Sumsub
The Sumsuber

Best practices for KYC/AML

Guides
2022-09-09
10 min read

A Global Guide to AML Compliance in Gambling, Gaming, and Betting (2022)

Learn how to stay compliant with AML regulations in three closely related industries—gambling, gaming and betting.

Whether online or offline, casinos, bookkeepers, and other gambling institutions  have historically been used for money laundering and other criminal activity, leading many jurisdictions to impose restrictions. Despite all this, the regulatory landscape is quickly changing. And since such institutions generate millions in revenue, traditionally gambling-averse jurisdictions are starting to change their tune.

Vietnam, a country where gambling has been illegal for centuries, is thinking of legalizing sports betting. The Netherlands and Germany legalized online gambling in 2021, following moves by their European neighbors Spain, Italy, UK, Belgium, Switzerland, France, and Denmark. iGaming—a new internet gaming industry—began operating in Ontario, Canada just in April this year.

As similar as these activities may sound, this article considers the key differences between gaming, gambling, and betting, as well as how to comply with regulations in different countries.

Table of Contents

1. Definitions: gaming, betting and gambling

The terms “gaming”, “betting” and “gambling” are often used as synonyms and they’re all regulated the same way. However, there are important differences. So let’s go over the definitions in more detail.

The main difference between all three lies in the degree of certainty and risk.

Gaming” and “gambling” are often used interchangeably, however the former depends on a certain degree of skill (i.e. Poker), whereas the latter is based entirely on games of chance (i.e. roulette).  
Betting can involve strategic prediction of real-life events supported by data and research. The most common examples are bets on sporting events, reality shows and elections.

2. Why an Anti-Money Laundering (AML) program is a top priority for these industries

Gambling, gaming, and betting have always been attractive for illegal funds. 

In 2009, the Financial Action Task Force (FATF) revised its Recommendations to  further increase AML obligations for casinos. As a result, FATF member countries have strengthened the regulatory landscape for casinos, bookmakers, etc.

To comply, an appropriate AML program is essential. Its purpose is to prevent suspicious customers and transactions from entering the financial system. However, criminals constantly invent sophisticated methods of flying under the radar. Therefore, a truly effective AML program must handle new and complex fraud attempts. Otherwise, businesses expose themselves to financial and reputational losses.

Read further: 6 Key Components of an AML Compliance Program

3. Fundamental AML compliance in betting

Although AML laws are the same for online casinos and betting apps , betting still has its own specifics, and the chances of coming across money laundering are high.

Money laundering in betting takes the following forms:

  • Criminals leverage low-outcome bets to deposit dirty money and withdraw it as “winnings.” 
  • Money obtained from illegal sources is used to sponsor betting as a leisure activity.
  • Criminals directly invest in/ acquire betting shops. This is what allegedly happened in Bremen, Germany. As a result, the city’s authorities decided to shut down all betting shops.

AML compliance program. To prevent betting businesses from becoming a source of crime and comply with betting regulations, a thorough AML compliance program must be in place. Among other things, it should define how the company detects, assesses, and reports financial crime.  

  • Customer Due Diligence (CDD). Before a customer is allowed to bet, they must go through a Customer Due Diligence check. This involves obtaining the customer’s information to verify their identity and evaluate whether they are involved in any crime.
  • Enhanced Due Diligence (EDD). In cases of higher money laundering risk, companies apply what is known as Enhanced Due Diligence. One of the most vital components of EDD is checking clients’ source of funds to ensure that they don’t come from illegal activity. 
  • Ongoing customer monitoring. This is an extra layer of risk management that involves ongoing due diligence checks on the customers and scrutiny of their transactions.
  • Independent AML audits. Such audits allow businesses to detect their deficiencies and failures in their AML strategies, and correct their problems before regulatory inspections. Thus, firms can be protected from high regulatory fines.

Read further: What Makes an AML Compliance Program Effective

4. Fundamental AML compliance in online casinos

Gambling operators must comply with laws and regulations aimed at preventing casino money laundering and terrorist financing (ML/FT). This is an especially vulnerable industry due to its high-risk nature, and online casinos often commit painful mistakes resulting in huge fines.

Read further: Casino Compliance: 6 Common Mistakes and How to Avoid Them

Let’s discuss what casino firms can do to safeguard themselves:

AML compliance program. Online casinos must develop their own compliance programs aimed at fraud prevention.  Such programs must define how the company detects, analyzes, and reports criminal incidents such as gambling money laundering and fraud attempts. There is no one-size-fits-all compliance regime, so each online casino must develop one in accordance with the specifics of their business.

