FINTRAC 2026 Legislative Amendments: What Canadian MSBs, Fintechs and Crypto Platforms Must Know

FINTRAC's Most Significant Legislative Changes in Years Just Received Royal Assent

On March 26, 2026, two pieces of Canadian legislation received Royal Assent and fundamentally restructured the country's anti-money laundering and counter-terrorist financing (AML/CFT) compliance landscape. The Strengthening Canada's Immigration System and Borders Act and the Budget 2025 Implementation Act together introduced the most consequential amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act that Canadian compliance teams have seen in years.

FINTRAC has since published implementation guidance confirming that the changes are real, that they are coming into force on staggered dates, and that further regulatory detail will follow. For businesses currently subject to the Act, including MSBs, fintechs, crypto platforms, VASPs, banks, insurance companies, securities dealers, and real estate sectors.

The way to deal with these changes is not to wait. It is to begin assessing program gaps now, before FINTRAC's new enforcement tools are live.

AMLI Analysis: Both acts received royal assent on March 26, 2026. Higher enforcement stakes, higher program standards, and mandatory registration for a broader class of financial actors, including stablecoin issuers. You must prepare now.

What Is the Proceeds of Crime (Money Laundering) and Terrorist Financing Act?

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act is Canada's primary AML/CFT legislation. It governs the obligations of "reporting entities" businesses legally required to identify customers, report suspicious transactions, keep records, and maintain AML compliance programs.

Reporting entities under the Act include:

• Money services businesses (MSBs), including foreign MSBs serving Canadian customers

• Banks and federally regulated financial institutions

• Life insurance companies

• Securities dealers and investment firms

• Real estate agents, brokers, and developers

• Casinos

• Accountants and accounting firms in certain contexts

• Virtual asset service providers (VASPs) and crypto trading platforms

FINTRAC, the Financial Transactions and Reports Analysis Centre of Canada, is the federal intelligence and supervisory agency responsible for administering the Act. It collects financial transaction reports, produces financial intelligence for law enforcement, and conducts compliance examinations of reporting entities. When FINTRAC finds non-compliance, it can impose Administrative Monetary Penalties (AMPs). These 2026 amendments introduce a new AMP framework with materially different scope and consequence than what existed before.

The Six Key Amendments from the Strengthening Canada's Immigration System and Borders Act

The Strengthening Canada's Immigration System and Borders Act was introduced as immigration and border security legislation. Buried within it, however, are six structural amendments to the Act that will reshape how Canadian compliance programs are designed, how FINTRAC enforces, and how the broader AML ecosystem operates.

Amendment 1: A New Administrative Monetary Penalties Framework

The 2026 amendments substantially restructure the existing AMP penalty architecture, creating new categories of violations, revised penalty ranges, and potentially revised processes for challenging or appealing FINTRAC's penalty decisions.

FINTRAC's enforcement actions have increased in frequency and severity over the past three years. The introduction of a new AMP framework signals that Parliament has given FINTRAC sharper teeth. Businesses that have historically viewed AML compliance as a documentation exercise will face a new cost calculation. Review your program now for undocumented gaps, identify any outstanding FINTRAC examination findings, and develop documented remediation plans before the new framework comes into force.

AMLI Analysis: This is a signal, not a technical update. Parliament is telling FINTRAC to enforce harder. Businesses with known program gaps, untested policies, or unresolved examination findings are most at risk under the new penalty regime.

Amendment 2: Compliance Programs Must Be Reasonably Designed, Risk-Based, and Effective

This amendment codifies a three-part statutory standard for AML compliance programs. Programs must be reasonably designed, risk-based, and effective. These are no longer merely supervisory expectations. They are enforceable legal requirements.

"Reasonably designed" means purpose-built for your specific business model, products, and customer base and not built on generic templates last updated years ago. Risk-based means your strongest controls must concentrate where your highest risks actually are, supported by a credible and current risk assessment. Effective is the hardest standard because it is results-oriented. A program is effective if it actually detects suspicious activity, generates quality STRs, and demonstrates that controls are working as designed. Effectiveness testing through internal audits, transaction monitoring reviews, and STR quality assessments is no longer optional.

AMLI Analysis: The term "Effective" is performing significant statutory work here. FATF greylisted Kuwait in February 2026, not because it lacked AML laws, but because its controls were not operationally effective. Canadian businesses with technically compliant but functionally weak programs now face the same scrutiny by statute.

Amendment 3: Clarifying Anonymous Account Prohibition and Defining Anonymous Client

This amendment clarifies the requirements related to the prohibition on anonymous accounts and introduces a statutory definition of "anonymous client." The definition will likely capture scenarios where a beneficial owner, ultimate controlling party, or account holder's identity cannot be verified to the required standard.

Review your onboarding workflows for any gap between account activation and completed identity verification. For crypto platforms and VASPs, assess whether your account structure, wallet attribution, or transaction processing creates scenarios where beneficial ownership or control cannot be determined. Review policies on dormant accounts, accounts opened through introducers or agents, and accounts where the beneficial owner differs from the account holder of record.

AMLI Analysis: A statutory definition removes interpretive room. If FINTRAC defines "anonymous client" broadly, any product feature or customer type that creates distance between account activity and verified identity becomes a direct compliance exposure.

Amendment 4: Mandatory FINTRAC Enrollment for All Reporting Entities

This amendment requires all businesses subject to the Act to formally enroll with FINTRAC. Previously, registration applied specifically to MSBs. Banks, insurance companies, securities dealers, real estate professionals, accountants, and casinos were subject to the Act's full obligations but had no formal enrollment process. That gap is now being closed.

Not all at once, though. Mandatory enrollment for non-MSB reporting entities comes into force in 2027 through future regulatory implementation. MSBs are not waiting for 2027. Their registration obligations are live now and have been for years.

If your business is a domestic or foreign MSB and you are not currently registered with FINTRAC, that is not a future problem. It is a present one. Foreign MSBs serving Canadian customers have carried registration obligations since 2019. This amendment signals that FINTRAC intends to enforce those obligations more aggressively across the board.

For non-MSB reporting entities, 2027 gives you runway. It does not give you permission to ignore it. Confirm your entity classification now. Understand what enrollment will require. Monitor FINTRAC's Modernization and Upcoming Changes page for the implementation date and guidance. Build it into your compliance calendar before it becomes a deadline you are scrambling to meet.

AMLI Analysis: For the first time, FINTRAC will have a formal registry of every reporting entity it supervises, not just MSBs. If you are an MSB and not registered, act now. Everyone else: 2027 is the target. Start preparing today. 

Amendment 5: FINTRAC Disclosures to the Commissioner of Canada Elections

This amendment enables FINTRAC to provide financial intelligence disclosures to the Commissioner of Canada Elections, the independent officer responsible for enforcing the Canada Elections Act.

Electoral financing is a known financial crime vector globally. Illicit funds routed through political donations, third-party advertising campaigns, or campaign financing structures represent a meaningful money laundering and foreign interference risk. For most reporting entities, the immediate operational impact is indirect; this is an inter-agency channel, not a new customer obligation. Businesses that process payments to political campaigns or partisan advertising services should nonetheless ensure their typologies and monitoring scenarios cover political financing flows.

AMLI Analysis: FINTRAC's mandate is expanding. Businesses in payment corridors adjacent to political financing should treat this as a typology update, not background noise.

Amendment 6: Supervisory Information Sharing with the Financial Institutions Supervisory Committee

This amendment enables FINTRAC to exchange supervisory information on federally regulated financial institutions (FRFIs) with other members of the Financial Institutions Supervisory Committee (FISC), including OSFI, the Bank of Canada, the CDIC, and the FCAC.

Your FINTRAC compliance examination findings can now be formally shared with OSFI and other FISC members. The information silos between Canada's financial regulators are closing. A significant weakness in your AML program identified by FINTRAC may now have direct implications for your OSFI supervisory relationship. Ensure your AML and prudential compliance functions are aligned, remediate any outstanding FINTRAC findings before they become shared supervisory intelligence, and brief your board accordingly.

AMLI Analysis: Regulatory silos are being dismantled in Canada and globally. For FRFIs, AML compliance is no longer a FINTRAC-only conversation. Your entire regulatory relationship is now interconnected.

The Stablecoin Act: What Crypto Operators and Digital Asset Platforms Need to Know

The Budget 2025 Implementation Act contains the Stablecoin Act, a new statute that establishes specific AML/CFT requirements for stablecoin issuers operating in or from Canada.

