If you run a crypto exchange that serves Canadian customers, FINTRAC compliance is not optional. It is a legal obligation with real enforcement consequences, and the bar has risen significantly heading into 2026. Penalties for non-compliance now routinely reach seven figures, and FINTRAC has made it clear that the "we didn't know" defense carries zero weight.
I've spent years building and auditing compliance programs at major exchanges, including time at Binance working through some of the most complex regulatory challenges in the industry. What I've seen again and again is that the companies that get into trouble are not the ones running scams. They're legitimate businesses that underestimated the specificity of what FINTRAC requires, tried to apply generic AML frameworks without adapting them to Canadian law, or simply moved too slowly as the regulations evolved.
This guide is the practical breakdown I wish I had when I first started navigating FINTRAC crypto compliance. It covers who needs to register, exactly what your obligations are, what changed in the 2025-2026 regulatory cycle, and how to build a compliance program that doesn't just check boxes but actually survives an examination.
Who Needs to Register as a Money Services Business
Under Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), any business that deals in virtual currency and provides services to Canadian persons must register with FINTRAC as a Money Services Business (MSB). This is the foundational requirement for FINTRAC MSB registration and everything else flows from it.
The scope is broad. You need to register if you perform any of the following activities involving virtual currency:
- Exchanging virtual currency for fiat funds or other virtual currencies — This covers both centralized exchanges and any platform that facilitates conversion, including OTC desks.
- Transferring virtual currency — If your platform enables users to send crypto from one wallet to another, including internal transfers between user accounts, you fall under this category.
- Receiving virtual currency as payment for goods or services on behalf of another person or entity — Payment processors and merchant service providers handling crypto are included.
- Issuing or dealing in virtual currency — Token issuers and dealers who create or distribute new virtual currency instruments.
The critical nuance that catches many foreign exchanges off guard: FINTRAC's jurisdiction is based on where your customers are, not where your company is incorporated. If you are a Cayman Islands-registered exchange with Canadian users, you need to register. If you are a decentralized protocol with a frontend that Canadian users access, the question of whether you need to register is one you should be answering with outside counsel, not ignoring.
FINTRAC MSB registration itself is a straightforward online process, but the registration is only the first step. It signals to FINTRAC that you exist, and from that point forward, they expect you to operate a fully compliant program. Registering without building the program behind it is worse than not registering at all, because it puts you directly on FINTRAC's radar with nothing to show during an examination.
Key Compliance Obligations
Once registered, a crypto exchange operating under FINTRAC's jurisdiction must meet several core obligations. These are not suggestions. Each one is independently enforceable, and failure on any single dimension can result in administrative monetary penalties (AMPs) or criminal referral.
Know Your Customer (KYC)
KYC for crypto exchange compliance in Canada goes well beyond collecting a name and email address. FINTRAC requires you to verify the identity of every person and entity you do business with, using specific methods defined in the regulations.
For individuals, you must verify identity before or at the time of the first transaction of $1,000 CAD or more. Acceptable methods include:
- Government-issued photo identification document method — You must verify the document is authentic, current, and issued by a federal, provincial, or foreign government. The name on the document must match what the client provided.
- Credit file method — Consulting a Canadian credit file that has existed for at least three years and verifying that the information matches.
- Dual-process method — Using two independent, reliable sources to verify name, address, and date of birth.
For entities, you must confirm the existence of the corporation, trust, or partnership through articles of incorporation, partnership agreements, or other formation documents, and identify beneficial owners who hold 25% or more ownership or control.
A common mistake I've seen at multiple exchanges: treating KYC as a one-time onboarding event. FINTRAC requires ongoing monitoring and periodic re-verification based on risk. A customer you onboarded in 2023 with a low-risk profile who is now transacting $200,000 monthly needs to be re-evaluated. Your compliance program must define when and how this happens.
Record Keeping
FINTRAC mandates that you retain specific records for a minimum of five years after the date of the last business transaction. For crypto exchanges, the key records include:
- Large virtual currency transaction records — Any transaction of $10,000 CAD or more (or equivalent), whether single or aggregated within a 24-hour period from the same client.
- Client identification records — All documents and information used to verify identity, including copies of government ID, credit file confirmations, and the method used.
- Virtual currency transfer records — For every transfer of $1,000 CAD or more, you must record the transaction details, wallet addresses, client information, and any associated originator/beneficiary data.
- Suspicious transaction reports and related documentation — Internal notes, escalation records, and the analysis that led to the filing decision.
- Risk assessment records — Your business-wide risk assessment and individual client risk ratings, including the rationale.
The five-year retention period is a minimum. I recommend retaining compliance records for seven years, because FINTRAC examinations can look back further than five years when investigating patterns, and you don't want to be in a position where you destroyed records that turn out to be relevant to an ongoing investigation.
Your record-keeping system must allow you to retrieve any record within 30 days of a FINTRAC request. In practice, if you can't pull records within a few days, you're going to have a difficult examination. Invest in proper data architecture from the start.
Suspicious Transaction Reporting (STR)
This is where most crypto exchanges fail their FINTRAC examinations. Not because they don't file STRs, but because their process for identifying and assessing suspicious activity is inadequate.
You are required to file a Suspicious Transaction Report with FINTRAC when you have reasonable grounds to suspect that a transaction or attempted transaction is related to the commission or attempted commission of a money laundering or terrorist financing offence. The key word is "reasonable grounds to suspect," which is a lower bar than "reasonable grounds to believe." You don't need certainty. You need articulable reasons.
For crypto exchanges, common indicators that should trigger STR assessment include:
- Transactions involving wallets associated with darknet markets, sanctioned entities, or known fraud schemes (your blockchain analytics tool should flag these automatically).
- Rapid cycling of funds through the platform — depositing and withdrawing similar amounts in a short period without apparent trading purpose.
- Clients who structure transactions just below reporting thresholds (e.g., multiple deposits of $9,900 CAD).
- Use of multiple accounts or identities by the same individual.
- Transactions that are inconsistent with the client's stated purpose or risk profile.
- Clients who are evasive or provide inconsistent information when asked about the source or purpose of funds.
- Sudden significant changes in transaction patterns.
STRs must be filed within 30 days of the determination that reasonable grounds to suspect exist. You must not tip off the client that an STR has been filed or is being considered. This "no tipping off" rule is absolute and violations carry criminal penalties.
Build a three-layer STR process: automated flagging through your transaction monitoring system, Level 1 analyst review with clear escalation criteria, and a final determination by your Chief Compliance Officer or designated senior officer. Document every step. FINTRAC will ask to see your assessment process, not just the reports you filed.
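The indicators above only help if they are expressed as calibrated, configurable rules that feed the analyst queue. The following is an added example (not the author's code, and not any vendor's monitoring product) showing three of those indicators as rules over constructed sample activity: the $10,000 CAD single-or-aggregated 24-hour threshold, deposits structured just below it, and rapid in-and-out cycling with no trading in between. The thresholds in `Config`, the `structuring_floor` band, the cycling window and tolerance, and every transaction in `SAMPLE_TXS` are assumptions made for the demo.

```python
"""Illustrative transaction-monitoring rules for the indicators discussed above.
Added example, not the author's, any vendor's or any exchange's code.
Thresholds live in Config so they can be calibrated to a specific risk
assessment; the transactions in SAMPLE_TXS are constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tx:
    client: str
    ts: datetime
    kind: str      # "deposit", "withdrawal" or "trade"
    cad: float     # CAD-equivalent value at the time of the transaction


@dataclass
class Config:
    lvctr_threshold: float = 10_000.0              # large VC transaction threshold (CAD)
    window: timedelta = timedelta(hours=24)        # aggregation window for that threshold
    structuring_floor: float = 9_000.0             # "just below threshold" band (assumed value)
    structuring_min_count: int = 2                 # deposits in the band needed to alert (assumed)
    cycling_window: timedelta = timedelta(hours=6) # deposit-to-withdrawal gap (assumed value)
    cycling_tolerance: float = 0.05                # withdrawal within 5% of the deposit (assumed)


def _by_client(txs):
    """Group transactions per client, oldest first."""
    groups = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t.ts):
        groups[tx.client].append(tx)
    return groups


def large_vc_transactions(txs, cfg=None):
    """Clients with a single or 24-hour-aggregated deposit (or withdrawal) at/above threshold."""
    cfg = cfg or Config()
    hits = set()
    for client, items in _by_client(txs).items():
        for kind in ("deposit", "withdrawal"):    # aggregate per direction, not across them
            moves = [t for t in items if t.kind == kind]
            for i, start in enumerate(moves):
                total = sum(t.cad for t in moves[i:] if t.ts - start.ts <= cfg.window)
                if total >= cfg.lvctr_threshold:
                    hits.add(client)
                    break
    return hits


def structuring_alerts(txs, cfg=None):
    """Repeated deposits just under the threshold inside one window: (client, count, total)."""
    cfg = cfg or Config()
    alerts = []
    for client, items in _by_client(txs).items():
        near = [t for t in items
                if t.kind == "deposit" and cfg.structuring_floor <= t.cad < cfg.lvctr_threshold]
        for i, start in enumerate(near):
            run = [t for t in near[i:] if t.ts - start.ts <= cfg.window]
            if len(run) >= cfg.structuring_min_count:
                alerts.append((client, len(run), round(sum(t.cad for t in run), 2)))
                break                              # one alert per client per run
    return alerts


def rapid_cycling_alerts(txs, cfg=None):
    """Deposit followed shortly by a similar-sized withdrawal with no trade in between."""
    cfg = cfg or Config()
    alerts = []
    for client, items in _by_client(txs).items():
        for i, dep in enumerate(items):
            if dep.kind != "deposit":
                continue
            for later in items[i + 1:]:
                if later.ts - dep.ts > cfg.cycling_window:
                    break
                if later.kind == "trade":
                    break                          # funds were actually used on-platform
                if later.kind == "withdrawal" and abs(later.cad - dep.cad) <= cfg.cycling_tolerance * dep.cad:
                    alerts.append((client, dep.ts, later.ts, dep.cad))
                    break
    return alerts


# Constructed sample activity (not real data).
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE_TXS = [
    Tx("alice", T0, "deposit", 9_900),                        # three deposits just under $10k
    Tx("alice", T0 + timedelta(hours=3), "deposit", 9_900),
    Tx("alice", T0 + timedelta(hours=7), "deposit", 9_900),
    Tx("bob", T0, "deposit", 4_000),                          # ordinary: deposit, trade, later withdrawal
    Tx("bob", T0 + timedelta(minutes=20), "trade", 4_000),
    Tx("bob", T0 + timedelta(days=2), "withdrawal", 4_100),
    Tx("carol", T0, "deposit", 25_000),                       # in and straight back out
    Tx("carol", T0 + timedelta(hours=1), "withdrawal", 24_500),
    Tx("dave", T0, "deposit", 12_000),                        # single large deposit
]


def run_all(txs=SAMPLE_TXS, cfg=None):
    """Run every rule; each result is input to analyst review, not a filing decision."""
    return {
        "lvctr": sorted(large_vc_transactions(txs, cfg)),
        "structuring": structuring_alerts(txs, cfg),
        "cycling": rapid_cycling_alerts(txs, cfg),
    }


if __name__ == "__main__":
    for rule, result in run_all().items():
        print(rule, result)
```

Two design points worth noting. First, the structuring rule and the aggregation rule both fire on the same client in the sample: three $9,900 deposits in seven hours stay under the single-transaction threshold but aggregate to $29,700 within 24 hours, so the large-transaction record is still due, and the pattern itself is what goes to STR assessment. Second, every value in `Config` is a tuning knob; the numbers here are only placeholders, and the point of the calibration discussion later in this post is that an exchange sets them from its own risk assessment and revisits them.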
The Travel Rule
The travel rule requires that when you send a virtual currency transfer of $1,000 CAD or more on behalf of a client, you must include the originator's name, account number or reference, and the address (or date of birth or client number) with the transfer. As a receiving institution, you must take reasonable measures to obtain this information.
Canada's implementation of the travel rule for virtual currency, which aligns with FATF Recommendation 16, has been one of the most operationally challenging requirements for exchanges. The reason is simple: there is no universally adopted technical protocol for transmitting travel rule data between virtual asset service providers (VASPs).
In practice, most exchanges handle this through one of several interoperability solutions — TRISA, Shyft/Veriscope, Notabene, or Sygna — or through bilateral agreements with counterparty exchanges. If you are sending to a self-hosted wallet where there is no receiving VASP, you must still collect the beneficiary information from your client and retain it on file.
FINTRAC has indicated in recent guidance that they expect exchanges to demonstrate that they are making genuine, documented efforts to comply with the travel rule, even where full compliance is technically constrained. "We tried and here is the evidence" is a defensible position. "We didn't implement anything because it's hard" is not.
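One concrete way to produce the "here is the evidence" the post describes is a gate that refuses to broadcast an outgoing transfer until the travel rule data is complete, and that records which path each transfer took. The following is an added example, not the author's code and not the API of any travel rule network; it checks the originator elements named above (name, account number or reference, and one of address, date of birth or client number) at the $1,000 CAD threshold, distinguishes a hosted counterparty from a self-hosted wallet, and gives the receiving side a follow-up flag. The beneficiary field names, the `route()` outcomes and the sample transfers are assumptions made for the demo.

```python
"""Travel-rule completeness gate for virtual-currency transfers.
Added example, not the author's code and not any travel-rule network's API.
Field names, route() outcomes and the sample transfers are constructed for the
demo; the originator data elements and the $1,000 CAD threshold are those named
in the post."""
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD_CAD = 1_000.0


@dataclass
class Transfer:
    cad: float                                        # CAD-equivalent value of the transfer
    originator: dict = field(default_factory=dict)    # name, account_ref, address/dob/client_number
    beneficiary: dict = field(default_factory=dict)   # name, wallet (assumed field names)
    counterparty_vasp: Optional[str] = None           # None => destination is a self-hosted wallet


def originator_gaps(t: Transfer) -> list:
    """Originator data elements missing from a transfer at/above threshold."""
    if t.cad < THRESHOLD_CAD:
        return []                                     # below threshold: rule does not apply
    gaps = []
    if not t.originator.get("name"):
        gaps.append("originator.name")
    if not t.originator.get("account_ref"):
        gaps.append("originator.account_ref")
    if not any(t.originator.get(k) for k in ("address", "dob", "client_number")):
        gaps.append("originator.address|dob|client_number")
    return gaps


def travel_rule_gaps(t: Transfer) -> list:
    """All required elements (originator and beneficiary) missing from an outgoing transfer."""
    if t.cad < THRESHOLD_CAD:
        return []
    gaps = originator_gaps(t)
    for k in ("name", "wallet"):
        if not t.beneficiary.get(k):
            gaps.append(f"beneficiary.{k}")
    return gaps


def route(t: Transfer):
    """Decide what happens to an outgoing transfer before anything is broadcast."""
    gaps = travel_rule_gaps(t)
    if gaps:
        return ("hold", gaps)                         # go back to the client for the missing data
    if t.cad < THRESHOLD_CAD:
        return ("send", [])
    if t.counterparty_vasp is None:
        return ("send_and_retain", [])                # no receiving VASP: keep beneficiary data on file
    return ("send_with_travel_data", [])              # transmit the data to the counterparty VASP


def incoming_needs_followup(t: Transfer) -> bool:
    """Receiving side: flag an inbound transfer at/above threshold that arrived without originator data."""
    return bool(originator_gaps(t))


# Constructed sample transfers (not real data; wallet value is a placeholder).
ORIG_OK = {"name": "A. Client", "account_ref": "ACCT-0001", "dob": "1990-01-01"}
BENEF_OK = {"name": "B. Recipient", "wallet": "bc1q-example-placeholder"}
SAMPLES = {
    "small": Transfer(cad=250, beneficiary={"wallet": "bc1q-example-placeholder"}),
    "hosted": Transfer(cad=5_000, originator=ORIG_OK, beneficiary=BENEF_OK, counterparty_vasp="ExampleVASP"),
    "self_hosted": Transfer(cad=5_000, originator=ORIG_OK, beneficiary=BENEF_OK),
    "missing": Transfer(cad=5_000, originator={"name": "A. Client"}, beneficiary=BENEF_OK,
                        counterparty_vasp="ExampleVASP"),
}

if __name__ == "__main__":
    for label, t in SAMPLES.items():
        print(label, route(t))
```

The `("hold", gaps)` outcome is the important one for an examination: logging it, together with the later resolution, is the documented effort FINTRAC asks for when full counterparty interoperability is not available. Whether the data is then carried over TRISA, Shyft/Veriscope, Notabene, Sygna or a bilateral channel is a transport decision that sits behind `send_with_travel_data` and is outside this example.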
Recent 2025-2026 Regulatory Updates
The regulatory landscape for FINTRAC crypto compliance has shifted meaningfully over the past twelve months. If your compliance program was last updated before mid-2025, you likely have gaps. Here are the changes that matter most:
Expanded Scope of Virtual Currency Definitions
FINTRAC's updated guidance issued in late 2025 broadened the definition of what constitutes a "virtual currency" for reporting purposes. Stablecoins, wrapped tokens, and certain DeFi protocol tokens are now explicitly included. If your platform lists any of these instruments and you were previously treating them as outside the reporting framework, that position is no longer tenable.
Enhanced Beneficial Ownership Requirements
Amendments to the PCMLTFA regulations that took effect in mid-2025 lowered the beneficial ownership identification threshold from 25% to 20% for certain high-risk entity categories, including entities incorporated in jurisdictions with weak AML regimes. Your entity onboarding and ongoing monitoring processes need to reflect this change. If your KYC forms still reference a flat 25% threshold, they need to be updated.
Stricter AMP Framework
FINTRAC published a revised penalty framework in 2025 that significantly increased the maximum administrative monetary penalties for repeat violations and for violations that demonstrate systemic compliance failures. The maximum per-violation penalty for a failure to report now exceeds $500,000 for entities, and FINTRAC has shown a willingness to levy penalties at the higher end of the range when they find that an exchange was aware of its obligations and failed to meet them.
Cross-Border Information Sharing Expansion
New memoranda of understanding between FINTRAC and several international counterparts — including FinCEN (United States), FCA (United Kingdom), and AUSTRAC (Australia) — have expanded the scope and speed of cross-border information sharing. For exchanges that operate across multiple jurisdictions, this means that a compliance failure identified in one country is increasingly likely to trigger scrutiny in Canada and vice versa. Siloed compliance programs organized by jurisdiction are a liability.
Guidance on DeFi and Unhosted Wallets
FINTRAC issued interpretive guidance in early 2026 on the obligations of VASPs when their clients interact with decentralized finance protocols and unhosted (self-custodial) wallets. The core position: if your exchange is the on-ramp or off-ramp, you bear the compliance burden. You must collect information about the source and destination of funds even when those funds pass through DeFi protocols or peer-to-peer transactions before or after touching your platform. This is consistent with the broader FATF approach but represents the first time FINTRAC has stated it this explicitly for Canadian-regulated entities.
Common Compliance Gaps
Having reviewed compliance programs at exchanges of all sizes, from early-stage startups to top-20 global platforms, these are the gaps that appear most frequently and cause the most damage during examinations:
Inadequate Transaction Monitoring Calibration
This is the single biggest problem I see. Exchanges deploy a blockchain analytics tool and a transaction monitoring system, set the default rules, and never calibrate them. The result is either a flood of false positives that overwhelm the compliance team (leading to alert fatigue and missed genuine suspicious activity) or thresholds set so high that real risks pass through undetected. Your monitoring rules must be calibrated to your specific business — your customer demographics, transaction volumes, product mix, and risk appetite. Review and recalibrate at least quarterly.
Weak or Missing Risk Assessments
FINTRAC requires both a business-wide risk assessment and individual client risk assessments. Many exchanges have a business-wide risk assessment that was written once and filed away. It doesn't reflect the current product lineup, customer base, or threat landscape. Individual client risk assessments are often binary (high/low) without meaningful differentiation or without a clear methodology for how the rating was assigned. FINTRAC examiners will pull individual client files and ask you to walk them through the risk rating. If your answer is "the system assigned it," that's insufficient.
Incomplete Compliance Training
Every employee who interacts with clients, handles transactions, or has access to client data must receive AML/ATF compliance training within 30 days of starting and at least annually thereafter. "We have a training module" is not enough. You need to demonstrate that the training is relevant to the employee's role, that it covers your specific obligations under the PCMLTFA, and that you assess whether employees understood and retained the material. Keep attendance records, quiz scores, and records of any follow-up training provided to employees who didn't meet the bar.
No Effectiveness Review
FINTRAC requires that your compliance program undergo an independent effectiveness review every two years. "Independent" means conducted by someone who is not responsible for implementing the compliance program — either an external consultant or an internal audit function that reports independently of the compliance team. Many exchanges either skip this entirely or conduct a self-assessment and call it an effectiveness review. FINTRAC will identify this immediately and it undermines the credibility of your entire program.
Poor Documentation Culture
If it isn't documented, it didn't happen. I cannot stress this enough. FINTRAC examiners are not interested in hearing about the great work your compliance team does verbally. They want to see written policies, written procedures, written risk assessments, written training records, written STR analysis, and written escalation decisions. Every compliance decision of any significance should be documented with the date, the decision-maker, the rationale, and the outcome. Build this culture from day one.
How to Build a Compliance Program That Works
Building a FINTRAC-compliant program for a crypto exchange is not a weekend project. It requires deliberate architecture. Here is the framework I recommend, based on what I've seen work at scale:
Step 1: Appoint a Chief Compliance Officer
The PCMLTFA requires that you designate a person responsible for the compliance program. This person must have the authority and resources to implement the program effectively. In practice, your CCO should report directly to the CEO or board, not to operations or engineering. Compliance that reports to the business line it's supposed to oversee is compliance that gets overruled when it's inconvenient. Choose someone who understands both the regulatory landscape and your specific business. If you can't hire a full-time CCO immediately, engage an experienced compliance consultant as interim CCO while you build out the team.
Step 2: Conduct a Business-Wide Risk Assessment
Before you write a single policy, you need to understand your risk exposure. Your business-wide risk assessment should evaluate:
- The products and services you offer and their inherent ML/TF risks.
- The geographies you serve, including the ML/TF risk ratings of those jurisdictions.
- Your customer types (retail, institutional, high-net-worth) and their risk profiles.
- Your delivery channels (web, mobile, API) and how they affect your ability to monitor transactions and verify identities.
- The virtual currencies you list and any heightened risks associated with privacy coins or novel token types.
This risk assessment is the foundation of everything else. Your KYC thresholds, monitoring rules, training priorities, and resource allocation should all flow from it. Review and update it at least annually, or whenever there is a material change to your business.
Step 3: Write Policies and Procedures
Your compliance policies and procedures manual should cover every obligation under the PCMLTFA and its associated regulations. At minimum, it needs sections on:
- Client identification and verification procedures, including enhanced due diligence for high-risk clients.
- Transaction monitoring rules, escalation criteria, and alert-handling procedures.
- STR identification, assessment, filing, and record-keeping procedures.
- Large virtual currency transaction reporting procedures.
- Travel rule implementation procedures.
- Sanctions screening procedures (both at onboarding and on an ongoing basis).
- Record-keeping standards and retention schedules.
- Training program structure and frequency.
- Effectiveness review schedule and methodology.
Write these procedures in plain language. The audience is your compliance analysts, not lawyers. If a new analyst cannot read your STR procedure and know exactly what to do when they receive a flagged alert, the procedure needs to be rewritten.
Step 4: Implement Technology
You need three core technology components for effective crypto exchange compliance in Canada:
- Identity verification platform — Automated document verification, liveness checks, and sanctions/PEP screening. Solutions like Jumio, Onfido, or Sumsub are standard in the industry.
- Blockchain analytics — Chainalysis, Elliptic, or TRM Labs for on-chain risk scoring, counterparty identification, and wallet screening. This is non-negotiable for any exchange handling material volume.
- Transaction monitoring system — Either a dedicated AML transaction monitoring platform or custom-built rules engine that can flag suspicious patterns across both fiat and crypto transactions. The key requirement is configurability: you must be able to tune rules to your specific risk assessment.
Step 5: Train Your Team
Develop role-specific training materials. Your customer support team needs different training than your compliance analysts, who need different training than your engineering team. Everyone needs to understand what money laundering and terrorist financing look like, why compliance matters, and what their specific responsibilities are. Run tabletop exercises with realistic scenarios. The best compliance training I've seen is not lecture-based; it's case-study-based, walking through real examples (anonymized, of course) of how suspicious activity was identified, assessed, and reported.
Step 6: Schedule Your Effectiveness Review
Don't wait until the two-year deadline approaches. Engage your independent reviewer early, give them full access, and treat their findings as a roadmap for improvement, not a threat. The best compliance programs I've audited are the ones where the leadership team genuinely wants to know what's broken. The worst are the ones where the review is treated as a formality to check a box.
Step 7: Prepare for FINTRAC Examinations
FINTRAC can examine your compliance program at any time, with or without notice. The best preparation is continuous readiness: maintain clean records, keep your policies current, and ensure your team can articulate and demonstrate the compliance program from memory. Conduct internal mock examinations at least once a year. Identify weaknesses before FINTRAC does.
The Cost of Getting It Wrong
This isn't theoretical. FINTRAC has issued administrative monetary penalties to crypto businesses operating in Canada, and the amounts are substantial. Beyond the financial penalties, non-compliance carries reputational damage that can be existential for a crypto business. Banking partners will de-risk you. Institutional clients will walk. Regulators in other jurisdictions will take note.
More importantly, the PCMLTFA carries criminal penalties for willful non-compliance, including imprisonment. If FINTRAC finds that you knowingly failed to report suspicious transactions or deliberately circumvented your obligations, they can refer the matter to law enforcement. This is not a hypothetical risk; it is an outcome that has occurred in the Canadian financial services sector.
Building Compliance as a Competitive Advantage
Here is the perspective I want to leave you with: compliance is not just a cost center. In the crypto industry, where trust deficits are real and regulatory clarity is still emerging, a genuinely strong compliance program is a competitive advantage. It opens doors to banking relationships that are closed to non-compliant competitors. It enables institutional partnerships. It builds the kind of credibility that survives market downturns and regulatory crackdowns.
The exchanges that will thrive in Canada over the next decade are the ones that treat FINTRAC crypto compliance not as a burden to be minimized but as a discipline to be mastered. The regulatory direction is clear: requirements will only increase. Building right today is cheaper than rebuilding under enforcement pressure tomorrow.
Need Help With FINTRAC Compliance?
Whether you're registering as an MSB for the first time, remediating gaps found in an examination, or building a compliance program from scratch, we can help. We bring hands-on experience from inside the world's largest exchanges to your compliance challenges.