Like in betting, a reliable AML compliance program should include:

  • Customer Due Diligence (CDD) involves gathering basic information about the client (such as their name, address, and date of birth) and verifying it through a reliable source. Online casinos also have to check users (or “gamblers”) against databases containing Politically Exposed Persons (PEPs), sanctioned and blocklisted individuals, as well as adverse media.
  • Enhanced Due Diligence (EDD) is a more sophisticated check needed in the event that a client poses a high risk of money laundering. Online casinos, however, are almost always required to perform EDD given the high ML risks associated with the sector. EDD includes verification of source of funds (SoF) documents, which include debit/credit cards, bank statements, savings accounts, recent paychecks, etc. The types of accepted SoF documents can vary from casino to casino.
  • Employee training. If your team is not fully aware of AML-related red flags, even automated prevention tools won’t necessarily keep you safe. Therefore, online casinos must provide necessary training to their compliance officers, including annual refresher courses. Compliance teams must also be aware of the general requirements (such verifying SoF) as well as risk tolerances specific to their casinos.
  • Reporting. To avoid breaking the law, operators should always report instances of known or suspected money laundering and terrorist financing. Moreover, operators should be aware that there is no minimum financial threshold for reporting these activities.
  • Ongoing customer monitoring. Monitoring helps gambling operators see the big picture about  the customer, their business, and risk profile, including sources of funds if necessary. It pays to know your customer, as it’s not always at the registration stage when fraudsters or money launderers show their true selves.
  • Independent AML audits. Independent auditors should audit AML compliance programs to measure their efficiency and avoid possible regulatory fines. Such audits help businesses to detect their AML failures and correct them before regulatory inspections. Thus, companies can be protected from high regulatory fines.
  • Money lending prevention measures. In the UK, licensed casinos take appropriate measures to prevent organized money lending between customers on their premises. Similarly, if money lending appears to be commercial and/or connected to ML activity, online casinos must be prepared to report such cases to the Gambling Commission.

The UK Gambling Commission has recently made onboarding and verification of clients even stricter. Without successful verification, casinos can neither allow users to deposit money, nor grant them access to free-to-play games, free bets, or bonuses.

5. Responsible gambling guidelines—from underage gambling to marketing ethics

Gambling is only fun when done sensibly; otherwise, it becomes dangerous. To make sure gamblers and gamers are not at risk, regulators demand that online casinos and betting shops keep up with responsible gambling requirements. 

This also concerns video games. In 2019 video game firms faced the risk of prosecution in the UK over gambling by children, with such products as skins and loot boxes in Counter-Strike and Call of Duty. Skins are in-game items that can be won in the game, while loot boxes invite players to pay a certain amount for a mystery reward. Such items aren’t defined as gambling under English law, due to the fact that the in-game items cannot be exchanged for cash within the game. However,  they can still be bought and traded with real money on other sites, and acquiring them may involve an element of chance, similar to placing a bet. The UK’s Gambling Commission said it is prepared to regulate this when the proper legislation is introduced.

Preventing of underage gambling

According to the UK’s Gambling Act 2005, it is illegal to permit any person under the age of 18 to enter a licensed gambling premises. Yet, a 2019 study conducted by GambleAware and the University of Bristol shows that 50% of 17-year-olds living in the UK are gambling on a regular basis. To protect themselves from underage gamblers and related regulatory fines, online casinos must ensure that new players submit their official IDs for verification to comply with casino KYC requirements.

The legal age for gambling varies across countries; most set it at 18, while in Greece and in most US states it’s 21. In Malta, the age is much higher, at 25 for locals. While Portugal has complicated laws, with different age requirements depending on the institution.

Controls for detecting problematic gambling behavior

An important aspect of responsible gambling is being able to stop damaging behavior before it seriously affects a player. Therefore, online casinos have to be on the lookout for warning signs. This means implementing three specific measures for detecting gambling addiction.

  1. Screening for self-excluded individuals
    When onboarding players, online casinos must check if their names appear on self-excluded lists. If so, the casino must bar them from entry. Self-excluded lists may belong to a specific casino or be part of broader, national self-restriction schemes, such as GAMSTOP in the UK.
  2. Ongoing monitoring and addictive gambling triggers
    Detecting the signs of gambling addiction is an ongoing process, lasting throughout the customer lifecycle. Addictive behavior can manifest itself on  multiple occasions, such as when players chase losses, play high stakes, or show erratic gambling patterns. Once problematic behavior is detected, online casinos must restrict the affected player from their service and, ideally, direct them towards help.
  3. Source of funds (SoF) verification
    When checking sources of funds/wealth for casino AML compliance, casinos must analyze whether a player displays behavioral patterns associated with problem gambling. For example, a warning sign could be when a person spends €3k ($3.1k) every month, while earning only €2k ($2.1k).

