KYC/AML for Online Gambling Operators in the USA: BSA and State Requirements 2026

Online gambling operators in the United States face a complex, fragmented regulatory framework that differs fundamentally from the EU's AMLD6 model. AML compliance is governed primarily by the Bank Secrecy Act (BSA, 31 USC §5311 et seq.) and regulations administered by FinCEN (Financial Crimes Enforcement Network), rather than a single federal gambling authority. State-level licensing adds another layer: New Jersey (online casino), Nevada (online poker), Pennsylvania, Michigan, and Connecticut each impose their own KYC requirements on top of federal BSA obligations.

This article is for informational purposes only and does not constitute legal or regulatory advice. Regulatory references are accurate as of the publication date. Seek qualified legal counsel for advice specific to your situation.

Federal AML Framework: BSA and FinCEN Requirements

Casinos — including online casinos operating under state law — are defined as "financial institutions" under the BSA (31 USC §5312). FinCEN's 2010 rulemaking (31 CFR Part 1010, Subpart E) classifies card clubs and casinos with gross annual gaming revenue exceeding USD 1 million as financial institutions subject to the full BSA compliance program requirements (FinCEN, Casino AML guidance).

This means US online gambling operators above the USD 1 million GGR threshold must:

• Establish and maintain a written Anti-Money Laundering (AML) Program with internal controls, a designated compliance officer, employee training, and independent testing
• File Currency Transaction Reports (CTRs) for cash transactions (or cash equivalents) of USD 10,000 or more in a single gaming day
• File Suspicious Activity Reports (SARs) with FinCEN for transactions involving USD 5,000 or more where the operator suspects money laundering or fraud
• Maintain records of monetary instrument purchases and wire transfers

OFAC screening is a separate but parallel obligation: all operators must screen customers against OFAC's Specially Designated Nationals (SDN) list and other applicable sanctions lists. Violations carry civil penalties of up to USD 1 million per violation.

State-Level KYC Requirements

Online gambling in the US is legal in a small but growing number of states. Each state's gaming commission imposes specific KYC requirements:

New Jersey's Division of Gaming Enforcement requires operators to verify customer identity within 72 hours of account registration, and to suspend accounts that fail verification. The NJ DGE AML internal controls requirement mandates a written AML program that mirrors the BSA framework.

Customer Identification Program (CIP) Requirements

Under the BSA's Customer Identification Program (CIP) rules (31 CFR 1020.220, adapted for casinos), US online gambling operators must collect and verify:

• Full legal name
• Date of birth (to confirm age, minimum 21 in most states for casino games)
• Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN) for US persons; passport number for foreign nationals
• Current address (physical address required; P.O. Box alone insufficient)
• Government-issued photo ID: US driver's license, state ID card, US passport, or military ID

Identity verification may be documentary (reviewing a copy of the ID) or non-documentary (using identity verification services, credit report comparison, or knowledge-based authentication). Many operators combine both methods to meet the "reasonable belief" standard required by FinCEN.

CheckFile supports US-licensed operators with automated document verification compatible with both the BSA CIP requirements and state-level gaming commission standards.

Geolocation Verification

A unique US requirement is geolocation verification: operators must confirm that the player is physically located within the licensed state at the time of play. This is typically achieved through IP address verification combined with GPS-based geolocation software (e.g., GeoComply), which is a mandatory component of KYC for most state-licensed operators.

Currency Transaction Reports (CTRs) and Structuring

For cash-based transactions — which remain relevant for brick-and-mortar casinos and gift card/voucher systems — CTRs must be filed for transactions of USD 10,000 or more. Structuring — deliberately breaking up transactions to avoid the USD 10,000 threshold — is a federal crime under 31 USC §5324, regardless of whether the underlying funds are from legitimate sources.

Online gambling operators must monitor for digital equivalents of structuring: multiple deposits just below the USD 5,000 SAR threshold, rapid cycling between payment methods, or deposits followed immediately by withdrawal requests without substantive play.

Suspicious Activity Reports (SARs) to FinCEN

US online gambling operators must file a SAR with FinCEN when they know, suspect, or have reason to suspect that a transaction of USD 5,000 or more involves funds derived from illegal activity, is designed to evade BSA reporting requirements, or lacks a lawful purpose. FinCEN received 3.6 million SAR filings in 2024, with casinos and card clubs filing approximately 92,000 (FinCEN, SAR Stats 2024).

