On October 11, 2024, the rules changed for every mortgage broker, administrator, and lender in Canada. Under amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), the mortgage sector became a regulated reporting entity under FINTRAC for the first time. (Source: FINTRAC, Mortgage Administrators, Brokers and Lenders guidance page)
If you're a licensed mortgage broker in Canada and you haven't built a formal compliance program yet, you're not in a grace period. You're out of compliance.
This article covers what you're actually required to do, what documents you need to collect and keep, what transactions you're required to report, and where FINTRAC is finding gaps when it examines brokerages. The penalty data in here is real. The compliance failures are drawn from actual enforcement records. Read this as a working guide, not an overview.
One note before we start: this article is informational, not legal advice. FINTRAC's requirements are results-oriented rather than prescriptive, which means the way you implement them will vary depending on your brokerage size and structure. If you're uncertain about your specific obligations, consult a compliance professional or legal counsel familiar with the PCMLTFA.
Why Mortgage Brokers Are Now Under FINTRAC
Real estate transactions have long been recognized as a vehicle for money laundering in Canada. Property purchases allow illicit funds to be integrated into the legitimate financial system, and mortgage transactions sit at the center of that process. The federal government's 2025 Assessment of Money Laundering and Terrorist Financing Risks in Canada assessed the real estate sector as high risk. (Source: MNP, FINTRAC Penalties Reveal Real Estate Broker Compliance)
FINTRAC's mandate under the PCMLTFA is to detect, prevent, and deter money laundering and terrorist financing by requiring businesses exposed to these risks to identify clients, keep records, and report specific transactions. As of October 11, 2024, mortgage brokers, administrators, and lenders are explicitly included in that mandate. (Source: Fasken, New AML Requirements for Mortgage Sector, October 2024)
This is not a soft introduction. In 2024–25, FINTRAC issued 23 Notices of Violation, the largest number in one year in the Centre's history. In real estate alone, penalties on brokerages since 2020 have reached about $2.6 million, with an average penalty of roughly $110,000 and 24 firms sanctioned. Enforcement is active and the mortgage sector is now directly in scope.
The Five Elements of a FINTRAC Compliance Program
Every mortgage broker operating in Canada must build and maintain a compliance program. That program must contain five elements: appointing a compliance officer, developing written policies and procedures, conducting a risk assessment, maintaining an ongoing training program, and completing an effectiveness review at least every two years. (Source: CHBA, Anti-Money Laundering Compliance; CMBA-BC, Understanding the New FINTRAC Changes)
1. Appoint a Compliance Officer
This individual is responsible for implementing the compliance program and will be the first point of contact for FINTRAC. For a sole proprietor or independent broker, this is you. For a larger brokerage, it should be a senior person with actual authority and resources to do the job, not an administrative role.
FINTRAC will ask who your compliance officer is during any examination. The designation needs to be documented.
2. Develop Written Policies and Procedures
Your policies and procedures must outline what requirements need to be met and how your program will meet them. At minimum they must address: the compliance regime, reporting suspicious transactions, terrorist property, large cash transactions, record keeping, ascertaining identities, use of personal information, business relationships, and third-party determination.
A critical point from enforcement data: FINTRAC imposed a $107,250 penalty on Manor Windsor Realty Ltd. on November 27, 2025, in part for failure to maintain up-to-date, senior-officer-approved policies and procedures. "We have a document" is not enough. Policies need to be current, approved at the senior level, and actually reflect how your brokerage operates.
3. Conduct a Risk Assessment
This is where most brokerages are failing. Among real estate brokers that received administrative monetary penalties, 88 percent failed to conduct risk assessments that met FINTRAC's standards. The most common shortfalls included failing to assess all risk factors in sufficient detail, including those related to clients and business relationships, products and delivery channels, geographic location, and new developments and technologies. (Source: MNP)
FINTRAC also flagged deficiencies where brokers used a generic checklist without providing further documentation or rationale. These forms were deemed insufficient to assess and document money laundering and terrorist financing risks. In some cases, compliance programs failed to define mitigation measures and did not provide sufficient details relating to risk levels.
In plain terms: downloading a template checklist and filing it is not a risk assessment. Your risk assessment needs to reflect your actual client base, the geographies you work in, the types of transactions you process, and the specific vulnerabilities of your practice.
4. Ongoing Employee Training
FINTRAC cited failure to run an ongoing training program as one of the violations in the $107,250 penalty against Manor Windsor Realty. Training needs to be documented, updated when requirements change, and completed by everyone in your brokerage who handles client files or transactions. A one-time onboarding session in 2024 does not satisfy the "ongoing" requirement.
5. Effectiveness Review Every Two Years
At least a biennial testing program must be implemented to assess the AML program and ensure it is effective and current. This assessment can be conducted by either internal or external auditors and FINTRAC expects rapid remediation of identified gaps or deficiencies.
If your compliance program was built in October 2024, your first effectiveness review is due by October 2026. Put it in your calendar now.
