Skip to content
2,151 standards indexed across 19 jurisdictions View the Atlas
3 hubs live · 3 more in the pipeline See all compliance topics
Daily news + multi-week series Browse all insights
3 tools live · 4 interactive tools in development Roadmap
AGLC · Ongoing Compliance 18 min read Jun 6, 2026

Alberta iGaming Ongoing Compliance: Reporting, Audits, and What AGLC Expects After Launch

Post-launch compliance for Alberta iGaming operators: AGLC reporting obligations, audit requirements, enforcement mechanics, and multi-jurisdiction management. Built for live operators.

Matt Denney

By

Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published Jun 6, 2026 Updated Jun 11, 2026 18 min read Filed Jurisdiction Profiles

Registration and go-live certification mark the beginning of AGLC’s scrutiny, not the end. Once an operator is live in Alberta’s regulated iGaming market, a distinct and demanding set of ongoing obligations takes effect: periodic regulatory reporting, independent audit requirements, event-driven notifications, material change disclosures, and the ever-present possibility of a directed audit or enforcement referral to the AGLC Board. This guide covers the full post-launch compliance lifecycle for operators and goods or services suppliers (GSSs) registered under Alberta’s Standards and Requirements for Internet Gaming (SRIG), issued January 14, 2026, and updated March 17, 2026.

Source: AGLC, Standards and Requirements for Internet Gaming (SRIG), Sections 2, 4, and 5, issued January 14, 2026 (authority: AGLC Board Chair); AGLC Internet Gaming Go-Live Compliance Guide, January 2026, AGLC Internet Gaming Notification Matrix.

The Two-Track Reporting Structure: AGLC and AiGC

Alberta’s dual-authority model creates two parallel reporting obligations that must not be conflated. The Alberta Gaming, Liquor and Cannabis Commission (AGLC) serves as the regulator responsible for registrations, standards enforcement, and most operational and incident reporting. Alberta’s iGaming Corporation (AiGC), a Crown agency, manages commercial agreements and is the designated recipient for anti-money laundering reporting and financial and income reporting.

The AGLC Go-Live Compliance Guide is explicit about which channel receives which submission. Most incident-based notifications and regulatory submissions go to AGLC’s iGaming Compliance Branch at iGamingCompliance@aglc.ca. AML reporting and financial reporting flow directly to AiGC. Changes to ownership, financial interest, or key employees must be directed to AGLC’s Due Diligence Unit at DueDiligence@aglc.ca. Routing a submission to the wrong entity does not discharge the obligation, and operators must ensure their internal compliance calendar maps each reporting type to the correct recipient.

“AiGC is responsible for the commercial agreement with operators, anti-money laundering (AML), public complaints, and financial and income reporting.”

A monthly reporting portal managed by AGLC is in development, with account access to be configured for registrants prior to submission deadlines. Until that portal is confirmed operational, operators should contact iGamingCompliance@aglc.ca to initiate their reporting setup and confirm current submission mechanics before the first reporting cycle falls due.

What Must Be Reported and How Often

The AGLC Internet Gaming Notification Matrix is the authoritative reference for all post-launch reporting obligations. It distinguishes between two classes of submission: incident-based notifications and periodic regulatory submissions. Operators must understand both classes because they carry different triggers, timelines, and routing rules.

Periodic Regulatory Submissions

Monthly reporting is the baseline cadence for regulatory submissions under the SRIG framework. The Notification Matrix specifies what must be reported, in what format, and at what frequency. Financial and income reporting under the AiGC commercial agreement is a separate obligation governed by that agreement’s terms, and operators should treat AiGC reporting requirements as additive to, not substitutive of, AGLC Notification Matrix submissions. The Go-Live Compliance Guide confirms that a dedicated portal for monthly submissions is being built, with a link to be distributed to registrants before deadlines become active. Operators should not wait for the portal to launch before establishing internal workflows for data extraction, verification, and sign-off on monthly submissions.

Event-Driven Incident Notifications

Certain events trigger immediate or near-immediate notification obligations under the SRIG and the Notification Matrix. The SRIG states that it is a condition of registration to immediately report illegal or suspected illegal activities to AGLC. The specific requirements include the following.

Suspicious behaviour, fraud, cheating at play, and unlawful activities, whether attempted or completed, must be reported in accordance with the Notification Matrix. Operators must report any and all suspicious activity to AGLC’s Customer Care Centre (1-800-561-4415) immediately upon detection. Contacting AGLC or police must occur before any internal investigation that may involve criminal activity. Any materials that could serve as evidence must be secured immediately and kept secure until handed over to an AGLC Inspector or police officer.

