FINTRAC Compliance Program Requirements for Online Casinos: All Seven Components Explained
Every Canadian online casino is a reporting entity under PCMLTFA. Master all seven FINTRAC compliance program components, from officer appointment to the two-year review, before your next examination.
Every casino operating in Canada, including every online casino, is a reporting entity under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), S.C. 2000, c. 17. That status triggers a comprehensive compliance program obligation under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), SOR/2002-184. FINTRAC enforces that obligation directly, with administrative monetary penalties that can reach seven figures: in September 2025, the Saskatchewan Indian Gaming Authority (SIGA) was fined CAD $1.175 million for AML compliance violations, according to Canadian Gaming Business and CBC, September 2025. For online casinos operating under provincial frameworks in Ontario or Alberta, FINTRAC compliance sits alongside, and is distinct from, the AML obligations imposed by AGCO’s Registrar’s Standards and the AGLC’s Standards and Requirements for Internet Gaming (SRIG). Meeting the provincial standard does not discharge the federal obligation.
FINTRAC’s compliance program guidance structures the requirements around seven components. Six are set out in PCMLTFR s. 156(1), supported by the broader compliance program requirement in PCMLTFR s. 9.6: the appointment of a compliance officer, written compliance policies and procedures, a documented risk assessment, written enhanced measures for high-risk situations, a training program with a supporting plan, and a two-year effectiveness review. The seventh, recordkeeping, is a distinct obligation under PCMLTFA that is integral to every other component and is a primary examination target in its own right. This article maps each component to its regulatory basis, explains what FINTRAC specifically requires, and flags the operational gaps that most frequently surface during examinations.
Source: FINTRAC, Compliance Program Requirements Guidance, PCMLTFR, SOR/2002-184, subsection 9.6(1) and subsections 156(1), 156(4).
Scope: Which Casinos Are Reporting Entities?
The PCMLTFR defines “casino” as a government, organization, board, or operator referred to in any of paragraphs 5(k) to (k.3) of the PCMLTFA. This definition captures provincially regulated online casinos, including those operating under commercial agreements with iGaming Ontario or Alberta’s iGaming Corporation. The definition is not limited to physical premises. Any entity operating an online gaming platform that falls within those paragraphs of the PCMLTFA carries the full suite of reporting entity obligations: suspicious transaction reporting, large cash transaction reporting, large virtual currency transaction reporting, electronic funds transfer reporting, casino disbursement reporting, and the compliance program requirements addressed in this article.
Compliance officers at multi-provincial operators should note that the federal FINTRAC obligation applies once, at the entity level, regardless of how many provincial markets the operator is active in. The casino’s designated reporting entity relationship, typically the operator holding the PCMLTFA registration, is the anchor for the entire compliance program. Ontario-licensed operators who have structured their group through a holding company or management company arrangement should confirm with qualified legal counsel which legal entity carries the reporting entity status, because FINTRAC’s examination will be directed at that entity.
Component One: Appointing a Compliance Officer
PCMLTFR paragraph 156(1)(a) requires every reporting entity to appoint a compliance officer responsible for implementing the compliance program. FINTRAC guidance defines the compliance officer as “the individual, with the necessary authority, that you appoint to be responsible for the implementation of your compliance program.” The authority element is not ceremonial. FINTRAC guidance is explicit that merely making an appointment does not fulfil the compliance program requirement.
Appointing someone to be your compliance officer alone does not fulfil your compliance program requirements. The appointed compliance officer is responsible for implementing the compliance program and must have the authority to do so.
For a large business, the compliance officer should be at a senior level with direct access to senior management and the board of directors. As a best practice, the compliance officer of a larger business should not be directly involved in the receipt, transfer, or payment of funds, to preserve independent oversight. For smaller operators or sole proprietors, the owner or operator may self-appoint. The practical implication for online casinos, which typically operate within complex group structures, is that the nominated individual must demonstrably control the compliance program, not merely sign off on reports produced by others.
Component Two: Written Compliance Policies and Procedures
PCMLTFR paragraph 156(1)(b) requires written compliance policies and procedures. FINTRAC guidance specifies that these must be written and in a format accessible to the intended audience, kept up to date to reflect legislative changes and internal process changes, and approved by a senior officer if the reporting entity is a corporate entity. The policies must be made available to all those authorised to act on the casino’s behalf, including employees, agents, and any other persons who deal with clients or transactions.
