Skip to content
2,151 standards indexed across 19 jurisdictions View the Atlas
3 hubs live · 3 more in the pipeline See all compliance topics
Daily news + multi-week series Browse all insights
3 tools live · 4 interactive tools in development Roadmap
AGLC · Incident Reporting 16 min read Jun 25, 2026

AGLC Incident Reporting and Breach Notification: A Compliance Guide for Alberta iGaming Registrants

Alberta iGaming registrants face a three-channel notification regime from day one. This guide maps every reportable incident category, timeline, and parallel PIPA and FINTRAC obligation.

Matt Denney

By

Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published Jun 25, 2026 16 min read Filed AML & KYC

Alberta’s regulated iGaming market opens on July 13, 2026, and from that date every registrant faces a live obligation under the AGLC Internet Gaming Notification Matrix. That document, referenced throughout the AGLC Go-Live Compliance Guide (last updated January 2026), divides reporting duties into two streams: incident-based notifications and regulatory submissions. Getting the stream wrong, using the wrong channel, or, most critically, conducting an internal investigation before notifying AGLC of suspected criminal activity, constitutes a condition-of-registration breach under the Standards and Requirements for Internet Gaming (SRIG). This guide maps every category of reportable event, the correct notification channel, the applicable timeline, and the parallel obligations that arise under Alberta’s Personal Information Protection Act (PIPA) and the federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

The Regulatory Architecture Behind the Reporting Obligation

Notification obligations in Alberta iGaming do not flow to a single recipient. The AGLC Go-Live Compliance Guide identifies three separate channels, each with a distinct scope.

iGamingCompliance@aglc.ca is the primary address for most incident-based notifications and regulatory submissions, including registration and renewal matters.

AiGC (Alberta’s iGaming Corporation) receives all AML-related and financial reporting. The AGLC FAQ explicitly directs AML and FINTRAC process inquiries to AiGC, and the Go-Live Compliance Guide assigns AML and income reporting to AiGC, not AGLC directly. Operators who route suspicious transaction reports through the AGLC compliance inbox rather than AiGC are sending them to the wrong recipient.

DueDiligence@aglc.ca handles changes to ownership, financial interest holders, and key employees. These are not ordinary incident reports, they are structural disclosure obligations with their own timelines.

Key requirement: Registrants must understand requirements in the Internet Gaming Notification Matrix before going live. The Matrix governs both which events must be reported and the specific channel and timeline that applies to each. Reviewing the Matrix at setup, not post-incident, is the compliance baseline.

The SRIG itself is the foundation of these obligations. The version signed January 14, 2026 (with Section 4.6 updated March 17, 2026) sets the substantive requirements. The Go-Live Compliance Guide operationalises them into a submission framework. Both documents must be read together.

What Constitutes a Reportable Material Incident?

The SRIG groups reportable events across several sections. The broadest category sits in Section 5 (Information Technology and Security Requirements), but integrity events under Section 4 and AML events under the general operator obligations each generate their own distinct notification duties.

Suspected Criminal Activity, Fraud, and Cheating

The SRIG is explicit: it is a condition of registration to immediately report illegal or suspected illegal activities to AGLC. The verbatim obligation covers suspicious activity, evidence of cheating at play, theft, and other suspected criminal offences. The reporting channel is AGLC’s Customer Care Centre by telephone at 1-800-561-4415, not email. Email is the default channel for many reports, but criminal-activity reports require the live voice channel.

“It is a condition of registration to immediately report illegal or suspected illegal activities to AGLC. Registered Operators or Goods or Services Suppliers must facilitate the participation of all staff they employ to assist with any AGLC or police investigation.”

The sequencing rule that follows this obligation is operationally critical: registrants must contact AGLC or police before conducting any internal investigation that may involve criminal activity. This is not a drafting preference, it is a registration condition. Compliance teams that have internal investigation protocols routed to legal counsel before external notification should review those protocols against this requirement. Additionally, registrants must immediately secure any materials that could serve as evidence and keep them secure until handed over to an AGLC Inspector or police officer.

