
KYC/AML for Online Gambling Operators: AMLD6 Requirements 2026

Complete guide to KYC and AML compliance for online gambling operators under EU AMLD6 2026: CDD thresholds, document verification, SAR reporting, EDD requirements.

CheckFile Team

Online gambling operators are explicitly classified as obliged entities under EU anti-money laundering law. With the AMLR (Regulation EU 2024/1624) and AMLD6 (Directive 2024/1640) fully applicable from 10 July 2027, the compliance requirements for gambling operators are being harmonised across all 27 EU member states without the need for national transposition. In the UK, operators licensed by the UK Gambling Commission (UKGC) face parallel obligations under the Money Laundering Regulations 2017 (MLR 2017), enforced by both the UKGC and HMRC. This guide explains what operators must do and when.

This article is for informational purposes only and does not constitute legal or regulatory advice. Regulatory references are accurate as of the publication date. Seek qualified legal counsel for advice specific to your situation.

Which Gambling Operators Are Subject to AML Requirements?

Gambling service providers are obliged entities under the AMLR. Article 3(3)(e) of Regulation EU 2024/1624 explicitly lists "providers of gambling services" among entities subject to the full customer due diligence (CDD) and transaction monitoring requirements (EUR-Lex, Regulation EU 2024/1624).

In the UK, all operators holding a remote or non-remote gambling licence from the UKGC are subject to the MLR 2017, as amended by the Money Laundering and Terrorist Financing (Amendment) Regulations 2022. The Financial Action Task Force (FATF) has specifically flagged casinos as high-risk for money laundering in its 2021 report on money laundering through the real estate sector.

| Operator Type | Obliged Entity | CDD Threshold |
|---|---|---|
| Online sports betting | Yes | EUR 2,000 per transaction or aggregate |
| Online casino | Yes | EUR 2,000 per transaction or winnings payout |
| Online poker | Yes | EUR 2,000 per transaction or aggregate |
| Lottery (online) | Yes | Win or prize of EUR 2,000+ |
| Low-risk small games | Possible exemption | Member state discretion |

Customer Due Diligence (CDD) Requirements for Gambling Operators

CDD is triggered when a customer transaction reaches EUR 2,000 as a single payment or through cumulative linked transactions within a 24-hour window. The UKGC's July 2023 guidance on financial crime requires operators to implement robust CDD from account opening, not merely at threshold-triggering deposits (UKGC, Financial Crime Guide 2023).

Identity Documents Required at Onboarding

Standard CDD requires operators to collect and verify:

  • Photo ID: valid passport or national identity card (driving licence accepted where national rules permit)
  • Proof of address: utility bill or bank statement dated within 3 months
  • Date of birth confirmation for age verification (minimum 18 years)
  • For corporate customers: certificate of incorporation, beneficial ownership structure, and UBO identification

The UKGC's LCCP (Licence Conditions and Codes of Practice) Condition 12 requires licensees to verify customer identity at account opening. For remote operators, digital verification methods are accepted where they meet the standards set by the Joint Money Laundering Steering Group (JMLSG Guidance, Part II Section 14).

CheckFile supports gambling operators with multi-layer document verification (structural integrity checks, metadata analysis, and cross-document consistency) compatible with high-volume KYC onboarding workflows.

Risk-Based Approach to CDD

Not all customers carry the same money laundering risk. A risk-based approach requires segmenting your customer base. Key risk factors specific to gambling include:

  • Deposit method: e-wallets and cryptocurrency deposits carry higher risk than bank transfers
  • Geographic origin: customers from FATF high-risk jurisdictions require enhanced scrutiny
  • Playing patterns: structured deposits just below the EUR 2,000 threshold (smurfing)
  • Withdrawal patterns: immediate withdrawals after deposit with minimal play (potential conversion)
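The EUR 2,000 trigger over a 24-hour window described above, and the structured-deposit risk factor, can be checked with one rolling aggregation per customer. The following is an added example, not CheckFile's code: the function name, the reason labels, treating "linked" as "same customer ID", and the sample payments are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CDD_THRESHOLD_EUR = 2000        # threshold stated in the article
WINDOW = timedelta(hours=24)    # aggregation window stated in the article

def cdd_triggers(transactions):
    """Return {customer_id: (timestamp, reason)} for each customer's first trigger.

    transactions: iterable of (timestamp, customer_id, amount_eur).
    Assumptions: "linked" means same customer_id; the window is rolling and
    ends at each new payment; a payment exactly 24 hours old still counts.
    """
    window = defaultdict(deque)  # customer -> payments inside the last 24 hours
    total = defaultdict(int)     # customer -> sum of those payments
    triggered = {}
    for ts, customer, amount in sorted(transactions):
        if customer in triggered:
            continue
        window[customer].append((ts, amount))
        total[customer] += amount
        # Evict payments that fell out of the 24-hour window.
        while ts - window[customer][0][0] > WINDOW:
            total[customer] -= window[customer].popleft()[1]
        if amount >= CDD_THRESHOLD_EUR:
            triggered[customer] = (ts, "single_payment")
        elif total[customer] >= CDD_THRESHOLD_EUR:
            # No single payment reached the threshold, but the aggregate did:
            # the pattern the article describes as structured deposits.
            triggered[customer] = (ts, "cumulative_24h")
    return triggered

# Constructed sample data (not real customers), amounts in whole EUR.
SAMPLE = [
    (datetime(2026, 1, 5, 10, 0), "cust-A", 2500),
    (datetime(2026, 1, 5, 9, 0), "cust-B", 900),
    (datetime(2026, 1, 5, 15, 0), "cust-B", 800),
    (datetime(2026, 1, 6, 8, 30), "cust-B", 400),   # 23.5 h after first
    (datetime(2026, 1, 5, 9, 0), "cust-C", 900),
    (datetime(2026, 1, 5, 15, 0), "cust-C", 800),
    (datetime(2026, 1, 6, 10, 0), "cust-C", 400),   # first payment has aged out
]

if __name__ == "__main__":
    for customer, (ts, reason) in cdd_triggers(SAMPLE).items():
        print(customer, ts.isoformat(), reason)
```

Customers B and C make the same three payments; only the timing of the last one decides whether the 24-hour aggregate reaches the threshold.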

Enhanced Due Diligence (EDD): High-Value Players and PEPs

Enhanced Due Diligence is mandatory when the customer risk profile is elevated. AMLR Article 36 requires EDD for Politically Exposed Persons (PEPs), customers from high-risk third countries, and relationships presenting unusual characteristics (EUR-Lex, Regulation EU 2024/1624, Art. 36).

In the gambling context, EDD is specifically required for:

VIP and High-Value Players: Any customer whose cumulative deposits exceed EUR 25,000 in a 12-month rolling period should undergo EDD including source of funds (SoF) verification. For players above EUR 100,000 annual deposits, source of wealth (SoW) documentation is standard practice. The UKGC's June 2023 guidance explicitly calls for "customer interaction" when customers show significant losses without clear affordability evidence.

PEP and Sanctions Screening: All customers must be screened against PEP lists and sanctions lists (OFAC, EU Consolidated List, UN, HM Treasury) at onboarding and on an ongoing basis. The sanctions and PEP screening guide provides detailed methodology.

Suspicious Behavioural Patterns: EDD must be applied when a customer exhibits red flags such as deliberate losses, refusal to provide source of funds documentation, or use of multiple linked accounts.

For EDD documentation, operators need to request: recent payslips or tax returns, employment contracts or business accounts for self-employed customers, and property or investment statements for high-net-worth individuals. CheckFile enables centralised storage and retrieval of EDD documentation with a full audit trail maintained for the required 5-year period.


Suspicious Activity Reports (SARs) to the National Crime Agency

In the UK, gambling operators must submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA) via the SAR Online portal whenever they know, suspect, or have reasonable grounds to suspect that a customer is engaged in money laundering or terrorist financing. The NCA received 901,255 SARs in the financial year 2023–24, with financial institutions and gambling operators among the key reporting sectors (NCA, SARs Annual Report 2023–24).

Typical SAR triggers for gambling operators:

  • Customer depositing large sums with minimal gambling activity followed by withdrawal requests
  • Multiple customers sharing the same IP address, payment method, or device
  • Customer applying pressure to process transactions quickly without plausible reason
  • Attempts to deposit funds and immediately withdraw without substantive play (placement)

The tipping-off prohibition under POCA 2002 (s.333A) means operators must not disclose to the customer that a SAR has been filed or that an investigation is underway.

Data Retention and UK GDPR Compliance

The AMLR requires a 5-year data retention period for all identity verification records and transaction data after the end of the business relationship (AMLR Art. 77). In the UK, this obligation is mirrored in MLR 2017 Regulation 40. This coexists with the UK GDPR storage limitation principle; the legal basis for retaining AML data beyond normal retention periods is the legal obligation under Article 6(1)(c) UK GDPR.

| Data Category | Retention Period | Legal Basis |
|---|---|---|
| KYC identity documents | 5 years post-relationship end | Legal obligation (MLR 2017, Reg. 40) |
| Transaction records | 5 years | Legal obligation |
| SAR records | 5 years | Legal obligation |
| Gambling session records | 5 years (AML) / shorter for marketing | Legal obligation / legitimate interest |

For practical guidance on document retention across jurisdictions, see the document retention requirements guide.

Internal Controls and Governance

The AMLR (Art. 8-9) and UKGC LCCP Social Responsibility Code require gambling operators to appoint a Money Laundering Reporting Officer (MLRO) at senior management level, implement documented AML policies and procedures, and deliver regular staff training. Specific requirements include:

  • Annual AML risk assessment specific to the operator's product mix, customer base, and payment methods
  • Ongoing monitoring of customer transactions against established behaviour profiles
  • Staff training covering typologies of gambling-related money laundering (placement via losses, layering via multiple accounts)
  • Independent audit of the AML framework at least every two years

The compliance audit checklist provides a structured framework for preparing for regulatory inspections. CheckFile integrates with operator onboarding systems via API to automate document checks and generate audit-ready compliance records.

Frequently Asked Questions

Were gambling operators already subject to AML rules before AMLD6?

Yes. Gambling service providers have been obliged entities since AMLD3 (2005) for casinos and since AMLD4 (2015) for all gambling services above the EUR 2,000 threshold. AMLD6 and the AMLR 2024 strengthen and directly harmonise these requirements across the EU without requiring national transposition.

What is the CDD threshold for online gambling operators?

The standard CDD threshold is EUR 2,000 per transaction or as a cumulative total of linked transactions. This threshold applies to both deposits and payout requests. Many operators apply CDD from account opening regardless of the deposit amount, which is considered best practice by most EU supervisory authorities and by the UKGC.

What happens if a gambling operator fails to comply with AML requirements?

Under AMLD6, fines can reach EUR 10 million or 10% of annual turnover for legal entities. The UKGC additionally has powers to suspend or revoke a gambling licence. In the UK, the UKGC has issued fines exceeding GBP 100 million against major operators since 2020 for AML and social responsibility failures.

Do crypto payment deposits require specific KYC treatment?

Yes. Cryptocurrency deposits require enhanced due diligence because they can obscure the origin of funds. Operators must verify the source of the crypto assets, check that the wallet address is not on sanctions lists, and apply the FATF Travel Rule where applicable. Many operators apply mandatory EDD for any crypto deposit above EUR 1,000.

How should operators handle anonymous e-wallet payments?

Anonymous e-wallet payments (where the operator cannot identify the beneficial owner of the wallet) should be restricted or prohibited for deposits above the CDD threshold. Where operators accept e-wallets, they must ensure the e-wallet provider itself has completed KYC on the end customer, as required by AMLR Article 79.
