Solving Canada’s AML/KYC Puzzle: A Playbook for Online Gaming Operators


Canadians may be stereotyped as mild mannered and passive—but authorities overseeing Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations are throwing some Hudson Bay ice over that perception.

FINTRAC flexes regulatory muscle

Since November 2023, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has fined three of the country’s biggest banks for noncompliance with AML and terrorist financing measures: Royal Bank of Canada for $5.5 million CAD, CIBC for $900,000 CAD, and TD Bank for $7.4 million CAD. 

FINTRAC has also played their hand very defiantly towards the gaming industry with the publication at the end of January 2024 of a special report on laundering crime proceeds through online gaming sites.

With an annual staffing increase of 28% in 2023 compared to the prior year, FINTRAC is arming up with personnel to investigate and enforce. This isn’t an episode of Suits; it’s a reminder of the potential pitfalls within the online gaming industry and the critical role of AML and KYC regulations in upholding integrity and combating illegal activity.

Charting the regulatory landscape

Canada’s AML/KYC framework hinges on two pillars: the Proceeds of Crime and Terrorist Financing Act (PCMLTFA) and FINTRAC. These regulations outline specific requirements for online gaming operators, including:

  • Customer identification and verification: KYC is the bedrock, to verify player identities using accepted documents like government-issued IDs.
  • Risk assessment: Classifying players based on their risk profile, considering factors like transaction size, frequency, and geographic location.
  • Transaction monitoring: Watching for suspicious activity like sudden spikes in betting amounts, unusual deposit/withdrawal patterns, and transactions originating from high-risk jurisdictions.

Background on the FINTRAC special report

Online gambling has surged globally, particularly amid the COVID-19 pandemic, with projections estimating the industry to grow to $100 billion USD by 2026. In Canada, this growth coincided with new regulatory changes, for example the legalization of single-event sports betting, which came into effect in August 2021, as well as the arrival of new gaming operators. 

However, concerns arise from transactions with sites operating both inside and outside regulatory authorities, especially those in jurisdictions with weak AML monitoring and enforcement measures.

Key findings of the report

FINTRAC highlighted the following findings in its report:

  1. Exploitation of financial entities: Bank accounts serve as conduits for laundering proceeds of crime through online gambling sites. Suspicious activities include excessive transfers, circular transactions, and deposits inconsistent with clients’ financial status. 
  2. Prepaid cards and vouchers: These are high-risk funding methods due to their potential to obscure fund sources. Clients often engage in frequent, rounded-sum purchases and reloadable card top-ups for online gambling.
  3. E-wallets and payment service providers: Criminals use these platforms to facilitate deposits and withdrawals between bank accounts and gambling sites. Organized crime groups have been observed depositing and withdrawing funds via wire transfers to financial institutions in Canada.
  4. Virtual currencies: Despite not being accepted in licensed Canadian sites, unlicensed platforms increasingly deal in virtual currencies, facilitating cross-border payments and anonymity. The report highlights sites that are at a higher risk of facilitating money laundering as including those that do not require KYC information from players, do not publish any information about their beneficial ownership, and do not impose any limits on volumes or values of bets.
  5. Exploitation of licensed platforms: Criminals may also misuse licensed gambling sites to launder proceeds of crime. One common approach is money launderers attempting to subvert or mislead online gaming sites KYC process, in order to conceal their identity and/or the source of their funds. This includes by providing false, stolen, and misleading information to gaming operators, such as forged identity and/or income verification documents.

Requirements for identification

In June 2021, the PCMLTFA issued guidance on when to verify the identity of a person. This  included a specific directive on requirements for casinos. There are a number of scenarios that are set out expressly, with some overlap with the guidelines of the FINTRAC January 2024 online gaming special report. Examples include suspicious transactions, large virtual currency transactions (C$10,000 or more), receipt of funds of $3,000 CAD or more, and foreign currency exchange transactions of $3,000 CAD (among others).

The PCMLTFA also provides specific guidance on methods to verify the identity of a person. These are to be selected subject to the risk-based approach to be adopted by the organization and include the following methods: (i) government-issued photo identification, (ii) credit files, (iii) dual-process, and (iv) an affiliate source. 

Where a photo ID is considered the strongest form of identification, the regulations specify that the ID document must:

  • Be authentic, valid, and current;
  • Be issued by a federal, provincial, or territorial government (or by a foreign government);
  • Indicate the person’s name;
  • Include a photo of the person;
  • Include a unique identifying number; and
  • Match the name and appearance of the person being identified.

In a remote setting, the organization must have a process to authenticate the ID document, including “using a technology capable of determining the document’s authenticity.”  The regulations give the example to (a) ask the end user to scan their ID document using the camera on their mobile phone; and (b) use a technology to compare the features of the ID document against known characteristics (for example, size, texture, character spacing, raised lettering, format, design), security features (for example, holograms, barcodes, magnetic strips, watermarks, embedded electronic chips) or markers (for example, logos, symbols) to be satisfied that it is an authentic document as issued by the competent authority (federal, provincial, or territorial government).

The regulations also require to determine whether the authenticated ID document is valid and current, and that the name and photo match those of the end user providing the document. As an example, the regulations suggest asking the person to take a “selfie” photo using the camera on their mobile phone, and use a face-matching technology to compare the image from the selfie to the photo on the ID document. 

There is specific caution that it is not enough to only view an end user and their ID document through a video conference or another type of virtual application. There must be closer inspection of the document and face.

Additionally, a company’s compliance program’s policies and procedures must describe:

  • The processes it follows to determine whether a government-issued photo identification document is authentic, whether the client is present or not, and how it will confirm that it is valid and current;
  • The steps it uses to confirm that the name and photograph are those of the person; and
  • Its processes to determine that a government-issued photo identification document is authentic, valid, and current.

Finally, the following details must be recorded as part of the identification process:

  • The person’s name;
  • The date on which the organization verified the person’s identity;
  • The type of document used (for example, driver’s license, passport, etc.);
  • The unique identifying number of the document used;
  • The jurisdiction (province or state) and country of issue of the document; and
  • The expiry date of the document when available (if this information appears on the document or card, the organization must record it).

The Great White North is not playing around

Canada has primed its supervision of AML/KYC with detailed and broad application, which covers casinos specifically under the PCMLTFA. The recent fines imposed by FINTRAC on RBC, CIBC, and TD Bank show that the regulator is not timid in setting an example at the highest level of oversight. 

Further, the January 2024 Special Bulletin on online gaming highlights that reporting entities cannot hide behind a veil of ignorance. Specific risks have been identified by FINTRAC. 

Operators and other covered entities in the AML landscape (such as crypto and currency exchanges and payment providers) must identify and mitigate risks associated with online gambling transactions, emphasizing the importance of vigilance and adherence to compliance measures to combat money laundering and terrorist financing activities.

About the post:
Images are generative AI-created. Prompt: An almost complete puzzle of a smiling black woman’s face. Tool: Midjourney.

About the author:
Terry Brenner is the Head of Legal, Risk, and Compliance for IDVerse America. He oversees the company’s foray into this market, heeding to the sensitivities around data protection, inclusivity, biometrics, and privacy. With over two decades of legal experience, Brenner has served in a variety of roles across a diverse range of sectors.

x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
Shield Security