FINTRAC Issues Record $176.9 Million Penalty to Xeltox Enterprises (Cryptomus) — a Compliance Case Designed to Send a Message

October 22, 2025 — Ottawa. FINTRAC has issued one of the most severe enforcement actions in its history — a $176,960,190 administrative monetary penalty (AMP) against Xeltox Enterprises Ltd., operating under the name Cryptomus, a British Columbia–registered company providing virtual currency services.

The penalty covers 2,593 separate violations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated regulations. Unlike typical fines that can be negotiated or paid, this magnitude of penalty effectively signals regulatory termination — an administrative measure that ensures the business cannot viably continue operations within Canada's financial system.

The Case: A Virtual MSB Without a Canadian Presence

Xeltox Enterprises, incorporated in British Columbia, claimed to operate from Suite 170, 422 Richards Street in Vancouver — an address linked to a mailbox service. During FINTRAC's compliance examination in March 2025, the company's representatives communicated from Uzbekistan and Spain, and FINTRAC confirmed no employees were based in Canada.

Despite being registered as a Money Services Business (MSB), Xeltox appeared to operate entirely offshore, while servicing clients in Canada — a pattern increasingly under FINTRAC scrutiny.

The Violations: 2,593 Contraventions Across Six Categories

The scale and nature of violations committed by Xeltox demonstrate widespread and systemic non-compliance:

1. Failure to Report 1,068 Suspicious Transactions

Xeltox failed to submit reports on transactions tied to darknet markets, ransomware laundering, child exploitation material, and sanctioned jurisdictions. This includes transactions directly linked to ASAP Market, Mega Darknet Market, Blacksprut Market, and OMG!OMG! Market.

FINTRAC noted that Xeltox ignored "known indicators" of criminal activity, including wallet addresses linked to OFAC sanctions and darknet marketplaces.

2. Failure to Comply with the Ministerial Directive on Iran

The company failed to report 7,557 transactions involving Iranian sources or destinations, in breach of FINTRAC's Ministerial Directive on Financial Transactions Associated with the Islamic Republic of Iran. Such directives are non-negotiable obligations intended to protect Canada's financial system from exposure to global sanctions evasion networks.

3. Failure to Maintain a Written Compliance Program

Xeltox's AML policies were nonexistent or copied boilerplate, lacking coverage for essential areas such as business relationships, KYC, PEP screening, travel rule requirements, and suspicious transaction reporting.

4. Failure to Assess and Document AML/ATF Risks

The company had no risk-based approach, no documented assessments of client types, delivery channels, geography, or exposure to high-risk jurisdictions.

5. Failure to Maintain Accurate MSB Registration Data

Xeltox's registration details were inaccurate and outdated — including wrong email addresses, phone numbers, and business activity declarations.

6. Failure to Report 1,518 Large Virtual Currency Transactions (LVCTRs)

Why This Penalty Is Different

At $176.9 million, this AMP dwarfs previous FINTRAC penalties — including the $19.5 million penalty against KuCoin (Peken Global Ltd.) earlier this year.

This case appears less about cost recovery and more about regulatory deterrence:

• The volume of unreported high-risk activity suggests willful disregard rather than administrative error.
• The lack of a Canadian operational footprint indicates an attempt to exploit jurisdictional gaps.
• The imposition of a near-unpayable penalty serves as a clear signal: non-compliant offshore crypto platforms will be removed from the Canadian market by enforcement, not negotiation.

This marks a turning point in Canada's AML regime — especially for virtual asset service providers (VASPs) and foreign MSBs serving Canadian clients without proper oversight.

Key Lessons for Canadian and Foreign MSBs

The Xeltox case demonstrates how quickly a compliance breakdown can escalate from technical violations to existential consequences.

Here are practical takeaways for regulated entities:

1. If You Serve Canadians, You're Subject to Canadian Law

Geography offers no protection. FINTRAC's jurisdiction extends to any business directing services at Canadian clients, regardless of where servers, staff, or executives are located.

2. Automated Reporting Is Non-Negotiable

Manual reporting through FINTRAC's FWR (web-based reporting tool) is prone to error — especially for Large Virtual Currency Transaction Reports (LVCTRs), which the system does not automatically validate. An automated FINTRAC API connection drastically reduces risk.

3. Ministerial Directives Carry Enforcement Teeth

Ignoring a directive (such as the one concerning Iran) is treated as a Very Serious Violation — comparable to failing to report suspicious transactions.

4. Failure to Maintain MSB Registration = Regulatory Blindness

Outdated or inaccurate registration information is viewed as deliberate opacity. FINTRAC considers this a material impediment to compliance oversight.

5. Policy Templates Don't Cut It Anymore

Compliance programs must reflect real operations, customers, and risk exposure. Generic or unimplemented policies signal non-compliance by default.

The Bigger Picture: Enforcement by Design

The magnitude of this AMP — one that cannot realistically be paid — represents a shift from corrective to exclusionary enforcement. Where a business repeatedly or willfully disregards Canada's AML framework, FINTRAC's penalty functions not as a deterrent but as a regulatory shutdown order through financial means.

Expect similar scrutiny toward unregistered or pseudo-foreign MSBs using mailbox addresses or minimal Canadian presence to access the market.

Ensuring Your Compliance Program Can Withstand FINTRAC Examination

Under recent legislative changes — including Bill C-2 — reporting entities now face:

• Increased penalties (up to $20M per entity, plus imprisonment for certain offences), and
• Broader inspection powers allowing FINTRAC to audit based on reasonable grounds to believe an entity falls under the PCMLTFA.

Compliance is no longer about best effort — it's about verifiable, auditable precision.

Final Thoughts

The $176.9 million penalty against Xeltox Enterprises represents a watershed moment in Canadian AML enforcement. This is not merely a fine — it's a regulatory termination order that effectively removes a non-compliant entity from the Canadian market.

For businesses operating in Canada's financial system, the message is clear: compliance is not optional, and the cost of non-compliance can be existential. The era of hoping regulators won't notice or that penalties can be negotiated is over.

With automated compliance solutions like Comply+, MSBs and VASPs can ensure they meet every FINTRAC requirement while focusing on growing their business in Canada's evolving financial landscape.