The regulatory landscape for online casinos is changing quickly. Just recently, the Netherlands and Germany announced plans for online gambling legalization, following moves by their European neighbors Spain, Italy, UK, Belgium, Switzerland, France, and Denmark. This means it’s time to refresh our memory on the fundamental requirements facing online casinos today.
Table of Contents
- Fundamental AML requirements for online casinos
- Responsible gambling guidelines—from underage gambling to marketing ethics
- Key security standards and practices
Gambling operators must comply with laws and regulations aimed at preventing money laundering and terrorist financing (ML/FT). Compliance is particularly important for online casinos due to the high-risk nature of their business.
- Well-adjusted AML compliance programs. Online casinos must develop their own compliance program, defining how they detect, analyze, and report criminal incidents such as money laundering and fraud attempts. There is no one-size-fits-all compliance regime, so each online casino must develop one in accordance with the specifics of their business.
- Due diligence measures. Before an individual is permitted to gamble, online casinos must verify them, evaluating the dangers they pose in terms of ML/FT. The format of these due diligence measures varies from country to country. Some regulators require biometric checks of online gamblers, as is done in the UK. Whereas in Germany, video identification is sometimes required.
There are two common levels of due diligence.
1) Customer Due Diligence (CDD) involves gathering basic information about the client (such as their name, address, and date of birth) and verifying it through a reliable source. Online casinos also have to check users (or “gamblers”) against databases containing PEPs, sanctioned and blocklisted individuals, as well as adverse media.
2) Enhanced Due Diligence (EDD) is a more sophisticated protection layer which follows CDD in the event that a client poses a high risk of money laundering. Online casinos, however, are almost always required to perform EDD given the high ML risk associated with the sector. EDD includes verification of source of funds (SoF) documents, which include debit/credit cards, bank statements, savings accounts, recent paychecks, etc. The types of accepted source of funds documents can vary from casino to casino.
- Employee training. If your team is not fully aware of AML-related red flags, even automated prevention tools won’t necessarily keep you safe. Therefore, online casinos must provide necessary training to their compliance officers, including annual refresher courses. Compliance teams must also be aware of the general requirements (such verifying SoF) as well as risk tolerances specific to their casinos.
- Reporting. To avoid breaking the law, operators should always report instances of known or suspected money laundering and terrorist financing. Moreover, operators should be aware that there is no minimum financial threshold for reporting these activities.
- Money lending prevention measures. In the UK, licensed casinos take appropriate measures to prevent organized money lending between customers on their premises. Similarly, if money lending appears to be commercial and/or connected to ML activity, online casinos must be prepared to report such cases to the Gambling Commission.
The UK Gambling Commission has recently made onboarding and verification of clients even more strict. Without successful verification, casinos not only cannot allow users to deposit money, but also can’t grant them access to free-to-play games, free bets, or bonuses.
Gambling is only fun when done sensibly; otherwise, it becomes dangerous. To make sure gamblers are not at risk when playing, regulators demand that online casinos keep up with responsible gambling requirements. These requirements stretch from preventing underage gambling to marketing ethics.
Preventing of underage gambling
A 2019 study conducted by GambleAware and the University of Bristol has shown that 50 percent of 17-year-olds living in the UK are gambling on a regular basis. To prevent this figure from growing, and to protect themselves from regulatory fines, online casinos must ensure that their users are of age. Therefore, online casinos must require new players to submit their official IDs for verification at the KYC stage.
The legal age for gambling varies across countries; the UK sets it at 18; in the US, it’s 21 for most states; and, in Malta, it’s 25 for locals.
Controls for detecting problematic gambling behaviour
An important aspect of responsible gambling is being able to stop damaging behavior before it seriously affects a player. Therefore, online casinos have to be on the lookout for warning signs. This means implementing three specific measures for detecting gambling addiction.
- Screening for self-excluded individuals
When onboarding players, online casinos must check if their names appear on self-excluded lists. If so, the casino must bar them from entry. Self-excluded lists may belong to a specific casino or be part of broader, national self-restriction schemes, such as GAMSTOP in the UK.
- Ongoing monitoring and addictive gambling triggers
Detecting the signs of gambling addiction is an ongoing process, lasting throughout the customer lifecycle. Addictive behaviour can manifest on multiple occasions, such as when players chase losses, play high stakes, or show erratic gambling patterns. Once problematic behavior is detected, online casinos must restrict the affected player from their service and, ideally, direct them towards help.
