Canada’s Financial Transactions and Reports Analysis Centre (FINTRAC) imposed a record-breaking fine of C$176.96 million approximately US$126 million on Xeltox Enterprises Ltd., the British Columbia-based company operating the cryptocurrency exchange Cryptomus formerly known as Certa Payments Ltd..
This penalty marks the largest ever issued by FINTRAC for violations of the Proceeds of Crime and Terrorist Financing Act (PCMLTFA), highlighting escalating regulatory scrutiny on Canada’s rapidly growing virtual currency sector.
FINTRAC identified multiple systemic failures in Cryptomus’s anti-money laundering (AML) and counter-terrorist financing (CTF) compliance program, including: Failure to Report Suspicious Transactions.
Register for Tekedia Mini-MBA edition 19 (Feb 9 – May 2, 2026): big discounts for early bird.
Tekedia AI in Business Masterclass opens registrations.
Join Tekedia Capital Syndicate and co-invest in great global startups.
Register for Tekedia AI Lab: From Technical Design to Deployment (next edition begins Jan 24 2026).
The exchange did not submit suspicious transaction reports (STRs) for 1,068 instances in July 2024 involving known darknet markets and virtual currency wallets linked to criminal activity. These included high-risk crypto transfers exceeding C$10,000 that should have been flagged under PCMLTFA requirements.
Between July 1 and December 31, 2024, Cryptomus failed to report 7,557 electronic funds transfers originating from Iran, in violation of sanctions reporting obligations. The company lacked complete and effective policies for ongoing client monitoring, “know-your-client” (KYC) verification, and risk assessments. This created vulnerabilities allowing potential exploitation by illicit actors.
Under PCMLTFA, crypto exchanges like Cryptomus are classified as money services businesses (MSBs) and must maintain records, verify client identities, and report specified transactions to FINTRAC to combat money laundering and terrorist financing.
FINTRAC emphasized that the virtual currency industry’s expansion amplifies risks of sanctions evasion and illicit finance, underscoring the need for robust compliance controls to protect Canada’s financial system. Industry observers note this fine aligns with a global trend of stricter enforcement, contrasting with generally improving compliance among other Canadian crypto operators.
The Proceeds of Crime and Terrorist Financing Act (PCMLTFA) is Canada’s primary legislation aimed at preventing money laundering and terrorist financing. Administered by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), it imposes specific obligations on regulated entities, including cryptocurrency exchanges classified as money services businesses (MSBs).
Registration with FINTRACMSBs, including crypto exchanges, must register with FINTRAC before conducting business. Registration involves providing detailed information about the business, its owners, and compliance officers, with renewals required every two years.
Compliance Program Entities must establish a robust anti-money laundering (AML) and counter-terrorist financing (CTF) compliance program, including: Appointing a Compliance Officer: A designated individual responsible for overseeing AML/CTF measures.
Written Policies and Procedures: Documented guidelines to detect, prevent, and report suspicious activities. Evaluate the risk of money laundering and terrorist financing based on clients, services, and geographic exposure.
Ongoing training for staff to recognize and handle suspicious transactions. Regular audits at least every two years to ensure the compliance program remains effective. Verify the identity of clients for transactions meeting specific thresholds using government-issued ID or other reliable documents.
Continuously monitor client activities to identify suspicious patterns or changes in risk profiles. Identify and apply enhanced due diligence for PEPs and their associates, who pose higher risks due to their influence.
Maintain detailed records for at least five years, including: Client identification documents. Transaction details such as amount, date, parties involved. Large cash transaction records of C$10,000 or more. Receipts of funds and account statements. Records must be readily accessible for FINTRAC audits.
Entities must submit specific reports to FINTRAC within prescribed Report transactions suspected of being linked to money laundering or terrorist financing, regardless of the amount, within 30 days of detection.
Report cash transactions of C$10,000 or more within 15 days. Report international electronic transfers of C$10,000 or more within 5 business days. Report transactions involving jurisdictions or entities subject to Canadian sanctions (e.g., transfers from Iran, as in the Cryptomus case).
Screen clients and transactions against sanctions lists. Report any transactions involving sanctioned jurisdictions or individuals immediately. For virtual currency transfers, MSBs must include originator and beneficiary information with the transfer, similar to traditional wire transfers.
Ensure receiving entities are compliant with equivalent regulations. Failure to meet PCMLTFA requirements can result in fines, as seen in the Cryptomus case C$176.96 million for multiple violations. Fines up to C$2 million, imprisonment up to 5 years, or both for willful violations.
Public naming of violators and potential loss of operating licenses. Cryptomus was fined for failing to: Submit 1,068 STRs for suspicious crypto transactions linked to darknet markets. Report 7,557 electronic transfers from Iran, violating sanctions rules.
Maintain an adequate compliance program, including KYC and risk assessment failures. The PCMLTFA ensures Canada’s financial system is protected from illicit activities, with crypto exchanges facing heightened scrutiny due to their vulnerability to misuse.
Earlier in 2025, Cryptomus was also banned from trading securities in British Columbia by the provincial regulator. No response from Cryptomus has been publicly detailed, but the penalty serves as a stark warning to the sector.