On March 26, 2026, Bill C-12 — formally the Strengthening Canada’s Immigration System and Borders Act — received Royal Assent. Buried beneath the immigration and border security headlines were sweeping amendments to Canada’s anti-money laundering framework that every PCMLTFA reporting entity needs to understand. Maximum penalties increased by 40 times. Compliance agreements became mandatory. And FINTRAC’s authority to judge whether your compliance program actually works was written directly into law.[1]
This isn’t a minor adjustment. For banks, credit unions, money services businesses, securities dealers, real estate professionals, and a growing list of newly regulated sectors, Bill C-12 fundamentally changes the stakes of non-compliance. Here is what changed — and what it means for each sector.
The Penalty Math Is Unrecognizable
Before Bill C-12, the maximum Administrative Monetary Penalties (AMPs) under the PCMLTFA were $1,000 for minor violations, $100,000 for serious violations, and $500,000 for very serious violations. Bill C-12 multiplied each of those ceilings by 40. Minor violations now carry a maximum of $40,000. Serious violations reach $4,000,000. Very serious violations hit $20,000,000 — and cumulative AMP exposure is now capped at the greater of $20 million or 3% of gross global revenue for entities (for individuals, the cap is the greater of $4 million or 3% of gross global income).[2]
That 3% of gross global revenue figure matters for large, multi-jurisdictional entities. It means FINTRAC’s financial reach scales with your organization’s size — the bigger the firm, the bigger the potential exposure. And FINTRAC has already demonstrated it is willing to use its full authority. In 2025, it issued 30 AMPs — up from just 8 in 2021 — including a $176,960,190 penalty against Xeltox Enterprises Ltd. for approximately 2,500 violations, and a $19,552,000 penalty against Peken Global Limited for failure to register as a foreign money services business, report large virtual currency transactions, and submit suspicious transaction reports.[3]
Notably, FINTRAC recently revised its AMP policy to remove language that previously described AMPs as “not issued automatically” and as a “last resort.” According to Torys LLP’s Q1 2026 analysis, this signals a deliberate shift toward using penalties as a primary enforcement tool rather than a measure of final resort.[3]
Compliance Agreements Are Now Mandatory
Bill C-12 restructures the compliance agreement framework, requiring FINTRAC to enter into a compliance agreement in prescribed circumstances. Prescribed’ violation is a legal term and a specific category of breach defined in the PCMLTFA regulations (or by statute where the Act uses that term) for which FINTRAC is given particular enforcement powers.
Under the previous PCMLTFA framework, compliance agreements between FINTRAC and a non-compliant entity were discretionary — a tool FINTRAC could deploy, but was not required to use. Bill C-12 eliminates that discretion. If a reporting entity is found to have committed a prescribed violation of the PCMLTFA, it must now enter into a mandatory compliance agreement with FINTRAC.[1]
If an entity refuses to enter a compliance agreement, or fails to comply with its terms, the PCMLTFA now requires FINTRAC’s Director to issue a formal compliance order. Non-compliance with that order carries penalties of up to $30,000,000 or 3% of gross global revenue — whichever is greater. What was a negotiated conversation has become a legally compelled process with severe escalating consequences.[2]
The Effectiveness Standard Is the Real Shift
The penalty increases and mandatory compliance agreements are significant. But the change that will generate the most compliance work over the next two to three years is quieter and harder to pin down: Bill C-12 requires AML compliance programs to be “reasonably designed, risk-based and effective.” Not just present. Not just documented. Effective.[1]
Before this amendment, FINTRAC examinations largely assessed whether a compliance program existed and whether required elements were documented. The new standard gives FINTRAC the legislative authority to go further — to assess whether your program is appropriately designed for your actual risk profile, whether your controls function as intended, and whether gaps are being identified and addressed. According to Torys LLP, this means FINTRAC examiners can now conduct a functional quality assessment rather than a documentation checklist review.[3]
For many reporting entities, this is the hardest obligation to satisfy quickly. A binder of policies and a compliance officer title on an org chart will no longer be enough to withstand scrutiny. Programs need to be tested, risk assessments need to be current, and the controls need to demonstrably catch what they are designed to catch.
