Mortgage administrators, brokers, and lenders became FINTRAC reporting entities on October 11, 2024. The first year was education. Year two is examination season. Penalties reach $100,000 per missing program element and up to $500,000 for very serious entity violations. This is the complete year-two compliance picture.
On October 11, 2024, Canada's mortgage sector formally entered the federal anti-money-laundering regime. Mortgage administrators, mortgage brokers, and mortgage lenders became reporting entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), subject to the same framework that has applied to banks, credit unions, and money services businesses for decades. The first year was structured as an education window. The second year, now underway, is examination season.
Penalties for non-compliance are not abstract. The administrative monetary penalty (AMP) framework permits FINTRAC to impose penalties of up to $100,000 for each missing element of a compliance program, with statutory ceilings up to $500,000 for very serious violations by an entity. The PCMLTFA amendments that received Royal Assent on March 26, 2026 raise that ceiling materially further, with new authority permitting penalties up to 40 times prior maximums for prescribed violations. The British Columbia Lottery Corporation faced a $1,075,000 penalty for administrative deficiencies; equivalent enforcement against mortgage sector entities is not a hypothetical.
This guide covers the full PCMLTFA framework for Canadian mortgage administrators, brokers, and lenders: who is covered, what every entity must have in place, how FINTRAC examines the sector, where compliance most often fails, and how deepidv's verification engine and agentic compliance suite compresses the heaviest part of the mortgage compliance load into one click per applicant.
If you are a mortgage administrator, broker, or lender in Canada, you are a reporting entity. You must maintain a written AML/ATF compliance program with senior-officer approval, conduct a risk-based assessment, verify client identity using FINTRAC-prescribed methods, establish and monitor business relationships, file STRs without delay when grounds exist, file LCTRs for cash payments of $10,000 CAD or more, file LVCTRs for virtual currency transactions over $10,000, retain records for five years, commission an independent effectiveness review at least every two years, and train every employee whose role touches an AML control. The education year is over. Mortgage sector examinations have started.
The October 11, 2024 effective date brought Canada into closer alignment with Financial Action Task Force (FATF) expectations. For most of the prior decade, non-bank mortgage lending in Canada grew faster than the regulated population that covered it, creating an enforcement gap that FATF and domestic policy reviews had repeatedly flagged. Real estate is one of the primary destinations for laundered funds, and mortgages are the financial instrument that most often carries those funds into the formal financial system.
The October 2024 amendments were the most significant expansion of PCMLTFA coverage since the 2008 inclusion of real estate brokers. The March 26, 2026 amendments extended that expansion materially. The penalty regime now includes the ability for FINTRAC to impose compliance orders, mandatory compliance agreements, and increased maximum penalties calibrated to the seriousness of the violation. FINTRAC also gained expanded information-sharing powers with domestic and international counterparts, tightened rules on politically exposed persons and heads of international organizations, and new obligations relating to virtual currency.
The Canadian Association of Private Lenders (CAPL) and several mortgage industry bodies have publicly argued that the AMP regime treats minor paperwork deficiencies with the same severity as intentional facilitation of financial crime. The legislative direction is set. Mortgage sector entities that operate on the assumption of regulatory leniency are exposing themselves to penalty multipliers that did not exist when their compliance programs were designed.
Provincial regulators continue to operate alongside the federal regime. British Columbia's Financial Services Authority (BCFSA) issued an advisory in November 2023 reminding mortgage registrants of the upcoming FINTRAC obligations. BCFSA's role under the BC Mortgage Brokers Act is separate from FINTRAC's federal authority; compliance with one does not satisfy the other. Mortgage brokers operating in BC must maintain both compliance tracks.
The PCMLTFA defines three sub-populations in the Canadian mortgage sector, all of which became reporting entities on October 11, 2024.
Mortgage administrators are persons or entities that, on behalf of another person or entity, collect mortgage payments, monitor compliance with mortgage agreements, manage mortgage portfolios, or otherwise administer mortgage transactions. The administration role does not require origination authority; it covers any entity that touches the operational handling of mortgages on behalf of holders.
Mortgage brokers are persons or entities that act as intermediaries between borrowers and lenders to arrange mortgage transactions. Brokers operate under provincial registration regimes (such as the BC Mortgage Brokers Act, Ontario's Mortgage Brokerages, Lenders and Administrators Act, and equivalent legislation in other provinces) and are now also subject to federal FINTRAC obligations.
