
Operators of private ATMs and title insurers: how to prepare for FINTRAC requirements (October 2025)

As of October 1, 2025, title insurers and private ATM operators are officially subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). This decision was a logical culmination of a years-long tightening of anti-money laundering regulation in Canada. To understand who falls under FINTRAC requirements in 2025, it is necessary to understand the reasons and mechanisms behind these changes.

This expansion of FINTRAC oversight brings two previously unregulated sectors under the umbrella of Canada’s anti-money laundering (AML) regime. For owners of affected businesses, a new era of compliance is beginning: preparing for FINTRAC’s new requirements requires a systematic approach, investment, and an understanding of the risks.

The scale of money laundering through white-label ATMs

Regulation of private ATM operators is aimed at strengthening oversight at the network level, where funds enter payment systems, and addresses the risks identified by the Cullen Commission in 2022 regarding the use of private ATMs for laundering cash. This refers to so-called white-label ATMs — machines not owned by traditional banks and installed in stores, gas stations, and entertainment venues.

According to Canada’s 2023 assessment, white-label ATMs are particularly vulnerable to money laundering activity. An RCMP assessment in 2008 showed that organized crime groups had infiltrated this industry and that up to $315 million, and potentially as much as $1 billion, could be laundered through such ATMs each year. These figures prompted the regulator to close an obvious loophole in the financial control system.

The key issue: for private ATM operators, the challenge often lies in scale — many are small businesses with limited compliance infrastructure. A business owner with a dozen machines must now meet the same requirements as a large financial services provider — including registration as an MSB, development of policies, staff training, and reporting to FINTRAC.

Gaps in the title insurance sector

Title insurers are now regulated as reporting entities under the PCMLTFA. A title insurer is any person or organization providing insurance against loss or defects in title to real or personal property under the Insurance Companies Act. The change extends AML/ATF oversight to a previously unregulated part of the real estate sector and is intended to counter title fraud and other property-related risks.

According to the federal government, fraud — a known precursor to money laundering — is increasing in the real estate sector, with more cases of criminals using title fraud to illegally seize ownership rights to homes and profit from their value. Title insurance plays an important role in property transfers and mortgage financing, but until October 2025 this industry remained outside the regulator’s field of view.

Important caveat: given the business model of title insurers, in which they do not have direct contact with title insurance purchasers, the final amendments were adjusted to remove beneficial ownership requirements, and to exempt title insurers from the definition of third parties and from politically exposed person requirements. This is a reasonable compromise between the need for oversight and the realities of business processes.

Registration as an MSB: step-by-step guide

For private ATM operators, the mandatory first step is registration with FINTRAC as a Money Services Business (MSB). Operators must now register as an MSB, implement a compliance program, verify customer identities, keep records, and report prescribed transactions. It is important to understand: this process is not instantaneous and requires careful preparation.

What documents will be required

You must provide documents to confirm the existence of your organization and disclose the ownership, control, and structure of your legal entity. If your business is a corporation, you must provide a certificate of incorporation or the most recent version of any other document confirming the corporation’s existence, including its name, address, and the names of its directors, as well as a document setting out the ownership, control, and structure of the corporation.

Compliance obligations for new MSB entities include providing criminal record checks. The regulations will require domestic MSBs to provide FINTRAC with criminal record checks for their chief executive officer, president, directors, and each person who owns or controls, directly or indirectly, 20 percent or more of the MSB or MSB shares, upon registration (and re-registration) every two years. The regulations will also require MSB agents that are legal entities to provide criminal record checks for their chief executive officer, president, directors, and any person who owns or controls, directly or indirectly, 20 percent or more of the legal entity or the legal entity’s shares.

