Verification knowledge hub
Learn how to stay compliant with AML regulations in three closely related industries—gambling, gaming and betting.
Whether online or offline, casinos, bookkeepers, and other gambling institutions have historically been used for money laundering and other criminal activity, leading many jurisdictions to impose restrictions. Despite all this, the regulatory landscape is quickly changing. And since such institutions generate millions in revenue, traditionally gambling-averse jurisdictions are starting to change their tune.
Vietnam, a country where gambling has been illegal for centuries, is thinking of legalizing sports betting. The Netherlands and Germany legalized online gambling in 2021, following moves by their European neighbors Spain, Italy, UK, Belgium, Switzerland, France, and Denmark. iGaming—a new internet gaming industry—began operating in Ontario, Canada just in April last year.
As similar as these activities may sound, this article considers the key differences between gaming, gambling, and betting, as well as how to comply with regulations in different countries.
The terms “gaming”, “betting” and “gambling” are often used as synonyms and they’re all regulated the same way. However, there are important differences. So let’s go over the definitions in more detail.
The main difference between all three lies in the degree of certainty and risk.
“Gaming” and “gambling” are often used interchangeably, however the former depends on a certain degree of skill (i.e. Poker), whereas the latter is based entirely on games of chance (i.e. roulette and other online casino games).
Suggested read: The 6 Most Popular Forms of Money Laundering in Casinos
Betting can involve strategic prediction of real-life events supported by data and research. The most common examples are bets on sporting events, reality shows and elections.
Crypto gambling is a type of online gambling that uses virtual currencies as a means of payment. The benefits of this method include the additional security offered by blockchain technology, and the ability for players to instantly withdraw money from their accounts, unlike in traditional online casinos.
Suggested read: Crypto Gambling Regulations in the US, UK, and Canada
Sumsub prepared a KYC guide for the gaming industry in the USA and Canada to help businesses understand the gaming laws in these countries and optimize their verification flows. You will learn how to combat fraud, build proper verification processes, screen users for money laundering, and maintain high conversion rates:
Gambling, gaming, and betting have always been attractive for illegal funds.
In 2009, the Financial Action Task Force (FATF) revised its Recommendations to further increase AML obligations for casinos. As a result, FATF member countries have strengthened the regulatory landscape for casinos, bookmakers, etc.
To comply, an appropriate AML program is essential. Its purpose is to prevent suspicious customers and transactions from entering the financial system. However, criminals constantly invent sophisticated methods of flying under the radar. Therefore, a truly effective AML program must handle new and complex fraud attempts. Otherwise, businesses expose themselves to financial and reputational losses.
Suggested read: 6 Key Components of an AML Compliance Program
Although AML laws are the same for online casinos and betting apps , betting still has its own specifics, and the chances of coming across money laundering are high.
Money laundering in betting takes the following forms:
AML compliance program. To prevent betting businesses from becoming a source of crime and comply with betting regulations, a thorough AML compliance program must be in place. Among other things, it should define how the company detects, assesses, and reports financial crime.
Suggested read: What Makes an AML Compliance Program Effective
Gambling operators must comply with laws and regulations aimed at preventing casino money laundering and terrorist financing (ML/FT). This is an especially vulnerable industry due to its high-risk nature, and online casinos often commit painful mistakes resulting in huge fines.
Suggested read: Casino Compliance: 6 Common Mistakes and How to Avoid Them
Let’s discuss what casino firms can do to safeguard themselves:
AML compliance program. Online casinos must develop their own compliance programs aimed at fraud prevention. Such programs must define how the company detects, analyzes, and reports criminal incidents such as gambling money laundering and fraud attempts. There is no one-size-fits-all compliance regime, so each online casino must develop one in accordance with the specifics of their business.
Like in betting, a reliable AML compliance program should include:
The UK Gambling Commission has recently made onboarding and verification of clients even stricter. Without successful verification, casinos can neither allow users to deposit money, nor grant them access to free-to-play games, free bets, or bonuses.
In most jurisdictions online casinos are obliged to conduct a Know Your Customer (KYC) procedure as part of the local AML regulations. KYC requirements for casinos differ from one jurisdiction to another, but usually they include the following:
Suggested read: KYC Guide for the Gaming industry: US and Canada
Gambling is only fun when done sensibly; otherwise, it becomes dangerous. To make sure gamblers and gamers are not at risk, regulators demand that online casinos and betting shops keep up with responsible gambling requirements.
