Canadian dealerships offering vehicle financing or leasing became reporting entities under the PCMLTFA on April 1, 2025. The education year is over. Year two is examination season. Here's the complete picture: who's covered, what's required, what examiners look at, and what the technology gap costs dealerships that get it wrong.
April 1, 2025 was the date Canadian auto dealerships joined the reporting entity population under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). On that date, any dealership offering financing or leasing of passenger vehicles, or any vehicle valued at $100,000 or more, became subject to FINTRAC's anti-money-laundering framework. The first year was structured as an education window, with FINTRAC emphasizing outreach and guidance over enforcement. That year has ended. Year two is examination season.
More than 13 months after the effective date, FINTRAC has shifted its posture decisively toward enforcement. The PCMLTFA amendments that received Royal Assent on March 26, 2026 expand FINTRAC's penalty authority materially, with statutory ceilings reaching 40 times previous maximums for prescribed violations. Bill C-12, introduced October 8, 2025, proposes universal enrolment requirements that would bring every dealership formally onto FINTRAC's enrolment register, on top of the obligations that already apply.
This guide covers the complete PCMLTFA framework for Canadian auto dealerships in 2026: who is covered, what every dealership must have in place, what examiners look at in practice, and how dealerships can use deepidv's verification engine and agentic compliance suite to compress the compliance load from a procedural drag to a one-click step at the F&I desk.
If your dealership offers financing or leasing on vehicles in Canada, you are a reporting entity under the PCMLTFA. You must maintain a written AML/ATF compliance program with senior-officer approval, verify customer identity using FINTRAC-prescribed methods, file large cash transaction reports for any cash payment of $10,000 CAD or more, file suspicious transaction reports without delay even when a transaction does not proceed, maintain records for five years, conduct an independent effectiveness review at least every two years, and train every employee whose role touches an AML control. The education window is over. Examinations have started.
The expansion of PCMLTFA to financing and leasing entities was not random. The Financial Action Task Force (FATF) had flagged vehicle financing as a known money laundering vector for years. Luxury and exotic vehicles in particular are routinely used to launder funds through structured financing arrangements, captive lender pass-throughs, and trade-in cash components that combine to legitimize otherwise traceable currency.
FINTRAC's first-year posture explicitly emphasized engagement, outreach, and guidance over enforcement. The agency stated that it would focus on developing sector-specific guidance, industry consultation, and capability-building for new reporting entities. That posture was time-limited. As of April 1, 2026, the engagement window closed and examination capacity has been allocated to the dealership population.
The Used Car Dealers Association of Ontario (UCDA) and other industry associations submitted comments during the original consultation arguing for a later effective date and a longer education window. The original proposed effective date had been October 1, 2025, but the implementation was accelerated to April 1, 2025. Dealerships that operated on the assumption of the longer runway now face a compressed timeline to remediate any compliance gaps.
A "financing or leasing entity" is subject to the PCMLTFA when it engages in the business of financing or leasing of property in any of the following categories:
Passenger vehicles, defined under the regulations as motor vehicles designed or adapted primarily to carry no more than 10 individuals on highways and streets. Excluded from the definition: ambulances, hearses, motor vehicles clearly marked for policing activities, motor vehicles clearly marked and equipped for emergency medical or fire response, and utility trucks.
Property valued at $100,000 or more, excluding real property (which falls under separate FINTRAC obligations covered in our real estate broker guide).
Property for business purposes, excluding real property.
The reporting obligation attaches to the dealership operating the financing or leasing function. Dealerships that source all financing through third-party lenders without any in-house finance product may be outside the reporting entity scope, but the practical reality is that almost every Canadian dealership of meaningful scale has at least some in-house captive financing exposure that brings it within the regulatory perimeter.
The PCMLTFA framework applies to dealerships with the same core obligations that apply to banks, credit unions, and other long-regulated entities. Compliance is not optional. The dealership must build and maintain each of the following.
Every dealership must designate a compliance officer and maintain a written program approved by a senior officer. The program must document the dealership's risk-based approach, articulate policies and procedures, define a training plan, and establish the review cycle. Generic compliance manuals downloaded from the internet do not satisfy this obligation. FINTRAC examines whether the program reflects the dealership's actual risk profile, transaction mix, and operational footprint.
The dealership must conduct and document a risk assessment that addresses products and services, geography, clients, and other PCMLTFA-defined dimensions. Across all reporting entity sectors, 63 percent of penalized firms had risk assessment deficiencies. The most common findings are insufficient detail, generic checklists without analysis, and missing dimensions specific to the dealership's business (for example, exotic vehicle financing, fleet leasing, cross-border buyer flows).
Identity verification must be conducted using FINTRAC-prescribed methods at every PCMLTFA-defined trigger point. For dealerships, the primary trigger is the establishment of a financing or leasing relationship. FINTRAC accepts documentary, credit file, dual process, reliance, and affiliate or agent methods. Whatever method the dealership uses, it must be reliable and proportionate to the risk.
