National vs Operator-Level Self-Exclusion: The Architecture Decision Every Multi-Jurisdiction Operator Must Resolve

The self-exclusion regime in any jurisdiction presents one foundational question for compliance architects: does the regulator operate a national register that all licensees must query in real time, or does the obligation sit entirely at the operator level, with no mandated cross-platform feed? The answer determines API architecture, data governance, staffing, liability exposure, and the technical scope of your responsible gambling system before a single player registers an account.

The two models now coexist across the world’s licensed markets. National registers are operated by the UK Gambling Commission (GAMSTOP), Spelinspektionen in Sweden (Spelpaus), Spillemyndigheden in Denmark (ROFUS), the DGOJ in Spain (RGIAJ), the ANJ in France (Interdiction Volontaire), the GGL in Germany (OASIS), ACMA in Australia (BetStop), and, since 2026, iGaming Ontario (BetGuard) and Portugal’s SRIJ. Operator-level models remain the standard under the Malta Gaming Authority’s Player Protection Directive, the Curaçao GCB’s responsible gaming policy, most US state gaming boards, and MINCETUR in Peru. Each model carries distinct legal obligations, distinct technical demands, and distinct patterns of regulatory risk.

The National Register Model: Structural Logic and Legal Basis

A national self-exclusion register is a centrally maintained database of individuals who have voluntarily excluded themselves from all licensed gambling activity within a jurisdiction. The defining feature is that the exclusion travels with the player, not with any individual operator’s account. When a person registers, every licensed operator in scope is obligated to deny that person access at login, at registration, and, in the most technically advanced regimes, before dispatching direct marketing.

The UKGC mandated participation in GAMSTOP for all holders of a remote gambling operating licence in March 2020. Under Social Responsibility Code provision 3.5.4 of the Licence Conditions and Codes of Practice (LCCP), remote licensees must participate in the multi-operator self-exclusion scheme covering online gambling. The obligation is not optional: it is a social responsibility code provision, meaning breach is a matter for regulatory action. GAMSTOP, which had launched in 2018 as a voluntary scheme, became an enforcement baseline overnight. In the second half of 2025, GAMSTOP registrations from individuals aged 16 to 24 increased by 40%, according to iGamingBusiness, reflecting both growing uptake and the effect of mandatory operator participation on scheme credibility.

In Denmark, Spillemyndigheden’s national register is named ROFUS (Register Over Frivilligt Udelukkede Spillere). The obligation to query ROFUS is codified in Bekendtgørelse om onlinekasino §24 and in Spillemyndigheden’s Inspection Standards for Online Casino (SCP.02.03.EN v2.0). Under those standards, the gambling system must confirm at registration that the customer is not registered in ROFUS, and must repeat the check at each login. The same standards require that all functions of the gambling system related to self-exclusion inform customers of the possibility of registering in ROFUS and link directly to the register. The Spillemyndigheden Technical Requirements for Online Casino and Sports Betting (v2.5) specify the precise API service calls, including the GamblerMultiReklameCheck service for pre-marketing queries, and require that if ROFUS is unavailable, the licensee must investigate whether the failure is internal before notifying the authority of the outage time and error.

Sweden’s Spelpaus operates under Spellagen (2018:1138), Chapter 14 §12, which establishes the national register. The substantive obligations to check the register before marketing, at registration, and at each login derive from Chapter 15 §2 and related provisions of Spellagen and Spelförordningen (2018:1475). The technical architecture for fulfilling those obligations was most recently updated by SIFS 2026:3, decided 23 April 2026 and entering into force on 1 August 2026. Under SIFS 2026:3, each licensee receives a unique Actor ID and API Key that must authenticate every query. The regulation creates two distinct endpoints: a marketing API for pre-dispatch checks and a login API for registration and access checks. A check is only legally complete once it returns a definitive positive or negative result. Spelpaus registrations had exceeded 134,500 individuals at the time SIFS 2026:3 was published, underlining the scale of the compliance obligation for licensees running high-volume marketing campaigns.