Mortgage lenders are persons or entities that originate mortgages and lend the funds, whether or not they retain servicing. The lender definition covers both regulated financial institutions (already covered under previous PCMLTFA obligations through their banking license) and non-bank lenders that were previously outside the regime.
The non-bank lender expansion is particularly significant. Private lending, alternative lending, and mortgage investment corporations (MICs) had grown into a substantial share of Canadian mortgage origination by 2023, much of it outside any federal AML oversight. The October 2024 amendments closed that gap.
The seven core obligations that apply across all reporting entity categories apply with equal force to the mortgage sector, with some sector-specific implementation requirements.
The mortgage sector entity must maintain a compliance program approved by a senior officer (defined under the PCMLTFA regulations) and reviewed at appropriate intervals. The program must designate a compliance officer with the seniority and resources to fulfill the role. The compliance officer designation matters: FINTRAC examines whether the named individual is actually empowered or whether the designation is nominal. A part-time compliance officer with no operational authority is a finding waiting to happen.
The PCMLTFA requires a documented risk assessment that addresses products and services, geography, clients and business relationships, and channels and intermediaries. Mortgage sector entities face several risk dimensions that other reporting entities do not, including the use of private financing structures, the role of mortgage agents and mandataries, and the higher money laundering risk profile of certain transaction patterns (cash-heavy refinancings, rapid serial refinancings, beneficial-ownership concerns, third-party involvement).
Identity verification must occur at PCMLTFA-defined trigger points. For mortgage sector entities, the primary triggers are account opening (the establishment of a business relationship) and certain transaction events. FINTRAC's methods guidance accepts documentary, credit file, dual process, reliance, and affiliate or agent methods. The verification must be reliable, proportionate to the risk, and properly documented.
The recordkeeping requirement extends to the supporting documents. Mortgage brokerages that scan applicant identity documents into the mortgage application file without retaining a separate, FINTRAC-compliant verification record may meet the application requirement but fail the PCMLTFA requirement. The two are distinct.
Mortgage brokerages routinely operate through licensed mortgage agents and sub-brokers acting as mandataries. The PCMLTFA permits mandataries to conduct identity verification on the brokerage's behalf, but the brokerage remains fully responsible for the verification and the supporting record. This requires a written agreement with each mandatary that addresses identity verification, documented oversight of mandatary verification work, and quality assurance sampling to confirm verifications meet FINTRAC standards.
The mandatary oversight obligation is one of the most consistently mishandled requirements in the mortgage sector. Brokerages assume that because a licensed agent conducted the verification, the obligation is met. FINTRAC examines whether the brokerage can demonstrate operational oversight of the agent's work. The absence of QA sampling is a near-guaranteed finding in any mandatary-heavy brokerage examination.
When a mortgage sector entity establishes a business relationship with a client (typically at account opening or at the initiation of a mortgage application), it must conduct periodic ongoing monitoring of that relationship based on a risk assessment. Ongoing monitoring covers refresh of client information, screening against updated sanctions and PEP lists, and review of transaction patterns for consistency with the established client profile.
The ongoing monitoring obligation is a continuous one. A one-time screen at account opening does not satisfy it. Manual ongoing monitoring across a mortgage book of any meaningful size is operationally infeasible. This is one of the highest-leverage technology investment cases in the mortgage compliance domain.
Mortgage sector entities must file:
Suspicious transaction reports (STRs) without delay when reasonable grounds exist to suspect a transaction is related to money laundering or terrorist financing. The trigger is suspicion, not confirmed wrongdoing.
Large cash transaction reports (LCTRs) for any single cash payment of $10,000 CAD or more, or for two or more cash payments within 24 hours that aggregate to $10,000 or more.
Large virtual currency transaction reports (LVCTRs) for any virtual currency transaction in amounts of $10,000 or more in equivalent CAD value.
Terrorist property reports when applicable.
Across all sectors, 51 percent of penalized reporting entities had missed report filings. The mortgage sector is unlikely to be an exception. The STR trigger threshold (reasonable grounds to suspect) is lower than most front-line staff understand, and the systems for catching aggregation across multiple transactions are non-existent in most brokerages.
