Crypto and the Travel Rule: where Canadian VASPs are getting it wrong
Canadian crypto firms face overlapping registration, travel rule, and large virtual currency reporting obligations. The most common failure modes, and how to fix them.
Canadian crypto-asset service providers operate at the intersection of three regimes: securities regulation through the CSA, prudential and consumer-protection oversight in some provinces, and AML obligations under the PCMLTFA. The AML piece is where most enforcement risk now lives, and it's where program maturity varies the most across the industry.
Registration and scope
Most crypto firms dealing with the public in Canada must be registered with FINTRAC as money services businesses (MSBs) or foreign MSBs. Registration is not a one-time event: changes in services, ownership, or directors require updates, and lapsed or inaccurate registration is itself a finding that examiners look for first.
The Travel Rule in practice
The Travel Rule requires originator and beneficiary information to accompany virtual currency transfers above the threshold. In practice, three failure modes are common:
- Inbound transfers from counterparties that don't transmit required information, with no documented decisioning on whether to accept, return, or freeze.
- Outbound transfers where required fields are populated incorrectly or incompletely.
- Self-hosted wallet transfers handled inconsistently across the customer base, with no clear policy.
Large virtual currency transaction reports
Reporting obligations for large virtual currency transactions have matured, but firms still struggle with aggregation logic, 24-hour rule application, and the linkage between reportable transactions and the underlying customer record. Examiners specifically look for whether the reported data ties cleanly back to your KYC and transaction history.
Sanctions and high-risk jurisdictions
Crypto's borderless nature means sanctions exposure is constant. Address screening, jurisdictional risk scoring, and ministerial-directive compliance need to be operationalized, not handled ad hoc when something flags.
What 'good' looks like for a Canadian VASP
- A risk assessment that explicitly addresses crypto-specific typologies and is refreshed when products or counterparties change.
- An onboarding flow that captures the customer profile, source of funds, and intended activity, and ties them to ongoing monitoring rules.
- Travel Rule, large virtual currency, and STR workflows that share a single customer and transaction record, not parallel spreadsheets.
- Sanctions and jurisdictional screening that runs continuously, not only at onboarding.
- An audit trail that lets an examiner trace any reported transaction back to the customer, the decision, and the evidence.
The takeaway
The Canadian crypto compliance bar has risen meaningfully and quietly. Firms that built early, lightweight programs to satisfy registration are now finding those programs don't survive examination. The good news is that the operational pattern, connected customer record, consistent monitoring, defensible audit trail, is well understood. The work is in implementing it.
FAQ
What is the Travel Rule for Canadian crypto firms?
The Travel Rule under the PCMLTFA requires originator and beneficiary information to travel with a virtual currency transfer at CAD $1,000 and above. The originator VASP must capture and transmit the information; the beneficiary VASP must receive it. See the requirements explainer at /resources/fintrac-travel-rule-requirements-canada.
Where do Canadian VASPs get the Travel Rule wrong most often?
Three common failure modes: relying on counterparty messaging protocols that the counterparty does not actually support, treating unhosted-wallet transfers as out of scope (they are not), and storing Travel Rule data in a way that cannot be reproduced on FINTRAC request within a reasonable time.
How does Travel Rule capture interact with LVCTRs?
The Large Virtual Currency Transaction Report (LVCTR) is a separate filing at CAD $10,000 and above. The Travel Rule data set is the spine of the LVCTR. Capturing Travel Rule cleanly in the system of record means the LVCTR comes out clean; capturing it separately is the deficiency examiners find most often.
Does Canada accept TRP, OpenVASP, or TRISA for counterparty messaging?
Canada accepts compliant counterparty messaging protocols (including IVMS 101-aligned protocols such as TRP, OpenVASP, and TRISA) provided the information that ends up captured matches the regulatory minimum. The protocol is a means, not the obligation; the obligation is the information.
What does FINTRAC expect for unhosted-wallet transfers?
Enhanced due diligence on the customer and on the destination wallet. Reliance on counterparty messaging that does not exist (because the counterparty is unhosted) is not an acceptable substitute for the underlying obligation to know who is sending and receiving the value.
Sources
Reading is useful. A conversation is faster.
Book a call and we'll tell you, plainly, where your program stands and what to fix first. No retainers. No hourly rates.
Book a call