Behavioural Markers of Harm: Building a Defensible RG Detection Model
Regulators at UKGC, MGA, AGCO, and AGLC now mandate documented harm-detection models. Learn which markers, validation methods, and intervention records make a model defensible at audit.
Enforcement actions under the UK Gambling Commission’s Licence Conditions and Codes of Practice, the Malta Gaming Authority’s Player Protection Directive, and the AGCO’s Registrar’s Standards now share a common anatomy: an operator’s detection model failed to flag a customer whose behaviour was, in retrospect, plainly harmful. The penalty notices that follow are not primarily about the harm itself, they are about the documented inadequacy of the system that should have caught it. Building a detection model that withstands regulatory scrutiny means understanding what each regulator actually requires, what enforcement decisions reveal about de facto thresholds, and what documentation the auditor will ask to see.
What Regulators Require: The Identify-Act-Evaluate Framework
UKGC SR Code Provision 3.4.3, which applies to all remote licensees and has been in force in its full form since 12 September 2022, states that licensees must implement effective customer interaction systems and processes that minimise the risk of customers experiencing harms associated with gambling. Those systems must embed three elements: identify, act, and evaluate. The Commission’s formal guidance under SR Code 3.4.3, last updated 30 August 2023, operationalises each element. Identify requires that licensees use a combination of data sources and signals, not a single trigger, to detect at-risk behaviour. Act requires that the response be proportionate to the identified risk. Evaluate requires that licensees measure the impact of their interactions and demonstrate those outcomes to the Commission on request.
The MGA’s Player Protection Directive (Directive 2 of 2018, V3 January 2023) reaches the same structure through a different legislative route. Article 17(1) requires B2C licensees to monitor and identify problem gambling and behaviour indicative that a player is at risk of developing gambling problems, using analytical tools and behaviour monitoring systems with pre-designed and evolving parameters, as well as customer-facing responsible gaming staff. Article 17(2) then requires effective steps to address identified risk. Article 17A, inserted in the V3 January 2023 revision, mandates that the criteria used to meet article 17(1) obligations must be documented and reflected in the licensee’s policies and procedures.
Source: MGA, Player Protection Directive (Directive 2 of 2018, V3, January 2023), Articles 17 and 17A.
In Ontario, AGCO Registrar’s Standard 2.10 requires that a mechanism be in place to monitor player risk profiles and behaviours for the purpose of detecting signs of players potentially experiencing harm. At a minimum, operators must include a risk profile for players at high risk of experiencing gambling-related harm. Standard 2.11 requires that assistance be readily available and systematically provided. In June 2025, the AGCO released detailed guidance on the enforcement of Standards 2.10 and 2.11, specifying that indicators such as repeated deposits in short timeframes, excessive session lengths, and apparent loss-chasing must trigger escalated responses. Operators are expected to maintain detailed, time-stamped records of all interventions.
Alberta’s AGLC Standards and Requirements for Internet Gaming (SRIG, issued 14 January 2026, version dated 17 March 2026) sets out the most granular framework in Attachment 3.3. The SRIG requires operators to use both automated and manual tools to monitor players’ behaviour in a manner that enables timely and effective provision of support. Monitoring must occur either continuously or at a rate that reflects the dynamic nature of player behaviour, and must draw on information from various sources, not a single data stream.
Which Behavioural Markers Must the Model Include?
MGA Article 17A(1) provides the clearest statutory enumeration of minimum marker categories, and the list sets the regulatory floor that all MGA B2C licensees must meet. Each category maps to a distinct harm pattern validated by subsequent enforcement decisions across multiple jurisdictions. A model that omits any of the five categories below will not satisfy Article 17A(1) on its own terms.
| Marker Category | MGA Article 17A(1) Reference | Indicator Type |
|---|---|---|
| Deposit frequency and amount | Article 17A(1)(a) | Transactional velocity |
| Use of multiple payment methods | Article 17A(1)(b) | Financial fragmentation |
| Reversal of pending withdrawals | Article 17A(1)(c) | Loss-chasing proxy |
| Increased player complaints and bonus requests | Article 17A(1)(d) | Communication-based signal |
| Use of responsible gaming tools | Article 17A(1)(e) | Self-reported distress signal |
Deposit frequency and amount captures both the escalation dynamic (progressive increases in stake or deposit over time) and the velocity signal (multiple deposits within a compressed period). The reversal of pending withdrawals is an explicit regulatory acknowledgement that the inability to execute a decided withdrawal is a recognised marker of chasing behaviour. Communication-based signals acknowledge that contact with customer service, bonus utilisation at elevated frequency, and complaint patterns carry harm information independently of transactional data.
