FINTRAC Enhanced Measures: When Standard Casino KYC Isn’t Enough

Standard casino KYC under FINTRAC’s regime covers identity verification at account opening, large cash transaction reporting at $10,000 and above, and suspicious transaction reporting. For a significant category of clients, that baseline is not enough. The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), S.C. 2000, c. 17, at subsection 9.6(3), mandates that casinos take “the special measures referred to in the regulations” whenever risk has been assessed as high, or in other prescribed circumstances. Those circumstances are not rare edge cases. They arise every time a casino onboards a foreign politically exposed person, every time ongoing monitoring reveals escalating transactional risk, and every time a business risk assessment flags a client segment or product as high-risk. Casinos that treat enhanced measures as a discretionary overlay on standard KYC are misreading the law.

The Statutory Architecture: PCMLTFA s. 9.6(3) and the PCMLTFR

The obligation to apply enhanced measures flows from two interlocking instruments. The Proceeds of Crime (Money Laundering) and Terrorist Financing Act at subsection 9.6(3) provides that if a reporting entity considers the risk referred to in subsection 9.6(2) to be high, or if prescribed circumstances exist, it must take the special measures set out in the regulations. The Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), SOR/2002-184, then give those measures operational content. For casinos specifically, Part 1 of the PCMLTFR establishes reporting and record-keeping triggers: receipt of $10,000 or more in cash in a single transaction must be reported together with the information set out in Schedule 1, as must equivalent thresholds for virtual currency and international electronic funds transfers.

The compliance program requirements sit in PCMLTFR subsection 9.6(2), which requires every reporting entity to develop and apply written policies and procedures assessing money laundering and terrorist financing risk in the course of its activities. Enhanced measures, under FINTRAC’s Compliance Program Requirements guidance (Guide 4), are defined as the additional controls and processes a casino puts in place to manage and reduce risks associated with high-risk clients and business areas. The key phrase in the guidance is unambiguous: a casino must develop and apply written policies and procedures for the enhanced measures it will take for any risk it identifies as high. Ad hoc enhancement of monitoring or identity verification after a suspicious event does not satisfy the obligation. The framework must exist before the high-risk client arrives.

When Are Enhanced Measures Required?

Three principal triggers require a casino to move beyond standard KYC and activate its enhanced measures framework.

A high-risk finding from the business or client risk assessment is the first trigger. FINTRAC’s Risk Assessment Guidance distinguishes between inherent risk, which is the risk that exists before controls are applied, and residual risk, which remains after mitigation. A casino’s business-based risk assessment must evaluate the nature of its client base, products, delivery channels, and geographic exposure. Where the inherent risk in any of those dimensions is assessed as high, the reporting entity must apply enhanced measures to that risk area. A casino offering virtual currency deposits to clients in FATF-designated high-risk jurisdictions will, in most cases, be unable to avoid a high-risk assessment in that product-jurisdiction combination.

The second trigger arises from the client-level risk assessment. Ongoing monitoring of a business relationship must be conducted at a frequency appropriate to the risk level. If monitoring reveals that a client’s activity has become inconsistent with their known profile, through volume spikes, unusual deposit patterns, or unexplained changes in payment method, the casino must re-assess the client’s risk rating. Where that reassessment produces a high-risk finding, enhanced measures must apply from that point forward.

The third trigger is categorical: foreign politically exposed persons (PEPs), and family members and close associates of foreign PEPs, are automatically classified as high-risk under Canadian law. No further risk assessment is required to reach that conclusion. FINTRAC’s PEP and Heads of International Organizations (HIO) guidance states this directly, you must treat persons you determine to be foreign PEPs or family members and close associates of foreign PEPs as posing a high risk. The identification of a foreign PEP is itself the risk-assessment conclusion, the casino’s job is detection, not deliberation about risk level.

Domestic PEPs and HIOs: A Different Standard

The treatment of domestic PEPs, those who currently hold or have held within the last five years a specific office in or on behalf of the Canadian federal, provincial, territorial, or municipal government, differs from the treatment of foreign PEPs. A domestic PEP under PCMLTFA subsection 9.3(3) covers positions including Governor General, lieutenant governor, head of government, member of the Senate or House of Commons, member of a legislature, deputy minister or equivalent, ambassador, attaché or counsellor of an ambassador, military officer of general rank, president of a Crown corporation, head of a government agency, judge of a provincial appellate court, Federal Court of Appeal, or Supreme Court of Canada, leader or president of a political party represented in a legislature, and mayor, reeve, or similar chief officer of a municipal or local government.

Heads of international organizations (HIOs), persons who currently hold or have held within the last five years the position of head of an international organization established by the governments of states, a head of an institution established by such an organization, or a head of an international sports organization, also fall under this framework.

