PCMLTFA for Online Casino Operators: What Canada’s AML Act Actually Requires

Every online casino conducting business in Canada is a designated reporting entity under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), S.C. 2000, c. 17. That classification is not contingent on volume, corporate structure, or provincial licensing status. It is triggered by the nature of the activity, and the obligations that follow are both broad and operationally intensive. FINTRAC’s September 2025 administrative monetary penalty against the Saskatchewan Indian Gaming Authority, totalling CAD $1.175 million, underscores that casino-sector enforcement is active, material, and on the public record.

What the PCMLTFA Is and Why It Applies to You

The PCMLTFA was enacted in 2000 as Canada’s primary federal statute for detecting, preventing, and deterring money laundering and terrorist financing. It establishes the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as Canada’s financial intelligence unit and AML/ATF supervisor. FINTRAC reports to Parliament through the Minister of Finance. Its mandate is to generate actionable financial intelligence for law enforcement and national security agencies while ensuring compliance from designated reporting entities across regulated sectors.

The Act creates obligations through its own provisions and through a suite of subordinate instruments. The operative regulatory texts for casino operators are the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (PCMLTFR), SOR/2002-184, the Proceeds of Crime (Money Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations (PCMLTFSTRR), SOR/2001-317, and the Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations (PCMLTFAMPR), SOR/2007-292. The PCMLTFA itself received amendments as recently as 2026, with two separate amendment citations (2026, c. 3 and 2026, c. 4) brought into force on 26 March 2026, meaning operators must verify the current version of the Act against the consolidated text on the Department of Justice website.

Are Online Casinos Actually Covered by the PCMLTFA?

Yes. Section 5 of the PCMLTFA lists the persons and entities subject to the Act’s requirements. Paragraphs 5(k) through 5(k.3) capture casinos. The PCMLTFR, SOR/2002-184, defines a “casino” for the purposes of the PCMLTFA and the PCMLTFSTRR as any government, organization, board, or operator referred to in those paragraphs of the Act. This definition encompasses provincially regulated online gaming operators. An operator registered with AGCO and iGaming Ontario, or with AGLC and Alberta’s iGaming Corporation, is a casino for PCMLTFA purposes and inherits the full suite of federal reporting, record-keeping, client identification, and compliance program obligations.

Provincial licensing does not substitute for or modify federal AML obligations. The AGCO Registrar’s Standards for Internet Gaming make this layering explicit: Standard 6.02 requires that anti-money laundering policies and procedures be implemented and enforced to support obligations under the PCMLTFA specifically, and that internal controls align with those of the designated reporting entity under the Act. Standard 6.03 extends this to source-of-funds ascertainment on a risk-assessed basis and to mechanisms for sharing information about high-risk or suspicious activities with other operators. The federal and provincial layers are cumulative, not alternative.

The Five Mandatory Report Types

FINTRAC requires casino reporting entities to submit five categories of report through the FINTRAC Web Reporting System (FWR) or via batch submission using a public key certificate. Each report type carries its own triggering conditions, prescribed timelines, and field-completion standards.

Report Type	Trigger	Timeline
Suspicious Transaction Report (STR)	Reasonable grounds to suspect a transaction is related to the commission or attempted commission of a money laundering or terrorist financing offence	As soon as practicable after measures enabling the determination are completed
Large Cash Transaction Report (LCTR)	Receipt of CAD $10,000 or more in cash in a single transaction, or aggregate within the 24-hour rule	Within 15 calendar days of the transaction date
Electronic Funds Transfer Report (EFTR)	International EFT of CAD $10,000 or more (single or aggregated under the 24-hour rule)	Within 5 working days of the transfer date
Casino Disbursement Report (CDR)	Disbursement of CAD $10,000 or more to or on behalf of a person in a single or aggregated transaction	Within 15 calendar days of the disbursement
Large Virtual Currency Transaction Report (LVCTR)	Receipt of virtual currency equivalent to CAD $10,000 or more (single or 24-hour aggregate)	Within 5 working days of the transaction date

The 24-hour rule applies to LCTRs, EFTRs, and LVCTRs. Under PCMLTFR section 126, a reporting entity must aggregate two or more amounts received within a consecutive 24-hour window when those amounts total CAD $10,000 or more and the reporting entity knows the transactions were conducted by, on behalf of, or for the benefit of the same person or entity. For foreign currency cash receipts, the conversion to Canadian dollars must use the Bank of Canada exchange rate in effect at the time of the transaction.

