Language selection

Government of Canada / Gouvernement du Canada

Search

Administrative monetary penalty on Xeltox Enterprises Ltd.

[2025-10-22]

Xeltox Enterprises Ltd, also operating under the name Cryptomus and previously known as Certa Payments Ltd, is a reporting entity in the money services business sector that provides virtual currency transaction services. Sabina Salim Kizi Berdieva of Bukhara, Uzbekistan is listed as its sole director. Kakhanova Renata Andreyevna of Almaty, Kazakhstan, acting as a representative of Xeltox Enterprises Ltd., filed for a trademark for the Cryptomus name and branding with the Canadian Intellectual Property Office on September 11, 2024.

Xeltox Enterprises Ltd. is incorporated in British Columbia and is registered as operating from a Vancouver address (Suite 170, 422 Richards Street) associated with a mailbox service. This address is different from the address found in the British Columbia Registry Services. During FINTRAC’s examination in March 2025, representatives of Xeltox Enterprises Ltd. communicated with FINTRAC from Uzbekistan and Spain, as Xeltox Enterprises Ltd. had no employees working in Canada.

On July 17, 2025, FINTRAC proposed an administrative monetary penalty of $176,960,190 on Xeltox Enterprises Ltd. for 2,593 instances across 6 types of violations where the entity contravened the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and associated Regulations, each causing severe harm and demonstrating significant, widespread non-compliance with regulatory requirements and subject to a penalty.

The nature of these violations include:

Following the issuance of the Notice of Violation, Xeltox Enterprises Ltd. submitted representations to FINTRAC’s Director and Chief Executive Officer (CEO) with respect to the violations and the proposed penalty pursuant to the reporting entity’s rights under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. In reviewing the details of the case and the representations submitted by Xeltox Enterprises Ltd., FINTRAC’s Director and CEO found that Xeltox Enterprises Ltd. committed all 2,593 contraventions of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and associated Regulations across all 6 types of violations and confirmed the administrative monetary penalty of $176,960,190 on October 16, 2025, finding that the penalty was appropriate based on the nature of the violations, the volume of the instances, and to ensure compliance within a high-risk sector.

Nature of violation

Violation #1

Failure of a person or entity to report financial transactions that occurred in the course of its activities and in respect of which there are reasonable grounds to suspect that the transactions are related to the commission or the attempted commission of a money laundering or a terrorist activity financing offence that occurred on 1,068 separate occasions during the period of July 1, 2024 – July 31, 2024, which is contrary to section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Xeltox Enterprises Ltd., operating as Cryptomus, failed to submit 1,068 transaction reports where there were reasonable grounds to suspect that one or more transactions or attempted transactions were related to the commission or attempted commission of a money laundering or terrorist activity financing offence. This failure results in the loss of critical financial information that could have been used by FINTRAC to produce actionable financial intelligence for the investigation and prosecution of money laundering and terrorist financing offences. In these 1,068 instances, Xeltox Enterprises Ltd. failed to report suspicious transactions to FINTRAC despite known indicators of potential money laundering or terrorist financing, as outlined below:

  • Funds or virtual currency are added or withdrawn from a virtual currency address or wallet with direct and indirect exposure links to known suspicious sources, including Dark Web marketplaces, mixing/tumbling services, questionable gambling sites, illegal activities (e.g., ransomware) and/or theft reports.
  • Client sends or receives virtual currency from an address that is known to be associated with a darknet marketplace (e.g., ASAP Market (formerly ASEAN), Mega Darknet Market, Blacksprut Market, and OMG!OMG! Market) or has direct or indirect exposure to darknet marketplaces.
  • Transactions involve persons or entities identified by the media, law enforcement and/or intelligence agencies as being linked to criminal activities.
  • A transaction has direct or indirect transactional exposure to virtual currency exchanges or services located in Russia or in another high-risk jurisdiction with weak anti-money laundering regulations.
  • Virtual currency addresses match addresses on recognized watch lists such as the list of the Office of Foreign Assets Control (OFAC) or law enforcement information.

Violation #1 is classified by the regulations as a Very Serious violation. The imposed penalty takes into account the criteria in section 73.11 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and section 6 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations.

Violation #2

Failure to comply with a ministerial directive – Proceeds of Crime (Money Laundering) and Terrorist Financing Act, section 11.43

Xeltox Enterprises Ltd., operating as Cryptomus, failed to comply with the Ministerial Directive on Financial Transactions Associated with the Islamic Republic of Iran. Specifically, the examination of the money services business revealed 7,557 instances where Xeltox Enterprises Ltd. failed to report to FINTRAC transactions originating from Iran, conducted between July 1, 2024 and December 31, 2024, regardless of the amount. Xeltox Enterprises Ltd. was to treat these 7,557 transactions as high risk, verify the identity of the sender(s)/beneficiary(ies) of the transactions, exercise due diligence, maintain a record of the transactions and report the transactions to FINTRAC. Xeltox Enterprises Ltd. failed to complete any of its obligations under the Iran Directive.

Failing to comply with a minister's directive could interfere with the achievement of the objectives described under paragraphs 3(c) and (d) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act with respect to fulfilling Canada's international commitments to fight transnational crime, particularly money laundering/terrorist financing, and enhancing Canada's targeted measures to protect its financial system from money laundering/terrorist financing. Non-compliance with a minister's directive poses a very high risk to the integrity of Canada's financial system and the safety of Canadians. This is because detection and mitigation measures would not be applied to transactions originating from or destined to a foreign state or a foreign entity that has an ineffective or insufficient anti-money laundering and anti-terrorist financing regime. This could mean that suspicious transactions related to money laundering or terrorist financing offences could remain undetected, posing a risk to the financial system and the safety of Canadians.

