Compliance program requirements


November 2021

This guidance came into effect on June 1, 2021.

The compliance program requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and associated Regulations apply to all reporting entities (REs).

This guidance answers the following questions:

  1. What is a compliance program and what are the requirements related to my compliance program?
  2. Who can be a compliance officer and what are the responsibilities of a compliance officer?
  3. What are the requirements related to my compliance policies and procedures?
  4. What are the requirements related to my risk assessment?
  5. What are enhanced measures?
  6. What are the requirements related to my training program and plan?
  7. What are the requirements related to my two-year effectiveness review and plan?

1. What is a compliance program and what are the requirements related to my compliance program?

A compliance program is a program established and implemented by an RE and is intended to ensure their compliance under the PCMLTFA and associated Regulations. A compliance program forms the basis for meeting all of your reporting, record keeping, client identification and other know-your-client requirements under the PCMLTFA and associated Regulations. All REs must establish and implement a compliance program (Footnote 1).

Specifically, all REs must implement the following elements of a compliance program by (Footnote 2):

2. Who can be a compliance officer and what are the responsibilities of a compliance officer?

Depending on the size of your business, you could be the appointed compliance officer, or it could be another individual, such as:

If you are a person rather than an entity, such as a sole proprietor, you can appoint yourself as the compliance officer, or you may choose to appoint someone else to help you implement the compliance program.

As a best practice, the appointed compliance officer of a larger business should not be directly involved in the receipt, transfer or payment of funds. The appointed compliance officer should also have independent oversight and be able to communicate directly with those parties who make decisions about the business such as senior management or the board of directors.

Appointing someone to be your compliance officer alone does not fulfil your compliance program requirements. The appointed compliance officer is responsible for implementing all elements of a compliance program (Footnote 3). Therefore, a compliance officer needs to:

A compliance officer may delegate certain duties to other employees. For example, the compliance officer of a large business may delegate responsibility to an individual in another office or branch. However, the compliance officer remains responsible for the implementation of the compliance program.

While the compliance officer is appointed, it is the RE's responsibility to meet its compliance program requirements under the PCMLTFA and associated Regulations.

3. What are the requirements related to my compliance policies and procedures?

Your compliance policies and procedures must be (Footnote 4):

Your policies and procedures should be made available to all those authorized to act on your behalf, including employees, agents and any others that deal with clients, transactions, or other activities.

Your compliance policies and procedures should cover at minimum the following requirements as applicable to you as an RE:

Your compliance policies and procedures should also include the processes and controls you have put in place to meet your requirements, including:

Your policies and procedures must also describe the steps you will take for all the obligations that require you to take reasonable measures. For example, when you are required to take reasonable measures to obtain information to include in a report, your policies and procedures must describe the steps you will take, which could include asking the client.

If your RE sector has an industry association or governing body that has provided you with a generic set of policies and procedures, you must tailor them to your business.

The level of detail in your compliance policies and procedures will depend on your business's size, structure, and complexity, and degree of exposure to ML/TF risks.

4. What are the requirements related to my risk assessment?

Your compliance program must include policies and procedures that you develop and apply to assess your ML/TF risks in the course of your activities (Footnote 5). When assessing and documenting your ML/TF risks, you must consider the following (Footnote 6):

If, at any time, you consider the risk of an ML or TF offence to be high, you must take enhanced measures.

Please see FINTRAC's Risk assessment guidance for further information on risk assessments and risk mitigation.

5. What are enhanced measures?

Enhanced measures are the additional controls and processes that you have put in place to manage and reduce the risks associated with your high-risk clients and business areas. As part of your compliance program, you must develop and apply written policies and procedures for the enhanced measures that you will take for any ML or TF risks you identify as high (Footnote 8).