“You must submit a Large Cash Transaction Report to FINTRAC in accordance with the 24-hour rule. That is, you must submit a report when you receive 2 or more amounts in cash that total $10,000 or more within a consecutive 24-hour window, and you know that the transactions are conducted by the same person or entity, conducted on behalf of the same person or entity (third party), or for the same beneficiary.”

STR submission requires no minimum threshold. The standard is “reasonable grounds to suspect,” which is a lower bar than the balance of probabilities and expressly lower than the criminal standard of proof. FINTRAC is explicit that using a higher financial threshold as a de facto STR trigger is a common deficiency it identifies during assessments. Once the compliance function has completed the measures that enable a suspicion determination, the STR must be submitted. The STR must include the facts, context, and indicators that led to the conclusion, described with specificity. FINTRAC guidance notes that even where a client did not provide identification because asking would risk tipping them off, the STR structure still requires submission with whatever information is available.

What Must a Casino’s Compliance Program Include?

FINTRAC defines a compliance program as all elements that a reporting entity is legally required to have under the PCMLTFA and its associated Regulations. Those elements, each independently enforceable, are a designated compliance officer, written policies and procedures, a documented risk assessment, a training program and plan, and a two-year effectiveness review and plan.

The compliance officer must be an individual with the necessary authority to implement the compliance program. For entities, the compliance policies and procedures must be approved by a senior officer. The policies must be written, kept current, and accessible to all personnel authorized to act on behalf of the reporting entity, including employees, agents, and any others involved in client-facing or transaction-processing roles. PCMLTFR paragraph 156(1)(a) provides the legal reference for the policies and procedures obligation.

The risk assessment is not a one-time exercise. PCMLTFR section 156 requires ongoing assessment of the risk that products, services, delivery channels, geographic context, and client populations present for money laundering and terrorist financing. For casino operators, this means maintaining a documented assessment of both player-level risk and systemic risk, with the results feeding directly into the calibration of client due diligence intensity, monitoring frequency, and enhanced measures triggers.

The two-year effectiveness review, governed by PCMLTFR subsections 156(3) and 156(4), must produce a written report covering the methodology of the review, the findings, any action plans arising from deficiencies identified, and the status of implementing updates made during the reporting period. FINTRAC’s assessment teams specifically examine whether policies and procedures updates made outside the formal review cycle are documented alongside those made as a result of the review itself.

Client Identification and Know-Your-Client Obligations

Casino reporting entities must verify the identity of persons who conduct or attempt to conduct transactions that trigger identification obligations under the PCMLTFR. Verification methods are prescribed and include the government-issued photo identification document method, the credit file method, the dual-process method, the agent or mandatary method, and the reliance method. Each method carries specific documentation requirements. For verification performed via reliance on another reporting entity, the casino must have a written agreement in place requiring that the other entity provide all referenced identification information as soon as feasible upon request.

Where a person fails to provide adequate identification, the casino may accept an alternate form of identification, but must then follow a risk-based timeline for obtaining the required form within 6 to 12 months, as described in FINTRAC’s casino client identification guidance. Ongoing monitoring must reflect the elevated risk profile of that client during that period.

For entities, identity verification requires confirming existence through prescribed records, ascertaining the name and address of the entity, and for corporations specifically, obtaining the names of directors. The beneficial ownership threshold under FINTRAC guidance is 25% direct or indirect ownership or control of shares, units, or the entity. Ultimate beneficial owners must be natural persons, not holding entities.

Politically Exposed Persons and Heads of International Organizations

Casino reporting entities must determine whether clients are politically exposed persons (PEPs), heads of international organizations (HIOs), or family members and close associates of either. The PCMLTFA, at section 9.3(3), defines the head of an international organization as a person who holds or has held, within a prescribed period, the office or position of head of an international organization established by governments of states, an institution of such an organization, or an international sports organization.

