FINTRAC's2026-27PlanSignalsMoreRisk-BasedSupervision.ReportingEntitiesNeedBetterEvidence.

FINTRAC's 2026-27 Departmental Plan is worth reading as more than a planning document. It describes where supervision is heading: earlier interventions, stronger administrative monetary penalties where warranted, serious non-compliance disclosures to law enforcement, and a more sophisticated risk-based framework informed by Canada's 2025 money laundering and terrorist financing risk assessment.

For reporting entities, the message is practical. The compliance program has to show how risk is identified, how controls are applied, how reports are reviewed, and how evidence is preserved before FINTRAC asks for it.

Risk-based supervision only works for the business if the business can prove how its risk-based decisions are made.

what FINTRAC says it will prioritize

FINTRAC says it will intensify its supervisory efforts through a comprehensive, risk-based approach. The plan points to higher-risk threats and sectors, including fentanyl and illicit opioids, fraud, trade-based and professional money laundering, human trafficking, transnational organized crime, terrorism financing, sanctions evasion, extortion, virtual assets, shell companies, charities, and online gaming.

The plan also describes a next-generation reporting entity portal intended to streamline reporting, provide real-time guidance and regulatory updates, and integrate MSB registration and universal enrolment. That signals a supervisory environment where expectations may become clearer, but response times and evidence quality may also matter more.

why this matters for reporting entities

A risk-based approach is not a licence to be vague. It requires the business to connect its actual operating model to specific controls. If an MSB deals in virtual currency, the risk assessment should not read like a generic financial services template. If a real estate brokerage faces beneficial ownership, geography, or PEP risk, those risks should connect to onboarding, review, monitoring, and escalation procedures.

FINTRAC's plan describes three supervision pillars: monitoring compliance through a risk-based approach, enforcing obligations through tools such as administrative monetary penalties and non-compliance disclosures, and engaging reporting entities with outreach and sector-specific guidance.

That combination means reporting entities should expect more than a check-the-box review. They should expect FINTRAC to ask whether the program is tailored, current, tested, and supported by records.

what Rockwell would review first

Rockwell would use the 2026-27 plan as a readiness checklist. The goal is not to predict every examination focus. The goal is to make sure the program can withstand a risk-based review when FINTRAC asks how the business identified, mitigated, and monitored its actual risks.

• Risk assessment quality: Does the document connect clients, products, services, delivery channels, geography, virtual assets, fraud, sanctions, and sector-specific risks to controls?
• Policy ownership: Are written policies current, approved by senior leadership, and updated when the business changes?
• Reporting workflow: Are STR, EFTR, LCTR, and LVCTR processes assigned, evidenced, reviewed, and filed on time?
• High-risk handling: Are enhanced measures triggered, documented, reviewed, and tied to client and transaction behaviour?
• Effectiveness review readiness: Can an independent reviewer trace a control from policy to file to monitoring evidence to remediation?

the virtual currency and online gaming signal

The plan specifically references expanded oversight of virtual currency activities and deeper understanding of money laundering risks in online gaming. Those are useful signals for fintechs, crypto MSBs, payment companies, gaming-related businesses, and financial institutions that interact with those sectors.

A business does not need to be the highest-risk actor in the market to feel supervisory pressure. If its products, customers, geographies, or transaction channels intersect with FINTRAC's priorities, the program should be able to explain the controls in plain evidence.

what better evidence looks like

Better evidence is not more paper for its own sake. It is a clean trail that shows how the compliance program works in the real business.

• A risk assessment that names actual products, client segments, jurisdictions, transaction types, and business changes.
• Monitoring logic that explains why alerts trigger, who reviews them, and how exceptions escalate.
• STR decision records that show facts, rationale, reviewer ownership, escalation history, and filing accountability.
• Training records that connect staff duties to the typologies and risks the business actually faces.
• Remediation records that show what changed after testing, examination findings, or internal issues.

prepare before the intervention

FINTRAC's plan makes clear that supervision is becoming more targeted, more data-informed, and more closely connected to national financial-crime priorities. Reporting entities should not wait for a request letter to discover that their program has weak evidence.

Review Rockwell's effectiveness review readiness support, or explore outsourced compliance officer support if your program needs stronger ownership, cleaner evidence, and a risk-based compliance cadence before the next review.