Before a first deposit, the operator must know who you are
KYC sits at the intersection of age verification, AML compliance, and responsible gambling. Every indexed market requires identity verification before a first deposit. The variation is in what is verified, how deep the checks go, and when enhanced due diligence triggers. European markets lean on national-identity infrastructure (MitID, BankID, e-ID). US states lean on SSN lookups and documentary evidence. Malta\'s PPD 4 and GACD 30 set out a tiered model that has become the reference for MGA licensees operating into multiple destination markets.
Each chip is one indexed rulebook. Green = we have a directly matched standard on this topic; dim = the topic may be covered under different wording, explore the framework to verify.
Best-match standard per framework. Scored against titles, requirements and editorial tags, click through for the full text.
| Market | Standard | Excerpt | Source |
|---|---|---|---|
| AGCO S 5.70 | Withdrawal authorization and identity verification | Players are permitted to withdraw funds from their player account only after the appropriate verifications and authorization. | Open ↗ |
| AGLC AGLC 4.4.23 | Players may be permitted to deposit funds into or withdraw funds from their player accounts only after: a) dep… | Players may be permitted to deposit funds into or withdraw funds from their player accounts only after | Open ↗ |
| DGA AML — CDD / EDD | Customer due diligence and enhanced due diligence | Gambling operators must carry out customer due diligence when stakes, payouts or both reach EUR 2,000 — whether in a single transaction or in linked transactions (§ 10, nr. 3). CDD covers collecting identity data, ver… | Open ↗ |
| DGOJ L 10/2010 art. 11 | Enhanced due diligence and source-of-funds | Enhanced due diligence applies to high-risk players, politically exposed persons and any situation where the standard measures do not give adequate assurance. Source-of-funds evidence is required before further activity… | Open ↗ |
| GGL § 4(5) | Full KYC before play — 18+, OASIS, identity proof | Section 4(5) requires full identity verification before any real-money play. Acceptable methods include VideoIdent, eID, bank-account verification, or comparable e-ID schemes. Age must be confirmed as 18+ and the verifie… | Open ↗ |
| MGA GACD 30 | Registration requirements | A B2C licensee may not permit gaming without a registered player account. At minimum the licensee must collect name and surname, date of birth, and permanent residential address (plus email / remote-means contact for rem… | Open ↗ |
| MGCB R 432.639 | Internet gaming account registration | Operators must verify legal name, date of birth, Social Security number (last four), and residential address before any deposit. Age is verified against a database deemed reliable by the Board, and an account cannot tran… | Open ↗ |
| NJ DGE § 69O-1.3(b) | Account registration, KYC, and encryption | To open an Internet/mobile account the licensee must create an encrypted patron file, verify identity (via N.J.A.C. 13:69D-1.5A plus recorded credential number or an approved remote multi-source method), confirm age 21 a… | Open ↗ |
| OCCC OAC 5.1 | Patron Identity Verification and Age 21 Gate | Before activating a sports gaming account or accepting a deposit or wager, a proprietor shall verify that the patron is at least 21 years of age and confirm the patron's identity through digital or physical examination o… | Open ↗ |
| PA PGCB 58 Pa. Code § 805.2 | Interactive gaming account registration | Before accepting any wager, operators must register a player account using verified identity, confirm the player is at least 21, confirm Pennsylvania physical presence, and check the PGCB self-exclusion list in real time… | Open ↗ |
| SGA SIFS 2022:3 Ch 9 §5 | PEP and sanctions screening | At registration, and on an ongoing basis, the licence holder must check whether the player is a politically exposed person (PEP) or appears on applicable sanctions lists, and must apply enhanced due diligence where such… | Open ↗ |
| UKGC LCCP LCCP 17.1.1 | Customer identity verification | Licensees must obtain and verify information to establish the identity of a customer, name, address, and date of birth, before that customer is permitted to gamble. | Open ↗ |
| UKGC RTS | No standard directly indexed | — | Open ↗ |
The UK's LCCP SRCP 3.9 requires ongoing customer due diligence, KYC is not a one-time event but a continuing obligation triggered by account activity. Malta's PPD and the Spillemyndigheden framework match this. The US-state pattern is more deposit-event-centred, verification at registration, re-verification on withdrawal beyond a threshold, and suspicious-activity escalation as the ongoing layer.
Every market requires enhanced verification above activity thresholds. The UK's financial-vulnerability framework (LCCP SRCP 3.4.4) at £150 net deposits and the AML-led thresholds elsewhere converge on a two-tier model: identity confirmation at the gate, source-of-funds evidence once activity exceeds a risk threshold.
Ohio requires the proprietor to verify patron identity through digital or physical examination of a government-issued ID, or multi-source authentication approved in writing by the OCCC Executive Director, before the account can deposit or wager, under OAC 3775-16-03. Verification records must be retained for the period the Commission requires. Ohio uses "patron" rather than "player" or "customer" as its statutory vocabulary.
Open questions and imminent changes that will shift the cells above. Each item is traceable to a regulator publication or indexed statute.
Every indexed market requires identity verification before the first real-money deposit. The UK under LCCP SRCP 3.2 requires it before any play, including free-play demos. Withdrawal triggers enhanced verification in most markets; large-activity thresholds trigger source-of-funds review.
Government-issued photo ID (passport, driving licence, national ID card) is universal. European markets with national-ID infrastructure (Denmark MitID, Sweden BankID-equivalent) accept e-ID authentication. US states typically require SSN lookup plus documentary backup. Each regulator's detailed acceptance list sits in technical annexes most of which are in our indexed corpus.
Every claim above traces to one of these citations. Matched standards link straight into the framework explorer; overlay facts link to the RG Observatory card with its audit note.
Built 2026-05-11 from the same datasets that power the framework explorers. Not legal advice; verify against the issuing regulator.