FINTRAC · AML Compliance 13 min read Jun 3, 2026

FINTRAC Compliance Officer: What the Role Legally Requires for Canadian Casinos

Under PCMLTFA s. 9.6 and PCMLTFR s. 156, every Canadian casino must appoint a compliance officer. Learn who qualifies, the seven legal responsibilities, and how the role compares globally.

By Matt Denney, Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published Jun 3, 2026 13 min read Filed AML & KYC

Every casino that falls within the definition of a reporting entity under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) must appoint a compliance officer. That obligation is set out in PCMLTFA s. 9.6(1) and operationalised through the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), SOR/2002-184, s. 156(1). The appointment is not a formality. Seven legally distinct responsibilities attach to the role, and FINTRAC’s examination methodology assesses each one individually. A casino that appoints a compliance officer without equipping that individual with the authority, access, and resources the framework demands will fail an examination on the compliance program element alone, regardless of how well its transaction reporting performs.

Who Counts as a Casino Under PCMLTFA

The PCMLTFR defines “casino” as a government, organisation, board, or operator referred to in any of paragraphs 5(k) to (k.3) of the Act. This covers land-based casinos licensed under provincial authority, online casinos operated by or under agreement with provincial lottery corporations, and card clubs meeting the prescribed threshold. Provincial lottery corporations conducting online gambling, including those in Ontario and Alberta operating within their respective regulated iGaming frameworks, are covered as reporting entities and must maintain a compliant compliance program under PCMLTFA.

The definition matters for compliance officers because it determines the scope of the AML program they are responsible for implementing. A compliance officer appointed by a provincial lottery corporation overseeing a multi-site or multi-channel operation bears a structurally different burden than one appointed for a single land-based facility, even though the same statutory obligations apply to both. The AGLC Standards and Requirements for Internet Gaming 2026 are explicit that registered operators in Alberta must comply with PCMLTFA, associated regulations, and FINTRAC guidelines, and that anti-money laundering internal controls must align with those of the designated reporting entity under the Act.

Who Can Be a Compliance Officer

FINTRAC’s compliance guidance states that, depending on the size of the business, the compliance officer could be a senior manager, the owner or operator of a small business, or someone from a senior level who has direct access to senior management and the board of directors of a larger business. Where the reporting entity is a person rather than an entity, such as a sole proprietor, that individual may self-appoint as compliance officer or may choose to designate someone else.

Three structural requirements define the role for entity reporting entities. The compliance officer must be at a senior level. They must have the necessary authority to implement the compliance program. They must have direct access to both senior management and the board of directors. FINTRAC’s guidance expressly states that, as a best practice, the appointed compliance officer of a larger business should not be directly involved in the receipt, transfer, or payment of funds. This separation of function is not a statutory requirement, but FINTRAC examiners treat its absence in large operations as a deficiency in the compliance program design.

“Appointing someone to be your compliance officer alone does not fulfil your compliance program requirements.” (FINTRAC, Compliance Program Requirements Guidance)

The seniority requirement has operational consequences that compliance teams sometimes underestimate. A casino that designates a mid-level AML analyst as its compliance officer, without ensuring that individual has a direct reporting line to the board, has not met the requirement. The person filling the role need not carry the title “Chief Compliance Officer,” but they must occupy a position in the organisational hierarchy that gives them unmediated access to decision-makers. In practice, the compliance officer function at casino-scale operations is typically held by a Vice President, Head of Compliance, or equivalent, with a direct reporting line to the Chief Executive Officer or board audit committee.

The Seven Core Responsibilities Under PCMLTFR s. 156(1)

PCMLTFR s. 156(1) sets out the five required elements of a compliance program, and the compliance officer is the individual legally responsible for their implementation across the board. Read together with the broader FINTRAC compliance guidance, seven discrete responsibility clusters attach to the role.