SARs must be filed within 30 days of detection (60 days if no suspect is identified). Operators must maintain records of SARs for 5 years and must not disclose the filing to the subject of the report (the "tipping-off" prohibition under 31 USC §5318(g)(2)).

Common SAR triggers for online gambling:

• Player depositing large amounts via multiple payment methods in succession
• Account activity inconsistent with player's stated income or employment
• Use of cryptocurrency exchanges to fund gambling accounts
• Evidence of multiple accounts controlled by the same person (multi-accounting)

OFAC Sanctions Compliance

Every US gambling operator must screen customers against OFAC's SDN list and other applicable sanctions programs (Iran, Cuba, North Korea, Syria, Russia/Ukraine). Operating with a sanctioned individual or entity can result in civil penalties up to USD 1,025,965 per violation (as of 2026, adjusted for inflation under FCPA).

Operators must implement real-time sanctions screening at account opening and during ongoing monitoring. A blocked transaction must be reported to OFAC within 10 business days using the applicable blocking report form.

Enhanced Due Diligence for High-Stakes Players

While the BSA's CDD rule (31 CFR 1010.230) does not set a specific monetary threshold for EDD in the gambling context, regulators expect operators to apply enhanced scrutiny for:

• High-rollers depositing more than USD 50,000 in a 30-day period
• PEPs and senior foreign political figures (SFPF under the PATRIOT Act)
• Non-resident aliens from countries on the FATF high-risk list
• Players exhibiting behavioral red flags (e.g., chasing losses, unusual withdrawal patterns)

EDD documentation for US operators typically includes: copies of recent tax returns (Form 1040), pay stubs, bank statements, or business financial statements for self-employed players.

The compliance audit checklist and enhanced due diligence guide provide structured frameworks for building EDD programs. CheckFile enables US operators to centralize and audit-trail all EDD documentation.

Record-Keeping Requirements

The BSA requires casinos to retain AML records for 5 years from the date of the record. This includes: CTRs, SARs, customer identification records, and monitoring reports. For player activity records, state gaming commissions may impose longer retention requirements (New Jersey requires 5 years; Nevada requires records to be retained until the casino's next full audit).

Frequently Asked Questions

Are all US online gambling operators subject to the Bank Secrecy Act?

Online gambling operators with gross annual gaming revenue above USD 1 million are classified as financial institutions under the BSA and must maintain a full AML compliance program. Operators below this threshold are still subject to the basic BSA reporting requirements (CTRs and SARs) but are not required to have a formal AML program unless their state gaming commission mandates it.

What is the difference between a CTR and a SAR for US gambling operators?

A Currency Transaction Report (CTR) is a mandatory filing for any cash transaction of USD 10,000 or more — it is objective and threshold-triggered. A Suspicious Activity Report (SAR) is filed when the operator subjectively suspects money laundering or fraud on transactions of USD 5,000 or more. SARs are not public and must be kept confidential.

Does AMLD6 apply to US-based online gambling operators?

AMLD6 is an EU directive and does not directly apply to US-licensed operators. However, operators holding an EU license alongside their US license (e.g., a Malta Gaming Authority license for EU customers) must comply with AMLD6 for their EU operations. US-only operators are governed by the BSA/FinCEN framework and applicable state law.

How should US operators handle cryptocurrency deposits?

Cryptocurrency deposits from US customers are subject to the same BSA CIP requirements as fiat currency deposits. Operators must verify the identity of the customer, ensure the wallet is not on the OFAC SDN list, and apply the BSA's Travel Rule for cryptocurrency transfers above USD 3,000. Many state gaming commissions have additional guidance on cryptocurrency acceptance.

What are the penalties for BSA non-compliance for gambling operators?

Civil penalties for willful BSA violations can reach USD 100,000 per day of ongoing violation. Criminal penalties include fines of up to USD 500,000 and imprisonment for up to 10 years. State gaming commissions can additionally revoke or suspend gaming licenses. The DOJ has brought enforcement actions against major casino operators for systemic AML program failures.