FINTRAC Penalty on VersaBank: Policies, High-Risk Measures, and Lessons for Financial Entities
Source: FINTRAC Official News Release
On 5 May 2026, FINTRAC announced an Administrative Monetary Penalty (AMP) of $42,075 on VersaBank, a bank headquartered in London, Ontario. The penalty was imposed on 23 February 2026 following a compliance assessment activity, for non-compliance with Part 1 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations. FINTRAC states that the penalty has been paid in full and the case is closed.
The release cites two administrative violations. Together they highlight recurring themes for financial entities: keeping the compliance program documentation credible at the governance level, and ensuring high-risk relationships actually receive elevated controls in practice, not only on paper.
⸻
What FINTRAC Found
Written compliance policies and procedures
FINTRAC requirement: Reporting entities must develop and apply written compliance policies and procedures that stay current. For an entity, those policies and procedures must be approved by a senior officer. The documents should translate PCMLTFA obligations into how the business identifies clients, keeps records, monitors activity, escalates red flags, and meets FINTRAC reporting timelines for instruments such as suspicious transaction reports and large cash transaction reports.
FINTRAC finding: VersaBank failed to develop and apply written compliance policies and procedures that were kept up to date and, as required for an entity, approved by a senior officer.
Why it matters: Policies are the bridge between board-level expectations and daily operations. When they drift out of date or lack formal approval, examinations tend to find downstream weaknesses in consistency, training, and execution. That increases the chance of missed or low-quality suspicious transaction reporting, which FINTRAC stresses is central to actionable financial intelligence for law enforcement and national security agencies.
⸻
Special measures for high-risk clients
FINTRAC requirement: Where regulations require special measures for higher-risk situations or relationships, reporting entities must implement them in a traceable way. For deposit-taking institutions, high-risk treatment typically interacts with customer risk ratings, enhanced due diligence, approval hierarchies, and monitoring intensity.
FINTRAC finding: VersaBank failed to take special measures for high-risk clients.
Why it matters: High-risk segments are where AML programs earn their keep. Gaps here signal that risk assessments, policies, and front-line execution are misaligned. Public AMPs in the banking sector reinforce that FINTRAC expects financial entities to demonstrate how elevated risk converts into concrete controls and documentation.
⸻
How Rockwell Advisory Supports Related Operational Priorities
Rockwell Advisory does not replace legal advice, policy drafting, or senior officer approvals. It is built to help reporting teams execute FINTRAC filings with greater consistency, speed, and auditability once your program defines what must happen for standard versus higher-risk activity.
- Structured FINTRAC reporting: Automate preparation and submission workflows for report types such as STRs, large cash transaction reports, large virtual currency transaction reports, and international electronic funds transfers, so operational steps map cleanly to what your approved procedures describe.
- Reviewed STR narratives and classification: Reduce friction on high-stakes suspicious transaction reporting while preserving reviewer oversight, which supports consistent escalation behaviour across teams handling elevated-risk cases.
- Risk detection configuration: Use configurable and AI-driven risk indicators so monitoring intensity can reflect relationship risk in a transparent, adjustable way, complementing your institution's policies on high-risk treatment.
- Audit trails: Maintain clearer evidence of preparation, review, and submission for examinations and internal testing, which pairs well with governance expectations around documented compliance programs.
For context on how Rockwell Advisory positions filing automation for Canadian reporting entities, follow the resource links in the callout below.
⸻
Broader Enforcement Context
FINTRAC quick facts accompanying the release note that in 2024-25 it issued 23 Notices of Violation, the largest annual count in the Centre's history, totalling more than $25 million. Since 2008, FINTRAC has imposed more than 150 penalties across most business sectors. AMPs are framed as tools to encourage behavioural change.
⸻
Takeaways for Compliance Leaders
- Calendar recurring senior-officer review and approval of policies so product, channel, and client-type changes do not silently leave procedures outdated.
- Test high-risk playbooks with sample cases and independent review, not only policy language.
- Align filing operations with those policies so STR and other FINTRAC outputs reflect the risk story your institution believes it is running.
The VersaBank AMP is modest in size compared with some multi-million-dollar cases, yet it is a clear signal that banks remain in active supervisory focus alongside casinos, money services businesses, real estate brokerages, and other reporting entity categories named in FINTRAC public messaging.
Automate FINTRAC filings without sacrificing oversight. Rockwell Advisory helps Canadian reporting entities prepare and submit STRs, LCTRs, LVCTRs, EFTRs, and related reports with review-ready workflows, configurable risk indicators, and submission paths designed for teams that need audit-ready consistency.