AGCO guidance issued in June 2025 adds session length as a required indicator, consistent with the UKGC’s enforcement record, which identifies extended uninterrupted sessions as a standalone harm marker. AGLC Attachment 3.3 requires that player behaviour indicators, alongside player-provided information and third-party data sources where available, be incorporated into a comprehensive approach to player risk profiling.
What Enforcement Decisions Reveal About Acceptable Thresholds
Regulatory guidance specifies categories of markers but does not prescribe numerical thresholds. Enforcement decisions fill that gap by identifying the systems regulators considered inadequate, and they define the floor below which a detection model will not survive scrutiny.
The Paddy Power Betfair settlement, published by the UKGC in December 2025, found that one customer deposited £25,000 in 25 days before being interacted with. Another staked £86,000 over a 16-day period during which time they lost £6,000, and despite the high velocity of spend, no manual review of the account took place. A third displayed session lengths reaching 7 hours and 46 minutes over a 17-day period, placing over 300 bets amounting to £20,000, and was only identified as an indicator of harm after hitting a loss threshold.
The Commission’s finding in that settlement was unambiguous: the systems in place were not sensitive enough to identify indicators of harm. The four entities trading as Paddy Power and Betfair paid £2 million as part of the settlement. The significance for compliance teams is not the fine quantum, it is the specific factual patterns the Commission identified as having warranted earlier identification. A threshold that triggers only after a customer has deposited £25,000 in 25 days is not a detection model, it is a paper trail for a penalty notice.
In Ontario, the AGCO imposed a CAD $105,000 penalty on Score Media and Gaming Inc. (theScore) for failing to adequately monitor and intervene with a player who wagered approximately $2.5 million with significant losses over eight months, displaying clear signs of distress and harmful behaviour including loss-chasing. The AGCO found that theScore had relied on player self-assessments rather than conducting meaningful behavioural due diligence. The violation engaged Standards 2.10 and 2.11 of the Registrar’s Standards for Internet Gaming.
Enforcement benchmark: Both the UKGC Paddy Power Betfair settlement (December 2025, £2m) and the AGCO theScore penalty (CAD $105,000) turned on the same failure: detection systems triggered by loss thresholds rather than by the velocity and pattern of preceding behaviour. A defensible model must detect the trajectory, not just the destination.
Model Architecture: What a Defensible Detection System Looks Like
Regulators do not prescribe a detection architecture, but the combined requirements of the UKGC formal guidance, MGA Article 17A, AGCO Standards 2.10 and 2.11, and AGLC Attachment 3.3 converge on a coherent model structure. Each component must be present and documented.
The data layer must draw on multiple source types simultaneously. Transactional data (deposit frequency, stake size progression, withdrawal reversal patterns) is the baseline. Session data (duration, frequency of sessions per day or week, time-of-day patterns) provides a separate signal that is particularly relevant for detecting escalation. Communication data (support contact, bonus request frequency, account query patterns) adds a behavioural signal that is not captured by financial data alone. Player-provided data (responses to self-assessment tools, tool utilisation history, limit-setting patterns) completes the picture. AGLC Attachment 3.3 states explicitly that operators are expected to incorporate player behaviour indicators, player-provided information, and third-party data sources where available into a comprehensive approach to player risk profiling.
The scoring layer must aggregate those signals into a risk profile that updates in near real-time. AGLC Attachment 3.3 requires that indicators be monitored either continuously or at a rate that reflects the dynamic nature of player behaviour. A model that recalculates risk daily will not satisfy this requirement where a player’s spend velocity is measured in hours. AGCO June 2025 guidance uses the phrase “real-time behavioural monitoring” directly. The practical implication is that a batch-processing approach to risk scoring is not defensible for high-frequency product types such as online casino.
