FinCEN's record $80M penalty on Canaccord (6 March 2026) exposed gamed trade surveillance and 160 unfiled SARs. What the broker-dealer case means for AML teams.
Table of contents
Canaccord Genuity took a record $80 million FinCEN penalty on 6 March 2026, the largest ever against a broker-dealer, for years of gamed trade surveillance and at least 160 unfiled suspicious activity reports. The order is the clearest signal yet that regulators judge an AML programme by what it catches, not by what its manual says.
- The $80 million FinCEN penalty against Canaccord Genuity, announced on 6 March 2026, is the largest the agency has ever imposed on a broker-dealer for Bank Secrecy Act violations.
- The conduct ran from March 2018 to June 2024, while Canaccord was one of the most active market makers in over the counter microcap and penny stocks.
- FinCEN found trade surveillance was "intentionally narrowed" to reduce the number of flagged transactions, and that the firm failed to file at least 160 suspicious activity reports.
- The penalty splits into $35 million to the Treasury, $20 million credited each to the SEC and FINRA, and $5 million suspended pending a SAR lookback; the SEC added a separate $20 million penalty and a censure.
- By November 2025 Canaccord had exited its US over the counter wholesale market making business.
What did FinCEN actually find?
On 6 March 2026 the Financial Crimes Enforcement Network announced a historic penalty against Canaccord Genuity, the US broker-dealer arm of the Canadian group, for wilful violations of the Bank Secrecy Act between March 2018 and June 2024. FinCEN found that the firm did not develop and maintain an effective anti money laundering programme, did not conduct required due diligence on correspondent accounts for foreign financial institutions, and failed to file at least 160 suspicious activity reports. Crucially, Canaccord admitted the conduct was wilful and that it continued despite repeated SEC examination findings flagging the same deficiencies. The firm's own surveillance, in FinCEN's words, was "intentionally narrowed" to cut the number of flagged transactions. That single finding is why this is a record FinCEN penalty rather than a routine fine.
| Element | Detail | Source |
|---|---|---|
| FinCEN civil money penalty | $80 million (record for a broker-dealer) | FinCEN |
| Payable to the US Treasury | $35 million | FinCEN |
| Credited for SEC and FINRA payments | $20 million each | FinCEN |
| Suspended pending a SAR lookback | $5 million | FinCEN |
| Separate SEC penalty | $20 million plus a censure | SEC |
| Conduct period | March 2018 to June 2024 | FinCEN |
| Unfiled suspicious activity reports | At least 160 | FinCEN |
How did the failures happen inside the firm?
The mechanics matter more than the number, because they are the part other firms can repeat. Canaccord ran a high risk line of business, OTC market making in low priced microcap and penny stocks, exactly the corner of the market where pump and dump and wash trading concentrate. Its trade surveillance generated reports on that activity, but those reports were often left unreviewed, were stripped of critical data elements, and were deliberately tuned to surface fewer alerts. One customer whose account stayed open at the firm was later barred from the penny stock industry by the SEC for his role in microcap fraud. This is not a story about a missing policy. The firm had monitoring, then quietly narrowed it until it stopped producing inconvenient work. A control that is configured to see less is worse than no control, because it manufactures false comfort and a paper record of diligence that never happened.
What does this change for your AML obligations?
The order maps onto specific Bank Secrecy Act duties, and each one is a question a compliance team should now be able to answer with evidence. First, AML programme effectiveness: you must be able to show the programme detects and reports the typologies in your actual book, not that a document exists. Second, suspicious activity reporting: unreviewed alerts and narrowed thresholds do not discharge the SAR obligation, and a backlog becomes a lookback. Third, correspondent account due diligence: the BSA requires enhanced diligence on foreign financial institution accounts, and Canaccord was penalised for skipping it. Fourth, surveillance integrity: tuning a model to reduce alert volume, without a documented risk rationale, now reads as concealment rather than calibration. The throughline is that all four rest on knowing your customer well enough to recognise abnormal activity, the same foundation that decentralised KYC and credible transaction monitoring are built on.
What is still uncertain or at risk?
Several things are unresolved, and they are where the exposure sits. The wilfulness finding is the multiplier: because Canaccord ignored repeated examination findings, FinCEN treated the conduct as deliberate, which is what pushed an ordinary programme gap into a record FinCEN penalty. That precedent puts every firm sitting on unremediated exam findings at sharper risk, because the same wilfulness logic could turn their own backlog into a comparable FinCEN penalty. The $5 million SAR lookback is open ended in practice, since the scope, period and cost of reconstructing years of missed reports are rarely known in advance, and the firm pays twice, once for the original gap and once to rebuild it under supervision. There is also individual accountability to watch, as surveillance that was "intentionally narrowed" implies decisions by named people, not an abstract system. And there is a market wide question: other active OTC market makers now have to ask whether their own alert tuning would survive the same scrutiny. The safe assumption is that it would not unless every threshold change carries a written, risk based justification.
How does $80 million compare, and why is it a milestone?
For years the working assumption in parts of the securities industry was that serious AML enforcement was a banking problem, and that a broker-dealer with a written programme had done enough. The FinCEN penalty ends that assumption. At $80 million it is, by FinCEN's own account, the largest ever imposed on a broker-dealer for Bank Secrecy Act violations, and it was paired with SEC and FINRA actions so the firm faced all three of its regulators at once. A FinCEN penalty delivered alongside parallel SEC and FINRA orders is a coordinated message to the whole sector, not a one regulator warning shot. The consequence was not only financial. By November 2025 Canaccord had wound down its US OTC wholesale market making business and shrunk its trade execution arm, which shows that an AML failure of this kind can end a line of business, not merely tax it. For a compliance leader the benchmark is simple: the cost of effective monitoring is now plainly smaller than the cost of a programme that looks effective and is not.
How should compliance teams respond?
The practical steps are concrete. Treat any unremediated examination finding as a live enforcement risk and close it on a documented timeline. Never tune a surveillance threshold to reduce alert volume without a written, risk based rationale that an examiner could read. Concentrate monitoring on your highest risk products rather than spreading it evenly. Keep a complete, exportable audit trail so you can evidence what was reviewed, when, and why, because the cheapest defence against a lookback is having the history ready. And ground all of it in identity: monitoring is only as good as the customer record beneath it. This is the model Zyphe is built for, with identity verified by reading the NFC chip to ICAO 9303 and eIDAS standards, a reusable credential rather than a stored honeypot, and an exportable audit trail on every check. You can see the flow on the how it works page, or book a demo to test it against your own onboarding and monitoring.
The bottom line
The Canaccord order is a record number, but its lasting weight is the standard it sets. A FinCEN penalty of this size, built on a wilfulness finding and gamed surveillance, says that a programme is judged by what it detects and reports, and that quietly tuning controls to see less is now read as concealment. Firms that remediate findings promptly, justify every threshold change, and keep a defensible, exportable audit trail grounded in verified identity will be ready for the examination Canaccord failed, rather than rebuilding the record under a lookback.
Cited sources
- FinCEN assesses historic $80 million penalty against Canaccord Genuity (FinCEN news release)
- Canaccord Genuity consent order No. 2026-01 (FinCEN, PDF)
- FinCEN imposes record penalty on a broker-dealer: compliance lessons, Holland & Knight
- FinCEN, SEC and FINRA assess an $80 million penalty against a broker-dealer, Paul, Weiss
Michelangelo Frigo(Co-Founder at Zyphe)Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.