Canada sharply raises AML penalties and an 'effective' compliance-program test

In brief

• What: an amendment to Canada’s AML act (PCMLTFA) — higher penalties and a new effectiveness standard for compliance programs.
• Who issues it: FINTRAC / Department of Finance (Canada).
• Status / timing: Royal Assent on 26 March 2026; some provisions already in force, others phased in (to be verified with FINTRAC).

What changes

The act, which received Royal Assent on 26 March 2026, significantly raises the maximum administrative monetary penalties (AMPs): up to CAD 40,000 for a minor violation (previously CAD 1,000) and up to CAD 4,000,000 for a serious violation. A new “very serious violation” category is introduced for the absence of a compliance program that is “reasonably designed, risk-based and effective”. Provisions on private-to-private information sharing between reporting entities and strengthened supervisory powers also come into effect.

Who is affected

Canadian reporting entities under the PCMLTFA: banks, money service businesses (MSBs), payment service providers (PSPs), crypto exchanges, fintechs and other institutions.

What it means for non-financial firms

This is Canadian law affecting that country’s financial sector — it does not directly bind a non-financial company elsewhere. The signal, however, is clear and recurring worldwide: regulators no longer accept a “paper” compliance program and penalise ineffectiveness, while the upper penalty bands rise many times over. It is a good moment to check whether your firm even has a sanction screening obligation and whether it understands the difference between AML and sanctions. The “effective program” requirement matters most where compliance tends to be treated as a formality — for example in accounting firms serving many clients.

What’s next

The remaining entry-into-force dates will be announced in stages. Details and timeline: FINTRAC — Modernization and upcoming changes.