Identity Verification: Who You Must Verify and When
Identity verification is mandatory when you establish a new business relationship with a client. Brokers must verify the identity of a client when they initially establish their business relationship and, in specified circumstances, must verify their clients' identity again. (Source: CMBA-BC)
More specifically, high-risk scenarios require enhanced due diligence. In situations where a third party is involved in large financial transactions, you must obtain detailed information about that third party and their relationship with your client. (Source: CMBA-BC, Understanding the New FINTRAC Changes)
As of October 1, 2025, new requirements also came into force around unrepresented parties. Real estate professionals must now verify the identity of any unrepresented party to a real estate transaction and determine whether a third party is involved. (Source: McCarthy Tetrault)
Politically Exposed Persons (PEPs) and Heads of International Organizations (HIOs): Brokers must take reasonable measures to determine whether a client is a domestic or foreign politically exposed person or head of an international organization if they receive from them $100,000 or more in cash or virtual currency. Brokers must also take reasonable measures to determine whether a client is a family member or close association of such an individual. (Source: CMBA-BC)
What Records You Must Keep
Records must be kept in such a way that they can be provided to FINTRAC within 30 days upon request. The retention period is five years from the date a record was created or the date the business relationship ended, whichever is later. (Source: FINTRAC official guidance)
Client information records: Full name, address, date of birth, occupation, and the nature of the business relationship. This sounds straightforward, but enforcement data shows it isn't being done properly. Recordkeeping failures were identified in 63 percent of the real estate brokers that received administrative monetary penalties. The most common issues included missing or incomplete client information, identification, and receipt of funds records. (Source: MNP)
Receipt of funds records: This is where many brokers are falling short without realizing it. Receipt of funds records that were flagged as missing included the account number, account type, and name of account holder for the account affected by the transaction, as well as the method by which the funds were received. Many brokers retain a copy of a bank draft, but bank drafts do not include the account number, account type, and name of all account holders, and are therefore insufficient to satisfy the receipt of funds recordkeeping requirement. (Source: MNP)
Business relationship records: Documentation of the purpose and intended nature of the relationship, updated through ongoing monitoring.
Third-party records: When a third party is involved in a transaction, detailed information about that party and their relationship to your client.
The consistent theme across enforcement cases is not that brokers are ignoring recordkeeping entirely. It's that they're keeping incomplete records, or records that don't contain the specific fields FINTRAC requires. A file full of documents that's missing the account type on the receipt of funds record is still a compliance failure.
What Transactions You Must Report
There are four categories of reports mortgage brokers are required to submit to FINTRAC:
Suspicious Transaction Reports (STRs): When there are reasonable grounds to suspect that a transaction is related to money laundering or terrorist financing. This is the most consequential reporting obligation. The STR threshold is not proof or certainty — it is reasonable grounds to suspect. The failure to file an STR when red flags are present is one of the most common violations in FINTRAC enforcement across all sectors.
A real example: FINTRAC imposed a $148,912.50 penalty against Century 21 Heritage Group Ltd. on December 10, 2025, for failure to file a suspicious transaction report on a deal where regulators identified multiple red flags, including a foreign buyer from a high-risk jurisdiction, rapid changes of control between related parties, and links to an industry that could serve as a venue for human trafficking. The brokerage is appealing the penalty. The appeal is ongoing and the penalty stands unless overturned.
Large Cash Transaction Reports (LCTRs): Required when receiving $10,000 or more in cash in a single transaction. The 24-hour rule applies: if multiple cash transactions from the same client total $10,000 or more within a 24-hour period, they are treated as a single large cash transaction and must be reported.
Large Virtual Currency Transaction Reports (LVCTRs): Required when receiving virtual currency equivalent to $10,000 or more in a single transaction. LVCT reports must be submitted within five working days after receiving the virtual currency. The 24-hour rule also applies. (Source: BCFSA Advisory)
Terrorist Property Reports (TPRs): Required when property is identified as being owned or controlled by a terrorist or terrorist group. Rare in typical brokerage practice, but the obligation exists and must be addressed in your written policies.
One important clarification on STRs: in the Norwich Real Estate case (2024 FC 1996), Norwich acknowledged it had been required to submit STRs even while law enforcement was already investigating the parties involved. The practical lesson is clear — "the police already know" does not remove your obligation to file. What the case also illustrates is that mitigating factors can influence the penalty amount when FINTRAC calculates consequences.
Ongoing Monitoring: A Continuing Obligation
Compliance under FINTRAC is not a one-time exercise at the start of a client relationship. When you establish a business relationship with a client, you must periodically perform continuous monitoring of that business relationship based on your risk assessment. Ongoing monitoring means you must detect any suspicious transactions that must be reported, ensure current records regarding client identification and beneficial ownership information, reevaluate the risk associated with a client's transactions and activities, and assess whether transactions match the client information you've acquired. (Source: Fasken)
For most mortgage brokers, this practically means reviewing client files at meaningful intervals — particularly for clients you work with repeatedly across multiple transactions — and updating your records when their circumstances change.
