Bill C-12 and Universal FINTRAC Enrolment: What Reporting Entities Should Prepare Before the Rules Go Live
The conversation around Bill C-12 often starts with penalties. It shouldn't end there. The legislation introduces broader FINTRAC oversight and raises the bar for what regulators expect from reporting entities across Canada.

Bill C-12 is about visibility, governance, enforcement, and proof that a compliance program actually works.
Bill C-12 received Royal Assent on March 26, 2026. That moment marked the most significant update to Canada's anti-money laundering regime in years, and one that goes well beyond the penalty increases that most commentators have focused on.
Many businesses are hearing that mandatory FINTRAC registration is coming. That is not true, and it is causing unnecessary confusion. The more precise issue is universal FINTRAC enrollment for reporting entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), combined with stronger enforcement and significantly higher expectations for AML program effectiveness.
The change is not merely that FINTRAC can now levy higher fines. What changed is the regulatory architecture itself. FINTRAC now has stronger supervisory tools, a formal compliance agreement mechanism, publicly disclosed enforcement actions, and a mandate to expand enrollment to reporting entities that are not currently in the registration system.
Bill C-12 is about who FINTRAC can see, how deficiencies can become formal enforcement issues, and whether a business can prove its AML program actually works.
Businesses should not wait until the final enrollment regulations are published. They should use this period to confirm whether they are reporting entities, review their AML program, update their risk assessment, and prepare for stronger FINTRAC scrutiny.
Bill C-2 vs. Bill C-12: Why Businesses Are Confused
The market confusion is understandable.
Bill C-2, formally the Strong Borders Act, was the broader omnibus proposal introduced by the federal government. It contained AML reforms alongside border security measures, cash seizure powers, and other provisions. Not everything in Bill C-2 became law on the same timeline, and some proposals, particularly those relating to cash and border measures, should be monitored but should not be treated as fully active law unless confirmed.
Bill C-12 carried forward the core AML reforms and received Royal Assent on March 26, 2026. Bill C-12 is now law, but not every measure is fully operational immediately. Universal FINTRAC enrolment, for example, is expected to apply to reporting entities not already required to register, but the operational details and timing depend on future regulations.
The table below summarises the key distinction:
| Bill C-2 (Strong Borders Act) | Bill C-12 (Royal Assent March 26, 2026) |
| --- | --- |
| Omnibus bill; AML + border security + cash seizure powers | AML reform bill; carried forward core PCMLTFA changes |
| Broader proposals; not all active law yet | Now law, though some measures need supporting regulations |
| Cash-related and border measures; monitor, do not treat as fully operative | Universal enrolment, higher penalties, compliance agreements, compliance orders; in force |
| Introduced earlier; broader scope | Narrower scope; specifically targets AML compliance architecture |
For AML compliance purposes: Bill C-12 is the operative statute. Its enforcement architecture is active now. Universal enrollment details are still coming through regulations.
What Universal FINTRAC Enrollment Means
Some reporting entities have long been required to register with FINTRAC. Money services businesses (MSBs) and foreign MSBs are the most prominent examples; registration for those categories is a specific, existing obligation with defined timelines and renewal requirements.
Universal enrolment is different in scope. It is expected to bring other categories of reporting entities, those subject to the PCMLTFA but not currently required to register, into a formal enrollment framework with FINTRAC.
The objective is regulatory visibility. FINTRAC needs to know who is operating in the regulated space before it can supervise those entities effectively. Enrolment is the mechanism for establishing that visibility.
What the enrollment process will look like operationally (what information is required, what timelines apply, how renewals will work) depends on regulations that have not yet been finalized. Businesses should not assume enrollment will be a simple online form. They should also not assume the process of confirming their reporting entity status, gathering relevant information, and preparing their documentation will be quick.
The recommended framing: "Reporting entities subject to the PCMLTFA should prepare for universal FINTRAC enrolment once the supporting regulations are finalized."
Who May Be Affected
The question is not whether a business operates in Canada. The key question is whether the business carries out activities covered under the PCMLTFA.