Special measures to prevent addiction

Casinos should have special programs to enable players to protect themselves 

  • Access limiting. Users can restrict their gambling activity to the amount of hours they consider appropriate.
  • Activity alerts. Notify users if they have been playing for too long. What’s considered ‘too long’ is also determined by the player. Some countries, like Sweden, make these alerts mandatory for all players.
  • Deposit limits. Players put a certain limit on their deposit amounts in order to stick to their budgets and avoid overspending.
  • Time-outs. Users have the option to put their accounts on temporary hiatus for an amount of time that works best for them.
  • Nationwide self-exclusion. Users enter their name onto a national self-exclusion list to block themselves from accessing any gambling website in their country.In the UK, for instance, all online casinos are required to have GAMSTOP membership.
  • Permanent self-exclusion. Players can block themselves from an online casino forever and irreversibly, requesting to cease any contact and no longer receive marketing promotions.

There are many more initiatives that countries can take to protect their nationals. Denmark, for example, requires all online gamblers to pass an online test revealing if they are addicted to gambling.

During the COVID-19 pandemic, regulatory measures have toughened worldwide in a bid to further protect problem gamblers. For instance, Sweden imposed a weekly deposit limit of 5k SEK ($493) and the UK issued strengthened its guidance in response to data showing that players are spending more of their time and money on gambling.

Ethical marketing

Online casinos must avoid targeting vulnerable groups, such as children, teenagers, or self-excluded players. Similarly, gambling can’t be normalized through sponsorship of sports or any other medium that could be associated with youth culture.

These marketing restrictions can also affect the timing of casino advertisements. For example, new rules for online gambling platforms in Germany forbid ads between 6 am and 9 pm. The UK is also ready to introduce curbs on advertising, given findings that 96% of 11-24 year olds in the UK had been exposed to gambling ads in February 2020, leading them to place bets soon after.

Problem gambling awareness

In September 2020, the UK made it mandatory to teach students about online gambling risks at school. The same is expected of online casinos, who must educate users on the dangers of gambling through videos, blog posts, webinars, and other initiatives aimed at raising gambling addiction awareness.

6. Key security standards and practices

Fraud has become a real menace for the gambling industry, with schemes like bonus hunting, multi-accounting, account takeovers and illicit chargebacks on the rise.

Sumsub is here to help.

With this guide, you’ll be able to:

  • build a proper KYC process in the EU and UK,
  • screen customers for money laundering,
  • enforce age verification requirements without slowing down the onboarding process.

Online casinos already have to deal with criminals attempting to steal unprotected data. Worse yet, data can be leaked due to poor management and frequent turnover of staff. That’s why online casinos must implement appropriate controls aimed at protecting players from unnecessary risk.

1) Information Security Management System (ISMS)

An Information Security Management System (ISMS) is a set of procedures to systematically manage a company’s sensitive data. The goal of an ISMS is to reduce risk and ensure business continuity by preemptively limiting the impact of a security breach.

In most online gaming jurisdictions, information security requirements are based on the ISO/IEC 27001:2013 standard, which specifies the requirements for establishing, implementing, and improving an ISMS within the entity.

ISO/IEC 27001:2013 lies at the heart of an Information Security Management System, since its main focus lies on the integrity, availability and confidentiality of sensitive company information. At the same time it covers information backup, along with access control, disaster recovery, incident management procedures, the security of the software cycle and network security controls, and security in supplier relationships. ISMS helps gambling and betting operators minimize security breaches and cyber attacks while reducing the costs associated with keeping information safe. If online casinos are ISO/IEC 27001 certified, jurisdictions such as Colombia, Denmark, Great Britain, the Czech Republic, Greece, Portugal, Romania, Spain, Sweden and Switzerland waive certain security auditing requirements if the company decides to operate abroad. 

2) Data processing responsibilities

Falling under the scope of digital service providers, online casinos must comply with certain data protection principles. Therefore, online casinos have to ensure players understand that their data is going to be processed and, in the case of suspected illegality, potentially shared. To stay compliant, casinos have to acquire explicit consent from players before onboarding them. The same goes for acquiring consent from players prior to sending them any marketing materials—something that the gambling sector is often blamed for neglecting.

3) Data Security Standards

Because online casinos process sensitive customer information, such as credit/debit card details, they have to monitor for security breaches, analyze criminal attacks, and identify potential vulnerabilities. It’s essential to conduct penetration tests at least twice a year in order to identify weaknesses and blindspots. Remember that, if there is a security breach, online casinos may be liable for any resulting damages, depending on applicable data protection regulations.

