Running a Money Services Business (MSB) in Canada comes with clear obligations under FINTRAC rules, and one of the most important is building a strong risk-based approach (RBA). Many MSB owners wonder how to create an MSB risk assessment for FINTRAC without overcomplicating things. The good news is that you do not need to be a lawyer or a compliance officer with decades of experience to do it right. What you do need is a practical framework that helps you identify risks, design controls, and keep the assessment current.

This guide breaks down the three key parts of an MSB RBA in plain English: identifying inherent risks, applying controls, and keeping the assessment updated. Along the way, we will answer common questions such as what risks must Canadian MSBs identify, how to score inherent risk in an MSB, and what is residual risk in an MSB.

Identifying inherent risks

The first step in an RBA is to map out the types of products, services, delivery channels, client types, and geographies your MSB is involved in. Each of these areas can expose you to different levels of money laundering or terrorist financing risk.

For example, non-face-to-face onboarding through online platforms often carries more risk than meeting customers in person because it is harder to verify identity. Certain payment corridors, such as remittances to high-risk jurisdictions, can also increase exposure. Third-party cash agents represent another higher risk factor since you are relying on another party to follow the same compliance standards.

When thinking about how to score inherent risk in an MSB, keep the method simple. You could use a three-level scale (low, medium, high) or a numerical scale (1 to 5). The key is to rate each risk factor in a way that is clear and consistent. Avoid jargon—think about how you would explain the rating to a new employee on their first day. For instance:

• Low risk: Customers who provide valid Canadian ID in person and send money domestically
• Medium risk: Established businesses using international transfers in moderate-risk countries
• High risk: Individuals using third-party agents to send funds to a high-risk country without face-to-face verification

By clearly mapping out and scoring these categories, you set a foundation that will help you later determine what controls you need.

For more guidance, FINTRAC provides a detailed breakdown of risk considerations for MSBs in its Risk-Based Approach Guidance.

Controls and mitigation

Once you have identified your inherent risks, the next step is linking them to appropriate controls. This is where many small MSBs worry they need to build expensive or complex systems. In reality, proportionality is the principle that matters. Your controls should be strong enough to match your risk exposure, but right-sized so they are practical for your business.

Some examples of controls include:

• Stronger Know Your Customer (KYC) procedures for high-risk customers
• Enhanced due diligence such as collecting additional documents or verifying source of funds
• Limits on transaction size or frequency to prevent unusual spikes
• Velocity checks to flag multiple rapid transfers by the same customer
• Sanctions screening against global and Canadian watchlists
• Manual reviews of unusual transactions or red flags

For small MSBs, proportionality might mean applying enhanced due diligence only for high-risk corridors, rather than every customer. If your MSB only operates domestically, your control framework may be simpler, but you still need to document why that approach is appropriate.

By aligning each risk with a reasonable control, you reduce your exposure and create what regulators call residual risk. Residual risk in an MSB simply means the level of risk that remains after you apply your controls. This is what FINTRAC will expect you to demonstrate if they review your risk assessment.

For detailed examples of suspicious indicators, FINTRAC has a guidance page on MSB transactions.

Ongoing review and updates

Creating an RBA is not a one-time exercise. FINTRAC expects MSBs to review their risk assessment annually or whenever something material changes in their business. Do MSBs need to update their RBA every year? Yes, and also whenever there is a significant shift—like launching a new product, opening a new corridor, or starting to use new technology.

An effective review involves:

• Checking whether your risk ratings still make sense given your client base and services
• Adjusting ratings when new risks appear or old ones decrease
• Recording the reasons for changes in a way that is easy to follow later
• Communicating updates to staff and ensuring your systems reflect new controls

For example, if you notice more customers from a new region, you may need to adjust your geography risk rating. Or if you implement a new sanctions screening tool, you may decide that residual risk for certain corridors has decreased. The important part is that you document these decisions and can show FINTRAC how they connect to your compliance program.

Bringing it all together

Building a risk-based approach is one of the most important compliance tasks for any MSB. By breaking it into three parts—identifying inherent risks, designing controls, and reviewing annually—you can create a clear, effective framework without overcomplicating the process.

If you are unsure where to start or want to ensure your RBA meets FINTRAC’s expectations, Comply North can help. Our team offers MSB Registration Support and even provides a Chief Compliance Officer as a Service, giving you professional and reliable expertise without the overhead of hiring full-time. With direct connections to FINTRAC and the best price in the industry, we make compliance accessible for MSBs of all sizes.Contact Comply North today to learn how we can support your MSB in building and maintaining a strong risk-based approach.