Spain, France, and Germany: Three Variations on the National Model

Spain’s national register, the RGIAJ (Registro General de Interdicciones de Acceso al Juego), is operated by the DGOJ under Law 13/2011. Online gambling operators licensed at the federal level must verify that a player is not registered in the RGIAJ before permitting access to gambling activity. The DGOJ provides a Player Verification Service through which operators can simultaneously check identity, RGIAJ status, minor status, and deceased-persons registry status. Operators must inform players of the prohibition on participating in games where they are registered with the RGIAJ and must provide self-exclusion tools alongside that obligation. Under the Gambling Laws and Regulations 2026 country report for Spain, this is framed as a broad social responsibility requirement: operators must incorporate a responsible gambling policy and must not onboard or permit gameplay by persons registered in the RGIAJ. For a complete profile of DGOJ licensing obligations, see the DGOJ licence requirements guide.

France’s ANJ administers the Interdiction Volontaire de Jeu, which had 58,000 enrollees at end-2023 and grew to 85,000 by the end of 2024, a 20% annual growth rate documented in the ANJ’s 2024 annual report. Under the ANJ’s technical requirements for licensed operators, querying the interdiction volontaire database is a mandatory technical obligation, sitting alongside the prohibition on accepting gameplay from persons on the administrative or judicial gambling ban list. The ANJ’s compliance framework requires operators to transmit data on player activity periodically and to respect the precise technical specifications set by the authority. A failure in the interdiction volontaire check system constitutes a breach of those specifications, and the ANJ’s enforcement record confirms that self-exclusion system failures are treated as sanctionable offences.

Germany’s OASIS system, administered by the Gemeinsame Glücksspielbehörde der Länder (GGL), operates as the national cross-operator self-exclusion register under the Glücksspielstaatsvertrag 2021. All licensed online operators in Germany must integrate with OASIS and deny access to registered individuals. Germany reported a spike in self-exclusion participants in the months after OASIS was operationalised, confirming uptake at scale. According to iGamingBusiness, this growth ran parallel with Spelpaus exceeding 134,500 registrations and GAMSTOP’s youth registration surge in H2 2025.

What Does Operator-Level Self-Exclusion Actually Require?

Under an operator-level model, the licensee must offer self-exclusion within its own platform, enforce the exclusion across all its brands and products, maintain records, suppress marketing, and manage reactivation. There is no centralised register to query. The player who wishes to stop gambling with all licensed operators must contact each one individually.

The MGA’s Player Protection Directive (Directive 2 of 2018), issued under Article 7(2) of the Gaming Act 2018 (Cap. 583), sets out the self-exclusion obligations for MGA-licensed B2C operators. Under the Directive, all B2C licensees must offer players the ability to self-exclude for either a definite or an indefinite timeframe. The exclusion must be immediately effective: no new wagers or deposits may be accepted from the moment of the exclusion order. Records must be retained for at least the duration of the exclusion and as long as necessary to maintain a complete responsible gaming profile. The B2C licensee must never apply a shorter exclusion than the player requested, and reactivation can only follow expiry of the exclusion period or a player’s active request. The licensee cannot prompt reactivation. The MGA FAQ clarifies that if a player who closed an account makes contact mentioning problematic gambling, the operator must apply a self-exclusion.

“All Licensees are required to always offer players the ability to self-exclude from all gaming activity for either a definite or an indefinite timeframe. The Operator must never apply a self-exclusion for a shorter timeframe than the player’s request, nor attempt to persuade or induce a player to set a lesser timeframe.”, MGA Player Protection Directive FAQ

The critical absence from the MGA framework is any cross-operator feed. An MGA-licensed operator’s exclusion list is private to that operator. A player who self-excludes with one MGA licensee remains able to register and play with every other MGA licensee. This is not a regulatory gap in the sense of a defect. It is an intentional architectural choice, reflecting the MGA’s model of individual licensee accountability rather than state-administered cross-platform control. The full scope of MGA B2C obligations is covered in the MGA licence requirements profile.

Curaçao’s framework under the Landsverordening op de Kansspelen (LOK), which entered into force on 24 December 2024, similarly requires operator-level self-exclusion. Under the CGA’s Responsible Gaming Policy for Licensed Operators, in accordance with LOK clause 5.4(2), operators must offer self-exclusion periods of at least one year. The exclusion applies across all brands and domains operated under the licensee’s licence, covers all gambling verticals, and triggers automatic marketing opt-out. The operator must have robust measures to prevent self-excluded individuals from opening new accounts under different credentials. There is no centralised CGA register. The obligation is structural: it sits within the operator’s own account management and compliance systems.

