On May 5, FINTRAC published its first public penalty against a federally regulated bank in months: a $42,075 administrative monetary penalty against VersaBank, the London, Ontario Schedule I bank. The figure is modest enough that the headline coverage moved past it inside a news cycle. For Canadian AML and risk leaders, that would be the wrong place to leave it.
The case is the last datapoint from the prior framework and the first explicit signal of where FINTRAC is willing to take a federally regulated bank for procedural failures rather than substantive money-laundering findings. Read against the new Bill C-12 ceilings that came into force five weeks earlier, the calibration is the story.
FINTRAC issued the penalty on February 23, 2026, under the framework in place at the time; VersaBank paid in full, and the case is closed. The two violations cited:
1. Failure to develop and apply written compliance policies and procedures kept up to date and approved by a senior officer.
2. Failure to take special measures for high-risk clients.
Neither finding alleges money laundering; both are program-hygiene findings. FINTRAC noted in the release that "Canada's Anti-Money Laundering and Anti-Terrorist Financing Regime is in place to protect the safety of Canadians and the security of Canada's economy" and that the agency "will take appropriate actions when they are needed." The signal: procedural rigour is now the trigger for public enforcement against a Schedule I bank.
Bill C-12, the Strengthening Canada's Immigration System and Borders Act, received Royal Assent on March 26, 2026, and amended the PCMLTFA AMP framework across all dimensions that matter for enforcement. Three changes carry the weight:
Penalty maxes multiplied by 40x. Minor violations rose from $1,000 to $40,000. Serious from $100,000 to $4,000,000. Very Serious from $500,000 to $20,000,000. A new cumulative cap applies for entities at the greater of $20 million or 3% of prior-year gross global revenue.
All compliance-program violations are elevated to Very Serious. DLA Piper notes that under the amendments, every violation related to compliance-program adequacy is now classified as Very Serious. The VersaBank fact pattern (policies not kept current, high-risk measures not applied) sits squarely inside the Very Serious classification under the new rules.
A new effectiveness violation. The amendments add a standalone Very Serious offence: failing to ensure that the compliance program is reasonably designed, risk-based, and effective. Miller Thomson highlights that effectiveness is now examinable in its own right, not as a soft factor. A program that documents process but cannot produce evidence of outcomes is a Very Serious violation.
Penalty math is the headline change; toolkit changes are the operational change. Bill C-12 also introduced:
Mandatory compliance agreements for prescribed violations. These agreements were optional under the prior framework; they are now mandatory in defined circumstances, which moves them from a negotiation lever to a fixed enforcement step.
Compliance orders as a standalone enforcement tool. FINTRAC can now issue an order requiring specific corrective action; contravention of the order is itself a violation, separate from the underlying conduct.
An explicit ability-to-pay criterion in penalty calculation. Size of the entity is now a formal factor in calibrating the dollar figure. For Schedule I banks and large credit unions, the ceiling is meaningful; for smaller reporting entities, the calibration tempers the headline maxes.
STR volume benchmarking. Below-peer suspicious-transaction reporting volumes can now trigger effectiveness scrutiny. Low reporting volume is no longer a quiet operating signature; it is a flag that invites review.
Three readings worth taking forward:
Procedural failures are public-penalty material. The case confirms that FINTRAC will pursue a Schedule I bank for a written policy on currency and high-risk client measures. The threshold for federal bank enforcement is lower than the historical assumption.
The dollar figure is now disconnected from the fact pattern. The same conduct, examined under the post-March 26 framework, sits inside the Very Serious classification with a $20-million ceiling. The VersaBank dollar figure should be read as the legacy print and not the forward calibration.
Effectiveness is the next examination axis. Programs that exist on paper but cannot produce evidence of outcomes are now formally exposed. The control inventory has to include effectiveness artifacts (threshold tuning logs, high-risk client treatment evidence, STR quality reviews) alongside the policy documents themselves.
A $42,075 penalty against a single federally regulated bank rarely changes a CIO or CCO's quarterly priorities. This one should. The VersaBank case is the calibration event that bridges the prior AMP regime and the C-12 framework; it tells every Canadian DTI which behaviours FINTRAC is willing to publicly penalize, and the new ceilings tell them what those behaviours now cost. The institutions that internalize the signal early (treating procedural rigour, effectiveness evidence, and STR-volume benchmarking as board-grade priorities) will avoid being the first datapoint inside the new regime.
At FundMore, we read every regulatory shift from the lender's seat.
Q: What violations was VersaBank cited for?
A: Two violations under the PCMLTFA: failing to develop and apply written compliance policies and procedures kept up to date and approved by a senior officer, and failing to take special measures for high-risk clients. Neither finding alleges money laundering. FINTRAC published the case on May 5, 2026 with a $42,075 penalty paid in full.
Q: When did Bill C-12 take effect, and what does it change?
A: Bill C-12 received Royal Assent on March 26, 2026 and amended the PCMLTFA AMP framework. The headline change is a 40x increase in penalty maxes across all three violation classes; secondary changes include a cumulative cap for entities at the greater of $20 million or 3% of prior-year gross global revenue, elevation of all compliance-program violations to Very Serious, and a new effectiveness offence.
Q: Why does the VersaBank penalty matter if it was assessed under the old framework?
A: The case is the last benchmark from the prior regime and the first public signal of FINTRAC's willingness to penalize a Schedule I bank for procedural failures rather than substantive AML findings. Examinations covering periods on or after March 26 use the new framework; the same fact pattern under C-12 ceilings would sit inside Very Serious classification with a maximum of $20 million.
Q: What does the new effectiveness violation actually require?
A: The amendments added a standalone Very Serious offence for failing to ensure that the compliance program is reasonably designed, risk-based, and effective. Effectiveness is now examinable in its own right; a program that documents process but cannot produce evidence of outcomes (threshold tuning, high-risk client treatment, STR quality) is exposed.
Q: Can low STR reporting volumes really trigger a FINTRAC review?
A: Yes. Miller Thomson notes that suspicious-transaction reporting volumes that sit below peer benchmarks can now trigger effectiveness scrutiny. Low volume is no longer a quiet operating signature; it flags a review of whether the program is generating the outputs the framework expects.
Q: What should a Canadian AML or compliance leader prioritize first?
A: Three priorities. First, audit policy currency and senior-officer approval cycles; the VersaBank case shows that lapsed approvals and stale procedures alone are sufficient for enforcement-grade action. Second, document the high-risk client treatment lifecycle end-to-end with artifacts that prove special measures are applied, not just defined. Third, build an effectiveness review into the second-line audit calendar; threshold tuning logs, peer-volume benchmarking against STR submissions, and outcome evidence should sit alongside the policy library.