The distinction from foreign PEPs is material. Domestic PEPs and HIOs, along with their family members and close associates, must be treated as high-risk only if the casino’s risk assessment concludes that there is a high risk of a money laundering or terrorist financing offence being committed. That determination is risk-sensitive, not automatic. Where the casino concludes through its risk assessment that a domestic PEP relationship does not present high risk, the enhanced measures framework is not triggered, though standard KYC and ongoing monitoring obligations remain. Where high risk is found, the prescribed measures apply with the same force as for foreign PEPs.

What Enhanced Measures Require in Practice

FINTRAC’s Compliance Program Requirements guidance specifies that a casino’s written policies and procedures for enhanced measures must include two mandatory elements, plus a non-exhaustive list of additional steps the casino may take to mitigate risk.

The first mandatory element is the additional steps, based on assessment of the risk, the casino will take to verify the identity of a person or entity. For a standard client, identity verification through the government-issued photo identification method, the credit file method, or the dual-process method satisfies the requirement. For a high-risk client, that baseline verification is the floor, not the ceiling. The policies must specify what additional verification steps apply, which for most casinos operating at meaningful risk levels will include checks against commercial PEP/sanctions databases, adverse media screening, and verification of beneficial ownership beyond the 25% threshold used for standard corporate due diligence.

The second mandatory element covers any other additional steps the casino will take to mitigate the risks, including ensuring that client identification information and beneficial ownership information is updated at a frequency appropriate to the level of risk, and conducting ongoing monitoring of business relationships at a frequency appropriate to the level of risk. The guidance does not prescribe a specific review interval, whether quarterly, semi-annually, or annually, because FINTRAC’s framework is risk-based rather than prescriptive. FINTRAC’s exam teams review client records specifically to assess whether the frequency of ongoing monitoring is adequate and carried out in accordance with the client’s risk level assessment. Casinos whose policies state only that “high-risk clients will be monitored more frequently than standard clients” without defining what that means in practice will not satisfy this requirement.

Beyond those two mandatory elements, FINTRAC’s guidance identifies a menu of enhanced measures a casino can apply. These include obtaining additional information on a client from public databases and the internet, obtaining information on the client’s source of funds or source of virtual currency, obtaining information on the source of the client’s wealth, obtaining information on the reasons for attempted or completed transactions, and obtaining senior management approval to commence or continue a business relationship.

Source of Funds vs. Source of Wealth: Why the Distinction Matters

Two of the most frequently conflated enhanced measure obligations are source of funds and source of wealth. FINTRAC’s guidance treats them as distinct requirements, and the distinction is operationally significant for casino compliance teams.

Source of funds refers to the origin of the particular funds used to carry out a specific transaction or attempted transaction, specifically how those funds were acquired, not where they came from geographically. A client depositing $50,000 in a single transaction must be able to account for the origin of those $50,000 specifically: salary, business income, proceeds of a property sale, an inheritance, or another identified and documented source.

Source of wealth refers to the origin of the client’s total wealth, meaning the activities and means by which the client accumulated their overall asset base. For high-risk clients, including foreign PEPs and those identified as high-risk through the risk assessment, both must be established. FINTRAC’s PEP guidance states that once a person is determined to be a PEP, HIO, or a family member or close associate in applicable circumstances, the casino must take reasonable measures to establish the source of the funds or source of virtual currency used for a transaction or expected to be deposited, and the source of the person’s wealth. Where a transaction or account activity is inconsistent with the information held about source of funds or source of wealth, the casino must follow up. Where the information remains inconsistent or the response unsatisfactory, and there are reasonable grounds to suspect money laundering or terrorist financing, a suspicious transaction report must be filed with FINTRAC.

Once you determine that a person is a politically exposed person, head of an international organization, or a family member or close associate of a politically exposed person or head of an international organization, you must take reasonable measures to establish the source of the funds or source of virtual currency used for a transaction or that is expected to be deposited into an account, and the source of a person’s wealth.

The Senior Officer Approval Requirement

Obtaining senior management approval before commencing or continuing a high-risk business relationship is a prescribed enhanced measure under the PCMLTFR. In the casino context, this means that before onboarding a client classified as high-risk, or before deciding to continue a relationship with a client whose risk rating has escalated to high, a senior officer must review and approve the decision.

The PCMLTFR’s definition of “senior officer” in respect of an entity encompasses a director who is a full-time employee, the chief executive officer, chief operating officer, president, secretary, treasurer, controller, chief financial officer, chief accountant, chief auditor, chief actuary, or any person who performs any of those functions, and any other officer who reports directly to the entity’s board of directors, chief executive officer, or chief operating officer. Casinos cannot satisfy this requirement by delegating approval authority to a compliance analyst or mid-level manager unless that person falls within the definition.