Violation #2 is classified by the regulations as a Very Serious violation. The imposed penalty takes into account the criteria in section 73.11 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and section 6 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations.

Violation #3

Failure to develop and apply written compliance policies and procedures that are kept up to date and, in the case of an entity, are approved by a senior officer – Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations, paragraph 156(1)(b)

FINTRAC determined Xeltox Enterprises Ltd., operating as Cryptomus, had incomplete and inadequate policies and procedures. FINTRAC found that the policies and procedures documents of Xeltox Enterprises Ltd. were not tailored to reflect the organization’s operations in practice and had not been kept up to date as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations. Specifically, FINTRAC found several deficiencies in key areas such as:

  • Business relationship;
  • Ongoing monitoring;
  • Know-your-client practices;
  • Politically Exposed Persons, Heads of International Organizations, and third-party determinations;
  • Reporting obligations on suspicious transactions, terrorist property and large virtual currency transactions;
  • Travel rule; and
  • Ministerial Directives on Russia, North Korea and Iran.

Policies and procedures are critical in a compliance program as they set out and communicate important principles and standards that employees and delegated persons with compliance responsibilities must meet in a consistent manner. Documented policies and procedures also serve to ensure clarity and consistency in business operations. Failing to develop, apply, and keep written compliance policies and procedures up to date can result in not meeting other requirements set out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and associated Regulations, and under-values sound business practices designed to minimize a business’ exposure to money laundering and terrorist activity financing. Partially documented policies and procedures potentially leave employees, or those acting on behalf of the business, unaware of the exact actions to take or appropriate decisions to make, in order to comply, when specific situations arise in practice.

Violation #3 is classified by the regulations as a Serious violation. The imposed penalty takes into account the criteria in section 73.11 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and section 6 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations.

Violation #4

Failure of a person or entity to assess and document the risk referred to in subsection 9.6(2) of the Act, taking into consideration prescribed factors, which is contrary to subsection 9.6(1) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations, paragraph 156(1)(c)

Xeltox Enterprises Ltd., operating as Cryptomus, did not assess and document risks related to money laundering and terrorist financing activity.

Xeltox Enterprises Ltd. failed to consider the risks of their products, services, and delivery channels, risks related to new developments and technologies, or other relevant factors. Xeltox Enterprises Ltd. also failed to establish risk assessment processes for clients and business relationships. Finally, Xeltox Enterprises Ltd. did not assess the specific geographical risks that are associated with its operations.

Assessing and documenting money laundering and terrorist financing risks ensures that reporting entities are aware of their potential exposure and vulnerability. Failing to assess and document the risks of money laundering and terrorist financing prevents reporting entities from identifying areas of its operations that are vulnerable to being exploited for these purposes, and prevents appropriate mitigation measures from being put in place. This can also lead to failing to identify high-risk clients and business relationships for which enhanced risk mitigation measures must be applied. This can further result in the failure to detect and report suspicious transactions to FINTRAC.

Violation #4 is classified by the regulations as a Serious violation. The imposed penalty takes into account the criteria in section 73.11 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and section 6 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations.

Violation #5

Failure to submit notification of change to money services business registration – Proceeds of Crime (Money Laundering) and Terrorist Financing Registration Regulations, paragraph 4(b) and section 5

FINTRAC found 4 instances where Xeltox Enterprises Ltd., operating as Cryptomus, failed to maintain up-to-date registration information with the Centre. During the examination, Xeltox Enterprises Ltd. admitted that it only deals in virtual currency, as opposed to what appeared on its money services business registry application. Xeltox Enterprises Ltd. further admitted that the phone number provided was not affiliated with Xeltox Enterprises Ltd., that the e-mail addresses provided to FINTRAC with its registrations were inaccessible and had not been updated and, finally, Xeltox Enterprises Ltd. admitted that the company’s legal name was Xeltox Enterprises Ltd., but that its operating name was Cryptomus and that this was not updated in the registration.

The money services business registration information lets FINTRAC know of the types of activities, products and services provided by money services businesses that could be used for money laundering and terrorist financing, such as cash transactions and transferable monetary instruments, international electronic funds transfers, informal remittance systems and foreign currency exchanges. Money services business registration information also includes details on a business’ model and size. This information allows FINTRAC to understand the complexity of the business’ operations and helps to assess the risks and consequences of non-compliance. Registration information that is not submitted in the prescribed manner or that is incomplete, outdated, or unclear diminishes the effectiveness of FINTRAC's compliance activities and its ability to ensure compliance in the money services business sector.

Violation #5 is classified by the regulations as a Serious violation. The imposed penalty takes into account the criteria in section 73.11 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and section 6 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations.

Violation #6

Failure to report a large virtual currency transaction of $10,000 or more in the course of a single transaction, together with the prescribed information – Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations, paragraph 30(1)(f)

Xeltox Enterprises Ltd., operating as Cryptomus, failed to submit large virtual currency transaction reports with the prescribed information.

Using blockchain analytics, FINTRAC identified that Xeltox Enterprises Ltd. failed to report at least 1,518 transactions meeting the threshold for large virtual currency transaction reporting between July 1, 2024 and July 31, 2024.

Failure to submit a prescribed report such as a Large Virtual Currency Transaction Report results in a loss of intelligence for FINTRAC which may prevent it from using that information to carry out its mandate per paragraphs 40(b) and 40(d) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

Violation #6 is classified by the regulations as a Minor violation. The imposed penalty takes into account the criteria in section 73.11 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and section 6 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations.

Related link

Date Modified: