FINTRAC's New Administrative Monetary Penalties Framework (2026): What Every Canadian Reporting Entity Must Know

The Strengthening Canada's Immigration System and Borders Act (Bill C-12) received Royal Assent on March 26, 2026. Buried inside that legislation, alongside the immigration provisions that dominated the headlines, was a complete overhaul of FINTRAC's administrative monetary penalties framework under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). For MSBs, fintechs, crypto platforms, and every other reporting entity operating in Canada, this is the enforcement update that matters most in 2026.

Penalties are higher. New enforcement tools have been introduced. Compliance agreements are now mandatory for certain violations. And the changes apply to every violation that occurs on or after March 26, 2026.

If you haven't reviewed your AML program against this new framework, that review is now overdue.

What FINTRAC's Administrative Monetary Penalties Framework Actually Is (and Why It Just Changed Everything)

FINTRAC has had the authority to issue administrative monetary penalties since December 30, 2008. That's not new. What is new is the scale, the structure, and the enforcement behind that authority.

Under the existing framework, the one that still governs violations that occurred entirely before March 26, 2026, penalties are tiered by the degree of importance of the violation. Minor violations carry a maximum of $1,000. Serious and very serious violations carry maximums of $100,000 per violation for individuals and $500,000 per violation for entities. Multiple violations can be stacked, so total penalty exposure can exceed those individual caps. But the caps themselves have remained unchanged for years.

The new framework changes that. Penalty maximums can now rise to up to 40 times the current limits. That means a very serious violation for an entity, which previously maxed out at $500,000, now has a potential ceiling of $20,000,000. Per violation.

That is the new legislated framework. And it applies to every violation that occurs on or after March 26, 2026.

But the penalty increase is only part of the story. The architecture of enforcement has changed in ways that matter more than the numbers alone.

The Five Changes That Define the New Framework

The Strengthening Canada's Immigration System and Borders Act restructures how FINTRAC identifies non-compliance, responds to it, and requires businesses to correct it.

Here is exactly what changed, and what each change means in practice:

Take these five changes together and what you see is not just higher fines. You see a regulator that now has a tiered enforcement toolkit, from compliance agreements to compliance orders to penalties to law enforcement referrals, with clear legislative authority behind each level.

This new framework is a system.

AMLI Analysis: The introduction of compliance orders is the change that gets the least attention but carries the most structural weight. An order is a formal regulatory instrument that requires demonstrated corrective action. Businesses that cannot show an organized, evidence-based response to a compliance order will find themselves in a significantly more difficult position than businesses that can.

What Has Not Changed and Why That Matters

For all that is new, the transition is not a hard reset.

FINTRAC has been clear:
Violations that occurred entirely before March 26, 2026 continue to be assessed under the existing policy, with the existing penalty amounts and processes.

The new framework applies forward.

The mechanism that makes this workable is examination scoping. FINTRAC will scope its examination review periods so that each assessment falls entirely within one legislative framework. You will not face a hybrid assessment where some violations are calculated under the old rules and others under the new. Each examination period is governed by a single set of rules whichever framework was in force for that period.

March 26, 2026 is the pivot date. Every violation that occurs on or after that date is evaluated under the new regime. That means the 40x penalty ceiling. That means mandatory compliance agreements. That means compliance orders. There is no grace period and no transition window. The date passed and the new standard is already in force.

The new bar is also a different bar. It is whether your program is effective and reasonably designed.

A policy document that exists but cannot demonstrate function does not meet that standard.A risk assessment that is current on the cover page but has not been stress-tested against how your business actually operates does not meet that standard.
The question FINTRAC is now equipped to ask and penalize is whether your compliance program works, not just whether it exists. This matters because compliance programs do not reset themselves on a legislative date. Gaps that existed before

March 26, 2026 tend to persist unless they are actively identified and corrected. If your program has structural weaknesses incomplete policies, missing risk assessments, undertrained staff, unmonitored transaction reporting processes those same weaknesses are still present today. In a framework where violations carry up to 40 times the previous penalty exposure and where program effectiveness is the standard, the cost of that persistence has changed materially.

