AML and KYC for Alberta iGaming Operators: FINTRAC Obligations, AGLC Standards, and PIPA

Alberta’s regulated iGaming market opened on July 13, 2026, and every registered operator entered that market as a reporting entity under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). That status is not optional and is not conferred by AGLC registration: it arises automatically by statute. Operators who have built their compliance programmes primarily around the AGLC Standards and Requirements for Internet Gaming (SRIG, issued January 14, 2026) must understand that the SRIG’s internal-controls requirements operate in addition to, not instead of, FINTRAC’s obligations. In several areas the SRIG sets a materially higher standard than PCMLTFA minimums.

This article maps the full AML/KYC obligation stack for Alberta iGaming operators: FINTRAC reporting thresholds, client identification, PEP and HIO screening, enhanced due diligence triggers, source of funds requirements, transaction monitoring, five-year record retention, and the interaction between KYC data collection and the Personal Information Protection Act (PIPA). Compliance officers should treat this as a structured reference rather than a substitute for formal legal advice tailored to their specific operating model.

Operator Status Under the PCMLTFA: Why “Casino” Matters

Under the PCMLTFA, the term “casino” captures government-operated gaming organizations and private operators licensed or registered under provincial lottery schemes. AGLC-registered operators providing internet gaming under the iGaming Alberta Act fall within that definition. The PCMLTFA imposes a distinct and mandatory compliance programme structure on casinos that differs from the requirements applied to financial institutions, money services businesses, and other reporting entity categories.

FINTRAC supervises reporting entities directly and independently of provincial gaming regulators. A finding by AGLC that an operator’s internal controls are satisfactory provides no protection against a FINTRAC administrative monetary penalty. The Saskatchewan Indian Gaming Authority received a C$1.175 million penalty from FINTRAC in September 2025 (according to Canadian Gaming Business, September 12, 2025), and the BC Lottery Corporation faced a C$1 million fine that it subsequently appealed (according to Casino.org, August 28, 2025). Both cases illustrate that gaming regulators with mature AML frameworks are not immune from FINTRAC enforcement.

What Reporting Obligations Apply to Alberta iGaming Operators?

FINTRAC requires casino reporting entities to file six categories of reports. Four are directly relevant to online gaming operations.

A Large Cash Transaction Report (LCTR) is required whenever a casino receives C$10,000 or more in cash in a single transaction, or two or more cash amounts totalling C$10,000 or more that are made within 24 consecutive hours by or on behalf of the same person or entity. In an online environment, “cash” extends to certain aggregated payment scenarios, but the primary exposure for iGaming operators arises through deposit mechanics and payment processor integrations that could facilitate structuring. The LCTR must be filed within 15 days of the transaction.

A Suspicious Transaction Report (STR) must be submitted as soon as practicable, FINTRAC guidance describes this as prioritising the STR above other tasks, whenever there are reasonable grounds to suspect that a completed or attempted transaction is related to money laundering or terrorist financing. There is no monetary threshold for STRs. The obligation arises from reasonable grounds to suspect, a lower standard than reasonable grounds to believe. Operators must not tip off the client that an STR has been filed.

An Electronic Funds Transfer Report is required for international EFTs of C$10,000 or more. For Alberta iGaming operators, this will be triggered by cross-border deposit and withdrawal flows involving international payment processors or e-wallets. The report must capture sender and beneficiary information to a standard that supports downstream intelligence use.

A Large Virtual Currency Transaction Report is required when C$10,000 or more in virtual currency is received in a single transaction. Operators accepting cryptocurrency deposits must have automated monitoring in place for this threshold.

For records rather than reports, a separate threshold applies: operators must keep a record of every funds transfer of C$3,000 or more, capturing the name and address of the requester, the account number or client reference, and the name of the beneficiary financial institution.

Client Identification: What Must Be Verified and When?

FINTRAC requires reporting entities to verify client identity using prescribed methods before providing certain services. For casino operators, identity verification is required when a client conducts a transaction at or above the applicable threshold, when an STR is being prepared, and when the operator has doubts about the accuracy or adequacy of previously collected identification information.

The AGLC SRIG imposes an additional and operationally earlier trigger. Under section 4.4, player accounts must undergo age and identity verification before any account becomes active. The SRIG specifies that identity verification must authenticate the legal name, physical address, and date of birth of the individual at a minimum, and must confirm that the player does not appear on any exclusion lists or prohibition registers. This verification must be completed before a player is permitted to wager, not only when a reporting threshold is reached.

This is one of the clearest examples of the SRIG exceeding FINTRAC minimums. FINTRAC’s threshold-based identity verification permits some account activity before a client’s identity is fully verified, the SRIG closes that gap entirely by making account activation contingent on successful verification.