The subject-matter scope of the policies is substantial. At a minimum, the policies must cover the compliance program components themselves (officer, risk assessment, training, effectiveness review); know your client requirements (client identity verification, politically exposed persons, heads of international organisations, their family members and close associates, beneficial ownership, business relationships, and ongoing monitoring); recordkeeping obligations; reporting obligations (suspicious transactions, large cash and virtual currency transactions, electronic funds transfers, casino disbursements); and the casino’s approach to third-party agents or mandataries where applicable.
FINTRAC guidance draws an important operational point: if an industry association or governing body has provided a generic set of policies and procedures, the reporting entity must tailor them to its own business. Generic policies that have not been adapted to the casino’s specific client base, product mix, delivery channels, and risk profile will not satisfy the requirement. The level of detail required scales with the casino’s size, structure, complexity, and risk exposure.
Key requirement: Policies and procedures must be approved by a senior officer if the reporting entity is a corporate entity (PCMLTFR, paragraph 156(1)(b)). “Senior officer” is defined in PCMLTFR s. 1(2) and includes, among others, the CEO, COO, CFO, chief auditor, and persons reporting directly to the board or the CEO/COO.
Component Three: Risk Assessment
PCMLTFR subsection 9.6(2) and paragraph 156(1)(c), read together with subsection 156(2), require the casino to develop and apply policies and procedures to assess its money laundering, terrorist activity financing, and sanctions evasion risks. The risk assessment must consider four dimensions: the casino’s clients, business relationships, and correspondent banking relationships, including their activity patterns and geographic locations; the products, services, and delivery channels offered; the geographic locations where the casino conducts its activities; and any other relevant factors specific to the business.
The risk assessment is not a static document. FINTRAC guidance requires it to be updated to reflect changes in the business, new products or delivery channels, changes to the client base, and legislative or regulatory developments. Online casinos are particularly exposed to geographic and product-mix changes: adding a new payment method, entering a new provincial market, or integrating a new software supplier can all alter the risk profile materially and may require the risk assessment to be revised ahead of the next scheduled review cycle.
The output of the risk assessment directly feeds the enhanced measures component. Any risk rated as high must generate a corresponding enhanced measure. Failure to connect the risk assessment outcome to tangible controls is one of the most common gaps FINTRAC identifies during examinations. The risk assessment must also be applied at the client level: a review of a sample of client records is a standard examination step, checking whether the casino’s assigned risk rating for individual clients reflects the documented risk assessment methodology.
Component Four: Written Enhanced Measures for High-Risk Situations
PCMLTFR paragraph 156(1)(c) and subsection 156(2), supplemented by PCMLTFR subsection 9.6(2), require written policies and procedures for enhanced measures whenever a money laundering, terrorist activity financing, or sanctions evasion risk is assessed as high. Enhanced measures are not optional responses to elevated risk; they are mandatory written controls that must be in place before the risk materialises.
FINTRAC guidance specifies that the enhanced measures policies must include the additional identity verification steps the casino will take for high-risk persons or entities, and any other additional steps to mitigate risk. Those additional steps include, at minimum: updating client identification information and beneficial ownership information at a frequency appropriate to the risk level, and conducting ongoing monitoring of business relationships at a frequency appropriate to the risk level. Beyond those minimums, FINTRAC guidance identifies a non-exhaustive list of enhanced measure options: obtaining additional client information from public databases and the internet, obtaining information on the client’s source of funds or source of wealth, obtaining additional information on the purpose and intended nature of the business relationship, and conducting enhanced ongoing monitoring.
For online casinos, the practical categories triggering enhanced measures include clients assessed as high-risk based on geographic indicators (clients transacting from high-risk jurisdictions as designated by the Financial Action Task Force), politically exposed persons and their family members and close associates, and clients exhibiting transaction patterns inconsistent with their stated profile. The AGLC’s SRIG 2026-03-17, which governs Alberta online casino operators, specifically requires operators to “specify times and situations, based on the assessment of risk, where the Operator will ascertain and reasonably corroborate a player’s source of funds,” a requirement that maps directly onto FINTRAC’s enhanced measures framework for source-of-funds verification at the federal level.
Component Five: Ongoing Training Program and Plan
PCMLTFR paragraph 156(1)(e) requires the casino to develop and maintain an ongoing compliance training program and a written training plan. The training program must cover employees, agents, and any other persons authorised to act on the casino’s behalf in connection with clients, transactions, or compliance-related activities. The training content must address the reporting entity’s compliance policies and procedures, the related recordkeeping, client identification, and reporting requirements that apply to the casino’s specific business.