This also concerns video games. In 2019 video game firms faced the risk of prosecution in the UK over gambling by children, with such products as skins and loot boxes in Counter-Strike and Call of Duty. Skins are in-game items that can be won in the game, while loot boxes invite players to pay a certain amount for a mystery reward. Such items aren’t defined as gambling under English law, due to the fact that the in-game items cannot be exchanged for cash within the game. However, they can still be bought and traded with real money on other sites, and acquiring them may involve an element of chance, similar to placing a bet. The UK’s Gambling Commission said it is prepared to regulate this when the proper legislation is introduced.
According to the UK’s Gambling Act 2005, it is illegal to permit any person under the age of 18 to enter a licensed gambling premises. Yet, a 2019 study conducted by GambleAware and the University of Bristol shows that 50% of 17-year-olds living in the UK are gambling on a regular basis. To protect themselves from underage gamblers and related regulatory fines, online casinos must ensure that new players submit their official IDs for verification to comply with casino KYC requirements.
The legal age for gambling varies across countries; most set it at 18, while in Greece and in most US states it’s 21. In Malta, the age is much higher, at 25 for locals. While Portugal has complicated laws, with different age requirements depending on the institution.
An important aspect of responsible gambling is being able to stop damaging behavior before it seriously affects a player. Therefore, online casinos have to be on the lookout for warning signs. This means implementing three specific measures for detecting gambling addiction.
Casinos should have special programs to enable players to protect themselves
There are many more initiatives that countries can take to protect their nationals. Denmark, for example, requires all online gamblers to pass an online test revealing if they are addicted to gambling.
During the COVID-19 pandemic, regulatory measures have toughened worldwide in a bid to further protect problem gamblers. For instance, Sweden imposed a weekly deposit limit of 5k SEK ($493) and the UK issued strengthened its guidance in response to data showing that players are spending more of their time and money on gambling.
Online casinos must avoid targeting vulnerable groups, such as children, teenagers, or self-excluded players. Similarly, gambling can’t be normalized through sponsorship of sports or any other medium that could be associated with youth culture.
These marketing restrictions can also affect the timing of casino advertisements. For example, new rules for online gambling platforms in Germany forbid ads between 6 am and 9 pm. The UK is also ready to introduce curbs on advertising, given findings that 96% of 11-24 year olds in the UK had been exposed to gambling ads in February 2020, leading them to place bets soon after.
In September 2020, the UK made it mandatory to teach students about online gambling risks at school. The same is expected of online casinos, who must educate users on the dangers of gambling through videos, blog posts, webinars, and other initiatives aimed at raising gambling addiction awareness.
Fraud has become a real menace for the gambling industry, with schemes like bonus hunting, multi-accounting, account takeovers and illicit chargebacks on the rise.
Sumsub is here to help.
With this guide, you’ll be able to:
Online casinos already have to deal with criminals attempting to steal unprotected data. Worse yet, data can be leaked due to poor management and frequent turnover of staff. That’s why online casinos must implement appropriate controls aimed at protecting players from unnecessary risk.
1) Information Security Management System (ISMS)
An Information Security Management System (ISMS) is a set of procedures to systematically manage a company’s sensitive data. The goal of an ISMS is to reduce risk and ensure business continuity by preemptively limiting the impact of a security breach.
In most online gaming jurisdictions, information security requirements are based on the ISO/IEC 27001:2013 standard, which specifies the requirements for establishing, implementing, and improving an ISMS within the entity.
ISO/IEC 27001:2013 lies at the heart of an Information Security Management System, since its main focus lies on the integrity, availability and confidentiality of sensitive company information. At the same time it covers information backup, along with access control, disaster recovery, incident management procedures, the security of the software cycle and network security controls, and security in supplier relationships. ISMS helps gambling and betting operators minimize security breaches and cyber attacks while reducing the costs associated with keeping information safe. If online casinos are ISO/IEC 27001 certified, jurisdictions such as Colombia, Denmark, Great Britain, the Czech Republic, Greece, Portugal, Romania, Spain, Sweden and Switzerland waive certain security auditing requirements if the company decides to operate abroad.
2) Data processing responsibilities
Falling under the scope of digital service providers, online casinos must comply with certain data protection principles. Therefore, online casinos have to ensure players understand that their data is going to be processed and, in the case of suspected illegality, potentially shared. To stay compliant, casinos have to acquire explicit consent from players before onboarding them. The same goes for acquiring consent from players prior to sending them any marketing materials—something that the gambling sector is often blamed for neglecting.
3) Data Security Standards
Because online casinos process sensitive customer information, such as credit/debit card details, they have to monitor for security breaches, analyze criminal attacks, and identify potential vulnerabilities. It’s essential to conduct penetration tests at least twice a year in order to identify weaknesses and blindspots. Remember that, if there is a security breach, online casinos may be liable for any resulting damages, depending on applicable data protection regulations.
