FINTRAC Penalty on Necosmart: MSB and Virtual Currency Lessons

FINTRAC's May 14, 2026 penalty against 13010431 Canada Inc., operating as Necosmart, is worth reading as more than another enforcement headline. It is a useful advisory for money services businesses that touch virtual currency, high-risk customers, and suspicious transaction reporting.

Following a compliance examination, FINTRAC imposed a $693,742.50 administrative monetary penalty on the Edmonton, Alberta MSB on March 27, 2026. The public release names five violation areas: suspicious transaction reports, written policies and procedures, enhanced measures for high-risk transactions and clients, documented risk assessment, and virtual currency exchange transaction ticket records.

That combination matters. This is not a narrow technical registration case. It connects the front end of compliance, where activity is detected and assessed, to the back end, where records and reports need to be complete enough to survive an examination.

What FINTRAC found

FINTRAC says Necosmart committed five administrative violations. Each one maps to a control that should be visible in a working MSB compliance program.

Suspicious transaction reporting: FINTRAC found failures to submit STRs on multiple separate occasions where there were reasonable grounds to suspect money laundering or terrorist activity financing.
Written policies and procedures: FINTRAC found that written compliance policies and procedures were not developed and applied in the required way, including being kept current and approved by a senior officer for an entity.
High-risk measures: FINTRAC found failures related to enhanced measures for high-risk transactions and clients.
Risk assessment: FINTRAC found a failure to assess and document money laundering and terrorist financing risk while considering prescribed factors.
Virtual currency exchange records: FINTRAC found a failure to keep sufficient occupation and transactional information for virtual currency exchange transaction tickets.

For MSBs, the lesson is not simply "file reports." The lesson is that FINTRAC expects a coherent chain of evidence: risk rating, monitoring, escalation, decisioning, reporting, and records that explain why the business acted, or why it did not.

STR failures remain the sharpest edge

Suspicious transaction reporting sits at the centre of this case. FINTRAC's quick facts repeat a point it has made often: STRs are critical to the Centre's ability to generate actionable financial intelligence for law enforcement and national security partners.

Operationally, STR quality depends on what happens before the report is drafted. A team needs enough transaction context to identify suspicious patterns, enough client context to understand why the activity is unusual, and a review workflow that keeps reasonable grounds to suspect from getting stuck in an inbox or spreadsheet.

If alerts are reviewed but the rationale is thin, the organization is exposed. If staff escalate concerns but there is no documented decision, the organization is exposed. If a risk indicator is known but does not flow into STR triage, the organization is exposed. The Necosmart release is a reminder that the STR process has to be managed as an evidence trail, not just as a final submission form.

Virtual currency records are a data-quality problem first

The virtual currency exchange ticket finding is also important. FINTRAC specifically points to insufficient occupation and transactional information. That type of issue usually begins upstream, in onboarding, transaction capture, or the handoff between product systems and compliance records.

For virtual currency MSBs, the practical question is simple: can your team reconstruct the transaction and the client context without asking five people to search five systems? If occupation, transaction details, client risk, wallet or counterparty context, and review notes live in disconnected places, recordkeeping becomes fragile.

This is where automation helps only if it is configured around the obligation. Pulling data into a workflow is not enough. The workflow needs to force the right fields, flag missing information, preserve reviewer decisions, and make exportable evidence easy to produce when FINTRAC asks.

Related Comply+ resources: If you are reviewing MSB or virtual currency reporting controls after this release, these pages are the fastest next step.

MSB reporting workflowsCrypto and virtual currency complianceFINTRAC AMP penalty schedule

High-risk controls need to show their work

FINTRAC also cited enhanced measures for high-risk transactions and clients. This is where many programs look stronger in policy than they do in practice. A risk assessment may say that certain activity is high-risk, but the examination question is whether that rating changed the actual treatment of the client or transaction.

Stronger evidence looks like this: a documented risk trigger, a higher review threshold, enhanced due diligence notes, approval or rejection logic, monitoring intensity, and a clear link between the risk and the final reporting decision. If high-risk treatment is only a label, it will not do much under review.

The timing is notable, but the release does not answer every framework question

FINTRAC says the penalty was imposed on March 27, 2026. That is one day after Bill C-12 received Royal Assent and introduced changes to the administrative monetary penalties framework. The release does not state which violation dates were in scope, and FINTRAC has separately said review periods will be scoped within the applicable legislative framework.

So the right takeaway is careful, not dramatic: reporting entities should track dates cleanly. For examinations around the March 26, 2026 transition, records should make it clear when activity occurred, when controls changed, when reports were assessed, and when remediation was implemented.

For more on that transition, see our overview of the Bill C-12 AMP framework changes.

What MSBs should check this week

Review recent STR decisions. Sample alerts that were closed, escalated, or reported. Look for clear rationale, timestamps, reviewer ownership, and supporting client or transaction context.
Test high-risk handling. Pick high-risk clients and transactions, then verify whether enhanced measures actually changed monitoring, review, approvals, or reporting decisions.
Check virtual currency exchange ticket completeness. Confirm that occupation and transactional information are captured consistently and can be retrieved without manual reconstruction.
Refresh policies against actual workflows. The written policy should match how the team really detects, escalates, reviews, submits, and records activity.
Rebuild the risk assessment evidence trail. Make sure prescribed risk factors are documented, connected to controls, and reviewed when products, geography, client types, or transaction channels change.

Bottom line

The Necosmart penalty is a strong advisory for MSBs because it joins together the pieces that often drift apart: STR judgment, high-risk treatment, risk assessment, policy governance, and virtual currency recordkeeping. FINTRAC is not only looking for a compliance program that exists. It is looking for one that produces usable evidence.

If your team cannot quickly show how suspicion, risk, records, and reporting decisions connect, the control is probably not as strong as it looks on paper.

FINTRAC Penalty on Necosmart: STR Failures, High-Risk Controls, and Virtual Currency Records