For prohibited persons and self-excluded players, discrepancy reports must be submitted to AGLC within 72 hours of any prohibited person attempting to enter or remain on an iGaming site. This 72-hour window is a hard deadline, not a best-practice target.

Any of the operator’s registered officers, directors, shareholders, or owners who are charged with or convicted of an offence under the Criminal Code (Canada), the Excise Act (Canada), the Food and Drug Act (Canada), or the Income Tax Act must be reported to AGLC immediately. This notification obligation applies regardless of whether the charge relates to gaming activity.

72-Hour Rule: Discrepancy reports for prohibited persons who attempt to access an iGaming site must reach AGLC within 72 hours of the attempt. This deadline is set by AGLC SRIG Section 5.7.4 and is not subject to operator discretion on timing.

Sports and event betting operators carry an additional layer of event-driven reporting. The SRIG requires operators to identify unusual or suspicious betting activity and report it to an Independent Integrity Monitor. If that monitor determines the activity rises to the level of suspicious, immediate notification must go to all relevant parties, including governing sport authorities and any entity with an information-sharing relationship with the monitor. This chain-of-notification obligation means operators cannot treat sports integrity reporting as a purely internal matter.

Audit Requirements: Internal Controls, CAM, and Independent Oversight

What does the AGLC audit requirement actually mean in practice?

The SRIG requires registered operators and GSSs that run critical gaming systems to develop and maintain a Control Activity Matrix (CAM). The CAM summarises all controls related to the iGaming site and identifies where third-party suppliers are involved. It must be independently audited to confirm that controls are designed to ensure compliance with the SRIG. That independent audit must be conducted either by an internal audit function that was not involved in developing the CAM, or by a designated external auditor. The audit results, confirming compliance, must be submitted with the CAM. The CAM is not a one-time registration artefact: it is a live regulatory document subject to ongoing review by AGLC.

The SRIG also requires that a process be in place to periodically review internal controls and processes for effectiveness and to document, remedy, and adjust controls where deficiencies or gaps are identified. Substantial changes to the operator’s control environment must be communicated to AGLC in a timely manner. Internal controls documentation must be available to AGLC for regulatory purposes at all times.

AGLC-Directed Audits: The Regulator’s Escalation Tool

The most consequential audit provision in the SRIG is the directed-audit power. When AGLC considers it necessary for regulatory assurance purposes, it may direct a registered operator or GSS to retain an independent auditor and produce audit reports. Although the operator retains the auditor in these circumstances, the auditor reports directly to AGLC, not to the operator. This structural feature means operators cannot manage the output of a directed audit through normal client-auditor engagement channels. The SRIG is explicit on this point: the intent is to allow AGLC to commission third-party assurance where it has regulatory concerns, with the auditor accountable to the regulator rather than to the registrant.

“When directed, registered Operators and registered Goods or Services Suppliers must retain an independent auditor to carry out audits and provide audit reports. Although the auditor would be retained by the registered Operator or registered Goods or Services Supplier in these circumstances, it would report directly to AGLC.”

The best defence against a directed audit is a robust ongoing internal audit programme that AGLC can inspect on request. The SRIG requires that internal and external auditors be granted access to all relevant systems, documentation, and resources for the purpose of conducting an audit. The compliance oversight function and internal audit function must have direct and unrestricted access to the board or governance structure and must report on all important issues on a regular basis or as necessary.

Governance Structures Supporting Audit

The board or governance structure must establish committees to oversee the compliance and audit oversight functions, with appropriate terms of reference covering composition and accountabilities. Board members and committee members must understand the business’s operations and have the skills, training, experience, and independence to carry out their fiduciary responsibilities. The SRIG also mandates an independent whistleblowing process that allows employees to anonymously report deficiencies or gaps in the control environment, as well as incidents of possible non-compliance. Issues raised through this process must be addressed and communicated to the board in a timely manner.