“Identity verification shall be undertaken before a player is allowed to place a wager. Third-party service providers may be used for identity verification as allowed by the regulatory body.”

Third-party KYC providers are permissible under both frameworks, but registered operators bear full responsibility for the adequacy of any third-party verification conducted on their behalf. The AGLC SRIG is explicit that operators are responsible for the actions of third parties they engage for any aspect of their gaming business in Alberta.

PEP and HIO Screening Requirements

Politically exposed persons (PEPs) and heads of international organizations (HIOs) are statutory categories under the PCMLTFA. A PEP is a person entrusted with a prominent public function, encompassing heads of state, ministers, senior legislators, senior military officers, senior executives of state-owned enterprises, and comparable roles, whether in Canada or abroad. An HIO is a person who heads an international organisation. The definitions extend to family members and close associates of both categories.

Casino operators must take reasonable measures to determine whether a client or the beneficial owner of a client is a PEP, a HIO, or a family member or close associate of either. This screening obligation is not threshold-triggered. It applies to every new client relationship and must be applied on an ongoing basis as risk profiles evolve.

Where a client is identified as a foreign PEP, enhanced due diligence is mandatory. The operator must take reasonable measures to establish the source of funds and source of wealth for that client, obtain senior management approval for the business relationship, and conduct enhanced ongoing monitoring of the relationship. For domestic PEPs and HIOs, the obligation is risk-based: EDD applies when the operator has determined that the client presents a higher ML/TF risk. FINTRAC’s compliance guidance requires that this risk determination be documented and that the rationale be retained as part of the client record.

FINTRAC’s compliance programme requirements specify that policies and procedures must address the handling of PEPs, HIOs, their family members, and their close associates. This must be written into the operator’s programme document, not merely applied as an informal workflow.

Enhanced Due Diligence Triggers Beyond PEPs

PEP and HIO status is the most clearly defined EDD trigger, but it is not the only one. FINTRAC’s risk assessment framework requires casino operators to identify all factors that elevate the ML/TF risk of a business relationship or transaction, and to apply measures proportionate to that elevated risk.

Standard EDD triggers for online gaming operators include clients whose source of funds cannot be verified through normal means, clients whose transaction patterns are inconsistent with their stated purpose or profile, clients located in or transacting through FATF-identified high-risk or monitored jurisdictions, clients using complex or opaque corporate ownership structures, and clients requesting unusually large or rapid withdrawals relative to their deposit history.

The AGLC SRIG adds a player risk-profiling obligation that goes beyond FINTRAC’s risk assessment framework in scope. Under the SRIG’s operational requirements, registered operators must have policies and a programme in place to assess and monitor player risk profiles in order to support the identification of players at moderate or high risk. The SRIG further requires that operators have an effective mechanism for monitoring player behaviour in a way that proactively identifies those who may be at risk of harm. While the SRIG frames this obligation primarily in responsible gambling terms, the same behavioural monitoring infrastructure is directly applicable to detecting unusual financial patterns that could indicate ML/TF activity.

Operators building transaction monitoring systems should design a unified monitoring architecture that satisfies both the FINTRAC risk-assessment obligation and the SRIG’s player behaviour monitoring requirement, rather than maintaining two separate systems.

Source of Funds: When Verification Is Required and What Is Acceptable

Source of funds (SOF) verification is not a blanket requirement for all players. FINTRAC requires it for foreign PEPs and where the risk assessment indicates elevated ML/TF risk. Operators must establish clear SOF trigger points based on cumulative deposit thresholds, transaction velocity, and behavioural indicators, and document those trigger points in their written policies.

Acceptable SOF documentation for online gaming clients typically includes payslips, bank statements, tax returns, confirmation of investment or asset sale proceeds, and equivalent certified documents for business income. For clients claiming income from a business, beneficial ownership documents and accounts may also be required. The standard is not that the operator is satisfied the funds are legitimate: it is that the operator has taken reasonable measures to establish that fact, and that those measures are proportionate to the assessed risk.

For high-risk clients, including foreign PEPs, the source of wealth (SOW) must also be established. SOW goes deeper than SOF: it addresses the total accumulation of the client’s assets, not merely the origin of the specific funds being deposited. In practice, this requires a combination of documentary review, open-source intelligence, and senior management sign-off before the relationship is continued or expanded.

Operators that apply SOF verification only when a single deposit crosses a fixed monetary threshold will fail FINTRAC’s risk-based expectations. The trigger must be the risk profile of the client and the transaction, not a mechanical threshold applied uniformly.