The October 2025 Updates You Need to Know About
The rules that came into effect in October 2024 were not the end of the changes. As of October 1, 2025, new obligations came into force requiring reporting entities to report material discrepancies between their records and a company's registry filings to the federal beneficial ownership registry, triggered when they assess a high risk of money laundering or terrorist financing. (Source: McCarthy Tetrault)
This means your compliance program built in late 2024 may already need updating. The two-year effectiveness review cycle does not protect you from interim regulatory changes. When FINTRAC publishes new requirements, your written policies and procedures need to reflect them.
The Penalty Structure
Administrative monetary penalties issued by FINTRAC are tiered by violation severity: from $1 to $1,000 for minor violations, up to $500,000 for very serious violations in the case of an entity. (Source: Fasken)
Criminal penalties under the PCMLTFA are significantly more severe. Failure to report suspicious transactions can result in fines up to $2 million and/or 5 years imprisonment. Failure to report a large cash transaction can result in fines up to $500,000 for the first offence and $1 million for subsequent offences. Failure to meet record-keeping requirements can result in fines up to $500,000 and/or 5 years imprisonment. (Source: CHBA)
Beyond the direct financial penalties, non-compliance with FINTRAC requirements can constitute conducting business in a manner prejudicial to the public interest under provincial mortgage broker legislation. In BC specifically, that falls under section 8(1)(i) of the Mortgage Brokers Act, which means FINTRAC non-compliance can put your provincial licence at risk as well. (Source: BCFSA Advisory)
Where Brokerages Are Actually Failing: A Summary
Drawing from MNP's analysis of all FINTRAC enforcement actions against real estate brokers and the specific penalty cases published by FINTRAC, the failures cluster around the same areas repeatedly:
Risk assessments that are too generic. 88 percent of brokers that received penalties failed to conduct risk assessments meeting FINTRAC's standards. The most common issue is treating the risk assessment as a form to complete rather than an actual analysis of the broker's specific risk exposure.
Recordkeeping gaps on receipt of funds. 63 percent of penalized brokers had recordkeeping failures. The specific gap most often cited is receipt of funds records that don't capture the required account details because brokers are relying on bank drafts, which don't contain that information.
Policies that are outdated or not approved at the senior level. Written policies need to be current and signed off by a senior officer. A document that hasn't been reviewed since October 2024 is already at risk of being out of date given the October 2025 amendments.
Failure to file STRs when red flags are present. The most serious financial penalties come from this failure. Red flags don't require certainty — they require reasonable grounds to suspect. If something about a transaction feels wrong, the obligation to file exists.
Training that isn't ongoing. A one-time session doesn't satisfy the requirement. Training needs to be documented, repeated, and updated as requirements change.
A Practical Compliance Checklist for Mortgage Brokers
This is not a substitute for professional compliance advice, but it is a starting point for assessing where you stand.
Compliance program structure
- Compliance officer designated in writing
- Written policies and procedures document exists, is current, and has been approved by a senior officer
- Risk assessment completed and documented with your specific client base, geography, and transaction types in mind (not a generic template)
- Staff training program documented and scheduled on a recurring basis
- Effectiveness review scheduled (due within two years of program implementation, and every two years after)
Client onboarding
- Identity verification process documented and consistently applied at the start of every new business relationship
- PEP/HIO screening process in place for transactions involving $100,000 or more in cash or virtual currency
- Third-party determination process documented
Records
- Client information records include full name, address, date of birth, occupation, and nature of the business relationship
- Receipt of funds records capture account number, account type, and name of account holder (not just a copy of the bank draft)
- All records retained for five years and producible within 30 days of a FINTRAC request
Reporting
- Process documented for identifying and filing Suspicious Transaction Reports
- Process documented for Large Cash Transaction Reports ($10,000+)
- Process documented for Large Virtual Currency Transaction Reports ($10,000+ in virtual currency)
- Team understands that STR obligation exists regardless of whether law enforcement is already involved
Ongoing monitoring
- Process in place for periodic review of existing client relationships
- Records updated when client circumstances change
- Compliance program reviewed and updated when FINTRAC publishes new requirements (most recently October 2025)
Where to Go From Here
FINTRAC has published sector-specific resources for mortgage brokers directly on their website, including a 12-minute compliance program video and a self-assessment tool. (Source: FINTRAC, Mortgage Sector Compliance Program Requirements video, 2024) These are worth working through with your compliance officer or the person responsible for your program.
CMBA-BC has also published resources specific to BC brokers, and partnered with a KYC identity verification provider to help brokers meet their client identification obligations. If you're in BC, their member resource area is a practical starting point.
The consistent message from FINTRAC's enforcement activity is that they are looking for programs that genuinely reflect how a brokerage operates, not programs that exist on paper. Generic checklists, outdated policies, and incomplete records are the recurring failures. A compliance program that is specific, documented, and actually followed is what protects you.
This article was written for informational purposes and does not constitute legal advice. FINTRAC's requirements are results-oriented and how they apply to your brokerage will depend on your specific circumstances. Consult a compliance professional or legal counsel familiar with the PCMLTFA for guidance specific to your situation.
Sources: FINTRAC (fintrac-canafe.gc.ca), CMBA-BC, Fasken Martineau, MNP, BCFSA, CHBA, McCarthy Tetrault, Canadian Mortgage Professional (mpamag.com), DLA Piper, Fintracking.ca