The segmentation layer assigns players to risk bands based on the aggregated score. AGCO Standard 2.10 requires, at a minimum, a risk profile for players at high risk of experiencing gambling-related harm. AGLC Attachment 3.3 goes further, requiring that interventions be provided for all players who may be at risk of experiencing harm, not just those already identified as high-risk. The distinction is significant: a binary model that identifies only a small high-risk cohort and ignores the broader at-risk population does not meet the AGLC standard. In practice, a three-tier or four-tier segmentation approach, with escalating intervention protocols for each tier, maps most directly to the AGLC’s requirement and is consistent with the UKGC’s identify-act-evaluate loop.
The Intervention Ladder: Proportionality and Escalation
Regulatory frameworks across jurisdictions converge on proportionality as the organising principle of the intervention response. The intervention must be calibrated to the severity of the identified risk. AGLC Attachment 3.3 requires operators to intervene according to the severity of the situation and uses the phrase “tailored and escalating interventions” to describe the expected practice.
The AGLC SRIG describes current examples of intervention at different points on the severity scale. At lower severity, the expected response includes player interaction to gather additional information, player self-assessment surveys, and reminder communications highlighting responsible gambling resources and tools. At the mid-range, personalised communications are expected, communicating specific RG concerns identified by the operator directly to the player. At the higher-severity end, mandatory limit modifications, temporary account suspension pending further assessment, and permanent exclusion in cases of persistent severe risk are all cited as appropriate responses.
The Curaçao Gaming Authority’s Responsible Gaming Policy for Licensed Operators, issued to operators under the post-LOK licensing regime, adopts the same escalation architecture, including a requirement that operators follow a clear escalation protocol where risk is identified, potentially extending to mandatory deposit limits and account suspension.
The UKGC’s formal guidance on SR Code 3.4.3 sets out that the act component of the identify-act-evaluate framework must be proportionate to the customer’s circumstances and the nature of the identified harm risk. This creates an obligation to modulate the intervention, not merely to deploy a standard safer gambling message at every trigger point. An automated message dispatched at the same wording and channel regardless of the severity of the underlying signal will not satisfy the “effective” test in SR Code 3.4.3(1).
MGA Article 17(1) requires behaviour monitoring systems with “pre-designed and, or evolving parameters.” The word “evolving” carries compliance weight. A static ruleset that does not update as the operator’s player population changes, as product behaviour changes, or as new harm research is published, will not remain defensible over time.
Model Validation: What Regulators Audit
UKGC SR Code 3.4.3(14) requires licensees to take account of problem gambling rates for the relevant gambling activity as published by the Commission, in order to check whether the number of customer interactions is, at a minimum, in line with that level. This is the closest the LCCP comes to mandating a quantitative validation requirement. Its practical effect is that a detection model producing an interaction rate significantly below the Commission’s published problem gambling prevalence rate for that activity will trigger scrutiny. The full text of SR Code 3.4.3 and its associated guidance is navigable through the UKGC LCCP explorer.
MGA Article 17A(1) requires that the criteria used to meet identification obligations be documented and reflected in policies and procedures. The MGA Compliance Audit Manual, used by MGA auditors during compliance examinations, checks that licensees maintain records of player harm identification and the steps taken in response. The criteria, not just the outcomes, must be auditable. An operator cannot present a model as compliant if the decision logic is embedded in a system that cannot be interrogated by an auditor.
UKGC SR Code 3.4.3(13) requires that licensees evaluate the effectiveness of their customer interaction activities, record the impact, and be able to demonstrate the outcomes of their evaluation to the Commission. This evaluation obligation is not satisfied by logging that an interaction occurred. The operator must be able to show what happened after the interaction: whether the player’s behaviour changed, whether further interventions were required, and whether the interaction category itself was effective at the population level.
For compliance teams, this creates a documentation architecture with four distinct layers. The model specification layer records the marker set, the weighting logic, the threshold values for each risk tier, and the version history as parameters are updated. The interaction log layer records each player-level interaction, the trigger that caused it, the channel and content of the intervention, and the timestamp. The outcome layer records what happened to the player’s risk profile after the intervention and over the following period. The aggregate evaluation layer records periodic analysis of whether the model is producing the right rate of interactions and whether interventions in specific categories are effective at changing behaviour.
Documentation minimum: A defensible model requires four auditable layers: model specification (markers, weights, thresholds, version history); interaction log (per-player trigger, channel, content, timestamp); outcome record (post-intervention behaviour); and aggregate evaluation (interaction rate benchmarking against published prevalence data). Regulators audit all four, and gaps in any layer are findings.
