The $875K FSRA Mortgage Brokerage Penalty: What 2025-26 Enforcement Means for Your Cybersecurity Plan
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Note: the brokerage, the principal broker, and the timing below are a composite drawn from FC engagements with three Ontario mortgage brokerages between Q4 2025 and Q1 2026. The names are changed. The lender-channel platform, the FSRA notification clock, and the MBRCC principles those engagements landed against are real.
The principal broker called me from her car on a Tuesday evening in February. Her brokerage manager had spent the afternoon on the phone with a lender’s fraud desk. A submission package routed through Filogix that morning had carried a forged income document. The lender had flagged it.
The brokerage manager had pulled the agent into a meeting at noon. By 1pm she had confirmed that the agent's credentials had been used the previous Saturday from an IP address that matched neither the agent's home, nor her phone, nor any office the brokerage operates. The agent had been at her daughter's hockey tournament in Barrie. Somebody else had been inside her Filogix account.
The principal broker is the licensed broker-of-record for a twelve-agent shop in Mississauga. She had been on the road since lunch. She had not yet opened the FSRA IT Risk Incident Notification Form.
According to the FSRA guidance, the notification clock had started five hours earlier, when the brokerage manager first confirmed unauthorized access, before the principal broker had heard a word about it. She had inherited a regulatory file in motion and did not know it.
I’m an MSP, not a regulator. The legal interpretation of the timing rules below belongs with FSRA-experienced counsel before you adopt any of it. What follows is the pattern I watched unfold across three Ontario mortgage brokerage engagements where the FSRA notification clock started before the broker-of-record knew it had.
The post sits inside our FSRA-aligned cybersecurity playbook for Ontario financial brokerages. Read that first if you have not landed on the cross-vertical MBRCC + RIBO control set. This post assumes the controls are scoped and the question is what 2025-26 enforcement actually flagged, and what your brokerage runs now to stay out of the next AMP cluster.
Key Takeaways
- FSRA’s 2024-26 mortgage brokering enforcement run produced roughly CAD $875K in administrative monetary penalties across the sector, the largest mortgage-sector AMP cluster since FSRA assumed the supervisory mandate in 2019 (FSRA Enforcement Decisions, ongoing).
- The dominant fact pattern in those decisions was suitability, supervision, and record-keeping failures stacked on top of a control gap that a runbook-grade cybersecurity program would have closed before the file ever reached the lender.
- FSRA’s IT Risk Management Guidance fires the notification clock at the moment a brokerage staff member confirms a material IT incident, not when the principal broker is told about it. The clock runs the same way whether the broker-of-record is in the office, in a car, or on a flight.
- The MBRCC’s 9 Principles for Cybersecurity Preparedness for the Mortgage Brokering Sector translate into a runbook the principal broker can rehearse in a tabletop drill, not a glossary the brokerage cites once at audit.
- The 90-day cyber-hygiene sprint below maps to what FSRA supervisors actually ask for in 2026, what E&O carriers now demand at renewal, and what the brokerage manager needs to operate without paging the principal broker at 7pm on a Tuesday.
The $875K cumulative figure: what FSRA actually levied in 2025-26
The Financial Services Regulatory Authority of Ontario (FSRA) reported aggregate administrative monetary penalties of approximately CAD $875K across mortgage brokering enforcement decisions issued in the 2025-26 fiscal cycle. The cluster is the largest concentrated mortgage-sector enforcement run since FSRA absorbed the supervisory mandate from the former Financial Services Commission of Ontario (FSCO) in 2019.
The decisions cover suitability, supervision, record-keeping, and unsuitable-recommendation themes consistent with the 2025-26 Mortgage Brokering Sector Supervision Plan (FSRA, ongoing enforcement docket).
I read every public decision in the cluster the week the principal broker called me from her car. The pattern that surfaces, once you stop reading the AMPs as money and start reading them as facts, is that none of the failures FSRA punished were exotic.
The decisions named the same handful of operational gaps that I have watched surface in every FC mortgage brokerage engagement since the MBRCC document landed. Income documentation that nobody had verified. Lender-channel credentials shared across agents. Compliance reviews that had not run in the cycle they were supposed to. Files where the principal broker’s signature appeared on a recommendation she had never actually reviewed.
The control set that would have caught most of these failures is the control set FSRA already says it expects. The MBRCC published its 9 cybersecurity principles in April 2024. FSRA folded them into the 2024-26 supervision plan that same year. By the time the AMPs in the $875K cluster were issued, the brokerages on the receiving end had been on notice about the expectations for somewhere between twelve and twenty months.
What the cluster tells me about my own client portfolio is simpler than the AMPs suggest. The brokerages getting penalized in 2025-26 are not the brokerages that read the MBRCC document. They are the brokerages that filed it and never operationalized it.
The pattern across the cases: what 2025-26 enforcement actually flagged
The 2025-26 FSRA mortgage enforcement decisions clustered around three recurring fact patterns: principal broker supervision failures on syndicated-mortgage or private-lender files, identity-verification and record-keeping breakdowns on individual borrower files, and account-takeover events on lender-channel portals, with FINTRAC suspicious-transaction-report obligations stacking on top in several decisions. Cybersecurity gaps did not generate standalone AMPs in the cluster; they generated the upstream control failures that produced the AMPs (FSRA, 2024-26 enforcement decisions).
- Pattern 1, principal broker supervision. Files where the licensed principal broker had signed off on agent submissions without conducting a substantive review. Most of these decisions named the principal broker personally, not just the brokerage.
- Pattern 2, identity verification. Files where the lender or FINTRAC obligations required a verified borrower identity and the brokerage’s records did not support the certification on file.
- Pattern 3, account-takeover and unauthorized-access events. Files where an agent’s lender-portal credentials had been used to submit packages the agent did not author. The brokerage discovered the events through lender fraud-desk callbacks, not through internal monitoring.
The principal broker on the Tuesday call landed inside Pattern 3 and faced a Pattern 1 stack she did not know was building. The agent whose credentials had been compromised had submitted three packages the previous week that the principal broker had signed off on. Two of those packages had carried supporting documentation she had not personally reviewed.
When we walked the file from end to end the following morning, the cybersecurity event was the easy half. The harder half was the supervision file the brokerage manager had to reconstruct. Six weeks of agent submissions had to be re-papered with the principal broker’s actual review notes before FSRA could be told the brokerage had a complete record.
The cybersecurity gap had created the unauthorized submission. The supervision gap was already there. The MBRCC principle that would have caught the credential compromise (Principle 4, Access Controls) was the one we had been working through on the brokerage's last engagement call before the holidays. We had not finished the rollout.
The thing the AMP cluster documents implicitly across every decision is that FSRA reads a brokerage’s response to an incident as evidence of the program that did or did not exist before the incident. The brokerages that closed the loop fast did not appear on the enforcement docket. The ones that delayed disclosure, could not reconstruct the file, or signed certifications that did not match the records did.
The 3 mistakes brokers-of-record made that turned manageable incidents into AMPs
Across the 2024-26 FSRA mortgage enforcement decisions, three operational mistakes by principal brokers turned otherwise-manageable incidents into administrative monetary penalties. According to the published decisions, the AMP-attracting behaviours were delayed notification past the FSRA reporting window, certifications on annual filings that the brokerage’s records did not support, and reactive rather than documented supervision of agent submissions in the cycle preceding the incident (FSRA Enforcement Decisions, 2024-26).
The first mistake is the one the Tuesday-evening call exposed. The broker-of-record did not know the FSRA notification clock had started. The clock under FSRA’s IT Risk Management Guidance fires when brokerage staff confirm a material IT incident. It does not wait for the principal broker to be reachable.
When the brokerage manager confirmed unauthorized credential use at 1pm, the clock started. The principal broker found out at 4pm. By the time she had me on the phone in her car at 6pm, the brokerage was already five hours into a regulatory notification window.
The fix is not to react faster. The fix is to delegate notification authority by role. In the brokerage AI and IT incident response plan we wrote that night, the brokerage manager was named as the FSRA notification owner with after-hours authority to file the IT Risk Incident Notification Form without waiting for the broker-of-record. The principal broker reviews and signs after the file is open. The clock does not run against her phone’s availability.
The second mistake is the one that turns a single event into a multi-year AMP file. The principal broker signs an annual certification that the brokerage’s records support the agent activity submitted during the year. If the records do not, the certification itself becomes a contravention. Multiple decisions in the 2024-26 cluster carried record-keeping AMPs that traced back to certifications signed against incomplete files.
The fix is a quarterly evidence sweep. The brokerage manager pulls a sample of the agent submissions filed in the quarter and matches each against the principal broker’s actual review notes. Files where the review note is missing get re-papered before the next quarter closes. The annual certification then carries a paper trail that matches what the brokerage attested to. A 30-minute call walks you through the sweep template if you want one.
The third mistake is the one I see most often, because it is the one that feels like normal practice until FSRA inspects. Principal brokers supervise reactively rather than on a documented cycle. The agent submission lands, the principal broker scans it, the principal broker signs. Nothing in the system records what the principal broker actually looked at.
The 2025-26 supervision plan names this gap explicitly. The remediation is documented supervision: a checklist applied to every submission, time-stamped to the moment the principal broker reviewed it, and retained alongside the file. The MBRCC's response-planning principle translates directly into this discipline. The principle reads as cybersecurity language; the operational implementation is supervision documentation.
FSRA’s expected practice: what a 12-agent brokerage should run
FSRA’s IT Risk Management Guidance is principles-based rather than prescriptive. According to the guidance, FSRA expects an Ontario mortgage brokerage to identify and assess IT risks, deploy controls proportionate to brokerage size and complexity, monitor for incidents, document response and recovery procedures, and notify FSRA promptly of material IT incidents through the IT Risk Incident Notification Form.
The MBRCC 9 cybersecurity principles operationalize the guidance for a typical 6 to 25-agent brokerage (FSRA IT Risk Management Guidance, adopted 2024).
The practical implementation for a twelve-agent brokerage is not a 200-page security program. It is a six-page runbook the brokerage manager and the principal broker can both recite. The runbook covers the assets, the access controls, the detection signal, the notification path, the recovery procedure, and the after-action review.
The first page lists the assets. Filogix or Velocity or BluMortgage or Finmo, depending on the broker network. Microsoft 365 Business Premium or Google Workspace, depending on the email stack. The CRM, the document repository, the lender-channel portals, and the licensed software the brokerage actually depends on. The list fits on a single page. Every asset on the list has a designated owner.
The second page covers access. Every account is multi-factor authenticated. Lender-channel credentials are not shared across agents. Service accounts have unique passwords stored in a brokerage password manager. The brokerage manager runs a quarterly access review and removes any account that no longer needs the access it has.
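The quarterly access review on this page is a reconciliation exercise, and it is worth seeing what it looks like when it is actually run rather than described. The script below is an added example written for this article; it is not FC's tooling or anything the brokerage deployed. It assumes three constructed exports: the brokerage's staff roster (who is still licensed and active), the Microsoft 365 user list with MFA registration state, and a list of which lender-portal login is issued to which agent. The field names, the account names and every sample row are assumptions; the point is the four checks, which are exactly the four sentences of the page: orphaned accounts, accounts without MFA, lender logins shared across agents, and lender logins still assigned to someone who has left.

```python
"""Quarterly access review for a small brokerage tenant.

Added example for this article, not FC's or the brokerage's own tooling.
All three inputs are constructed exports; the shapes below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Staff:
    email: str
    status: str            # "active" or "terminated" in the brokerage roster


@dataclass(frozen=True)
class TenantUser:
    upn: str
    enabled: bool
    mfa_registered: bool
    kind: str = "person"   # "person" or "service"
    owner: str = ""        # service accounts: the staff member accountable for it


@dataclass(frozen=True)
class LenderCredential:
    portal: str            # e.g. "Filogix", "Velocity"
    login: str
    assigned_to: str       # staff email the login was issued to


def active_staff(roster):
    return {s.email for s in roster if s.status == "active"}


def orphaned_accounts(roster, users):
    """Enabled accounts with nobody active behind them: a person who has
    left, or a service account whose designated owner has left."""
    active = active_staff(roster)
    out = []
    for u in users:
        if not u.enabled:
            continue
        if u.kind == "person" and u.upn not in active:
            out.append(u.upn)
        elif u.kind == "service" and u.owner not in active:
            out.append(u.upn)
    return out


def missing_mfa(users):
    """Enabled person accounts with no MFA method registered. Service
    accounts are covered by the ownership check and the password vault."""
    return [u.upn for u in users
            if u.enabled and u.kind == "person" and not u.mfa_registered]


def lender_credential_findings(roster, creds):
    """Lender logins held by more than one agent, and logins still assigned
    to someone who is no longer active."""
    active = active_staff(roster)
    holders = defaultdict(set)
    for c in creds:
        holders[(c.portal, c.login)].add(c.assigned_to)
    shared = sorted(f"{p}:{l}" for (p, l), who in holders.items() if len(who) > 1)
    stale = sorted({f"{c.portal}:{c.login}" for c in creds if c.assigned_to not in active})
    return {"shared": shared, "assigned_to_inactive": stale}


def access_review(roster, users, creds):
    """The quarterly sweep: one action list per finding type."""
    lc = lender_credential_findings(roster, creds)
    return {
        "disable": orphaned_accounts(roster, users),
        "enforce_mfa": missing_mfa(users),
        "shared_lender_logins": lc["shared"],
        "revoke_lender_logins": lc["assigned_to_inactive"],
    }


# Constructed sample exports (assumed names; nothing here is real data).
ROSTER = [
    Staff("agent.one@brokerage.example", "active"),
    Staff("agent.two@brokerage.example", "active"),
    Staff("agent.three@brokerage.example", "terminated"),
    Staff("manager@brokerage.example", "active"),
]
USERS = [
    TenantUser("agent.one@brokerage.example", True, True),
    TenantUser("agent.two@brokerage.example", True, False),
    TenantUser("agent.three@brokerage.example", True, True),        # left, never disabled
    TenantUser("svc-scanner@brokerage.example", True, False,
               kind="service", owner="agent.three@brokerage.example"),  # owner has left
    TenantUser("manager@brokerage.example", True, True),
]
CREDS = [
    LenderCredential("Filogix", "FX-1042", "agent.one@brokerage.example"),
    LenderCredential("Filogix", "FX-1042", "agent.two@brokerage.example"),  # shared login
    LenderCredential("Filogix", "FX-1057", "agent.two@brokerage.example"),
    LenderCredential("Velocity", "V-77", "agent.three@brokerage.example"),  # terminated agent
]

if __name__ == "__main__":
    for action, items in access_review(ROSTER, USERS, CREDS).items():
        print(f"{action}: {items}")
```

Each list in the result is an action for the brokerage manager, not a report to file: disable, register MFA, re-issue the shared login, revoke the stale one. The output of the sweep, dated and signed, is the evidence the principal broker points to at renewal.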
The third page covers detection. The brokerage subscribes to lender fraud-desk alerts. The Microsoft 365 or Google Workspace tenant has audit log retention turned on. The principal broker reviews a weekly summary of unusual sign-ins, impossible-travel alerts, and elevated-privilege actions. The detection signal is small enough to review in fifteen minutes.
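The weekly review on this page is the control that would have caught the Saturday sign-in in the opening story, so here is what the two checks behind it look like over sign-in records. This is an added example written for this article, not FC's or Microsoft's code. It assumes the sign-in events have already been exported from the Microsoft 365 / Entra sign-in log (or the Google Workspace login audit) into records with the fields shown, and that the brokerage keeps a per-agent list of known networks (office, home, the agent's mobile carrier range). The addresses are RFC 5737 documentation ranges, the coordinates are rough city centres, the 900 km/h ceiling and the sample events are all constructed for the demo.

```python
"""Weekly sign-in review: unknown origin and impossible travel.

Added example for this article, not FC's or Microsoft's code. Input shape,
known-network baseline and sample events are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime        # timezone-aware, UTC
    ip: str
    city: str           # geolocation as recorded in the sign-in log
    lat: float
    lon: float
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def unknown_origin(events, known_networks):
    """Successful sign-ins from an address outside the agent's known networks."""
    hits = []
    for e in events:
        if not e.success:
            continue
        nets = known_networks.get(e.user, [])
        if not any(ip_address(e.ip) in ip_network(n) for n in nets):
            hits.append(e)
    return hits


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Consecutive successful sign-ins by one user whose implied speed
    exceeds max_kmh. Pairs closer than min_km are ignored (geo-IP jitter)."""
    hits = []
    by_user = {}
    for e in events:
        if e.success:
            by_user.setdefault(e.user, []).append(e)
    for evs in by_user.values():
        evs.sort(key=lambda e: e.ts)
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < min_km:
                continue
            hours = (b.ts - a.ts).total_seconds() / 3600.0
            if hours == 0 or km / hours > max_kmh:
                hits.append((a, b, round(km), round(km / hours) if hours else None))
    return hits


def weekly_review(events, known_networks):
    """The fifteen-minute summary: findings keyed by agent."""
    report = {}
    for e in unknown_origin(events, known_networks):
        report.setdefault(e.user, []).append(
            f"{e.ts:%a %Y-%m-%d %H:%M}Z sign-in from {e.ip} ({e.city}) not in known networks")
    for a, b, km, kmh in impossible_travel(events):
        mins = int((b.ts - a.ts).total_seconds() // 60)
        report.setdefault(a.user, []).append(
            f"{a.city} -> {b.city}: {km} km in {mins} min (~{kmh} km/h)")
    return report


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed baseline: office, home, and the agent's mobile carrier range.
KNOWN_NETWORKS = {
    "agent.one@brokerage.example": ["203.0.113.10/32", "198.51.100.7/32", "192.0.2.0/25"],
    "agent.two@brokerage.example": ["203.0.113.10/32"],
}

# Constructed events: a Friday office sign-in, a Saturday sign-in from an
# address nobody recognises, then the agent's own phone in Barrie 38 minutes later.
SAMPLE_EVENTS = [
    SignIn("agent.one@brokerage.example", _utc("2026-02-13 14:05"), "203.0.113.10", "Mississauga", 43.59, -79.64, True),
    SignIn("agent.one@brokerage.example", _utc("2026-02-14 15:02"), "192.0.2.200", "Vancouver", 49.28, -123.12, True),
    SignIn("agent.one@brokerage.example", _utc("2026-02-14 15:40"), "192.0.2.33", "Barrie", 44.39, -79.69, True),
    SignIn("agent.one@brokerage.example", _utc("2026-02-14 15:45"), "192.0.2.200", "Vancouver", 49.28, -123.12, False),
    SignIn("agent.two@brokerage.example", _utc("2026-02-13 13:30"), "203.0.113.10", "Mississauga", 43.59, -79.64, True),
    SignIn("agent.two@brokerage.example", _utc("2026-02-16 13:10"), "203.0.113.10", "Mississauga", 43.59, -79.64, True),
]

if __name__ == "__main__":
    for user, findings in weekly_review(SAMPLE_EVENTS, KNOWN_NETWORKS).items():
        print(user)
        for f in findings:
            print("  -", f)
```

The unknown-origin check is the weaker of the two: mobile carrier addresses churn, so the baseline needs the carrier range rather than a single phone IP, and a shared office VPN would hide everything behind it. The impossible-travel check does not depend on the baseline at all, which is why it still fires when the known-network list is stale. Neither replaces the tenant's own risk detections; they are the fifteen-minute read the principal broker signs each week.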
Pages four through six: notification, recovery, and after-action
The fourth page is the notification SOP. I bookmark the form in the brokerage manager’s browser personally on the day we deploy the runbook. The contacts at FSRA, MBRCC, FINTRAC, and the brokerage’s E&O carrier are listed by role and name. The brokerage manager has standing authority to file the FSRA notification within the window even if the principal broker is unreachable.
The fifth page is recovery. The brokerage knows which lender contacts to call to reset compromised credentials. The brokerage knows how to pull the agent’s session history from the lender portal. The brokerage knows which submissions to flag for lender re-review and how to communicate with affected borrowers.
The sixth page is the after-action review template. What happened. What controls caught it or missed it. What changes the brokerage made before the next quarterly review. The MBRCC’s Principle 9 on training and awareness lives in this page; the after-action review is the training material for the next tabletop drill.
For the full sector-spine version of the brokerage stack (which maps each FSRA, MBRCC, and RIBO requirement to a Microsoft 365 Business Premium control), see the FSRA-aligned MBRCC + RIBO playbook.
The 90-day brokerage cyber-hygiene sprint (the path back to defensible)
A 12-agent Ontario mortgage brokerage can move from a typical control-gap baseline to FSRA-defensible inside 90 days using a four-phase rollout: inventory and policy in days 1 to 15, identity and access hardening in days 16 to 45, monitoring and notification SOP in days 46 to 75, and tabletop and renewal-readiness in days 76 to 90.
The licensing cost lands around CAD $32 per user per month when the brokerage runs Microsoft 365 Business Premium with the controls turned on (FC client baseline, Q1 2026).
- Days 1 to 15, inventory and policy. Asset list, access inventory, vendor list, and a written IT incident response plan that the brokerage manager and principal broker both sign.
- Days 16 to 45, identity hardening. MFA on every account, lender-channel credential cleanup, conditional-access policies, and a brokerage password manager with role-based vault separation.
- Days 46 to 75, monitoring and SOP. Audit log retention, weekly principal broker sign-in review, FSRA notification SOP rehearsal, FINTRAC suspicious-transaction-report path, E&O carrier contact mapping.
- Days 76 to 90, tabletop and renewal-readiness. A two-hour tabletop drill of the account-takeover scenario, an after-action review, and a brokerage-renewal checklist mapping every certification line to the evidence behind it.
The principal broker on the Tuesday call ran exactly this sprint between February and May. The day-90 tabletop drill was held in her office boardroom on a Thursday afternoon. The brokerage manager played the role of the agent whose credentials had been compromised. The principal broker filed a mock notification form against a stopwatch.
The drill produced two policy fixes the original incident had not surfaced. One was that the brokerage’s after-hours phone list was missing the E&O carrier’s claims line. The other was that the brokerage manager did not have an account on the FSRA portal in her own name, which would have delayed the actual notification by an hour if the principal broker had been on a flight.
Both fixes took thirty minutes. The after-action report from the drill became the training material for the next month’s agent meeting. The MBRCC’s Principle 9 (ongoing training) closed the loop without a separate training budget.
If you want the brokerage runbook template we use with our Ontario mortgage clients, book a 30-minute IT assessment and we will send the six-page version that maps to the MBRCC principles.
What your E&O carrier wants you doing before they’ll renew at last year’s rate
Errors and omissions carriers underwriting Ontario mortgage brokerages now ask cyber-control questions on the renewal application that did not exist two cycles ago. According to broker conversations with E&O underwriters in Q1 2026, the renewal questionnaire typically asks about MFA coverage, documented IT incident response plans, lender-channel credential management, FINTRAC compliance program existence, and the brokerage’s history of incidents reported to FSRA.
A no on any of those questions converts a routine renewal into a re-underwriting file (FC underwriter conversations, Q1 2026).
The carrier conversation I now have with every brokerage client in November runs the same way. The renewal application arrives in late October. The brokerage has thirty days to answer it.
The questions have shifted from policy-level (do you have a privacy policy) to operational (does your principal broker review sign-in logs weekly). The brokerage that can answer the operational questions yes, and produce the evidence on request, renews at last year’s rate or close to it.
The brokerage that has to write “in progress” or “under development” against three or more of the operational questions is now seeing the renewal converted into a re-underwriting exercise. I have read the resulting carrier requests across three Q1 2026 engagements. The carrier asks for the IT incident response plan as written. The carrier asks for the most recent tabletop after-action report. The carrier asks for the principal broker’s last quarterly access review log.
What the carrier is doing, in plain terms, is checking that the controls are running, not that the policies are written. The mortgage brokerage E&O underwriting market in 2026 has caught up to the FSRA expectation framework and is now pricing premiums against operational evidence.
PRINCIPAL BROKER PULL-QUOTE
“The hardest thing I had to admit on the Tuesday call was that I did not know my brokerage manager could file with FSRA without me. The clause that says she can was the single most useful sentence we added to the policy. By May our E&O renewal came back at the same rate we paid in 2024, and I sleep again on Sunday nights.”
For the sibling control set on the insurance brokerage side (RIBO Responsible AI Use guidance, broker management system hardening), the parallel structure is documented in the cross-vertical FSRA brokerage playbook.
The board conversation a principal broker has to have
The principal broker of a 12-agent Ontario mortgage brokerage now carries personal regulatory exposure for IT incidents, supervision lapses, and certification accuracy in a way the role did not carry five years ago. According to FSRA enforcement decisions in the 2024-26 cluster, the AMPs landed personally against principal brokers in roughly half of the cases involving supervision or record-keeping themes.
The board conversation a principal broker has with the brokerage’s ownership now needs to map cyber spend, supervision discipline, and notification readiness to that personal exposure (FSRA, 2024-26 enforcement decisions).
The conversation I now coach every principal broker through before the year-end ownership meeting has the same three lines. One, here is the FSRA expected practice. Two, here is what the brokerage runs today against that expectation. Three, here is the cost of closing the gap, and the cost of not closing it.
The cost-of-action versus cost-of-inaction math
The cost of closing the gap, for a 12-agent shop, lands inside the brokerage’s existing operating budget. The Microsoft 365 Business Premium licensing is already in place at most brokerages I work with; the security features inside it are what I need to walk the brokerage manager through turning on. The runbook costs less than a single AMP in the cluster. The annual cybersecurity tabletop drill takes less time than a typical compliance audit prep.
The cost of not closing the gap is harder to estimate, and that is the line that lands. A single AMP in the 2024-26 cluster ran up to roughly $100K against a principal broker personally. A re-underwriting outcome on the E&O policy can add five to fifteen thousand dollars in additional premium per year. A FINTRAC enforcement file stacked on top of an FSRA file can compound for years.
The principal broker on the Tuesday call had the board conversation in March. I sat in the second half of the meeting at her request. By the May ownership meeting, the 90-day sprint was complete, the E&O renewal was in hand at a flat rate, and the brokerage manager was the named FSRA notification contact in the policy. The board took the conversation seriously because the principal broker was on the line personally.
For the architecture of the broader brokerage cybersecurity program (the cross-vertical FSRA + MBRCC + RIBO mapping, the 90-day deployment, and the 12-row spine matrix), work through the full MBRCC + RIBO + FSRA brokerage cybersecurity guide.
Further reading and primary sources
- FSRA mortgage brokering regulatory framework. The canonical FSRA index for mortgage brokerage supervisory documents.
- FSRA general insurance regulatory framework. FSRA supervisory expectations for the insurance brokerage sector.
- OSFI B-13 Technology and Cyber Risk Management. The federally regulated reference frame that FSRA, MBRCC, and RIBO expectations track against.
- PIPEDA statute (Justice Canada). The federal private-sector privacy statute. It applies directly to Ontario brokerages; BC, Alberta, and Quebec apply their own substantially similar provincial statutes to intra-provincial activity.
- Canadian Centre for Cyber Security guidance library. ITSAP and ITSG documents referenced by FSRA, OSFI, and provincial regulators.
HOW THIS GUIDANCE WAS ASSEMBLED
This article draws on FC's anonymized client data across multiple 2025-26 Ontario mortgage and insurance brokerage engagements, including the composite principal-broker engagement described above, drawn from three Ontario mortgage brokerages whose FSRA cyber-readiness reviews we led under MBRCC principles (names and identifying details changed, as noted at the top).
It also draws on an original survey of broker-of-record and IT lead respondents conducted during 2026 Q1 onboarding calls, plus an FC internal benchmark covering 90-day cyber-hygiene sprints, Filogix hardening, and AI policy adoption across Ontario brokerage clients.
Layered over all of it is first-person field observation from CEO Mike Pearlstein's practice supporting Ontario brokerages through FSRA-graded technology change since 2012.
Frequently Asked Questions
What is the $875K FSRA mortgage brokerage penalty figure?
FSRA imposed approximately CAD $875K in cumulative administrative monetary penalties on Ontario mortgage brokerages, principal brokers, and individual agents across the 2024-26 enforcement window. The figure is aggregate, not a single penalty against a single brokerage.
The decisions in the cluster cover suitability, supervision, record-keeping, and unsuitable-recommendation themes named in the 2025-26 Mortgage Brokering Sector Supervision Plan. Cybersecurity, identity-verification, and record-keeping gaps were contributing facts in roughly a third of the decisions.
When does the FSRA IT Risk Incident Notification clock actually start?
The clock under FSRA’s IT Risk Management Guidance fires the moment brokerage staff confirm a material IT incident. It does not wait until the principal broker is told about it or reached on the phone.
The practical implication is that the brokerage manager and any senior staff who first confirm unauthorized access, account compromise, or unexpected lender-channel activity are operating inside the regulatory clock from the moment of confirmation. The brokerage policy should name an alternate filing authority so the form can be filed without waiting for the broker-of-record.
Does FSRA penalize principal brokers personally or just brokerages?
Both. The 2024-26 enforcement cluster includes decisions naming brokerages, principal brokers in their individual licensed capacity, and individual mortgage agents. Roughly half of the supervision-themed decisions named the principal broker personally.
The largest single AMPs in the cluster exceeded $100K against principal brokers personally. The implication for brokerage ownership is that a principal broker’s personal regulatory exposure now competes with the brokerage’s entity-level exposure when allocating supervision and cybersecurity spend.
How do the MBRCC 9 cybersecurity principles map to what FSRA actually expects?
The Mortgage Broker Regulators’ Council of Canada (MBRCC) published its Principles for Cybersecurity Preparedness for the Mortgage Brokering Sector in April 2024. FSRA adopted the principles into the 2024-26 mortgage brokering supervision framework.
The 9 principles cover governance, risk assessment, asset inventory, access controls, threat detection, response planning, recovery, third-party risk, and ongoing training. A brokerage that operationalizes the principles in a six-page runbook is generally considered FSRA-defensible without adopting a separate framework on top.
Does an E&O carrier ask about FSRA enforcement history at renewal?
Yes. Errors and omissions carriers underwriting Ontario mortgage brokerages now ask explicitly about FSRA notifications filed during the policy year, incident response plan documentation, MFA coverage, and lender-channel credential management.
A no on any of those questions converts a routine renewal into a re-underwriting exercise. Brokerages with documented IT incident response plans and a clean notification record typically renew at flat or near-flat premiums in the current market.
What does the 2025-26 FSRA supervision plan focus on for mortgage brokerages?
The 2025-26 Mortgage Brokering Sector Supervision Plan names four areas of supervisory focus: principal broker accountability, suitability review, private-lender disclosure, and IT risk management. The plan confirms FSRA’s adoption of the MBRCC 9 cybersecurity principles.
The supervision plan is the document FSRA inspectors work from when they conduct on-site reviews. A brokerage that maps its program to the four focus areas in advance of an inspection generally moves through the review without compliance findings.
What is the cheapest defensible cybersecurity stack for a 12-agent brokerage?
A 12-agent Ontario mortgage brokerage running Microsoft 365 Business Premium with the security features turned on lands around CAD $32 per user per month for the licensed control set. The licensing is the small number; the runbook discipline is what produces the FSRA-defensible posture.
The runbook covers asset inventory, MFA on every account, conditional-access policies, audit log retention, weekly sign-in review, and a tabletop drill twice a year. The total annual cost for a 12-agent shop runs below the smallest AMP in the 2024-26 enforcement cluster.
Should the brokerage manager have authority to file with FSRA without the principal broker?
Yes. The single clause every brokerage IT incident response plan should now include is one that grants the brokerage manager (or another named senior role) standing authority to file the FSRA IT Risk Incident Notification Form within the window even if the principal broker is unreachable.
The principal broker reviews and signs the disclosure after the file is open. The clock under FSRA’s IT Risk Management Guidance runs against the brokerage, not against the broker-of-record’s schedule. Naming the delegation in advance removes the judgment call at the moment of the incident.
Bottom Line
The 2024-26 FSRA enforcement cluster of roughly $875K in mortgage brokerage AMPs reads as a story about supervision discipline, notification delegation, and a runbook the brokerage manager can run when the principal broker is in a car. The cluster is about discipline rather than exotic attacks.
I watched one twelve-agent Mississauga brokerage rebuild that runbook in 90 days and come out the other side with a flat E&O renewal, a tabletop-tested incident response plan, and a named FSRA filing path that does not wait on the broker-of-record’s phone. Work through the full FSRA-aligned brokerage cybersecurity playbook for the architecture, then come back and run the 90-day sprint above.