Casino AML Compliance Policies and Procedures: What FINTRAC Requires in Writing

Under paragraph 156(1)(a) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR, SOR/2002-184), every casino that is a reporting entity under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) must establish and maintain written policies and procedures that describe how it meets its AML and anti-terrorist financing obligations. FINTRAC’s Compliance Program guidance, at Section 3, translates that legislative requirement into an operational specification: what the document must say, who must approve it, how it must be kept current, and which subject-matter areas it must cover at minimum. Getting any of those four dimensions wrong creates a documentable deficiency that FINTRAC examiners will record and, where serious enough, convert into an administrative monetary penalty (AMP).

The September 2025 AMP of CAD 1.175 million issued to the Saskatchewan Indian Gaming Authority (SIGA), a First Nations casino operator in Saskatchewan, reinforced how seriously FINTRAC treats compliance program deficiencies in the casino sector, according to CBC and Canadian Gaming Business reporting from September 2025. A separate FINTRAC compliance examination of iGaming Ontario, covering the period September 2023 to February 2024, was still unresolved as of the iGaming Ontario Annual Report 2024, 2025, with the regulator having communicated preliminary findings in July 2025 and an AMP remaining a possible outcome. Both situations illustrate that written program gaps are a primary examination target, not a secondary concern.

What Counts as a “Compliance Policy and Procedure” Under FINTRAC’s Definition?

FINTRAC defines compliance policies and procedures as a written methodology outlining the obligations applicable to a reporting entity’s business under the PCMLTFA and its associated Regulations, and the corresponding processes and controls the entity puts in place to address those obligations. The definition appears across multiple FINTRAC guidance documents and is not sector-specific, the same definitional standard applies to financial entities, money services businesses, and casinos alike.

That definition has two operative parts. The first is the word “methodology”: the document must explain how the casino addresses each obligation, not merely acknowledge that the obligation exists. A policies-and-procedures document that lists AML requirements without describing the casino’s own processes for meeting them fails the methodology test. The second operative part is “processes and controls”: the document must describe the actual controls deployed, including who is responsible for each step, what triggers action, and what records are generated.

In practice, compliance teams should structure their written policies and procedures as a two-layer document. The policy layer states the casino’s commitments and risk appetite in relation to AML and terrorist financing. The procedures layer translates each commitment into a step-by-step operational process assigned to a named role or function. FINTRAC examiners assess both layers.

The Four Core Documentation Requirements

Section 3 of FINTRAC’s Compliance Program guidance sets out four requirements that apply to the form and maintenance of written policies and procedures, each of which flows directly from the PCMLTFR.

Written and accessible format

Policies and procedures must be written and in a form or format that is accessible to their intended audience. FINTRAC does not mandate a specific format, and the guidance does not require a single consolidated document. A casino may maintain its policies and procedures as a suite of separate documents, provided the suite is coherent and each component is accessible to the staff who need it. The accessibility requirement is not satisfied by storing policies in a system to which front-line staff have no practical access. If cashiers, cage supervisors, and AML analysts cannot readily retrieve and consult the relevant procedures, the accessibility condition is not met, regardless of what the document contains.

Kept up to date

Written policies and procedures must be kept current. The obligation to update is continuous, not periodic: any change in legislation, any change in internal processes, and any other change that would make the existing document inaccurate triggers an update obligation. FINTRAC’s guidance makes explicit that the two-year effectiveness review cycle, which is a separate requirement under paragraph 156(1)(f) of the PCMLTFR, does not substitute for real-time updates. A casino that discovers a process change in month three of a review cycle cannot defer the policy update until the next scheduled review. Equally, when the PCMLTFA or its regulations are amended, the written policies must reflect those amendments promptly. Compliance teams should maintain a standing update protocol that ties policy revision to a legislative monitoring function.