AMLI Analysis: The pivot date is not a prompt to ask when you last reviewed your program. It is the date on which the enforcement consequences for every gap in your program became dramatically higher. If gaps exist today, they are being evaluated under the new standard right now.

Compliance Agreements: What Mandatory Actually Means

The introduction of mandatory compliance agreements for prescribed violations is one of the most operationally significant changes in the new framework, and one of the least understood.

Under the old framework, penalty notices were largely transactional. A notice of violation was issued. The business paid, or made representations, or pursued review. The enforcement process was linear and finite.

Compliance agreements change that dynamic. A compliance agreement is a formal, documented commitment by a reporting entity to take specific corrective actions within a defined timeline. It is an ongoing obligation that requires the business to demonstrate that it has fixed the underlying problem.

For businesses that receive a compliance agreement, the compliance function is no longer just a regulatory obligation that sits in the background. It becomes an active, documented, evidenced commitment that FINTRAC will follow up on.

This matters in several ways.

Compliance agreements require documentation. You cannot enter into one and then run your program informally. Every corrective action that the agreement requires needs to be implemented, evidenced, and capable of being shown to a regulator on request.

Compliance agreements require resourcing. Corrective action takes time, expertise, and organizational commitment. A business that does not have a capable compliance function in place when it receives a compliance agreement will struggle to fulfill it.

Compliance agreements are new territory for most reporting entities. FINTRAC is still developing the guidance that will govern how compliance agreements work in practice. That guidance is coming but the obligation to enter into them is already law.

AMLI Analysis: A compliance agreement is the beginning of a new enforcement process. The business that treats it as a box to check is the business that ends up in a compliance order. The business that treats it as an opportunity to demonstrate genuine corrective action is the one that closes the file.

Compliance Orders: FINTRAC's New Enforcement Layer

The introduction of compliance orders as a formal enforcement tool deserves its own section, because compliance orders represent something that has not existed in FINTRAC's toolkit before.

A compliance order is distinct from a penalty. A penalty is a financial consequence for past non-compliance. A compliance order is a regulatory directive requiring future corrective action. FINTRAC can now issue an order mandating that a reporting entity take specific steps to address non-compliance.

The practical implications of a compliance order are significant:

An order is on the record. It is a formal regulatory instrument. It will factor into FINTRAC's compliance history assessment for any future examination.

An order requires a response. Unlike a penalty that can be paid and closed, an order requires the business to actually do something and demonstrate that it has done it.

An order is a step in a progression. FINTRAC now has the ability to move from an informal notice to a compliance agreement to a compliance order to a penalty to a law enforcement referral. Each step represents an escalating enforcement posture. Compliance orders sit in the middle of that progression. They are not the worst thing that can happen. But they signal that FINTRAC views the non-compliance as serious enough to require supervised correction.

FINTRAC is still developing the full policy guidance on compliance orders. What the legislation makes clear is that the authority exists, it is in force for violations and it will be used.

AMLI Analysis: Think about compliance orders the way you think about formal warnings in any regulated context. But they are a signal that the regulator has moved from monitoring to management. Businesses that respond to compliance orders with organized, evidence-based corrective action exit the process. Businesses that do not find themselves in a penalty calculation under the new, higher limits.

Why the Ability-to-Pay Criterion Changes More Than You Think

The inclusion of ability to pay as a criterion for determining penalty amounts sounds like a concession. It is not.

Under the old framework, penalty calculations were based on three criteria: the purpose of AMPs (to encourage compliance, not punish), the harm done by the violation, and the reporting entity's compliance history.

Under the new framework, it is.

On the surface, this looks like a protection for smaller businesses, a mechanism that prevents a penalty from being disproportionately large relative to a business's financial capacity. And in part, it is that.

But consider what it also means in practice. FINTRAC's assessors now need to understand a reporting entity's financial position as part of the penalty calculation. That means financial information about your business may be relevant to an AMP assessment. It means the relationship between your compliance investment and your financial capacity will be visible to regulators.

It also means that for large, well-resourced businesses, the argument that a penalty was too high relative to their capacity will carry less weight. The ability-to-pay criterion works both ways. It can reduce penalties for businesses that genuinely cannot absorb them. It provides less protection for businesses that have the resources to invest in compliance but chose not to.

AMLI Analysis: Do not read ability to pay as a safety valve. Read it as a factor that FINTRAC will apply with full knowledge of your business's financial context. The businesses that have invested in genuine compliance infrastructure are better positioned under this criterion than the ones that have not, regardless of their absolute financial size.

What the New Framework Reveals About FINTRAC's Enforcement Direction

The five changes in the new AMP framework are not isolated technical amendments. They are a signal.

FINTRAC has had penalty authority since 2008. For nearly 18 years, that authority existed within a framework that has remained largely stable. The decision to overhaul it now, with higher maximums, new enforcement tools, mandatory agreements, and formal orders, reflects a regulatory posture that is actively shifting.

Canada's financial intelligence framework has faced pressure on multiple fronts. The grey-listing risk that FATF assessments create. The rapid growth of crypto and virtual currency businesses operating as MSBs. The complexity of cross-border transaction flows. The recognition that paper compliance programs, programs that look right on file but do not function in practice, are not achieving the regulatory outcomes the PCMLTFA was designed to deliver.

The new AMP framework is FINTRAC's response to that pressure. It is the legislative foundation for a more active, more consequential enforcement posture.

Every reporting entity in Canada should read the new framework as a statement of regulatory intent, not just a change to penalty calculations. FINTRAC is signaling that compliance that cannot be evidenced, tested, and demonstrated on demand is compliance that will now carry substantially higher consequences.

AMLI Analysis: The businesses that will feel this framework most acutely are the ones with programs that were adequate on paper but never built for scrutiny. The distinction between a program that exists and a program that functions is about to become much more financially significant.

How the New Framework Interacts With Your Existing AML Program

Every mandatory component of a FINTRAC-compliant AML program now exists in a higher-stakes enforcement environment. That means each gap in each component carries a higher potential consequence than it did before.

Here is how the changes map against the core compliance program requirements:

Compliance policies and procedures. Policies that are outdated, generic, or do not reflect how your business actually operates are a documentation gap. Under the new framework, there is a documentation gap that sits within reach of significantly higher penalties and potentially, a compliance order requiring correction.

Risk assessment. A stale risk assessment, one that does not reflect current products, services, geographies, and client base, is a gap FINTRAC examiners can identify quickly. It is a gap that can trigger mandatory corrective action.

Ongoing monitoring. Transaction monitoring that is not calibrated to your actual risk environment, or that cannot produce evidence of function during an examination, is a serious compliance gap. It is also one of the more common findings in FINTRAC examinations.

Training. Training programs that are delivered once with regulatory changes are an easy gap for examiners to identify. The absence of training records is evidence of a program that cannot demonstrate effectiveness.

Effectiveness review. The requirement to test whether your compliance program actually works has been part of the PCMLTFA framework for years. Under the new AMP structure, the businesses that cannot produce effectiveness review results are the ones most exposed.

AMLI Analysis: Run a gap assessment against the five new framework changes now. The question is whether it meets the old standard in a way that can be evidenced, tested, and demonstrated under examination because the consequences of failing that test just changed materially.

What to Do in the Next 30 Days

The new framework is already in force. Violations that occur from March 26, 2026 onward are subject to it. That includes violations that occur today, while your team is reading this.

Here is the sequence of actions that matters most:

One. Confirm your AML program documentation is current. Policies, procedures, and risk assessment should reflect how your business operates today.

Two. Review your FINTRAC correspondence trail. Every clarification request, every information demand, every examination letter. Confirm there are no outstanding responses, no missed deadlines, and no gaps in your reply history.

Three. Identify whether your compliance program has been through an effectiveness review in the last 12 months. If not, that review is now more urgent than it was before March 26, 2026.

Four. Assess your ability-to-pay position honestly. Understand what FINTRAC might see if a penalty calculation required financial disclosure. Make sure your compliance investment is proportionate to that position.

Five. Brief senior leadership and the board. The new AMP framework is a business risk issue. The potential penalty exposure under the new limits is material enough to require board-level awareness.

Six. Ask your compliance function one question: if FINTRAC opened an examination today, could we produce organized, current, evidenced documentation for every component of our AML program? If the answer is anything other than yes, that gap is now your highest compliance priority.

AMLI Analysis: Thirty days is not a long time. But it is enough time to identify your highest-exposure gaps, prioritize remediation, and begin the documentation work that makes an examination less dangerous. The businesses that start this week are in a materially better position than the ones that wait.

FINTRAC's New AMP Framework: Questions We Hear Most Often

Does the new framework apply to violations that happened before March 26, 2026?

No. FINTRAC has been explicit: violations that occurred entirely before March 26, 2026 continue to be assessed under the existing administrative monetary penalties policy, with the existing penalty amounts. The new framework applies to violations that occur on or after March 26, 2026.

What are a "prescribed violation" and a "compliance order violation"?

These are categories of violations that FINTRAC is defining under the new framework. Prescribed violations are those that will attract mandatory compliance agreements. Compliance order violations are those that can trigger compliance orders. FINTRAC is still developing the full policy guidance on these categories, but the obligation to comply with them is already legislated.

What does a compliance agreement actually require?

A compliance agreement is a formal, documented commitment to take specific corrective actions within a defined timeline. It is an ongoing obligation. FINTRAC is developing guidance on how compliance agreements will work in practice. What is clear is that they are mandatory for prescribed violations and require demonstrated corrective action.

How much higher are the new penalty maximums?

The new framework increases maximum penalty amounts by up to 40 times current limits. Under the current framework, a very serious violation carries a maximum of $500,000 per violation for an entity. Under the new framework, that ceiling rises to up to $20,000,000 per violation. Multiple violations can be stacked.

Does my program need to change if it was compliant before March 26, 2026?

Yes. The new framework changes the enforcement consequences for gaps that may have always existed in your program. A program that was borderline adequate at the old penalty levels may now carry exposure that requires immediate remediation. The dividing date is a legislative trigger.

What does AML Incubator do in a new framework environment?

We assess your program against the current framework honestly. We identify gaps, prioritize remediation, and build the documented evidence trail that makes your program defensible under examination. We can serve as your outsourced CAMLO, run effectiveness reviews, rebuild risk assessments, and support you through any FINTRAC examination or enforcement process from notice to resolution.

Get In Touch Now

If you want to assess your program's position under the new AMP framework, or if you are already facing an examination or enforcement process, these AMLI resources cover the areas that matter most.

• CAMLO & MLRO Services for AML Compliance Ongoing compliance ownership, regulatory coordination, and day-to-day AML program management for reporting entities that need a capable, embedded compliance function.
• AML Audit & Effectiveness Review Services A structured review of whether your AML program, documentation, and evidence trail are strong enough to withstand FINTRAC scrutiny under the new enforcement framework.
• FINTRAC MSB Registration Registration, updates, remediation, and regulatory response so your registration status and compliance documentation reflect how your business actually operates.

Ready to assess your position under the new framework?

Book a Discovery Call to review your AML program against the updated AMP structure, identify gaps, and build the evidence trail that protects your business.

🌐 amlincubator.com 📧 hello@amlincubator.com