Based on what we observe, online casinos shouldn’t expect regulations to loosen in the near future. On the contrary, more countries are seeking to develop a more tightly regulated online casino industry, with the aim of protecting vulnerable users from problem gambling. So the best move would be to stay on top of these shifting regulatory demands and be ready for whatever comes next.

7. Regulations around the globe

As gambling regulations get stricter, some businesses consider moving to more “tolerant” jurisdictions. Other businesses choose the opposite route, moving to more reputable regions to attract more customers.We’ve broken down several popular betting jurisdictions below:

  • Australia

    Australia is a reputable gambling jurisdiction with strict compliance requirements.

    Gambling regulation: All states and territories of Australia have their own gambling regulations.

    Authority: The Australian Communications & Media Authority (online betting).

    AML Regulator: Australian Transaction Reports and Analysis Centre (AUSTRAC)

    Age restriction: 18 years.

    Overview: Since there is no single regulator for land-based gambling, the difference in terminology between betting and gambling, as well as different requirements, vary from state to state. The law known as the Interactive Gambling Act prohibits online gambling but allows online betting.

    Bookmakers need a state-issued license to operate in Australia. You can consider Australia if you want to run a company in a very reputable region where people are highly engaged in betting.

    AML-obliged activities: 

    • Betting accounts and services
    • Exchanging gaming chips, tokens or currency
    • Paying out winnings, or awarding a prize, in respect of a game or bet
    • Games of chance, or a mix of chance and skill that are played for money (not including lotteries, raffles or bingo games)
    • Gaming machines (such as poker machines).

  • Gibraltar

    Gibraltar is one of the most popular and well-established gambling jurisdictions Some of the most popular gambling operators, such as Ladbrokes and Betfair, are based there.

    Gambling regulation: The Gambling Act.

    Authority: The Gibraltar Regulatory Authority.

    Age restriction: 18 years.

    Overview: Gambling in Gibraltar includes betting, gaming (casinos, etc.), and lotteries. The territory is one of the most reputable betting jurisdictions with a well-developed infrastructure for remote betting and gambling. Also, Gibraltar offers low taxes and no VAT charges. All these factors make Gibraltar an attractive spot for gaming and betting operators. 

    Gibraltar-licensed bookmakers can provide remote services globally. Previously, the Licensing Authority had only considered licensing blue chip businesses with a proven track record in gambling in other jurisdictions. However, the jurisdiction currently considers licensing of appropriately funded start-ups. Gibraltar also proposes that gaming/betting businesses and startups relocate fully or partially to its jurisdiction.

    The Anti-Money Laundering Code of Practice is an “interpretive guidance” to the Gibraltar gambling industry in respect of the requirements of the Gambling Act, the Gibraltar Proceeds of Crime Act, and the EU Anti-Money Laundering Directives. This Code applies to all financial transactions associated with defined gambling activities undertaken under the authority of a Gibraltar remote gambling license.

  • The UK

    The UK is famous for its strict requirements, transparency, and thorough protection of vulnerable gamblers.

    Gambling regulation: The Gambling Act

    Authority: The UK Gambling Commission.

    Age restriction: 18 years.

    Overview: The Gambling Act divides gambling into gaming, betting, and lottery. All gambling operators, including offshore bookmakers, must obtain a local license. Starting from April 2020, UK citizens will not be able to use credit cards to wage bets, since credit cards pose a financial risk to problem gamblers, allowing them to spend more than they can afford.

    The UK is known for its high AML compliance standards and well-developed responsible gambling policies. Therefore, you can consider the UK if you are not afraid of strict requirements and huge penalties for non-compliance. The benefit is that you’ll be  operating  in one of the most globally recognized gambling jurisdictions.

  • The US

    In 2018, the US government struck down the Professional and Amateur Sports Protection Act. Now each state can decide whether to make betting legal in its territory.

    Gambling regulation: The Unlawful Internet Gambling Enforcement Act and The Interstate Wire Act.

    Authority: Each state where gambling is legal has its own regulator. FinCEN supervises AML compliance in all sectors, including betting.

    Age restriction: 21 years (in majority of states).

    Overview: Since 2018, roughly 30 states have legalized sports betting, including 21 that allow online betting. Permitted forms of betting vary from state to state. For instance, in New York, you can only offer land-based betting services. See the list of allowed betting services and requirements by state here. Necessary responsible gambling measures also differ from state to state, with self-exclusion tools being the most common.

