iGaming AML Compliance: FINTRAC and FinCEN Obligations for Online Casino Operators

Online casino operators holding licences in Canada’s regulated provinces or the United States are not simply gaming licensees. They are designated reporting entities under federal financial crime statutes. In Canada, that means the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and FINTRAC oversight. In the United States, it means the Bank Secrecy Act (BSA) and FinCEN regulation under 31 CFR Part 1021. The two frameworks share the same foundational architecture but diverge on thresholds, timing, programme mechanics, and enforcement posture. Operators that treat AML compliance as a single undifferentiated programme across both jurisdictions will, at some point, discover gaps that neither regulator considers acceptable.

Both frameworks map against five core programme pillars: compliance officer, written programme, risk assessment, training, and transaction reporting. Where FINTRAC and FinCEN overlap, where they diverge, and what that means for operators running online casino products in Ontario, Alberta, and US-licensed states simultaneously are the operational questions this guide answers directly.

The Statutory Foundations: PCMLTFA and the Bank Secrecy Act

Canada’s AML framework for casinos rests on the PCMLTFA, enacted in 2000 (S.C. 2000, c 17), and its associated Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR, SOR/2002-184). FINTRAC, established under the same statute, is Canada’s financial intelligence unit and the AML/ATF supervisor for all reporting entities, including casinos. FINTRAC’s compliance guidance documents translate the statutory obligations into operational requirements, and FINTRAC examiners use those guidance documents as the basis for compliance examinations.

In the United States, the foundational statute is the Bank Secrecy Act, formally the Currency and Foreign Transaction Reporting Act of 1970, as amended. The BSA’s casino-specific implementing regulations sit in Title 31 of the Code of Federal Regulations, Part 1021, administered by FinCEN, the US financial intelligence unit within the Department of the Treasury. The Anti-Money Laundering Act of 2020 amended and strengthened the BSA framework, and FinCEN’s Bank Secrecy Act Advisory Group continues to refine guidance for regulated sectors.

A casino reporting entity under PCMLTFA that simultaneously holds a US gaming licence faces two parallel compliance architectures, and satisfying one does not discharge the other.

What Does a Compliant AML Programme Require?

Under FINTRAC’s compliance programme guidance, a reporting entity must establish and implement a compliance programme intended to ensure compliance with all obligations under the PCMLTFA and associated Regulations. FINTRAC’s guidance identifies seven components: a compliance officer, compliance policies and procedures, a risk assessment, enhanced measures where required, an ongoing training programme and plan, a two-year effectiveness review and plan, and record keeping sufficient to support all of the above.

Under 31 CFR Part 1021.210, a casino’s written AML programme must include at minimum: a system of internal controls to ensure ongoing compliance, independent testing for compliance, conducted by the casino’s internal audit function or by an outside party, designation of an individual or individuals responsible for day-to-day coordination and monitoring of the AML programme, and training for appropriate personnel. These four requirements are sometimes called the “four pillars” of a BSA casino programme, to which a fifth, a customer identification programme component, was added by FinCEN rulemaking following the USA PATRIOT Act.

A compliance programme is established and implemented by a reporting entity and is intended to ensure that the reporting entity meets all its obligations under the PCMLTFA and associated Regulations., FINTRAC Compliance Program Requirements Guidance

The Compliance Officer: Parallel Obligations, Different Standards

FINTRAC’s guidance defines the compliance officer as “the individual, with the necessary authority, that you appoint to be responsible for the implementation of your compliance program.” There is no prescribed minimum qualification standard in the PCMLTFR itself, but FINTRAC’s examination practice expects the designated officer to have a working knowledge of the Act, the Regulations, and the reporting entity’s sector-specific obligations. For casinos, this includes fluency with casino disbursement reporting, large cash transaction reporting, and the electronic funds transfer obligations that apply to online operations, alongside suspicious activity reporting requirements under FinCEN rules.

FinCEN’s requirement under 31 CFR Part 1021.210 is functionally similar: the programme must designate an individual or individuals responsible for day-to-day coordination and monitoring of the programme. In the US context, larger casino operations typically designate a dedicated BSA Officer, a title used in practice though not mandated by name in the regulation. That officer is responsible for filing, record-keeping oversight, training, and liaising with examiners from FinCEN or state gaming regulators who conduct BSA compliance reviews on FinCEN’s behalf.