US States and Other Operator-Level Jurisdictions

Most US state gaming regulators operate either voluntary statewide lists, which operators must check, or entirely operator-level programmes. New Jersey’s Division of Gaming Enforcement, Pennsylvania’s Gaming Control Board, and Michigan’s Gaming Control Board each maintain their own self-exclusion list structures, but these operate as state-administered databases rather than regulator-run cross-industry feeds in the same sense as GAMSTOP or ROFUS. Players in US states without a mandatory centralised programme must in practice contact each licensed operator directly.

Peru’s regime under Ley N° 31557 and its implementing regulations under Decreto Supremo 005-2023-MINCETUR places the self-exclusion obligation at the operator level. MINCETUR has not established a national self-exclusion register comparable to the European models. Each authorised platform must implement its own exclusion mechanisms, and the regulatory framework does not require cross-platform exclusion feeds.

The Transitional Cases: Ontario and Portugal

Perhaps the most instructive recent developments are jurisdictions that began with operator-level models and have migrated to centralised architectures. Ontario and Portugal both confirmed this transition in spring 2026.

Ontario’s AGCO Registrar’s Standards for Internet Gaming included a note at Standard 2.14 that operators would be required to participate in a coordinated, centralised self-exclusion program once directed by the Registrar. That direction came in 2026. On 14 May 2026, iGaming Ontario launched BetGuard, a centralised self-exclusion portal covering all 77 licensed iGaming websites in the province, including OLG’s Proline platform. Under the updated AGCO standards, operators must prominently promote BetGuard, prevent account access for any person registered in the Centralised Self-Exclusion Programme, stop marketing to those individuals within 24 hours, cancel and refund outstanding wagers, and return unused funds. Self-exclusion terms offered are six months, one year, and five years. Within two weeks of launch, over 500 individuals had registered, according to iGamingBusiness. The AGCO will review the need for individual site self-exclusion programmes within 12 months of the CSE launch.

Portugal’s SRIJ introduced a centralised online self-exclusion portal effective 8 April 2026. The platform applies exclusion measures across all licensed online gambling operators in Portugal, replacing previously fragmented processes. The SRIJ specifically designed the portal to prevent circumvention by switching between licensed sites, which is the core functional advantage of the national register model. Third parties acting on behalf of at-risk individuals may also initiate an exclusion through the portal. According to iGamingBusiness, Portugal’s move was part of a global pattern that also included Germany’s OASIS expansion and GAMSTOP’s H2 2025 registration surge.

The national register model shifts responsibility from whether the operator remembered to check, to whether the registry record existed, a fundamentally different liability framework.

How Do the Two Models Compare on Enforcement Risk?

National register models concentrate enforcement risk at the API integration layer. The question regulators ask is not whether the operator has a self-exclusion policy: it is whether the operator queried the register correctly, at the right trigger points, and acted on the result. This is binary and auditable. Australia’s ACMA demonstrated what enforcement looks like at scale: Entain entered a court-enforceable undertaking in May 2026 after ACMA found more than 500 breaches linked to BetStop. According to iGamingBusiness, ACMA found that Entain had opened accounts for self-excluded customers, failed to promptly close certain accounts, and sent promotional communications lacking mandatory BetStop messaging. A separate Unibet action found that operator had allowed self-excluded individuals to continue wagering. The enforcement mechanism in a national register jurisdiction is documentary: the regulator cross-references the BetStop, GAMSTOP, or ROFUS exclusion timestamp against the operator’s account-opening logs.

Operator-level models distribute enforcement risk differently. Regulators assess whether the operator’s own procedures were adequate: was the self-exclusion tool accessible, was it enforced across all brands, was marketing suppressed, were reactivation protocols followed? The MGA’s enforcement register shows actions taken against licensees for player protection failures, including failures in self-exclusion implementation. The absence of a national register means there is no cross-operator data set against which regulators can mechanically verify compliance. This makes some violations harder to detect, but also means operators face less exposure from system-level API failures.

What Multi-Jurisdiction Operators Must Build

An operator holding licences in three or more of the jurisdictions covered in this article will simultaneously be subject to both models. The practical consequence is a dual compliance stack: a real-time national-register API layer covering Sweden, Denmark, the UK, Spain, France, Germany, Ontario, Portugal, and Australia, and a per-operator exclusion database covering MGA, Curaçao, US state, and Peru operations. These are not interchangeable. The national-register API must fire at three defined trigger points, namely player registration, each login, and pre-marketing dispatch, and must use jurisdiction-specific credentials and endpoints. SIFS 2026:3 in Sweden specifies that the marketing check uses a different API endpoint from the login check. Spillemyndigheden’s v2.5 technical requirements specify distinct service call schemas for ROFUS at login versus ROFUS at marketing dispatch. Treating these as a single generic call is a compliance failure.

