The Big Read

Fintrac was hacked a year ago. Businesses are still struggling with the fallout

The security breach at Canada’s anti-money-laundering agency has caused chaos for thousands of small businesses

By Claire Brownell
Photo: Illustration by Paul Kim for The Logic
Feb 24, 2025

At one of Canada’s many payments startups, the head of compliance has more than a decade of experience—and about 400 hours of data entry drudgery to complete in the next five weeks.

That’s how long the startup’s CEO estimates it will take to file the backlog of reports about its customers’ transactions that piled up during the five months the country’s anti-money-laundering agency was unable to process them. The agency took down its systems for security reasons after a March 2024 cybersecurity breach.

Talking Point

  • The effects of a cyber breach that hit Canada’s anti-money-laundering agency one year ago are still being felt by the thousands of small businesses newly responsible for filing suspicious transaction reports, many of whom are scrambling to meet a March 31 deadline for filing those that piled up while the system was down

Almost a year after it happened, the hack at Fintrac—the Financial Transactions and Reports Analysis Centre of Canada—is still causing chaos and stress for the country’s thousands of small financial services businesses. Some have had to scramble to convince banks to continue to do business with them. Others have been unable to operate at all.

The hack and its yearlong fallout have come at a time of unprecedented attention on Canada’s long criticized money laundering controls. Prime Minister Justin Trudeau has promised to work with the U.S. to prevent money laundering as part of a deal to delay the 25 per cent tariffs President Donald Trump threatened to impose on Canada. Meanwhile, the Canadian Bankers Association has called for an overhaul of Fintrac’s reporting system in the wake of TD Bank’s guilty plea in the U.S. over anti-money-laundering failures, and Canada is also about to undergo an international review of its system for fighting financial crime.

Fintrac has said the hack did not involve any classified systems and no data was stolen. Most systems have been back online since the fall of 2024, although some businesses and compliance consultants say they are still waiting for access.

Earlier this month, Fintrac informed businesses they have until March 31 to file their backlogged transaction reports or risk penalties, according to an email The Logic obtained.

The CEO of the payments startup, whom The Logic has agreed not to name because they are worried about damaging their company’s relationship with Fintrac, said they will be racing to file information that is now extremely out of date.

“It’s kind of pointless because … months later, those funds are gone,” they said. “A terrorist act, if it was planned, may have already happened.”

In an email, Fintrac spokesperson Erica Constant said any reporting delays resulting from the hack haven’t affected Canada’s large financial institutions—which are responsible for 96 per cent of the reports the agency receives—because they were able to continue to use a secure data feed. Fintrac has provided more than 2,400 disclosures to law enforcement since the cyber incident, up 35 per cent from the previous year, she said.

However, Suzanne Creighton, an anti-money-laundering consultant, said the year of havoc wreaked by the cyber breach demonstrates “something has gone drastically wrong” at Fintrac. She said she isn’t confident that the agency can effectively handle the deluge of backlogged reports coming its way.

“They’re going to get swamped,” she said. “I don’t think they can manage it.”

Fintrac requires that financial institutions and other money-processing businesses file reports, flagging transactions that are high in value or that raise red flags for potential criminal activity. The valuable data from these reports help law enforcement conduct investigations.

The digitization of money and commerce has made Fintrac’s job more complicated. Payments, a key function of the financial system that used to be the remit of banks, are increasingly processed by fintechs like PayPal and Stripe, as well as many smaller companies. The number of crypto-trading platforms operating in Canada exploded in the early 2020s as well.

To help the agency keep up with the changing economy and amid alarming reports of a growing money laundering problem in the country, the federal government greatly expanded the types of institutions that must report to Fintrac and the kinds of transactions they must flag. Casinos, jewelers, real estate brokers and others suddenly faced new obligations.

As a result, the number of firms registered with Fintrac as money-services businesses almost doubled from 2019 to 2021, from about 1,300 to just over 2,400, with about 2,800 now listed as being actively registered.

Ottawa further expanded Fintrac’s jurisdiction in response to the 2022 convoy protests against COVID-19 restrictions, which received high-profile financing from crowdfunding platforms and crypto. A wide range of payments firms then had to register as money-services businesses and file reports to the agency.

In 2024, the final phases of this mandate expansion were set to go into effect. The thousands of businesses newly falling under its jurisdiction were getting used to their nascent responsibilities.

Fintrac was also preparing an update to its tech platforms for registering businesses and collecting reports. In the best of circumstances, the spring of 2024 would have been a busy, challenging time for the agency.

Then, on March 2 of last year, the whole system went down.

It was a Saturday. Souzan Esmaili, CEO of the training and consulting firm Toronto Compliance & AML Enterprise, had her team working over the weekend on filings for a client. Fintrac’s reporting system was working unusually slowly. “We thought it was maybe a connection issue initially,” she said. The next day, when Fintrac issued a statement saying there had been a cyber breach, “We realized that, no, there has been an attack.”

Fintrac’s brief statement said the cyber breach did “not involve the centre’s intelligence or classified systems” and that the agency had “taken its corporate systems offline in order to ensure their integrity.” By the end of the month, Esmaili and her clients grew concerned about the backlog of reports that was piling up.

“It gave us chills in our bones that suspicious transactions were not getting reported,” she said. “What is going to happen? And is that going to have a snowball effect later on, on the whole country itself?”

