FINTRAC 2026: New PCMLTFA Amendments Every Canadian MSB and PSP Must Understand

On March 26, 2026, two pieces of federal legislation received Royal Assent, triggering a material expansion of Canada’s AML/CFT regulatory framework. The Strengthening Canada’s Immigration System and Borders Act and the Budget 2025 Implementation Act both contain significant amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated Regulations.

FINTRAC published its official implementation roadmap on April 13, 2026. Some provisions took effect immediately on Royal Assent. Others — including universal enrolment and the stablecoin MSB registration requirement — are tied to future regulatory amendments to be published in the Canada Gazette, Part II.

If you operate as a money services business, payment service provider, or any other reporting entity under the PCMLTFA, these amendments affect your obligations, your penalty exposure, and in some cases, whether you are required to be registered or enrolled with FINTRAC at all.

What Changed and When

Not all amendments came into force simultaneously. The table below summarises the key components and their effective dates:

Amendment	Effective Date
New AMP framework (higher maximums, compliance agreements, compliance orders)	March 26, 2026
Compliance programme must be “reasonably designed, risk-based and effective”	March 26, 2026
Prohibition on anonymous accounts clarified; definition of “anonymous client” introduced	March 26, 2026
FINTRAC disclosures to Commissioner of Canada Elections	March 26, 2026
FINTRAC joins Financial Institutions Supervisory Committee	March 26, 2026
Universal enrolment for all businesses subject to the Act	Canada Gazette, Part II (pending)
Stablecoin issuers required to register with FINTRAC as MSBs	Canada Gazette, Part II (pending)

This staggered approach is consistent with how Canada has historically implemented AML regulatory reform — immediate legislative authority, with operational mechanics developed through subordinate regulation. For most reporting entities, the immediate priorities are the AMP framework upgrade and the new compliance programme standard.

New Administrative Monetary Penalties Framework

The amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations represent the most significant structural change to FINTRAC’s enforcement toolkit in years.

Higher Maximum Penalties

The maximum AMPs that FINTRAC may impose for prescribed violations have been increased. FINTRAC is currently updating its AMP policy and will publish guidance on the specific maximums and the criteria used to calculate individual penalty amounts. The existing lessons from Canada’s historic $176M FINTRAC AML penalty — issued to TD Bank — already demonstrated that FINTRAC is willing to use its enforcement authority at scale. The new framework raises the ceiling further.

Ability to Pay as a Criteria

For the first time, FINTRAC will be required to consider an entity’s ability to pay when determining the quantum of an AMP. This is a meaningful procedural protection for smaller MSBs and fintechs who previously had no formal mechanism to raise financial capacity as a relevant factor.

Compliance Agreements in All AMP Cases

Under the amended framework, compliance agreements will be mandatory in all cases where an AMP is imposed — not just in selected circumstances. A compliance agreement documents the remediation steps the penalised entity commits to taking. This formalises a rehabilitative element into every enforcement outcome and creates a compliance paper trail that FINTRAC can monitor.

Compliance Orders: A New Enforcement Tool

Compliance orders are a new instrument that FINTRAC may now issue independently of AMPs. These orders can require a reporting entity to take specific corrective action. Crucially, contravening a compliance order is itself designated as a new violation under the Act — meaning non-compliance with a remediation directive can generate a second, independent penalty.

Elevated Violations: Serious to Very Serious

Certain compliance programme violations that were previously classified as “serious” have been elevated to “very serious.” This reclassification has direct consequences for penalty quantum. FINTRAC’s penalty grid uses violation severity as a primary input — a “very serious” classification at the top tier of the grid produces materially higher AMPs than the same conduct classified as “serious.”

FINTRAC has not yet published the updated policy with the specific reclassified violations, but the direction is clear: gaps in compliance programme design and execution are now treated with the same severity as individual transaction-level failures.

Compliance Programme Standards: Reasonably Designed, Risk-Based, and Effective

This amendment, also in force as of March 26, 2026, introduces a statutory articulation of what a compliant AML programme must be. The PCMLTFA now expressly requires that compliance programmes be:

• Reasonably designed — structured in a way that is fit for purpose relative to the nature, size, and risk profile of the business
• Risk-based — calibrated to the actual ML/TF risks the entity faces, not applied uniformly across all customers and products
• Effective — operationally capable of detecting, deterring, and reporting suspicious activity

This language should be familiar to practitioners — it tracks the standard FINTRAC has applied in examinations for years, and mirrors the FATF Recommendations’ risk-based approach framework. What changes is that it is now in the Act itself, giving FINTRAC explicit statutory authority to find a violation on the grounds that a programme fails to meet this tripartite standard — even if individual elements are technically present.

An MSB that has a written AML policy from 2021 that has never been updated, tested, or adjusted to reflect changes in its product mix or customer risk profile is, under this standard, operating a compliance programme that is neither reasonably designed nor effective — regardless of how comprehensive the original document was.