Where a client is identified as a PEP or HIO, enhanced measures apply. These include taking reasonable measures to establish the source of funds used in the transaction or business relationship, conducting enhanced ongoing monitoring, and obtaining senior management approval to commence or continue the relationship. FINTRAC guidance links PEP identification directly to the sanctions framework: reporting entities must also consider measures against corrupt foreign officials under the Justice for Victims of Corrupt Foreign Officials Act (the Magnitsky Act, S.C. 2017, c. 21) as part of their risk assessment, and determine when this may require STR or listed person or entity property report submissions.

Casino Disbursement Reports: An Online-Specific Consideration

The Casino Disbursement Report is specific to casino reporting entities and deserves particular attention in an online context. A casino disbursement is a payment of funds by a casino to a person, with the CAD $10,000 threshold applying. In a brick-and-mortar context, the quintessential disbursement is a large cash payout at the cage. In an online context, withdrawals processed back to a player’s bank account, e-wallet, or payment card constitute disbursements for reporting purposes when they meet the threshold, whether as a single transaction or in aggregate under the 24-hour rule.

The PCMLTFR distinguishes “funds” from “virtual currency.” Funds means cash and other fiat currencies, and securities, negotiable instruments, or other financial instruments indicating a title or right to or interest in them, or a private key enabling access to fiat currency other than cash. Virtual currency is explicitly excluded from the definition of funds under PCMLTFR section 1(2) and PCMLTFSTRR section 1(2). A disbursement made in fiat currency triggers Casino Disbursement Report obligations, while a large disbursement in virtual currency triggers the Large Virtual Currency Transaction Report pathway instead.

FINTRAC’s Enforcement Powers

FINTRAC has had legislative authority to issue administrative monetary penalties (AMPs) to reporting entities since 30 December 2008, under Part 1.1 of the PCMLTFA. AMPs are civil penalties. The PCMLTFAMPR, SOR/2007-292, governs their calculation. FINTRAC’s published AMP policy describes the program’s guiding principles as objectivity, reasonableness, transparency, fairness, consistency, and documentation. Each non-compliance instance is assessed for the harm done to FINTRAC’s mandate, with separate harm-done assessment guides published for each compliance category: compliance program violations, LCTR/EFTR/CDR violations, STR violations, KYC violations, record-keeping violations, and others.

FINTRAC must make public all administrative monetary penalties imposed. The public notice requirement means every AMP against a casino reporting entity is a matter of permanent public record, with consequences for licensing fitness assessments in any jurisdiction where the operator seeks or holds authorisation.

Criminal penalties under Parts 1 and 1.1 of the PCMLTFA are available as an alternative enforcement pathway. FINTRAC may disclose information to law enforcement when it suspects on reasonable grounds that the information would be relevant to investigating or prosecuting a non-compliance offence under the PCMLTFA. The PCMLTFA expressly provides that criminal charges and AMPs cannot be issued against the same instances of non-compliance. The election between the two pathways lies with FINTRAC, not the reporting entity.

The September 2025 enforcement action against the Saskatchewan Indian Gaming Authority (SIGA), resulting in a penalty of CAD $1.175 million, demonstrates the scale AMPs can reach in the casino sector. SIGA announced its intention to appeal the penalty, according to Casino.org in September 2025. A separate action involving a non-profit Toronto casino operator contesting a CAD $199,000 FINTRAC fine in court, reported by Canadian Gaming Business in August 2025, illustrates that AMP disputes are being actively litigated. The appeal process does not suspend publication of the public notice.

