
🎰 How far must online casino operators go in KYC/AML compliance?


24/09/25

This article examines the obligations of online casino operators under Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations. It reviews the international and national standards, analyses how approaches differ across jurisdictions, and highlights key enforcement cases that demonstrate the risks of non-compliance.

📜 Regulatory and Legal Standards


Online casinos are formally classified as Designated Non-Financial Businesses and Professions (DNFBPs) under the Financial Action Task Force (FATF) Recommendations. FATF Recommendation 22 requires casinos to conduct customer due diligence (CDD), monitor transactions, and report any suspicious activity.


In the United Kingdom, the legal framework rests on:


• Proceeds of Crime Act 2002 (POCA)


• Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (as amended)


• Gambling Act 2005 and the License Conditions and Codes of Practice (LCCP) enforced by the Gambling Commission


Operators must adopt a risk-based approach, assessing the risks associated with customer profiles, jurisdictions, product types, and transaction methods. Identity verification is mandatory at onboarding, covering age, identity, address, and sanctions screening.


Enhanced due diligence (EDD) is required in higher-risk cases, for example politically exposed persons (PEPs), large transaction volumes, or customers using multiple accounts. Operators must keep full records of due diligence, risk assessments, and decisions, making them available to regulators.


Additionally, gambling firms must submit Suspicious Activity Reports (SARs) to the UK Financial Intelligence Unit (FIU) when suspicious transactions are identified. Similar obligations exist across the EU under the 5th and 6th Anti-Money Laundering Directives (AMLDs), which require strong KYC, beneficial ownership checks, and reporting duties.


Responsible gambling and data protection are now considered part of the compliance framework, meaning casinos must implement self-exclusion, deposit limits, and data safeguards under the UK GDPR and EU GDPR.




⚖️ Analysis and Jurisdictional Comparisons


Different jurisdictions take different approaches to regulating online casino compliance.


• In the UK, enforcement has become increasingly strict: operators risk multi-million-pound fines or license revocation for AML and KYC breaches. The Gambling Commission’s 2023 national risk assessment confirmed that gambling remains at high risk of money laundering.


• In the European Union, online casinos must comply with the AMLDs, but each member state implements them differently. For instance, Malta, a key iGaming hub, applies detailed due diligence thresholds, while Lithuania has shown strong enforcement in recent cases.


• Outside Europe, regimes vary significantly. Some jurisdictions enforce lighter checks, triggering KYC only after high transaction thresholds, while others impose checks at the first point of registration.


Technological solutions, such as biometric verification, document scanning, and AI-driven monitoring, are increasingly deployed, but these raise privacy and data protection concerns. Regulators emphasise that while technology can assist, it does not replace the operator’s legal responsibility.


The trend is towards convergence: regulators are harmonising standards, and cross-border operators face simultaneous obligations under multiple regimes, creating a complex compliance landscape.




📂 Enforcement Cases and Practical Examples


Enforcement demonstrates how far operators must go:


• William Hill (UK, 2023): Fined £19.2 million by the Gambling Commission for failing to carry out appropriate AML checks and responsible gambling measures. Customers were able to deposit and lose large sums without adequate source-of-funds checks.


• Entain (UK, 2022): Ordered to pay £17 million for AML and social responsibility failures, including allowing high-spending customers to gamble without proper due diligence.


• Olympic Casino Group Baltija (Lithuania, 2024): Fined €8.36 million for AML failings in relation to a high-profile case involving embezzled funds. The regulator found failures in monitoring, reporting, and source-of-fund verification.


These examples show that regulators expect casinos not only to verify customer identity, but also to analyse ongoing behaviour, verify the source of funds, and avoid enabling financial crime.


Failure to comply brings not only reputational damage and financial penalties but also the risk of losing the operator’s license, effectively ending its ability to operate.




✅ Conclusion


KYC and AML compliance in online casinos is no longer a box-ticking exercise. Regulators expect operators to:


• Apply risk-based customer due diligence from the first point of contact


• Carry out enhanced due diligence for higher-risk players


• Monitor transactions continuously and file SARs promptly


• Enforce responsible gambling and data protection obligations


• Maintain thorough records and cooperate with supervisory authorities


As enforcement actions across Europe show, regulators are willing to impose significant financial penalties and revoke licenses.


If your gaming platform or online casino requires legal support in meeting AML/KYC obligations or responding to regulatory scrutiny, contact NUR Legal. Our team advises operators on compliance frameworks, licensing, risk assessments, and enforcement defence.



Emil Korpinen