Transaction Monitoring: The FINTRAC and SRIG Standards

FINTRAC’s compliance programme requirements mandate ongoing monitoring of business relationships. At a minimum, the monitoring programme must include a review of transactions to assess whether suspicious transactions have been reported, a review of large cash transactions to confirm they were reported accurately and on time, and a review of EFTs to assess compliance with reporting obligations.

The FINTRAC effectiveness review, conducted at minimum every two years by an internal or external auditor, must test the adequacy of the monitoring programme. A monitoring system that generates reports without generating appropriate STRs, or that produces STRs inconsistently with the operator’s risk assessment, will fail this review.

The AGLC SRIG’s approach to unlawful activity monitoring, set out in the internal controls requirements under section 4.11, requires operators to conduct periodic risk assessments to determine the potential for unlawful activities including money laundering, fraud, theft, and cheat at play. Operators must also ensure that all relevant individuals involved in the operation, supervision, or monitoring of the gaming site remain current in the identification of techniques or methods used for the commission of crimes.

Significantly, the SRIG requires operators to report suspicious behaviour, cheating at play, and unlawful activities in accordance with the notification matrix. The AGLC notification matrix operates as a standards-based judgment tool linked to the SRIG, and notifications to AGLC under the matrix operate alongside, not instead of, STR filing obligations to FINTRAC.

Record-Keeping Requirements: Five Years Is the Floor

Under the PCMLTFA and associated Regulations (SOR/2002-184), casino operators must retain records for five years from the date a transaction is completed, the business relationship ends, or the record is created, whichever is applicable. This applies to identity verification records, client risk assessment records, all transaction records including LCTRs and EFT records, STR supporting documentation, and copies of all reports filed with FINTRAC.

FINTRAC’s compliance guidance is explicit that copies of all reports filed with FINTRAC and the supporting documentation used to prepare them must be retained and made available for inspection. In Ontario, the AGCO Registrar’s Standards for Internet Gaming (Standard 6.02) echo this requirement, mandating that copies of all FINTRAC reports and supporting documentation be retained. The AGLC SRIG imposes the same obligation through its general records and accuracy requirements under section 2.3.

Records must be stored in a form and format that allows them to be produced to FINTRAC, law enforcement, or AGLC inspectors on request. The SRIG gives AGLC inspectors the right to access all records, documents, and books of account, and operators are required to assist inspectors and provide access without delay. Storing records in formats that require proprietary software to decode, or in systems that are inaccessible during normal operations, does not satisfy this obligation in practice.

PIPA Alberta: How Privacy Law Intersects with KYC Obligations

Alberta’s Personal Information Protection Act (PIPA, S.A. 2003, c. P-6.5, consolidated to September 1, 2025) applies to every private-sector organisation conducting business in Alberta. For iGaming operators, PIPA governs the collection, use, disclosure, and retention of the personal information gathered through the KYC and AML processes required by FINTRAC and the SRIG.

Under PIPA section 16(1), an organisation may use personal information only for purposes that are reasonable. Under section 19(1), disclosure is also limited to reasonable purposes. These principles create a direct tension with the broad data appetites common in AML compliance programmes: operators who collect detailed financial information for SOF verification cannot repurpose that data for marketing or product personalisation without a separate and distinct consent basis.

The interaction with FINTRAC reporting requires careful structuring. FINTRAC STR filing is a legal obligation, and PIPA’s disclosure-without-consent provision at section 20(a) permits disclosure where a reasonable person would consider it to be clearly in the individual’s interests. The PCMLTFA mandates STR filing, that statutory obligation provides the legal basis for disclosure to FINTRAC without player consent, and the tipping-off prohibition in the PCMLTFA means operators must not inform the player that an STR has been filed.

Retention schedules present a practical compliance challenge. PIPA requires that personal information be retained only as long as necessary for the purposes for which it was collected. FINTRAC mandates a five-year retention period. These obligations can be reconciled by documenting the FINTRAC-mandated retention period as the lawful basis for retaining KYC and transaction records beyond their operational usefulness, and by implementing automated deletion protocols at the five-year mark unless a regulatory hold is in place.

The data privacy dimension has political salience in Alberta. A 2026 news report raised concerns about Bill 31, which permits AGLC to sell customer data held under the Play Alberta brand, drawing a challenge from the Alberta Privacy Commissioner, who described it as a precedent-setting conflict with the Protection of Privacy Act (POPA). While this directly affects AGLC as a public body rather than private operators (who are subject to PIPA rather than POPA), the episode signals that Alberta regulators and lawmakers are actively scrutinising data governance in the gaming context. Operators building KYC data architectures should anticipate that data practices will face regulatory attention from both FINTRAC and Alberta’s Office of the Information and Privacy Commissioner.

