GambleHub

Licensing in Canada

1) The big picture: federation, provinces and exceptions

The Canadian gambling model is built around the Criminal Code, which prohibits gambling, except when conducted and managed by the provinces/territories or their authorized organizations.

Three key implications follow from this:

1. Provincial jurisdiction: each province decides how to organize the market (state-owned enterprises, monopolies, concessions, open registries, etc.).

2. Ontario as an "open market": since 2022, the province has allowed private operators to work in conjunction with AGCO (the regulator) and iGaming Ontario (iGO), the state provider through which the market is "conducted & managed".

3. Kahnawà:ke Gaming Commission (KGC): the regulator of the Mohawk Territory of Kahnawake. Its licensing is historically significant for international hosting and B2B/B2C portfolios; however, legal operation with Ontario players requires the separate AGCO/iGO regime, and other provinces have their own models.

2) Main models

2.1 Ontario: AGCO + iGaming Ontario (iGO)

Regulator: AGCO sets Registrar's Standards for Internet Gaming (RG/AML/advertising/technical control).

Operator Model: A private operator enters into an Operating Agreement with iGO, obtains registration from AGCO, and technically connects to the iGO registry/requirements. Formally, games are "conducted and managed" by iGO, and the operator is a "service provider."

Verticals: casino/slots, betting, poker/bingo, etc.
Key features: strict standards for Responsible Gambling, marketing and technical control; reporting and revenue share with iGO (essentially a functional analogue of GGR taxation).

2.2 Kahnawà:ke: KGC

Regulator: Kahnawà:ke Gaming Commission.
License scope: operator client license (Client Provider Authorization), providers/platforms (Interactive Gaming License via Key Person/Key Equipment Providers), and, traditionally, hosting in the Mohawk Internet Technologies data center.

Role for Canada and the world:
  • For Ontario: not sufficient for legal access to players; AGCO/iGO is required.
  • For international markets: often used as a respected hosting/operator license regime in multi-jurisdictional portfolios.
  • Practice: Strong emphasis on due diligence, operational processes, infrastructure security and resilience.

3) RG/AML/advertising/privacy - general logic

3.1 Responsible Gambling (RG)

Player tools: deposit/loss/time limits, timeouts, self-exclusion, reality-checks, activity history.
Provincial self-exclusion registries: in Ontario, a provincial scheme (in sync with iGO); the operator is obliged to check statuses online.
Behavioral monitoring: detection of "early signs" of problem play, escalation, telemetry of interventions.

3.2 AML/CTF and FINTRAC

PCMLTFA/FINTRAC: casinos and online gaming operators in Canada are subject to FINTRAC AML supervision requirements (customer due diligence, EDD, large/suspicious transaction reporting, record keeping, training).
KYC: ID/age and address verification (in Ontario, eKYC providers, bank checks/two-source models, and documents/selfies are allowed).
Transaction monitoring: velocity/anomalies, sources of funds, sanctions/PEP screening, decision log and STR/SAR procedures.

3.3 Advertising and Affiliates

Ontario (AGCO): detailed advertising/bonus standards: prohibition of misleading promises, restrictions on creatives and language, protection of minors/vulnerable groups, restriction of "aggressive" promo communication and influencers (audience, labeling requirements).
Affiliates: contractual responsibility for compliance with RG/AML/data, whitelisting of sites, audit of materials, stop procedures.

3.4 Privacy and data

PIPEDA (federal law on the protection of personal data in the commercial sector) + provincial acts (in a number of provinces - their own privacy laws); Ontario requires compliance with AGCO/iGO privacy standards.
DPIA/DSR: assessment of processing risks, timing of responses to subject requests (access/correction/deletion/portability), PII minimization, and control of data flow (including cross-border transmissions).

4) Technical requirements: SDLC/observability/safety/DR

SDLC/releases: change control, staging pipelines, artifact and SBOM signatures, "no humans in prod," release logs and rollbacks.
Observability: structured logs (without PAN/extra PII), metrics, traces (OTel), SLO/SLI (latency p95/p99, error rate), synthetic deposit/KYC/withdrawal checks, retention for audit.
Security: segmentation, mTLS, WAF/bot management, SSO/MFA/PAM, SAST/SCA/DAST in CI/CD, regular pentests and no overdue critical/high findings.
DR/BCP: regular restore tests that confirm RTO/RPO, graceful degradation plans.
Anti-abuse: behavioral scoring, device signals, velocity rules, bonus-abuse framework.

5) Payments: Interac country

Methods: Interac e-Transfer/Online, cards (with 3-D Secure), A2A/Open Banking, bank transfers, local wallets.
Integration requirements: idempotency, HMAC-signed webhooks, DLQ/event replay, monitoring of Time-to-Wallet and success/authorization rates, reconciliations with iGO reporting/providers.
AML/sanctions/velocity: filters on incoming/outgoing flows, limits, manual check of cases.
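
A minimal sketch of the webhook integration requirements listed above (HMAC signature check, idempotency, DLQ with replay), added here as an illustration and not taken from any PSP or regulator specification. The signing scheme (HMAC-SHA256 over "<timestamp>.<body>"), the `event_id` field, the 300-second window and all names are assumptions.

```python
import hashlib, hmac, json, time

MAX_SKEW = 300  # seconds a signed delivery stays acceptable (assumed policy value)

def sign(secret: bytes, ts: str, body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over "<timestamp>.<raw body>"."""
    return hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()

class WebhookReceiver:
    def __init__(self, secret, apply_event, now=time.time):
        self.secret, self.apply_event, self.now = secret, apply_event, now
        self.done = set()  # idempotency store; a unique-keyed DB table in production
        self.dlq = []      # authenticated deliveries that failed processing

    def handle(self, ts: str, body: bytes, sig: str):
        # Authenticate the raw bytes before parsing anything from them.
        expected = sign(self.secret, ts, body)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return 401, "bad signature"
        # The timestamp is covered by the MAC, so an old capture cannot be re-dated.
        if not ts.isdecimal() or abs(self.now() - int(ts)) > MAX_SKEW:
            return 401, "stale timestamp"
        return self._process(body)

    def _process(self, body: bytes):
        try:
            event = json.loads(body)
            if event["event_id"] in self.done:
                return 200, "duplicate ignored"  # PSP retry: acknowledge, do not re-credit
            self.apply_event(event)
            self.done.add(event["event_id"])
            return 200, "applied"
        except Exception as exc:
            self.dlq.append((body, repr(exc)))  # park for replay instead of dropping
            return 202, "parked in DLQ"

    def replay_dlq(self):
        """Re-run parked deliveries; the idempotency check still applies."""
        pending, self.dlq = self.dlq, []
        return [self._process(body)[1] for body, _ in pending]

# Constructed sample delivery, not real PSP traffic.
SECRET = b"constructed-demo-secret"
BODY = json.dumps({"event_id": "evt_1", "player": "p1", "amount_cad": 50}).encode()
```

In production the idempotency record and the wallet credit belong in one database transaction, so a crash between the two cannot produce a double credit on replay.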

6) Ontario in practice (AGCO/iGO): what to prepare

Registration with AGCO + Operating Agreement with iGO:
  • RG/AML/advertising/data/incidents/DR policies and their provable implementation (dashboards, logs, reports).
  • IT/data architecture, storage model, DR/BCP plans, vulnerabilities/pentest reports.
  • Integrations with payment and KYC providers, anti-fraud and monitoring.
  • FINTRAC procedures (training, case management, SAR/STR, large/suspicious transaction registers).
  • Advertising model: white-list channels, creative templates, contracts with affiliates, control of influencers.
  • Operational reporting in iGO (finance/GGR, RG metrics, complaints/incidents, Key Persons changes).

7) KGC in practice: when and how

For Ontario: a KGC license is not enough; AGCO/iGO is required to access provincial players.
For international markets: KGC remains a respected regime, especially in hosting/B2B portfolios and multi-jurisdictional strategies.
Preparation: RG/AML/data/incident/DR policies, due diligence of beneficiaries/Key Persons, IT architecture and audit, penetration tests/scans, agreements with providers (content/payments/KYC), hosting and SLA.

8) Taxes and reporting (high-level)

Ontario: an economic model close to a GGR revenue share with iGO, plus regulatory fees; the operator maintains detailed reporting (verticals, bonuses/adjustments, RG/complaints/incidents) and reconciliations with PSPs/banks and game/payment logs.
KGC/internationally: fiscal and regulatory obligations depend on the markets actually served and on contracts; for cross-border models, consider local taxes/VAT analysis/PE risks.

9) Pros and cons of models

Ontario (AGCO/iGO) - pros

High confidence of banks/PSP/media, transparent standards.
Clear RG/advertising rules, understandable technical requirements.
A large, growing and legal market with public statistics.

Ontario - cons

Substantial compliance OPEX and tight reporting.
Strict marketing/influencer restrictions.
Demanding technical controls and FINTRAC processes.

KGC - pros

Respected regime for international hosting/B2B/operators.
Strong operational and technical discipline.
Portfolio strategy flexibility outside Ontario.

KGC - cons

Does not entitle the holder to serve Ontario players (without separate AGCO/iGO).
Additional licenses/registrations will be required for individual markets.
Still a high standard of due diligence and IT controls.

10) Readiness checklists

10.1 Definition of Ready

  • Perimeter defined: Ontario (AGCO/iGO) and/or International Unit (KGC).
  • Key Persons appointed (MLRO/AMLO, DPO, RG-Lead, Heads of Compliance/Platform/SRE/Security/Payments); SoF/SoW collected.
  • AML/RG/Advertising/Data/Incidents/DR policies approved; training conducted; execution logs exist.
  • SDLC: artifact signatures + SBOM, "no humans in prod," release and rollback log.
  • Observability: SLO/SLI dashboards, synthetic "deposit/KYC/withdrawal" checks, log retention.
  • Security: pentest/scan findings closed; no overdue critical/high findings.
  • FINTRAC: Policy, Training, Case Management, Reporting Registers.
  • Advertising/affiliates: white-list channels and creatives, contracts/stop procedures.
  • Payments/KYC: contracts with providers, HMAC-signed webhooks, idempotency, DLQ/replay.
  • For Ontario: AGCO registration + iGO Operating Agreement package and integration artifacts.

10.2 Definition of Done

  • Regulatory/fiscal/FINTRAC reporting enabled; KPI owners are assigned.
  • Stable integrations: PSP/KYC/anti-fraud, Time-to-Wallet monitoring and authorizations.
  • RG tools are active; intervention and self-exclusion telemetry; online checks.
  • DR/BCP: restore tests performed, RTO/RPO confirmed, certificates issued.
  • Marketing/affiliates: audit of materials, log of violations and measures, correct labeling.

11) Process (timelines)

Phase | Contents | Estimate
1. Gap analysis | Perimeter, providers, IT/policy audits, remediation plan | 2-8 weeks
2. Package | Corporate/Finance/SoF/SoW, Key Persons, Policies, Contracts | 4-12 weeks
3. Technical control | SDLC/observability/security/DR, vulnerabilities/penetration tests, integrations | 4-16 weeks
4. Registration/Contract | AGCO registration + iGO OA (for Ontario)/KGC licensing | depends
5. Launch | Dry-run RG/AML/payments, reporting enabled, SLA monitoring | 2-6 weeks
6. Post-launch duties | Periodic reports/audits, FINTRAC, renewals/variations | by calendar

Critical path: Key Persons → live policies → SDLC/observability/DR (evidence) → FINTRAC framework → contract/registration (iGO/AGCO or KGC) → launch.

12) RACI (example for Ontario + KGC program)

Area | Responsible | Accountable | Consulted | Informed
AML/RG Policies/Advertising/Data | Compliance Lead | Head of Compliance/COO | Legal, Security | Product, Support
FINTRAC (procedures/reports) | AML Ops Lead | MLRO/AMLO | Finance, Legal | Exec
AGCO/iGO package | Program Manager | COO | Legal, Tech Leads | Stakeholders
SDLC/observability/DR | Platform/SRE Lead | CTO | Security | All teams
Pentest/vulnerabilities | Security Lead | CTO | Vendors, SRE | Compliance
Payments/KYC | Payments Lead | COO | Vendors, Security | Finance
Affiliates/Marketing | Marketing Ops | CMO | Legal, Compliance | Exec

13) Typical risks and mitigation

Risk | Sign | Mitigating measure
"Paper" policies | Regulator queries, directives | Evidence-first: logs, dashboards, DR reports, runbooks
FINTRAC non-compliance | SAR/register gaps | Training, case QA, independent sampling, deadline rules
Advertising violations | Complaints/fines | Whitelisting, creative auditing, influencer control
Vulnerabilities/Pentest | Overdue critical/high findings | SAST/SCA/DAST in CI, policy-as-code, quick fixes
Payment incidents | Lost/duplicated webhooks | Idempotency, HMAC, DLQ/replay, TtW monitoring
Self-excluded players gaining access | Matching failures | Mandatory online verification, retries, alerts
Misunderstanding the role of KGC | Wrong go-to-market logic | Separate the Canadian Ontario track (AGCO/iGO) from the international KGC track

14) 90-180 Day Roadmap (example)

Month 1-2: gap analysis, Key Persons assignment, launch of SDLC/observability/security remediations, FINTRAC framework setup.
Month 2-3: package collection (AGCO registration + iGO OA/KGC), penetration tests/scans, DR reports, PSP/KYC/content contracts.
Month 3-4: submission/approval, dry-run of demonstrations (dashboards, logs, RG/AML/payments/marketing), finalization of integrations.
Month 4-6: Q&A/variations, finalization, payment/content onboarding, enabling reporting, and KPI control.

Summary

Canada is a provincial model with a federal AML superstructure. Ontario requires the AGCO + iGO combination, in which the private operator is a partner of the state-run iGO and operates under strict RG/AML/advertising/technical control standards. KGC remains an important player for international hosting and portfolio strategies, but does not replace AGCO/iGO for Ontario. By building an evidence-first culture (SDLC/observability/security/DR, FINTRAC procedures, RG telemetry, managed marketing and affiliates), you will have sustainable access to the payment ecosystem and partners in one of the most transparent markets in North America.