A meaningful structural difference exists in provincial iGaming frameworks built on top of PCMLTFA. The AGCO Registrar’s Standards for Internet Gaming, section 6.02, require operators to implement and enforce AML policies and procedures “to support obligations under the PCMLTFA.” The AGLC Standards and Requirements for Internet Gaming (issued January 14, 2026, under AGLC Board Chair authority) go further, requiring registered operators to “establish and maintain a comprehensive internal AML/TF program in compliance with the PCMLTFA, associated regulations, FINTRAC guidelines and the designated reporting entity’s AML/TF policies and procedures.” The provincial iGaming compliance officer role cannot be separated from federal AML obligations: they constitute the same programme, assessed by two regulators.

Written Policies and Procedures: What Both Regulators Require

FINTRAC’s compliance programme requirements specify that policies and procedures must be written, kept up to date, approved by a senior officer (for entities), and made available to all those acting on the reporting entity’s behalf, including employees, agents, and others dealing with clients or transactions. At minimum, the written documentation must cover the compliance programme itself (compliance officer appointment, risk assessment, training, and the two-year review), know-your-client obligations, record keeping, reporting, and any applicable enhanced measures. The PCMLTFR at paragraph 156(1)(a) makes the written form a legal requirement, not a best practice.

Under 31 CFR Part 1021.210, the AML programme must itself be written. This is an explicit regulatory requirement. The written programme must be approved by senior management. FinCEN’s examination guidance further expects the programme to be commensurate with the casino’s size, location, and the risks associated with its products, customers, and geographic exposure. For an online casino operation, the risk profile differs materially from a land-based property: there is no cash in the traditional sense, but the volume of electronic funds transfers, the pseudonymity of payment methods, and the speed of deposit-withdrawal cycles create distinct vulnerabilities that a well-drafted programme must address explicitly.

Risk Assessment: The Methodological Divergence

FINTRAC defines a risk assessment as “the review and analysis of your business to identify and assess the risk of money laundering, terrorist activity financing and sanctions evasion related to your clients, affiliates, products, services, delivery channels, new developments or technology, and geographic locations where you do business.” The risk assessment must be documented, kept current, and applied to drive the calibration of policies, procedures, and ongoing monitoring. The PCMLTFR at SOR/2002-184 section 156 makes the risk assessment a mandatory element of the compliance programme structure.

FINTRAC’s risk assessment guidance specifies that casinos must consider client risk, geographic risk, product and service risk, delivery channel risk, and the risk arising from new technologies. For an online casino, the delivery channel assessment is particularly significant: internet-based gaming offers no physical observation of the client, deposits may arrive through multiple payment methods, and withdrawals can be directed to accounts that differ from the funding source.

FinCEN’s approach under 31 CFR Part 1021.210 frames risk implicitly through the “commensurate with risk” standard applied to the written programme as a whole. FinCEN has issued separate examination procedures in the BSA Examination Manual for Casinos and Card Clubs, which walk examiners through a risk-based review of programme elements. The AGCO Registrar’s Standards section 6.01 require operators in Ontario to “conduct periodic risk assessments to determine the potential for unlawful activities, including money laundering, fraud, theft and cheat at play.” The AGLC SRIG 2026-03-17 requires risk-based policies and controls with “escalating measures to address players that engage in behaviors consistent with money laundering, terrorist financing or sanction evasion indicators.”

Anti-money laundering internal controls must align with those of the designated reporting entity under PCMLTFA. Reasonable measures must be in place to identify and prevent suspected money laundering activities in the iGaming site., AGLC Standards and Requirements for Internet Gaming, 2026-03-17

Transaction Reporting: Thresholds, Types, and Timelines

Transaction reporting is where the FINTRAC and FinCEN frameworks diverge most operationally for online casino operators.

Under FINTRAC, casinos must file the following report types with Canada’s financial intelligence unit: suspicious transaction reports (STRs) for any transaction where there are reasonable grounds to suspect a money laundering or terrorist financing offence, large cash transaction reports (LCTRs) for any single cash transaction of CAD 10,000 or more, large virtual currency transaction reports for virtual currency transactions at the same CAD 10,000 threshold, casino disbursement reports for disbursements of CAD 10,000 or more, and electronic funds transfer reports for international transfers of CAD 10,000 or more. STRs must be submitted “as soon as practicable,” which FINTRAC’s guidance explains as a priority obligation that should take precedence over other tasks, completed promptly with any delay requiring a reasonable explanation.

For online casino operators, the casino disbursement report obligation is frequently underestimated. Any disbursement from the casino to a client of CAD 10,000 or more, which in an online context includes withdrawals to payment methods and bank accounts, triggers the obligation. The FINTRAC electronic reporting system accepts both individual reports and batch submissions using a public key certificate.