The training plan must describe the frequency of training. FINTRAC guidance permits flexible delivery, including at regular intervals (monthly, semi-annually, or annually), event-triggered delivery (before a new employee deals with clients, or when a procedure changes), or a combination of both. For large online casinos with differentiated staff roles, the training plan should explain how general and specialised training is allocated across different functions, because FINTRAC guidance specifically notes that a large business may provide different training types based on role-specific duties.
The training program must include a record of training delivered, capturing at minimum the date of each training session, the list of attendees, and the topics covered. These records are a direct examination target: during an effectiveness review, the auditor will review the training records to assess whether training was actually delivered as planned and whether the content was appropriate to the roles and risk exposure of those trained. Training records that exist only at a generic level, without attendee lists or topic logs, will not satisfy this requirement for a casino of any scale.
Component Six: The Two-Year Effectiveness Review
PCMLTFR paragraph 156(1)(f), subsection 156(3), and subsection 156(4) together require the casino to carry out a review of its compliance program every two years at a minimum, for the purpose of testing its effectiveness. FINTRAC defines the two-year effectiveness review as “a review, conducted every two years (at a minimum), by an internal or external auditor to test the effectiveness of your policies and procedures, risk assessment, and training program.”
The purpose of an effectiveness review is to determine whether your compliance program has gaps or weaknesses that may prevent your business from effectively detecting and preventing money laundering, terrorist activity financing and sanctions evasion.
The review must be carried out and its results documented by an internal or external auditor, or by the reporting entity itself if it has no auditor. FINTRAC guidance states that the review should be conducted by someone knowledgeable of the requirements under the PCMLTFA and its associated Regulations, and, as a best practice, should not be conducted by someone directly involved in the compliance program activities being reviewed. The independence requirement is a best practice rather than a hard rule for smaller entities, but for any online casino of material size, the review should be assigned to an independent internal audit function or an external compliance reviewer.
The scope of the effectiveness review is specific and operational. FINTRAC guidance identifies the following review elements as required: a test of the compliance officer’s and relevant staff’s knowledge of policies, procedures, recordkeeping, client identification, and reporting requirements; a review of a sample of records to assess whether client identification policies are being followed; a review of agent or mandatary agreements and a sample of identity verification information they used; a review of transactions to assess whether suspicious transaction reports were filed; a review of large cash transactions to assess whether they were reported to FINTRAC accurately and within prescribed timelines; a review of electronic funds transfers where applicable; a review of a sample of client records to assess whether the risk assessment was applied consistently; and a review of the frequency of ongoing monitoring against client risk level assignments.
The effectiveness review must produce a written report. That report must document the review scope, the findings, any corrective action plans, any updates made to policies and procedures during the review period that were not triggered by the review itself, and the status of implementation of any updates. PCMLTFR subsection 156(4) requires the casino to retain the review documentation.
Deadline note: The two-year clock runs from the date of the previous effectiveness review, not from a fixed calendar date. Casinos that have not completed an effectiveness review within the required cycle are in a state of non-compliance at the moment the deadline passes. FINTRAC does not issue advance notices that a review is overdue.
Component Seven: Recordkeeping
Recordkeeping obligations under PCMLTFA and the PCMLTFR run through every other component of the compliance program. The compliance program’s effectiveness is tested, in significant part, by examining records: records of client identity verification, records of training delivery, records of risk assessment application to specific clients, records of suspicious transaction report decisions (including decisions not to file), and records of the effectiveness review itself.
For online casinos, the digital nature of transactions creates both an advantage and a risk. Transaction logs, deposit and withdrawal records, and player account histories are typically available in machine-readable form and at high volume. The compliance challenge is not data availability but data accessibility for examination purposes: records must be retrievable in a form that allows FINTRAC examiners to trace specific transactions, specific client interactions, and specific compliance decisions. Where a casino operates across multiple platforms or uses third-party suppliers, the records architecture must ensure that all required records are retrievable by the reporting entity, not just by the platform or supplier.
FINTRAC examinations of online casinos will specifically test the connection between the casino’s large virtual currency transaction records and its large virtual currency transaction reports. Reports of large virtual currency transactions, a reportable category for casinos under the PCMLTFA, must be filed with FINTRAC, and the underlying records must support the reported information.