The F&I desk is where this obligation is operationally tested. A finance manager rushing a customer through identification at month-end is the single most common origin of recordkeeping failures, and recordkeeping failures appear in 63 percent of FINTRAC AMPs.
Three reports drive most of the regulatory burden:
Large Cash Transaction Reports (LCTRs) must be filed for any single cash payment of $10,000 CAD or more, or for two or more cash payments within 24 hours that aggregate to $10,000 or more.
Suspicious Transaction Reports (STRs) must be filed without delay when the dealership has reasonable grounds to suspect a transaction is related to money laundering or terrorist financing. The STR requirement is triggered by the suspicion, not by the transaction closing. A customer who walks away from a deal after the dealership flags concerns still produces an STR obligation.
Large Virtual Currency Transaction Reports (LVCTRs) apply when virtual currency payments are made or received in amounts of $10,000 or more in equivalent CAD value.
Every PCMLTFA-required record must be retained for five years, accessible to FINTRAC within 30 days of a request. This includes customer information records, identification records, receipt-of-funds records, large cash transaction records, transaction logs, and account opening records.
The dealership must commission an independent review of the AML program at least every two years. The reviewer must be qualified, independent of the compliance officer, and authorized to examine the full scope of the program. Over half of FINTRAC AMPs cite missing or inadequate prescribed reviews.
Every employee whose role touches an AML control must receive ongoing, documented training. Training plans must specify frequency, delivery method, and content scope. Training records must demonstrate completion by named individuals. FINTRAC examiners routinely ask for training rosters during examinations.
A FINTRAC examination for a dealership follows the same general framework that applies to other reporting entity sectors. The examiner issues a notification call, then a formal request letter, then conducts document review, interviews, and a findings report.
In practice, the examiner targets evidence that the program operates as documented, not just that it exists. Specific evidence requests for dealerships typically include: the complete written compliance program with senior-officer approval signatures, the most recent risk assessment, sample customer identification records for a defined audit period, complete LCTR and STR submission logs with detailed transaction context, training records by named employee, the most recent prescribed review report, and operational records for any transactions flagged or near-threshold.
The F&I desk is the highest-leverage examination area for dealerships. Examiners often request a sample of finance applications from the audit period and trace each one through the identification, screening, and recordkeeping process. Gaps in any step produce findings, and findings compound into penalty calculations.
The AMP regime in March 2026 substantially raised the ceiling for non-compliance. The new statutory authority allows penalties up to 40 times prior maximums for prescribed violations, with ability-to-pay considerations factored in. For an entity, very serious violations now carry penalties up to multiples of the prior $500,000 ceiling.
Industry-specific AMPs in the dealership population have not yet been published in volume because the population only became reporting entities in April 2025, but the trajectory across adjacent sectors is the clear leading indicator. MSBs, real estate brokers, and other newly added populations have all faced penalty quanta exceeding initial expectations. The British Columbia Lottery Corporation's appeal of a $1,075,000 penalty for administrative deficiencies, the $176 million in cumulative penalties FINTRAC issued in the most recent enforcement wave, and the Pan Pacific Platinum Real Estate Services $282,000 penalty all point in the same direction.
The public-notice mechanism amplifies the consequence. FINTRAC publishes the dealership name, deficiencies, and penalty amount on its public register, with reputational impact that precedes any appeal outcome. For dealerships dependent on lender relationships, OEM franchise agreements, and consumer trust, a public penalty notice has commercial implications well beyond the cash amount.
Three failure modes account for the majority of dealership compliance exposure.
Manual customer identification at the F&I desk is the primary failure source. A finance manager photographs a driver's license, files it in the deal jacket, and moves on. There is no facial biometric match, no liveness check, no automated screening against sanctions or PEP lists. The recordkeeping requirement is technically met on the document side, but the verification quality is insufficient to pass a FINTRAC examination's substantive review. When examiners ask how the dealership confirmed the customer was actually the person on the license, the answer is usually "the finance manager looked at them."
The STR trigger misunderstanding is the second most common failure. Many dealerships still believe an STR only fires when a transaction closes and money laundering is confirmed. The statutory threshold is reasonable grounds to suspect, which is materially lower than reasonable grounds to believe. STRs filed late or not at all produce 51 percent of report-filing penalties across reporting entities.
The prescribed review gap is the most easily preventable failure. A dealership that has never commissioned an independent review of its AML program is exposed to a near-guaranteed examination finding. The review is a fixed-cost operational decision that pays for itself the first time it surfaces a remediable gap before FINTRAC does.
The technology gap underneath all three failures is the same. Manual processes cannot scale to the volume of finance applications a typical dealership processes, cannot enforce policy consistency across multiple F&I managers, and cannot produce the cryptographic audit trail that a defensible examination response requires. Detailed analysis of why manual identity verification fails in high-volume settings is covered in our buyer evaluation framework for identity verification software.