Under the BSA and 31 CFR Part 1021, US casinos must file Currency Transaction Reports (CTRs) for cash transactions exceeding USD 10,000, and Suspicious Activity Reports (SARs) where the casino knows, suspects, or has reason to suspect that a transaction of USD 5,000 or more involves funds from illegal activity, is designed to evade BSA reporting requirements, or lacks any apparent lawful purpose. SARs are filed with FinCEN using Treasury Department Form 90-22.47 and are subject to a strict tipping-off prohibition: the casino is prohibited from disclosing to the subject that a SAR has been filed, and SAR filings are exempt from Freedom of Information Act disclosure.

A critical distinction for operators: structuring, the deliberate breaking up of transactions to fall below the USD 10,000 CTR threshold, is itself a federal crime under the BSA, and casinos that fail to detect and report structuring activity face the same penalties as if they had failed to file the underlying CTR. FINTRAC’s guidance adopts a comparable position: attempted transactions that do not complete but suggest structuring intent may still require an STR.

Training: Frequency, Scope, and Documentation

FINTRAC’s compliance programme requirements specify that the training programme must cover the compliance policies and procedures, and related record-keeping, client identification, and reporting requirements. The guidance mandates a written training plan and requires documentation of training delivery, including who received training, the date it was provided, and the results of any testing used to measure understanding. The two-year effectiveness review must include a review of the training programme and plan.

Under 31 CFR Part 1021.210, the written AML programme must include training for appropriate personnel. FinCEN’s examination guidance interprets this to mean training tailored to the employee’s role: front-line staff who interact with customers need to recognise suspicious activity, AML compliance staff need in-depth training on BSA obligations, regulatory changes, and typologies, audit staff need to understand how to test programme effectiveness. The training requirement is ongoing, not a one-time onboarding exercise.

For online casino operations, where many staff interact with customers only through digital systems rather than in person, training programmes must address the digital typologies specific to iGaming: rapid deposit-withdrawal cycling with minimal play, multi-account operations, unusual payment method patterns, and the use of bonus structures or free play as a mechanism to convert criminal funds into seemingly legitimate withdrawals. Both FINTRAC and FinCEN examiners expect training records to demonstrate that these platform-specific risks have been addressed.

Independent Testing and the Two-Year Review

FINTRAC requires every reporting entity to conduct a two-year effectiveness review at a minimum. The review must be carried out by an internal or external auditor, or by the reporting entity itself if no auditor exists, and must test whether the compliance programme has gaps or weaknesses that would prevent effective detection of money laundering, terrorist financing, or sanctions evasion. FINTRAC’s guidance specifies what the review must cover: knowledge of policies and procedures, client identification, large cash transaction reporting accuracy and timeliness, suspicious transaction reporting, electronic funds transfer reporting, risk assessment application, and the adequacy of ongoing monitoring. The results must be documented, and any required updates must be planned and tracked.

FinCEN’s independent testing requirement under 31 CFR Part 1021.210 is structurally parallel but framed differently: the testing must be conducted by the casino’s internal audit function or by a qualified outside party, and that function must be independent of the day-to-day programme operations. The BSA Examination Manual for Casinos specifies that examiners will review whether the testing was genuinely independent, whether findings were reported to senior management and the board, and whether deficiencies identified in testing were remediated. A pattern of repeated findings without remediation is treated as a programme failure, not merely an audit observation.

According to Canadian Gaming Business (August 2025), BCLC has contested a CAD 1 million FINTRAC penalty in court, and according to the same outlet (September 2025), the Saskatchewan Indian Gaming Authority received a CAD 1.175 million FINTRAC fine. Both actions signal that FINTRAC is prepared to impose substantial administrative monetary penalties against casino operators for compliance programme deficiencies, including failures in record keeping and reporting. While these cases involve land-based and lottery operations, the regulatory standards apply identically to online gaming operators designated as casinos under the PCMLTFA.

Where Canada and the US Diverge: Key Operational Differences

The most operationally significant divergence concerns the casino definition and revenue threshold. PCMLTFA applies to all casinos as a named sector without a revenue floor: any operator that meets the statutory definition of a casino is a reporting entity with the full suite of obligations. Under 31 CFR Part 1021, the programme requirements apply to casinos with gross annual gaming revenue exceeding USD 1,000,000, and to card clubs with gross annual gaming revenue exceeding USD 10,000,000. Online casino operators entering the US market under state licences in New Jersey, Michigan, or Pennsylvania should confirm their precise classification under federal law and whether state regulatory AML requirements add further obligations on top of the federal floor.

