
How to Verify a Person Online Lawfully: A Practitioner's Guide
Learn defensible, FINTRAC-compliant methods to verify a person online. Covers OSINT, document review, dual-process checks, and Canadian law society rules.
Verifying a person online lawfully requires matching the right regulatory framework to the right method: government ID review via live video, dual-process checks, credit-file cross-referencing, or structured OSINT against public registries. Each method carries distinct compliance obligations under PCMLTFA, provincial law society rules, and PIPEDA that Canadian legal professionals must navigate precisely.
In fiscal 2022-23, FINTRAC processed over 35 million financial transaction reports, with a notable portion linked to remote client onboarding that lacked rigorous identity checks. When a single unverified identity can expose a firm to regulatory sanction, the question is not whether to verify a person online but precisely how to do so in a way that is both operationally sound and legally defensible.
Why Online Identity Verification Matters for Legal and Compliance Professionals
The growing demand for remote identity verification in Canadian legal practice
Post-2020, the shift to virtual practice permanently altered how Canadian law firms onboard clients. Firms increasingly complete entire retainer agreements without a single in-person meeting, which requires structured processes for lawful remote verification methods in Canadian practice. The Law Society of BC and the Federation of Law Societies of Canada both issued updated guidance to address this reality. For practitioners, online verification is no longer a procedural afterthought; it is the default workflow.
What are the legal risks of failing to verify a person's identity online?
Failure to confirm the identity of the person being retained creates cascading exposure. A bad actor who gains access to legal services through a false identity can use a firm as a conduit, generating the risk of a money laundering and terrorist financing investigation and placing the firm directly in regulators' crosshairs. The Canadian Anti-Fraud Centre reported identity fraud cost Canadians an estimated $530 million in 2022. Consequences range from FINTRAC administrative penalties and Law Society discipline to civil liability and, in serious cases, criminal exposure for facilitation.
The limits of online identity confirmation are well documented in legal commentary: without a structured process, a practitioner has no defensible record that any check was actually performed.
Regulatory landscape: FINTRAC, the Law Society of BC, and federal compliance obligations
The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) is the primary federal instrument, administered by FINTRAC. Provincial law societies layer additional verification standards on top of federal anti-money laundering rules. The Federation of Law Societies of Canada sets a national floor. Non-compliance with FINTRAC reporting obligations can trigger fines of up to $500,000 per violation, a figure that concentrates the mind of any compliance officer reviewing onboarding procedures.
Core Legal Framework Governing Online Identity Verification in Canada
Canadian identity-verification law has evolved in distinct stages: a pre-digital era when physical presence was the only accepted standard, a transitional period from 2016 to 2019 when FINTRAC began recognising dual-process online checks, and the current framework that explicitly contemplates remote video and credit-file methods. Understanding which rules apply at which stage helps practitioners build a defensible process today.
| Federal Obligation | Governing Instrument |
|---|---|
| Client identification for reporting entities | PCMLTFA and FINTRAC Regulations SOR/2002-184 |
| Personal data collected during verification | PIPEDA / Bill C-27 CPPA (in transition) |
| Law firm verification standards | Provincial Law Society Rules and Federation Model Code |
| Unlawful investigative access | Criminal Code ss. 342.1, 184, 423 |
The government-standard identity proofing controls developed in the UK provide a useful comparative benchmark when Canadian firms calibrate their internal frameworks against international practice.
Client identification obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act
The PCMLTFA, enacted in 2000 and significantly amended in 2019, obliges reporting entities, including certain legal professionals, to identify clients before providing designated services. Regulation 64 of the PCMLTFR (SOR/2002-184) specifies the acceptable identification methods for remote contexts. FINTRAC's compliance guidance, updated in 2022, lists three accepted remote methods: government-issued photo ID review, dual-process confirmation, and credit bureau check. Practitioners must maintain identity records and verify that the records obtained are genuine, current, and directly associated with the individual presenting them.
Money laundering and terrorist financing compliance is not optional for legal professionals who fall within the definition of a reporting entity. Firms must build verification into their intake process as a structured, documented step, not an informal check.
How provincial law society rules shape virtual verification standards
Not all provincial law societies have identical rules, and the differences matter in practice. The Law Society of BC's virtual-commissioning framework and the Law Society of Ontario's guidance diverge on procedural detail, particularly around real-time video requirements. The Federation of Law Societies of Canada's Model Code sets a floor, not a ceiling; provinces may impose stricter requirements. Most provinces formalised remote verification options in 2020. Practitioners should consult a law firm due diligence verification framework to map their obligations across jurisdictions before building an intake protocol.
Privacy constraints under PIPEDA and provincial equivalents when conducting online checks
Collecting a person's data to verify their identity constitutes a "collection" under PIPEDA, requiring a lawful purpose and meaningful consent. Quebec's Law 25 (Bill 64), which came into full force in 2023, introduced the strictest provincial privacy standard in Canada, with breach notification requirements and expanded rights of access for data subjects. Data minimisation is a core PIPEDA principle: firms should collect only what is necessary to confirm identity and should not retain personal data beyond the five-year retention period mandated by FINTRAC.
Where the Criminal Code creates exposure for unlawful investigative methods
Three Criminal Code provisions create direct exposure for practitioners who stray outside lawful verification methods. Section 342.1 prohibits unauthorised computer access; even accessing a semi-private profile through a fabricated credential may engage this section. Section 184 prohibits unlawful interception of private communications. Section 423 addresses criminal harassment, which deceptive surveillance can implicate. The practical step for any firm is simple: every data point collected during verification must come from a publicly accessible source or from information the subject has consensually disclosed. Review admissibility constraints on online evidence gathered for identity verification before deploying any automated data-collection tool. Defensible verification relies exclusively on lawful methods; pretexting to verify the identity of a client crosses a clear legal line.
Accepted Methods to Verify a Person's Identity Remotely
Choosing a remote verification method is structurally similar to choosing a lock grade for a vault: the value of what you are protecting should determine the strength of the mechanism. A single-factor check may be proportionate for low-risk onboarding; a multi-layered biometric and document review is warranted where the transaction risk is material. FINTRAC accepts three specific remote identity-verification methods, and industry practice has developed two additional supplementary approaches that responsible practitioners deploy in higher-risk contexts.
The five methods covered in this section:
- Government-issued photo ID document review via live video session
- Dual-process identity proofing combining two independent reliable sources
- Biometric authentication with facial-recognition liveness detection
- Credit file and financial-record cross-referencing
- Combined document and biometric review for elevated-risk transactions
For an industry overview of lawful verification approaches across sectors, the MicroBilt resource maps how financial institutions and legal professionals deploy these methods in comparable compliance contexts.
Government-issued photo identification document review via live video session
The live video document review is the most widely used remote method in Canadian legal practice. The client holds a government-issued photo ID directly to the camera while the practitioner or a trained agent conducts a real-time inspection. Acceptable documents include Canadian passports, provincial driver's licences, and Permanent Resident cards. The practitioner must record the session reference, the document type, and the issuing authority. Live video is a firm requirement: static-photo submissions do not satisfy FINTRAC's standards because they cannot reliably verify that the document holder is present and alive at the time of the check. Each step of the session should be logged in the file.
Dual-process identity proofing: combining a reliable source with a secondary credential
Dual-process verification requires two independent and reliable sources, each confirming a different combination of the subject's name, address, and date of birth. A utility bill or bank statement may confirm name and address; a credit bureau file confirms name and date of birth. The two sources must be genuinely independent; two documents from the same institution do not satisfy the requirement. FINTRAC Compliance Guideline 6G sets out what qualifies as a "reliable source" for this purpose. Practitioners commonly use this method when live video is technically impractical, such as when a client is in a jurisdiction with limited bandwidth. Cross-referencing the data across both records reduces the probability of synthetic-identity fraud.
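The dual-process rule described above can be expressed as an automated intake check. The following Python sketch is an added example, not code from FINTRAC or any vendor: the `Source` class, the field names, and the sample identity are constructed for illustration, and it assumes each source must confirm at least two attributes and that independence can be approximated by comparing issuer names.

```python
from dataclasses import dataclass

# Attributes the page names for dual-process checks.
ATTRS = ("name", "address", "date_of_birth")


@dataclass
class Source:
    issuer: str     # institution that produced the record
    kind: str       # e.g. "utility_bill", "credit_file" (hypothetical labels)
    confirms: dict  # attribute -> value exactly as printed on the record


def norm(value):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(str(value).lower().split())


def check_dual_process(claimed, first, second):
    """Return a list of problems; an empty list means the pair passes."""
    problems = []
    # Assumption: same issuer name means the sources are not independent.
    if norm(first.issuer) == norm(second.issuer):
        problems.append("sources share an issuer and are not independent")
    combos = []
    for label, src in (("first", first), ("second", second)):
        matched = set()
        for attr in ATTRS:
            if attr not in src.confirms:
                continue
            if norm(src.confirms[attr]) == norm(claimed[attr]):
                matched.add(attr)
            else:
                problems.append(
                    f"{label} source: {attr} differs from the claimed identity")
        # Assumption: a source that confirms one attribute confirms nothing.
        if len(matched) < 2:
            problems.append(f"{label} source confirms fewer than two attributes")
        combos.append(matched)
    if combos[0] and combos[0] == combos[1]:
        problems.append("both sources confirm the same combination of attributes")
    return problems


# Constructed sample data, not a real person or institution.
CLAIMED = {"name": "Jane Q. Sample",
           "address": "12 Example St, Vancouver BC",
           "date_of_birth": "1980-02-29"}
UTILITY = Source("Example Hydro", "utility_bill",
                 {"name": "JANE Q. SAMPLE",
                  "address": "12 Example St,  Vancouver BC"})
CREDIT = Source("Example Credit Bureau", "credit_file",
                {"name": "Jane Q. Sample", "date_of_birth": "1980-02-29"})

if __name__ == "__main__":
    print(check_dual_process(CLAIMED, UTILITY, CREDIT) or "pass")
```

Storing the returned list alongside the client file gives the reviewer a record of why a pair of sources was accepted or rejected.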
Biometric authentication technology and facial-recognition liveness checks
Liveness detection technology, offered by vendors including Jumio, iProov, and ID.me, uses active and passive challenges to confirm that a living person is presenting the document rather than a photograph or a mask. Reported benchmarks suggest liveness detection reduces spoofing attempts by roughly 80% compared with static-photo checks, making it a materially stronger verification solution for high-value matters. Biometric data is sensitive personal information under PIPEDA, and explicit consent from the user is required before collection. As of 2024, some provincial law societies have not yet issued specific guidance on biometric verification, so practitioners should document the consent process carefully and ensure the chosen vendor meets Canadian data-residency requirements.
Credit file and financial-record cross-referencing as a verification method
Canadian credit bureaus Equifax and TransUnion both offer API-based identity-verification products that allow firms to cross-reference a subject's name, address, date of birth, and account history against a live credit bureau file. FINTRAC accepts a credit bureau file that has been in existence for at least three years as a standalone verification step in the dual-process method. The critical procedural step is obtaining the subject's written consent before pulling the file. The credit bureau check produces a data record that can be retained in the client file to demonstrate compliance at the point of a future FINTRAC audit.
What is the difference between identity proofing and authentication?
Identity proofing establishes that a person is who they claim to be; it is typically a one-time or periodic event conducted at onboarding. Authentication confirms, at each subsequent access point, that the person accessing a system or portal is the same verified individual. Legal professionals need both: proofing at intake, and authentication for ongoing secure client-portal access. A client who signs in to a matter-management portal three months after onboarding should be authenticated against the original verified identity record. For an explanation of where open-source intelligence fits within the proofing process, the guide to OSINT for legal professionals provides a structured framework.
Open-Source Intelligence Techniques for Confirming Real Identities Online
A fabricated online identity is not difficult to construct; it typically takes fewer than 30 minutes and costs nothing. What separates a genuine account from a synthetic persona is not the presence of a profile but the coherence and corroboration of the data points behind it. Structured OSINT methodology, applied lawfully, surfaces those inconsistencies. With LinkedIn hosting over 22 million registered Canadian users as of 2024, the volume of verifiable professional data available through open sources is substantial. A 2022 Stanford Internet Observatory study found that 1 in 8 reviewed profiles on certain platforms showed synthetic-identity signals, confirming that the problem is not theoretical.
Structured reverse image search to spot fake profiles and fabricated personas
The first step in any OSINT-based identity check is a structured reverse image search. Google Images, TinEye, and Yandex each index billions of images, and cross-referencing a profile photo against those databases takes seconds. A photo that appears across multiple unrelated contexts is a strong signal of a synthetic persona. Where available, practitioners should also extract EXIF metadata from image files, which can reveal the device, date, and geographic coordinates of the original capture. This method relies entirely on publicly indexed image data and requires no account access or server-side scraping. The search process is lawful, proportionate, and repeatable, which makes it suitable as a documented verification step.
How to audit an online presence across professional directories and public registries
Canadian public registries offer a reliable, lawful layer of identity corroboration. Key sources include provincial corporate registries such as the BC Registry and the Ontario Business Registry, Law Society member directories, College of Physicians and Surgeons registers, and federal SEDAR+ filings for publicly traded entities. Cross-referencing a person's claimed credentials against these registries is a publicly accessible step that requires no special access and generates no privacy concern. A discrepancy between a claimed title or business affiliation and the relevant registry data is a material red flag warranting further inquiry. For a structured approach to auditing professional credentials and registry data during business verification, a dedicated framework helps practitioners document each verification step consistently.
Social media checks: what signals separate genuine accounts from synthetic identities?
Observable signals that distinguish genuine accounts from fabricated personas include:
- Account creation date relative to the subject's claimed professional tenure, with a newly created account for a supposedly senior professional warranting scrutiny
- Consistency of photo metadata and geographic tags across posts over time
- Engagement patterns showing comments from verifiably real local users rather than generic or dormant accounts
- Whether the account sign-up email domain matches the subject's claimed employer or institution
- Number of mutual connections with independently verifiable individuals in the claimed industry or region
- Natural variation in post frequency, subject matter, and tone, which synthetic accounts often lack
Review why usernames and email addresses alone are insufficient identity signals before treating any single social indicator as conclusive.
Corporate and court-record searches as reliable sources of identity corroboration
Court records, including statement-of-claim filings and judgment registers, can confirm a person's full legal name, address, and relevant legal history. The Ontario Courts Public Portal, accessible since 2022, and BC Court Services Online both provide free public search functionality. Corporate-registry filings confirm directorship, registered address, and incorporation date. Under FINTRAC's compliance framework, these records qualify as "reliable sources" for dual-process verification, provided the data is current and consistent with other confirmed data points. Cross-referencing OSINT findings against court and corporate records is one of the most defensible steps a practitioner can take; it distinguishes OSINT-based identity corroboration from a formal background check and demonstrates structured, documented due diligence.
Document Verification Best Practices for Virtual Engagements
When a client uploads a photograph of their driver's licence through a client portal, how confident can a practitioner be that the document is genuine, unaltered, and actually belongs to the person on the other end of the call? The answer depends almost entirely on the robustness of the document-review process applied at the point of submission. Canadian passports include at least 13 security features, covering holograms, laser perforations, and UV-reactive ink. FINTRAC requires identity records to be retained for a minimum of five years. Over 50 document types are accepted under FINTRAC's identity-verification guidance, which makes a structured review matrix essential for any practice handling diverse client populations.
| Document Type | Issuing Authority | Key Security Features to Check |
|---|---|---|
| Canadian Passport | Immigration, Refugees and Citizenship Canada | Laser-perforated page number, holographic overlay, UV-reactive ink, chip data |
| Provincial Driver's Licence | Provincial Ministry of Transportation | Ghost image, laser engraving, microprinting, UV patterns |
| Permanent Resident Card | Immigration, Refugees and Citizenship Canada | Biographic data chip, laser engraving, hologram, UV features |
| Certificate of Indian Status | Indigenous Services Canada | Laser engraving, photo, holographic security strip |
Applying government-standard security feature checks for document review as a comparative benchmark strengthens a firm's documented review process, particularly when handling documents from clients outside Canada.
Which identity documents are acceptable proof of identity under Canadian compliance rules?
FINTRAC's guidance lists government-issued photo identification as the primary acceptable document category. Accepted documents include Canadian passports, provincial driver's licences, provincial ID cards, Permanent Resident cards, and Certificates of Indian Status. The document must be original, current, and issued by a federal, provincial, or foreign government. A document that has expired does not satisfy the requirement, regardless of how recently it expired. When practitioners receive digital copies, they must confirm that the image resolution is sufficient to inspect security features, and they should log the inspection findings in the client file with a date-stamped record.
Detecting document alteration: practical techniques for virtual review
Altered documents are frequently detected by examining pixel-level inconsistencies around text fields in high-resolution scans. During a live video session, practitioners should direct the client to tilt the document at multiple angles to reveal holographic overlays and reflective security elements that cannot be reproduced in a flat image. A reference object placed beside the document on camera allows the reviewer to assess proportions, since fraudulently printed documents frequently deviate from standard dimensions. Fonts on genuine government documents are applied through laser engraving or UV printing; inkjet-printed alterations produce different light-reflection characteristics that become visible when the document is rotated under a directed light source.
Maintaining a defensible verification record for regulatory audits
A verification record that will withstand a FINTRAC audit must contain, at minimum, the client's full legal name, the document type and number, the issuing authority, the document expiry date, and the date and method of verification. Where a live video session is used, the session log should reference the platform, the duration, and the name of the reviewer. For deposit account opening or financial-services onboarding, some institutions require a secondary confirmation record cross-referencing the document against a credit bureau file. Retention for five years is mandatory; many firms retain records for seven years to align with limitation periods. Structuring the record at the point of verification, rather than reconstructing it later, is the single most effective step a practitioner can take to demonstrate compliance.
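Structuring the record at the point of verification is easier to enforce when the intake system rejects incomplete entries. The Python sketch below is an added example, not part of any FINTRAC tooling: the field names and sample record are hypothetical, and it assumes the retention clock starts on the date the business relationship ends, as the FAQ on this page states.

```python
from datetime import date

# Minimum fields listed in the paragraph above (hypothetical key names).
REQUIRED = ("full_legal_name", "document_type", "document_number",
            "issuing_authority", "document_expiry", "verified_on", "method")
# Extra fields the page asks for when a live video session is used.
VIDEO_REQUIRED = ("platform", "duration_minutes", "reviewer")
RETENTION_YEARS = 5  # mandatory minimum stated on the page


def audit_record(rec):
    """Return the gaps that would make the record hard to defend in an audit."""
    gaps = [f"missing {field}" for field in REQUIRED if not rec.get(field)]
    if rec.get("method") == "live_video":
        session = rec.get("session") or {}
        gaps += [f"missing session.{field}"
                 for field in VIDEO_REQUIRED if not session.get(field)]
    expiry, verified = rec.get("document_expiry"), rec.get("verified_on")
    # An expired document does not satisfy the requirement, however recent.
    if expiry and verified and expiry < verified:
        gaps.append("document was expired on the verification date")
    return gaps


def earliest_disposal(relationship_ended, years=RETENTION_YEARS):
    """First date on which the record may be destroyed."""
    target_year = relationship_ended.year + years
    try:
        return relationship_ended.replace(year=target_year)
    except ValueError:
        # 29 February has no counterpart in a non-leap year: keep the
        # record one extra day rather than dispose of it a day early.
        return date(target_year, 3, 1)


# Constructed sample record, not a real client.
SAMPLE_RECORD = {
    "full_legal_name": "Jane Q. Sample",
    "document_type": "Canadian Passport",
    "document_number": "XX000000",
    "issuing_authority": "Immigration, Refugees and Citizenship Canada",
    "document_expiry": date(2030, 5, 1),
    "verified_on": date(2024, 3, 15),
    "method": "live_video",
    "session": {"platform": "ExampleMeet", "duration_minutes": 12,
                "reviewer": "A. Reviewer"},
}

if __name__ == "__main__":
    print(audit_record(SAMPLE_RECORD) or "record complete")
    print(earliest_disposal(date(2024, 2, 29)))
```

A firm that retains records for seven years can pass `years=7` to `earliest_disposal` without changing the validation logic.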
Red flags warranting enhanced verification in high-risk client situations
Terrorist activity financing risk indicators are specifically enumerated in FINTRAC's operational guidance and include clients presenting newly issued documents, individuals reluctant to provide a second form of identification, and transactions involving virtual currency or jurisdictions on FATF's high-risk list. Enhanced verification is also warranted when a client's claimed occupation is inconsistent with the transaction value, when the identity of a client cannot be corroborated through any independent public source, or when the client requests unusually rapid completion of a transaction with limited documentation. Terrorist financing regulations in Canada require reporting entities to apply enhanced measures in any situation where the standard process produces inconclusive results rather than proceeding on incomplete verification.
Key Takeaways
- Confirm the credit bureau file or government-issued photo ID through a documented, real-time process at every onboarding, not as an afterthought; FINTRAC requires a minimum five-year retention of those records.
- Layer OSINT corroboration (reverse image search, registry cross-reference, court-record search) on top of formal verification methods to surface synthetic-identity signals that document review alone will not reveal.
- Apply the dual-process method when live video is impractical: two independent reliable sources confirming different combinations of name, address, and date of birth satisfy FINTRAC's standards.
- Map your obligations across federal (PCMLTFA, PIPEDA) and provincial (Law Society rules, Quebec Law 25) frameworks before building an intake protocol; the requirements differ by jurisdiction and transaction type.
- Document every verification step contemporaneously, including the reviewer's name, the method used, and the result; a well-constructed record is the firm's primary defence in a regulatory review.
FAQ
What methods does FINTRAC accept for remote identity verification?
FINTRAC's compliance guidance recognises three accepted remote methods:
- Government-issued photo ID reviewed during a live video session
- Dual-process verification using two independent reliable sources confirming name, address, and date of birth
- Credit bureau check through a file that has been active for at least three years
Each method must be documented in the client file and retained for a minimum of five years.
Can a Canadian law firm use OSINT alone to verify a client's identity?
No. OSINT is a corroborative tool, not a standalone verification method under FINTRAC's framework. Open-source techniques such as reverse image search, registry cross-referencing, and court-record searches supplement formal document or dual-process verification by surfacing inconsistencies in a person's claimed identity. A firm relying solely on OSINT for identity verification would not satisfy its PCMLTFA obligations.
What are the privacy rules around collecting identity data during online verification?
Under PIPEDA, collecting personal data for verification purposes is lawful only where the firm has a genuine compliance purpose and obtains meaningful consent. Quebec's Law 25 imposes stricter requirements, including mandatory privacy impact assessments for certain technologies. Data minimisation applies: collect only the information necessary to confirm identity. Biometric data, such as facial-recognition outputs, is sensitive personal information and requires explicit, informed consent before collection.
How long must a Canadian firm retain identity-verification records?
FINTRAC regulations require a minimum five-year retention period for all identity-verification records from the date the business relationship ends or the transaction is completed. Many law firms retain records for seven years to align with provincial limitation periods. Records must be kept in a retrievable format and must include the document type, issuing authority, document number, and the date and method of the verification.
What criminal exposure exists for using deceptive methods to verify someone's identity online?
Criminal Code section 342.1 prohibits unauthorised computer access, and even accessing a restricted profile through a fabricated credential may engage this provision. Section 184 prohibits unlawful interception of private communications. Pretexting, creating a false profile to elicit information from a subject, can constitute fraud or criminal harassment under section 423. Defensible verification relies exclusively on publicly accessible data or information the subject has consensually provided.