The Compliance Programme: Structural Requirements That Often Go Unbuilt

FINTRAC requires all reporting entities to have a written, senior-officer-approved compliance programme that covers five elements: a designated compliance officer with sufficient authority, written, current policies and procedures, a risk assessment specific to the operator’s business, products, delivery channels, and client base, an ongoing training programme with records of training delivered, and a two-year effectiveness review conducted by an auditor not directly involved in the compliance programme’s operation.

The two-year effectiveness review is frequently underweighted in pre-launch programme builds. It must test whether the operator’s actual practices match the written programme, whether the risk assessment is identifying and mitigating ML/TF risk effectively, and whether STRs and other reports are being filed accurately and on time. An effectiveness review that confirms the programme is theoretically well-designed but does not test operational outputs will not satisfy FINTRAC’s expectations.

The AGLC SRIG’s Control Activity Matrix (CAM) requirement adds a second audit layer. Before going live in Alberta’s iGaming market, registered operators must provide a CAM summarising their processes and controls related to the iGaming site. The CAM must be independently audited to confirm that controls have been designed to ensure compliance with the SRIG. This audit must be conducted by a unit not involved in developing the CAM, or by a designated external auditor. The CAM and its audit are AGLC-specific requirements with no direct FINTRAC equivalent, and they must be submitted before market entry.

Operators entering Alberta from Ontario should note that the AGCO Registrar’s Standards contain analogous AML obligations under Standard 6.02, including the PCMLTFA reference and the FINTRAC reporting requirement. The AGLC SRIG maps to similar principles, but the CAM audit requirement and the notification matrix framework operate differently. A full mapping of the Ontario framework is available in our analysis of Ontario iGaming compliance requirements.

The AGLC Control Activity Matrix audit and the FINTRAC two-year effectiveness review are not interchangeable. One tests SRIG compliance before market entry, the other tests PCMLTFA programme effectiveness at a minimum every two years after launch.

Where AGLC Standards Exceed FINTRAC Minimums: A Summary

The PCMLTFA establishes the mandatory floor. The AGLC SRIG raises that floor in the following areas.

Account activation: The SRIG requires identity verification before any wagering, not only at PCMLTFA threshold triggers. Player risk profiling: The SRIG mandates a documented programme to assess and monitor player risk profiles on an ongoing basis, going beyond the FINTRAC ongoing monitoring obligation in its systematic and proactive character. Third-party accountability: The SRIG holds registered operators explicitly responsible for the actions of third parties engaged in any aspect of gaming operations, reinforcing the operator’s PCMLTFA responsibility for KYC conducted by outsourced providers. Notification matrix: The SRIG requires suspicious activity to be reported to AGLC through the notification matrix, in addition to the STR obligation to FINTRAC. CAM audit: The SRIG requires a pre-launch independent audit of the operator’s internal controls, a requirement with no PCMLTFA equivalent. Background checks on key individuals: The SRIG requires operators to notify AGLC immediately if any officer, shareholder, director, or owner is charged with or convicted of offences under the Criminal Code, Excise Act, Food and Drug Act, or Income Tax Act, a continuing obligation that reinforces the integrity screening implicit in FINTRAC’s risk assessment framework.

Compliance teams should build their AML/KYC programmes with the SRIG requirements as the operational standard and treat FINTRAC obligations as the statutory baseline that must also be fully satisfied. Where the two frameworks address the same area, the higher standard governs the operator’s conduct. Qualified legal counsel with experience in both Canadian AML law and Alberta gaming regulation should be engaged to validate the programme design before market entry.

Key Resources

AGLC Standards and Requirements for Internet Gaming (SRIG), issued January 14, 2026, signed by the AGLC Board Chair. Available at aglc.ca.

Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), S.C. 2000, c. 17 and associated Regulations (SOR/2002-184). Available via laws-lois.justice.gc.ca.

FINTRAC Compliance Program Requirements Guidance. Available at fintrac-canafe.gc.ca. Covers written programme structure, risk assessment, training, and the two-year effectiveness review.

Personal Information Protection Act (PIPA) Alberta, S.A. 2003, c. P-6.5, consolidated to September 1, 2025. Published by Alberta King’s Printer.

AGCO Registrar’s Standards for Internet Gaming (Ontario). Standard 6.02 sets out PCMLTFA and FINTRAC obligations for Ontario operators and provides a useful reference comparator for Alberta-bound compliance teams. See also our Ontario iGaming compliance guide for a full mapping of the Ontario framework.