The Canadian financial transactions regulator FINTRAC significantly expanded its oversight perimeter in 2025 by adding new categories of businesses to the list of reporting entities. Understanding whether your company falls under the regulator’s jurisdiction is critical to building an adequate compliance system and avoiding administrative penalties.
Money services businesses (MSBs) are required to register with FINTRAC before starting operations in Canada, even if they already hold a provincial license. The MSB category includes companies engaged in money transfers, currency exchange, issuance of payment instruments, and cheque cashing. As of April 2025, cheque-cashing providers, factoring companies, and leasing companies were also added to this group. Failure to comply with MSB requirements can result in a fine of up to $250,000 under summary procedure or up to $500,000 upon conviction, as well as imprisonment for up to five years.
The regulator pays particular attention to MSB agent networks. MSBs that engaged agents before October 1, 2025, must complete the initial due diligence review of their integrity by October 1, 2027. This includes obtaining criminal record checks and verifying the agent’s right to act on behalf of the MSB. MapleBiz helps MSBs complete the full registration cycle and build an agent oversight system, minimizing the risk of sanctions.

Providers of acquiring services for private ATMs are now required to register as MSBs, implement compliance programs, verify clients, keep records, and report certain transactions. ATMs not owned by banks, credit unions, or other provincially regulated deposit-taking institutions are considered private. Regulation of acquiring companies is aimed at strengthening oversight at the network level, where funds enter payment systems, and addresses the risks identified by the Cullen Commission in 2022 regarding the use of private ATMs for money laundering.
The acquiring provider connects a private ATM to payment networks (Interac, Visa, Mastercard), processing cash withdrawals. In the first year, FINTRAC is focusing on educational programs and outreach to support the readiness of this new regulated group. Nevertheless, failure to have a compliance program in place by the deadline carries serious consequences.
Title insurers are now regulated as reporting entities under the PCMLTFA, where a title insurer is a person or organization providing insurance against loss or defects in title to real or personal property under the Insurance Companies Act. Most mortgage lenders require title insurance, making these companies an important control point in the real estate transaction chain. This inclusion expands oversight over a previously unregulated part of the real estate market, addressing risks of title fraud and other title-related issues.

FINTRAC’s audit structure ensures that examinations are conducted sequentially, taking into account the type, nature, size, and complexity of the business, and focusing on areas where the company is vulnerable to money laundering or terrorist financing risks. Knowing the stages of an audit helps minimize stress for the team and demonstrate readiness to cooperate with the regulator.
The audit begins with an official notice that FINTRAC sends to the company in writing. When the regulator requests documents, client records, and transaction records in advance, it does so to conduct the audit more efficiently and minimize disruption to the business during the visit. The request specifies the areas under review, for example client identification policies, suspicious transaction reports for a certain period, and staff training logs.
Compliance program documents (policies and procedures) created or amended after the date of the notice may lead to a finding of non-compliance with the compliance program requirements. It is important to have up-to-date documentation in place when the notice is received, rather than trying to “catch up” with the regulator after the process has begun. MapleBiz advises clients on timely updates to compliance policies to avoid such issues.
FINTRAC conducts both on-site and off-site audits depending on the company’s risk profile and transaction volume. An on-site audit involves inspectors being present at the company’s office to interview staff and review physical records and systems. An off-site audit is limited to analyzing documents provided remotely and conducting telephone interviews.
For small MSBs or operators of several ATMs, an off-site audit is more likely, while large acquiring providers or title insurers with a broad geographic footprint may face an on-site visit. Both forms are equally serious in terms of the consequences of any violations found.
FINTRAC interviews random employees about regulatory requirements to assess the effectiveness of training. Staff interviews during the audit that reveal a lack of understanding of the requirements become grounds for findings of deficiencies. Inspectors ask questions about client verification procedures, how an employee recognizes a suspicious transaction, and access to company policies.
At the same time, FINTRAC selects transaction samples for detailed analysis—how complete the client data is, whether reports were filed within the required timeframes, and whether actions matched documented procedures. The regulator assesses the degree of non-compliance: how much information is missing from the required document, how many times the violation is repeated, whether this indicates gaps in the compliance program, and also attempts to identify the root cause of the non-compliance.
At the end of the audit, inspectors hold a closing meeting (exit meeting) with management and the compliance officer, where they present preliminary findings and give the company an opportunity to provide additional explanations. After that, FINTRAC sends an official findings letter classifying the identified compliance status as fully compliant, partially compliant, or non-compliant.
The results are color-coded: green — full compliance (no violations found), yellow — partial compliance (something is there, but the company missed details), red — non-compliance (in most cases, nothing was implemented or the reporting deadline was missed). If serious violations are identified, FINTRAC may issue a notice of deficiency requiring the situation to be corrected within the specified timeframe or immediately begin the penalty process.

