Key takeaways
- FINTRAC's program standard moved from existence-based to effectiveness-based in March 2026.
- A program that is complete on paper but produces no STRs and shows no active monitoring can now fail an examination.
- The maximum penalty for serious violations rose from $100,000 to $4,000,000.
- STR quality is now assessed directly β low or zero filings in a high-risk business invite scrutiny.
For most of the PCMLTFA's history, a FINTRAC examiner asked one foundational question: does this business have a compliance program? If the documents existed and covered the required pillars, the program was, broadly, compliant. Bill C-12 retired that question.
Since March 2026, examiners ask a harder one: does the program work? The shift sounds subtle, but it changes what a defensible compliance program looks like β and it puts a large number of Canadian MSBs and PSPs at risk without their knowing it, because their documentation has not changed even as the standard it is judged against has.
What Bill C-12 actually changed
Before Bill C-12, FINTRAC's enforcement approach was primarily existence-based. The examination tested whether the required documentation was present and reasonably designed. Under Bill C-12, the standard became effectiveness-based: the program must be reasonably designed, risk-based, and effective in practice. The table below sets out the difference plainly.
The penalty increase draws the headlines, but the more consequential change is the finding trigger. A program can now generate findings not because something is missing, but because what is present does not appear to be working.
The "reasonably designed, risk-based, and effective" standard
The phrase appears in PCMLTFA s.9.6 and is now the lens for every examination. Each word carries weight, and the third is where most programs are exposed.
Reasonably designed
The program must be built to address the money laundering and terrorist financing risks the business actually faces β not a generic risk universe borrowed from a template. This is the part most existing programs satisfy.
Risk-based
Controls must be calibrated to the ratings in a documented risk assessment. A high-risk customer segment should attract enhanced due diligence; a low-risk one should not be over-controlled. The risk assessment is the spine β if it is generic, everything downstream is generic too.
Effective β the new part
This is the addition that changes the exam. A program is effective when it produces evidence that it is doing its job: alerts that get reviewed, escalations that get documented, STRs that get filed, training that gets completed and recorded. Effectiveness is not asserted β it is demonstrated through the trail the program leaves behind.
A program that ticks every box on paper but produces no STRs, applies no enhanced due diligence, and shows no evidence of active monitoring will not satisfy the new standard.
Five things to check before your next FINTRAC examination
If you do nothing else this quarter, work through these five. Each maps to a place where the effectiveness standard most often catches businesses out.
- Does your risk assessment match your actual customer base? Open it and compare the customer types it describes against the customers you onboarded last quarter. If they have diverged, the assessment β and everything calibrated to it β is stale.
- Can you show alerts being reviewed? Monitoring that generates no documented review trail reads, to an examiner, as monitoring that is not happening. The disposition record is the evidence.
- Is your STR volume plausible for your risk profile? Zero STRs from a high-risk remittance business is not a clean record β it is a question the examiner will ask. Be ready to explain it.
- Are training completions actually recorded? "We train our staff" is not evidence. Dated, role-specific completion records are.
- Has the program been independently reviewed in the last two years? The biennial independent effectiveness review is a legal requirement, not an optional extra β and it is the first thing an examiner asks for.
What this means in practice
The practical implication is that documentation and operation can no longer be managed separately. A policy that describes a procedure the business does not follow is now worse than a gap β it is a documented discrepancy between what you say and what you do, and the examiner tests one against the other.
For businesses whose programs were written at registration and never revisited, this is the moment to close the gap between the binder and the day-to-day. For businesses that have grown β new products, new corridors, new customer types β the risk assessment almost certainly no longer reflects reality, and every control calibrated to it has drifted with it.
Where to start
There is a logical order. Start with the risk assessment, because it drives everything else; then bring policies and monitoring into line with it; then confirm the whole thing with an independent review.
- If your program has drifted or predates March 2026, a focused AML advisory engagement or a full compliance program build closes the gap to the new standard.
- If you need a named, accountable officer to own the program going forward, a fractional compliance officer carries it as a live obligation.
- If you want to know where you stand before an examiner tells you, an independent AML audit tests effectiveness directly.
The standard has moved. The programs judged against it, for the most part, have not. Closing that distance is the single most valuable compliance task a Canadian MSB or PSP can undertake this year.
ComplyFactor is a specialist AML and regulatory compliance advisory firm working exclusively with MSBs, PSPs, fintechs, and VASPs across Canada's FINTRAC framework. Our advisors hold CAMS certification and bring direct FINTRAC examination experience to every engagement.
