FINTRAC's enforcement surge: what two years of penalties tell us
Administrative monetary penalties have accelerated sharply since 2024. Here's what the pattern reveals about regulator priorities, and where lean compliance teams are most exposed.
Over the last 24 months, FINTRAC has moved from a posture of guidance and remediation to one of visible, public enforcement. The number of administrative monetary penalties (AMPs) issued, and the average dollar value attached to each, has climbed in a way that cannot be dismissed as an isolated cycle. For Canadian non-bank reporting entities, this is the single most important compliance trend to absorb.
What changed
Three things shifted in parallel. First, FINTRAC's examination capacity expanded, which means more entities are seeing on-site or virtual examinations on shorter cycles. Second, the regulator narrowed its tolerance for the same recurring deficiencies: incomplete risk assessments, late or missing reports, weak ongoing monitoring, and training gaps. Third, the public naming convention has been used more aggressively, turning what used to be a private compliance matter into a reputational event.
Where the penalties are landing
Looking across published notices, four categories of violation drive the majority of recent AMPs:
- Failure to submit suspicious transaction reports (STRs), or submitting them late, without sufficient narrative, or without supporting evidence.
- Deficient compliance program documentation: risk assessments that are generic, policies that don't match actual operations, or training records that can't be produced.
- Inadequate ongoing monitoring: relationships rated low risk that should have been escalated, or risk ratings that were never refreshed after material changes.
- Recordkeeping failures: missing beneficial ownership information, incomplete know-your-client (KYC) records, or transaction records that can't be reconstructed for an examiner.
Why lean teams are disproportionately exposed
Larger banks absorb examination findings inside dedicated remediation programs. Money services businesses, payment service providers, crypto firms, and credit unions typically don't have that buffer. A single examination cycle can surface dozens of findings, and the cost of remediation (consultants, software, hiring) frequently exceeds the AMP itself. The compounding effect is what makes this trend particularly painful for sub-100-person firms.
What good looks like in 2026
Firms that come through examinations cleanly tend to share a few traits. Their risk assessment is a living document tied to actual customer and transaction data, not a PDF refreshed annually. Their alerts and cases produce a defensible audit trail by default, with timestamps, decisions, and evidence attached. Their training is role-specific and tracked. And they can produce any record an examiner asks for in minutes, not days.
The takeaway
The enforcement curve is unlikely to flatten. The firms that treat compliance as an operating system, not a binder, are the ones avoiding the headlines. Every other firm is one examination away from finding out where their gaps are.