The list of key documents includes:

  • Certificate of incorporation or business registration documents
  • Documents disclosing ownership and control structure
  • Criminal record checks for key individuals (CEO, directors, owners of 20%+ stakes)
  • Physical address and contact information
  • Description of the services provided and the business model

Timelines and specifics of interaction with FINTRAC

The MSB/fMSB registration process usually takes 5-6 months, followed by an additional 1-3 months for bank account approval. This means that a business needs to begin preparation well before the planned launch of operations or before the end of the transition period.

During the first year, FINTRAC will emphasize outreach, education, and awareness to support this newly regulated group of reporting entities as they establish their compliance programs. This does not mean a complete absence of oversight, but it does provide some flexibility for adaptation.

Critically important: FINTRAC requires updates within 30 days — keeping information current makes renewal of registration straightforward. Any changes in business structure, address, owners, or key personnel must be reported to the regulator promptly.

MapleBiz specialists help clients at all stages of MSB registration: from document preparation to interaction with FINTRAC and receipt of registration confirmation. Our experience in corporate law and financial regulation allows us to minimize the risk of refusal and shorten application processing times.

Five elements of a compliance program

All reporting entities must implement the following compliance program elements:

  • Appoint a compliance officer responsible for implementing the program
  • Develop and apply written compliance policies and procedures that are kept up to date and, in the case of an organization, approved by a senior officer
  • Conduct a business risk assessment to assess and document the risk of money laundering or terrorist financing offenses in the course of business
  • Develop and maintain a written, ongoing compliance training program for employees, agents, or authorized persons, and establish and document a plan for that program and provide the training (training plan)
  • Establish and document a plan to review the compliance program in order to test its effectiveness, and conduct this review at least every two years (biennial effectiveness review)

Appointment of a compliance officer

You are required to appoint a person who will be responsible for implementing the compliance program. This is not merely a formal title: the compliance officer (often referred to as the CAMLO, or Chief Anti-Money Laundering Officer) must have sufficient authority, knowledge, and resources to perform their duties.

The requirements for the officer include:

  • Formal appointment with documentary evidence
  • Direct access to company management
  • Understanding of PCMLTFA requirements and industry risks
  • Responsibility for developing and updating policies
  • Coordination of staff training

For private ATM operators, the challenge often lies in scale — many operators are small businesses with limited compliance infrastructure, and reporting, recordkeeping, and training requirements can seem burdensome without specialized compliance expertise. In such cases, it is advisable to engage external specialists.

Development of policies and procedures

You are required to develop and apply written compliance policies and procedures that must be kept up to date and include enhanced measures to mitigate high risks. Policies cannot be copied from a template — they must reflect the specifics of your business, clients, geography of operations, and products.

Key policy sections:

  • Customer identification and verification (KYC)
  • Transaction monitoring and detection of suspicious activity
  • Procedures for filing reports with FINTRAC (STR, LPEPR, LCT)
  • Recordkeeping and retention (minimum 5 years)
  • Risk assessment and risk management processes
  • Application of ministerial directives and sanctions

Your written policies must be specific to your business model and risk profile and clearly explain how you meet AML obligations. They must also be approved by senior management, understandable to staff, and regularly reviewed to reflect regulatory changes.

AML/ATF risk assessment

You are required to conduct a risk assessment of your business’s activities and relationships. The risk-based approach (RBA) is the foundation of modern regulation: the higher the risk posed by the customer, product, or channel, the stricter the controls must be.

The assessment should cover:

  • Products and services: what types of transactions you process, their typical amounts, and frequency
  • Delivery channels: physical locations, online platforms, mobile applications
  • Geography: regions of operation, countries of customer origin
  • Customer types: individuals, corporations, politically exposed persons (PEP)

Risk assessments form the basis of your AML program. Identify and document risks in each area, including controls and risk mitigation strategies, and update the assessment whenever your business or risk exposure changes. Documentation is key to demonstrating compliance during FINTRAC examinations.

Staff training program

You are required to develop and maintain a written ongoing compliance training program for employees, agents, and other persons authorized to act on your behalf. Training cannot be a one-time event — it is an ongoing process that adapts to regulatory changes and identified risks.