Preparing for a FINTRAC audit begins with an inventory of documentation. Records must be kept in such a way that they can be provided to FINTRAC within 30 days upon request. Failure to provide the requested documents on time is itself a violation.
MSBs are required to conduct an AML compliance effectiveness assessment every two years, covering all policies and procedures documentation as well as operational testing to verify that procedures are being properly followed. The risk assessment must take into account the client base, geographic scope of operations, products offered, and service delivery channels. The document must be approved by the company’s senior officer.
MSBs are required to have a Compliance Officer (the person responsible for overseeing the AML and ATF program), whose appointment must be documented in writing. FINTRAC notes that this is likely the easiest area in which to achieve full compliance. Nevertheless, out of 612 MSBs examined, four were found non-compliant, usually market newcomers who do not understand Canadian requirements.
FINTRAC checks which methods the company uses to verify clients, both individuals and legal entities. Verification by identity document requires a valid, current identity document issued by a federal, provincial, or territorial government, which must contain the full name, unique identification number, and photograph. For corporations, proof of existence is required (certificate of incorporation or registry extract).
In Canada, beneficial owners are considered to be persons who directly or indirectly own or control 25% or more of a corporation or organization. FINTRAC’s beneficial ownership requirements include obtaining information on ownership, control, and structure and taking reasonable measures to confirm the accuracy of that information. Reporting entities must now consult the Corporations Canada database when meeting beneficial ownership requirements for federal corporations assessed as high risk for money laundering, terrorist financing, or sanctions evasion during onboarding or ongoing monitoring.
Failure to submit suspicious transaction reports (STR) is one of the most serious violations. FINTRAC expects companies to file STRs when there are reasonable grounds to suspect that a transaction is related to money laundering or terrorist financing, regardless of the amount. The report must be filed as soon as possible once the suspicion arises.
Inspectors analyze transaction logs for the review period, identifying patterns that should have raised alarms: payment structuring (smurfing), transactions involving high-risk jurisdictions, and inconsistencies with the client profile. Failure to file STRs in such cases results in penalties. Copies of all reports submitted to FINTRAC must be retained for at least 5 years from the date of filing.
MSBs are required to have policies and procedures describing the company’s regulatory obligations and what is done to meet them, documented in writing, and the procedures must cover both staff and agents (if the MSB has agents). The training program must be regular, with attendance records and testing of knowledge retention.
MapleBiz specialists develop comprehensive training programs for MSBs, ATM operators, and title insurers, tailored to the specifics of the business and including practical scenarios for recognizing suspicious transactions.

The most sophisticated compliance program is useless if staff do not understand it in practice. Audits are one of the main activities FINTRAC uses to assess whether companies adequately implement and maintain a compliance program, which is important for detecting and mitigating money laundering and terrorist financing risks.
Prepare employees for typical inspector questions: “How do you verify a client when opening an account?”, “Give an example of a suspicious transaction,” “Who do you report suspicions to?”, “Where are the company policies and how often have you updated them?” Answers should be specific and consistent with documented procedures.
Avoid memorized wording—inspectors can tell the difference between genuine understanding and an attempt to recite policy text. It is better if an employee explains the procedure in their own words, mentioning the real tools they use (software, checklists, forms).
Conduct a mock examination—a simulation of a FINTRAC audit where an internal or external auditor plays the role of the inspector. Request documents as the regulator would, interview staff, and review transaction samples. Gaps identified during such an audit provide an opportunity to fix issues before the real audit.
Use the results of the internal audit to adjust procedures and provide additional training. Document the process—conducting regular internal audits in itself demonstrates a serious approach to compliance and may mitigate sanctions if the regulator identifies violations.

