Lex Specialis in Practice: Why Gambling Regulator Rules Override AML/CFT Baselines

Some teams mistakenly believe that following only AML/CFT legislation is somewhat sufficient for gambling compliance—and that looking at regulator guidance somehow steps outside that AML/CFT framework. The unspoken question is often: “If we follow AML law, why also follow gambling regulator rules?” It’s understandable, but fundamentally incomplete.

Here’s why: global AML enforcement data shows gambling regulators are wielding serious power. AML fines in the gambling sector surged from approximately $9.8 million in 2018 to $442 million in 2023, a 42% year-on‑year rise.

That means even if a firm ticks the boxes under broad AML/CFT law, failure to meet strict, regulator-imposed thresholds can still trigger enforcement. In gambling, what regulators expect often sets the standard for how things actually operate, usually raising it well above the minimum legal requirements.

Why gambling compliance goes beyond AML/CFT

Global anti‑money laundering standards explicitly treat gambling as a high‑risk sector. A 2008 FATF guidance document on casinos recommends a risk‑based approach tailored to sector specifics—not a one‑size‑fits‑all law. 

And this isn’t a one-off: FATF’s core Recommendation 1 encourages countries to go further where needed. It says that both financial institutions and designated non-financial businesses and professions should identify, assess, and effectively mitigate their own risks, such as money laundering or terrorist financing. That means taking action beyond the legal baseline when the sector demands it.

Gambling regulators—like the UK Gambling Commission (UKGC)—issue sector‑specific rules and codes of practice, such as identity thresholds, source‑of‑funds requirements, and enhanced due diligence regimes that go further than general AML law.

Suggested read: Enhanced Due Diligence (EDD)

Lex specialis: Applying the specific rule over the general

So what happens when AML/CFT law sets one standard, but your gambling regulator sets another? You don’t choose between them—you follow the one that governs your license. Think of it this way:

•  AML/CFT law provides a basic compliance blueprint.
•  The gambling regulator issues operational “building codes” adapted to high‑risk conditions.
•  You need both: law to set the floor, regulator rules to meet sector realities.

What happens in practice when laws conflict?

Conflicts between general AML/CFT law and sector-specific rules aren’t hypothetical… They happen all the time. When it comes to gambling, the stricter rule almost always wins.

• If AML law triggers EDD only at €2,000, but the regulator’s threshold is €1,000—you apply €1,000.
• If AML law requires “proof of identity,” but the regulator mandates a passport and source of funds, you follow the regulator.

Why? Because that’s what the licensing authority expects. That’s what will be checked during audits. And ultimately, that’s who can suspend or revoke a license.

Suggested read: AML Transaction Monitoring in 2025: The Complete Guide

Real‑world examples

All of this isn’t just theory. Regulators are already enforcing these sector-specific standards, and the consequences for ignoring them are very real. 

For example, in mid-2025, Spelinspektionen hit three licensed operators—TSG Interactive (PokerStars), Betsson Nordic, and Snabbare—with penalties for not gathering enough customer information and source-of-funds data. The fines ranged between SEK 5.5 million and SEK 7 million (around €500,000 to €640,000) for the lack of required due diligence and adequate risk assessment.

The Gambling Commission fined Corbett Bookmakers nearly £700,000 in March 2025: one breach was a customer staking £47,000 and losing £14,000 over eight months without proper verification. This situation highlights a significant concern, as it involves not only compliance with national AML laws but also adherence to social responsibility standards and broader regulatory requirements.

International examples include Australia’s AUSTRAC suing Entain (operator of Ladbrokes), following alleged systemic failures to conduct proper high‑risk customer checks under gambling licensing regimes.

“But we’re AML-compliant…” and other common misconceptions

Let’s clear up some of the most persistent myths we hear from teams navigating gambling compliance.

• “AML/CFT law is all we need to follow.”
  AML/CFT is essential—but not enough. Gambling regulators add stricter, sector-specific obligations based on elevated risk. You must follow both.
• “What if AML law and the regulator say different things?”  
  Apply the stricter or more specific rule. That’s what regulators will audit for. (Lex specialis derogat legi generali).
• “If it’s just a guideline or circular, can we skip it?”
  No. Regulator-issued guidance, license conditions, and codes of practice are often enforceable—even if not labeled as “law.”
• “Isn’t checking both AML law and regulator rules redundant?”
  It may feel like double work, but it’s not. AML laws give general direction; regulators tell you how to navigate your terrain. 
• “What’s the worst that could happen if we just follow AML law?”
  Regulatory breaches, failed audits, fines, or losing your license. You might be “technically” compliant under AML law, but that won’t protect your license.

The real rule of compliance: Know who you’re answering to

Gambling compliance is demanding for a reason. The risks are higher, so the expectations are, too. Yes, AML/CFT laws matter, but your license lives and dies by what your regulator enforces.

The right question isn’t “What’s the legal minimum?”

It’s:

• What does the regulator expect?
• What’s stricter or more tailored to our sector?

That’s your answer. Every time.

And if you’re unsure—ask. That’s what compliance is for. Better to check than assume.