dilisense

AML and Sanctions compliance in iGaming

Guidance through the essential stages of AML compliance and sanctions screening in the iGaming space.

Published May 18, 2025


TL;DR

iGaming operators in Europe must adhere to strict AML (Anti-Money Laundering) and CFT (Countering the Financing of Terrorism) regulations. These include conducting Customer Due Diligence (CDD) during account creation or when deposits reach specific thresholds, verifying identities, and conducting Enhanced Due Diligence (EDD) for high-risk customers (e.g., PEPs). Operators must also screen customers against sanctions lists (EU, UN, OFAC) and file Suspicious Activity Reports (SARs) for suspicious transactions.

Record-keeping is essential, with transaction and CDD data retained for at least five years. Operators must appoint an AML compliance officer (MLRO) to oversee compliance efforts. These measures ensure legal compliance, prevent money laundering, and protect the platform's integrity.

Introduction

According to European regulations, an iGaming operator [1] is a company that is licensed to provide online gambling services, including sports betting, casino games, and poker, to players through online channels. The operators' compliance with national or regional gambling laws and regulatory frameworks is essential. These frameworks include oversight of licensing, player protection, anti-money laundering, and responsible gaming. European iGaming operators are classified as obliged entities under European Anti-Money Laundering regulation [2] and national laws. This means they must implement robust Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) measures, as well as comply with economic sanctions regimes.

The high volume of transactions and cross-border nature of online gaming pose significant money laundering risks [3], prompting regulators to impose stringent compliance processes. Failure to meet these requirements can lead to heavy fines, license revocation, or even criminal liability under the EU framework and national laws.

Below is an overview of the key AML and sanctions compliance processes for iGaming operators in Europe, with references to operational obligations, due diligence procedures, and regulatory alignment. The focus is on the requirements stemming from the EU regulatory framework. Additionally, reference is made to the UK Gambling Commission and the UK's Money Laundering Regulations (MLR), and the regulatory approach under the Swiss Anti-Money Laundering Act, often aligning with international standards like those from the FATF.

Customer Due Diligence (CDD) in the iGaming sector

iGaming operators must conduct Customer Due Diligence (CDD) on players prior to or during account establishment. This typically involves collecting and verifying the customer’s personal information (name, date of birth, address, etc.) using reliable, independent sources (e.g., government-issued ID, proof of address) when a player’s deposits reach certain cumulative thresholds. In some jurisdictions, iGaming companies are subject to strict identification requirements, regardless of the deposit amount.

According to Switzerland’s Federal Act on Gambling (Gambling Act) [4] and Anti-Money Laundering Act (AMLA) [5], identification is mandatory before any withdrawals [6] can be made from a provisional account. The UK’s Money Laundering Regulations 2017 [7] mandate identity verification before any gambling activity as well, reflecting both countries' commitment to mitigating risk and preventing money laundering.

In practice, CDD for iGaming includes:

  • Identity verification: Obtaining proof of identity and age (to prevent underage gaming) and confirming these against independent sources [8]. This can be done via document upload checks, electronic identity verification services, databases, or facial recognition technology for live verification.
  • Beneficial owner verification: If an account is opened by or on behalf of a legal entity (less common in consumer gambling), the operator must identify any beneficial owners behind that entity. This aligns with EU requirements to identify and verify anyone owning 25%+ of a corporate customer.
  • Purpose and nature of relationship: Understanding the intended nature of gambling activity [9] may be part of initial due diligence, especially for higher-risk cases, for example, whether the account is for personal recreational betting or high-stakes play.
  • Ongoing and one-off transactions: iGaming accounts usually imply an ongoing relationship, so CDD is done at onboarding. However, if a platform allows single transactions, including the use of anonymous betting vouchers, CDD is required for transactions above certain thresholds. Most regulated markets have eliminated anonymous gambling accounts.

If CDD cannot be completed, or if the customer is deemed high-risk and unwilling to provide the required information, the operator must terminate the relationship. According to EU Directive 2015/849 [10] and national laws, proceeding with a business relationship in the absence of satisfactory due diligence is prohibited.

Enhanced Due Diligence (EDD) for high-risk customers

For high-risk customers or situations, iGaming operators must apply Enhanced Due Diligence (EDD), which means extra measures to mitigate increased risk. Under the EU framework, EDD is mandatory in the following scenarios:

  • the customer is a Politically Exposed Person (PEP),
  • the customer is from a high-risk third country,
  • the transactions are unusually large or complex, or
  • in cases where the operator’s risk assessment resulted in a high-risk rating.

Key EDD measures in the iGaming context include:

  • Source of funds (SoF) and wealth checks (SoW): High-risk customers must provide information or documentation on the origin of the money they use for gambling. For example, if a player deposits very large and unusual sums, the operator should inquire and verify whether the funds come from a legitimate source [11].
  • Enhanced identity verification: Re-verifying or obtaining additional identity proofs, especially if there are doubts about the initial documents. This might include using more robust electronic verification or biometric checks.
  • More frequent monitoring: Subjecting high-risk accounts to more frequent review and monitoring. For instance, betting patterns of a high-risk player might be reviewed manually by compliance officers on a regular basis.
  • Senior management approval: If the customer is a high-risk client, such as a PEP or a client from a high-risk country, the account should be approved by senior management, according to international [12] and national [13] requirements.
  • Detailed background checks: In some cases, operators will perform open-source news gathering or use public records to check the customer’s background, for instance by checking adverse media news [14] as part of EDD.

Operators must also perform periodic reviews of existing customers (Ongoing Due Diligence). Higher-risk accounts might be reviewed more frequently (e.g., every six or twelve months) to refresh CDD information and ensure risk profiles are up to date. If new information arises (for example, if a customer’s behavior changes or they become a PEP), the risk rating and due diligence measures should be updated accordingly.

In summary, the intensity of EDD measures is proportionate to the level of risk; therefore, higher-risk customers require more thorough verification and ongoing oversight. EDD procedures ensure that iGaming operators know their player at a deeper level. High-risk clients (e.g., gamers depositing large amounts, politically exposed persons) should be subject to tighter checks to prevent the iGaming platform from being misused to launder illicit funds. These requirements stem from EU law (AML Regulation, 5AMLD and 6AMLD) and national regulations, which explicitly list scenarios requiring EDD and the measures to take (e.g., UK Money Laundering Regulations 2017, Federal Act on Gambling).

Screening against sanctions lists (EU, UN, OFAC, UK)

In addition to AML measures, iGaming operators must comply with international sanctions regimes [15]. Sanctions laws prohibit doing business with certain individuals, entities, or countries (e.g., terrorist financiers, proliferators of weapons, or entities linked to regimes like North Korea, Iran, or Russia). iGaming operators can face severe penalties if they provide services to sanctioned persons or facilitate transactions involving sanctioned entities. Therefore, robust sanctions screening processes are essential.

Operators in Europe must primarily screen against the EU Consolidated Financial Sanctions List [16], which includes all persons and entities sanctioned by the EU. Operators should also consider the United Nations Security Council sanctions lists [17]. Many operators additionally screen against OFAC’s SDN List (U.S. sanctions) and the UK’s OFSI consolidated list, because iGaming is global and a customer might fall under another jurisdiction’s sanctions. In practice, compliance solutions aggregate these lists so that a single screening covers EU, UN, OFAC, UK, and other relevant sanctions regimes [18].

Screening is done at customer onboarding and continues periodically. It also occurs at the time of payments: for example, when processing withdrawals, the payee name might be screened again, and the banks involved are screened to ensure no sanctioned bank is used. Operators rely on automated screening tools that compare customer data (name, date of birth, address, etc.) against sanctions databases. This requires exact and fuzzy matching algorithms to catch potential matches (e.g., spelling variations, aliases). If a match is found, the account is typically frozen or suspended while the compliance team investigates whether it’s a true match; if it is, they must report it to the authorities.
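The exact and fuzzy matching step described above can be sketched as follows. This is an added example, not dilisense's code or any vendor's algorithm: the list entries are constructed, the 0.85 threshold is an assumed tuning value, and Python's `difflib` stands in for a production name-matching engine.

```python
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

@dataclass(frozen=True)
class ListEntry:
    source: str                 # which list the entry came from
    name: str
    aliases: tuple = ()
    dob: Optional[str] = None   # ISO date, if the list publishes one

# Constructed sample entries; not taken from any real sanctions list.
SAMPLE_LIST = [
    ListEntry("CONSTRUCTED-LIST-A", "Ivan Petrovich Example", ("Ivan Example",), "1970-01-01"),
    ListEntry("CONSTRUCTED-LIST-B", "Zoë Sämple-Tëst"),
]

def normalize(name: str) -> str:
    """Fold accents, case, punctuation and token order ("EXAMPLE, Ivan" == "Ivan Example")."""
    decomposed = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    cleaned = "".join(c if c.isalnum() else " " for c in folded)
    return " ".join(sorted(cleaned.split()))

def screen(name, dob, entries, threshold=0.85):
    """Return hits for manual review, best score first."""
    query = normalize(name)
    hits = []
    for entry in entries:
        # Compare against the primary name and every alias; keep the best score.
        candidates = [normalize(n) for n in (entry.name, *entry.aliases)]
        score = max(SequenceMatcher(None, query, c).ratio() for c in candidates)
        if score < threshold:
            continue
        if dob is None or entry.dob is None:
            dob_check = "unknown"
        else:
            dob_check = "match" if dob == entry.dob else "conflict"
        hits.append({
            "source": entry.source,
            "listed_name": entry.name,
            "match_type": "exact" if query in candidates else "fuzzy",
            "score": round(score, 3),
            "dob": dob_check,  # evidence for the reviewer, not an automatic dismissal
        })
    return sorted(hits, key=lambda h: h["score"], reverse=True)

def decide(hits):
    """Any hit suspends the account until compliance confirms or clears it."""
    return "hold_for_review" if hits else "clear"

if __name__ == "__main__":
    for name, dob in [("EXAMPLE, Ivan", "1970-01-01"), ("Ivan Exampel", None),
                      ("Zoe Sample Test", None), ("Maria Placeholder", "1990-02-02")]:
        hits = screen(name, dob, SAMPLE_LIST)
        print(name, "->", decide(hits), hits)
```

A date-of-birth conflict is recorded on the hit rather than used to discard it, so the compliance team still decides whether the match is true.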

According to EU guidance, the application of a risk-based approach is essential for effective AML/CFT compliance. Operators are expected to identify and assess risks across core factors, such as customer types, services offered, transactions, and jurisdictions, and to tailor controls accordingly. For example, where customer exposure to high-risk regions is high, enhanced screening and stricter controls should apply. By evaluating both the inherent likelihood and potential impact of ML/TF risks, operators can implement proportionate measures to mitigate vulnerabilities. Internal policies must clearly define responsibilities, response protocols, and documentation standards for managing identified risks.

In summary, sanctions screening is a critical extension of AML/CFT compliance. It ensures that an iGaming platform is not inadvertently facilitating prohibited transactions or giving sanctioned individuals a channel to move funds. With the EU’s sanctions framework becoming ever more complex, operators must stay updated on sanctions lists and maintain robust automated screening systems.

When must iGaming operators conduct Customer Due Diligence (CDD)?

CDD is a fundamental AML requirement for iGaming operators. Based on regulatory thresholds, when is CDD typically required?

A) Only after a suspicious transaction is reported.

B) Only when a customer wins a large prize.

C) Before or during account establishment and when deposits reach regulatory thresholds.

D) Only at the point of withdrawal regardless of amount.

Reporting obligations (SAR reporting)

A Suspicious Activity Report (SAR) [19] is a cornerstone of AML obligations. iGaming operators in Europe are legally required to promptly report any known or suspected money laundering or terrorist financing activity to their national Financial Intelligence Unit (FIU). This duty is outlined in the EU AML Directives (e.g., Article 33 of 4AMLD) and transposed into member states. In the UK, post-Brexit, SARs are submitted to the National Crime Agency (NCA) [20] under the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017. In Switzerland, reporting is governed by the Anti-Money Laundering Act (AMLA) and must be filed with the Money Laundering Reporting Office Switzerland (MROS) [21].

Unlike other sectors, there is no monetary threshold for filing an SAR. The obligation is based on suspicion that funds are criminal in origin or linked to terrorism. As noted in European guidance, even if a suspicious activity involves a small amount or falls below what might be a formal reporting threshold, it must still be reported to authorities.

Examples of suspicious triggers include:

  • customers attempting to deposit cash or cryptocurrency of dubious origin;
  • sudden changes in betting patterns that suggest "chip dumping" or collusion;
  • customers refusing to provide proof of funds when requested;
  • and any activity that doesn't match the customer's profile (e.g., a low-income player suddenly betting large sums).

iGaming firms must proactively and vigilantly report suspicious activity. The European Commission and local regulators emphasize that iGaming operators play a frontline role in detecting illicit finance and must file Suspicious Activity Reports (SARs) as part of their duty. Even if a suspicious incident doesn’t lead to immediate law enforcement action, filing an SAR protects the operator by showing compliance and contributes to the intelligence authorities can use to combat money laundering.

What triggers a Suspicious Activity Report (SAR) in the iGaming sector?

Under AML laws, operators must report suspicious activity without monetary thresholds. What scenario would most likely require the filing of a SAR?

A) A player wins a promotional bonus.

B) A player refuses to provide proof of funds for unusually large deposits.

C) A player delays withdrawals for a week.

D) A player updates their account email.

Record-keeping requirements

Record-keeping is a core requirement of AML compliance, particularly for iGaming operators in Europe. The European AML framework requires the maintenance of detailed records of customer transactions and due diligence information for use in future audits or investigations. This includes retaining all CDD documents, such as identification records, address verification, evidence of source of funds, and politically exposed person checks, as well as any correspondence related to the due diligence process. When electronic verification is used, the corresponding records, including digital signatures, must also be retained.

iGaming providers must keep complete records of financial transactions, including deposits, withdrawals, betting activity, balances, and the payment instruments used, such as bank accounts and e-wallet IDs. Internal investigations, especially those related to suspicious activity reports (SARs), and all communication with law enforcement or financial intelligence units must be documented and stored. According to EU law, the standard retention period is five years after the end of the customer relationship or a one-time transaction. After this period, the data must be deleted or anonymized, unless an extension is justified for crime prevention purposes.

Records must be easily accessible for prompt regulatory review. Regulators commonly test this during inspections by requesting full Know Your Customer (KYC) and transactional histories for selected accounts. Acceptable formats include original documents or admissible copies, such as scanned files. Appropriate data security measures must be in place to comply with privacy regulations.

What is the purpose of sanctions screening for iGaming operators?

iGaming operators must comply with multiple international sanctions regimes. What is the primary goal of sanctions screening in this context?

A) To validate customer age requirements.

B) To verify betting patterns and frequency.

C) To ensure operators do not interact with sanctioned individuals or entities.

D) To track the financial status of all players.

Corporate compliance and governance for iGaming operators

Effective AML/sanctions compliance in iGaming requires strong governance structures. Regulators expect that iGaming operators foster a culture of compliance from the top down, with clear accountability and well-trained personnel at all levels.

Every licensed iGaming operator in Europe must appoint a designated Money Laundering Reporting Officer (MLRO) [22] or equivalent AML Compliance Officer. This individual is responsible for the day-to-day oversight of AML/CFT efforts and is the main point of contact for authorities. The MLRO should be a person of sufficient seniority and authority within the company, who is capable of enforcing compliance measures and reporting to the board of directors. For example, the UK Gambling Commission rules and the UK Money Laundering Regulations require a “nominated Officer” [23] (usually the MLRO) to be in place, and they hold that person accountable for compliance failures. The MLRO typically prepares annual AML reports to the board, advises on risk assessment updates, and must have the independence to escalate issues.

Conclusion

iGaming operators in Europe face rigorous AML and sanctions compliance obligations that demand a proactive, risk-based approach. From robust customer due diligence to sanctions screening, SAR reporting, and strong internal governance, these measures are essential to preventing illicit finance and maintaining regulatory trust. By embedding compliance into every aspect of their operations, iGaming firms can not only meet legal standards but also safeguard their platforms and reputations in a highly regulated digital environment.



Stay compliant with dilisense

dilisense provides specialized AML and sanctions screening solutions to ensure your iGaming business stays compliant with global regulations. Our platform offers real-time transaction monitoring and screening against the latest sanctions lists, including EU, UN, OFAC, and more. Stay compliant with dilisense, your partner in AML and sanctions screening.

References

1  Online gambling in the EU. https://single-market-economy.ec.europa.eu/sectors/online-gambling_en. Accessed May 16, 2025.

2  European Union - Regulation (EU) 2024/1624. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401624. Accessed May 15, 2025.

3  European Union - Report on the assessment of the risk of money laundering and terrorist financing. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022DC0554. Accessed May 16, 2025.

4  Switzerland - Federal Act on Gambling (Gambling Act). https://www.admin.ch/gov/en/start/documentation/votes/20180610/Federal-Act-on-Gambling.html. Accessed May 16, 2025.

5  Switzerland - Anti-Money Laundering Act (AMLA). https://www.fedlex.admin.ch/eli/cc/1998/892_892_892/en. Accessed May 16, 2025.

6  SRO Casinos - Informationen. https://www.sro-casinos.ch/de/informationen.html. Accessed May 16, 2025.

7  United Kingdom - The Money Laundering, Terrorist Financing and Transfer of Funds - Regulation 2017. https://www.legislation.gov.uk/uksi/2017/692/regulation/18. Accessed May 16, 2025.

8  EGBA - European Gaming & Betting Association. https://www.egba.eu/uploads/2022/02/Consumer-Protection-in-EU-online-gambling-overview-tables-BLUE.pdf. Accessed May 16, 2025.

9  EGBA - Guidelines on fighting money laundering and terrorist financing for the European online gambling sector. https://www.egba.eu/uploads/2023/03/230306-EGBA-Guidelines-on-AML-for-Online-Gambling-FINAL.pdf. Accessed May 16, 2025.

10  European Union - Directive (EU) 2015/849. https://eur-lex.europa.eu/eli/dir/2015/849/oj/eng. Accessed May 16, 2025.

11  The World Lottery Association - Enhanced Compliance Due Diligence (EDD) Measures. https://publications.world-lotteries.org/guides-articles/aml-best-practices-chapter-5-enhanced-compliance-due-diligence-edd-measures. Accessed May 16, 2025.

12  Financial Action Task Force (FATF) - The FATF Recommendations. https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf. Accessed May 16, 2025.

13  United Kingdom - Gambling Commission. https://www.gamblingcommission.gov.uk/guidance/the-prevention-of-money-laundering-and-combating-the-financing-of-terrorism/prevention-of-ml-and-combating-the-financing-of-terrorism-part-6-7-Enhanced-customer-due-diligence-and-enhanced-ongoing-monitoring. Accessed May 16, 2025.

14  dilisense GmbH - Real-time adverse news. https://dilisense.com/en/sources/adverse-media. Accessed May 16, 2025.

15  dilisense GmbH - What is Sanctions Screening. https://dilisense.com/en/insights/what-is-sanctions-screening. Accessed May 16, 2025.

16  European Union - Consolidated list of persons, groups and entities subject to EU financial sanctions. https://data.europa.eu/data/datasets/consolidated-list-of-persons-groups-and-entities-subject-to-eu-financial-sanctions?locale=en. Accessed May 16, 2025.

17  United Nations - United Nations Security Council Consolidated List. https://main.un.org/securitycouncil/en/content/un-sc-consolidated-list. Accessed May 16, 2025.

18  dilisense GmbH - Sanction list. https://dilisense.com/en/sources/sanction-sources. Accessed May 16, 2025.

19  dilisense GmbH - What is a Suspicious Activity Report (SAR). https://dilisense.com/en/insights/what-is-a-suspicious-activity-report. Accessed May 16, 2025.

20  United Kingdom - National Crime Agency. https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/money-laundering-and-illicit-finance/suspicious-activity-reports. Accessed May 16, 2025.

21  Switzerland - Money Laundering Reporting Office Switzerland (MROS). https://www.fedpol.admin.ch/fedpol/en/home/kriminalitaet/geldwaescherei.html. Accessed May 15, 2025.

22  dilisense GmbH - What is a MLRO? https://dilisense.com/en/insights/what-is-a-money-laundering-reporting-officer. Accessed May 16, 2025.

23  United Kingdom - Standing of the nominated officer. https://www.gamblingcommission.gov.uk/guidance/the-prevention-of-money-laundering-and-combating-the-financing-of-terrorism/prevention-of-ml-and-combating-the-financing-of-terrorism-part-5-1-Standing-of-the-nominated-officer. Accessed May 16, 2025.

dilisense GmbH

Switzerland

info@dilisense.com

UID: CHE-406.519.053