Canada’s PCMLTFA framework also includes a sanctions evasion dimension that is explicitly incorporated into FINTRAC’s compliance programme requirements, requiring risk assessments and ongoing monitoring to address sanctions evasion risk alongside money laundering and terrorist financing. FINTRAC’s guidance references this as a distinct category requiring dedicated attention within the risk assessment, policies and procedures, and training components.

The US framework has a parallel sanctions layer administered by the Office of Foreign Assets Control (OFAC), which sits outside the BSA/FinCEN architecture but whose obligations, primarily the requirement to screen customers and transactions against OFAC’s Specially Designated Nationals list, are practically inseparable from a BSA programme for any casino. Operators structuring cross-border programmes should map both the FINTRAC sanctions evasion obligations and the OFAC screening requirements as distinct elements of their global compliance architecture.

A further divergence concerns virtual currency. FINTRAC has established explicit large virtual currency transaction report obligations, requiring casinos to file a report for virtual currency transactions of CAD 10,000 or more. FinCEN has issued guidance on virtual currency and has applied BSA obligations to certain virtual currency businesses, but the specific casino-sector treatment of virtual currency transactions under 31 CFR Part 1021 remains an area of active regulatory development. Operators that accept cryptocurrency deposits should seek legal advice on the current US federal treatment before launching that payment vertical. For a detailed comparison of how provincial iGaming frameworks in Canada layer on top of the federal PCMLTFA obligations, see our analysis of AGCO and AGLC internet gaming regulation.

Provincial iGaming Compliance and the Federal AML Layer

Ontario and Alberta operators face an additional layer of complexity that purely federal analyses miss. Both the AGCO Registrar’s Standards (section 6.02) and the AGLC SRIG 2026-03-17 explicitly cross-reference PCMLTFA obligations. In Alberta, the SRIG requires operators to align their internal AML controls with “those of the designated reporting entity under PCMLTFA,” meaning the operator’s programme must be consistent with the programme maintained by the crown entity (AGLC) that holds designated reporting entity status. This creates an obligation to coordinate with AGLC on programme elements, not merely to run an independent parallel programme.

The AGLC SRIG further requires operators to “specify times and situations, based on the assessment of risk, where the Operator will ascertain and reasonably corroborate a player’s source of funds,” a standard that goes beyond the PCMLTFA’s prescribed transaction reporting thresholds and requires active source-of-funds enquiry calibrated to the operator’s own risk assessment. This is an enhanced measure requirement embedded in the provincial technical standards document, not only in federal AML regulation.

In Ontario, the AGCO Registrar’s Standards require operators to maintain copies of all reports filed with FINTRAC and supporting documentation as part of their records. This means FINTRAC filing records are within scope of an AGCO compliance examination as well as a FINTRAC examination, creating a dual audit exposure that underlines why AML records management cannot be treated as a separate silo from the broader iGaming compliance programme. For operators new to the Ontario market, the compliance lessons from three years of AGCO enforcement are covered in our Ontario iGaming compliance guide.

Key Resources

FINTRAC Compliance Program Requirements Guidance, FINTRAC’s primary guidance document for all reporting entities, covering all seven programme components under PCMLTFA and PCMLTFR SOR/2002-184. Available at fintrac-canafe.gc.ca.

Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), S.C. 2000, c 17, The enabling statute for Canada’s AML/ATF regime and FINTRAC’s supervisory authority. Available through the Department of Justice Canada at laws-lois.justice.gc.ca.

31 CFR Part 1021, Rules for Casinos and Card Clubs, The FinCEN regulatory framework for casino AML programmes under the Bank Secrecy Act. Current version available at ecfr.gov, last amended 6 May 2026.

AGCO Registrar’s Standards for Internet Gaming, Ontario’s iGaming technical and compliance standards, including section 6.01 (unlawful activity prevention) and section 6.02 (AML under PCMLTFA). Available at agco.ca.

AGLC Standards and Requirements for Internet Gaming (2026-03-17), Alberta’s iGaming compliance standards, including the AML/TF programme requirements and source-of-funds obligations. Issued January 14, 2026, under AGLC Board Chair authority. Available at aglc.ca. Start building your dual-jurisdiction compliance programme today by consulting the FINTRAC guidance document and mapping your casino’s transaction flows against both PCMLTFA and 31 CFR Part 1021 requirements.