Compliance policies and procedures. The compliance officer is responsible for establishing and maintaining written policies and procedures that cover, at minimum, all obligations applicable to the casino under the PCMLTFA and associated Regulations. Under PCMLTFR s. 156(1)(a), these policies and procedures must be approved by a senior officer if the reporting entity is an entity. The policies must be kept current, including updates triggered by legislative changes and internal process changes, and must be accessible to all those authorised to act on behalf of the casino.

Risk assessment. The compliance officer must develop and document a risk assessment that identifies the money laundering and terrorist financing risks specific to the casino’s products, services, client base, geographic exposure, and delivery channels. This assessment must inform the calibration of the policies and procedures and is a living document, not a one-time exercise. FINTRAC examiners review whether the risk assessment is proportionate to the actual risk profile of the operation.

Ongoing compliance training program. The compliance officer must develop and implement a written training program for all employees, agents, and others authorised to act on behalf of the casino. The training program must cover all PCMLTFA obligations applicable to the business. FINTRAC’s guidance specifies that the training program should address identification of suspicious transactions, reporting thresholds, client identification procedures, and the specific risk indicators relevant to the casino sector.

Transaction reporting. The compliance officer bears ultimate accountability for ensuring that all required reports are submitted to FINTRAC accurately and within prescribed timelines. For casinos, this covers large cash transaction reports (transactions of CAD 10,000 or more in cash), suspicious transaction reports (STRs), electronic funds transfer reports, large virtual currency transaction reports, and casino disbursement reports. The compliance officer’s policies and procedures must set out the internal process for identifying, assessing, and submitting each report type.

Client identification and record-keeping. The compliance officer is responsible for ensuring that know-your-client procedures are implemented and followed, that client identity is verified by prescribed methods when required, and that records are kept for the periods specified in the Regulations. For casinos, client identification obligations are triggered at the transaction thresholds prescribed under the PCMLTFR, including thresholds tied to the value of transactions conducted in a gaming session.

Ongoing monitoring. The compliance officer must ensure that the casino monitors business relationships on an ongoing basis, assesses client behaviour against the risk rating assigned to that client, and updates risk ratings when circumstances change. The compliance officer’s procedures must specify the frequency of monitoring commensurate with client risk levels.

Two-year effectiveness review. Under PCMLTFR s. 156(1)(f), the compliance officer must ensure that the effectiveness of the compliance program is reviewed at minimum every two years. The review must be conducted by an internal or external auditor and must test the effectiveness of the policies and procedures, risk assessment, and ongoing training program. The compliance officer must ensure that findings from the review are documented and that any deficiencies are remediated through a documented action plan.

Two-year review scope: FINTRAC’s guidance specifies that the effectiveness review must assess whether client identification policies and procedures are being followed, whether suspicious transactions were reported, whether large cash transactions were reported accurately and on time, whether the risk assessment was applied consistently, and whether the frequency of ongoing monitoring matches client risk levels. Failure to conduct the review, or conducting a review that does not cover all prescribed elements, constitutes a violation under the PCMLTFR.

What FINTRAC Looks at During an Examination

FINTRAC conducts compliance examinations of casinos under its supervisory mandate. The examination process assesses whether the five compliance program elements are present, documented, implemented, and effective. Examiners review the written compliance policies and procedures to assess whether they are current and approved by a senior officer. They test a sample of client records to verify whether client identification was conducted in accordance with the policies. They check whether suspicious transactions were reported and whether large cash transactions were filed accurately and on time.

Critically, FINTRAC assesses whether the compliance officer has the authority and organisational standing to carry out the role. An examination finding that the designated compliance officer lacks board access, or that the compliance program has never been reviewed for effectiveness, will result in a violation finding regardless of whether individual transaction reports were filed correctly. The compliance program element and the transaction reporting element are assessed independently.

FINTRAC’s published harm done assessment guides confirm that compliance program violations carry standalone penalty exposure. Under the administrative monetary penalty (AMP) regime in force since December 30, 2008, penalties are calibrated by the harm done to FINTRAC’s mandate and the base penalty amount for the relevant violation category.