For the per-operator exclusion database, the obligations under MGA Directive 2 of 2018 and the Curaçao CGA Responsible Gaming Policy require the operator to maintain a complete responsible gaming profile on the player, enforce cross-brand exclusion within the same licence, suppress all marketing and bonuses, and manage reactivation only through documented player-initiated requests. The AGCO Registrar’s Standards require maintaining a register of excluded players with name, address, and account details, and taking active steps to identify self-excluded persons found in breach of their agreement.

The architectural question that most compliance teams underestimate is data residency. National registers in the UK, Sweden, and Denmark are queried via API calls that pass player identifiers such as national insurance numbers or CPR numbers to regulator-operated systems. This triggers GDPR obligations and, in some cases, cross-border data transfer restrictions. An operator whose CRM and player database infrastructure is hosted outside the EEA must confirm that the API call flow, including any response caching, complies with the applicable data protection framework for each national register query.

Alberta provides an instructive close-to-home example. The AGLC Standards and Requirements for Internet Gaming (SRIG, issued 17 March 2026) establish a centralised prohibited persons list, covering both persons convicted or legally excluded and self-excluded individuals. All registered operators must maintain an effective API connection to AGLC’s centralised information system, and discrepancy reports must be submitted within 72 hours on all prohibited persons who attempt to enter or remain on an iGaming site. As AGLC updates the centralised list, all registered player information must be checked against it in real time. The AGCO and AGLC frameworks are compared in detail in the AGCO vs AGLC standards comparison.

The Direction of Travel

The doctrinal split between national-register and operator-level models is narrowing. Portugal (April 2026), Ontario (May 2026), and Puerto Rico (June 2026) all moved from operator-level to centralised architectures within a two-month window. The ANJ’s 2024 annual report frames the 20% annual growth in Interdiction Volontaire enrolments as evidence that the self-exclusion instrument is working but that further structural reinforcement is needed. The DGOJ’s draft resolution introducing a unified mechanism for detecting risky gambling behaviour in Spain points toward the next phase: national registers that do not merely enforce exclusion decisions already made by players, but actively flag at-risk users before they self-exclude.

For operators, the implication is that jurisdictions currently operating operator-level models should be treated as potential transition candidates. The AGCO’s Registrar’s Standards contained the centralised programme note as a conditional forward obligation well before BetGuard launched. Compliance teams building or refreshing their responsible gambling architecture in MGA, Curaçao, or US-state markets should design with modular national-register integration in mind, even where no national register currently exists.

The SIFS 2026:3 implementation obligations for Swedish licensees offer the most technically detailed current example of what national-register compliance requires at the API layer. For operators mapping the broader responsible gambling landscape across all major licensed markets, the Responsible Gambling Compliance hub provides a cross-jurisdiction reference covering exclusion, deposit limits, customer interaction, and treatment funding obligations.

Operators should seek qualified legal counsel to confirm the precise technical specifications and enforcement timelines applicable to each licence they hold, as register specifications and API requirements are updated regularly by each national authority.

Key Resources

UKGC Licence Conditions and Codes of Practice, SR 3.5.4, 3.5.6, Remote multi-operator self-exclusion obligations including mandatory GAMSTOP participation. Available at gamblingcommission.gov.uk.

Spelinspektionens Författningssamling SIFS 2026:3, Binding technical requirements for Spelpaus API integration, effective 1 August 2026. Available at spelinspektionen.se.

Spillemyndigheden Tekniske krav for onlinekasino og væddemål v2.5, ROFUS API service call specifications and register obligations for Danish licensees. Available at spillemyndigheden.dk.

MGA Player Protection Directive (Directive 2 of 2018), as amended to V3 January 2023, Operator-level self-exclusion obligations for MGA B2C licensees. Available at mga.org.mt.

AGCO Registrar’s Standards for Internet Gaming, Standard 2.14, Ontario self-exclusion requirements including Centralised Self-Exclusion Programme obligations. Available at agco.ca.

AGLC Standards and Requirements for Internet Gaming (SRIG 2026-03-17), Section 3, Alberta prohibited persons API and centralised list obligations. Available at aglc.ca.

ANJ Rapport Annuel 2024, Interdiction Volontaire enrolment data and 2024, 2026 strategic plan context. Available at anj.fr.