For a practical framework on what a compliant programme looks like, the five-element FINTRAC AML programme framework remains the structural foundation. The new statutory standard makes the quality and ongoing maintenance of each element a legal requirement, not merely good practice.

The FINTRAC AML requirements guide and MSB AML audit requirements provide detailed guidance on the components FINTRAC examines. The question MSB operators need to answer is not whether they have a compliance programme — it is whether that programme would withstand scrutiny against the new statutory standard. An independent AML audit answers that question before FINTRAC does.

Anonymous Accounts and the New Definition of Anonymous Client

The amendments also clarify the prohibition on anonymous accounts — a requirement that existed under the PCMLTFA but lacked a precise statutory definition of what constituted an “anonymous client.” That gap is now closed.

FINTRAC will update its guidance to outline the specific parameters of the new definition. For most well-run MSBs and PSPs, this formalises practices already required under KYC obligations — you cannot open or maintain an account without verifying the identity of the account holder. The KYC and CDD requirements for Canadian MSBs cover the identity verification framework in detail.

The practical risk here is for MSBs that operate in high-volume, low-touch transaction environments — prepaid card issuers, certain virtual currency dealers, or businesses using simplified onboarding flows. If your onboarding process has any pathway through which a customer can transact without completed identity verification, that pathway is now explicitly captured by the statutory prohibition, and regulators have a defined target to examine against.

---

Universal Enrolment: A Structural Shift in FINTRAC’s Oversight Perimeter

The most architecturally significant change in the Strengthening Canada’s Immigration System and Borders Act — for the broader Canadian business community — is the introduction of universal enrolment.

Currently, FINTRAC registration is required for specific categories of reporting entity: MSBs (including foreign MSBs operating in Canada), casinos, and certain other designated businesses. All other reporting entities — accountants, real estate brokers, dealers in precious metals and stones, notaries, and others — are subject to PCMLTFA obligations but are not required to register or enrol with FINTRAC.

The universal enrolment amendment changes this. All businesses subject to the PCMLTFA will be required to enrol with FINTRAC. The coming into force date is tied to Regulations to be published in the Canada Gazette, Part II, so the implementation timeline is not yet confirmed. However, the legislative authority is now in place.

This is a significant expansion of FINTRAC’s supervisory visibility. Enrolment creates a registry of obligated entities, enabling FINTRAC to plan examinations, monitor compliance, and identify non-registrants — all of which were significantly harder when large categories of reporting entity operated outside any formal enrolment mechanism.

For businesses that are already registered MSBs or PSPs, this amendment has no immediate operational impact. For those who are subject to the PCMLTFA but not currently registered, the implementation of universal enrolment will bring a new administrative obligation and, more importantly, will bring them within FINTRAC’s examination perimeter in a way they may not have experienced before.

---

Stablecoin Issuers: The FINTRAC MSB Registration Requirement Is Coming

The Budget 2025 Implementation Act enacts the Stablecoin Act, establishing the regulatory framework for stablecoin issuers that create stablecoins and make them available for purchase — directly or indirectly — by persons in Canada.

Once the associated Regulations are published in the Canada Gazette, Part II, stablecoin issuers will be required to:

• Register with FINTRAC as money services businesses dealing in virtual currency
• Comply with the PCMLTFA obligations applicable to MSBs in the virtual currency dealing category

The Bank of Canada will maintain a public registry of stablecoin issuers, creating a parallel transparency mechanism alongside FINTRAC registration.

Canada’s approach to stablecoin regulation has been developing incrementally. The complete guide to Canada’s stablecoin framework provides detailed context on where this sits within the broader regulatory architecture. The FINTRAC registration requirement for stablecoin issuers is consistent with Canada’s treatment of other virtual currency businesses — which have been required to register as MSBs since 2020.

For stablecoin issuers currently operating in Canada without FINTRAC registration, the coming into force of these Regulations will create a hard deadline. The MSB registration process and the common mistakes to avoid in MSB registration are directly relevant to any issuer preparing for this transition.

Issuers who have been operating on the assumption that their product is not captured by existing virtual currency MSB obligations should seek regulatory legal advice now — not after the Regulations are published. The compliance programme, KYC policies, and transaction monitoring infrastructure required for MSB registration take time to build. The complete AML programme blueprint provides a roadmap for entities starting from scratch.

Other Amendments: Elections Disclosures and Supervisory Information Sharing

Two further amendments took effect on March 26, 2026, with less immediate operational impact for most reporting entities but significant structural implications for FINTRAC’s role in the Canadian regulatory architecture.

Commissioner of Canada Elections as a new disclosure recipient. FINTRAC may now provide financial intelligence disclosures to the Commissioner of Canada Elections. This extends FINTRAC’s disclosure mandate beyond law enforcement and national security agencies to include electoral integrity oversight — a notable expansion reflecting growing concerns about the intersection of money laundering and political financing.