Recent FINTRAC Enforcement Against Canadian Casinos

FINTRAC’s enforcement activity against Canadian gaming operations intensified markedly in mid-2025. According to Canadian Gaming Business, the BC Lottery Corporation received a CAD 1 million administrative monetary penalty in August 2025 relating to AML compliance program deficiencies. BCLC indicated it intended to contest the penalty in court. In the same enforcement cycle, according to CBC reporting in September 2025, CNE Casino received a CAD 199,000 penalty for failing to comply with risk assessment requirements under the PCMLTFA. Separately, the Saskatchewan Indian Gaming Authority (SIGA) received a CAD 1.175 million penalty and also signalled an intent to appeal, according to Casino.org in September 2025.

The three actions together represent more than CAD 2.3 million in penalties against Canadian casino operations in a single six-week period. The pattern is consistent with FINTRAC’s publicly stated priority of examining the casino sector, which the Financial Action Task Force has identified as a high-risk sector for money laundering in successive mutual evaluations of Canada.

Enforcement pattern: All three 2025 casino penalties arose from compliance program deficiencies rather than individual reporting failures. The consistent theme is structural: the compliance program was either inadequate, not effectively implemented, or had not been subject to a proper effectiveness review. Compliance officers at Canadian casinos should treat the two-year review obligation as a hard deadline, not an aspirational benchmark.

How the FINTRAC Role Compares to the UK MLRO

The UK equivalent of the FINTRAC compliance officer is the Money Laundering Reporting Officer (MLRO), required under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the Proceeds of Crime Act 2002 (POCA). The UKGC’s Licence Conditions and Codes of Practice condition 15.2.3 imposes casino-specific AML reporting obligations on licensees, requiring them to ensure all reportable events are notified to the National Crime Agency via suspicious activity reports.

The structural parallels between the two roles are significant. Both require appointment of an identified individual with sufficient seniority and independence. Both require the role-holder to have board-level access. Gibraltar’s AML Code of Practice for Remote Gambling, which aligns with the UK POCA framework, specifies that licence holders must clearly identify a board member with strategic responsibility for AML/CFT issues, and that the MLRO must be a member of any risk management committee reviewing customer accounts that raise AML concerns. The Gibraltar Code further specifies that the ability of the MLRO to oversee AML/CFT obligations must not be compromised by commercial responsibilities or conflicts of interest.

The material differences are in reporting architecture and the specific triggers for escalation. The UK MLRO submits suspicious activity reports to the National Crime Agency; the Canadian compliance officer submits suspicious transaction reports to FINTRAC. The UK regime imposes a more explicit consent-seeking mechanism before proceeding with a transaction after internal suspicion is formed, while the Canadian regime focuses on the filing obligation once reasonable grounds to suspect exist. The UK framework also places more explicit statutory liability on the MLRO personally for failures in the nominated officer function, creating a direct criminal exposure for the individual in cases of wilful non-compliance.

How the FINTRAC Role Compares to the US BSA Compliance Officer

Under 31 CFR Part 1021, each US casino must develop and implement a written AML compliance program. The regulatory text requires, at minimum, a system of internal controls, independent compliance testing, personnel training, and “an individual or individuals to assure day-to-day compliance.” FinCEN’s rules deliberately avoid the term “compliance officer” in favour of the functional descriptor “individual or individuals,” but supervisory guidance from FinCEN and the casino regulators in Nevada, New Jersey, and other states has consistently interpreted this as requiring a designated person with defined accountability.

The structural contrast with the Canadian model is notable. PCMLTFR s. 156 explicitly requires the appointment of a named compliance officer with seniority and board access requirements. The US BSA framework is more permissive in its drafting, allowing the compliance function to be distributed across multiple individuals, though in practice the casino examination process by FinCEN, the Nevada Gaming Control Board, and the New Jersey Division of Gaming Enforcement focuses on identifying a single accountable person. The US framework also requires the compliance program to be tested by independent internal or external auditors, which mirrors the FINTRAC two-year effectiveness review requirement, though the US does not impose a fixed two-year cycle by regulation.

