Every reporting entity under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (including, since April 1, 2025, dealerships and leasing companies who finance on their own paper) must maintain a compliance program with five required elements. Not four, not "most of them": FINTRAC's guidance treats all five as mandatory, and the absence of any one is a violation on its own.

Here's what each element actually means for a financing or leasing business.

1. A designated compliance officer

Someone must be appointed to be responsible for the program: by name, not by department. In a small dealership this is typically the dealer principal or controller; in a larger group it may be a dedicated role.

What examiners look for: the appointment is documented, the person actually knows the program, and they have the authority to make it stick, including with the sales team on a busy Saturday.

2. Written policies and procedures

Your policies and procedures describe how your business meets its obligations: how you identify clients and when, what records you keep and where, how staff recognize and escalate suspicious activity, how reports get filed, and who does each step.

The most common failure isn't a missing binder: it's a binder that doesn't match reality. If your procedure says "ID is verified before contract signing using the government-issued photo ID method" and your deal files show photocopied IDs collected days later, the mismatch is the finding.

3. A documented risk assessment

You must assess and document the money-laundering and terrorist-financing risk of your business across your clients and business relationships, products and services, delivery channels, and geography, and describe how you mitigate the higher-risk parts.

For a dealership or leasing company, that means honestly answering questions like: do we take large cash deposits? Do we write deals for clients we never meet in person? Do we finance for out-of-province or corporate buyers whose ownership is opaque? High-risk answers aren't a problem: an undocumented or unmitigated high risk is.

4. An ongoing training program

Everyone who deals with clients or handles transactions needs training on your obligations and your procedures, and the training must be ongoing, not a one-time onboarding slide.

The operative word at exam time is records: who was trained, on what, when, with evidence of completion. See the FAQ below for what counts.

5. A two-year effectiveness review

At least every two years, the program must be tested for effectiveness and the results documented: were policies followed? Were records complete? Did training happen? What gaps were found and what was the follow-up plan?

The review can be done internally (by someone other than the compliance officer where feasible) or externally. For financing and leasing businesses, whose obligations took effect April 1, 2025, the clock is already running: the first review falls due by April 2027 at the latest, and doing one earlier is both allowed and wise.

The thread that ties them together: evidence

Notice the pattern. Every element is really two requirements: do the thing, and be able to prove you did the thing. That's why a program built the week before an exam fails: the documents can be written quickly, but the records (deal-level ID evidence, training completions, a dated risk assessment) only exist if they were captured as business happened.

Run your own gap check against these five elements with the free 12-item readiness checklist, or let Provasure generate the program documents, capture the evidence deal-by-deal, and track training automatically.


Sources: FINTRAC's compliance program requirements are set out in its official guidance at fintrac-canafe.canada.ca. Always verify your obligations against the current guidance.