Who Faces the Biggest Adjustment
All PCMLTFA reporting entities face the 40x penalty exposure. But the practical adjustment burden is not equal across sectors — it depends on how mature your existing compliance program is, and how recently you came under the PCMLTFA’s scope.[2]
Banks and credit unions have established AML programs, but the effectiveness standard raises the bar on what “good enough” looks like. Programs built to pass a documentation review may not hold up under a functional assessment that asks whether risks are being identified and controls are actually working. Additionally, Bill C-12 adds a statutory prohibition on opening anonymous or fictitious accounts — formalizing a practice most programs already require, but now carrying direct AMP exposure.
Money services businesses (MSBs) — currency exchanges, funds transfer services, cheque cashers, and virtual currency dealers — were already FINTRAC’s most-examined sector before C-12. The record Xeltox penalty of $176,960,190 was an MSB. With penalties now 40 times higher, a mid-size MSB facing a serious violation is looking at a potential fine of $4,000,000 instead of $100,000. For many smaller MSBs operating on tight margins, a single serious finding is now an existential financial event.
Securities dealers and investment dealers are now subject to the statutory prohibition on anonymous or fictitious accounts alongside the full 40x penalty framework. The real exposure here is the effectiveness standard — securities firms with high transaction volumes need monitoring systems that demonstrably keep pace with that activity.
Real estate professionals — mortgage lenders, brokers, and administrators — were brought under the PCMLTFA through earlier amendments and are now fully exposed to the C-12 penalty regime. The real estate sector has historically been identified by the Financial Action Task Force (FATF) as one of Canada’s highest-risk areas for money laundering. That designation makes FINTRAC examination of this sector a priority — not a distant possibility.
Factoring companies, financing and leasing companies, and cheque cashing businesses came under the PCMLTFA effective April 1, 2025 — meaning many of these businesses have had less than one year to build AML compliance programs from scratch. They are now operating under full FINTRAC examination authority with the C-12 penalty structure in place. Some of these entities may have minimal or no compliance infrastructure today.[4]
Private automated banking machine (ABM) acquirers and title insurers became reporting entities on October 1, 2025 — they have had less than six months under the PCMLTFA before the C-12 penalty structure arrived. These entities need to move quickly to establish programs that will meet the new effectiveness standard.[4]
Casinos are subject to the anonymous account prohibition and face the same 40x penalty exposure as other covered entities. Casinos have historically been a high-priority examination target for FINTRAC given the cash-intensive nature of their operations.
Why This Happened So Fast
Bill C-12 accelerated provisions that had previously been contained in Bill C-2, the Strong Borders Act. Two forces drove the pace. First, the Trump administration’s tariff pressure on Canada — tied in part to concerns about fentanyl flows and border security — created political urgency for Ottawa to demonstrate enforcement credibility quickly. Second, Canada’s FATF mutual evaluation looms: the onsite assessment took place in November 2025, with the plenary discussion scheduled for June 2026.[5] Canada’s last FATF evaluation in 2016 identified critical weaknesses in beneficial ownership transparency, real estate oversight, and enforcement. The AML amendments in C-12 are, in part, a response to international scrutiny of whether Canada has fixed those problems.[3]
The combined effect: Canada’s AML regime has been reformed under time pressure, with a newly empowered regulator, newly mandated standards, and penalties that make non-compliance a genuine financial threat for entities of every size. This isn’t a compliance update to file away. It’s a regime change that requires a program response.
How Tamlo Can Help
Tamlo International works with reporting entities across Canada’s AML/ATF compliance landscape — from program design and risk assessments to staff training and examination readiness. If your organization needs to assess how your current compliance program measures up against the new “reasonably designed, risk-based and effective” standard, or if you are one of the newly regulated entities that needs to build a program from the ground up, reach out to us at Tamlo International.
Sources
- McCarthy Tétrault — Canada’s AML Reform Advances: Bill C-12 Brings Hefty Penalties and Higher Compliance Expectations into Force (legal interpretation)
- MNP LLP — How Will Bill C-12 Impact AML Compliance in Canada? (legal interpretation)
- Torys LLP — FINTRAC’s AMPs: Where Are They Heading? (legal interpretation)
- FINTRAC — Modernization and upcoming changes impacting reporting entities (government guidance)
- FATF — Global Assessment Calendar — 5th Round Mutual Evaluations (international standard setter)