Financial Institutions Supervisory Committee membership. The Director and CEO of FINTRAC is now a member of the Financial Institutions Supervisory Committee (FISC), and FINTRAC may exchange supervisory information on federally regulated financial institutions with other FISC members. This brings FINTRAC into the core supervisory coordination mechanism for Canadian financial institutions, alongside OSFI, the Bank of Canada, the CDIC, and the FCAC. For reporting entities that are also federally regulated — or that have significant dealings with them — this supervisory information sharing creates new pathways for compliance intelligence to flow between regulators.

What MSBs and PSPs Should Do Now

The amendments that are already in force — the new AMP framework and the compliance programme standard — require immediate attention. The amendments that are pending regulatory implementation — universal enrolment and stablecoin MSB registration — require monitoring and early preparation.

Immediate priorities:

1. Review your AML programme against the new statutory standard. “Reasonably designed, risk-based and effective” is now the legislative benchmark. If your programme has not been independently reviewed recently, you are unable to demonstrate effectiveness to an examiner. A FINTRAC MSB independent AML audit identifies gaps before FINTRAC does.

2. Understand the new AMP exposure. The elevation of certain violations from “serious” to “very serious” increases your maximum penalty exposure for compliance programme deficiencies. Review the AML audit checklist for 2025 against your current programme to identify which areas present the highest residual risk.

3. Audit your onboarding flows for anonymous account prohibition compliance. The statutory definition of “anonymous client” is coming. Use the period before FINTRAC publishes its updated guidance to review your onboarding process for any gaps in identity verification — particularly in digital, self-serve, or high-volume low-touch channels.

4. If you are a stablecoin issuer, begin FINTRAC MSB registration preparation now. Waiting for the Regulations is a strategy for being unprepared. The AML programme, governance structure, and KYC framework required for MSB registration should be in development now. See the MSB vs PSP licensing guide for context on how MSB registration sits within Canada’s broader payments licensing framework.

5. Watch the Canada Gazette for universal enrolment Regulations. If your business is a reporting entity but not currently registered or enrolled with FINTRAC, the universal enrolment requirement will bring you into FINTRAC’s formal supervisory perimeter. That transition requires compliance programme documentation, governance structures, and reporting infrastructure that many businesses have not yet developed.

ComplyFactor works with Canadian MSBs, PSPs, fintechs, and VASPs on AML programme development, FINTRAC compliance reviews, and fractional CAMLO/MLRO services. If you are assessing your exposure to these amendments, contact us to arrange a compliance gap review.

FAQ

When did the new FINTRAC amendments come into force?

The new AMP framework, compliance programme standard, and anonymous account clarifications came into force on March 26, 2026, the date of Royal Assent. Universal enrolment and the stablecoin MSB registration requirement will come into force in line with Regulations to be published in the Canada Gazette, Part II — dates not yet confirmed.

What does “reasonably designed, risk-based and effective” mean for my AML programme?

It means your programme must be structured appropriately for your business’s risk profile, calibrated to the actual ML/TF risks you face, and demonstrably capable of detecting and deterring financial crime. A static policy document that has not been tested or updated is unlikely to satisfy this standard. Independent testing and regular programme reviews are the primary mechanisms for demonstrating effectiveness.

What is a FINTRAC compliance order?

A compliance order is a new enforcement tool that FINTRAC can issue requiring a reporting entity to take specific corrective action. Unlike an AMP, which is a financial penalty, a compliance order is a directed remediation instruction. Failing to comply with a compliance order is itself a new violation under the PCMLTFA, creating potential for a second enforcement action.

Does the stablecoin MSB registration requirement apply to me?

If you issue stablecoins and make them available for purchase by persons in Canada — directly or through intermediaries — you will be required to register with FINTRAC as an MSB dealing in virtual currency once the associated Regulations come into force. The precise scope of “stablecoin issuer” will be defined in the Regulations. Issuers should seek legal advice on their current registration obligations under the existing virtual currency MSB framework, which may already capture their activities.

What is universal enrolment and how is it different from MSB registration?

Currently, only certain categories of reporting entity (MSBs, casinos, and others) must register with FINTRAC. Universal enrolment will extend a mandatory enrolment requirement to all businesses subject to the PCMLTFA — including those that are currently obligated entities but do not register. This is a significant expansion of FINTRAC’s supervisory perimeter. The implementation timeline depends on Regulations not yet published.

How do these amendments affect FINTRAC examination risk?

The new AMP framework raises the maximum penalties applicable to prescribed violations and elevates certain compliance programme violations to the “very serious” tier. Combined with the new statutory compliance programme standard, examinations now carry higher financial risk for entities with programme deficiencies. The introduction of compliance orders as a separate enforcement tool also means that an examination finding can generate ongoing legal obligations — not just a one-time penalty.