Synthetic identity fraud has escalated dramatically in vehicle finance through 2025-2026. The same generative AI tooling that produces convincing fake driver's licenses for synthetic identity fraud in mortgage origination feeds directly into auto finance applications. Synthetic identity packages combine an AI-generated identity document with fabricated supporting documents (pay stubs, utility bills, employment verifications) that pass manual review at near-100 percent rates.
Vehicle finance is an attractive target because the underwriting decision-to-funding window is short, the loss given default is relatively contained, and the synthetic identity can be used multiple times across multiple dealerships before any one institution recognizes the pattern. A finance manager reviewing scanned documents on a screen has effectively no chance of detecting a sophisticated synthetic identity package.
The defense is not better visual review. It is cryptographic identity verification with active liveness detection, deepfake-specific document forensics, and a unified watchlist screen against sanctions, PEP, and adverse media in a single workflow.
deepidv compresses the F&I compliance step from a 12-to-15-minute manual workflow into a single tap. When a customer applies for financing or a lease, the dealership initiates a verification from the deepidv Back Office dashboard or via API integration with the dealership management system. The customer receives a secure link on their phone, captures their identity document, passes facial biometric matching with active liveness detection, and gets screened against PEP and sanctions lists. The full verification completes in under 30 seconds.
deepidv's verification engine accepts government-issued identification from 211 countries, which matters for dealerships that finance or lease to recent immigrants, international students, or buyers with non-Canadian primary documentation. The same workflow handles every document type without configuration changes.
The deepfake document defense is built into the document authentication layer. FaceX/TripleLock identifies synthetic identity attacks that defeat conventional document review, including AI-generated identity documents, deepfake selfie attacks during the liveness step, and presentation attacks designed to defeat traditional facial recognition. Detection accuracy on synthetic documents in the deepidv dataset exceeds 99 percent, with detailed performance metrics in our 2026 liveness detection comparison.
Every verification produces a cryptographically signed record. The deepidv chain layer, live in production on Base mainnet as of May 2026, signs each verification with AWS KMS hardware-key custodianship and anchors a hourly Signed Tree Head to the blockchain. FINTRAC examiners can independently verify any past verification at proof.deepidv.com.
For risk-based ongoing monitoring, Arbiter continuously screens the dealership's customer base against sanctions list updates, PEP changes, and adverse media. The compliance officer reviews flagged events rather than chasing a manual screening calendar. SAR drafting is supported by Luna, the deepidv AI compliance co-pilot trained on 162+ regulatory bodies including FINTRAC.
Five-year recordkeeping is automatic. Every verification, every screening result, every transaction log is retained with cryptographic provenance and is accessible to FINTRAC within the 30-day response window.
For dealerships preparing for their first FINTRAC examination, the deepidv Back Office produces the examiner-facing evidence package: complete records by customer, training completion rosters, prescribed review export, LCTR and STR submission logs, and policy-document trail with version control. The dealership's compliance officer reviews and signs; the platform produces the evidence.
Q: Does my dealership need to register with FINTRAC right now? A: Today, no. Dealerships are reporting entities subject to PCMLTFA obligations but, unlike money services businesses, are not required to formally register or enrol with FINTRAC. Bill C-12 proposes universal enrolment, which would change this once regulations are published in the Canada Gazette, Part II.
Q: What if my dealership only offers financing through third-party lenders and doesn't have any captive finance? A: If the dealership has no direct financing or leasing role, it may be outside the reporting entity scope. However, most dealerships have at least some financing exposure (signing finance contracts in-house even when funded by third-party lenders) that brings them within scope. Legal review of the specific facts is recommended.
Q: How is the $100,000 threshold for non-passenger vehicles applied? A: The threshold applies to the value of the property being financed or leased, not the financing amount. A $120,000 vehicle financed with a $30,000 down payment is still in scope.
Q: Do trade-ins count toward the $10,000 cash threshold? A: Trade-ins themselves are not cash, but cash components of a deal (whether from the customer or applied to trade-in equity) count toward the $10,000 LCTR threshold. Aggregation rules apply within 24-hour windows.
Q: What happens if my dealership has not been compliant since April 1, 2025? A: FINTRAC's first-year posture was educational, which provides some buffer for good-faith program build during 2025. However, the agency's expectation as of 2026 is that every dealership has a compliant program in place. Dealerships that are behind should commission a gap assessment and a prescribed review immediately. Penalty exposure increases the longer the gap remains.
Q: Can I delegate identity verification to a third-party provider? A: Yes. FINTRAC permits identity verification conducted through reliable third-party electronic providers. The dealership remains legally responsible for the verification. Provider contracts, accuracy testing, and supporting documentation should be maintained.
Go live in minutes. No sandbox required, no hidden fees.
From AMLD6 to state-level FinTech regulations, the compliance landscape for identity verification is shifting rapidly. Here is what your compliance team needs to know.
Generative AI has broken the assumptions underlying most identity frameworks. Regulators are responding with new rules, and the industry must adapt. Here is the current state of AI identity regulation worldwide.
The global AML regime generates more false positives than it catches genuine money laundering. Here is why static rule-based monitoring fails — and what AI-driven approaches change.