A stablecoin is a type of digital asset designed to maintain a stable value relative to a reference asset, most commonly a fiat currency like the Canadian or US dollar. Unlike Bitcoin or Ethereum, stablecoins are designed to hold a predictable, fixed value for use in payments, transfers, and financial transactions. This makes them function as a direct substitute for fiat currency and directly relevant to AML/CFT frameworks.

Canada's Stablecoin Act gives Parliament's answer to a long-contested regulatory debate: stablecoin issuers operating in or from Canada are subject to AML/CFT obligations and must register with FINTRAC as money services businesses.

Once in force through future regulatory amendments, stablecoin issuers will be required to register with FINTRAC as MSBs and comply with all MSB obligations under the act, including customer identification, recordkeeping, transaction reporting, and AML compliance program requirements. The Stablecoin Act is not yet in force; its obligations will take effect through future regulatory amendments. But the direction is unambiguous: if you issue, manage, or redeem stablecoins in Canada or for Canadian customers, you are in FINTRAC's regulatory perimeter.

AMLI Analysis: Canada is not allowing stablecoin operators to self-exclude from AML/CFT by calling their product a technology. Full MSB obligations apply: registration, CDD, record keeping, STR reporting, and compliance programs. If you issue stablecoins, start compliance planning now.

The following business types should treat this as directly relevant:

• Companies that mint or redeem tokenized fiat currency products backed by reserves

• Crypto platforms offering branded stablecoins or stable-value tokens

• Payment companies building on stablecoin rails for settlement or treasury management

• DeFi protocols with stablecoin issuance mechanisms

• Fintechs using stablecoins as an internal settlement layer for cross-border payment products

Even businesses that do not directly issue stablecoins but rely on stablecoin infrastructure; for example, a payment processor settling in USDC, should monitor the regulatory amendments closely. Depending on how "issuer" is defined, facilitation or redemption functions may also be captured.

Coming Into Force: What the Staggered Timeline Means for Your Compliance Planning

Various provisions will take effect on different dates. Not all six amendments are live today. Some require order in council, regulatory amendment, or FINTRAC guidance before becoming enforceable. The Stablecoin Act specifically requires future regulatory amendments before its MSB registration requirement becomes enforceable but the underlying statute is already law. FINTRAC will update its guidelines as each provision comes into force and has directed businesses to monitor the Modernization and Upcoming Changes Impacting Reporting Entities page for implementation updates.

AMLI Analysis: A staggered timeline is not a reason to wait. Use it to close program gaps, update risk assessments, remediate documentation issues, and prepare for enrollment. The penalty framework, the effectiveness standard, and the enrollment requirement are all coming. The only open question is when.

What Your Compliance Program Needs to Do Now: A Practical Response Framework

Step 1: Conduct a Gap Assessment Against the New Effectiveness Standard

Reviewing a policy document does not satisfy the new statutory requirement that programs be "reasonably designed, risk-based, and effective." Commission an internal or external effectiveness review. Assess STR quality: are your reports identifying real suspicious activity or filed defensively? Test your transaction monitoring: are alert parameters calibrated to your actual risk profile? Review your risk assessment: does it reflect your current business, customer base, products, and delivery channels? Document everything. An undocumented program gap that existed before March 26, 2026, is now a statutory exposure.

Step 2: Confirm Your Enrollment Status with FINTRAC

If your business is subject to the Act, confirm you are enrolled with FINTRAC. This applies to domestic and foreign MSBs, VASPs, crypto trading platforms, and any entity type added to the Act's scope in recent years. If you are not enrolled and you are a reporting entity, begin the enrollment process immediately. Do not wait for FINTRAC to initiate contact.

Step 3: Update Your Risk Assessment and Anonymous Client Controls

Review onboarding flows for any gap between account activation and completed CDD. Assess whether your product features create scenarios where beneficial ownership cannot be determined. Update your risk assessment to include anonymous client risk as an explicit category. Document the review even if no immediate changes are required.

Step 4: If You Issue Stablecoins or Use Stablecoin Infrastructure, Start Now

Conduct a legal assessment of whether your stablecoin-related activities will fall within the definition of "stablecoin issuer" as it will be defined in the regulatory amendments. Begin building or adapting your AML compliance program to MSB standards. Monitor FINTRAC's Modernization and Upcoming Changes page for guidance on the Stablecoin Act's implementation timeline.

