

Three Pillars, One Direction: Bill C-29 Completes Canada's AML & Credit-Risk Stack.

Fundmore.ai

Last week, FINTRAC's public penalty against VersaBank set the calibration for what procedural rigour now costs under Bill C-12. This week, the federal government tabled Bill C-29, the Financial Crimes Agency Act, creating a dedicated federal investigator for financial crime. Read together, the two bills (and OSFI's April 14 Annual Risk Outlook) complete a three-layer regulatory stack that has been signaled for several budgets and is now operational.

For Canadian DTIs, credit unions, fintechs, and especially non-bank lenders, the calibration matters more than any single line item in the legislation. Three pillars, one direction of travel.

 


 

Pillar One: Supervision (FINTRAC, Bill C-12)

Bill C-12 came into force on March 26, 2026. FINTRAC now operates with AMP ceilings up to 40x the prior maxes: Minor violations rose from $1,000 to $40,000; Serious from $100,000 to $4,000,000; Very Serious from $500,000 to $20,000,000. A cumulative cap applies for entities at the greater of $20 million or 3% of prior-year gross global revenue. All compliance-program violations are now Very Serious; a new offence covers programs that are not reasonably designed, risk-based, and effective.

The VersaBank case (a $42,075 AMP made public on May 5) was assessed under the prior framework. It is the last datapoint from the legacy regime and the first signal of where FINTRAC is willing to take a federally regulated bank for procedural failures rather than substantive AML findings.

 

Pillar Two: Enforcement (Financial Crimes Agency, Bill C-29)

Tabled April 27, Bill C-29 sets up the Financial Crimes Agency as a specialized federal law enforcement body. Its mandate is to investigate financial crime and contribute to the recovery of proceeds of crime; the statutory definition is intentionally broad and covers (i) federal-act offences involving financial assets (including digital assets); (ii) designated Criminal Code offences from which proceeds are derived; and (iii) offences under the PCMLTFA.

Two design choices deserve attention. First, Davies notes that the FCA is positioned as the missing federal counterpart to FINTRAC, which has long supervised reporting entities without a dedicated investigator partner. Second, the explicit inclusion of digital assets in the mandate creates a federal enforcement counterpart to both provincial securities regulators and the emerging Bank of Canada-administered Stablecoin Act. Crypto-asset exchanges, digital-payment providers, custodians, stablecoin issuers, and fintech operators should read the bill carefully; conduct that adversely affects the integrity of Canada's financial system or markets could now attract a dedicated federal investigation.

 

Pillar Three: Prudential (OSFI, Annual Risk Outlook + Credit Risk Guideline)

OSFI released its 2026-2027 Annual Risk Outlook on April 14 and named non-bank financial institutions the second-largest threat to Canada's financial system, behind only real-estate-secured lending. The regulator warned that the opaque nature of private capital markets can mask structural weaknesses and that highly leveraged exposures could intensify losses in a stress event.

The numbers behind the concern, as catalogued in FundMore's May 12 Fathom launch release, are striking: non-bank residential mortgage debt has grown to more than $401 billion, a 19% jump since 2020. In Ontario alone, FSRA counts 65,233 private mortgages worth $32 billion, with delinquency rates running roughly 11 times higher than the headline bank figure. Over 50% of Canadian mortgages are set to renew between January 2026 and the end of 2027, and OSFI expects that wave to push more borrowers into the alternative channel.

OSFI is also drafting a new Credit Risk Management Guideline to tighten how lenders manage credit risk; industry consultation is open through July 29, 2026. For non-bank lenders that have historically operated on spreadsheets, email, and cobbled-together point solutions, the compliance bar is rising before the renewal wave breaks.

 

How the Three Pillars Interact

Each pillar alone is significant; the operating implication is in the combination. Under the prior regime, a procedural failure produced a modest AMP and (rarely) a public release. Under the new stack, the same fact pattern sits inside a 40x penalty ceiling (FINTRAC), can be referred to a dedicated federal investigator (FCA), and is examined against tightened prudential expectations (OSFI). The supervisory expectation has shifted from "do you have a policy" to "does the policy work, can you prove it, and would it withstand independent investigation."

Three readings worth taking forward:

Effectiveness is the next examination axis. Programs that exist on paper but cannot produce evidence of outcomes (threshold tuning logs, high-risk client treatment artefacts, STR quality reviews against peer-volume benchmarks) are formally exposed across all three pillars.

