As FINTRAC scrutiny intensifies and payments become a growing focal point for risk, Ian Messenger explains why Canada’s gaming sector is being pushed to treat AML as an operational function rather than a compliance exercise.
For years, anti-money laundering compliance in gaming often lived in the background, surfacing most visibly during audits, licence reviews, or enforcement actions. In Canada, this dynamic has begun to shift. Following increased scrutiny from FINTRAC and a series of regulatory examinations across the sector, operators are facing growing pressure to demonstrate that AML controls are functioning in real time, not simply existing on paper.
Much of that scrutiny has centred on payments. Deposits, withdrawals, rapid fund movements and source-of-funds assessments have become focal points in wider debates around risk ownership between operators, payment service providers, and banks. At the same time, Canada’s mix of federal AML obligations and provincial gaming frameworks has created an increasingly complex environment for companies trying to maintain consistent standards across different markets and products.
Ahead of his appearance at SBC Summit Canada this month, Payment Expert spoke with Ian Messenger about the operational realities of modern AML compliance, the growing importance of payments-led risk monitoring, and why the industry can no longer treat AML as a standalone reporting function removed from day-to-day business activity.
Read the full interview below.
Canada’s gaming sector is shifting from audit readiness to embedded compliance. What does “good” AML practice look like in day-to-day operations?
Good AML practice in day-to-day gaming operations means compliance is built into ordinary decisions, not treated as a file review or audit exercise after the fact. It involves staff consistently knowing the customer, understanding source of funds and source of wealth where appropriate, identifying unusual play or transaction patterns, escalating concerns early, documenting decisions clearly, and using surveillance, cage, compliance, and management teams as part of one coordinated risk picture.
“Good” AML means that red flags are recognised in real time, controls are applied consistently, and the organisation can explain not only what it did, but why it made each decision.
Recent FINTRAC scrutiny has exposed gaps in AML frameworks. What were the most common weaknesses identified, particularly around payments?
The most common weaknesses were gaps between the written AML framework and what actually happened at the payment and patron-transaction level. FINTRAC identified failures to recognise and report suspicious activity, weak enhanced due diligence for high-risk patrons, inadequate monitoring of transaction volume and rate of play, poor consideration of ML/TF indicators, and insufficient documentation showing how payment activity, patron risk, and source-of-funds concerns were assessed.
The issue was that large or rapid movement of funds, activity inconsistent with a patron’s profile, and threshold-aware behaviour were not always connected to timely escalation, STR filing, or enhanced monitoring.
There’s ongoing debate around AML ownership, between operators, PSPs, and banks. From your perspective, where should ultimate responsibility sit?
Ultimate responsibility should sit with the regulated entity that owns the customer relationship and controls the gaming activity, which is usually the operator.
PSPs and banks play an important role in detecting payment anomalies, applying their own AML controls, and escalating suspicious activity, but they do not see the full gaming context, including patron behaviour, source-of-funds interactions, cage activity, play patterns, loyalty data, and risk decisions.
Good AML practice requires shared accountability across operators, PSPs, and banks, but the operator should remain responsible for connecting payment activity to the broader patron risk picture and ensuring concerns are investigated, documented, and reported where appropriate.
Payments are often the entry and exit points for risk. How should operators rethink their payments strategy to better align with AML expectations?
Operators should rethink payments as a core AML risk function rather than a separate operational or customer-experience process. Deposits, withdrawals, refunds, third-party payments, rapid movement of funds, failed or reversed transactions, and changes in payment behaviour should all be connected to the patron’s overall risk profile, gameplay activity, source-of-funds information, and transaction history.
This means designing payment controls that support real-time monitoring, clear escalation triggers, stronger due diligence, and better information-sharing between payments, compliance, fraud, cage, and customer-facing teams.
A mature payments strategy should help the operator understand not only whether a payment can be processed, but whether the movement of funds makes sense in the context of the customer, their activity, and the operator’s AML obligations.
Canada’s regulatory structure combines federal oversight with provincial frameworks. How challenging is this fragmentation for operators trying to maintain consistent AML standards?
The fragmentation is significant because operators must align federal AML obligations under FINTRAC and the Proceeds of Crime regime with provincial gaming frameworks that determine how gaming is conducted, managed, regulated, and supervised.
While the federal AML requirements create the baseline, provincial differences in operating models, regulator expectations, Crown agency oversight, reporting processes, land-based versus iGaming structures, and payment environments can make consistency difficult. The challenge for operators is avoiding a patchwork approach where AML standards vary by province or business line.