Interaction with Provincial AML Obligations
Online casinos licensed in Ontario under the AGCO Registrar’s Standards for Internet Gaming are required, under Standard 6.02, to implement and enforce AML policies and procedures to support their PCMLTFA obligations, including retaining copies of all reports filed with FINTRAC. The AGCO standard effectively treats FINTRAC compliance as a floor condition of Ontario licensing. Similarly, the AGLC SRIG 2026-03-17 requires registered operators to “develop and maintain a comprehensive internal anti-money laundering and terrorist financing (AML/TF) program in compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), associated regulations, FINTRAC guidelines and the designated reporting entity’s AML/TF policies and procedures.”
A compliance failure at the FINTRAC level, such as inadequate policies, a missed effectiveness review, or an undertrained staff complement, is simultaneously a breach of the provincial operator’s registration conditions. FINTRAC and AGCO or AGLC do not coordinate their examinations in real time, but findings from a FINTRAC examination can be shared with provincial regulators and vice versa. Compliance teams operating in both Ontario and Alberta should treat the FINTRAC compliance program as the baseline, then map each additional provincial AML obligation onto that framework. For operators active in both provinces, a single compliance program document, appropriately scoped and cross-referenced to both AGCO and AGLC requirements, is operationally more sustainable than maintaining parallel documentation.
For a detailed mapping of how AGCO and AGLC differ on AML and other compliance obligations, see our comparison of AGCO vs AGLC regulatory requirements. For the broader Ontario compliance framework, our analysis of AGCO compliance lessons at year three addresses enforcement patterns and common gaps.
FINTRAC Enforcement: What Non-Compliance Costs
FINTRAC’s administrative monetary penalties (AMP) program operates under a framework calibrated to promote a change in behaviour rather than simply to punish. The AMP policy articulates six guiding principles: objectivity, reasonableness, transparency, fairness, consistency, and documentation. The severity of each penalty is assessed by weighing the extent of the non-compliance and its root cause against its adverse impact on FINTRAC’s mandate.
The September 2025 penalty against SIGA illustrates the scale of exposure. According to Canadian Gaming Business and multiple outlets (September 2025), SIGA was fined CAD $1.175 million for AML-related violations, and the authority indicated it intended to appeal. The enforcement action underscores that FINTRAC’s examination focus on the casino sector is active and that penalties for compliance program failures are material. Compliance teams should consult the FINTRAC penalties database directly for the most current enforcement decisions.
FINTRAC enforcement priorities in the casino sector consistently target compliance program gaps rather than isolated reporting failures. An examination that reveals a compliance officer with no operational authority, a risk assessment that has not been updated since initial licensing, training records that do not identify specific attendees, or an effectiveness review that has not been conducted within the required cycle will generate findings across multiple compliance program components simultaneously. Each finding carries independent penalty exposure. The cumulative penalty for a compliance program that is structurally deficient, as opposed to one with a single reporting lapse, is correspondingly higher.
Compliance officers should consult qualified legal counsel for jurisdiction-specific advice on FINTRAC obligations, particularly where group structures raise questions about which entity holds the reporting entity status and how compliance program responsibilities are allocated within the group. To begin implementing a compliance program aligned with FINTRAC requirements, start with the FINTRAC Compliance Program Requirements Guidance, and consider engaging an external compliance reviewer to conduct your initial risk assessment and policy development.
Key Resources
FINTRAC, Compliance Program Requirements Guidance, the primary reference document for all compliance program components, updated periodically by FINTRAC. Available at fintrac-canafe.gc.ca.
Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations, SOR/2002-184, subsection 9.6 (compliance program requirement) and section 156 (detailed component obligations). Available via the Department of Justice Canada at laws-lois.justice.gc.ca.
FINTRAC Administrative Monetary Penalties Policy, explains the framework for penalty determination and the principles applied during AMP proceedings. Available at fintrac-canafe.gc.ca/pen/2-eng.
Proceeds of Crime (Money Laundering) and Terrorist Financing Act, S.C. 2000, c. 17, the enabling statute, including the casino definition trigger at paragraphs 5(k) to (k.3). Available at laws-lois.justice.gc.ca.
Source: FINTRAC, Compliance Program Requirements Guidance (all components); PCMLTFR, SOR/2002-184, ss. 9.6 and 156(1), 156(4); FINTRAC Administrative Monetary Penalties Policy (fintrac-canafe.gc.ca/pen/2-eng); AGLC SRIG 2026-03-17, AML/TF section; AGCO Registrar’s Standards for Internet Gaming, Standard 6.02.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.