The AGCO Registrar’s Standards for Internet Gaming touch every part of how licensed operators run their platforms in Ontario’s regulated iGaming market. This page covers the specific, enforceable obligations set out in those standards, organized around six risk themes: entity level, responsible gambling, player account management, game integrity, information security, and unlawful activity. It also takes a close look at marketing restrictions, cybersecurity controls, and game certification requirements. By the end, you’ll have a clear picture of what compliance actually demands and what to look for when checking whether an Ontario-licensed casino is meeting its obligations.

The Regulatory Foundation and Scope of Application

The Registrar’s Standards for Internet Gaming get their binding force from the Gaming Control Act, 1992, specifically Sections 3.8 and 3.9. Those sections require registrants, the Ontario Lottery and Gaming Corporation, and iGaming Ontario to comply with standards the Registrar sets. The standards came into force on April 4, 2022, the day Ontario’s regulated internet gaming market launched. They apply to four categories of entity: OLG’s internet gaming site; iGaming Ontario, the conduct-and-management body overseeing private operators; all registered private internet gaming operators active in the Ontario market; and certain registered gaming-related suppliers whose products or services are part of the regulated ecosystem.

The Six Risk Themes That Structure the Standards

The Registrar’s Standards for Internet Gaming are organized around six risk-based themes covering roughly 200 individual numbered standards. This structure groups obligations by the harm or integrity risk they address, not by operator function. That means a single business unit, marketing for example, has to answer to standards spread across multiple themes. The risk-based grouping also shapes how the AGCO structures its compliance assessments and audits. The list below sets out the six themes in the regulator’s official order.

  • Entity Level — covers the operator’s organizational integrity, governance, record retention, and obligations to stay out of unregulated activity.
  • Responsible Gambling — covers player-facing harm-reduction tools, disclosures, and employee training obligations.
  • Prohibiting Access to Designated Groups and Player Account Management — covers age verification, self-exclusion enforcement, and the lifecycle of player accounts.
  • Ensuring Game Integrity and Player Awareness — covers game and RNG certification, fairness, and the accuracy of player-facing game information.
  • Information Security and Protection of Assets — covers IT control frameworks, cybersecurity, data protection, and business continuity.
  • Minimizing Unlawful Activity Related to Gaming — covers anti-money-laundering controls, fraud prevention, and payment integrity.

Entity-Level Obligations Governing Operator Conduct

The entity-level theme is the only part of the Registrar’s Standards that treats the operator itself, the corporate body holding the registration, as the unit of regulation rather than its games, its marketing, or its player-facing systems. Obligations here govern how the organization documents its own activity and how it draws a hard line between its regulated Ontario business and any other gambling activity it or its commercial partners run. The two most operationally significant requirements in this theme are record retention and the separation of regulated from unregulated markets.

Record Retention Requirements

Standard 1.09 requires that all information, including logs, related to compliance with the law, the Standards and Requirements, and adherence to control activities be kept for a minimum of three years unless otherwise stated. In practice, “compliance-related information” covers a broad set of records: system and operational logs, audit trails, transaction histories, responsible gambling intervention logs, KYC documentation from onboarding and re-verification, and AML records including customer risk ratings, transaction monitoring outputs, and reports filed with regulators. The three-year floor matters for two reasons. It defines the minimum window during which the AGCO can audit historical conduct, and it sets the period during which a player raising a dispute, over a transaction, a self-exclusion breach, or a game outcome, can expect supporting records to still exist on the operator’s systems. Because it is a floor, a retention schedule that purges logs at exactly three years is compliant only where no other standard or law sets a longer period for that record type.

Separation from Unregulated Markets

Two related standards police the boundary between Ontario’s regulated scheme and unregulated gambling activity. Standard 1.21 prohibits operators from using independent third parties for direct-to-consumer marketing, promotion, or player referral services if those same third parties also do that work for unregulated online gaming sites. The rule covers affiliate networks, marketing agencies, and influencer arrangements that straddle the regulated market and grey-market operators. A third party cannot be retained for Ontario work if it is simultaneously driving traffic to sites outside the regulated scheme. Standard 1.22 requires operators and gaming-related suppliers to stop all unregulated activities that would require registration under the Gaming Control Act, 1992 if conducted within iGaming Ontario’s regulated scheme. This obligation ended the transition period for previously unregulated operators and suppliers, with an effective date of October 31, 2022.

Responsible Gambling Obligations

The responsible gambling theme puts three distinct categories of obligation on Ontario-licensed internet gaming operators: mandatory player-facing disclosures, mandatory player-controlled harm-reduction tools, and training duties for staff with responsible gambling functions. These obligations run continuously across the player relationship. They attach at registration, persist through every authenticated session, and continue to govern operator conduct after account closure or self-exclusion. Compliance is assessed not as a one-time checkpoint at onboarding but as a sustained pattern of operator behaviour visible across the player journey, the marketing pipeline, and internal training records.

Mandatory Player-Facing Disclosures

Standard 2.09 anchors the disclosure obligation. The registration page and the pages within the player account must prominently display a responsible gambling statement, the ConnexOntario problem gambling helpline contact number, an online contact link, and a link to a page with responsible gambling resources. The word “prominently” matters for enforcement, not just aesthetics. Compliance reviewers look at placement on the page, contrast against surrounding interface elements, and whether the disclosure persists across the player journey. A disclosure that appears only at initial registration and disappears from the authenticated account experience does not satisfy the standard. Neither does a link rendered in low-contrast text at the bottom of an unrelated page.

Player-Controlled Harm-Reduction Tools

Operators must give players a defined set of controls that let them limit their own gambling behaviour before any harm occurs. These controls must be accessible from the player account interface, not buried behind support requests or multi-step navigation. Once a player sets a control, the operator must honour it without requiring the player to do anything further. The following categories of controls must be available to players:

  • Self-exclusion — lets a player bar themselves from the operator’s platform for a defined period, during which the operator must block account access.
  • Deposit limits — let a player cap the amount they can transfer into their account over a chosen interval.
  • Loss thresholds — let a player cap the net losses they can incur over a chosen interval, triggering restrictions when the threshold is reached.
  • Session duration controls — let a player cap the time they can stay logged in to a gambling session.
  • Cooling-off periods — let a player suspend their account for a short interval without committing to full self-exclusion.

Marketing Directed at High-Risk Players

Amendments effective February 28, 2024 introduced a ban on marketing directed at high-risk players. The obligation is active, not passive. The operator must identify players showing elevated risk indicators and exclude them from promotional targeting, rather than simply avoiding explicit targeting of risk profiles. In practical terms, this means the operator needs a detection mechanism that classifies players against risk criteria and feeds that classification into marketing systems, so identified high-risk players are removed from promotional delivery. That includes bonuses, free play offers, retention campaigns, and direct communications.

Employee Training Programmes

Responsible gambling training obligations for operator employees are governed by Standards 2.10 and 2.11. Following a 2025 update, the AGCO no longer requires Registrar approval of the responsible gambling training programme itself. The burden now falls on the operator to design, document, and maintain a programme that meets the substantive requirements of the two standards. In practical terms, this gives operators more flexibility over programme content and delivery format, but it also increases audit exposure. The operator now has to demonstrate on inspection that its programme holds up against the standards, with training records and curriculum documents as the evidence, rather than pointing to prior regulator sign-off as proof of adequacy.

Player Account Management and Prohibiting Access to Designated Groups

This theme puts two parallel duties on Ontario-licensed operators. The first is an exclusion duty: the operator must actively block access by people outside the permitted player population, specifically minors and self-excluded individuals. The second is an account-lifecycle duty: the operator must verify identity at onboarding, maintain account integrity throughout the relationship, and enforce payment integrity at every deposit and withdrawal. The two duties run continuously and reinforce each other. A failure in identity verification at onboarding weakens every control built on top of that account.

Age Confirmation and Identity Verification

The operator must confirm a player’s age before granting access to real-money play and must verify identity to a standard sufficient to support both the age determination and the AML KYC obligations that apply later in the customer lifecycle. Age confirmation cannot be satisfied by a self-attestation checkbox at registration. The standards require verification against authoritative data sources. In practice, operators meet this obligation through document upload (government-issued identification submitted by the player), third-party data matching against credit bureau, electoral, or other authoritative datasets, or a combination of both. The verification standard must be high enough that the same identity record can later support enhanced due diligence under the AML programme without re-onboarding the player.

Enforcement Against Self-Excluded Individuals

The operator must stop self-excluded individuals from opening new accounts, accessing existing accounts during the exclusion period, and receiving any marketing communications during the exclusion period. Each of the three prohibitions is independent. Blocking login alone does not satisfy the marketing suppression duty, and suppressing marketing alone does not satisfy the account-opening duty. Self-exclusion at one private operator does not automatically extend across every other operator in the Ontario regulated market under the published standards. Available regulator and conduct-and-management materials do not describe a centralized cross-operator self-exclusion register binding all registered private operators, so a player seeking market-wide exclusion must contact each operator individually.
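The three independent prohibitions above, together with the high-risk marketing suppression described under Marketing Directed at High-Risk Players, are easiest to get right when they are implemented as three separate gates that each consult the same exclusion register rather than one check bolted onto login. The Python below is an added example written for this page; it is not AGCO, iGaming Ontario or operator code. The identity match key (name, date of birth, ID document number), the exclusion record layout and the audit record shape are assumptions made for the example, and the player data is constructed.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def identity_key(full_name: str, dob: str, doc_number: str) -> str:
    """Normalise the identity attributes the operator matches on, then hash.
    The attribute set is an assumption for this example, not an AGCO-defined
    match key. Matching on identity rather than e-mail or username is what
    catches a re-registration under new contact details."""
    canonical = "|".join(
        part.strip().lower().replace(" ", "") for part in (full_name, dob, doc_number)
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Exclusion:
    key: str
    start: datetime
    end: Optional[datetime]  # None means indefinite


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class ExclusionRegister:
    """One operator's self-exclusion register. The page notes that no published
    cross-operator register exists, so this never answers for other operators."""

    def __init__(self) -> None:
        self._by_key: dict[str, list[Exclusion]] = {}
        self.audit: list[dict] = []  # gate decisions, kept for the retention window

    def add(self, exc: Exclusion) -> None:
        self._by_key.setdefault(exc.key, []).append(exc)

    def is_excluded(self, key: str, at: datetime) -> bool:
        # Half-open interval: excluded from start up to, but not including, end.
        return any(e.start <= at and (e.end is None or at < e.end)
                   for e in self._by_key.get(key, []))

    def _decide(self, gate: str, key: str, at: datetime, allowed: bool, reason: str) -> Decision:
        self.audit.append({"gate": gate, "key": key[:12], "at": at.isoformat(),
                           "allowed": allowed, "reason": reason})
        return Decision(allowed, reason)

    # Gate 1: account opening. Blocks a new account for an excluded identity.
    def gate_registration(self, key: str, at: datetime) -> Decision:
        if self.is_excluded(key, at):
            return self._decide("registration", key, at, False, "identity has an active self-exclusion")
        return self._decide("registration", key, at, True, "no active self-exclusion")

    # Gate 2: login. Independent of gate 1, because an account that pre-dates
    # the exclusion must also be blocked for the whole exclusion period.
    def gate_login(self, key: str, at: datetime) -> Decision:
        if self.is_excluded(key, at):
            return self._decide("login", key, at, False, "account holder is self-excluded")
        return self._decide("login", key, at, True, "no active self-exclusion")

    # Gate 3: promotional delivery. Independent of gates 1 and 2, and also the
    # point where identified high-risk players are removed from marketing.
    def gate_marketing(self, key: str, at: datetime, high_risk: bool) -> Decision:
        if self.is_excluded(key, at):
            return self._decide("marketing", key, at, False, "self-excluded: marketing suppressed")
        if high_risk:
            return self._decide("marketing", key, at, False, "flagged high-risk: removed from promotional delivery")
        return self._decide("marketing", key, at, True, "eligible for promotional delivery")


def build_sample_register() -> ExclusionRegister:
    """Constructed sample data: one player self-excluded for six months from 2024-01-01."""
    reg = ExclusionRegister()
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg.add(Exclusion(identity_key("Alice Example", "1990-05-04", "A1234567"),
                      start, start + timedelta(days=182)))  # ends 2024-07-01
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    alice = identity_key("Alice Example", "1990-05-04", "A1234567")
    during = datetime(2024, 3, 1, tzinfo=timezone.utc)
    print(reg.gate_login(alice, during))
    print(reg.gate_registration(identity_key(" alice  EXAMPLE", "1990-05-04", "a1234567"), during))
    print(reg.gate_marketing(alice, during, high_risk=False))
```

Each gate writes its own audit line, so a later dispute over a login, a re-registration attempt or a promotional e-mail can be traced to the decision and the reason. Because the register is keyed on normalised identity rather than on the account, a second registration with different capitalisation or spacing in the name and document number resolves to the same key and is blocked at gate 1 even though no account exists yet.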

Secure Payment Processing

Player account management obligations require the operator to make sure funds entering and leaving the player account are processed through controls that prevent fraud, unauthorized access, and the use of third-party payment instruments by anyone other than the verified account holder. A deposit or withdrawal is compliant under the standards, rather than merely functional, when three conditions are met: the payment instrument is tied to the verified identity on the account, the transaction passes the operator’s fraud and authentication controls, and the transaction is recorded in a player-accessible ledger. At a minimum, the gaming system must give the player access to deposit and withdrawal history and current balance. That gives the player an audit trail they can use to spot unauthorized activity.

Game Integrity, RNG Certification, and Player Awareness

This theme governs the technical fairness of the product delivered to the player, and its enforcement record is among the most active in the Ontario framework. The Registrar has issued financial penalties to private operators for offering games that were not approved, following amendments to the standards made in 2022. Two operational rules anchor the theme: no game may be offered in the regulated market without prior approval or accredited certification, and fairness depends on a verified mechanism that randomly determines game outcomes. Both rules are tested before launch and remain subject to ongoing audit.

Game and RNG Certification Obligations

Standard 4.08 requires that every game, every random number generator, and every component of an iGaming system be either approved directly by the Registrar or certified by an independent testing laboratory that is itself registered by the Registrar. The obligation is component-level, not product-level. A single uncertified module within a broader gaming system is enough to put the operator out of compliance. The certification duty also covers the electronic components of equipment used in live dealer games, meaning live dealer products are not exempt from technical certification just because a human dealer is involved. Certification must be in place before the game goes live in the regulated market. Post-launch remediation does not fix a pre-launch failure to certify.

Randomness Mechanism Requirements

Standard 4.26 requires a mechanism to randomly select the game elements used to determine game outcomes. The standard treats randomness as the structural basis of fairness in games where outcomes are generated internally by the gaming system rather than by external events. One carve-out applies: Standard 4.26 does not cover sport and event betting products, where outcomes are determined by real-world events rather than an internal randomness mechanism. For those products, integrity obligations sit in adjacent standards covering event data, pricing, and settlement rather than in the randomness requirement.

Player Awareness Disclosures

Operators must make accurate game information available to the player, including the rules of play, paytable information, return-to-player or odds information where applicable, and the conditions under which a game session can be interrupted or recovered. The information must be accessible from within the game environment, not buried in unrelated help documentation. In the regulator’s framework, “awareness” means a disclosure duty, not an educational one. The operator must make the information available and accurate, but does not have to confirm the player has read or understood it. Compliance assessment focuses on whether the disclosures exist, whether they are accurate, and whether they are reachable from the point of play.

Information Security and Protection of Assets

The fifth risk theme puts obligations at three distinct levels. At the governance layer, the operator must adopt a recognized industry-standard IT control framework to organize and document its security posture. At the technical-controls layer, the standards address how access is granted, how identities are authenticated, and how data is protected against interception or unauthorized retrieval. At the resilience layer, the standards require continuity infrastructure capable of resuming operations after a disruptive event. Each layer is independently auditable, and a gap at any layer is a compliance gap regardless of how strong the other layers are.

IT Control Framework Adoption

Standard 5.01 requires the operator to use a recognized industry-standard IT framework to manage its IT control environment. The regulator does not prescribe a single framework. The operator can choose from recognized options such as ISO 27001, a NIST framework (the Cybersecurity Framework or SP 800-53), or COBIT. But that choice comes with a demonstration burden. The framework must be genuinely in use across the IT control environment, with evidence that controls are mapped, owners are assigned, and the framework drives day-to-day security operations. Naming a framework in a policy document without actually running it does not satisfy the standard and will be visible on inspection.

Risk-Based Access Controls and Multi-Factor Authentication

Standard 7.4 requires a risk-based approach to access controls, with multi-factor authentication (MFA) required for high-risk areas, specifically access to player data, financial transactions, and administrator accounts. “Risk-based” means the intensity of the control must scale with the sensitivity of the asset. Low-risk read-only access may rely on single-factor authentication, but any pathway that touches the three named high-risk categories must enforce MFA. The obligation falls primarily on operator-side systems and elevated-privilege accounts, meaning the people, processes, and consoles that handle regulated data and money movement. Player-side MFA is treated as an emerging expectation rather than a uniformly required control under the current standards, so operators are not obliged to enforce MFA on player logins the same way they must enforce it on administrator access.
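One way to express the risk-based rule above as a policy decision, as an added example written for this page and not code from the AGCO or any operator: the three high-risk classes require two verified factors from different categories, everything else accepts a single factor for reads, and an unauthenticated session is denied outright. The factor-to-category mapping, the resource class names and the sample requests are assumptions constructed for the example. The point the code makes that the standard's wording does not is that two factors of the same category (a password plus a security question) are not multi-factor.

```python
from __future__ import annotations

from dataclasses import dataclass

# Authentication factor -> category. Illustrative mapping, not an AGCO list.
# Two factors from the same category do not count as MFA.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",
    "hardware_key": "possession",
    "sms_otp": "possession",
    "fingerprint": "inherence",
}

# The three high-risk classes the standard names; any other class is low-risk.
HIGH_RISK_CLASSES = frozenset({"player_data", "financial_transaction", "admin_console"})


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    resource_class: str
    action: str               # "read" or "write"
    factors: frozenset[str]   # factor names already verified in this session


@dataclass(frozen=True)
class Decision:
    outcome: str   # "allow", "step_up" (ask for another factor) or "deny"
    reason: str


def factor_categories(factors: frozenset[str]) -> set[str]:
    unknown = set(factors) - set(FACTOR_CATEGORY)
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    return {FACTOR_CATEGORY[f] for f in factors}


def evaluate(req: AccessRequest) -> Decision:
    if not req.factors:
        return Decision("deny", "no verified factor in session")
    if req.action not in ("read", "write"):
        return Decision("deny", f"unsupported action {req.action!r}")
    cats = factor_categories(req.factors)
    if req.resource_class in HIGH_RISK_CLASSES:
        if len(cats) >= 2:
            return Decision("allow", "MFA satisfied: " + ", ".join(sorted(cats)))
        return Decision("step_up", f"{req.resource_class} requires a second factor category "
                                   f"(have: {', '.join(sorted(cats))})")
    return Decision("allow", f"low-risk {req.action} on {req.resource_class}; single factor acceptable")


def audit_record(req: AccessRequest, decision: Decision) -> dict:
    """Shape of the log line an operator would retain for each decision (assumed format)."""
    return {"principal": req.principal, "resource_class": req.resource_class,
            "action": req.action, "factors": sorted(req.factors),
            "outcome": decision.outcome, "reason": decision.reason}


# Constructed sample requests, in order of rising sensitivity.
SAMPLE_REQUESTS = [
    AccessRequest("analyst", "game_catalog", "read", frozenset({"password"})),
    AccessRequest("support_agent", "player_data", "read", frozenset({"password"})),
    AccessRequest("support_agent", "player_data", "read", frozenset({"password", "totp"})),
    AccessRequest("admin", "admin_console", "write", frozenset({"password", "security_question"})),
    AccessRequest("treasury", "financial_transaction", "write", frozenset({"hardware_key", "fingerprint"})),
    AccessRequest("unknown", "player_data", "read", frozenset()),
]


def run_sample() -> list[str]:
    """Evaluate the sample requests and return their outcomes in order."""
    return [evaluate(r).outcome for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(audit_record(r, evaluate(r)))
```

The "step_up" outcome is deliberately distinct from "deny": the session is legitimate but has not yet presented a second factor category, so the right response is a challenge, not a lockout. Note that the policy only trusts factors the session has actually verified; how those factors are bound to the session and how long they stay fresh is outside this example.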

Data Protection in Transit and at Rest

Operators must encrypt sensitive data both in transit and at rest, and must run firewalls and intrusion detection systems sized to the threat environment they face. The standards do not prescribe specific cipher suites, key lengths, or product categories. Instead, they prescribe outcomes: confidentiality of regulated data, integrity of stored records, and detection of unauthorized network activity. The operator’s chosen IT control framework determines how those outcomes are met. This approach places the burden on the operator to justify why its selected technical configuration is appropriate for the data it holds and the threats it faces.

Disaster Recovery Site Requirement

Standard 5.07 requires the operator to maintain a disaster recovery site. This is a structural requirement, not a procedural one. The operator must have a physically separate environment capable of resuming operations, not just a documented recovery plan that points to future provisioning. A runbook describing what would happen in a disaster does not satisfy the standard. The disaster recovery environment must exist, be reachable, and be sufficiently provisioned to take over the operational load when the primary site goes down.

Marketing and Advertising Restrictions

The marketing rules in the Registrar’s Standards work along two independent axes: categorical prohibitions on the content and persons that may appear in gambling marketing, and placement restrictions governing where and how bonus offers can be communicated. The categorical content rules were tightened by amendments announced on August 29, 2023 and effective February 28, 2024, which expanded the list of persons and imagery barred from any gambling advertising in Ontario. The placement rules operate independently of the content rules and apply to all promotional communications regardless of the medium used to deliver them.

Prohibited Content and Persons in Gambling Marketing

The regulator treats certain content and certain categories of person as creating an unacceptable risk of appeal to minors or of normalizing gambling, and bars them from any operator marketing on that basis. The prohibitions are categorical rather than context-dependent. A person or image falling within a prohibited category cannot appear in Ontario gambling marketing regardless of the message, channel, or audience targeting applied. The following categories are red flags that should be identifiable in any operator’s advertising output during a compliance review.

  • Cartoon figures — prohibited from appearing in any gambling marketing because of their appeal to minors.
  • Social media influencers — prohibited from appearing in gambling marketing.
  • Celebrities likely to appeal to minors — prohibited from appearing in gambling marketing, with the regulator assessing minor-appeal on a case-by-case basis.
  • Active and retired athletes — prohibited from appearing in gambling marketing, with one exception: athletes may appear in marketing that exclusively promotes responsible gambling messaging.
  • Marketing directed at high-risk players — prohibited as a targeting category, requiring the operator to remove identified high-risk players from promotional delivery.

Restrictions on Bonus and Free Play Promotion

Standard 2.05 restricts public-facing bonus promotion. Specific bonus offers may only be shown to players after they have entered the operator’s casino site, and may not appear in advertising delivered to the general public. This is the regulatory reason a player in Ontario sees no bonus amounts, match percentages, or specific offer terms on a billboard, broadcast spot, or pre-login landing page. The rule pushes all bonus communication behind the site’s entry threshold. A separate obligation, confirmed by AGCO guidance issued on July 16, 2025, requires that any promotion advertised as “free” involve no financial risk to the player. In practice, no financial risk means the player cannot be required to deposit funds, wager personal money, or accept terms that could expose them to a loss as a condition of participating in the free play.

Minimizing Unlawful Activity and Anti-Money-Laundering Obligations

The sixth risk theme requires the operator to build and run a complete anti-money-laundering (AML) programme that operates continuously across the customer lifecycle, from onboarding identity checks through ongoing transaction surveillance, regulatory reporting, and post-relationship record retention. Adopting policy documents alone does not satisfy the obligation. An AML compliance effectiveness review is a gating step in the AGCO registration process. An operator cannot launch in Ontario’s regulated market until its programme has been independently assessed and any identified gaps have been fixed.

Components of the AML Programme

The AML obligation is structured as a programme with required components rather than a list of discrete tasks. The regulator expects the operator to show that each component is documented, staffed, and operating, not merely named in a policy. Auditable evidence must show that the named compliance officer has real authority, that written procedures are current, and that monitoring and reporting controls produce output consistent with their stated design. The following are the mandatory components a defensible AML programme must contain.

  • Designated Compliance Officer — a named individual with documented authority to run the AML programme.
  • Documented policies and procedures — written policies covering each programme component, maintained and updated.
  • Customer identification and verification — KYC processes sufficient to confirm the identity of each player.
  • Customer risk-ranking — a method for assigning each customer a risk rating that drives the intensity of monitoring applied.
  • Transaction monitoring — ongoing surveillance of transactional activity calibrated to customer risk rating.
  • Transaction reporting — submission of regulator-mandated reports for transactions meeting defined thresholds or suspicion criteria.
  • Record keeping — retention of AML records to support audit, investigation, and regulator inspection.

AML Effectiveness Review as a Registration Prerequisite

The AML compliance effectiveness review, commonly called a gap review, is a mandatory step in the AGCO registration process and must be completed before the operator goes live in the regulated market. The review tests whether the AML programme components are not just documented but actually working in practice. Reviewers interview staff who handle transactions to assess their understanding of policies and reporting requirements, examine a sample of records against the operator’s stated client identification controls, and review agreements with agents and vendors. Gaps identified during the review must be fixed before launch. An unsatisfactory review blocks market entry.

Using the Six Risk Themes to Evaluate an Ontario Online Casino

Enforcement actions against LeoVegas, Bunchberry, and Mobile Incorporated show that the highest-consequence obligations are not abstract. They are the ones regulators have already penalized operators for breaching. Game and RNG certification under Standard 4.08, MFA-anchored cybersecurity controls under Standard 7.4, and the marketing prohibitions effective February 28, 2024 form the operational core of Ontario’s compliance framework. Together, these three areas are where regulatory risk concentrates most visibly. When benchmarking an operator’s compliance posture, or comparing Ontario’s framework against another jurisdiction, running that assessment against all six themes gives you a structured, evidence-grounded starting point rather than a surface-level read.

Arthur Crowson

Arthur Crowson writes for GambleOnline.ca about the gambling industry. His experience ranges from crypto and technology to sports, casinos, and poker. He went to Douglas College and started his journalism career at the Merritt Herald as a general beat reporter covering news, sports and community. Arthur lives in Hawaii and is passionate about writing, editing, and photography.
