iGaming AML Programme: Building a Compliant Anti-Money Laundering Framework

Casinos and betting operators are among the highest-risk business sectors for money laundering under both FATF guidance and UK regulatory frameworks. The combination of cash acceptance in land-based operations, high-volume electronic transactions in online operations, and the potential to convert illicit funds into apparent gambling winnings creates a sector-specific AML risk profile that demands a structured, well-resourced programme. For UKGC-licensed operators, AML failures have resulted in regulatory penalties exceeding £100 million collectively across the industry over the past decade, with individual operator fines reaching into the tens of millions.

The Legal Basis: MLR17 and LCCP

The legal framework for iGaming AML compliance in the UK has two foundations. The Money Laundering Regulations 2017 (MLR17), as amended by the 2019 and 2022 amendments, apply to casino operators as regulated businesses under Schedule 2, requiring them to implement a risk-based AML programme. Additionally, the UKGC's Licence Conditions and Codes of Practice impose AML requirements through Social Responsibility Code Provision 12.1 and the associated Industry Good Practice Guidance, which the Gambling Commission has explicitly stated it uses as the benchmark for assessing operator compliance.

For online operators without cash-facing operations, MLR17 applies strictly to land-based casino activities. However, the LCCP AML requirements apply to all licensed operators regardless of whether they also fall under MLR17 as a regulated sector. The UKGC's enforcement decisions have consistently applied the same AML standard expectations to online-only operators as to land-based operators under the licence conditions framework.

The Business-Wide Risk Assessment

The foundation of any compliant iGaming AML programme is the Business-Wide Risk Assessment (BWRA), required by Regulation 18 of MLR17 and reflected in the UKGC's AML guidance. The BWRA must identify and assess the AML risks associated with the operator's products, customers, jurisdictions, and delivery channels. For a UK-licensed online casino, the key risk factors to assess include:

• High-value players with rapid deposit and withdrawal cycles who may be using gambling to layer funds
• Players from high-risk jurisdictions under FATF's grey or blacklists
• Payment methods with higher anonymity risk (prepaid vouchers, crypto)
• Politically Exposed Persons (PEPs) and their associates
• Unusual patterns in player behaviour — large deposits immediately withdrawn after minimal wagering

The BWRA must be reviewed and updated annually and whenever the operator makes material changes to its product, customer base, or distribution channels. The Gambling Commission has criticised operators for maintaining BWRAs that are generic and unattuned to the specific risk profile of their actual customer base — the document must reflect the real risks of the real business, not a theoretical risk register.

Customer Due Diligence: Triggers and Standards

CDD in the iGaming context is triggered by thresholds set in the operator's own AML policy, rather than the statutory thresholds that apply to supervised sector firms like banks. The LCCP requires operators to apply CDD before permitting players to deposit or wager material amounts, but leaves the specific trigger levels to the operator's risk-based judgment. Industry practice has converged on triggers in the region of £2,000 cumulative net deposits within 24 hours, or £8,000–10,000 within 30 days, but these are operational defaults rather than regulatory minimums.

The quality of CDD is more important than the trigger level. The Gambling Commission's enforcement decisions show a recurring pattern: operators that trigger CDD but accept inadequate documentation — salary slips from employment where the claimed income is inconsistent with the deposit volumes, or bank statements for accounts that are clearly used as conduits rather than primary accounts — fail AML compliance even if the formal CDD process was initiated.

Source of funds (SOF) evidence must be assessed against the customer's deposit pattern. A player depositing £50,000 in a month who provides a payslip showing a £60,000 annual salary has not demonstrated that this month's gambling funds came from a legitimate source consistent with their income. The SOF assessment must consider the quantum and velocity of deposits, not just the existence of an income source.

PEP and Sanctions Screening

All player accounts must be screened against PEP databases and sanctions lists at account opening and on an ongoing basis. The sanctions screening obligation is strict — accepting a deposit from a sanctions-designated individual is a criminal offence under the Sanctions and Anti-Money Laundering Act 2018 regardless of whether the operator was aware of the designation at the time. Real-time screening against OFSI (Office of Financial Sanctions Implementation) and OFAC lists must be integrated into the onboarding and transaction flow.

PEP screening triggers Enhanced Due Diligence (EDD), not an automatic decline. A PEP who can demonstrate legitimate source of wealth may be an acceptable customer — but the EDD file must be of higher quality and must be reviewed by senior management before the relationship is approved or continued.

Suspicious Activity Reports

Where an operator suspects that a customer is engaged in money laundering or terrorist financing, or has reasonable grounds for suspicion, a Suspicious Activity Report (SAR) must be submitted to the National Crime Agency (NCA) via the online SAR portal. Failure to report is a criminal offence under the Proceeds of Crime Act 2002 (POCA). The threshold for suspicion is objective — the question is whether a reasonable person in the operator's position would have suspected money laundering, not whether the operator actually formed that suspicion.

SAR reporting must be protected by a "tipping off" prohibition — the operator must not tell the customer that a SAR has been filed, as this would compromise any law enforcement investigation. The operational implication is that staff who prepare SARs must be trained on tipping-off restrictions, and the SAR process must be managed by the MLRO (Money Laundering Reporting Officer) in a way that insulates front-line staff from knowledge of which accounts are under SAR review.