Senior officer approval

Where the reporting entity is a corporation or other entity, the written policies and procedures must be approved by a senior officer. FINTRAC does not define “senior officer” for this purpose in the same way the Canada Business Corporations Act does, but the intent is clear from context: the approver must hold sufficient authority within the organization to bind it to the documented methodology. In practice, this means at least a C-suite officer or a board-delegated officer. Approval must be documented, typically through a formal sign-off page with the approving officer’s name, title, and date of approval. A compliance program reviewed by the compliance officer alone, without an independent senior officer sign-off, does not satisfy this requirement for an entity. Casinos that operate as subsidiaries of larger gaming groups should confirm that the approving officer has authority over the subsidiary, not only the group.

Availability to authorized persons

Policies and procedures should be made available to all those authorized to act on behalf of the casino, including employees, agents, and any others who deal with clients, transactions, or other activities. FINTRAC uses the word “should” in its guidance language here, but the underlying rationale is clear: a written methodology that authorized personnel cannot access cannot govern their conduct. FINTRAC examiners routinely test whether front-line staff are aware of the relevant procedures and can locate them. A casino that cannot demonstrate staff access during an examination is exposed to findings of inadequate program implementation even where the written document itself is substantively complete.

What Must the Written Policies Cover? The Minimum Content Areas

FINTRAC’s Compliance Program guidance Section 3 identifies the minimum subject-matter areas that a casino’s written policies and procedures must address, applicable as relevant to casinos as reporting entities. These are not optional thematic suggestions, they are the baseline that FINTRAC examiners will check against during a compliance examination.

Minimum Content Area	What the Written Policies Must Address
Compliance program	Requirements for the appointed compliance officer, the risk assessment, the ongoing training program and plan, and the two-year effectiveness review and plan (including review of policies, risk assessment, and training program)
Know your client (KYC)	Processes for verifying client identity, handling of politically exposed persons (PEPs) and heads of international organizations (HIOs), their family members and close associates, and ongoing monitoring requirements
Business relationships	Procedures governing the establishment and maintenance of business relationships, including the ongoing monitoring obligations attached to those relationships
Beneficial ownership	Procedures for obtaining, confirming, and recording beneficial ownership information for entities
Third party determination	Processes for determining whether a client is acting on behalf of a third party and for recording third-party information
Reporting to FINTRAC	Process and criteria for identifying, assessing, and submitting Suspicious Transaction Reports (STRs), Large Cash Transaction Reports (LCTRs), casino disbursement reports, and large virtual currency transaction reports
Record keeping	Procedures for creating and retaining all records required under the PCMLTFR, including the retention periods prescribed by the relevant Regulations
Enhanced measures	Procedures for applying enhanced due diligence to high-risk clients and transactions, including the measures triggered when a client is determined to be a foreign PEP or to pose a high risk of money laundering or terrorist financing

For casinos specifically, the reporting obligations column requires particular attention. Casinos are subject to reporting requirements that do not apply to most other reporting entity sectors: the casino disbursement report, which must be submitted to FINTRAC when a casino disburses CAD 10,000 or more in cash or chips during a gaming session. The written policies must describe the casino’s process for identifying disbursements that meet the threshold, aggregating disbursements within the prescribed period, and submitting the report within the required timeframe. Policies that address LCTRs and STRs but omit the disbursement reporting procedure are incomplete.

The STR process section of the written policies must go beyond a statement that the casino will report suspicious transactions. FINTRAC guidance makes clear that the policies must outline the casino’s process and criteria for how it identifies and assesses suspicious transactions, and what happens when an automated or triggering system is in place to detect suspicious activity. Casinos with transaction monitoring systems must document the logic governing those systems and the escalation process that follows a system alert.

How Does the KYC Section of Written Policies Work for Casinos?

Casinos face KYC obligations that are structured differently from account-based financial institutions. Unlike banks, casinos verify client identity at the transaction level for specific activities rather than at account opening in all cases. The written policies must describe the processes the casino follows to verify identity for each triggering event: receipt of cash or chips of CAD 10,000 or more, casino disbursements meeting the threshold, and any other transaction that triggers an identity verification obligation under the relevant Regulations.