Cybersecurity Obligations: The Post-Launch Upgrade Deadline

Requirement Timing Standard
SOC 2 Type 1 attestation Required at market launch All iGaming sites on operator’s registration
SOC 2 Type 2 or ISO 27001 (or AGLC-approved equivalent) Within 2 years of market launch Operator level, not currently required from third-party GSSs
Penetration testing Annually and after any material change APIs, authentication flows, ingress/egress controls
Access privilege reviews Quarterly Least privilege and separation of duties confirmed
Vulnerability remediation (Critical 9.0, 10.0) Within 48 hours of identification CVSS v3.1 framework
Vulnerability remediation (High 7.0, 8.9) Within 7 days CVSS v3.1 framework
Vulnerability remediation (Medium 4.0, 6.9) Within 30 days CVSS v3.1 framework
Attestations and supporting evidence for access reviews Retained at least 2 years SRIG Section 5

The SOC 2 upgrade from Type 1 to Type 2 (or ISO 27001) is an absolute deadline, not a target. With the Alberta market launching on July 13, 2026, operators must have their enhanced attestation in place by no later than July 2028. AGLC has stated this requirement applies at the operator level and is not currently required from third-party goods or services suppliers or subservices, but AGLC reserves the right to change that position, and operators carrying vendor-level SOC reports should confirm scope coverage against the live Alberta operating environment.

Material Change Notifications: Ownership, Technology, and Key Personnel

The SRIG treats material changes as mandatory notification events, not matters for operator discretion. Substantial changes to the operator’s control environment must be communicated to AGLC in a timely manner. Changes to ownership, financial interest, or key employees must be routed to AGLC’s Due Diligence Unit. The Due Diligence Unit is separate from the iGaming Compliance Branch, and submissions sent to the wrong address will not be treated as received.

On the technology side, the SRIG requires that GSSs make known any material threat or risk to the security or integrity of the gaming systems they supply. For operators, the penetration testing requirement that triggers after any material change effectively converts system architecture changes into mandatory security-review events. A platform migration, a new payment gateway integration, or a change to the random number generator stack all qualify as material changes that reset the penetration testing clock. Operators must build this trigger into their technology change management procedures from the outset, not as an afterthought when the change is already in production.

For sports and event betting systems, any modification or subsequent discovery of an undetected issue that impacts critical gaming system integrity, fairness, or security requires recertification by an Accredited Testing Facility (ATF). ATFs must be registered with AGLC, and certifications must not contain any limitation on AGLC’s use of the certification.

Records Retention: The Minimum Standard

The SRIG sets a minimum records retention period of three years for information, including logs, related to compliance with the law, the Standards and Requirements, and control activities, unless a longer period is specified elsewhere in the SRIG. Access privilege attestations and supporting evidence must be retained for at least two years. Operators managing data retention programmes across multiple jurisdictions should note that Alberta’s three-year minimum may be shorter than retention obligations under other frameworks: FINTRAC, for instance, requires five years for most AML-related records. Where two retention obligations apply to the same record, the longer period governs. Operators should consult qualified legal counsel when designing a multi-jurisdiction records retention policy.

How AGLC Enforcement Works in Practice

What triggers an AGLC investigation?

Under the SRIG and the Gaming, Liquor and Cannabis Act, an AGLC Inspector may initiate an investigation where there are reasonable and probable grounds to believe a violation has occurred. The Inspector prepares an Incident Report, which must be dated when the investigation is finalised. A copy of the Incident Report must be given to the registrant within 10 working days of completion. The Vice President, Regulatory Services Division, reviews the Report and may refer it to the Board where circumstances warrant. The Board then decides whether to hold a hearing under AGLC’s Board Hearing Panel Rules and Procedures.

Sanctions available to the Board include warnings, the requirement to cease activities related to the violation, conditions on the registration, suspension of the registration, and cancellation of the registration. The SRIG makes clear that the list of available sanctions is not exhaustive.

Operators must cooperate fully with AGLC inspectors and police officers. This means providing access to systems and system information, records, documents, books of account, and receipts, making staff available for interview, and conducting such tests as are reasonably necessary for the inspection. Registered operators must also ensure police and AGLC inspectors are able to monitor and participate in games, a right of access that is continuous, not limited to formal investigation periods.

What Ontario’s enforcement record signals for Alberta

Alberta’s AGLC has not yet built a public enforcement register comparable to the AGCO’s, but the Ontario record from the market’s first three years provides a reliable forward indicator of where scrutiny is likely to land. According to AGCO enforcement records, the regulator fined FanDuel Canada CAD $350,000 for failing to identify and report suspicious betting activity in Czech table tennis matches, a direct parallel to the Alberta SRIG’s requirement for operators to detect and report unusual or suspicious betting activity to an Independent Integrity Monitor. The AGCO fined theScore CAD $105,000 for responsible gambling monitoring failures involving a player who wagered $2.5 million over eight months without adequate operator intervention. Relax Gaming and Arrise Solutions each received CAD $40,000 penalties for supplying games to unregulated sites accessible to Ontario residents.

