From AML to AI: regulatory developments in the financial services landscape From AML to AI: regulatory developments in the financial services landscape

2026 is poised to be a pivotal year for compliance and enforcement in the Canadian financial services industry. From enhanced anti-money laundering (AML) measures and administrative monetary penalties (AMPs) to payment services regulation under the Retail Payment Activities Act (RPAA) and artificial intelligence governance, financial institutions and payment service providers (PSPs) will face heightened expectations and evolving regulatory frameworks that demand proactive adaptation and robust risk management.

Enhanced AML measures

We expect to see continued enforcement action from the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) in 2026 as the Canadian government maintains its focus on national security and its borders. Significantly, FINTRAC quietly revised several guidance documents to remove references to its willingness to work with reporting entities and provide opportunities to correct non-compliance prior to imposing an AMP. 

As of October 31, 2025, FINTRAC had imposed 20 AMPs in 2025, among the largest number in the regulator’s history for a single year. More are likely to follow. The total amount of the AMPs imposed in this period exceeded $200 million. On October 22, 2025, FINTRAC imposed the largest penalty in FINTRAC’s history — approximately $176.9 million against a virtual currency transaction services business. This penalty reflected 2,593 instances of six types of violations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated regulations. Increased enforcement action and larger penalties mean that more actions are being appealed. Of the 20 AMPs that have been imposed in 2025 to date, seven are in the process of being appealed to the Federal Court of Canada.

Although AMPs are at a historic high, they could get even higher. As previously discussed, on June 3, 2025, the federal government introduced Bill C-2, the Strong Borders Act, which proposes significant amendments to the PCMLTFA, including the introduction of a new AMP framework. If enacted, the maximum AMP for prescribed violations would increase by a factor of 40. A very serious violation, such as a failure to file a single suspicious transaction report, could give rise to an AMP of $20 million. Where there are multiple violations, cumulative penalties could be as high as the greater of $20 million and 3% of the entity’s gross global revenue. In addition, certain violations would be reclassified. For example, a failure to ensure that a compliance program is reasonably designed, risk-based and effective or a failure to fulfil certain other compliance program requirements would be designated as very serious violations that could attract the highest level of AMP. 

Other key changes proposed by Bill C-2 include a requirement that all entities subject to the PCMLTFA must register with FINTRAC.

On October 8, the government introduced Bill C-12, Strengthening Canada’s Immigration System and Borders Act, which amends Bill C-2 to remove certain more controversial provisions of that bill. However, Bill C-12 leaves the proposed changes to the AMP framework, as well as the requirement to register, essentially untouched. 

More frequent OSFI AMPs

We also expect to see the Office of the Superintendent of Financial Institutions (OSFI) taking a more aggressive approach to AMP enforcement in 2026. In its Letter to Industry issued on September 11, 2025, OSFI announced that it has revised its approach to assessing the statutory penalty criteria to align with its high appetite for early intervention. While the statutory penalty criteria themselves and the penalty amounts have not changed, OSFI has signaled that it will have a lower tolerance for contraventions. This means that penalties may be issued for lower levels of potential negligence and harm, and more frequently in 2026.

Focus on compliance for PSPs

With the RPAA now fully in force, the Bank of Canada’s focus will likely shift from registering PSPs to ongoing compliance matters. Accordingly, PSPs should ensure they can demonstrate that their safeguarding of funds framework (if applicable) and their risk management and incident response framework meet the requirements of the RPAA and its regulations, as well as the Bank of Canada’s expectations in its guidance. While we may not see any significant enforcement action from the Bank of Canada in these early days, this could change as 2026 progresses. 

The change of control requirements under the RPAA are also starting to have an impact on transactions involving the acquisition of a PSP. Under the RPAA, an acquisition of control, defined as a direct or indirect acquisition of at least 33% of the voting shares of a PSP, triggers a requirement to submit a new application to the Bank of Canada for registration. PSPs will need to take into account the time to obtain registration approval in connection with a sale of the PSP or any equity issuances or sales that cross the threshold for approval.

On the positive side for PSPs, progress has been made towards allowing access to the Real-Time Rail (RTR) payment system to qualifying PSPs. Changes to the Canadian Payments Act that expand Payments Canada’s membership to registered PSPs, among others, are now in force. And as discussed in our Osler Update, Payments Canada published its Participation Guide for Payment Service Providers [PDF] which outlines eligibility criteria, the pathway to participation in the RTR and the technical, operational and business requirements for RTR participants. While the RTR is not yet fully operational, testing has commenced and will continue throughout 2026. Interested PSPs should take advantage of the coming year to assess preparedness for participation and plan for the necessary resource allocation and technical developments.

Accelerated innovation is occurring with respect to payments and the use of stablecoins in particular, and blockchain-based ledgers as a means of facilitating international payments is expanding. For example, SWIFT, along with a group of more than 30 global financial institutions, is working on such a ledger. This increased activity has captured the attention of the federal government. The government announced its intent in Budget 2025 to regulate the issuance of fiat-backed stablecoins by non-prudentially regulated issuers and to amend the RPAA to enable the regulation of PSPs that carry out payment functions using prescribed stablecoins. Further detail regarding stablecoin adoption and acceleration are contained in our Osler Legal Outlook article.

Artificial intelligence

OSFI’s final Guideline E-23 – Model Risk Management is scheduled to come into force on May 1, 2027. Banks, federally regulated insurance companies, and trust and loan companies (FRFIs) will need to turn their focus in 2026 to the development and rollout of revised model risk management frameworks that cover the use of artificial intelligence and machine learning (AI/ML) models throughout the model lifecycle. A key challenge will be operationalizing the guideline’s requirements for third-party “black box” models, where limited transparency into underlying algorithms or data inputs complicates compliance. FRFIs will need to structure their third-party model governance in a way that reflects their risk appetite and aligns with OSFI’s expectations for third-party risk management under OSFI Guideline B-10.  

We expect to see more enhanced AI/ML-related due diligence processes and discussions regarding contractual controls over and practical limitations on data and assumptions used in third-party model development. To date, OSFI’s focus on AI/ML has been aimed at model risk. In light of other rapidly evolving AI/ML regulatory developments both domestically and internationally, such as ethical AI standards and emerging global AI governance frameworks, we will wait to see if OSFI broadens its regulatory focus. Regardless, the year 2026 will be a critical period, as FRFIs navigate the complexities of operationalizing E-23 while aligning with other broader regulatory and technological trends in AI governance.

Further discussion regarding adoption of AI is found in our Osler Legal Outlook articles regarding agentic AI and copyright and AI.

A rapidly changing landscape to be carefully monitored

In 2026 and beyond, the Canadian financial services industry will need to navigate an increasingly complex regulatory landscape marked by intensified enforcement, evolving compliance requirements and the integration of new technologies. Whether addressing increased enforcement trends, ensuring compliance or operationalizing new requirements, financial services providers must prioritize robust risk management and governance frameworks in the face of heightened regulatory expectations.