The senior officer approval requirement creates a governance checkpoint that forces high-risk relationship decisions to the most senior levels of the casino’s management structure. Compliance teams must maintain an approval log, recording the date, approving officer, basis for approval, and any conditions imposed, as part of the records supporting the enhanced measures applied to each high-risk client. FINTRAC’s two-year effectiveness review obligation under the PCMLTFR, which requires testing whether the compliance program is working as intended, will typically include a sample review of these records.

Ongoing Monitoring: Frequency and Documentation

Standard ongoing monitoring requires a casino to monitor business relationships and keep the resulting records current. Enhanced ongoing monitoring for high-risk clients requires the casino to define, apply, and document a monitoring frequency that is calibrated to the level of risk. What calibration looks like in practice will depend on the client’s profile, transaction volumes, and the risk factors that triggered the high-risk classification.

A foreign PEP who is a head of state of a country with significant FATF concerns, depositing large volumes through multiple payment channels, will require more intensive monitoring than a domestic PEP who held a provincial legislative seat fifteen years ago and whose transactions are low-volume and consistent. Both require enhanced monitoring, neither requires identical monitoring. The key compliance obligation is that the monitoring frequency is documented in the client file, is demonstrably risk-proportionate, and is actually carried out at the documented frequency.

Transaction monitoring for high-risk casino clients must include review of deposit and withdrawal patterns against the expected profile established at onboarding and updated at each enhanced KYC review, scrutiny of payment method changes, cross-referencing against sanctions lists maintained under the United Nations Act, the Special Economic Measures Act, and the Justice for Victims of Corrupt Foreign Officials Act (Sergei Magnitsky Law), and regular adverse media screening. Where monitoring reveals activity inconsistent with the client’s profile, the casino must document its assessment and, where grounds for suspicion exist, file a suspicious transaction report.

Family Members and Close Associates: The Perimeter Problem

One of the most practically challenging aspects of the FINTRAC enhanced measures framework is the extended perimeter it applies to family members and close associates of PEPs and HIOs. The family member category under the PCMLTFR encompasses the PEP’s or HIO’s spouse or common-law partner, biological or adoptive children, parents, parents-in-law (the mother or father of their spouse or common-law partner), and siblings (children of their mother or father).

The permanence rules are asymmetric. Once a casino determines that a person is a family member of a foreign PEP, including a deceased foreign PEP, that person remains a family member of a foreign PEP permanently, and no further determination is required. Family members of domestic PEPs and HIOs retain that status until five years after the domestic PEP or HIO has left office. The permanence of the foreign PEP family member classification means that a client whose parent was a foreign head of state twenty years ago remains within the PEP family member perimeter indefinitely.

Close associates present a different challenge: the definition is not fixed by statute but depends on whether the associate is widely and publicly known to maintain a close personal or business relationship with the PEP or HIO. Identifying close associates requires active due diligence, typically open-source research, commercial database screening, and in some cases direct questioning of the client, rather than a passive administrative check. The FINTRAC guidance notes that step-family relationships do not fall within the family member definition unless a child is legally adopted, but recommends considering step-family members as potential close associates.

Enhanced Measures in the Ontario Context

For casinos operating in Ontario’s regulated iGaming market, FINTRAC obligations run alongside the AGCO’s Registrar’s Standards for Internet Gaming. Standard 6.02 of the AGCO’s Standards requires operators to implement and enforce anti-money laundering policies and procedures supporting obligations under the PCMLTFA. That standard explicitly requires that copies of all reports filed with FINTRAC and supporting documentation be retained. Ontario-registered operators therefore carry both the FINTRAC enhanced measures obligation under the PCMLTFA and the AGCO’s operational standards requirement to have documented AML policies, creating a dual-compliance structure where FINTRAC examination findings and AGCO audit findings can arise from the same underlying gap.

Compliance teams at Ontario-registered operators should note that the iGO Operator Agreement and AGCO Standards together require a documented compliance programme that can be audited by both authorities. A gap in the enhanced measures framework, whether undocumented monitoring frequencies, absent senior officer approval records, or generic source-of-funds procedures that do not distinguish high-risk clients, will expose the operator to regulatory action from both FINTRAC and the AGCO simultaneously. For further detail on how the Ontario dual-authority model affects AML compliance obligations, see Ontario iGaming at Year Three: AGCO Compliance Lessons for New Entrants.

Alberta’s iGaming market, which opened in July 2026 under the AGLC’s Standards and Requirements for Internet Gaming, imposes equivalent PCMLTFA obligations. Operators registered in Alberta carry the same FINTRAC enhanced measures obligations as their Ontario counterparts, the federal AML regime applies regardless of the provincial licensing authority. The comparison of how Ontario and Alberta structure their AML-adjacent compliance expectations is explored in AGCO vs AGLC: Key Differences in Ontario and Alberta Internet Gaming Regulation. For a broader reference on how the AGCO registration framework intersects with federal AML obligations, the AGCO registration requirements profile covers the full regulatory architecture.

