MSB License in Canada: What It Takes to Launch

Planning to serve Canadian users with a crypto or payments product? In Canada, the practical path is an MSB (Money Services Business) authorization with a production-ready compliance stack—not a generic “VASP” label. This piece lays out the operator view: scope, documents, controls, and sequencing so you can ship v1 without rework. For a step-by-step service overview, see MSB license in Canada.

At a Glance

• Scope first: if you exchange, transfer, or custody client assets—or run on/off-ramps—you’re likely in MSB territory.
• Bank-ready posture: segregation of client funds, working monitoring, and a clear counterparty narrative.
• Design for audits: policies must match product flows; keep evidence (screens, logs, tickets) handy.
• Start narrow: ship a lean feature set (e.g., spot only, no leverage) and add complexity later.

What “MSB” Means in Practice

Canada’s MSB regime focuses on whether you’re in the flow of funds. Reviewers care less about your marketing label and more about how users onboard, fund, transact, and withdraw. If your app or platform touches client money or digital assets, or facilitates exchange/transfer, expect MSB obligations and the need for a documented AML/ATF program.

Scope: Are You In or Out?

Common in-scope activities include:

• Exchange & brokerage: buying/selling crypto for clients, OTC, order routing, or market access.
• Hosted wallets/custody: you hold keys or can move client funds—high scrutiny by default.
• Transfers & payments: moving crypto between users or to external wallets; remittances, cash-in/cash-out.
• On/off-ramps: fiat–crypto conversion with settlement to client accounts.

Lower-touch models (non-custodial tools) may still fall in scope if you embed brokerage, matching, or settlement. Before building, diagram onboarding → funding → action → withdrawal and mark who controls funds at each step.

Choose a Model That Ships (and Stays Compliant)

• Non-custodial app: lighter on custody, but watch for any order-routing/trade execution that looks like brokerage.
• Custodial wallet: implement dual approvals, address allow-lists, hot/cold thresholds, reconciliation routines.
• Exchange/market: keep v1 to spot; defer margin/derivatives. Market features raise the bar on conduct and monitoring.
• Payments/remittance: emphasize sanctions, source-of-funds, and a working Travel Rule method.

Document where decisions are made, which entity serves which users, who holds keys, and how data moves. Ambiguity here creates long review loops.

Documents You’ll Need (Typical Pack)

• Corporate: articles, registers, organizational chart, shareholder agreements (if any).
• People & ownership: IDs, proof of address, CVs for directors/officers/UBOs; fitness/background confirmations where applicable.
• Business plan: product scope, customer segments, jurisdictions, corridors, pricing, and economics.
• Compliance program: AML/ATF manual, sanctions policy, KYC/KYB standards, Travel Rule method, monitoring procedures, escalation/STR flow, training plan.
• Tech & security: wallet/key design, vendor list & due diligence, incident response, change management, pen-test policy.
• Custody & safeguarding: segregation of client vs company assets, withdrawal approvals, reconciliation cadence, insurance (if applicable).
• Financials: 12–24-month budget, capital policy, liquidity runway, continuity scenarios.
• Customer docs: T&Cs, risk disclosures, fee schedule, complaints handling, fair-marketing standards.

Compliance-by-Design (Make It Work in Production)

• KYC/KYB: verify identities (retail) and company docs/UBOs (business). Risk-rate and refresh on a schedule tied to exposure.
• Sanctions screening: at onboarding and ongoing—for users, counterparties, and key vendors.
• Travel Rule: for qualifying transfers, transmit originator/beneficiary data. Pick an interoperable provider early and document your hand-off points.
• Monitoring: rules + machine assistance; cover typologies (mixers, chain-hopping, mules, sanctioned exposure). Keep case notes and timestamps.
• Recordkeeping: logs for onboarding, risk decisions, transfers, and alert outcomes—searchable and exportable.

Reviewers look for evidence, not promises. Screenshots of flows, system logs, and actual case tickets speed approvals.

Bank-Ready Posture (What Providers Check)

• Segregation & reconciliation: separate client assets from operational funds; daily/weekly recs with proof.
• Counterparty story: top exchanges, market makers, custodians; expected monthly volumes and geographies.
• Runway & governance: budget, cash position, board oversight (minutes/resolutions) and designated Compliance Officer.
• Controls in action: KYC/monitoring screenshots, STR/escalation logs, Travel Rule messages.

Many teams open with a fintech-friendly EMI/PSP for operations and cards, then add a bank for redundancy and currencies. Choose partners that already support your industry and corridors—re-onboarding mid-scale is costly.

Timeline & Sequencing (Keeps Momentum)

1. Model mapping & gap analysis (1–2 weeks): diagram user flows; decide custodial vs non-custodial; list partners and corridors.
2. Policy drafting (2–4 weeks): build AML/ATF, Travel Rule, monitoring, custody, and security policies tied to real product behavior.
3. Pre-filing alignment (1–2 weeks): appoint the Compliance Officer; confirm vendors (KYC, Travel Rule, custody); tidy org chart and decision rights.
4. Submission & clarifications: file a complete pack; respond with short, evidenced answers (policy excerpt, screen, log) to keep the clock moving.
5. Go-live readiness (parallel): integrate providers, test approvals and withdrawals, run a tabletop incident drill, finalize reporting templates.

Keep v1 tight. Add staking, leverage, or complex market features only after the base is live and stable.

Red Flags That Stall Approvals

• Policy–product mismatch: manuals claim controls the app doesn’t implement yet.
• Fuzzy custody narrative: unclear key management, no dual controls, weak reconciliation trail.
• Travel Rule “later”: intent isn’t enough—pick a solution and show messages moving.
• Entity role confusion: cross-border group without a clean service map (who serves whom, from where).
• Vendor due diligence gaps: no assessments for custodians/KYC/monitoring tools you rely on.

Operator’s Toolkit

• One-pager for banks/vendors: model, geos, corridors, volumes, counterparties, contacts.
• Data room: Corporate, Banking, Contracts, Accounting, Compliance; keep files dated and searchable.
• Monthly close checklist: reconciliations, alerts review, STR summary, cash and runway note to the board.
• Access control: limit who can move funds; dual approvals; emergency rollback paths for deployments.

FAQ

Is every crypto app an MSB in Canada?
Not automatically. It depends on whether you’re in the flow of funds and whether your features map to exchange, custody, or payment services.

Can non-custodial tools avoid the heavy lift?
Often lighter, yes—but embedded brokerage/matching can still bring you into scope. Validate before you commit.

How long does it take?
Timelines depend on completeness and complexity. Narrow scope + evidence-backed answers generally move faster.

What do banks actually want?
Segregation, reconciliation, AML in action, Travel Rule working, and credible governance—shown with logs, screens, and minutes.

Who can help

LegalBison is an international advisory firm that helps crypto and fintech teams obtain the permissions they need, design workable compliance programs, and secure banking. The team blends legal precision with practical build-out so founders can launch safely and scale with confidence. Learn more at legalbison.com.