    When sports betting became legal in many states, regulation got much stricter. Nevertheless, the US is a promising place to open a sportsbook. At present, Americans illegally wage more than $150bn a year on sports, so the recent legalization of betting makes it possible for bookmakers to tap into this market. 

  • The European Union (EU)

    Gambling regulation: There is no single gambling regulation in the EU, but 4th , 5th and 6th Anti-Money Laundering Directives (AMLD) prescribes AML requirements for all financial institutions throughout the Union.

    Authority: Every country within the EU has its own regulator. Organizations are not obliged to join the European Gaming and Betting Association, but it is still quite a respectable entity that promotes AML compliance and safe gambling.

    Age restriction: 18 years (in most countries).

    Overview: The Directives unite all gambling, betting, and other similar activities under the term “gambling”. The so-called 4AMLD, 5AMLD and 6AMLD are now in force. While the Directives are a common regulation for all European countries, each country has  local AML regulation that aligns with the Directives.

    Jurisdictions within the EU vary significantly in terms of reputation and affordability. Some of them make it easy to obtain a license, while others, like Malta, have more costly but more reputable licenses.

  • Malta

    Malta is a prestigious betting and gambling jurisdiction.

    Gambling regulation: The Gaming Act.

    Authority: The Malta Gaming Authority.

    Age restriction: 25 years (locals), 18 years (foreigners).

    Overview: In Malta, the term “game” in reference to gambling. The term encompasses two types of games: a game of chance (an activity with an outcome determined by chance), and a game of skill (an activity with an outcome determined by the use of skill). Betting belongs to games of chance.

    Malta is famous for its secure business environment, high AML standards, and strong player protection. Therefore, requirements for a Maltese license are quite strict and include several independent compliance audits. You can consider Malta if you want to operate in one of the most established gambling jurisdictions.

  • Cyprus

    Both gambling and betting are legal in Cyprus. However, similar to Australia, only remote betting is allowed, while online gambling is prohibited.

    Betting regulation: The Betting Law.

    Authority: The National Betting Authority (NBA).

    AML Regulator: CySEC

    Age restriction: 18 years.

    Overview: Gambling (casino, poker, etc.) and betting (wagers on sporting and other events) are regulated separately in Cyprus. The Betting Law supervises online and offline betting, requiring companies to not only obtain a local license, but also open an office in Cyprus in order to offer betting services in the country. Also, all applicants are required to have a paid-up capital of at least €500k ($515k). This way, the country’s government ensures that only established businesses enter the market. 

    The NBA encourages responsible gambling among operators, but the concept is not written into regulation, and no penalties are imposed for non-compliance.

  • Curaçao

    Curaçao is among the most attractive jurisdictions for bookmakers. The island is famous for low gambling taxes (only 2%, no VAT) and simple license application process.

    Gambling regulation: Remote gaming is regulated by the National Ordinance Offshore Games of Hazards, while non-remote services are regulated by the National Ordinance Curaçao Casino Sector.

    Authority: The Curaçao Gaming Control Board (GCB).

    Age restriction: 18 years.

    Overview: In Curaçao, betting and gambling are united under the term “gaming”, with both online and offline gaming being legal. A company can obtain just one all-inclusive license for all gambling and betting services. The GCB encourages operators to adopt measures for responsible gambling compliance, but it is more a recommendation than a requirement, and no fines are imposed.

    Both Malta and Curaçao are popular targets for bookmakers that want to offer remote services all around the world. However, since so many companies can easily set up in Curaçao, its license is not as reputable as a Maltese license. What’s more, many European countries prohibit Curaçao-licensed operators from offering services to their citizens.

  • Costa Rica

    Costa Rica is well-known among bookmakers for its rather lenient gambling laws.

    Gambling regulation: There is no law or government body that supervises gambling in Costa Rica.

    Overview: Gambling regulations in Costa Rica can be considered convenient, with online gambling not being regulated at all. Since there are no gambling laws, gambling and betting are not separated. Offering gambling and betting services to the locals is prohibited, but companies can provide remote services for residents of other countries. The authorities do not monitor remote bookmakers for AML or KYC gambling compliance, let alone responsible gambling.

    In Costa Rica, there is no such thing as a gambling license. If you want to provide betting or gambling, you just need an ordinary business license. No one checks the applicant’s background or gambling software.

Regardless of the jurisdiction you choose, it’s always advisable to stay KYC & AML compliant. More customers will be attracted to your company if they know you’ll protect them from gambling addiction and won’t use their money for illegal activities.

Looking for a tailored solution to KYC/AML compliance, age verification, and source of funds checks? Onboard new players with bank-grade security and in compliance with the latest regulatory guidelines using Sumsub. Get a free demo today.

Share