SIMULATION - NOT A REAL CASINO - Educational Demo from The Backend of Luck

Anti-Money Laundering Policy

Educational demonstration of AML compliance in iGaming operations

Educational Simulation Disclaimer
This is a simulated casino created as part of the book "The Backend of Luck: Inside the Systems That Power Real Money Gaming". No real money is involved. All content is for educational purposes only. This AML policy demonstrates how licensed operators structure their compliance programs.

Table of Contents

  1. Purpose & Scope
  2. Regulatory Framework
  3. KYC Procedures
  4. Transaction Monitoring
  5. Risk Assessment
  6. PEP Screening
  7. Record Keeping
  8. Staff Training
  9. Responsible Gambling & AML
  10. How This Simulation Demonstrates AML

1. Purpose & Scope (Ch. 10)

This Anti-Money Laundering (AML) policy outlines the procedures, controls, and organizational measures that a licensed iGaming operator must implement to prevent its platform from being used for money laundering, terrorist financing, or other financial crimes.

In a real operation, this policy applies to all employees, contractors, and third-party service providers. It covers all products offered — sports betting, casino games, poker, and any other gambling services — across all channels (desktop, mobile, retail).

The three pillars of AML compliance in iGaming are:

2. Regulatory Framework (Ch. 9-10)

iGaming AML compliance operates within a layered regulatory environment. Key frameworks include:

EU Anti-Money Laundering Directives (AMLD)

Malta Gaming Authority (MGA)

The MGA requires licensees to implement a Player Due Diligence (PDD) framework with tiered verification based on deposit/withdrawal thresholds. Operators must appoint a designated Money Laundering Reporting Officer (MLRO) and submit annual compliance reports.

Dutch Kansspelautoriteit (KSA)

The Netherlands' KSA enforces the Wet op de kansspelen (Gambling Act) alongside the Wet ter voorkoming van witwassen (Wwft). Dutch-licensed operators face strict requirements including mandatory IBAN-only deposits, enhanced affordability checks, and CRUKS (self-exclusion register) integration.

Why Multiple Jurisdictions Matter

A single iGaming operator may hold licenses in 5+ jurisdictions simultaneously. Each jurisdiction has its own AML thresholds, reporting timelines, and record-keeping requirements. The compliance team must build systems that satisfy the strictest applicable rule — a concept explored in detail in the book.

3. KYC (Know Your Customer) Procedures (Ch. 11)

3.1 Identity Verification Tiers

Tier | Trigger | Requirements | Timeframe
Basic Registration | Account creation | Email, name, date of birth, address | Instant
Standard KYC | First deposit or cumulative deposits reach threshold | Government-issued photo ID (passport, national ID, driver's license) | Within 72 hours
Enhanced KYC | Cumulative deposits ≥ €2,000 or withdrawal request | Proof of address (utility bill, bank statement < 3 months), ID re-verification | Before withdrawal
Enhanced Due Diligence | High-risk flags, PEP status, or deposits ≥ €10,000 | Source of funds documentation, wealth declaration, employer verification | Before continued play

3.2 Source of Funds Verification

When a player's deposit activity exceeds defined thresholds or triggers risk indicators, the operator must verify the legitimate origin of funds. Acceptable documentation includes:

3.3 Enhanced Due Diligence (EDD)

EDD is triggered for high-risk customers, including those from high-risk jurisdictions (FATF grey/black list), players with unusual transaction patterns, and politically exposed persons. EDD measures include:

4. Transaction Monitoring (Ch. 12)

4.1 Automated Alert System

Real-time transaction monitoring systems analyze player behavior against predefined rules and machine-learning models. Common alert triggers include:

4.2 Threshold Reporting

Jurisdiction | Threshold | Report Type | Deadline
EU / Netherlands | €2,000 single / €10,000 cumulative | Unusual Transaction Report (MOT) | Within 14 days
Malta (MGA) | €2,000 or suspicious pattern | STR to FIAU | Within 5 working days
UK (UKGC) | £2,000 or suspicious | SAR to NCA | As soon as practicable
Curaçao | $10,000 or suspicious | UTR to FIU | Within 14 days

4.3 Suspicious Activity Reports (SARs)

When monitoring identifies activity that cannot be satisfactorily explained through normal gambling behavior, the MLRO must assess whether a SAR should be filed. The decision to file is based on reasonable grounds for suspicion — not certainty. Common SAR scenarios in iGaming:

5. Risk Assessment Methodology (Ch. 10)

A risk-based approach is the foundation of modern AML compliance. The operator conducts both enterprise-wide and individual customer risk assessments:

Customer Risk Factors

Risk Scoring Matrix

Each customer receives a composite risk score based on weighted factors:

  • Geographic risk (30%) — Country of residence, nationality, FATF listing
  • Product risk (20%) — Game types played (poker carries higher risk than slots)
  • Transaction risk (25%) — Deposit/withdrawal patterns, payment methods used
  • Customer profile risk (15%) — PEP status, occupation, age
  • Behavioral risk (10%) — Play patterns, session characteristics, anomalies

Scores are recalculated dynamically as new data becomes available. Thresholds determine the level of ongoing monitoring: low-risk customers receive standard monitoring, medium-risk customers are reviewed quarterly, and high-risk customers require continuous enhanced monitoring.

6. PEP (Politically Exposed Persons) Screening (Ch. 11)

Politically Exposed Persons present elevated money laundering risk due to their positions of influence. PEP screening must occur at onboarding and continuously thereafter. Categories include:

Operators typically integrate third-party PEP screening databases (e.g., Dow Jones, Refinitiv World-Check, ComplyAdvantage) via API to automate checks against registration data. A PEP match does not automatically mean rejection — it triggers Enhanced Due Diligence and senior management review.

7. Record Keeping Requirements

All AML-related records must be retained for a minimum period as defined by applicable regulations:

Records must be stored securely, readily retrievable for regulatory requests, and protected under applicable data protection laws (GDPR). The tension between AML record-keeping obligations and GDPR data minimization principles is a key challenge explored in the book.

8. Staff Training

All staff must receive AML training appropriate to their role. The training program includes:

Training must cover: recognizing suspicious behavior, internal reporting procedures, tipping-off prohibitions (never alerting a customer that a SAR has been or may be filed), and the personal criminal liability that staff may face for non-compliance.

Training Effectiveness Measurement

Operators must track training completion rates and assess comprehension through testing. Key metrics include:

The MLRO is responsible for maintaining the training calendar, updating materials when regulations change, and reporting training metrics to the board on a quarterly basis. In jurisdictions like Malta and the UK, regulators may request training records during license reviews.

8.1 Internal Reporting Structure

A clear internal reporting chain is essential for effective AML compliance. The typical structure in an iGaming operation:

Internal reports must be filed within 24 hours of identifying suspicious activity. The MLRO then has a jurisdiction-specific deadline to decide whether to file an external report. All internal reports are logged in a secure, access-controlled system with full audit trail capabilities.

Tipping Off — A Criminal Offense

Staff must never inform a customer (or any third party) that a SAR has been filed, is being considered, or that an investigation is underway. Tipping off is a criminal offense in most jurisdictions, carrying penalties of up to 5 years' imprisonment in the EU. Even casual remarks like "your withdrawal is delayed due to compliance checks" can constitute tipping off if the delay is specifically due to a SAR investigation.

9. Responsible Gambling & AML Connection (Ch. 15)

Responsible gambling (RG) and AML are distinct compliance domains, but they share significant overlap in practice:

Modern compliance platforms increasingly integrate RG and AML monitoring into unified systems, allowing a single behavioral analytics engine to serve both purposes — reducing false positives and operational overhead.

Shared Data Points

Data Point | RG Use | AML Use
Session duration | Identify compulsive play patterns | Detect automated / bot-like behavior
Deposit frequency | Flag chasing losses | Detect structuring attempts
Win/loss ratio | Identify vulnerable players on losing streaks | Detect collusion or chip dumping
Payment methods | Track spending across channels | Identify third-party or multi-source funding
Withdrawal cancellations | Flag reverse withdrawal (continued play) | Detect layering patterns

9.1 Cryptocurrency & AML Challenges (Ch. 12)

Crypto-accepting operators face additional AML challenges due to the pseudo-anonymous nature of blockchain transactions:

Many jurisdictions now require crypto-accepting gambling operators to hold additional licenses or meet enhanced compliance requirements. The Dutch KSA, for example, restricts the use of cryptocurrency payments for licensed operators entirely.

10. How This Simulation Demonstrates AML Concepts

AcmetoCasino is a fully simulated environment designed to illustrate the technical infrastructure behind AML compliance. In this simulation:

Learn More in The Backend of Luck

Chapters 9-12 provide deep technical coverage of building AML-compliant systems, including database schemas for audit trails, real-time monitoring architectures, and integration patterns for third-party screening services. Visit thebackendofluck.com for more information.

Last updated: March 2026 | This document is for educational purposes only and does not constitute legal advice.