For operators holding or seeking licences in both Canada and a US jurisdiction, the most significant operational point is that the Canadian framework names the compliance officer in statutory text and attaches seven discrete responsibilities to that named individual. US regulators assess the program; Canadian regulators assess both the program and whether the specific individual appointed to run it has the organisational standing the law requires.

Source: Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Compliance Program Requirements Guidance, PCMLTFA S.C. 2000, c. 17, s. 9.6, PCMLTFR SOR/2002-184, s. 156, FinCEN, 31 CFR Part 1021.210.

Practical Implications for Canadian Casino Compliance Teams

The compliance officer appointment is a legally prescribed act with consequences for how the entire compliance program is structured. Three practical points follow directly from the statutory text.

The compliance officer must be identifiable to FINTRAC at any point. If the individual holding the role changes, the casino must update its records and ensure the incoming compliance officer has equivalent seniority and board access before the transition takes effect. Leaving the role unfilled, even briefly during a personnel transition, constitutes a compliance program deficiency.

The compliance officer’s authority must be documented, not assumed. The organisational structure, including reporting lines, escalation pathways, and the compliance officer’s explicit mandate to implement the program without commercial interference, should be recorded in a board resolution, terms of reference, or equivalent corporate document. FINTRAC examiners assess whether the compliance officer genuinely has the authority the framework requires, not merely whether someone holds the title.

The two-year effectiveness review cycle must be tracked and resourced in advance. The review must be conducted by an internal or external auditor, meaning the compliance officer must either commission an external engagement or ensure that an internal audit function with the requisite independence and technical competence is available. The review deliverable must be a written report with findings and, where deficiencies are identified, a documented action plan with timelines for remediation.

Casinos operating in Ontario’s regulated iGaming market under the AGCO framework, or preparing for Alberta’s market launch under the AGLC, face an additional compliance layer: the AGCO Registrar’s Standards for Internet Gaming Standard 6.02 requires that AML policies and procedures to support PCMLTFA obligations are implemented and enforced, and that copies of all reports filed with FINTRAC are retained. The compliance officer at these operations therefore carries obligations traceable to two regulatory frameworks simultaneously. For a detailed breakdown of how the AGCO and AGLC frameworks compare at the operational level, see AGCO vs AGLC: Key Differences in Ontario and Alberta Internet Gaming Regulation.

Operators and compliance professionals should consult qualified legal counsel for jurisdiction-specific application of PCMLTFA and PCMLTFR obligations, particularly where operations span multiple provinces or involve cross-border elements that engage international AML frameworks.

Standard 6.02 of the AGCO Standards confirms explicitly that FINTRAC obligations run alongside provincial gaming obligations for online casino operators in Ontario. Compliance officers working within Ontario’s regulated market should review the Ontario iGaming enforcement record carefully: the AGCO has made clear through its audit and registration processes that AML compliance is assessed as a prerequisite for registration and continued operation. For an analysis of how that enforcement pattern has developed, see Ontario iGaming at Year Three: AGCO Compliance Lessons for New Entrants.

Key Resources

FINTRAC, Compliance Program Requirements Guidance: the primary reference for all compliance officer obligations, accessible via the FINTRAC guidance portal at fintrac-canafe.gc.ca.

Proceeds of Crime (Money Laundering) and Terrorist Financing Act, S.C. 2000, c. 17, section 9.6 governs the compliance program appointment and program requirements at the statutory level.

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations, SOR/2002-184, section 156 sets out the five compliance program elements and the senior officer approval requirement for policies and procedures. Available via the Department of Justice Canada legislation database.

FINTRAC, Penalties for Non-Compliance: public penalty notices and harm done assessment guides, available at fintrac-canafe.gc.ca/pen/1-eng.

FinCEN, 31 CFR Part 1021: the US BSA compliance program requirements for casinos and card clubs, for comparative reference.

To ensure your compliance program meets current requirements and withstands FINTRAC examination, review the FINTRAC Compliance Program Requirements Guidance and consult with qualified legal counsel to validate your specific compliance officer appointment structure and program documentation.
