Canadian regulators issued $25 million in penalties in a single year. Regulatory expert Harrison Jordan tells Dynamic Business why Australian startups face the same risk.
What’s happening: Regulatory enforcement against fast-growing companies is intensifying on both sides of the Pacific. In Canada, anti-money laundering regulator FINTRAC issued 23 notices of violation in 2025 totalling more than $25 million, according to Substance Law founder Harrison Jordan.
Why this matters: For Australian startup founders in fintech, payments, crypto and adjacent sectors, the regulatory environment has shifted. By February 2025, AUSTRAC had already taken action against 13 crypto remittance and digital currency exchange providers, with over 50 more under investigation.
There is a version of startup success that ends not with an acquisition or an IPO, but with a letter from a regulator. For founders in fintech and payments, that scenario is becoming less theoretical.
Harrison Jordan, Founder of Substance Law, a Toronto-based firm specialising in regulatory compliance for highly regulated industries, has watched the pattern repeat. “Growth creates blind spots,” he says. “The systems that worked early on break down, and by the time founders realise there’s a problem, they’re already facing enforcement action.”
Growth creates blind spots
Jordan’s observations are drawn from the Canadian context, but the structural problem he describes is not unique to any single jurisdiction. In 2025, Canada’s anti-money laundering regulator FINTRAC issued 23 notices of violation totalling more than $25 million, and referred 32 cases of non-compliance directly to law enforcement for potential criminal investigation, more than double the previous year, according to Jordan.
The pattern is familiar to founders. A startup builds a compliant enough product for its first few hundred users. Transaction volumes rise. Customer numbers grow. And the compliance infrastructure that was adequate at launch quietly becomes a liability.
“The issue is that they’re optimising for the wrong timeline,” Jordan says. “They think they’ll upgrade their compliance systems when they raise the next round or hit profitability. But regulatory scrutiny doesn’t wait for your funding milestones.”
The gaps regulators find first
Jordan identifies three recurring triggers that lead to enforcement action: incomplete customer identification, inadequate suspicious transaction reporting, and insufficient record-keeping.
“These sound basic, but they’re deceptively complex at scale,” he explains.
For Australian founders, the warning is directly applicable. AUSTRAC, Australia’s financial intelligence unit and AML/CTF regulator, can pursue a wide range of enforcement sanctions including civil and criminal penalties, enforceable undertakings, infringement notices, remedial directions, and the power to cancel or suspend registrations of crypto asset exchange providers and designated remittance services.
The stakes are not abstract. In September 2024, AUSTRAC issued infringement notices to 16 businesses for compliance reporting failures. When two of those businesses, Castra and Princeton, did not pay their notices, AUSTRAC proceeded to commence court action. AUSTRAC Acting CEO Katie Miller stated at the time that compliance reporting is fundamental to a reporting entity’s AML/CTF obligations.
Australia’s tightening net
The enforcement environment Australian startups now operate in is materially different from even two years ago. By February 2025, AUSTRAC had already taken action against 13 crypto remittance and digital currency exchange providers, with over 50 more under investigation.
That activity reflects broader structural changes to the regulatory framework. On 29 November 2024, Parliament passed the AML/CTF Bill, marking a significant overhaul of Australia’s AML/CTF regime to bring it in line with international standards. The majority of the reforms commence on 31 March 2026 for existing reporting entities, with newly captured tranche-two entities required to comply by 1 July 2026.
Those tranche-two entities are significant for founders who assumed they were outside AUSTRAC’s reach. The reforms extend compliance obligations to real estate, legal, accounting and company service providers, sectors that previously operated without formal AML/CTF requirements. As Dynamic Business has reported on the growing compliance burden facing Australian businesses, awareness of critical regulatory changes remains a persistent gap, with more than half of Australian small businesses potentially unaware of updates that affect them.
Jordan’s experience in Canada mirrors what Australian lawyers are now advising locally. “We regularly work with startups that thought they were outside FINTRAC’s scope, only to find out they should have registered months or even years ago,” he says.
Digital currency exchange providers must register with AUSTRAC or face a penalty of up to two years’ imprisonment or a fine of up to AUD 156,500, or both, for failing to register.
Build before you scale
Jordan’s advice to founders is consistent regardless of jurisdiction: compliance infrastructure needs to be built for the scale you are heading toward, not the scale you are at today.
His practical recommendations cover four areas. First, a proper risk assessment that analyses where the business model creates money laundering or terrorism financing exposure, which then informs policies, transaction monitoring thresholds and reporting obligations. Second, a designated compliance officer with genuine authority, access to executive decision-makers, and the resources to keep current with regulatory changes. Third, automated transaction monitoring systems capable of flagging suspicious patterns, generating reports and maintaining audit trails as volumes increase. And fourth, regular internal audits.
“Conduct quarterly compliance checks, at a minimum,” Jordan says. “Look at a sample of transactions, verify that customer identification procedures were followed, and check that suspicious activity was properly flagged.”
On what the regulatory environment will demand going forward, Jordan is direct. “Startups that will scale successfully are those treating compliance as infrastructure. That means building monitoring capabilities before you hit growth milestones, maintaining relationships with regulators through proactive communication, and budgeting for compliance the same way you budget for product development.”
Australia faces a Financial Action Task Force mutual evaluation in 2026, and the tight reform timeline reflects urgency to meet FATF’s standards. For Australian founders, that external pressure on the regulator is also pressure on them. The window to get compliance infrastructure in order before enforcement attention arrives is narrowing, and as Jordan puts it, “the time to build compliance infrastructure is now, while you’re still in control of the timeline.”
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.