Every PCMLTFA-required record must be retained for five years and accessible to FINTRAC within 30 days of a request. The records include client information records, identification records, receipt-of-funds records, large cash transaction records, transaction logs, account opening records, business relationship records, and ongoing monitoring records.
The PCMLTFA requires an independent effectiveness review of the AML program at least every two years. The reviewer must be qualified, independent of the compliance officer, and authorized to examine the full program scope (policies and procedures, risk assessment, training, ongoing monitoring, recordkeeping, and reporting). Over half of penalized reporting entities had no documented prescribed review.
The mortgage sector entity must train every employee whose role touches an AML control. Training plans must document frequency, delivery method, and content scope. Training records must demonstrate completion by named individuals. Mortgage brokerages with high agent turnover face elevated training compliance risk because the onboarding-to-training-completion gap creates a window of operational exposure.
Mortgage sector examinations follow the same general framework as examinations of other reporting entity populations. The examiner issues a notification call, then a formal request letter, then conducts document review, interviews with the compliance officer and key staff, and a findings report.
The specific evidence requests for mortgage sector entities typically include: the complete written compliance program with senior-officer approval signature, the most recent risk assessment with supporting analysis, sample client identification records for a defined audit period, mandatary oversight documentation including QA sampling results, complete STR and LCTR submission logs, ongoing monitoring documentation for a sample of business relationships, training completion records by named individual, the most recent prescribed review report, and operational records for any near-threshold or unusual transactions.
The mandatary oversight question is unique to the mortgage sector and the real estate sector. Examiners ask: who actually conducted this identity verification, did the brokerage have a written agreement with that person, and what evidence does the brokerage have that the verification met FINTRAC standards? Brokerages that cannot answer all three questions for sample records face high-leverage findings.
The AMP framework permits FINTRAC to impose penalties of up to $100,000 per missing element of a compliance program, with statutory ceilings up to $500,000 for very serious violations by an entity. The March 26, 2026 amendments raise these ceilings substantially, with new authority permitting penalties up to 40 times prior maximums for prescribed violations.
Penalty stacking is a structural feature of the regime. A mortgage brokerage with weak recordkeeping, an inadequate risk assessment, missing prescribed reviews, and missed STR filings can face multiple penalty assessments for each category. The cumulative penalty exposure for a brokerage with broad program deficiencies is significantly higher than any single violation.
Industry-specific AMPs in the mortgage sector have not yet been published in volume because the population only became reporting entities in October 2024. The trajectory across adjacent sectors is the leading indicator. Real estate broker penalties averaging $110,000 per case, MSB penalties in the seven-figure range, and the recent expansion of FINTRAC's authority all suggest that mortgage sector penalties will follow a similar curve.
Insurance products from D&O carriers do exist that can cover legal defense costs associated with FINTRAC investigations, but they do not cover the underlying AMPs. The carrier-side analysis treats FINTRAC penalty exposure as a quantifiable risk factor for mortgage sector insureds.
Four failure modes account for the majority of mortgage sector compliance exposure.
Manual remote applicant identification is the primary failure source. Mortgage applications are overwhelmingly digital and remote. The applicant uploads a scanned identity document. A mortgage agent reviews the image visually. The application proceeds. There is no facial biometric match, no liveness check, no deepfake document forensics, no automated screening. The recordkeeping requirement is technically met by retaining the scan, but the verification quality cannot withstand examination scrutiny.
Deepfake document attempts on mortgage applications surged in 2025-2026, with deepidv data showing a 30 percent year-over-year increase in detected synthetic identity attacks against mortgage applicants. The visual review process has effectively no defense against contemporary synthetic identity tooling.
Mandatary oversight gaps are the second most common failure. Brokerages assume that licensed mortgage agents conducting verification on their behalf are operating in compliance with PCMLTFA standards. FINTRAC asks for the QA sampling evidence and finds it absent.
Inadequate ongoing monitoring is the third common failure. The PCMLTFA requires periodic monitoring of business relationships, calibrated to risk. Manual ongoing monitoring is operationally infeasible at any meaningful scale. Most brokerages have no defensible ongoing monitoring program in place.