Source: AGLC, Standards and Requirements for Internet Gaming (SRIG), Section 5: Information Technology and Security Requirements, Reporting and Notification, issued January 14, 2026, authority: Board Chair.

IT and System Incidents

Section 5 of the SRIG requires registrants to establish and document IT operations and incident management procedures. Those procedures must include proactive monitoring and immediate action to correct incidents of non-compliance with the SRIG standards. Event and security logs must be retained for at least one year online and seven years in archive, or as otherwise required by regulation. These retention requirements directly affect post-incident evidence availability and must be built into the registrant’s incident response architecture before go-live.

System outages that affect the delivery of a lottery scheme, create material data integrity risks, or produce non-compliance with the SRIG technical standards are reportable events under the Notification Matrix. The specific timeline and channel for system outages are set out in the Matrix document, which registrants must obtain from AGLC through the compliance application package process initiated by contacting iGamingCompliance@aglc.ca.

Player Data Breaches

The SRIG requires that data collection and protection for player personal information meet the requirements of pertinent Alberta privacy legislation. Player personal information may only be used for the lottery schemes conducted and managed by AGLC or AiGC. A breach of player data therefore triggers obligations under two separate regimes simultaneously: the SRIG Notification Matrix and PIPA Alberta.

The SRIG establishes the regulatory notification duty to AGLC. PIPA establishes the parallel duty to the Office of the Information and Privacy Commissioner (OIPC) of Alberta and, where warranted, to affected individuals. These are concurrent obligations that must be managed in parallel, not sequentially.

Sports and Event Betting Integrity Events

Section 4.6 of the SRIG (updated March 17, 2026) creates a dedicated integrity-reporting chain for sport and event betting operators. Registered operators must establish controls to identify unusual or suspicious betting activity and report such activity to an Independent Integrity Monitor. The International Betting Integrity Association (IBIA) has been licensed by AGLC as Alberta’s Independent Integrity Monitor and uses its Global Monitoring and Alert Platform to detect and assess irregularities across the market.

The escalation sequence under the SRIG works as follows. An operator that identifies unusual betting activity reports it to the Independent Integrity Monitor (IBIA). The IIM promptly disseminates the report to all member sport and event betting operators. Each operator must then review the report and notify the IIM whether they have experienced similar activity. If the IIM determines that the unusual activity rises to the level of suspicious activity, it must immediately notify all entities with which it has an information-sharing relationship, including sport betting suppliers, the appropriate governing authority for the sport or event, and any other organisations or individuals identified by AGLC.

Comparable regulators in other Canadian jurisdictions have enforced integrity reporting requirements. The AGCO’s enforcement record in Ontario indicates that failures to identify and report suspicious betting activity can result in significant financial penalties. Alberta’s regulatory architecture mirrors comparable provincial models for integrity monitoring, and AGLC has stated that it has reviewed comparable frameworks and designed its requirements accordingly, meaning the requirements that remain carry full weight.

Notification Timelines: Immediate, and the Notification Matrix

The SRIG draws a clear distinction between events that require immediate notification and those governed by structured timelines in the Notification Matrix. The table below summarises the categories and their associated channels based on the SRIG and the Go-Live Compliance Guide.

Event Category Notification Channel Timeline
Suspected criminal offence, cheating, theft, or suspicious activity AGLC Customer Care Centre, 1-800-561-4415 (telephone) Immediately (registration condition)
Unusual / suspicious betting activity Independent Integrity Monitor (IBIA); IIM escalates to AGLC and governing bodies Immediately upon identification
Player data breach triggering AGLC Notification Matrix iGamingCompliance@aglc.ca Per Notification Matrix timeline
IT / system incident affecting compliance with SRIG standards iGamingCompliance@aglc.ca Per Notification Matrix timeline
AML suspicious transaction report (STR) AiGC (anti-money laundering channel) As soon as practicable under PCMLTFA
Key-employee / ownership / financial-interest change DueDiligence@aglc.ca Per Notification Matrix timeline
Regulatory submissions (monthly reporting) AGLC portal (access set up pre-launch by AGLC) Monthly cadence per Matrix

The Notification Matrix document itself is not a public-facing static PDF but a registrant-specific compliance instrument distributed as part of the compliance application package. Registrants must obtain the current version directly from AGLC’s iGaming Compliance Branch and should not assume that the Notification Matrix circulating in industry channels reflects the version in effect at their go-live date. AGLC has indicated its intention to update guidance as the market matures.

