Setting Internal Controls for Crypto Payments
How Canadian businesses can build internal controls for crypto payments, covering authorization policies, custody, reconciliation, and FINTRAC record-keeping...

If your business accepts Bitcoin, the informal approach of "one person handles it" works fine at low volumes. Once more than a handful of employees touch the process, or once transaction sizes grow, that informality creates real exposure: funds can be sent to wrong addresses, records can go missing at tax time, and a single compromised device can drain a wallet.
Internal controls are the documented rules, roles, and checks that reduce those risks. This guide describes how they generally work for crypto payments at small to medium Canadian businesses, and which Canadian regulatory touchpoints you will want to keep in mind. Nothing here is legal or tax advice; your accountant, legal counsel, and a compliance professional can tailor these ideas to your specific situation.
Why Crypto Payments Need Their Own Control Framework
Most businesses already have controls around cash, cheques, and bank transfers: dual authorization above a dollar threshold, segregation of duties between the person who initiates a payment and the person who approves it, and monthly reconciliation against a bank statement.
Bitcoin does not fit neatly into those templates. A few properties that change the risk picture:
- Transactions are final. A Bitcoin payment sent to the wrong address cannot be recalled the way a wire transfer sometimes can. That irreversibility puts a premium on controls that run before a transaction, not after.
- Private keys are the asset. Whoever controls the private key controls the bitcoin. An employee with access to an unencrypted wallet file could move funds without leaving the paper trail that a traditional transfer would.
- FINTRAC has reporting obligations for crypto. Businesses that deal in virtual currency at or above certain thresholds must register with FINTRAC as a money services business (MSB) and meet record-keeping, know-your-client (KYC), and large-transaction reporting requirements. The specific thresholds and covered activities are defined in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its regulations; the rules have changed before and may change again, so verify current requirements with a compliance professional.
- CRA treats crypto as a commodity. Every receipt of Bitcoin is a taxable event in some form, and every subsequent disposition may trigger a capital gain or business income event depending on how CRA characterizes your activity. That means your bookkeeping system needs a record of the CAD fair-market value at the time of each transaction.
Because of that last point, your crypto controls and your accounting controls are closely linked.
Authorization and Segregation of Duties
The core principle of segregation of duties is that no single person should be able to initiate, approve, and record a transaction without another set of eyes involved. For crypto:
Transaction authorization thresholds. A written policy might state that any outbound payment under $500 CAD equivalent can be authorized by a designated employee, payments between $500 and $5,000 require manager sign-off, and anything above $5,000 requires two approvals. The thresholds are illustrative; the point is that they exist in writing and are enforced.
Separation of custody and accounting. Ideally, the employee who holds wallet access is not the same employee who reconciles transaction records against the general ledger. Where a small business does not have enough staff to fully separate these roles, compensating controls like monthly review by an owner or external bookkeeper can partially substitute.
Vendor/customer address whitelisting. Some wallet software and payment processors support address whitelisting: outbound transfers can only go to pre-approved addresses. Setting this up for recurring counterparties reduces the risk of a social-engineering attack where an employee is tricked into sending funds to a fraudulent address. The guide on protecting your business from Bitcoin payment scams covers the attack patterns that controls like this are designed to stop.
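The three pre-send controls in this section (approval thresholds, address whitelisting, and address verification) can be combined into one gate that runs before anything is signed. The Python below is an added example written for this guide, not code from any wallet or payment processor. The $500 and $5,000 tiers follow the illustrative policy above; how the exact boundary amounts are treated, the whitelist, the counterparty names and all function names are assumptions. The two whitelisted addresses are public reference values (the BIP173 test vector and the genesis-block coinbase address), used only because their checksums are known to be valid.

```python
"""Pre-send policy gate for an outbound Bitcoin payment (added example).
Blocks a payment unless the address passes its checksum, is on the approved
counterparty list, and the required approvals for its CAD amount are present."""
import hashlib
from dataclasses import dataclass, field

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3


def required_approvals(cad_amount):
    """Map a CAD amount to (approvals needed, who may give them).
    Placing exactly $500 and $5,000 in the manager tier is an assumption."""
    if cad_amount < 500:
        return 1, "designated employee"
    if cad_amount <= 5000:
        return 1, "manager"
    return 2, "two approvers"


def base58check_valid(addr):
    """1... and 3... addresses decode to 25 bytes; the last 4 must equal the
    first 4 bytes of SHA256(SHA256(first 21 bytes)). Catches typos/truncation."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw  # leading '1' = 0x00 byte
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr, hrp="bc"):
    """bc1... addresses: bech32 checksum for witness v0, bech32m for v1 and up."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is invalid by specification
    addr = addr.lower()
    if not addr.startswith(hrp + "1") or len(addr) > 90:
        return False
    data_part = addr[len(hrp) + 1:]
    if len(data_part) < 7 or any(c not in BECH32_CHARSET for c in data_part):
        return False
    data = [BECH32_CHARSET.index(c) for c in data_part]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    expected = 1 if data[0] == 0 else BECH32M_CONST
    return _bech32_polymod(hrp_expanded + data) == expected


def address_checksum_valid(addr):
    return bech32_valid(addr) if addr.lower().startswith("bc1") else base58check_valid(addr)


# Constructed whitelist: names are invented; addresses are public reference
# values (BIP173 test vector, genesis-block coinbase), not real counterparties.
APPROVED_COUNTERPARTIES = {
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4": "Example Supplier Ltd.",
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa": "Example Landlord Inc.",
}


@dataclass
class Decision:
    allowed: bool
    approvals_required: int
    approver_role: str
    reasons: list = field(default_factory=list)


def check_outbound(address, cad_amount, approvals_given, whitelist=APPROVED_COUNTERPARTIES):
    """Evaluate one outbound payment; any recorded reason blocks it."""
    count, role = required_approvals(cad_amount)
    reasons = []
    if not address_checksum_valid(address):
        reasons.append("address fails checksum validation (typo or truncation)")
    key = address.lower() if address.lower().startswith("bc1") else address
    if key not in whitelist:
        reasons.append("address is not an approved counterparty")
    if approvals_given < count:
        reasons.append(f"{count} approval(s) from {role} required, {approvals_given} given")
    return Decision(not reasons, count, role, reasons)
```

A wallet integration would call `check_outbound` with the CAD equivalent computed by the same valuation method the accounting policy documents, and log every `Decision`, blocked or not, so the reconciliation review has a record of what was attempted. Note that the checksum test only proves the string is a well-formed address; it says nothing about who controls it, which is what the whitelist is for.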
Wallet Access and Key Management
How private keys are held is the most operationally critical control, because key theft means fund loss with limited recourse.
Hardware vs. software custody. A hardware wallet keeps private keys offline and requires physical confirmation for each transaction. Software wallets are more convenient but expose keys to the same attack surface as any networked device. Many businesses use software (hot) wallets for day-to-day receiving and periodically sweep larger balances to cold storage. The tradeoffs are covered in detail at hot wallet vs. cold storage for business Bitcoin.
Multi-signature arrangements. A multisig wallet requires a threshold of keyholders (for example, 2 of 3) to co-sign any outbound transaction. This is the crypto equivalent of dual-control for a bank account and is practical for businesses where any single person having unilateral custody is a concern.
Access provisioning and offboarding. Your control policy should specify who is authorized to generate or import keys, where backup seed phrases are stored (and how they are physically secured), and what happens when an employee with wallet access leaves the company. Failing to rotate or revoke access on employee departure is a common gap.
For a fuller treatment of the storage decision, including the tradeoffs between custody at a payment processor versus self-custody, see how to store the Bitcoin your business receives safely.
Record-Keeping for CRA and FINTRAC
Good records serve two purposes: they support your tax filings, and they satisfy any regulatory obligations your business has.
What to capture per transaction. For each inbound or outbound Bitcoin transaction, a complete record typically includes the transaction ID (on-chain hash), the date and time, the amount in BTC and the CAD fair-market value at the time of the transaction, the identity of the counterparty (where known), and the business purpose.
Source of CAD valuations. CRA expects you to use a reasonable and consistent method for converting crypto to CAD. Most businesses use the closing price on a reputable exchange on the transaction date, or a time-of-transaction spot rate from a data provider. Whichever method you choose, apply it consistently and document it in your accounting policy.
Retention periods. CRA's general rule is a six-year retention period for business records from the end of the tax year they relate to. FINTRAC's record-keeping requirements for MSBs are also on the order of five years. Confirm the current rules with your accountant or compliance adviser, since record-keeping requirements can be updated by regulation.
FINTRAC MSB registration. If your business "deals in virtual currency" within the meaning of FINTRAC's regulations, you may be required to register as an MSB and implement an anti-money-laundering (AML) compliance program. That program includes its own set of written policies, KYC procedures, employee training, and a designated compliance officer. The scope of "dealing in virtual currency" is defined in regulation and does not apply to every business that merely accepts Bitcoin as payment, but the line is not always obvious. A compliance professional can help you determine whether registration applies.
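The per-transaction fields listed above, the requirement for a single consistently applied CAD valuation method, and the reconciliation of wallet activity against the general ledger can be checked mechanically. The following Python is an added example written for this guide, not code from any accounting package or wallet. The record structure follows the field list in this section; the valuation-source label, the function names, the sample ledger, the wallet export and the transaction ids (repeated byte patterns, not real hashes) are all constructed for the example.

```python
"""Transaction record validation and wallet-vs-ledger reconciliation (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal, ROUND_HALF_UP

SATS_PER_BTC = Decimal(100_000_000)
TXID_RE = re.compile(r"[0-9a-f]{64}")
CENTS = Decimal("0.01")
# Assumed accounting-policy value: the one documented CAD valuation source.
POLICY_RATE_SOURCE = "EXAMPLE_EXCHANGE_DAILY_CLOSE"


@dataclass(frozen=True)
class TxRecord:
    txid: str              # on-chain transaction hash
    occurred_at: datetime  # timezone-aware timestamp
    sats: int              # signed: inbound positive, outbound negative
    cad_rate: Decimal      # CAD per BTC at the time, from rate_source
    cad_value: Decimal     # fair-market value in CAD actually booked
    counterparty: str
    purpose: str
    rate_source: str


def fair_market_value(sats, cad_rate):
    """CAD fair-market value of |sats| at cad_rate, rounded to the cent."""
    return (Decimal(abs(sats)) / SATS_PER_BTC * cad_rate).quantize(CENTS, ROUND_HALF_UP)


def validate_record(rec, policy_source=POLICY_RATE_SOURCE):
    """Return every reason a record is incomplete or internally inconsistent."""
    problems = []
    if not TXID_RE.fullmatch(rec.txid):
        problems.append("txid is not a 64-character lowercase hex hash")
    if rec.occurred_at.tzinfo is None:
        problems.append("timestamp has no timezone")
    if rec.sats == 0:
        problems.append("zero-amount transaction")
    fmv = fair_market_value(rec.sats, rec.cad_rate)
    if rec.cad_value != fmv:
        problems.append(f"booked CAD {rec.cad_value} differs from FMV {fmv}")
    if rec.rate_source != policy_source:
        problems.append("valuation source differs from documented accounting policy")
    if not rec.counterparty.strip() or not rec.purpose.strip():
        problems.append("counterparty or business purpose missing")
    return problems


def reconcile(wallet_txs, ledger):
    """Compare a wallet export {txid: sats} with ledger records; return (txid, finding) pairs."""
    findings, by_txid = [], {}
    for rec in ledger:
        if rec.txid in by_txid:
            findings.append((rec.txid, "duplicate ledger entry"))
        by_txid[rec.txid] = rec
    for txid, sats in wallet_txs.items():
        rec = by_txid.get(txid)
        if rec is None:
            findings.append((txid, "on-chain transaction not recorded in ledger"))
        elif rec.sats != sats:
            findings.append((txid, f"amount mismatch: wallet {sats} sats, ledger {rec.sats} sats"))
    for txid in by_txid:
        if txid not in wallet_txs:
            findings.append((txid, "ledger entry has no matching on-chain transaction"))
    return findings


def _rec(txid, sats, rate, booked, counterparty, purpose, source=POLICY_RATE_SOURCE):
    when = datetime(2024, 3, 1, 14, 5, tzinfo=timezone.utc)  # constructed timestamp
    return TxRecord(txid, when, sats, Decimal(rate), Decimal(booked), counterparty, purpose, source)


# Constructed sample data: txids are repeated byte patterns, not real hashes.
SAMPLE_LEDGER = [
    _rec("a1" * 32, 150_000, "85000.00", "127.50", "Customer A", "invoice 1001"),
    _rec("b2" * 32, 2_000_000, "84000.00", "1680.00", "Customer B", "invoice 1002"),
    _rec("c3" * 32, -300_000, "86000.00", "250.00", "Supplier C", "bill 77"),    # booked below FMV
    _rec("d4" * 32, 40_000, "85500.00", "34.20", "Customer D", "invoice 1003"),  # never seen on-chain
]
SAMPLE_WALLET = {
    "a1" * 32: 150_000,
    "b2" * 32: 2_500_000,  # wallet shows more than the ledger booked
    "c3" * 32: -300_000,
    "e5" * 32: 50_000,     # received but never entered in the ledger
}


def run_sample():
    """Validate each ledger record, then reconcile the ledger against the wallet export."""
    problems = {r.txid: validate_record(r) for r in SAMPLE_LEDGER if validate_record(r)}
    return problems, reconcile(SAMPLE_WALLET, SAMPLE_LEDGER)
```

Run monthly by someone other than the keyholder, as the segregation-of-duties section suggests, this kind of check turns "the wallet and the books agree" from an assumption into a documented result: the output lists exactly which transactions were never booked, which ledger entries have no on-chain counterpart, and which CAD values do not match the documented valuation method.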
A Practical Control Checklist
The following items represent common starting points when building a crypto payment policy. They are not exhaustive and do not substitute for professional advice.
| Control area | What to document or implement |
|---|---|
| Authorization | Spending thresholds and approval matrix in writing |
| Custody | Who holds keys; hardware vs. software wallet decision |
| Multi-sig | Whether required above a certain balance or transaction size |
| Address management | Whitelisting for recurring counterparties |
| Reconciliation | Frequency, who performs it, who reviews it |
| Offboarding | Key rotation / revocation process when employees leave |
| Record format | Fields captured per transaction (TXID, CAD value, date, purpose) |
| Retention | Where records are stored; backup policy; retention period |
| FINTRAC | MSB registration determination; AML program if applicable |
| Tax | CAD valuation method; consistent application |
Review these controls at least annually and whenever there is a significant change in transaction volume, personnel, or regulation.
Frequently Asked Questions
Does every Canadian business that accepts Bitcoin need to register with FINTRAC?
Not automatically. FINTRAC's MSB registration requirement applies to businesses that "deal in virtual currency" as defined in the regulations, which covers activities like exchange, transfer, and dealing. A retailer that accepts Bitcoin as one of several payment methods may not fall within the definition, but the boundary depends on the specifics of the activity. FINTRAC publishes guidance on its website, and a compliance professional can assess your situation against the current rules.
What happens if a transaction is sent to the wrong address?
Bitcoin transactions are irreversible once confirmed on the blockchain. There is no central authority to request a reversal. If the address belongs to a known counterparty, you can contact them directly to arrange a return, but they are under no technical obligation to comply. This is why outbound transaction controls, including address verification and whitelisting, matter more for crypto than for many other payment methods.
How do we handle the CAD value for Bitcoin received at different times during the day?
CRA requires a "reasonable" method applied consistently. Common approaches include the spot rate at the time of each transaction, or the closing price on a recognized exchange for the transaction date. Using a publicly verifiable data source (such as a major Canadian exchange's published daily price) and documenting the source in your accounting policy gives you a defensible position. Confirm the approach with your accountant before you adopt it.
Is a written crypto payment policy legally required?
For most businesses, there is no statute that explicitly requires a written crypto payment policy in the way that, for example, FINTRAC requires a written AML compliance program from registered MSBs. That said, a written policy is useful evidence that your business exercised reasonable care in the event of a dispute, a CRA audit, or an internal incident. It also makes onboarding new employees and enforcing consistent procedures considerably easier in practice.
Can we use a payment processor instead of managing keys ourselves?
Yes, and many small businesses do. A payment processor handles custody on your behalf, typically converting Bitcoin to CAD before the funds reach your bank account. That approach shifts the key-management risk to the processor but introduces counterparty risk and may limit your ability to hold Bitcoin as an asset on the balance sheet. Whether processor-based or self-custody arrangements suit your business depends on your operational needs and risk tolerance; the storage comparison at hot wallet vs. cold storage for business Bitcoin is a useful starting point for that decision.
Accept Bitcoin Canada is an independent educational resource. Nothing in this guide is financial, tax, legal, or compliance advice. CRA, FINTRAC, and provincial rules change; confirm current requirements with a qualified professional before you act.