MSB License in Canada: Bank-Ready Blueprint

Serving Canadian users with a crypto or payments product usually means stepping into the MSB (Money Services Business) framework, not a generic “VASP” label. This operator-first blueprint shows how to scope your model, assemble a production-ready compliance stack, and sequence work so v1 ships without rework. For a step-by-step overview of the process and deliverables, see MSB license in Canada.

At a Glance

• In scope if you’re in the flow of funds: exchange/brokerage, transfers/remittances, on/off-ramps, or hosted wallets/custody.
• Evidence over promises: reviewers and banks want screenshots, logs, and case notes that prove controls work.
• Keep v1 narrow: launch with a focused feature set (e.g., spot only, no margin) to reduce review cycles.
• Bank-ready posture: segregation of client assets, reconciliation, sanctions coverage, Travel Rule, and incident runbooks.

Scope: Are You an MSB?

Forget labels—map your actual flows. Draw onboarding → funding → action → withdrawal and mark who controls funds and keys at each step. If your platform exchanges, transfers, or custodies client assets (fiat or crypto), expect MSB obligations and a full AML/ATF program. Non-custodial tools can be lighter, but embedded routing or order-matching can still bring you in scope.

Model Choices (and How They Change Your Burden)

• Non-custodial app: lower custody risk, but watch for brokerage-like execution or order books that trigger market obligations.
• Custodial wallets: design for key management (HSM/multisig), hot/cold segregation, dual approvals, and withdrawal allow-lists.
• Exchange/OTC: keep v1 to spot; match conduct standards with monitoring typologies and fair-marketing rules.
• Payments/remittance/on-ramp: emphasize KYC/KYB depth, sanctions hits handling, source-of-funds, and Travel Rule interoperability.

Document roles across legal entities (who serves whom, from where), data flows, and decision rights. Ambiguity here turns into long clarification loops.

Documents You’ll Prepare (Typical Pack)

• Corporate: articles, registers, org chart, ownership attestations; any shareholder agreements.
• People & ownership: IDs, proof of address, CVs for directors/officers/UBOs; fitness/background confirmations where applicable.
• Business plan: feature scope, customer segments, jurisdictions, corridors, pricing, and realistic unit economics.
• Compliance program: AML/ATF manual, sanctions policy, KYC/KYB standards, Travel Rule method, transaction monitoring, escalation/STR flow, training calendar.
• Tech & security: wallet/key design, change management, incident response, vendor matrix and due diligence, pen-test policy.
• Custody & safeguarding: segregation policy, approvals, reconciliation routine, insurance stance (if applicable).
• Financials: 12–24-month budget, liquidity runway, capital policy, continuity scenarios.
• Customer docs: T&Cs, risk disclosures, fee schedule, complaints handling, marketing standards.

Compliance-by-Design (So It Works in Production)

• KYC/KYB: verify retail identities; for businesses collect corporate docs and UBOs; risk-rate and refresh on a defined cadence.
• Sanctions screening: onboarding and continuous; include counterparties and material vendors.
• Travel Rule: for qualifying transfers, transmit originator/beneficiary data. Pick an interoperable provider early and show message exchange working in your corridors.
• Monitoring: rules + machine assistance; typologies for mules, mixers, chain-hopping, sanctioned exposure. Keep case notes with timestamps and outcomes.
• Recordkeeping: searchable logs for onboarding, risk decisions, transfers, alerts, and STRs, retained for the required period.

Reviewers value evidence. Add a lightweight evidence pack to your submission: anonymized screenshots, sample logs, alert workflow, and example case closures.

Custody Architecture (What Passes Scrutiny)

• Key governance: HSM or audited multisig; role-based access; emergency key rotation procedures.
• Segregation: separate client assets from operational funds; ledger alignment and daily/weekly reconciliation with approval trails.
• Withdrawal controls: dual approvals, velocity/amount limits, address allow-lists for higher-risk cohorts.
• Incident response: clear playbooks for wallet compromise, vendor outage, chain forks, and sanctions hits.
• Change management: controlled releases, rollback paths, and audit logs for privileged actions.

Banking & PSPs: The Questions You’ll Actually Get

• Who are you and who owns you? Clean UBO tree and fit-and-proper evidence for controllers.
• What exactly do you do? One-page narrative aligned with your site, contracts, and policies.
• How do funds move? Diagram of flows, corridors, expected volumes, top counterparties, currencies.
• How do you keep illicit funds out? Sanctions, KYC depth, monitoring thresholds, and escalation artifacts.
• Can you safeguard client assets? Segregation, approvals, reconciliation evidence, and custody vendor due diligence.

Many teams open with a fintech-friendly EMI/PSP for speed and cards, then add a traditional bank for redundancy and currencies. Choosing providers that already support your corridors avoids costly re-onboarding later.

Timeline & Sequencing (Keeps Momentum)

1. Model mapping & gap analysis (1–2 weeks): diagram flows; decide custodial vs non-custodial; list vendors and corridors; define minimum viable scope.
2. Policy drafting (2–4 weeks): build AML/ATF, Travel Rule, monitoring, custody, and security policies tied to real product behavior.
3. Pre-filing alignment (1–2 weeks): appoint the Compliance Officer; finalize vendor choices; tidy the org chart and decision rights; prepare evidence pack.
4. Submission & clarifications: file a complete pack; respond with short, evidenced answers (policy excerpt, screen, log) to keep momentum.
5. Go-live readiness (parallel): integrate providers, test approvals and withdrawals, run a tabletop incident drill, finalize reporting templates and MI.

Resist scope creep. Add staking, leverage, or complex market features only after the base is live and stable.

Cost Buckets (Budget Without Surprises)

• One-off setup: advisory/policy drafting, application preparation, legal reviews.
• Technology & security: KYC/KYB vendor, Travel Rule solution, custody tooling, monitoring stack, security testing.
• Ongoing compliance: officer time, audits, monitoring and reporting, training, renewals.

Chasing the lowest headline fee usually backfires. Under-budgeting creates gaps that delay approvals or block banking.

Risk Checklist (Avoid These Five)

• Policy–product mismatch: manuals claim controls your app hasn’t implemented yet.
• Fuzzy custody narrative: unclear key management, no dual controls, weak reconciliation trail.
• Travel Rule “later”: intent isn’t enough—show working messages for your main corridors.
• Entity role confusion: cross-border group without a clean service map (who serves whom, from where).
• Vendor due diligence gaps: thin assessments for custodians/KYC/monitoring tools you rely on.

FAQ

Is every crypto product an MSB in Canada?
No. It depends on whether you’re in the flow of funds and whether features map to exchange, custody, or payment services.

Can non-custodial tools avoid the heavy lift?
Often lighter, yes—until you embed brokerage/matching or settlement. Validate scope before committing to your build.

How long does it take?
Depends on completeness and complexity. Narrow scope + evidence-backed answers typically move faster.

What do banks actually want?
Segregation, reconciliation, AML in action, Travel Rule working, and credible governance—shown with logs, screens, and minutes.

Need a hand? LegalBison is an international advisory firm that helps crypto and fintech teams obtain the permissions they need, design workable compliance programs, and secure banking. The team blends legal precision with practical build-out so founders can launch safely and scale with confidence. Learn more at legalbison.com.