A New Era of Enforcement Has Arrived

In March 2026, FINTRAC revoked the registrations of over 47 crypto-linked Money Services Businesses in a single enforcement sweep — the largest action of its kind in Canadian history. The message is clear: the era of light-touch oversight for digital asset businesses in Canada is over.

This wave of revocations comes at a pivotal moment. Canada's implementation of the OECD's Crypto-Asset Reporting Framework (CARF) took effect on January 1, 2026, and the first automatic information exchanges with international tax authorities are scheduled for 2027. For fintech companies and digital asset service providers operating in Canada, compliance is no longer optional — it is existential.

Why FINTRAC Is Revoking Registrations

FINTRAC's enforcement actions have targeted MSBs that failed to meet their obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). The most common grounds for revocation include:

• Inadequate AML/CTF programs: Businesses that lacked documented risk-based compliance programs, including internal policies, a designated compliance officer, KYC procedures, and transaction monitoring systems.
• Failure to respond to information requests: MSBs that did not provide timely updates to FINTRAC when requested, including changes to business details and beneficial ownership information.
• Deficient record-keeping and reporting: Failure to file suspicious transaction reports (STRs), large cash transaction reports, or electronic funds transfer reports as required.

The revocations span crypto exchanges, wallet providers, and virtual currency ATM operators. FINTRAC has signalled that additional enforcement rounds are expected throughout 2026, with a particular focus on businesses facilitating cross-border virtual currency transfers.

CARF Is Now Live — Are You Ready?

Effective January 1, 2026, Canada's CARF legislation — enacted through amendments to the Income Tax Act — requires all Reporting Crypto-Asset Service Providers (RCASPs) to collect, verify, and report detailed user and transaction data to the CRA.

The scope of CARF is broad. Reportable activities include:

• Crypto-to-fiat and crypto-to-crypto exchanges
• Transfers to and from unhosted (self-custodied) wallets
• Staking rewards and airdrops
• Transactions involving stablecoins and certain NFTs

RCASPs must perform enhanced due diligence on all users, including Tax Identification Number (TIN) validation and jurisdiction-of-residence verification. The first annual reports covering 2026 transactions are due in 2027, and the CRA will exchange this data automatically with partner jurisdictions under international agreements.

For businesses that also hold MSB registration with FINTRAC, this creates a dual compliance obligation: AML/CTF requirements under the PCMLTFA, and tax reporting requirements under CARF. Gaps in either regime can trigger enforcement from separate regulators.

Practical Steps to Protect Your Business

Whether you are an established crypto exchange, a DeFi platform with Canadian users, or a fintech startup handling digital asset payments, here is what you should be doing right now:

• Audit your AML program immediately. Review your compliance framework against FINTRAC's current expectations: documented policies, a named compliance officer, risk assessments, ongoing monitoring, and staff training. If any element is missing or outdated, remediate before the next enforcement cycle.
• Implement CARF data collection infrastructure. Ensure your systems capture TINs, tax residency information, and granular transaction data for all users. Retro-fitting this after year-end is not viable — the obligation began on January 1, 2026.
• Prepare for XML-based reporting. CARF reports must be filed in a prescribed XML format. Work with your technology and compliance teams — or an external advisor — to build and test your reporting pipeline well before the 2027 filing deadline.
• Monitor the Retail Payment Activities Act (RPAA). Expected 2026 reforms may require crypto payment providers to register under the RPAA, adding a third layer of regulatory obligation. Stay ahead of this by tracking Bank of Canada and Department of Finance announcements.
• Engage qualified advisors. The intersection of FINTRAC, CRA, and emerging payments regulation is complex. Proactive advisory support is significantly less costly than responding to an enforcement action after the fact.

The Bottom Line

Canada is rapidly aligning its digital asset regulatory framework with international standards. FINTRAC's aggressive enforcement posture and the activation of CARF signal that regulators expect full, demonstrable compliance — not just registration. Businesses that treat compliance as a checkbox exercise risk losing their ability to operate in Canada entirely.

The good news: with the right systems and guidance in place, meeting these obligations is entirely achievable. The key is to act now, not after a notice arrives.

Need guidance? Reach out to our team — no pressure, no jargon.