The pattern across these Ontario enforcement actions is consistent: the violations that attract the largest penalties involve failures in system-level controls, with monitoring tools not triggering, intervention protocols not executing, and supply-chain compliance not policed. That pattern maps directly onto the AGLC SRIG’s emphasis on Control Activity Matrices, independent oversight functions, and the requirement that controls be system-enforced, not merely documented in policy.

Enforcement signal: Ontario’s AGCO has demonstrated that RG monitoring failures and sports integrity reporting gaps attract penalties of CAD $100,000, $350,000. Alberta operators should ensure their automated monitoring systems, not just their written policies, are functioning and logged before day one of live operations.

For a detailed review of how Ontario’s enforcement programme has evolved, including how the AGCO structures investigations and publicises decisions, see Ontario iGaming at Year Three: AGCO Compliance Lessons for New Entrants.

Responsible Gambling Controls as Ongoing Compliance Obligations

Responsible gambling obligations do not end at go-live. The SRIG requires system-enforced controls that must remain operational throughout the life of the registration. Players must receive periodic reminders to review their ability to set limits and to review their account activity. Where a player requests to relax or eliminate a previously established limit, the change must only be implemented after a cooling-off period of at least 24 hours, a requirement that must be enforced at the system level, not left to customer service discretion.

The centralised self-exclusion programme managed by AGLC requires an active API connection from each registered operator. As AGLC updates the centralised list of banned and self-excluded individuals, all registered player information must be checked against the updated list. This is not a batch process run at registration: it is a continuous integration obligation. Discrepancy reports when prohibited persons attempt access must reach AGLC within 72 hours, as noted above.

Risk profiling and intervention records, including manual adjustments to player risk scores, must be maintained to demonstrate compliance with the SRIG’s responsible gambling standards. These records are subject to inspection by AGLC and must be available to auditors on request. For a cross-jurisdictional view of how self-exclusion, deposit limits, and player intervention obligations compare across regulated markets, the Responsible Gambling Compliance hub covers all 17 jurisdictions profiled on this site.

AML Ongoing Obligations Under FINTRAC and PCMLTFA

AML reporting in Alberta runs on two tracks. Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and FINTRAC guidelines, operators that qualify as designated reporting entities must file Suspicious Transaction Reports (STRs) and other prescribed reports directly with FINTRAC. This obligation exists independently of any AGLC or AiGC reporting requirement. The SRIG requires that AML internal controls align with those of the designated reporting entity under the PCMLTFA, meaning the operator’s FINTRAC compliance programme sets the floor for the AGLC-facing AML obligation.

AiGC serves as the point of contact for AML and financial reporting questions that relate to the commercial agreement and income reporting framework. The Go-Live Compliance Guide directs AML process inquiries to AiGC rather than AGLC’s iGaming Compliance Branch. Operators should map their AML team’s escalation paths to reflect this split: FINTRAC for statutory suspicious transaction and large cash transaction reporting, AiGC for commercial-agreement financial reporting, and AGLC for incident notifications involving suspected criminal activity under the Notification Matrix. For a deeper treatment of AML programme design, transaction monitoring, and source-of-funds obligations across regulated iGaming markets, see the AML and Financial Compliance hub.

The SRIG additionally requires operators to have mechanisms in place to lawfully share information related to high-risk, suspicious, or criminal activities with other operators that may be subject to similar activity. This cross-operator information sharing obligation is distinct from FINTRAC reporting and requires operators to have legal agreements and technical mechanisms in place to facilitate it.

Multi-Jurisdiction Operators: Managing Alberta Alongside Other Licences

Operators holding registrations in both Alberta and Ontario face two sets of reporting obligations that share broad architecture but differ in detail. The Notification Matrix structure in Alberta is framed as a standards-based judgment tool linked to the SRIG, while Ontario’s equivalent is a more granular versioned control artefact. Operators cannot simply port their Ontario compliance calendar to Alberta: each matrix must be mapped independently to ensure the correct triggers, timelines, and recipients are captured for each province.

For operators also holding licences with the UK Gambling Commission, the Malta Gaming Authority, or other regulators, Alberta’s obligations add a material layer to existing compliance programmes rather than replacing them. The SRIG’s three-year records retention minimum may fall short of FINTRAC’s five-year AML retention requirement. The SRIG’s penetration testing cadence (annual plus post-material-change) aligns broadly with good practice under ISO 27001, but the specific CVSS-based vulnerability remediation timelines (48 hours for Critical, 7 days for High, 30 days for Medium) are more prescriptive than many European regulators apply. Compliance teams managing a multi-jurisdiction programme should identify these points of divergence explicitly and ensure the more demanding standard governs where obligations overlap.

