What your business needs to know about FINTRAC’s Anti-Money Laundering (AML) compliance crackdown

Breaking down the data

Trends in AMPs

By analyzing the 49 penalties issued as of March 31, 2025, we can identify the most impacted business sectors. The three sectors that received the most AMPs include:

• Real estate brokerages: 17 penalties issued
• Money services businesses (MSBs): 16 penalties issued
• Banks: Seven penalties issued

This trend aligns with FINTRAC’s evolving examination focuses. From 2020 to 2023, the sectors with the most FINTRAC examinations were MSBs, real estate, and securities dealers. However, from 2023 to 2024, FINTRAC had a greater examination focus on financial entities, as the sector joined MSBs, securities dealers, and real estate in being the most examined sectors during this period.

While these sectors tend to come up most often in FINTRAC examinations, it's important to remember that any business covered under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act — known as Reporting Entities — should stay alert and ready. FINTRAC can initiate an examination at any time, no matter the industry, size, or scale of the business.

Severity of AMPs

There also appears to be a trend in penalties becoming more severe and common in recent years, as summarized in the table below. According to FINTRAC’s public notice of AMPs, from 2020 to 2024, total penalties levied toward non-compliant Reporting Entities have increased by 40 times.

The table below highlights the sectors with the most severe penalties to date. Historically, banks and MSBs have received the largest AMPs, averaging at $3.2 million and $481,000, respectively. However, in contrast, the average AMP for the remaining sectors is approximately $130,000.

As the federal government's latest proposed changes include issuing 40 times higher penalties, this is a wake-up call for businesses that have yet to take compliance seriously.

Common AML program shortfalls

By looking at the specific violations that have led to AMPs, businesses may be able to pinpoint areas where their compliance program may be falling short. While some of these issues stem from simple oversight, others may indicate a weakness or significant gap in your compliance programs.

By analyzing the 49 penalties that were issued to Reporting Entities as of March 31, 2025, the following common AML program shortfalls were identified.

1. Policies and procedures

Sixty-three percent of Reporting Entities received AMPs related to their policies and procedures. These relate to the documentation and implementation of the policies and procedures.

The most common penalty in this category relates to the documentation and/or implementation of ongoing monitoring procedures. These businesses did not apply, conduct, or have sufficient ongoing monitoring measures in place for their business relationships.

Other common policy and procedure penalties are related to third-party determination, record-keeping, reporting, ministerial directives, and client identification requirements.

2. Risk assessments

Sixty-three percent of Reporting Entities received AMPs related to their risk assessment. Of those, the three most common areas of the risk assessment that were deficient include:

• Inadequate consideration of geographic risks
• Failure to consider all products and delivery channels
• Inadequate consideration of the risk associated with clients and business relationships

Entities are repeatedly missing sufficient detail when considering and documenting the risks their business faces. Additionally, it is important for entities to document a methodology for the business-based and client-based risk assessments, and the rationale to support the risk levels determined by the organization.

3. Missed reports

Fifty-one percent of Reporting Entities missed report filings:

• Suspicious transaction reports: 20 violations
• Electronic funds transfer reports: Six violations
• Large cash transaction reports: Six violations
• Large virtual currency transaction reports: One violation

Sometimes, entities might not realize that the systems they’ve put in place to catch all reportable activity aren’t working as expected. This can lead to missed reports or overlooked aggregations.

Another common deficiency area relates to data accuracy and consistency, which can lead to inaccuracies in the disclosures sent to FINTRAC. With the wholesale changes implemented in FINTRAC’s reporting forms, businesses should pay special attention to the quality of data reported to FINTRAC, making sure all information on file is reported accurately and that reasonable measures were taken to fill out all applicable sections.

4. Prescribed reviews

A prescribed review tests the effectiveness of your compliance program and is required, at minimum, every two years. Forty-one percent of Reporting Entities received AMPs related to their prescribed review. We further observed that 65 percent of those failed to institute and document a review, and the other 35 percent had inadequate reviews.

Entities need to ensure their reviews occur every two years at a minimum and that these reviews cover all areas of their compliance program in sufficient detail to identify possible areas of non-compliance.

5. Record keeping

Thirty-one percent of Reporting Entities received AMPs related to their record-keeping. The most repeated penalties are related to client and identity verification information. Entities must ensure required information is recorded at the time of onboarding/transaction and maintained on file.

6. Training programs

Thirty-one percent of Reporting Entities received AMPs related to their training programs. Entities failed to develop and maintain a written ongoing compliance training program, had incomplete and/or outdated training program documentation, or failed to implement and deliver the training program to staff.

What this means for your business

If you’re wondering whether your business is at risk, keep this in mind: AMPs aren’t only reserved for large financial institutions or MSBs. Businesses of all sizes are being penalized for failing to meet FINTRAC’s expectations. Here are three takeaways from the data above:

Compliance is no longer an option: The cost of non-compliance is increasing dramatically — by 40 times, to be exact.

Your reputation could be at risk: Publicized penalties can destroy customer trust.

Regulatory scrutiny is growing: Compliance is something you should take more seriously than ever.

It is important to stay up-to-date with FINTRAC’s guidance and develop an AML compliance program that meets the requirements and addresses current risk trends.

An effective AML compliance program includes these five pillars:

1. Appoint a compliance officer: A compliance officer is responsible for implementing your compliance program in line with FINTRAC’s guidelines.
2. Develop and implement policies and procedures: These policies and procedures should detail how FINTRAC requirements are met, including recordkeeping, reporting, and ongoing monitoring obligations.
3. Risk assessment: The risk assessment must assess AML risks specific to your business and specify how you mitigate those risks. Both a business-based and relationship-based risk assessment should be documented, including a methodology for each.
4. Training: A training plan and program for all staff, agents, and mandataries should be documented and implemented.
5. Prescribed review: Every two years (at minimum), you must test the effectiveness of your compliance program through an internal or external assessment.

Learn more in our AMPs series

This article is the first of our four-part series on administrative monetary penalties. Stay tuned for part two of the series, where our advisors dig deeper into AMPs, their impact on financial institutions, and emerging trends.