Key Personnel Changes: the Due Diligence Channel

Changes to ownership, financial interest holders, and key employees are routed through DueDiligence@aglc.ca, not through the general compliance inbox. This separation reflects the SRIG’s three-pronged registration architecture, under which background checks on key individuals are a discrete track from operational compliance. The SRIG requires registrants to maintain accurate records and financial control forms and to ensure all communications with AGLC or its representatives are accurate. A misrepresented or late-reported key-personnel change carries the same risk of registration consequence as a misrepresented initial application, Section 2.1 of the SRIG states that false or misleading statements may result in refusal or revocation of registration.

In practice, compliance teams should build a personnel-change workflow that routes any change to a director, senior officer, compliance officer, or person with a material financial interest through DueDiligence@aglc.ca as a first step, concurrent with (not after) any internal HR or legal review. Operators whose compliance frameworks were designed for Ontario’s AGCO should note that AGLC has created a separate dedicated inbox for these notifications, whereas the Ontario regime channels most notifications through a unified compliance framework.

PIPA Alberta: Parallel Privacy Breach Obligations

Does PIPA apply to private iGaming operators in Alberta?

Yes. Alberta’s Personal Information Protection Act (PIPA), in force since January 1, 2004 and overseen by the Office of the Information and Privacy Commissioner (OIPC) of Alberta, applies to all private-sector organisations operating commercially in Alberta. This includes corporations, partnerships, and unincorporated associations. An iGaming operator registered with AGLC that collects, uses, or discloses player personal information in the course of its commercial activities is subject to PIPA. The federal PIPEDA does not apply in Alberta for intra-provincial commercial activities precisely because PIPA has been declared substantially similar to PIPEDA by the federal Governor in Council.

When must an operator notify the OIPC?

Under PIPA, a private-sector organisation must notify the OIPC of a breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. This is the same “real risk of significant harm” (RROSH) threshold used in PIPEDA. The OIPC’s guidance on PIPA breach notification tracks the Privacy Commissioner of Canada’s PIPEDA guidance closely, because both regulators jointly developed the accountability framework referenced in the PIPEDA breach guidance.

There is no fixed 72-hour deadline under PIPA (unlike the UK GDPR and Alberta’s public-sector POPA, which apply a 72-hour and “as soon as feasible” standard respectively to public bodies). The PIPA standard for private sector organisations is “as soon as feasible” after the organisation determines that the breach has occurred. For a registered iGaming operator holding real-time player data including financial transaction history, KYC documents, and responsible gambling records, “as soon as feasible” should be interpreted as a matter of hours to days, not weeks. Organisations that have experienced a RROSH breach and delayed notification by weeks have faced adverse findings from the OIPC.

The breach notification to the OIPC must also be accompanied by notification to affected individuals. That individual notification must contain sufficient information to allow each person to understand the significance of the breach to them and to take steps, where possible, to reduce the risk of harm or mitigate it. For iGaming operators, this means the notification cannot simply state that “a data incident occurred”, it must specify what categories of data were affected and what steps the player can take, such as changing account credentials or monitoring for identity fraud.

PIPA record-keeping obligation: Under the parallel PIPEDA framework (which models the PIPA obligation), organisations must keep a record of every breach of security safeguards involving personal information under their control, regardless of whether it meets the RROSH threshold. The OIPC may request access to breach records at any time. Alberta iGaming operators should maintain a breach register from day one, capturing all security incidents even those assessed as below the notification threshold.

What does a player data breach look like for an iGaming operator?