Categories of reporting entity include:
- MSBs and foreign MSBs
- Fintechs and payment companies carrying out covered functions
- Crypto businesses and stablecoin-related businesses
- Securities dealers
- Real estate brokers, agents, and developers
- Accountants and accounting firms carrying out covered activities
- Dealers in precious metals and stones
- Casinos
- Life insurance companies, brokers, and agents
- Cheque cashers
- Private ATM acquirers
- Title insurers
- Factoring, financing, and leasing businesses
- Businesses unsure whether they qualify as reporting entities
Businesses that are uncertain whether they qualify should not assume they do not. Misclassification, that is, treating an AML obligation as not applicable, is the kind of blind spot that becomes a serious enforcement issue. Confirming reporting entity status is a compliance task. It is also the prerequisite for everything that follows.
What Bill C-12 Has Already Changed
The following changes are now law. Some supporting regulations are still being developed, but the enforcement architecture is operative.

Higher administrative monetary penalties.
The penalty caps under the PCMLTFA have been substantially increased. See FINTRAC's AMP policy for the updated schedule. The previous regime allowed penalties that serious operators could treat as a manageable cost. The new regime is designed to remove that calculation entirely.
Mandatory compliance agreements for certain violations.
FINTRAC can now formally require a non-compliant entity to enter a compliance agreement: a binding, documented commitment to remediate identified deficiencies. Compliance agreements are not informal guidance. They are enforceable and create a formal regulatory record.
Compliance orders.
Where compliance agreements are not entered into, are insufficient, or are not followed, FINTRAC has authority to issue compliance orders. These create an enforceable formal record and escalate the regulatory consequences for entities that fail to correct their programs.
Public enforcement and reputational risk.
FINTRAC can now publicly disclose enforcement actions and the names of entities subject to those actions. Reputational exposure is now a real, operational component of the enforcement toolkit. The Canadian market and banking partners will be watching.
Compliance programs must be reasonably designed, risk-based, and effective.
The statutory language has always required risk-based AML programs. What is different now is the enforcement architecture that sits behind that requirement. A program that is technically documented but operationally hollow will not hold up under the scrutiny this regime enables.
Greater FINTRAC visibility and stronger supervisory tools.
The combination of universal enrolment, expanded examination powers, and the compliance agreement and order mechanisms means FINTRAC will have substantially more visibility into the reporting entity population, and substantially more tools to act on what it finds.
Why This Is More Than a Penalty Increase
Most competitor commentary on Bill C-12 has focused on the penalty numbers. That understates what has actually changed.
The penalty increase is the visible change. The structural change is the enforcement escalation pathway that now exists to identify, document, escalate, and publicly disclose AML compliance failures.
Under the previous regime, FINTRAC's tools for addressing a weak compliance program were limited. An examination could result in a finding. That finding might lead to a penalty. For resourced operators, the process was manageable.
Under Bill C-12's framework, the process is different. A finding can lead to a compliance agreement. A compliance agreement creates a binding remediation obligation with a regulatory record. Non-compliance can lead to a compliance order. A compliance order creates a formal enforcement file. And the entire sequence can be publicly disclosed, with the entity named.
That changes the risk calculation entirely. The biggest issue is regulatory visibility: FINTRAC will have stronger tools to identify, supervise, correct, and publicly pressure weak compliance programs. A business that received a minor finding in the past has no guarantee the same deficiency will be treated as minor going forward.
The flow below illustrates how a compliance gap can escalate under the new framework:
1. Enrolment: Reporting entity visible to FINTRAC
2. → Examination: FINTRAC reviews AML program
3. → Compliance Agreement: Binding remediation commitment
4. → Compliance Order: Formal enforcement record
5. → Remediation + Disclosure: Public naming; penalties apply
Every reporting entity should ask: "If FINTRAC examined our program tomorrow, what would they find, and what would happen next?"
What Businesses Should Do Now
The operational details of universal enrolment have not yet been published. This period is an opportunity to prepare before the regulatory expectations become fully operative. The following is a practical readiness checklist.