Prescribed review gaps are the fourth failure mode. The two-year independent review is straightforward and inexpensive relative to the cost of the finding it prevents. Brokerages that have not yet commissioned a first prescribed review since the October 2024 effective date are now overdue.
deepidv automates the most labor-intensive parts of mortgage sector FINTRAC compliance: client identity verification, mandatary oversight, and ongoing monitoring.
A single secure link sent to the applicant captures government-issued ID from any of 211 countries through the deepidv verification engine. The verification runs facial biometric matching with active liveness detection, deepfake document forensics, sanctions and PEP screening, and adverse media checks. The result is a cryptographically signed verification record retained for the five-year PCMLTFA window with proof of integrity at proof.deepidv.com.
For brokerages with mortgage agents and mandataries, the deepidv platform provides centralized oversight with per-agent audit trails, automated QA sampling tools, and exception-only review workflows. The brokerage compliance officer sees who conducted each verification, when, and whether the verification quality met internal QA thresholds. The mandatary oversight question that has tripped up so many mortgage brokerages becomes structurally answered, because every verification has an attributable owner and a complete record.
Ongoing monitoring is automated through Arbiter, deepidv's risk engine. Arbiter continuously screens the brokerage's client base against updated sanctions lists, PEP changes, adverse media, and risk events. The compliance officer reviews flagged events rather than chasing a manual screening calendar. For STR drafting, Luna (the deepidv AI compliance co-pilot) drafts initial SAR/STR narratives that the compliance officer reviews and submits.
Five-year recordkeeping is automatic. Every verification, every screening result, every ongoing monitoring event, every transaction log is retained with cryptographic provenance.
For brokerages preparing for their first FINTRAC examination, the deepidv Back Office produces the examiner-facing evidence package: complete client identification records, mandatary attribution with QA sampling results, ongoing monitoring documentation, training completion rosters, prescribed review export, STR and LCTR submission logs, and policy-document trail with version control.
deepidv is the verification engine and agentic compliance suite for mortgage administrators, brokers, and lenders that need their AML program to survive the first FINTRAC examination with zero findings.
Q: My brokerage has mortgage agents in multiple provinces. Does the PCMLTFA apply uniformly? A: Yes. The PCMLTFA is federal legislation that applies uniformly across Canada regardless of provincial registration regime. Provincial obligations (under BC's Mortgage Brokers Act, Ontario's MBLAA, etc.) apply alongside the federal PCMLTFA but do not replace it.
Q: Are private mortgage lenders covered if they operate through a Mortgage Investment Corporation (MIC)? A: Yes. The mortgage lender definition under the PCMLTFA covers any person or entity that originates a mortgage and lends the funds, regardless of the corporate vehicle. MICs that originate mortgages are subject to the framework.
Q: What is the difference between a mortgage broker and a mortgage administrator under the PCMLTFA? A: A broker arranges mortgage transactions between borrowers and lenders. An administrator collects payments and manages portfolios on behalf of holders. Some entities perform both functions, in which case all relevant obligations apply.
Q: Does identity verification at the brokerage satisfy the requirement, or do downstream lenders also need to verify? A: Each reporting entity has its own identification obligation. A lender taking a mortgage origination from a broker may rely on the broker's identity verification under FINTRAC's reliance method, provided the lender meets the conditions of that method (including a written agreement and accessibility of the broker's records).
Q: How often must ongoing monitoring of business relationships occur? A: The PCMLTFA requires monitoring at a frequency calibrated to the risk of the business relationship. Higher-risk relationships require more frequent monitoring. The methodology must be documented in the brokerage's compliance program and applied consistently.
Q: What happens when an STR is filed during a live application? A: The brokerage continues to process the application unless other legal grounds exist to halt it. The STR is filed in parallel; tipping off the client about the STR is a criminal offense under the PCMLTFA. The application decision proceeds based on the brokerage's commercial criteria.
Go live in minutes. No sandbox required, no hidden fees.
From AMLD6 to state-level FinTech regulations, the compliance landscape for identity verification is shifting rapidly. Here is what your compliance team needs to know.
Generative AI has broken the assumptions underlying most identity frameworks. Regulators are responding with new rules, and the industry must adapt. Here is the current state of AI identity regulation worldwide.
The global AML regime generates more false positives than it catches genuine money laundering. Here is why static rule-based monitoring fails — and what AI-driven approaches change.