Non-bank lenders carry the heaviest delta. OSFI's opacity warning, the 11x Ontario delinquency gap, and the renewal-wave math put non-bank lenders at the centre of the new framework. The institutions that internalize that early, by investing in documented underwriting rigour, traceable decisioning, and proper KYC, will avoid being the first datapoint inside the new regime.

Compliance infrastructure is now a competitive moat. Bank-grade tooling (KYC and identity verification, document classification, fraud detection, AML, audit trails) used to be the price of being federally regulated. Under the new stack it is the price of operating at all. Vendors that close the infrastructure gap will shape the market.

 

The Industry Response: FundMore Fathom

On May 12, FundMore announced Fathom, a freemium underwriting, CRM, and compliance platform purpose-built for private lenders, MICs, and alternative mortgage originators. The product brings the same AI-powered underwriting, KYC and identity verification, AML and fraud detection, document classification, OCR, property valuation, title search, compliance-insurance, and customer-engagement infrastructure currently powering Canada's leading federally regulated lenders (a platform with over $60 billion in mortgage applications processed; SOC 2 Type 2 certified since 2021; NIST 800 compliant; pursuing ISO 42001 AI certification) to the non-bank tier, with no upfront cost.

FundMore CEO Chris Grimes put the design intent plainly: "OSFI just told the country that opacity in non-bank lending is a systemic risk, and they're right. The problem isn't that private lenders are reckless. The problem is that the infrastructure that keeps bank-tier lenders compliant, auditable, and fraud-resistant has been priced out of reach for everyone else." The Fathom waitlist is live now; public beta opens summer 2026.

 

Strategic Takeaway

Bill C-29 appears to be a single new agency. Read against Bill C-12 and OSFI's Annual Risk Outlook, it is the third leg of a stool that now stands. Supervision, enforcement, prudential oversight; one direction of travel. The institutions that read the package together and invest in compliance-forward infrastructure before the renewal wave breaks will write the next chapter of Canadian lending; the ones that wait will be the case studies.

 

Frequently Asked Questions

Q: What does Bill C-29 actually create?

A: Bill C-29 establishes the Financial Crimes Agency, a specialized federal law-enforcement body with a statutory mandate to investigate financial crime and contribute to the recovery of proceeds of crime. The definition of financial crime is intentionally broad and covers offences under federal acts involving financial assets (including digital assets), designated Criminal Code offences from which proceeds are derived, and offences under the PCMLTFA.

Q: How does the FCA relate to FINTRAC?

A: FINTRAC is the supervisor; the FCA is the investigator. Under the prior framework, FINTRAC supervised reporting entities and could impose administrative monetary penalties but did not investigate financial crime itself. Davies notes that the FCA is positioned as the missing federal counterpart to FINTRAC; it adds dedicated investigative capacity to a supervisory regime that, under Bill C-12, also now operates with 40x penalty ceilings and a new effectiveness violation.

Q: Why does OSFI consider non-bank financial institutions a systemic risk?

A: Per the 2026-2027 Annual Risk Outlook, the opaque nature of private capital markets can mask structural weaknesses, and highly leveraged exposures could intensify losses in a stress event. The numbers support the concern: non-bank residential mortgage debt has grown to more than $401 billion (a 19% jump since 2020), and Ontario private-mortgage delinquency rates run roughly 11 times the headline bank figure.

Q: What is the OSFI Credit Risk Management Guideline, and when does it land?

A: OSFI is drafting a new Credit Risk Management Guideline to tighten how lenders manage credit risk. Industry consultation is open through July 29, 2026. The expectation is that the final guideline will require documented underwriting rigour, traceable decisioning, and proper KYC across every reporting entity.

Q: Does the FCA cover crypto and stablecoins?

A: Yes. The Bill C-29 definition of financial crime explicitly includes digital assets. Gowling WLG flags that this creates a federal enforcement counterpart to provincial securities regulators and the Bank of Canada-administered Stablecoin Act. Crypto-asset exchanges, digital-payment providers, custodians, stablecoin issuers and fintech operators should read the bill carefully.

Q: What is FundMore Fathom, and who is it for?

A: Fathom is a freemium underwriting, CRM, and compliance platform purpose-built for private lenders, MICs, and alternative mortgage originators, with no upfront cost. It includes AI-powered underwriting, KYC and identity verification meeting FINTRAC obligations out of the box, document gathering, classification, fraud detection and OCR, property valuation, title search and compliance insurance, and end-to-end customer engagement. The waitlist is live now; public beta opens summer 2026.