1. Confirm whether the business is a reporting entity.
Determine whether your business carries out activities covered under the PCMLTFA. If the answer is uncertain, that uncertainty is itself the first compliance risk to address. Businesses operating without clarity on their regulatory status are exposed.
2. Identify whether the business is already registered or may need enrollment.
MSBs, foreign MSBs, and other currently-registered categories should confirm their registration is current, complete, and accurately reflects their operations. Other reporting entities should begin preparing for the enrollment framework now.
3. Review ownership, directors, business activities, addresses, agents, and operating names.
Universal enrolment will likely require disclosure of this information. Gathering and verifying it takes time. Discrepancies between registered information and operational reality are a compliance gap in their own right.
4. Update AML policies and procedures.
Review your AML documentation against your current operations. A policy that was drafted at launch and has not been updated since does not reflect what the business actually does today. Identify every area where the policy does not match operational reality and prioritise remediation by risk level.
5. Refresh the AML risk assessment.
The risk assessment is the foundation of a risk-based program. If it has not been updated in the past 12 to 18 months, or if the business has changed significantly, it does not accurately reflect the current risk profile. An outdated risk assessment undermines every other component of the program.
6. Review KYC, KYB, beneficial ownership, sanctions, and PEP controls.
These are the areas FINTRAC examinations focus on most closely. Gaps in customer due diligence, beneficial ownership identification, or sanctions screening are not minor findings. They go to the core of program effectiveness.
7. Test transaction monitoring and escalation processes.
Pull your alert volume, review completion rates, and SAR filing rates. If those numbers do not tell a coherent story about a functioning monitoring program, address calibration and operational process before an examiner does it for you.
8. Review STR, LCTR, EFTR, LVCTR, and other reporting workflows where applicable.
Reporting obligations under the PCMLTFA are specific and threshold-driven. Ensure the workflows that produce those reports are documented, tested, and assigned to individuals who understand the requirements.
9. Check recordkeeping quality.
KYC records, beneficial ownership files, transaction records, and STR documentation must be organised, current, and retrievable. A compliance program that is functionally reasonable but cannot produce records in a regulatory examination context has a significant operational gap.
10. Review staff training records.
AML training must be current, documented, and role-specific. Employees in customer-facing, monitoring, and reporting roles must understand their obligations. Training completed at onboarding and never refreshed does not meet the standard.
11. Prepare for possible FINTRAC clarification requests.
As FINTRAC expands its visibility into the reporting entity population, some entities will receive clarification requests about their operations, risk profile, or compliance program. Having documentation in order and a designated point of contact for FINTRAC correspondence is a basic operational readiness step.
12. Conduct or schedule an AML effectiveness review.
An independent effectiveness review assesses whether the AML program is actually working as designed. It is the most credible mechanism an entity has to demonstrate to FINTRAC that its compliance function is genuine. If you have not had one in the past two years, schedule one now.
13. Assign internal responsibility for regulatory updates.
Bill C-12 is now law, but its implementation will continue to evolve through regulations, FINTRAC guidance, and operational updates. Designate someone internally to track those developments and ensure the AML program responds to them as they are published.
Get In Touch
AML Incubator provides practical AML compliance support for Canadian reporting entities navigating Bill C-12 and universal FINTRAC enrolment. The work is implementation-focused: building, assessing, and remediating compliance programs that need to function in a more visible and more enforceable regulatory environment.
Services most directly relevant to reporting entities preparing for this environment:
- FINTRAC enrolment readiness: Confirming reporting entity status, preparing registration and enrolment documentation, and managing FINTRAC correspondence.
- MSB registration support: Registration, renewals, and regulatory correspondence for MSBs and foreign MSBs, including crypto MSBs and payment businesses.
- Independent effectiveness review: Assessing whether the AML program is operationally functional, identifying gaps, and producing a remediation roadmap.
- Regulatory remediation: Supporting entities that have received FINTRAC findings, compliance agreements, or compliance orders and need to demonstrate corrective action.
- Outsourced CAMLO and MLRO services: Providing qualified, named compliance officer coverage for entities that need an accountable individual without hiring full-time.