Step 5: Verify Your FINTRAC Contact Information and Regulatory Monitoring Setup

Subscribe to FINTRAC updates at fintrac-canafe.gc.ca. Assign a team member responsibility for monitoring FINTRAC's Modernization page after each regulatory development. Ensure your FINTRAC registration information, including contact details, business description, and reporting officer information, is current and accurate.

The Bigger Picture: Canada's AML Overhaul in Global Context

The 2026 FINTRAC amendments are part of a broader global movement toward outcome-based, operationally effective AML/CFT supervision.

In the United States, the FinCEN NPRM published April 7, 2026 signals a shift from technical rule-following to demonstrable effectiveness. The European Union's new AMLA, set to directly supervise high-risk institutions starting in 2028, follows the same logic. At FATF, the February 2026 greylisting of Kuwait, a jurisdiction with a well-developed regulatory framework, was based on operational effectiveness gaps, not the absence of laws. Canada's effectiveness standard amendment directly mirrors FATF's evaluation criteria.

For businesses operating across Canada, the US, UAE, or Australia, the 2026 amendments are a signal that compliance posture must be assessed globally and not jurisdiction by jurisdiction in isolation.

AMLI Analysis: The effectiveness standard, the new AMP framework, and the Stablecoin Act are all moving Canada's AML regime toward one thing: programs that actually work. Businesses treating FINTRAC compliance as a documentation exercise are now facing a statutory standard they have not previously been held to. This is the moment to close that gap.

Frequently Asked Questions

Are these amendments in effect now?

Both Acts received Royal Assent on March 26, 2026, so they are law. However, various provisions will come into force on different date; some immediately and others through Orders in Council or future regulatory amendments. The Stablecoin Act's MSB registration requirement specifically requires future regulatory amendments before it becomes enforceable. FINTRAC will publish implementation guidance as each provision comes into force.

Who is affected by the mandatory enrollment requirement?

All businesses currently subject to the Act that are not yet enrolled with FINTRAC — including domestic and foreign MSBs, VASPs, crypto trading platforms, and any entity type that has become subject to the Act in recent years. If your business qualifies as a reporting entity and you have not enrolled, the mandatory enrollment amendment exposes you to direct compliance risks.

What does "effective" mean under the new program standard?

Effectiveness is results-oriented. A program is effective if transaction monitoring identifies suspicious activity, STRs capture real suspicious behavior, customer risk ratings reflect genuine risk levels, and the program is tested and reviewed regularly. Effectiveness is demonstrated through documented outcomes: audit results, STR quality metrics, and transaction monitoring calibration reviews. A policy manual alone is not evidence of effectiveness.

Does the Stablecoin Act apply to businesses that use stablecoins but do not issue them?

The Act's scope will be determined by future regulatory amendments. The current statutory framework focuses on issuers. Businesses using stablecoins for settlement or payments without issuing them may or may not be captured depending on how key terms are defined. Monitor FINTRAC's implementation guidance closely and seek legal advice if your business involves stablecoin infrastructure.

How does the new AMP framework affect businesses with existing FINTRAC examination findings?

Outstanding findings will be assessed under whatever penalty framework is in force when FINTRAC takes enforcement action. Remediate known deficiencies before the new AMP framework comes into force. Documented remediation demonstrates good faith and materially reduces enforcement risk.

Get In Touch Now

The 2026 FINTRAC amendments are a statutory reality that requires action now, before enforcement tools are sharpened, before registration requirements are triggered, and before your banking partners and regulatory supervisors begin asking questions you are not prepared to answer.

At AML Incubator, we offer:

• AML Program Effectiveness Reviews to assess whether your program meets the new statutory standard

• FINTRAC Enrollment and Registration Support for businesses required to complete enrollment

• Stablecoin and VASP AML Program Design for crypto operators and stablecoin issuers

• CAMLO and MLRO Services for fintechs, MSBs, and digital asset platform.

If your business is subject to the act and you are not certain your compliance program meets the 2026 standard, book a discovery call to review your current posture, identify gaps, and build a remediation roadmap before FINTRAC's new enforcement tools are live.