How the Regulatory Instrument Suite Flows from the Act

The PCMLTFA is the parent statute. It does not itself prescribe most of the operational details. Those details flow through the subordinate regulations, each carrying its own SOR number and amendment history. For casino operators, the operative instruments are:

Instrument	SOR / Citation	Primary Subject
Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations	SOR/2002-184	Client identification, record keeping, compliance program, risk assessment, casino-specific thresholds
Proceeds of Crime (Money Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations	SOR/2001-317	STR form, content, and submission requirements
Proceeds of Crime (Money Laundering) and Terrorist Financing Administrative Monetary Penalties Regulations	SOR/2007-292	AMP calculation, violation categories, base penalty amounts
Proceeds of Crime (Money Laundering) and Terrorist Financing Registration Regulations	SOR/2007-121	MSB registration, defines terms shared across the regime
Cross-border Currency and Monetary Instruments Reporting Regulations	SOR/2002-412	Cross-border cash and instrument declarations

The PCMLTFR, SOR/2002-184, underwent substantive amendments between 2023 and 2025, with amendment citations under 2023, c. 26 and 2024, c. 15 and c. 17 coming into force across multiple dates from February 2025 through October 2025. Operators whose compliance policies were last reviewed before October 2025 must verify that their documentation reflects the current version of the Regulations.

What This Means for Ontario and Alberta Operators

Online casino operators registered in Ontario under the AGCO Registrar’s Standards for Internet Gaming face a compliance architecture that is explicitly dual-layer. The Registrar’s Standards at section 6.02 require AML policies and procedures aligned with obligations under the PCMLTFA, and require that copies of all FINTRAC reports be made available to the Registrar under the notification matrix. At section 6.03, operators must implement source-of-funds ascertainment protocols calibrated to their risk assessment, including the ability to escalate to transaction refusal or player exclusion for money laundering indicators. FINTRAC compliance is not merely a federal backstop, it is an explicit condition of provincial registration.

Alberta’s framework, administered by the AGLC and launching in July 2026, mirrors this structure under the AGLC Standards and Requirements for Internet Gaming. Operators entering Alberta must arrive with a mature FINTRAC compliance program already operational, since the provincial standards impose obligations that reference and build on the federal AML regime rather than creating a parallel or lighter-touch substitute. For a detailed comparison of how AGCO and AGLC standards interact, including differences in the AML notification matrix and operator obligations across both provinces, see our analysis of AGCO vs AGLC: Key Differences in Ontario and Alberta Internet Gaming Regulation.

Compliance officers managing Canadian online casino operations across one or both regulated provinces should maintain a single integrated AML/ATF compliance program that satisfies PCMLTFA obligations as the baseline and documents how provincial-specific obligations, including the notification matrix requirements, layer on top of that baseline. Operators should consult qualified legal counsel for jurisdiction-specific application of both the federal and provincial frameworks, particularly given the pace of recent regulatory amendments.

For operators also holding or considering European licences alongside a Canadian presence, the AML architecture differs materially. The UKGC operates as both a gambling regulator and an AML supervisor under its own licensing framework, meaning AML obligations flow directly through the Licence Conditions and Codes of Practice rather than through a separate financial intelligence statute. The Malta Gaming Authority splits AML supervision with the Financial Intelligence Analysis Unit (FIAU). Understanding how these supervisory models differ from FINTRAC’s centralised financial intelligence unit model is important for groups managing multi-jurisdictional compliance programmes. The AML and financial compliance hub covers FATF standards, FINTRAC, FIAU, FinCEN, transaction monitoring, and source-of-funds obligations across the major regulated jurisdictions.

Key Resources

Proceeds of Crime (Money Laundering) and Terrorist Financing Act, S.C. 2000, c. 17 (consolidated): laws-lois.justice.gc.ca/eng/acts/P-24.501/

FINTRAC Compliance Program Requirements Guidance: fintrac-canafe.gc.ca (search “compliance program requirements”)

FINTRAC Penalties for Non-Compliance: fintrac-canafe.gc.ca/pen/1-eng

FINTRAC Administrative Monetary Penalties Policy: fintrac-canafe.gc.ca/pen/2-eng

FINTRAC Casino Sector Guidance (Client Identification and KYC): fintrac-canafe.gc.ca (search “casino guidance”)

FINTRAC Suspicious Transaction Reporting Requirements: fintrac-canafe.gc.ca (search “STR guidance”)

FINTRAC Large Cash Transaction Reporting Requirements: fintrac-canafe.gc.ca (search “LCTR guidance”)