FINTRAC Risk Assessment for Online Casinos: Building and Maintaining a PCMLTFR-Compliant Framework
Online casinos must conduct and document a PCMLTFR-mandated ML/TF risk assessment covering six prescribed factors. Learn exactly how to build, rate, and maintain one.
Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR, SOR/2002-184), every casino operating in Canada is a reporting entity required to establish and maintain a documented compliance program. The risk assessment is not optional and cannot be delegated to a generic industry template without customisation. FINTRAC’s Compliance Program Requirements guidance is explicit: you must complete and document your own risk assessment, and it must reflect the specific activities, clients, and channels of your business. For online casino operators whose client base is geographically dispersed, whose payment flows involve third-party processors and sometimes virtual currency, and whose customer relationships are entirely non-face-to-face, the risk assessment carries amplified complexity compared to a land-based facility.
FINTRAC issued a CAD $1.175 million administrative monetary penalty to the Saskatchewan Indian Gaming Authority in September 2025. According to Canadian Gaming Business and CBC reporting at the time, the action related to AML compliance failures across the organisation’s casino operations. The penalty is the largest levied against a Canadian casino under the administrative monetary penalties framework, and it marks a clear signal that FINTRAC’s supervisory examination of the casino sector has intensified. Online operators carrying any gaps in their risk assessment documentation should treat that action as a concrete benchmark for what non-compliance costs.
Source: FINTRAC, Risk Assessment Guidance, fintrac-canafe.gc.ca; FINTRAC, Compliance Program Requirements Guidance, fintrac-canafe.gc.ca; PCMLTFA, S.C. 2000, c. 17, subsection 9.6(2); PCMLTFR, SOR/2002-184, paragraph 156(1)(c) and section 157.
What Is the Legal Basis for the Risk Assessment Requirement?
Section 5 of the PCMLTFA designates casinos as reporting entities. The PCMLTFR, at paragraph 156(1)(b), requires every reporting entity’s compliance program to include written policies and procedures, and at paragraph 156(1)(c) requires the entity to assess and document the money laundering (ML), terrorist activity financing (TF), and sanctions evasion risks it faces in the course of its activities, taking the prescribed factors into account. The obligation is to assess and document, not merely to have internal awareness.
The compliance program itself, as defined in FINTRAC’s published guidance, encompasses five elements: a designated compliance officer, written policies and procedures, a risk assessment, a training program, and a two-year effectiveness review. The risk assessment sits at the centre of this architecture. Every other element flows from it: policies and procedures must address the risks identified, enhanced measures must respond to risks rated as high, training must ensure staff can apply the risk-based approach, and the effectiveness review must test whether the risk assessment is being applied in practice.
A compliance program is established and implemented by a reporting entity and is intended to ensure compliance with all obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and associated Regulations. All elements (compliance officer, policies and procedures, risk assessment, training program, effectiveness review) are legally required.
Source: FINTRAC, Compliance Program Requirements Guidance, Section 1 (What is a compliance program); PCMLTFR, SOR/2002-184, paragraph 156(1)(b), paragraph 156(1)(c).
The Six Prescribed Risk Factors
The PCMLTFR, as reflected in FINTRAC’s Compliance Program Requirements guidance at the risk assessment requirements section, specifies the factors a reporting entity must consider when assessing and documenting its ML, TF, and sanctions evasion risks. For online casinos, each factor carries specific operational weight.
| Prescribed Factor | Core Consideration | Online Casino Exposure |
|---|---|---|
| Clients, business relationships, and correspondent banking relationships | Activity patterns and geographic locations of clients | Cross-border players, anonymous sign-up flows, PEPs, high-volume depositors |
| Products and services | Inherent risk carried by each product or service offered | High-volatility slots, live dealer games, loyalty point systems, rapid-withdrawal features |
| Delivery channels | How business relationships are established and how transactions are conducted | Fully digital onboarding, no face-to-face interaction, affiliate-referred registrations |
| Geographic location(s) where you conduct business | Risk associated with countries or regions of operation or client origin | Players resident in FATF-listed jurisdictions, high-corruption-index countries, sanctioned states |
| Technology used to deliver products or services | Systems and tools that could introduce or amplify ML/TF risk | Virtual currency acceptance, e-wallet integrations, automated KYC tools, APIs to third-party processors |
| Any other relevant factor | Business-specific circumstances not captured above | White-label arrangements, B2B platform relationships, multi-jurisdiction licensing |
FINTRAC does not prescribe a single method for conducting the risk assessment. The guidance explicitly states that FINTRAC describes an internationally recognised risk-based approach (RBA) as one way of meeting the obligation, but reporting entities are free to develop their own approach provided it addresses all required factors and is documented. What FINTRAC does require is that the assessment identify and rate inherent risk (the risk before controls are applied) and inform the mitigation measures whose application produces the residual risk the business actually carries.
Inherent Risk, Residual Risk, and the Rating Framework
FINTRAC’s Risk Assessment Guidance draws a clear distinction between inherent risk and residual risk. Inherent risk is the level of ML/TF risk your business activities and client relationships create before you implement any controls. Residual risk is what remains after controls and mitigation measures are applied. The risk assessment process, as described in the guidance, focuses on identifying and rating inherent risks so that controls can be calibrated against them.
The guidance recommends using a likelihood and impact matrix (set out in the guidance’s Annex 4) to produce a risk rating. Likelihood considers how probable it is that a given threat will exploit a vulnerability in your business. Impact considers the degree of harm that would result. Combining these two dimensions produces a rating, typically low, medium, or high, for each risk area. In practice, online casino compliance teams should map this matrix across each of the six prescribed factors and assign ratings at a granular level, not just at the level of the factor as a whole.
Assessing the “products and services” factor for an online casino requires rating each product line individually. A slot product with rapid-fire spin cycles and high maximum stakes carries different inherent risk from a poker offering, which introduces multi-player dynamics and potential collusion. A live dealer product with high table limits and international player access introduces yet another profile. The risk rating for the factor overall should reflect the composition of the product portfolio, not a single blended assumption.
Online Casino-Specific Risk Areas Requiring Dedicated Treatment
Cross-Border Players and Geographic Risk
Online casinos subject to the PCMLTFA routinely accept players whose residential address, IP address, and payment account are located in different jurisdictions. The geographic risk factor requires the assessment to identify which countries or regions your player base originates from, and to rate the ML/TF risk those locations introduce. FINTRAC’s risk assessment guidance identifies, as examples of higher-risk geographic indicators, countries on the FATF list of jurisdictions under increased monitoring, countries identified as primary money laundering concerns by US authorities, and countries with high scores on Transparency International’s Corruption Perceptions Index. An online casino that accepts players from any of these jurisdictions without explicit geographic risk ratings and corresponding enhanced measures is carrying an undocumented inherent risk.
The assessment should also address the geographic locations where the online casino conducts its business operations, not just where clients are located. This includes the jurisdiction of incorporation, the location of data processing infrastructure, and the locations of any third-party service providers that touch financial data.
Virtual Currency and Cryptocurrency Deposits
If the online casino accepts deposits in virtual currency (including Bitcoin, Ethereum, stablecoins, or any other cryptocurrency), the technology factor in the risk assessment must address this explicitly. FINTRAC’s large virtual currency transaction reporting obligations require casinos to report the receipt of virtual currency worth CAD $10,000 or more, applying the same 24-hour aggregation rule that governs large cash transaction reporting. The risk assessment obligation goes further than reporting thresholds, however: it must assess the inherent risk that virtual currency acceptance introduces as a payment channel.
Virtual currency transactions carry higher anonymity risk than traditional banking rails. Blockchain addresses are pseudonymous, chain-hopping and mixing services can obscure transaction histories, and the regulatory treatment of virtual currency exchanges varies significantly across jurisdictions. An online casino accepting cryptocurrency deposits must assess, at minimum, whether it can identify the beneficial owner of the sending wallet, whether it applies transaction monitoring to virtual currency flows with the same rigour as fiat flows, and whether it has access to blockchain analytics tools to detect structuring or mixing patterns.
Reporting threshold: the receipt of virtual currency worth CAD $10,000 or more, either in a single transaction or in two or more transactions within 24 consecutive hours that together reach that amount (the 24-hour rule), must be reported to FINTRAC as a large virtual currency transaction; the value is determined in Canadian dollars at the time of receipt. This obligation sits alongside, and does not replace, the risk assessment requirement to evaluate virtual currency as a delivery channel and technology risk.
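The 24-hour aggregation rule described above, as an added example (this is not FINTRAC's code or the page's, and the data is constructed). It assumes a rolling window that opens at each receipt (FINTRAC lets the reporting entity define how it applies its 24-hour window, so the static-window variant is a small change), conversion to CAD at a rate captured with each receipt, and grouping by depositing account only; a production program also has to aggregate receipts made on behalf of the same person and for the same beneficiary. The below-threshold review band is a hypothetical monitoring parameter, not a FINTRAC figure.

```python
"""24-hour aggregation for large virtual currency receipts (LVCTR).

Added example, not FINTRAC's or the page's code. Assumptions (not from the
page): rolling window opening at each receipt, CAD conversion at a rate
captured with the receipt, grouping by depositing account only, and a
hypothetical 9,000-9,999.99 CAD review band for structuring monitoring.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, List, Tuple

LVCTR_THRESHOLD_CAD = Decimal("10000")
WINDOW = timedelta(hours=24)
STRUCTURING_BAND_LOW_CAD = Decimal("9000")   # hypothetical review band floor


@dataclass(frozen=True)
class VcReceipt:
    client_id: str
    received_at: datetime   # naive UTC in this example
    asset: str
    amount: Decimal         # units of the asset received
    cad_rate: Decimal       # CAD per unit at the time of receipt

    @property
    def cad_value(self) -> Decimal:
        return (self.amount * self.cad_rate).quantize(Decimal("0.01"))


def group_total(group: List[VcReceipt]) -> Decimal:
    return sum((r.cad_value for r in group), Decimal("0"))


def _by_client(receipts: List[VcReceipt]) -> Dict[str, List[VcReceipt]]:
    """Bucket receipts by depositing account, oldest first."""
    by_client: Dict[str, List[VcReceipt]] = {}
    for r in receipts:
        by_client.setdefault(r.client_id, []).append(r)
    for rs in by_client.values():
        rs.sort(key=lambda r: r.received_at)
    return by_client


def _window(rs: List[VcReceipt], start: int) -> List[VcReceipt]:
    """Receipts from rs[start] up to, but excluding, 24 hours after it."""
    window_end = rs[start].received_at + WINDOW
    end = start
    while end < len(rs) and rs[end].received_at < window_end:
        end += 1
    return rs[start:end]


def find_reportable_groups(receipts: List[VcReceipt]) -> Dict[str, List[List[VcReceipt]]]:
    """Per client, groups of receipts whose CAD total within 24 consecutive
    hours is at or above the threshold. A single receipt at or above the
    threshold is a group of one. Each receipt lands in at most one group."""
    result: Dict[str, List[List[VcReceipt]]] = {}
    for client_id, rs in _by_client(receipts).items():
        groups, start = [], 0
        while start < len(rs):
            group = _window(rs, start)
            if group_total(group) >= LVCTR_THRESHOLD_CAD:
                groups.append(group)
                start += len(group)   # these receipts are now reported
            else:
                start += 1            # slide the window forward one receipt
        if groups:
            result[client_id] = groups
    return result


def structuring_candidates(receipts: List[VcReceipt]) -> List[Tuple[str, str, Decimal]]:
    """24-hour windows whose total sits just under the threshold; one entry
    per window start, so overlapping windows should be de-duplicated before
    raising a review case (STR consideration, not an LVCTR)."""
    flags = []
    for client_id, rs in _by_client(receipts).items():
        for start in range(len(rs)):
            total = group_total(_window(rs, start))
            if STRUCTURING_BAND_LOW_CAD <= total < LVCTR_THRESHOLD_CAD:
                flags.append((client_id, rs[start].received_at.isoformat(), total))
    return flags


D = Decimal
SAMPLE_RECEIPTS = [  # constructed sample data
    VcReceipt("A", datetime(2025, 9, 1, 9, 0),  "BTC",  D("0.05"), D("90000")),  # 4500.00
    VcReceipt("A", datetime(2025, 9, 1, 20, 0), "ETH",  D("1.2"),  D("3400")),   # 4080.00
    VcReceipt("A", datetime(2025, 9, 2, 8, 30), "USDT", D("2000"), D("1.36")),   # 2720.00, inside 24h
    VcReceipt("B", datetime(2025, 9, 1, 10, 0), "BTC",  D("0.1"),  D("90000")),  # 9000.00
    VcReceipt("B", datetime(2025, 9, 2, 11, 0), "BTC",  D("0.1"),  D("90000")),  # 9000.00, 25h later
    VcReceipt("C", datetime(2025, 9, 3, 12, 0), "USDC", D("8000"), D("1.36")),   # 10880.00 alone
]

if __name__ == "__main__":
    for client, groups in find_reportable_groups(SAMPLE_RECEIPTS).items():
        for g in groups:
            print(f"LVCTR: client {client}, {len(g)} receipt(s), CAD {group_total(g)}")
    for client, opened, total in structuring_candidates(SAMPLE_RECEIPTS):
        print(f"REVIEW: client {client}, window from {opened}, CAD {total} just under threshold")
```

Client A's three deposits are each well under the threshold but total CAD 11,300 inside one 24-hour window, so they form a single reportable group; client C's single deposit is reportable on its own; client B's two CAD 9,000 deposits fall in separate windows, trigger no report, and surface only through the structuring review band, which is exactly the pattern the risk assessment should anticipate when it rates virtual currency as a channel.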
Third-Party Processors and Payment Intermediaries
Online casinos frequently process player deposits and withdrawals through third-party payment processors, e-wallet providers, and payment aggregators. The risk assessment must address these arrangements as both a delivery channel risk and a business relationship risk. When a player funds their account via an e-wallet, the casino may have limited visibility into the original source of funds deposited into that e-wallet. Some e-wallet providers are not licensed in jurisdictions with equivalent AML/CFT standards, and certain e-wallet products accept cash deposits, making the ultimate source of funds even more opaque.
The compliance program requirement to document policies and procedures for third-party arrangements extends into the risk assessment: the casino must rate the risk introduced by each class of payment intermediary and document what enhanced measures apply when payment via higher-risk channels occurs. The enhanced measures provisions, at PCMLTFA subsection 9.6(2) and the prescribed special measures in PCMLTFR section 157, as described in FINTRAC’s Compliance Program Requirements guidance section 5, require that policies and procedures for enhanced measures specify the additional steps taken to verify identity and mitigate risk, calibrated to the risk level identified in the assessment. The risk rating assigned to third-party processor arrangements directly determines what additional due diligence triggers are appropriate.
Business-Based vs. Relationship-Based Assessments
FINTRAC’s risk assessment guidance distinguishes between two levels of assessment that must operate in parallel. The business-based risk assessment (sometimes called the entity-level assessment) evaluates the ML/TF risks inherent in the reporting entity’s overall activities, products, services, delivery channels, geography, and technology. This is the document most compliance teams think of when the “risk assessment” is discussed.
The relationship-based (or client-level) risk assessment is the downstream application of that entity-level framework to individual clients and business relationships. Once the business-based assessment has established the risk factors and rating criteria, the casino applies those criteria to each client to produce an individual risk profile, rated low, medium, or high, that then determines the frequency and depth of ongoing monitoring. FINTRAC’s guidance sets out, in Annex 5, higher risk indicators for relationship-based assessments. For online casinos, these include clients who are politically exposed persons (PEPs), clients who use multiple payment methods, clients whose spending patterns are inconsistent with their stated source of funds, and clients who have previously been the subject of a suspicious transaction report (STR).
The two levels are interdependent: the entity-level assessment identifies which client characteristics elevate risk, and the relationship-level assessment applies that logic to individual accounts. Both must be documented. An online casino cannot satisfy FINTRAC’s requirements by having a robust entity-level document that is never operationalised into client risk ratings, and it cannot satisfy them by applying client ratings without the underlying entity-level rationale to support them.
Documenting the Risk Assessment
The PCMLTFR requires that the risk assessment be documented. FINTRAC’s guidance states that the documentation should cover the methodology adopted, the reasons for considering a risk factor as presenting a low, medium, or high risk, the outcome of the assessment, and the information sources used. For online casinos, the document must be substantive: a written analysis that a FINTRAC examiner can read and understand without reference to oral explanation, not a checklist with ticks.
A compliant risk assessment document for an online casino should contain the following elements: an executive summary identifying the overall inherent risk level of the business; a factor-by-factor analysis applying the prescribed PCMLTFR categories; the methodology used to rate risks (FINTRAC’s recommended likelihood-and-impact matrix or an alternative approach); the inherent risk ratings for each factor and sub-factor; a description of the existing controls and mitigation measures applied; the residual risk ratings after controls; the enhanced measures applied to high-risk areas; and the date of the assessment and the date of the next scheduled review. Where information sources were used, such as FATF mutual evaluation reports, national risk assessments, Transparency International data, or FINTRAC’s own typologies publications, those sources should be cited in the document.
You are responsible for completing and documenting your own risk assessment. FINTRAC does not prescribe how a risk assessment should be conducted. Rather, FINTRAC’s guidance explains an internationally recognised way of conducting a risk assessment using a risk-based approach and provides tools that may help reporting entities meet their risk assessment obligations.
Source: FINTRAC, Risk Assessment Guidance, Overview section, fintrac-canafe.gc.ca.
The Two-Year Effectiveness Review
What the Review Must Cover
The PCMLTFA and PCMLTFR require reporting entities to review the effectiveness of their compliance program at least every two years. FINTRAC’s guidance describes this as a review conducted every two years (at a minimum) by an internal or external auditor to test the effectiveness of the policies and procedures, the risk assessment, and the training program. It is not a risk assessment update in itself; it is an independent audit of whether the compliance program, including the risk assessment, is functioning as designed.
For the risk assessment specifically, the effectiveness review must include a review of a sample of client records to assess whether the risk assessment was applied in accordance with the documented risk assessment process, and a review of a sample of client records to assess whether the frequency of ongoing monitoring is adequate and carried out in accordance with the client’s risk level assessment. These two elements together test whether the entity-level risk assessment is actually being operationalised at the client level.
When to Update the Assessment Outside the Two-Year Cycle
The two-year cycle is a minimum. Online casino compliance teams should treat the risk assessment as a living document that is updated whenever there is a material change in the business that alters the risk profile. Such triggers include launching a new product or game vertical, introducing a new payment method (including any cryptocurrency), entering a new geographic market, adding a new third-party processor or platform provider, extending player acceptance to a new country, or a significant change in the regulatory or typologies environment. FINTRAC publishes strategic intelligence, operational alerts, and casino-specific typologies guidance that should be reviewed at least annually to determine whether the risk assessment remains current.
For online operators registered in Ontario under the AGCO Registrar’s Standards for Internet Gaming, there is a parallel obligation under Standard 6.02, which requires that AML policies and procedures to support obligations under the PCMLTFA be implemented and enforced, and that all FINTRAC reports filed be supported with appropriate documentation. The AGCO standards reinforce FINTRAC’s requirements rather than replace them: operators in Ontario carry both sets of obligations concurrently. The AGCO vs AGLC compliance comparison maps these obligations across Ontario and Alberta for operators active in both provinces. For the full AGCO licensing and registration profile, including AML obligations under the Registrar’s Standards, see the AGCO registration requirements guide.
Enhanced Measures: What High-Risk Ratings Require
Where the risk assessment identifies a factor, sub-factor, or client relationship as high risk, the PCMLTFA, at subsection 9.6(2), and the PCMLTFR, at section 157 (the prescribed special measures), as reflected in FINTRAC’s Compliance Program Requirements guidance, require the reporting entity to take enhanced measures. Those measures must be documented in written policies and procedures and must include, at minimum, additional steps to verify the identity of a person or entity, and any other additional steps to mitigate the identified risk, including updating client identification and beneficial ownership information at a frequency appropriate to the risk level, and conducting ongoing monitoring at a frequency appropriate to the risk level.
For online casinos, high-risk enhanced measures commonly include source of funds and source of wealth documentation for high-volume players, enhanced transaction monitoring thresholds and alert parameters for clients rated high risk, senior management approval for establishing or continuing business relationships with PEPs, additional due diligence on third-party processors that operate in or channel funds from higher-risk jurisdictions, and blockchain analytics screening for clients using virtual currency deposit channels.
The link between the risk assessment rating and the enhanced measures applied must be traceable. An examiner reviewing the compliance program should be able to follow the chain from the risk factor rating in the assessment document, through the enhanced measures policy, to the actual client records showing that enhanced due diligence was conducted. A high risk rating with no corresponding enhanced measures, or enhanced measures prescribed in policy but not applied to client records, is exactly the type of finding that produces administrative monetary penalties.
How FINTRAC Examines Risk Assessment Compliance
When FINTRAC undertakes a compliance examination, the risk assessment is one of the five pillars it tests. The examination will verify that the reporting entity has a documented risk assessment, that the assessment addresses the prescribed factors under the PCMLTFR, and that the risk assessment has been applied to client records through appropriate risk ratings and monitoring frequencies. FINTRAC’s guidance on its examination approach includes a review of a sample of client records to assess whether the risk assessment was applied in accordance with the risk assessment process, and a review of whether suspicious transactions were reported where required.
Administrative monetary penalties (AMPs) are the civil enforcement mechanism under the PCMLTFA. They are scaled by the severity of the violation, whether the entity is an individual or a corporate entity, and whether the violation was minor, serious, or very serious. Non-compliance with risk assessment documentation obligations can be characterised as a serious or very serious violation depending on the breadth of the gap. The SIGA penalty of CAD $1.175 million, reported by Canadian Gaming Business in September 2025, illustrates the scale of AMPs that FINTRAC is willing to impose on casino-sector reporting entities. Compliance teams should consult qualified legal counsel for advice on the specific penalty framework and how it applies to their organisation’s circumstances.
Bill C-2 (2025): Canada’s proposed AML reform legislation, tabled in 2025, includes provisions to expand FINTRAC’s supervisory powers and broaden the definition of reporting entity obligations. Online casino compliance teams should monitor Bill C-2’s progress and assess whether any provisions require updates to their risk assessment documentation before any new requirements take effect.
Practical Build Sequence for a New or Revised Assessment
Compliance teams building or substantially revising a risk assessment should follow a structured sequence. Gather current business data as the starting point: the full product catalogue, all active payment methods and processors, the geographic profile of the current player base (using registration and payment data, not just stated residential address), the onboarding channel mix, and any recent STR or large cash or virtual currency transaction reports filed. This data is the empirical foundation of the assessment.
Apply the six prescribed PCMLTFR factors to that data, rating each sub-factor for likelihood and impact to produce inherent risk ratings. Document the rationale for each rating with reference to the data gathered and any external sources consulted, such as FATF evaluations, FINTRAC typologies, and Canada’s national risk assessment. Map existing controls against each inherent risk to arrive at residual risk ratings. Where residual risk remains high, document the enhanced measures that will be applied and assign responsibility for implementing and monitoring them. Set a review date, name the compliance officer responsible for the assessment, and obtain senior management sign-off.
The document should be version-controlled. Each subsequent update, whether triggered by a material business change or the two-year review cycle, should be saved as a new version with a clear change log. This version history demonstrates to a FINTRAC examiner that the assessment is a living document subject to ongoing governance, not a one-time exercise filed and forgotten.
For a broader reference on AML and financial compliance obligations across Canadian and international iGaming jurisdictions, the AML and Financial Compliance hub covers FINTRAC, FIAU, FinCEN, and FATF frameworks in parallel. Operators looking for practical guidance on completing their next risk assessment update should review the risk assessment template and step-by-step build guide to ensure all prescribed factors are covered with appropriate documentation.
Key Resources
FINTRAC Risk Assessment Guidance, The primary FINTRAC guidance document explaining the risk-based approach, inherent and residual risk, the RBA cycle, and the annexes containing higher-risk indicators and the likelihood-impact matrix. Available at fintrac-canafe.gc.ca/guidance-directives/compliance-conformite/rba/rba-eng.
FINTRAC Compliance Program Requirements Guidance, Sets out the five elements of a compliant compliance program, including the specific risk assessment requirements and the two-year effectiveness review obligation. Available at fintrac-canafe.gc.ca/guidance-directives/compliance-conformite/1-eng.
Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), S.C. 2000, c. 17, The primary statute designating casinos as reporting entities and establishing the compliance program mandate. Available at laws-lois.justice.gc.ca.
Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), SOR/2002-184, The regulations prescribing the compliance program elements and risk assessment obligation at section 156 (paragraph 156(1)(c)) and the prescribed special (enhanced) measures at section 157; the high-risk trigger for those measures sits in the Act at subsection 9.6(2). Available at laws-lois.justice.gc.ca.
AGCO Registrar’s Standards for Internet Gaming, Standard 6.02, The parallel provincial obligation for Ontario-registered operators to implement and enforce AML policies and procedures in compliance with the PCMLTFA. Available at agco.ca.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.