The structural comparison between Ontario and Alberta across registration fees, regulatory standards counts, self-exclusion architecture, and cybersecurity timelines is covered in detail in our AGCO vs AGLC: Key Differences in Ontario and Alberta Internet Gaming Regulation article.

Registration Renewal and Ongoing Registration Obligations

Registered operators must maintain a valid registration for the duration of their commercial agreement with AiGC, including any renewal periods. The AGLC iGaming Compliance Branch is the point of contact for registration renewals, using the iGamingCompliance@aglc.ca address. The annual registration fee of CAD $150,000 applies per iGaming site, and operators running multiple distinct sites must budget accordingly. AGLC retains discretion to impose additional standards and requirements on any registrant where it considers this necessary to maintain or enhance the integrity and public confidence in gaming.

The registration renewal process sits within the same dual-track structure as the initial application. Operators must satisfy AGLC standards on an ongoing basis and maintain their commercial agreement with AiGC in good standing simultaneously. A breach of the SRIG that results in AGLC enforcement action will also have consequences under the AiGC commercial agreement, and operators should treat the two compliance obligations as integrated, not independent, for renewal planning purposes.

For operators who completed the pre-launch registration process and are now managing a live Alberta operation, the full pre-launch compliance roadmap covered in Alberta iGaming Market Opening: What Registered Operators Must Know About the AGLC SRIG Framework remains the foundational reference for the compliance architecture within which all ongoing obligations operate.

Building a Compliance Monitoring Programme That Satisfies AGLC

The SRIG’s internal controls requirements set out a minimum architecture for the compliance monitoring programme that AGLC expects to see in place at all times. A process must exist to periodically review internal controls and processes for effectiveness. Controls must be documented and available to AGLC. Substantial changes must be communicated. The compliance oversight function must have direct and unrestricted access to the board. A whistleblowing mechanism must exist. These are not aspirational standards: they are conditions of registration.

Operators should structure their compliance monitoring programme around five functional pillars: a live Control Activity Matrix that is reviewed and updated when controls change, a quarterly access privilege review cycle with signed attestations retained for two years, an annual penetration testing programme coordinated with the technology team and scheduled to land before the anniversary of go-live, an incident notification workflow that maps every Notification Matrix trigger to a named internal owner with an escalation path to AGLC, and a board-level compliance committee with terms of reference that explicitly address the SRIG’s governance requirements.

The Notification Matrix deserves particular operational attention. Alberta’s matrix is designed as a standards-based judgment tool, meaning the trigger for notification is not always a bright-line threshold but a standards-grounded assessment of whether a reportable event has occurred. Compliance teams need documented internal procedures for making that judgment call, ideally with a named decision authority and a log of decisions taken, so that AGLC can review the reasoning if a notification is ever challenged as untimely or absent.

Key Resources

AGLC Standards and Requirements for Internet Gaming (SRIG), issued January 14, 2026, updated March 17, 2026, available at aglc.ca/igaming. This is the primary operational rulebook for all registered operators and GSSs.

AGLC Internet Gaming Go-Live Compliance Guide, January 2026, outlines go-live requirements and sets the framework for ongoing compliance reporting. Available at aglc.ca/igaming. AGLC has confirmed that future updates to this guide will include detailed ongoing post-launch compliance requirements and key processes.

AGLC Internet Gaming Notification Matrix, the authoritative reference for all incident-based and periodic regulatory submission obligations, including timelines and routing channels. Available at aglc.ca/igaming.

iGaming Alberta Act and Gaming, Liquor and Cannabis Act (Alberta), the two statutes underpinning registration authority and operator obligations in the province.

Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and FINTRAC guidelines, governing federal AML reporting obligations that apply to operators qualifying as designated reporting entities.

Matt Denney

Matt Denney

Editorial · gamingcompliance.io

Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.

Related coverage · also tagged Jurisdiction Profiles

Browse all →

Jurisdiction Profiles

Isle of Man GSC Licence Types: Full Breakdown for Operators Entering the Market

Jul 6 · 14 min read

Jurisdiction Profiles

Peru’s MINCETUR Online Gambling Framework: Licensing, Tax, and 2026 Realities

Jun 3 · 15 min read

Jurisdiction Profiles

ROFUS Explained: How Denmark’s National Self-Exclusion Register Sets the Technical Standard

Jun 1 · 14 min read

The Tuesday brief, every week.

One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.

Unsubscribe with one click. We'll never share your address.