The SRIG’s data protection requirements provide a practical frame. Player personal information is defined broadly to include all data collected as part of account creation, KYC verification, financial transactions, and gaming activity. A breach may arise from: unauthorised access to player accounts through credential stuffing, a third-party supplier or subservice provider suffering a systems compromise that exposes data the operator transferred to them, internal access by an employee without authorisation, or a system misconfiguration that makes player account data publicly accessible. All of these scenarios trigger both the SRIG Notification Matrix obligation (report to AGLC via iGamingCompliance@aglc.ca) and, if the RROSH threshold is met, the PIPA obligation to notify the OIPC and affected players.

Alberta’s data governance context has become more complex following Bill 31 (the Red Tape Reduction Statutes Amendment Act, 2026), which passed provisions allowing AGLC to sell customer data from the Play Alberta platform to private companies. While that provision applies to AGLC as a public body (not to registered private operators), it has elevated provincial scrutiny of data-handling practices across the Alberta iGaming ecosystem and the OIPC has been publicly active in this space.

FINTRAC: Suspicious Transaction Reporting and the AiGC Channel

Registered operators and registered Goods or Services Suppliers in Alberta are designated reporting entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). The SRIG states that registrants must establish and maintain a comprehensive internal AML and terrorist financing program in compliance with the PCMLTFA, associated regulations, FINTRAC guidelines, and the designated reporting entity’s AML/TF policies and procedures. Anti-money laundering internal controls must align with those of the designated reporting entity under PCMLTFA.

The critical structural point is the channel split. FINTRAC reporting, Suspicious Transaction Reports (STRs), Large Cash Transaction Reports (LCTRs), and Electronic Funds Transfer Reports, runs through AiGC, not through AGLC’s iGaming Compliance inbox. The AGLC FAQ explicitly directs AML and FINTRAC process inquiries to AiGC. Operators must maintain copies of all reports filed with FINTRAC and supporting documentation, and those records must be accessible as part of AiGC’s compliance oversight function.

Under FINTRAC’s guidance, the STR obligation arises when there are reasonable grounds to suspect that a transaction is related to the commission or attempted commission of a money laundering or terrorist activity financing offence. The reasonable grounds standard is lower than balance-of-probabilities and is assessed based on facts, context, and indicators present at the time the decision is made. FINTRAC permits and expects operators to file reports even before a transaction is completed, where the attempted transaction meets the threshold. The obligation to not tip off the client is statutory: an operator cannot inform a player that an STR has been filed or will be filed.

The SRIG adds a further obligation specific to the Alberta market: operators must specify times and situations, based on risk assessment, where they will ascertain and reasonably corroborate a player’s source of funds. They must also ensure that mechanisms are in place to lawfully share information related to high-risk, suspicious, or criminal activities with other operators that may be subject to similar activity. This cross-operator information-sharing obligation goes beyond standard FINTRAC compliance and reflects Alberta’s intent to build an integrated intelligence function across the regulated market.

Registered Operators and registered Goods or Services Suppliers must implement and maintain a comprehensive internal AML and terrorist financing program in compliance with the PCMLTFA, associated regulations, FINTRAC guidelines and the designated reporting entity’s AML/TF policies and procedures.

Post-Incident Reporting and the Enforcement Consequences of Non-Compliance

The SRIG’s enforcement framework assigns supervisory authority to AGLC Inspectors. Where an inspector has reasonable and probable grounds to believe a violation of the Gaming, Liquor and Cannabis Act, the Gaming, Liquor and Cannabis Regulation, or board policy has occurred, the inspector has authority to require the registrant to correct the situation. The inspector prepares an Incident Report setting out the details of the alleged violation. That Incident Report must be dated when the investigation is finalised, and a copy must be given to the registrant within ten working days of its completion. The Vice President, Regulatory Services Division may then refer the matter to the Board for review and decision.

Sanctions available to the Board include warnings, requirements to cease specific activities, financial penalties, suspension, and revocation of registration. The SRIG makes clear that failure to comply with these policies may result in sanctions. Comparable provincial regulators have imposed financial penalties for compliance deficiencies, signalling the enforcement environment that Alberta’s framework is designed to support.

