Assign an overall risk tier (Low / Medium / High / Critical) based on evidence from Steps 1–6
  • Assemble a timestamped vendor dossier with all collected documents, check results and scoring rationale
  • Set review frequency: annually for medium-risk, semi-annually for high-risk, event-triggered for critical
  • Configure monitoring alerts for material trigger events: director changes, insolvency filings, new sanctions, FINTRAC enforcement actions, data breaches, OSFI orders

Organisations that formalise these 7 steps in a documented process reduce average per-file processing time by 60% and reduce audit-identified non-conformities by a factor of three, based on aggregated data from our platform at CheckFile.


Key Risk Categories

Every vendor presents a composite risk profile. The table below maps the principal risk categories, key alert indicators and relative priority by type of commissioning organisation operating in Canada.

Risk Category | Key Alert Indicators | Priority (Financial Entity) | Priority (Non-Financial Business)
--- | --- | --- | ---
Financial risk | Negative equity, payment arrears, insolvency proceedings | High | High
Sanctions / compliance risk | SEMA/OFAC listing, undisclosed PEP | Critical | High
FINTRAC/AML risk | Unregistered MSB, inadequate AML program | Critical | Medium
Operational risk | No BCP, single-supplier dependency for critical function | High | Medium
ICT / cyber risk | No ISO 27001, recent material security breach | Critical (OSFI B-10) | Medium
Legal risk | Active litigation, director disqualifications, court judgments | High | High
Privacy risk | PIPEDA/Loi 25 non-compliance, inadequate data processing agreement | High | High
Geographic risk | FATF high-risk jurisdictions, sanctioned territories | Critical | High
Concentration risk | Sole provider for business-critical service | High | High

For entities subject to OSFI Guideline B-10, ICT and concentration risk have been elevated to critical-priority categories, with mandatory documentation requirements, exit plans and notification obligations for vendors designated as material third parties (OSFI).

A weighted scoring matrix template, calibrated for Canadian regulatory requirements, is available in our Document Verification Guide.
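The following is an added illustration of how Step 7's tiering and the dossier pre-checks fit together; it is example code written for this article, not CheckFile's platform code. It encodes the priority table above and flags the three blocking errors the article names (an expired certificate, an ISC/UBO mismatch against the registry extract, a Business Number discrepancy). Assumptions not taken from the page: the overall tier is the highest table priority among categories with a confirmed alert indicator (the weighted matrix itself is not reproduced here), Low-tier vendors are reviewed annually, "within 3 months" is read as 90 days, and the BN check digit is validated with the Luhn algorithm (an assumption to confirm against CRA guidance). All vendor names, Business Numbers and holdings are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Priority by risk category, transcribed from the article's Key Risk Categories table:
# (priority for a financial entity, priority for a non-financial business).
CATEGORY_PRIORITY = {
    "financial": ("High", "High"),
    "sanctions": ("Critical", "High"),
    "aml": ("Critical", "Medium"),
    "operational": ("High", "Medium"),
    "ict": ("Critical", "Medium"),        # "Critical (OSFI B-10)" in the table
    "legal": ("High", "High"),
    "privacy": ("High", "High"),
    "geographic": ("Critical", "High"),
    "concentration": ("High", "High"),
}
TIER_ORDER = ["Low", "Medium", "High", "Critical"]

# Review cadence from Step 7; the article lists medium, high and critical only,
# so annual for Low is an assumption.
REVIEW_CADENCE = {"Low": "annual", "Medium": "annual",
                  "High": "semi-annual", "Critical": "event-triggered"}

CERT_MAX_AGE = timedelta(days=90)   # "within 3 months" (FAQ), taken as 90 days
ISC_THRESHOLD = 25.0                # Step 1: individuals holding 25% or more


@dataclass
class Dossier:
    vendor: str
    business_number: str            # CRA Business Number, 9 digits
    incorporation_cert_date: date   # issue date of the certificate on file
    declared_isc: dict[str, float]  # name -> % holding declared by the vendor
    registry_isc: dict[str, float]  # name -> % holding per the Corporations Canada extract
    findings: dict[str, bool]       # risk category -> alert indicator confirmed


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check digit; applying it to the BN is an assumption here."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def blocking_errors(d: Dossier, today: date) -> list[str]:
    """Pre-checks for the blocking errors the article names: expired documents,
    ISC/UBO mismatches and Business Number discrepancies."""
    errors = []
    bn = d.business_number.replace(" ", "")
    if not (bn.isdigit() and len(bn) == 9):
        errors.append("Business Number is not 9 digits")
    elif not luhn_ok(bn):
        errors.append("Business Number check digit fails")
    if today - d.incorporation_cert_date > CERT_MAX_AGE:
        errors.append("certificate of incorporation older than 3 months")
    # Every declared holder at/above the threshold must agree with the registry...
    for name, pct in d.declared_isc.items():
        if pct >= ISC_THRESHOLD and abs(d.registry_isc.get(name, 0.0) - pct) > 0.5:
            errors.append(f"ISC holding mismatch for {name}")
    # ...and every registry holder at/above the threshold must have been declared.
    for name, pct in d.registry_isc.items():
        if pct >= ISC_THRESHOLD and name not in d.declared_isc:
            errors.append(f"undeclared ISC: {name}")
    return errors


def risk_tier(findings: dict[str, bool], financial_entity: bool) -> str:
    """Overall tier = highest table priority among categories with a confirmed
    alert indicator (assumed rule); no confirmed indicators -> Low."""
    col = 0 if financial_entity else 1
    tier = "Low"
    for category, hit in findings.items():
        if hit:
            priority = CATEGORY_PRIORITY[category][col]
            if TIER_ORDER.index(priority) > TIER_ORDER.index(tier):
                tier = priority
    return tier


def assess(d: Dossier, financial_entity: bool, today: date) -> dict:
    """Step 7 output for one dossier: blocking errors, tier and review cadence."""
    errors = blocking_errors(d, today)
    tier = risk_tier(d.findings, financial_entity)
    return {"vendor": d.vendor, "status": "blocked" if errors else "scored",
            "blocking_errors": errors, "tier": tier, "review": REVIEW_CADENCE[tier]}


# Constructed sample dossiers (fictitious vendors, holdings and Business Numbers).
AS_OF = date(2026, 3, 1)
SAMPLE_OK = Dossier(vendor="Northwind Payments Inc.", business_number="123456782",
                    incorporation_cert_date=date(2026, 1, 20),
                    declared_isc={"A. Tremblay": 60.0, "B. Singh": 40.0},
                    registry_isc={"A. Tremblay": 60.0, "B. Singh": 40.0},
                    findings={"ict": True})
SAMPLE_BLOCKED = Dossier(vendor="Example Logistics Ltd.", business_number="123456789",
                         incorporation_cert_date=date(2025, 6, 1),
                         declared_isc={"C. Ng": 100.0},
                         registry_isc={"C. Ng": 70.0, "D. Roy": 30.0},
                         findings={"financial": True, "legal": True})

if __name__ == "__main__":
    for dossier in (SAMPLE_OK, SAMPLE_BLOCKED):
        print(assess(dossier, financial_entity=True, today=AS_OF))
```

The same ICT finding yields a Critical tier (event-triggered review) for a financial entity but only Medium (annual review) for a non-financial business, which is the point of carrying both priority columns; a dossier with any blocking error is reported as blocked and is not scored until the documents are refreshed and the ISC discrepancy is explained.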

Automating Vendor Due Diligence

Automation of vendor due diligence addresses three simultaneous pressures: the increasing volume of vendors requiring assessment, the growing complexity of overlapping federal and provincial regulatory frameworks, and the need for an auditable evidence trail that can withstand FINTRAC, OSFI or CRA scrutiny.

Our analysis of 45,000+ vendor files shows 14.2% contain blocking errors on our platform — expired certificates, discrepancies between declared ISC information and Corporations Canada records, or documents bearing indicators of tampering. Manual review processes, constrained by time and inconsistent checker training, fail to identify these errors in more than 40% of cases.

CheckFile automates the verification layer at each step of the checklist: OCR extraction of identity and registration data, cross-document consistency checks, cryptographic validation of official certificates, and daily-refreshed sanctions and PEP screening. The platform produces a timestamped, electronically signed vendor dossier that serves directly as audit evidence during FINTRAC compliance examinations, OSFI supervisory reviews or privacy authority inquiries.

The dual federal-provincial structure of Canadian regulation — particularly the distinction between PIPEDA and Loi 25 for Quebec-resident data, and between federal CBCA requirements and provincial corporate registries — makes consistent documentation especially important. Platforms that track jurisdiction-specific requirements reduce the risk of provincial non-compliance being overlooked.

For lending, leasing and asset finance teams processing high volumes of vendor and borrower dossiers, our dedicated module at /solutions/financement-leasing reduces per-file processing time by an average of 78%. Technical details on our security infrastructure are available at /securite. Review plans and pricing at /tarifs.

Automation does not remove human accountability from the final risk decision — it redirects compliance officer time from manual data gathering to analysis of complex, high-risk cases where professional judgement is genuinely needed.

Frequently Asked Questions

What is vendor due diligence and why is it required in Canada?

Vendor due diligence is a structured assessment of a supplier covering its financial, legal, regulatory and operational standing. In Canada, it is required by several overlapping frameworks: the PCMLTFA and FINTRAC regulations for reporting entities, OSFI Guideline B-10 for federally regulated financial institutions, PIPEDA and Quebec's Loi 25 where vendors process personal data, and CBCA beneficial ownership requirements for corporate counterparties. Failure to conduct and document adequate due diligence exposes organisations to FINTRAC administrative monetary penalties, OSFI supervisory action, and privacy authority enforcement.

What is the difference between standard and enhanced vendor due diligence in Canada?

Standard due diligence (CDD) covers the baseline checks: legal identity verification, Business Number confirmation, financial standing, and sanctions screening. Enhanced due diligence (EDD) is triggered by elevated risk indicators — vendors operating in FATF high-risk jurisdictions, PEP-connected directors, high-value contracts, or activities involving large cash transactions above the CAD 10,000 PCMLTFA threshold. EDD adds deeper ISC verification, source of funds analysis, more frequent periodic reviews and additional documentation requirements.

How does Quebec's Loi 25 affect vendor due diligence for Canadian businesses?

Quebec's Loi 25, fully in force since September 2023, imposes obligations beyond federal PIPEDA for any organisation collecting or using personal information about Quebec residents. For vendor due diligence, this means: conducting a privacy impact assessment (PIA) before sharing personal information with a vendor outside Quebec, obtaining the vendor's written undertaking to protect the information to a comparable standard, and incorporating specific contractual provisions. Organisations headquartered outside Quebec but with Quebec-resident data subjects — including employees and customers — are fully subject to Loi 25. The Commission d'accès à l'information (CAI) can impose penalties of up to CAD 25,000,000 or 4% of worldwide turnover for serious violations.

How often should vendor due diligence be renewed for Canadian businesses?

Review frequency depends on the risk tier assigned to the vendor and applicable regulatory obligations. Under OSFI Guideline B-10, ongoing monitoring is required for all material third-party arrangements, with formal periodic review at least annually. FINTRAC guidelines expect that the ongoing monitoring obligation for reporting entities covers vendors acting as intermediaries on an event-triggered and periodic basis. In practice, most Canadian compliance programmes apply semi-annual reviews for high-risk and critical vendors, annual reviews for medium-risk vendors, and event-triggered reviews for all vendors when material changes occur.

What documents must be collected for a Canadian vendor due diligence file?

The minimum document set for a Canadian vendor includes: Certificate of Incorporation or equivalent provincial document (within 3 months), CRA Business Number confirmation, ISC register excerpt (CBCA federal companies) or equivalent provincial beneficial ownership documentation, most recent audited or reviewed financial statements, valid professional liability and commercial general liability insurance certificates, and any sector-specific licences. For vendors processing personal data of Quebec residents, add: privacy impact assessment documentation, signed data processing agreement with Loi 25 provisions, and evidence of comparable safeguards. For payment processors and MSBs, add: current FINTRAC registration confirmation and AML program summary.