- Source of funds (SoF) verification
When checking sources of funds/wealth for AML compliance, casinos must analyze whether a player displays behavioral patterns associated with problem gambling. For example, a warning sign could be when a person spends €3000 every month, while earning only €2000.
Special measures to prevent addiction and its progression
Casinos should have special programs allowing players to protect themselves from addictive patterns.
- Access limiting. Users can restrict their gambling activity to the amount of hours they consider appropriate.
- Activity alerts. Notify users if they have been playing for too long. What’s considered ‘too long’ is also determined by the player. Some countries, like Sweden, made these alerts mandatory for all players.
- Deposit limits. Players put a certain limit on their deposit amounts in order to stick to their budgets and avoid overspending.
- Time-outs. Users have the option to put their accounts on temporary hiatus for an amount of time that works best for them.
- Nationwide self-exclusion. Users enter their name onto a national self-exclusion list to block themselves from accessing any gambling website in their country. This is an option that online casinos should offer to troubled players. In the UK, for instance, all online casinos are required to have GAMSTOP membership.
- Permanent self-exclusion. Players can block themselves from an online casino forever and irreversibly, requesting to cease any contact and no longer receive marketing promotions.
There are many more initiatives that countries take to protect their nationals. Denmark, for example, requires all online gamblers to pass an online test revealing if they are, in fact, addicted to gambling.
During the COVID-19 pandemic, regulatory measures have toughened worldwide in a bid to further protect problem gamblers. For instance, Sweden imposed a weekly deposit limit of 5,000 SEK (£400) and the UK issued strengthened guidance, triggered by data showing that players are spending more of their time and money on gambling.
Online casinos must avoid targeting vulnerable groups, such as children, teenagers, or self-excluded players. Therefore, advertisements cannot use imagery that can be appealing to children. Similarly, gambling cannot be normalized through sponsorship of sports or any other medium that could be associated with youth culture.
These marketing restrictions can also affect the timing of casino advertisements. For example, new rules for online gambling platforms in Germany forbid ads between 6 am and 9 pm. The UK is also ready to introduce curbs on advertising, given findings that 96% of 11-24 year olds in the UK had been exposed to gambling ads in the month of February, 2020, leading them to place bets soon after.
Problem gambling awareness
In September 2020, the UK made it mandatory to teach students about online gambling risks at school. The same is expected of online casinos, who must do everything to educate users on the dangers of gambling. This can be done by recording videos, writing blog posts, organizing webinars, and other initiatives aimed at raising gambling addiction awareness.
Online casinos already have to deal with criminals attempting to steal unprotected data. Worse yet, data can be leaked by a casino due to poor management and frequent turnover of staff. That’s why online casinos must implement appropriate controls aimed at protected players from unnecessary risk.
1) Information Security Management System (ISMS)
ISMS helps casinos minimize the security breaches and cyber-attacks while reducing the costs associated with keeping information safe. If online casinos are ISO/IEC 27001 certified, jurisdictions such as Colombia, Denmark, Great Britain, the Czech Republic, Greece, Portugal, Romania, Spain, Sweden and Switzerland waive certain security auditing requirements. This enables casino businesses to conduct independent regulatory testing, speeding up the certification process and saving up on costs and labor.
2) Data processing responsibilities
Falling under the scope of digital service providers, online casinos must comply with certain data protection principles. In particular, online casinos have to ensure players understand that their data is going to be processed and, in the case of suspected illegality, potentially shared. To stay compliant, casinos have to acquire explicit consent from players before onboarding them. Same goes for acquiring consent from players prior to sending them any marketing materials—something that the gambling sector is often blamed for neglecting.
3) Data Security Standards
Because online casinos process sensitive customer information, such as credit/debit card details, they have to monitor for security breaches, analyze criminal attacks, and identify potential vulnerabilities. It is essential to conduct penetration tests at least twice a year in order to identify weaknesses and blindspots. Remember that, if there is a security breach, online casinos may be liable for any resulting damages, depending on applicable data protection regulations.
Based on what we observe, online casinos shouldn’t expect regulations to loosen in the near future. On the contrary, more countries are seeking to develop a regulated online casino industry, with an aim to protect vulnerable nationals from problem gambling. So, the best move would be to stay on top of these shifting demands and be ready for whatever comes next.
Looking for a tailored solution to KYC/AML compliance, age verification, and source of funds checks? Onboard new players with bank-grade security and in compliance with the latest regulatory guidelines using Sumsub. Get a free demo today.