Analysis of penalties imposed by FINTRAC in 2025 reveals recurring patterns of violations. Understanding these mistakes allows you to build an effective defense.
Failure to develop and apply written compliance policies and procedures that are kept up to date and approved by a senior officer, as well as failure to assess and document the risk of a money laundering or terrorist activity financing offence, are typical violations. Many companies develop policies at launch but do not update them when the operating model changes, the geographic scope expands, or new products are introduced.
Set up a calendar for reviewing compliance documentation—at least annually, and preferably whenever there is a significant business change. All changes must be approved by the senior officer and communicated to staff through training. The date of the last update and the approving person’s signature should appear on every document.
Errors in identifying beneficial owners are among the most costly. Companies often take client-provided information at face value without verifying it through independent sources. For high-risk corporations, this can lead to sanctions.
Use available databases—Corporations Canada for federal corporations, provincial registries, commercial verification services. Document every step: which source was used, what information was obtained, who performed the verification, and when. If complete information is unavailable, document the reasonable measures taken.
If a company failed to file a financial transaction report with FINTRAC when required and then filed it after the audit notice date, the regulator will consider the requirement unmet. Late filing of an STR or Large Cash Transaction Report does not count as compliance with the obligation.
Implement an automated reminder system for reporting. An STR must be filed “as soon as possible,” but no later than 30 days from the moment grounds for suspicion are identified. A Large Cash Transaction Report must be filed within 15 days of receiving $10,000 or more in cash. Assign a responsible person and a backup, and track deadlines in an electronic system.
Changes to the administrative monetary penalties (AMP) regime in 2025 led to unprecedented fines, culminating in a record C$176.9 million penalty against a crypto platform in October 2025. Cumulative penalties can reach C$20 million or 3% of global revenue, whichever is greater, and although Bill C-2 is still under consideration, recent enforcement practice shows that FINTRAC is already applying this stricter logic.
The range of penalties is broad: from tens of thousands of dollars for small companies with procedural violations to hundreds of thousands and millions for systemic compliance program problems or widespread failure to file STRs. AMP amounts recently imposed on securities dealers ranged from $49,500 to $544,500. Under the new approach, FINTRAC regularly publishes the names, penalties, and violations of fined firms on its public penalties page, creating reputational risk alongside financial losses, and publication on FINTRAC’s website can damage the trust of banks, clients, and investors.
In addition to monetary sanctions, criminal charges are possible for knowingly facilitating money laundering. Non-compliance is an offence under the PCMLTFA, punishable on summary conviction by a fine of up to $250,000 or imprisonment for up to two years, or on indictment by a fine of up to $500,000 or imprisonment for up to five years. De-banking is another serious threat: banks sever relationships with MSBs that have compliance problems, effectively stopping the business.
MapleBiz specializes in legal support for businesses in the area of financial compliance, offering comprehensive solutions for MSBs, private ATM operators, and title insurers. Our specialists understand the specifics of Canadian regulation and know what FINTRAC inspectors focus on.
We help clients complete MSB registration on the first attempt, develop tailored compliance programs that take into account the specific business’s risk profile, create policies and procedures, and prepare for audits through mock examinations. If your company has already received a FINTRAC audit notice, MapleBiz provides prompt advice on document preparation and staff training.
If violations are identified by the regulator, we represent the client’s interests in the penalty appeal process and in developing a remediation plan. Our approach combines legal expertise with a practical understanding of operational processes, allowing us to create working, not merely formal, compliance systems. Contact MapleBiz for a consultation on building effective AML risk protection and preparing to interact with FINTRAC—it is an investment in the stability and reputation of your business.