Based on what we observe, online casinos shouldn’t expect regulations to loosen in the near future. On the contrary, more countries are seeking to develop a more tightly regulated online casino industry, with the aim of protecting vulnerable users from problem gambling. So the best move would be to stay on top of these shifting regulatory demands and be ready for whatever comes next.
As gambling regulations get stricter, some businesses consider moving to more “tolerant” jurisdictions. Other businesses choose the opposite route, moving to more reputable regions to attract more customers.We’ve broken down several popular betting jurisdictions below:
In 2018, the US government struck down the Professional and Amateur Sports Protection Act. Now each state can decide whether to make betting legal in its territory.
Gambling regulation: The Unlawful Internet Gambling Enforcement Act and The Interstate Wire Act.
Authority: Each state where gambling is legal has its own regulator. FinCEN supervises AML compliance in all sectors, including betting.
Age restriction: 21 years (in majority of states).
Overview: Since 2018, roughly 30 states have legalized sports betting, including 21 that allow online betting. Permitted forms of betting vary from state to state. For instance, in New York, you can only offer land-based betting services. See the list of allowed betting services and requirements by state here. Necessary responsible gambling measures also differ from state to state, with self-exclusion tools being the most common.
When sports betting became legal in many states, regulation got much stricter. Nevertheless, the US is a promising place to open a sportsbook. At present, Americans illegally wage more than $150bn a year on sports, so the recent legalization of betting makes it possible for bookmakers to tap into this market.
Check out Sumsub’s KYC guide for the gaming industry in the USA and Canada.
Australia is a reputable gambling jurisdiction with strict compliance requirements.
Gambling regulation: All states and territories of Australia have their own gambling regulations.
Authority: The Australian Communications & Media Authority (online betting).
AML Regulator: Australian Transaction Reports and Analysis Centre (AUSTRAC)
Age restriction: 18 years.
Overview: Since there is no single regulator for land-based gambling, the difference in terminology between betting and gambling, as well as different requirements, vary from state to state. The law known as the Interactive Gambling Act prohibits online gambling but allows online betting.
Bookmakers need a state-issued license to operate in Australia. You can consider Australia if you want to run a company in a very reputable region where people are highly engaged in betting.
Gibraltar is one of the most popular and well-established gambling jurisdictions Some of the most popular gambling operators, such as Ladbrokes and Betfair, are based there.
Gambling regulation: The Gambling Act.
Authority: The Gibraltar Regulatory Authority.
Age restriction: 18 years.
Overview: Gambling in Gibraltar includes betting, gaming (casinos, etc.), and lotteries. The territory is one of the most reputable betting jurisdictions with a well-developed infrastructure for remote betting and gambling. Also, Gibraltar offers low taxes and no VAT charges. All these factors make Gibraltar an attractive spot for gaming and betting operators.
Gibraltar-licensed bookmakers can provide remote services globally. Previously, the Licensing Authority had only considered licensing blue chip businesses with a proven track record in gambling in other jurisdictions. However, the jurisdiction currently considers licensing of appropriately funded start-ups. Gibraltar also proposes that gaming/betting businesses and startups relocate fully or partially to its jurisdiction.
The Anti-Money Laundering Code of Practice is an “interpretive guidance” to the Gibraltar gambling industry in respect of the requirements of the Gambling Act, the Gibraltar Proceeds of Crime Act, and the EU Anti-Money Laundering Directives. This Code applies to all financial transactions associated with defined gambling activities undertaken under the authority of a Gibraltar remote gambling license.
The UK is famous for its strict requirements, transparency, and thorough protection of vulnerable gamblers.
Gambling regulation: The Gambling Act,
Authority: The UK Gambling Commission.
Age restriction: 18 years.
Overview: The Gambling Act divides gambling into gaming, betting, and lottery. All gambling operators, including offshore bookmakers, must obtain a local license. Starting from April 2020, UK citizens will not be able to use credit cards to wage bets, since credit cards pose a financial risk to problem gamblers, allowing them to spend more than they can afford.
The UK is known for its high AML compliance standards and well-developed responsible gambling policies. Therefore, you can consider the UK if you are not afraid of strict requirements and huge penalties for non-compliance. The benefit is that you’ll be operating in one of the most globally recognized gambling jurisdictions.
Gambling regulation: There is no single gambling regulation in the EU, but 4th , 5th and 6th Anti-Money Laundering Directives (AMLD) prescribes AML requirements for all financial institutions throughout the Union.
Authority: Every country within the EU has its own regulator. Organizations are not obliged to join the European Gaming and Betting Association, but it is still quite a respectable entity that promotes AML compliance and safe gambling.