Your policies and procedures for enhanced measures must include (Footnote 9):

Enhanced measures to mitigate risk can include:

6. What are the requirements related to my training program and plan?

If you have employees, agents or mandataries, or other persons authorized to act on your behalf, you must develop and maintain a written, ongoing compliance training program (Footnote 10). Your training program should explain what your employees, agents or mandataries, or other persons authorized to act on your behalf, need to know and understand, including:

You must institute and document a plan for your ongoing compliance training program and for delivering the training (Footnote 11). Your training plan should cover how you will implement your ongoing compliance training program and its delivery. This includes documenting the steps you will take to ensure your employees, agents or mandataries, or other persons authorized to act on your behalf receive an appropriate level of training relevant to their duties and position, on an ongoing basis. Your training plan should include information about the following:

Training recipients

Your training plan should explain who will receive training. Training recipients should include those who:

Training topics and material

Your training plan should outline the topics that will be covered in your training program. It should also include the sources of the training materials that will cover these topics.

Training methods for delivery

Your training plan should describe the training method(s) that you will use to deliver your ongoing compliance training program. Training methods could include self-directed learning (where recipients read materials on their own, register for on-line courses or use e-learning materials), information sessions, face-to-face meetings, classroom, conferences, and on-the-job training where instruction is provided. Instructors can be in-house personnel or an external service provider, but they should have knowledge of the PCMLTFA and associated Regulations. If you decide to use in-house personnel, you may need to hire or allocate staff to provide training. If you decide to use an external service provider, you may need to determine whether their services and training content are suitable for your business. You can use one or more training methods. The method(s) that you choose may depend on the size of your business and the number of people that need to be trained.

Training frequency

Your training plan should describe the frequency of your ongoing compliance training program. Training can be delivered at regular intervals (for example, monthly, semi-annually, annually), when certain events occur (for example, before a new employee deals with clients, after a procedure is changed), or by using a combination of both.

Your ongoing compliance training program and plan should be tailored to your business's size, structure and complexity, and its degree of exposure to ML/TF risk. For example, if you are a large business, you may decide to provide different types of training to your employees, agents or mandataries, or other persons authorized to act on your behalf based on their specific roles and duties (for example, general or specialized training). This should be explained in your training plan.

Your training program should also include a record of the training that has been delivered (for example, the date the training took place, a list of the attendees who received the training, the topics that were covered). Training records will help you keep track of the training and assist you in scheduling the next training dates. They will also demonstrate that you are carrying out your training program on an ongoing basis.

Note: If you are a sole proprietor with no employees, agents or other individuals authorized to act on your behalf, you are not required to have a training program, nor are you required to have a training plan in place for yourself.

7. What are the requirements related to my two-year effectiveness review and plan?

A two-year effectiveness review is an evaluation that must be conducted every two years (at a minimum) to test the effectiveness of the elements of your compliance program (policies and procedures, risk assessment, and ongoing training program and plan). You must start your effectiveness review no later than two years (24 months) from the start of your previous review. You must also ensure that you have completed your previous review before you start the next review.

The purpose of an effectiveness review is to determine whether your compliance program has gaps or weaknesses that may prevent your business from effectively detecting and preventing ML/TF. Your effectiveness review will help you determine if:

The review must be carried out and the results documented by an internal or external auditor, or by yourself if you do not have an auditor (Footnote 12). Your review should be conducted by someone who is knowledgeable of your requirements under the PCMLTFA and its associated Regulations. Also, as a best practice, to ensure that your review is impartial, it should not be conducted by someone who is directly involved in your compliance program activities. Regardless of who carries out the review, as an RE it is your responsibility to ensure that the review is conducted (at a minimum) every two years and that the review tests the effectiveness of your compliance program.

You must also institute and document a plan for the two-year effectiveness review of your compliance program (Footnote 13). This plan should describe the scope of the review and must include all the elements of your compliance program. The breadth and depth of review for each element may vary depending on factors such as the complexity of your business, transaction volumes, findings from previous reviews, and current ML/TF risks. Your plan should not only describe the scope of the review, but it should include the rationale that supports the areas of focus, the time period that will be reviewed, the anticipated evaluation methods and sample sizes.

The evaluation methods can include, but are not limited to, interviewing staff, sampling records and reviewing documentation. The following are examples of what can be included in your review:

You should also document the following in your two-year effectiveness review:

If you are an entity, you must report, in writing, the following to a senior officer no later than 30 days after the completion of the effectiveness review (Footnote 14):