In mid-April, the agency invited affected businesses and industry associations to a video call to learn about “our path forward for resumption of reporting,” according to an email obtained by The Logic. One participant, who shared detailed notes with The Logic, said the call began with 180 people, a number that continued to climb as it proceeded and that prompted the Fintrac staffers hosting it to express surprise at the turnout. (The Logic agreed not to name the participant because of the sensitivity of the private meeting.)

On the call, an official from the Canadian Centre for Cyber Security—a federal agency that’s part of the Communications Security Establishment—offered few details about the investigation. A “malicious actor” gained access they shouldn’t have had, they said, “causing damage” and prompting Fintrac to take down its reporting system while it worked on putting new security controls in place. Officials repeatedly stressed the hacker didn’t transfer any sensitive data. 

Because Fintrac was already planning to update its systems for submitting reports, an official said, the agency would wait until those new systems were ready before bringing everything back online. In the meantime, companies with access to a secure data feed—mostly large financial institutions—could keep using it. Officials told those without such access to file urgent reports about terrorism, child abuse and ongoing police investigations through Canada Post’s Epost system for sending secure electronic documents, and to keep the other records to file later.

Things would be “business as usual” for most organizations, an official said. Fintrac promised to be “reasonable” in its approach to organizations unable to file reports while the system was down.

For fintechs and small money-services businesses—whose ranks now included thousands of firms new to dealing with Fintrac, from accountants to armoured car operators, thanks to the agency’s expanded mandate—the ensuing months were anything but business as usual. 

Fintrac didn’t bring its web reporting system back online until late August, meaning many organizations had built up five and a half months’ worth of backlogged reports. The Logic spoke with nine executives and compliance consultants who said Fintrac’s communication during that period was poor. Confusion was rampant over how to file Epost reports, how to gain access to the secure data feed used by large financial institutions and what obligations applied to businesses that were unable to report at all, they said.

“While Fintrac has held various meetings and has published some updates on their website, overall communication has been lacking,” said David Vijan, CEO of the compliance consulting firm Outlier Solutions. “Small to midsize businesses in some sectors may have received even less communication on the incident.”

One compliance consultant, whom The Logic agreed not to name because of the sensitive nature of their work, said many small money-services businesses are not very technically savvy. Many were unable to invest the time and money necessary to access Fintrac’s secure data feed, which would have let them keep filing reports.

Some businesses considered leaving the country because of the headaches, the consultant said. “The backlog that needs to be dealt with created a lot of problems. A lot of businesses simply said, ‘I’m going to move out of Canada.’” Two other consultants said issues related to the hack delayed some firms’ plans to launch.

Meanwhile, Fintrac took another key system down for months as it worked to improve security and make updates following the breach: the online registry for money-services businesses, which lets firms apply for and renew their licences with the agency. That posed major problems for their relationships with banks, which would be running afoul of federal rules if they worked with companies that weren’t properly registered.

Joseph Iuso, executive director of the Canadian Money Services Business Association, said about 10 of his members told him their banks threatened to stop working with them—which would spell the end of their businesses—if they couldn’t prove their licences were in good standing with Fintrac. “‘The registry says you are supposed to renew in September. It’s now December. If you don’t get this sorted, we’re going to close your bank.’ I have heard that and I have seen it,” Iuso said, saying the issue was more common with foreign banks.

One executive at a Canadian fintech, whom The Logic agreed not to name, said they had to scramble to find a new bank to work with for a planned product launch. Their original bank backed out because the company couldn’t demonstrate its Fintrac licence was in good standing while the registry was down, the executive said. “It put the existence of that product at risk.” Fintrac did not answer The Logic’s questions about the issues with the registry or its impact on the businesses required to use it.

Fintrac brought its reporting and licensing systems back online in late August. Three executives and compliance professionals told The Logic the new reporting system is buggy and finicky. One consultant told The Logic a client had to re-file 200 reports because they checked the wrong box in the form.

The consequences of making a mistake can be harsh. “If it’s done incorrectly, it’s essentially as if you didn’t file,” one executive said. “You’ve got to get them right. It’s a tricky situation.” Fintrac did not answer The Logic’s questions about these complaints.

Three people told The Logic they aren’t confident Fintrac has the resources to analyze and act on the deluge of reports coming its way. There could be dire consequences to the reports—which might contain intelligence on human trafficking, drug cartel activity and terrorist financing—sitting in the electronic equivalent of a filing cabinet. Fintrac did not address these concerns when The Logic asked it for comment.

Fintrac is under pressure to get its affairs in order in advance of a review of the country’s financial crime controls by the Financial Action Task Force, an international body. The stakes of the review are high. Countries the task force deems insufficiently compliant with international standards are considered high risk, which could mean less foreign investment and more stringent due diligence on deals.

That looms over the future—but for small businesses up against the March 31 reporting deadline, the problems are here today. The CEO of the startup with an estimated 400 hours’ worth of work to do before the deadline is trying to get access to Fintrac’s secure data feed to automate some of the drudgery, while also trying their best not to make any mistakes using the new system.

“You can have your data,” they said. “But don’t expect me to hire three people to do this for you. That’s ridiculous.”

Correction: An earlier version said the head of compliance at the payments startup featured at the beginning of this story had a law degree. The story has been updated.

#cybersecurity #economy #fintechs #Fintrac #markets #money laundering #Tech