Age restriction: 18 years (in most countries).
Overview: The Directives unite all gambling, betting, and other similar activities under the term “gambling”. The so-called 4AMLD, 5AMLD and 6AMLD are now in force. While the Directives are a common regulation for all European countries, each country has local AML regulation that aligns with the Directives.
Jurisdictions within the EU vary significantly in terms of reputation and affordability. Some of them make it easy to obtain a license, while others, like Malta, have more costly but more reputable licenses.
Malta is a prestigious betting and gambling jurisdiction.
Gambling regulation: The Gaming Act.
Authority: The Malta Gaming Authority.
Age restriction: 25 years (locals), 18 years (foreigners).
Overview: In Malta, the term “game” in reference to gambling. The term encompasses two types of games: a game of chance (an activity with an outcome determined by chance), and a game of skill (an activity with an outcome determined by the use of skill). Betting belongs to games of chance.
Malta is famous for its secure business environment, high AML standards, and strong player protection. Therefore, requirements for a Maltese license are quite strict and include several independent compliance audits. You can consider Malta if you want to operate in one of the most established gambling jurisdictions.
Both gambling and betting are legal in Cyprus. However, similar to Australia, only remote betting is allowed, while online gambling is prohibited.
Betting regulation: The Betting Law.
Authority: The National Betting Authority (NBA).
AML Regulator: CySEC
Age restriction: 18 years.
Overview: Gambling (casino, poker, etc.) and betting (wagers on sporting and other events) are regulated separately in Cyprus. The Betting Law supervises online and offline betting, requiring companies to not only obtain a local license, but also open an office in Cyprus in order to offer betting services in the country. Also, all applicants are required to have a paid-up capital of at least €500k ($515k). This way, the country’s government ensures that only established businesses enter the market.
The NBA encourages responsible gambling among operators, but the concept is not written into regulation, and no penalties are imposed for non-compliance.
Curaçao is among the most attractive jurisdictions for bookmakers. The island is famous for low gambling taxes (only 2%, no VAT) and simple license application process.
Gambling regulation: Remote gaming is regulated by the National Ordinance Offshore Games of Hazards, while non-remote services are regulated by the National Ordinance Curaçao Casino Sector.
Authority: The Curaçao Gaming Control Board (GCB).
Age restriction: 18 years.
Overview: In Curaçao, betting and gambling are united under the term “gaming”, with both online and offline gaming being legal. A company can obtain just one all-inclusive license for all gambling and betting services. The GCB encourages operators to adopt measures for responsible gambling compliance, but it is more a recommendation than a requirement, and no fines are imposed.
Both Malta and Curaçao are popular targets for bookmakers that want to offer remote services all around the world. However, since so many companies can easily set up in Curaçao, its license is not as reputable as a Maltese license. What’s more, many European countries prohibit Curaçao-licensed operators from offering services to their citizens.
Costa Rica is well-known among bookmakers for its rather lenient gambling laws.
Gambling regulation: There is no law or government body that supervises gambling in Costa Rica.
Overview: Gambling regulations in Costa Rica can be considered convenient, with online gambling not being regulated at all. Since there are no gambling laws, gambling and betting are not separated. Offering gambling and betting services to the locals is prohibited, but companies can provide remote services for residents of other countries. The authorities do not monitor remote bookmakers for AML or KYC gambling compliance, let alone responsible gambling.
In Costa Rica, there is no such thing as a gambling license. If you want to provide betting or gambling, you just need an ordinary business license. No one checks the applicant’s background or gambling software.
Regardless of the jurisdiction you choose, it’s always advisable to stay KYC & AML compliant. More customers will be attracted to your company if they know you’ll protect them from gambling addiction and won’t use their money for illegal activities.
Gaming AML compliance is a set of procedures and controls gaming providers develop to prevent and combat money laundering, terrorist financing and other financial crimes. This usually includes KYC, which falls into the CDD program required by the regulators. It can also include transaction monitoring and a number of other procedures (like record keeping and suspicious activity reports), depending on the jurisdiction.
Casino compliance is a set of procedures and controls an online or offline casino develops to prevent and combat ML/TF. This usually includes KYC as part of the CDD program required by the regulators, and a number of other procedures (like record keeping and suspicious activity reports), depending on the jurisdiction.
Yes. In most jurisdictions bookmakers are AML regulated and have to follow AML legal requirements.
Looking for a tailored solution to KYC/AML compliance, age verification, and source of funds checks? Onboard new players with bank-grade security and in compliance with the latest regulatory guidelines using Sumsub. Get a free demo today.