Is your financial entity prepared for FINTRAC’s anti-money laundering (AML) compliance crackdown?

Financial entities are a key target for money laundering activities, and are subject to a high degree of scrutiny from the Financial Transaction and Reports Analysis Centre of Canada (FINTRAC), Canada’s financial intelligence unit and AML supervisor. In recent years, FINTRAC has increased its anti-money laundering (AML) focus on financial entities and issued administrative monetary penalties (AMPs) to 10 non-compliant financial entities as of June 30, 2025. These penalties can range up to millions of dollars, and Bill C-2 (the Strong Borders Act), which recently passed its first reading in the House of Commons, proposes increasing AMPs by 40 times. As the regulatory landscape continues to evolve, it is essential that your organization maintains a strong and proactive AML compliance framework, ensuring full and ongoing adherence to all regulatory requirements.

Let’s review the recent AMPs issued to financial entities and the most common shortfalls in AML compliance programs.

What are the current enforcement trends in the sector?

We have identified recent trends by analyzing FINTRAC’s public notice of AMPs for financial entities published from 2020 to June 30, 2025. In total, the 10 penalties imposed during this timeframe amounted to a total of nearly $23 million, with the highest penalty at $9.5 million and the lowest penalty standing at $116,160 — showcasing the cost of noncompliance.

AMPs issued to financial entities from 2020-2025

These AMPs were issued to seven banks, with the monetary value totalling approximately $22 million (average penalty amount of $3.2 million). The remaining AMPS were issued to three credit unions, with AMPs totalling approximately $448,000 (with an average penalty amount of $149,000).

It is also important to note that the highest penalty amounts were issued in 2023 and 2024. This potentially signals a shift toward greater scrutiny of the sector by FINTRAC, which is directly leading to more significant penalties.

What are the common shortfalls in AML compliance programs?

Understanding where financial entities are falling short of FINTRAC’s expectations can provide you with a helpful starting point to assess your AML program’s strengths and potential weaknesses.

Reporting requirements

Out of the 10 entities that received AMPs:

• 100% had missed filing suspicious transaction reports (STRs)
• 20% had missed filing electronic funds transfer reports (EFTRs)
• 10% had missed filing large cash transactions reports (LCTRs)
• 10% had issues with STR data quality

While FINTRAC did not specify the root cause of the unfiled reports, instances where financial entities do not realize that the systems and/or transaction monitoring software they’ve implemented to detect reportable activity aren’t working as expected are common.

Another deficiency area relates to data quality, which can lead to inaccuracies in the disclosures sent to FINTRAC. With the wholesale changes in FINTRAC’s reporting forms, which now require significantly more information, financial entities should pay more attention to the quality and completeness of data reported to FINTRAC to ensure all information on file is reported accurately and that reasonable measures are taken to complete all applicable sections.

Special measures and ongoing monitoring

Financial entities must apply special measures to high-risk clients and perform ongoing monitoring procedures for all clients regardless of their respective risk ratings. Violations relating to ongoing monitoring of business relationships impacted five of the 10 financial entities that received AMPs. The shortfalls in this area included the following:

• Failing to conduct or follow the entity’s documented ongoing monitoring procedures (e.g., reassessing a client’s risk rating), special measures, and enhanced due diligence procedures, and/or failing to keep records of the measures taken and information obtained through these procedures.
• Insufficient review and monitoring of a client’s activity to determine whether the transactions were consistent with the information obtained and the risk assessment of the client.
• Automated transaction monitoring rules and alerts that were ineffective in raising concerns and/or inadequacies in investigating, assessing, and submitting STRs in a timely manner (i.e., lack of adequate testing and tuning of rules to ensure effectiveness).
• Not reviewing a client’s ongoing transactions to determine if there were any new or subsequent transactions meeting the reasonable grounds to suspect threshold once an STR is submitted for a client.

Policies and procedures

Financial entities are required to develop policies and procedures that address their AML obligations. Forty percent of the financial entities that received AMPs had insufficient policies and procedures, including:

• Insufficient detail in the financial entity’s procedures for staff to action them. An example is procedures with inadequate information about how ongoing monitoring is performed and what information is reviewed and recorded.
• Policies and procedures that are inconsistent with FINTRAC’s guidance. An example is referencing the reasonable grounds to believe threshold when discussing STR filings, which is a higher threshold than the required reasonable grounds to suspect
• Insufficient coverage of required topics, for example, ministerial directives, ongoing monitoring of business relationships, client identification, beneficial ownership, politically exposed persons, and heads of international organizations.

Risk assessments

Financial entities are required to perform risk assessments to identify and mitigate money laundering risks. Forty percent of financial entities that received AMPs failed to conduct risk assessments that met FINTRAC’s standards. Shortfalls included:

• Failing to include and assess all risk factors in sufficient detail relating to clients and business relationships (including client location), products and delivery channels, geographic locations of the financial entity, and new developments and technology, including the likelihood and impact of each risk factor.
• Failing to consider higher risk factors (such as client location/geography or certain transactions/activities being higher risk) and not properly risk rating clients conducting higher-risk transactions.
• Failing to exercise appropriate oversight of customer risk rating solutions and the effectiveness of any interim measures when switching software/systems.

Prescribed review

A prescribed review is the independent assessment of your AML compliance program and is required every two years, at minimum. As three of the 10 financial entities that received AMPs had violations relating to their prescribed review, financial entities should ensure their reviews are being conducted by a qualified independent party. It is also crucial to ensure that the reviews cover all areas of the financial entity’s compliance program and the regulatory obligations applicable to the sector in sufficient detail. The identified shortfalls included failing to assess:

• The effectiveness of some requirements related to record-keeping.
• The completeness and effectiveness of the policies and procedures, and risk assessment.