
FINTRAC Penalty on Necosmart: STR, High-Risk, and Virtual Currency Recordkeeping Lessons for MSBs

Rockwell Advisory | FINTRAC Enforcement | 9 min read

Source: FINTRAC official news release and public AMP notice

FINTRAC announced on May 14, 2026 that it had imposed a $693,742.50 administrative monetary penalty on 13010431 Canada Inc., also operating as Necosmart. FINTRAC described Necosmart as a money services business in Edmonton, Alberta, and stated that the penalty was imposed on March 27, 2026 after a compliance examination.

For Canadian MSBs, crypto MSBs, foreign exchange dealers, and virtual currency operators, this is a useful case study because the violations sit across the full compliance operating system: suspicious transaction reporting, written policies and procedures, enhanced measures for high-risk clients and transactions, documented risk assessment, and virtual currency transaction records.

Rockwell treats public FINTRAC penalties as case studies. The point is not to dwell on the named company. The point is to identify the control failures that another MSB can prevent before an examination turns into a public enforcement matter.

what FINTRAC found

FINTRAC's May 14 release lists five administrative violations. Each one maps to a control that should be owned, evidenced, and tested inside an MSB compliance program.

  • Suspicious transaction reporting: FINTRAC cited multiple separate occasions where suspicious transaction reports were not submitted despite reasonable grounds to suspect that transactions were related to a money laundering or terrorist activity financing offence.
  • Policies and procedures: FINTRAC found that written compliance policies and procedures were not developed and applied in a way that stayed current and, for an entity, approved by a senior officer.
  • High-risk clients and transactions: FINTRAC cited failure to adequately develop and apply enhanced measures to mitigate high-risk clients and transactions.
  • Risk assessment: FINTRAC identified failure to assess and document the risk of a money laundering or terrorist financing offence while considering prescribed factors.
  • Virtual currency records: FINTRAC cited insufficient occupation and transactional information for virtual currency exchange transaction tickets.

the pattern behind the penalty

The Necosmart penalty is not just an STR case. STR failures are often the downstream result of upstream weakness: incomplete KYC information, shallow transaction records, generic risk scoring, unclear reviewer ownership, and escalation paths that are understood informally but not evidenced in a way an examiner can follow.

That matters because FINTRAC examinations test more than whether a policy exists. They test whether the policy is operational. If a client is high-risk, the file should show how that risk was identified, what enhanced measures were applied, who reviewed the activity, what transaction context was available, and why the business did or did not file a report.

Virtual currency activity raises the bar again. An MSB that deals in virtual currency needs transaction records that preserve the context needed for review, reporting, and reconstruction. Missing occupation or transaction details can weaken the entire review chain because the compliance team cannot defend its decision-making after the fact.

what Rockwell would review first

For an MSB looking at this penalty and asking whether the same issues could appear in its own examination, Rockwell would start with the evidence trail. The question is not whether the company intends to comply. The question is whether the company can prove how compliance decisions are made.

  • STR decisioning: Are alerts, case notes, reviewer rationale, escalation decisions, and filing timelines documented in one defensible workflow?
  • AML/ATF program design: Are policies approved by senior leadership, tailored to the actual business model, and updated when products, channels, jurisdictions, or vendors change?
  • KYC/KYB and virtual currency records: Does the company collect the client and transaction data needed to support monitoring, reporting, sanctions screening, and examination response?
  • High-risk controls: Are enhanced measures defined, triggered, reviewed, and evidenced for high-risk clients, transactions, products, and geographies?
  • Effectiveness review readiness: Can an independent reviewer test the program and trace issues from policy to transaction file to remediation record?

why this matters for Canadian MSB compliance

FINTRAC stated that suspicious transaction reporting is critical to its ability to generate actionable financial intelligence for law enforcement and national security agencies. That is why STR failures tend to receive serious attention. But the rest of the Necosmart findings show the broader lesson: an MSB cannot rely on heroic manual review if the program around that review is incomplete.

A durable MSB compliance program connects risk assessment, client due diligence, transaction monitoring, reviewer evidence, escalation, reporting, and remediation. When one part is weak, the rest of the program becomes harder to defend.

turn enforcement lessons into audit-ready work

Rockwell Advisory works with Canadian MSBs, crypto MSBs, foreign MSBs, and fintech operators on AML/ATF program design, named CAMLO support, FINTRAC registration, reporting oversight, KYC/KYB frameworks, monitoring, and effectiveness review readiness.

If this penalty looks uncomfortably close to your own operating model, the next step is not another template. It is a focused review of the controls that would be tested in an examination.

Review Rockwell's crypto MSB compliance support, or explore outsourced compliance officer support for Canadian MSBs that need operating help, not just advisory notes.