Where a casino uses the affiliate or member method to rely on another reporting entity’s prior identity verification, the written policies must describe the processes followed, including how the casino confirms the prior verification meets the required standard, what information is recorded, and how the casino accesses the records of the relying entity on request. FINTRAC examiners will test this description against the actual process in place.

The PEP and HIO provisions require dedicated procedures in the written policies. Foreign PEPs must be treated as high-risk. The written policies must state that obligation, describe the measures the casino applies when it determines a client is a foreign PEP or a close associate of one, and document how ongoing monitoring is calibrated for high-risk clients. Where the casino’s risk assessment concludes that domestic PEPs or HIOs pose a high risk, the same enhanced measures apply, and the written policies must reflect that conclusion.

Compliance policies and procedures are a written methodology outlining the obligations applicable to your business under the PCMLTFA and its associated Regulations and the corresponding processes and controls you put in place to address your obligations.

The Two-Year Effectiveness Review and Its Relationship to Written Policies

Paragraph 156(1)(f) of the PCMLTFR requires reporting entities to conduct a two-year effectiveness review of their compliance program. For written policies and procedures, the review has specific documentation requirements that are separate from, but linked to, the initial drafting obligations.

The two-year review must assess whether the written policies and procedures are being followed in practice. FINTRAC’s guidance describes the scope of this assessment: it includes testing whether client identification policies are being followed (through record sampling), whether STRs and LCTRs are being submitted correctly and on time, whether ongoing monitoring is being conducted at a frequency appropriate to client risk levels, and whether agents or mandataries are following the casino’s policies when they perform compliance activities on the casino’s behalf.

The review must be conducted by an internal or external auditor who is sufficiently independent from the compliance function being reviewed. The findings of the review must be documented, and the documentation must record the deficiencies identified, the action plans developed to address them, any updates made to the policies and procedures during the review period that were not triggered by the review itself, and the implementation status of updates made as a result of prior reviews. This documentation is what FINTRAC examiners will review to assess whether the two-year review obligation has been met. A review that occurred but was not documented to this level of specificity provides limited protection in an examination.

Subsections 156(3) and 156(4) of the PCMLTFR set out the specific content that the two-year effectiveness review report must contain. Compliance teams should treat these subsections as a checklist when preparing the review output document, not as general guidance to be interpreted loosely. FINTRAC’s examination methodology tests the review documentation against those subsection requirements directly.

What FINTRAC Looks for During an Examination of Written Policies

FINTRAC compliance examinations of casinos assess the written policies and procedures both on their face and against operational reality. A document that is substantively complete but not reflected in staff practice will generate findings in both the documentation and the implementation dimensions.

Examination teams assess whether all eight minimum content areas are addressed, whether the document is current relative to the current state of the legislation and the casino’s processes, whether senior officer approval is documented with a dated signature, whether the most recent version is accessible to the staff who need it, and whether the processes described in the document match the processes actually followed, as tested through transaction sampling, staff interviews, and record review.

The iGaming Ontario FINTRAC examination covering the September 2023 to February 2024 period demonstrates that even sophisticated, provincially regulated operators face scrutiny at this level. FINTRAC communicated preliminary findings to iGaming Ontario in July 2025, and an AMP remained a live possibility as of the iGaming Ontario Annual Report 2024, 2025. Ontario-registered operators should note that their FINTRAC obligations as reporting entities exist independently of their obligations to the AGCO under the Registrar’s Standards for Internet Gaming. AGCO Standard 6.02 requires operators to implement and enforce AML policies and procedures that support PCMLTFA obligations and to ensure that internal controls align with those of the designated reporting entity under the PCMLTFA. That alignment obligation means an Ontario operator’s written policies must satisfy both frameworks simultaneously.