Enforcement Context: FINTRAC’s Casino Focus

FINTRAC has made the casino sector a sustained enforcement priority. According to Canadian Gaming Business, in September 2025 FINTRAC imposed a $1.175 million penalty on the Saskatchewan Indian Gaming Authority for AML compliance failures. In the same period, reporting by The Logic described FINTRAC as targeting casinos specifically in what was characterised as an AML enforcement blitz. A further action against CNE Casino drew sector attention in August 2025, according to Gaming News Canada, with commentary questioning the scope of the action.

The enforcement pattern is consistent with FINTRAC’s published examination priorities. The Centre’s effectiveness reviews specifically test whether the frequency of ongoing monitoring is adequate, whether client risk assessments are documented and applied in accordance with the casino’s risk assessment process, and whether suspicious transactions were reported. Deficiencies in any element of the enhanced measures framework, including absent written policies, undocumented monitoring, or inadequate source-of-funds procedures for high-risk clients, represent the categories of failure that generate penalty notices.

Administrative monetary penalties under the PCMLTFA are tiered by violation type and can reach significant levels for continued non-compliance. FINTRAC publishes penalty notices naming the reporting entity and the nature of the violation. For online casino operators, a public FINTRAC penalty notice is a material reputational and licensing risk that extends beyond the penalty amount itself.

Compliance Programme Requirements: What Must Be in Writing

A casino’s enhanced measures framework is not satisfied by training staff to apply more scrutiny to high-risk clients. The PCMLTFR and FINTRAC’s Compliance Program Requirements guidance are explicit that the enhanced measures a casino will take for high-risk clients must be set out in written policies and procedures. Those written policies must specify, at minimum, the additional identity verification steps to be taken, the mechanism for ensuring client identification information is updated at a frequency appropriate to risk, and the ongoing monitoring frequency and approach for high-risk client relationships.

Beyond those mandatory elements, the written policies must address how the casino will establish source of funds and source of wealth, what triggers a request for senior officer approval, who qualifies as a senior officer for approval purposes, how approval decisions will be documented and stored, and how the casino will detect PEP and HIO status, including through commercial screening databases, direct questioning at onboarding, and periodic re-screening. The two-year effectiveness review, also required under the PCMLTFR, must include a review of client records to verify that enhanced measures are being applied as the written policies specify.

Your policies and procedures for enhanced measures must include the additional steps, based on assessment of the risk, that you will take to verify the identity of a person or entity, and any other additional steps that you will take to mitigate the risks, including steps to ensure client identification information and beneficial ownership information is updated at a frequency that is appropriate to the level of risk, and to conduct ongoing monitoring of business relationships at a frequency that is appropriate to the level of risk.

Compliance officers at Canadian casino operators, both land-based and online, must treat the enhanced measures framework as a distinct compliance programme element, not as a supplementary note to the standard KYC procedures. It requires its own section in the compliance programme documentation, its own training module, its own testing criteria in the effectiveness review, and its own record-keeping structure. Operators with questions about how this framework applies to their specific client base and risk profile should consult qualified Canadian AML legal counsel before the next effectiveness review cycle. For a broader view of how the AML and KYC compliance landscape intersects across global iGaming jurisdictions, the AML &amp, Financial Compliance hub covers FATF, FINTRAC, FIAU, and FinCEN requirements across multiple regulated markets. To assess your casino’s current enhanced measures framework against FINTRAC’s expectations, review the Enhanced Measures Framework assessment guide, which walks compliance teams through the mandatory elements and documentation requirements.

Key Resources

Proceeds of Crime (Money Laundering) and Terrorist Financing Act, s. 9.6, the statutory basis for the enhanced measures obligation: laws-lois.justice.gc.ca

Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (SOR/2002-184), Casino provisions, reporting thresholds, record-keeping requirements, and prescribed measures for casinos: laws-lois.justice.gc.ca

FINTRAC Compliance Program Requirements (Guide 4), full guidance on enhanced measures, written policies requirements, and the two-year effectiveness review: fintrac-canafe.gc.ca

FINTRAC Politically Exposed Persons and Heads of International Organizations Guidance, definitions, detection obligations, source of funds and source of wealth requirements, and the distinction between foreign and domestic PEPs: fintrac-canafe.gc.ca

FINTRAC Risk Assessment Guidance, framework for inherent and residual risk assessment, higher-risk indicators for casinos, and the risk-based approach cycle: fintrac-canafe.gc.ca