Post-incident, registrants should expect AGLC to require evidence of: the timeline of discovery and notification, the actions taken to contain the incident, any evidence preserved for investigation purposes, the remediation steps implemented, and, for data breaches, confirmation of whether PIPA notifications were made to the OIPC and affected individuals. Operators whose incident response documentation cannot reconstruct this timeline will face evidentiary difficulties in any Board hearing.

Building a Compliant Notification Programme Before July 13

The Go-Live Compliance Guide is clear that registrants must understand the requirements in the Notification Matrix before going live. That means incident-response procedures, notification templates, channel mapping, and staff training must all be in place before the first bet is accepted, not after the first incident occurs.

A compliant notification programme for an Alberta iGaming registrant should address the following elements. A documented incident classification framework must define which events fall into each notification category, criminal activity, IT/system incident, player data breach, integrity event, AML flag, or key-personnel change, and map each to the correct channel. Escalation protocols must specify who within the organisation has authority to make the decision to notify AGLC, the OIPC, AiGC, or FINTRAC, and at what point in the assessment process that notification must be triggered. Evidence preservation procedures must ensure that logs, records, and communications are secured on identification of any potential incident, consistent with the SRIG’s instruction to immediately secure materials that could serve as evidence. A breach register must be established and maintained from the first day of operation, capturing all security incidents regardless of RROSH assessment.

For operators already registered in Ontario under the AGCO Registrar’s Standards for Internet Gaming, the Alberta framework shares its broad architecture but differs in material respects: the AML channel runs through AiGC rather than directly through the regulator, the criminal-activity notification requires a telephone call to a specific number rather than an email, and the Notification Matrix is a registrant-specific document rather than a publicly standardised form. Operators should not assume that their Ontario incident-response procedures can be applied to Alberta without review. For a detailed comparison of the two provincial frameworks, see our analysis of the key regulatory differences between AGCO and AGLC.

Qualified legal counsel with Alberta gaming and privacy law expertise should be engaged to review any incident-response programme against the current version of the Notification Matrix before go-live, as the Matrix document is subject to ongoing revision and AGLC has signalled its intent to update standards as the market develops.

Source: AGLC, Internet Gaming Go-Live Compliance Guide, last updated January 2026, AGLC, Standards and Requirements for Internet Gaming (SRIG), January 14, 2026 (Section 5 IT and Security Requirements) and March 17, 2026 (Section 4.6 Sports and Event Betting); Personal Information Protection Act (PIPA Alberta), in force January 1, 2004, overseen by the OIPC of Alberta, FINTRAC Guidance on Suspicious Transaction Reporting, under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

Key Resources

AGLC Standards and Requirements for Internet Gaming (SRIG), January 14, 2026 (updated March 17, 2026). Primary compliance instrument. Available via aglc.ca/igaming.

AGLC Internet Gaming Go-Live Compliance Guide, January 2026. Sets out the three notification channels and confirms the Notification Matrix framework. Available via the AGLC iGaming Registration page.

AGLC Internet Gaming Notification Matrix, registrant-specific document, request via iGamingCompliance@aglc.ca as part of the compliance application package.

Personal Information Protection Act (PIPA Alberta), in force since January 1, 2004. Administered by the Office of the Information and Privacy Commissioner of Alberta at oipc.ab.ca.

FINTRAC Guidance, Reporting Suspicious Transactions, available at fintrac-canafe.gc.ca. Governs STR obligations under the PCMLTFA for designated reporting entities including casinos and iGaming operators.

For background on the broader AGLC registration framework, see our guide to what registered operators must know about the AGLC SRIG framework.

Matt Denney

Matt Denney

Editorial · gamingcompliance.io

Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.

Related coverage · also tagged AML & KYC

Browse all →

AML & KYC

UKGC Anti-Money Laundering: What UK Licensed Operators Must Have in Place

Jul 10 · 14 min read

AML & KYC

MGA AML Requirements: Malta’s Casino Due Diligence Framework Explained

Jul 3 · 16 min read

AML & KYC

New Jersey DGE AML Requirements: What Atlantic City and Online Casino Licensees Must Meet

Jun 27 · 16 min read

The Tuesday brief, every week.

One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.

Unsubscribe with one click. We'll never share your address.