Alberta-registered operators should expect equivalent scrutiny. The Alberta Gaming, Liquor and Cannabis Commission’s Standards and Requirements for Internet Gaming, applicable from the 13 July 2026 market opening, adopt comparable AML program requirements. Compliance teams preparing for Alberta’s regulated iGaming market should build their FINTRAC written policies in parallel with their AGLC program documentation, treating the two as a single integrated compliance architecture rather than separate exercises.

Practical Observations on Drafting Casino AML Written Policies

The currency obligation is the most operationally demanding of the four core requirements. Legislation changes, enforcement guidance evolves, FINTRAC publishes policy interpretation notices, and internal casino processes shift. Each of those events is a potential trigger for a policy update. Compliance teams should maintain a monitoring protocol that tracks FINTRAC guidance updates, PCMLTFR amendments, and any changes to the casino’s own processes, with a standing obligation for the compliance officer to assess whether a policy update is required within a defined period after each change is identified.

Senior officer approval must be re-obtained each time the written policies are materially updated. A policy document that was approved by the Chief Financial Officer in 2022 but has since been revised three times without re-approval fails the approval requirement for the current version. The approval page should carry the version number, the date of approval, and the approving officer’s name and title, creating an audit trail across revisions.

For the accessibility requirement, the practical standard is whether a front-line employee, facing a specific transaction type, can locate and apply the relevant procedure within a reasonable time. Policies buried in a shared drive under an ambiguous file name do not meet this standard in practice. Casinos that use compliance management systems or intranet portals for policy distribution are better positioned to demonstrate accessibility during an examination, provided those systems are actually used and staff can retrieve the current version.

Where the reporting entity is an entity, the written policies and procedures must be approved by a senior officer. Informal adoption or compliance-officer-only sign-off does not satisfy this requirement.

For the content areas, casinos should not limit their written policies to the eight minimum areas identified in FINTRAC’s guidance. Casino-specific risks, including the use of virtual currency, chip purchases and redemptions, junket arrangements, and large foreign-currency transactions, should each be addressed with procedures proportionate to the risk they present. FINTRAC’s guidance on suspicious transaction reporting recommends that the process for reporting in time-sensitive situations, such as suspected terrorist financing, be documented in the compliance policies and procedures specifically. That recommendation should be treated as a practical requirement for casinos operating at scale.

The GLI-19 standard for interactive gaming systems, applicable in multiple Canadian jurisdictions, independently requires operators to develop and implement AML procedures and policies that adequately address the risks posed by interactive gaming for money laundering and terrorist financing, including a system of internal controls, employee training, and the assignment of responsible individuals for AML reporting. For online casino operators, the written policies must reflect both the FINTRAC requirements and the technical standards applicable in each licensed jurisdiction.

Operators who require jurisdiction-specific legal advice on the application of PCMLTFA obligations to their specific business structure, corporate group arrangements, or agent relationships should engage qualified Canadian legal counsel. FINTRAC’s own policy interpretations database is a useful reference for fact-specific questions, but interpretations are non-binding and do not substitute for legal advice in contested examinations.

Key Resources

FINTRAC, Compliance Program Requirements Guidance, Section 3, Compliance Policies and Procedures Requirements: fintrac-canafe.gc.ca

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations, SOR/2002-184, paragraph 156(1)(a), subsections 156(3) and 156(4): laws-lois.justice.gc.ca

Proceeds of Crime (Money Laundering) and Terrorist Financing Act, S.C. 2000, c. 17: laws-lois.justice.gc.ca

FINTRAC, Casino Sector Guidance (identity verification, reporting, record keeping): fintrac-canafe.gc.ca

To ensure your casino’s compliance program meets all FINTRAC requirements and withstands examination, review the FINTRAC Compliance Program Requirements Guidance Section 3 directly and consider engaging a qualified AML compliance consultant to audit your written policies and procedures against the four core documentation requirements and eight minimum content areas outlined in this article.