The program should include:

  • Introduction to AML/ATF for new employees
  • Regular updates on PCMLTFA requirements
  • Specific scenarios and indicators of suspicious activity
  • Escalation and reporting procedures
  • Documentation of training completion (date, participants, topics)

Provide regular AML training for employees, agents, and onboarding staff. Training should cover roles and responsibilities, customer identification procedures, detection of suspicious transactions, and reporting requirements. It should be practical rather than theoretical: staff should understand what to do in specific situations.

Biennial effectiveness audit

You are required to establish and document a review of the effectiveness of your compliance program (policies and procedures, risk assessment, and training program) at least every two years for the purpose of testing effectiveness. This is not an internal self-audit — the review must be independent and objective.

Testing ensures that your AML program remains effective and current. Regular assessment helps identify problems early and demonstrate continuous improvement, and these reviews identify and address weaknesses before FINTRAC finds them. The results of the review must be documented and presented to management with a plan to remedy the identified deficiencies.

MapleBiz offers a full range of services for building and auditing compliance programs for MSBs: policy development, risk assessments, staff training organization, and biennial effectiveness reviews. Our lawyers and compliance specialists have a deep understanding of FINTRAC requirements and help businesses not merely comply formally, but build truly effective protection against financial crime.

Financial and reputational risks of non-compliance

Failure to comply with FINTRAC requirements poses a dual threat: direct financial losses in the form of fines and indirect reputational damage that can paralyze a business.

FINTRAC administrative penalties

Non-compliance is now an offense under the PCMLTFA, punishable on summary conviction by a fine of up to $250,000 or imprisonment for up to two years, or on indictment by a fine of up to $500,000 or imprisonment for up to five years. This is criminal liability applied in especially serious cases.

However, the main enforcement tool is administrative monetary penalties (AMPs). The amounts of AMPs recently imposed on securities dealers ranged from $49,500 to $544,500. For the cryptocurrency sector, the amounts are even higher: an AMP of $176,960,190 is the largest AMP ever issued by FINTRAC in Canada’s history.

The changes have led to unprecedented penalties, culminating in a record fine of CAD 176.9 million against a crypto platform in October 2025 — for Canadian reporting entities, from MSBs and securities dealers to cryptocurrency exchanges and banks, this marks a new era of enforcement. The size of the penalty depends on the severity of the violation, its recurrence, and the scale of the business.

Categories of violations:

  • Minor: technical documentation deficiencies
  • Serious: absence of policies, deficiencies in risk assessment, gaps in training
  • Very Serious: failure to file suspicious transaction reports, non-compliance with ministerial directives, operating without registration

Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, administrative monetary penalties are intended to encourage behavioral change in non-compliant organizations. In 2024-25, FINTRAC issued 23 notices of violation for business non-compliance, the highest number in a single year in the Centre’s history, totaling more than $25 million.

Loss of banking services

An expired registration means you cannot legally operate as an MSB. This status is visible in FINTRAC’s public registry, which banks and payment processors actively monitor. Operating without valid registration exposes you to FINTRAC administrative monetary penalties, and these penalties are public and can damage your reputation. Although it is not automatic, expired status often leads to frozen or closed accounts, loss of correspondent relationships, and reputational harm.

This is a critical risk. Banks and payment providers are becoming increasingly cautious in choosing clients because of their own AML obligations. An MSB without FINTRAC registration, with expired registration, or with publicly announced penalties risks being de-banked — when financial institutions refuse service. Without a bank account, the business is effectively paralyzed.

When FINTRAC issues an AMP, it publishes a public notice summarizing both the deficiencies and the amount of the penalty, which creates reputational and financial risk. FINTRAC has also issued notice that additional details about the nature of violations are now included in public notices for all AMPs imposed on a reporting entity. The publicity of penalties strengthens their deterrent effect and makes reputation protection a critically important reason for robust compliance.