Strong Canadian AML practice requires a national control framework that meets federal expectations, supported by province-specific procedures that reflect local regulatory requirements, gaming products, payment channels, and operational risks.
Where do you see the biggest disconnect between regulatory expectations and operational reality for gaming companies?
The biggest disconnect is often between the expectation that gaming companies maintain a complete, real-time view of customer risk and the operational reality that relevant information sits across different teams, systems, and moments in the customer journey. AML risk may appear in payments, cage activity, player behaviour, source-of-funds conversations, fraud alerts, loyalty data, surveillance observations, or compliance reviews, but these signals are not always connected quickly enough to support timely decisions.
Regulators increasingly expect operators to understand the full risk picture and explain their decisions, while operators are often dealing with legacy systems, high transaction volumes, fast customer interactions, privacy constraints, and inconsistent documentation practices. The result is not usually a lack of intent, but a gap between formal AML expectations and the practical ability to detect, escalate, document, and act on risk in a coordinated way.
Is there scope for greater industry collaboration (for example, shared intelligence or standards) or does AML ultimately require a more siloed approach?
There is clear scope for greater industry collaboration, particularly in Canada where gaming operators, provincial conduct-and-manage bodies, regulators, banks, PSPs, and law enforcement often see different parts of the same risk picture. AML should not become fully siloed because financial crime networks exploit gaps between institutions, payment channels, provinces, and products.
Collaboration around typologies, red flags, payment risks, emerging laundering methods, training standards, and sector-wide expectations would improve consistency and help operators identify threats earlier. However, collaboration has to sit within privacy, legal, competition, and regulatory boundaries, and each operator must still retain responsibility for its own risk assessment, due diligence, monitoring, escalation, and reporting decisions.
The strongest model is shared intelligence and common standards, combined with clear individual accountability.
How can operators ensure AML controls do not negatively impact player experience, particularly around onboarding and withdrawals?
Operators can reduce friction by designing AML controls that are risk-based, proportionate, and built into the player journey rather than added as a last-minute barrier.
During onboarding, this means collecting the right information at the right time, using clear language, avoiding duplicate requests, and escalating only where the customer’s profile or activity requires enhanced review. For withdrawals, operators should avoid treating AML checks as a surprise hurdle after the player has won; payment method verification, source-of-funds expectations, and risk triggers should be understood earlier in the relationship.
The goal is not to weaken controls, but to make them predictable, consistent, and explainable so legitimate players experience a smooth process while higher-risk activity receives the scrutiny it requires.
Looking ahead, what changes do you expect in how FINTRAC approaches enforcement and supervision of the gaming sector?
I would expect FINTRAC’s approach to the gaming sector to become more risk-based, evidence-driven, and focused on whether AML controls are actually working in practice. Rather than accepting policies at face value, FINTRAC is likely to keep testing how operators identify suspicious activity, apply casino-specific ML/TF indicators, monitor payments and disbursements, assess high-risk patrons, and document the reasoning behind escalation or reporting decisions.
This is consistent with FINTRAC’s stated use of risk assessment methodology to target supervision, its guidance that assessments will review how indicators are used in the STR process, and its focus on transaction testing, ongoing monitoring, high-risk client reviews, and reporting quality. Enforcement will likely remain a more visible tool where FINTRAC sees systemic gaps, especially because it has emphasised that STR reporting is critical to actionable financial intelligence and that administrative monetary penalties are intended to change non-compliant behaviour.
You’ll be discussing these themes at SBC Canada. What is the one misconception about AML in gaming that you would most like to challenge?
The misconception I would most like to challenge is that AML in gaming is mainly a compliance reporting function that sits apart from the business.
In reality, effective AML is operational: it depends on what happens during onboarding, deposits, withdrawals, source-of-funds interactions, customer service, VIP management, surveillance, fraud reviews, and day-to-day decision-making. A strong AML program is not just about having policies or filing reports; it is about whether the operator can recognise risk as it emerges, connect the right information across teams, and make timely, well-documented decisions.
In gaming, AML is not a back-office obligation but an essential part of responsible, sustainable operations.
To catch this panel, along with the full conference programme and everything else SBC Summit Canada has to offer, secure your ticket here. Affiliates and operators qualify for complimentary passes.
Source: https://paymentexpert.com/2026/05/12/ian-messenger-canada-gaming-aml/