Cross-Jurisdictional Calibration Challenges
Operators holding licences across multiple jurisdictions face the compound challenge of building a single detection architecture that satisfies the most demanding requirement in each dimension. The UKGC’s evaluate obligation and the AGLC’s near-real-time monitoring requirement are independently demanding. Together, they define a high-capability baseline that, if met, will also satisfy the MGA and AGCO frameworks.
Product type matters for threshold calibration. A detection model calibrated for a sports betting book, where sessions are naturally episodic and deposits are infrequent, will not be appropriate for an online casino book where session frequency can be daily and deposits can be multiple within a single session. UKGC SR Code 3.4.3(14) acknowledges this by referring to problem gambling rates for the relevant gambling activity, the prevalence rate differs by product vertical, and the expected interaction rate should reflect that difference. MGA Article 17(1) similarly refers to analytical tools with pre-designed and evolving parameters, accommodating product-specific calibration within a single licensee framework.
Sweden’s Spelinspektionen, operating under the Gambling Act (2018:1138), mandates a channelisation framework in which responsible gambling controls, including player interaction, are part of the licence conditions for channelled operators. While Sweden’s framework does not enumerate specific behavioural markers in the manner of MGA Article 17A, Spelinspektionen’s audit focus on the effectiveness of player protection systems means that a documented, multi-signal model is a practical requirement for any licensee seeking to demonstrate compliance.
For operators entering Ontario and Alberta concurrently, the AGCO Registrar’s Standards and the AGLC SRIG present comparable but not identical requirements. Both require real-time or near-real-time monitoring, both require multi-source risk profiling, and both require escalating interventions. The AGLC’s Attachment 3.3 is more prescriptive about the requirement to intervene for all at-risk players rather than only confirmed high-risk players. Operators building a unified model for Canadian multi-provincial operations should calibrate to the AGLC standard on this dimension. A detailed comparison of how the two Canadian frameworks treat RG obligations is covered in our AGCO vs AGLC analysis.
What Regulators Expect at Audit: A Practical Checklist
Regulators conducting compliance examinations under the UKGC, MGA, and AGCO frameworks will typically examine the following areas. The list below is derived from the documented obligations in those frameworks and from the factual patterns identified in published enforcement actions.
The model specification document must exist in written form, must name every marker category in use, must specify the logic by which individual markers aggregate into a risk score, must define the thresholds that determine tier assignment, and must carry a version history with dates on which parameters were changed and the rationale for each change. Where the model uses machine learning or statistical techniques rather than rule-based logic, the documentation must explain the methodology, the training data used, and the validation approach.
The interaction record must be time-stamped, must identify the trigger, must record the channel used, and must record the content of the communication or the nature of the account-level action taken. Where manual review occurs, the record must show who conducted the review, what information they examined, and what decision they reached. AGCO enforcement in the theScore case found that reliance on player self-assessments without independent behavioural corroboration was inadequate, the audit trail must show that the operator formed an independent assessment of risk.
The outcome evaluation must occur at regular intervals. For the UKGC, the evaluation must be capable of demonstrating that the number of interactions is in line with published problem gambling prevalence for the relevant activity. For the MGA, the policies and procedures governing actions taken in respect of problem gamblers must be maintained and kept current. For the AGCO, operators are expected to build processes to evaluate the impact of interventions to support ongoing improvement, a phrase drawn directly from the June 2025 guidance.
Compliance teams responsible for RG detection model governance should treat the model as a living regulatory document, subject to the same change management discipline as a licensing condition. For operators managing multi-jurisdictional responsible gambling compliance programmes, a broader cross-jurisdictional overview of RG control frameworks across all 17 regulated markets is available at the Responsible Gambling Compliance hub.
Qualified legal counsel with jurisdiction-specific iGaming regulatory experience should be engaged when designing or revising a detection model intended to satisfy UKGC, MGA, or Canadian provincial requirements, given the interaction between the documented regulatory obligations and the evolving enforcement posture in each market. To begin implementing a compliant detection model in your jurisdiction, consult the Responsible Gambling Compliance hub for jurisdiction-specific resources and framework comparisons.
Key Resources
UKGC, Licence Conditions and Codes of Practice, SR Code Provision 3.4.3, the primary UK remote gambling customer interaction obligation, in force from 12 September 2022 (with additions from 31 October 2023). Available at gamblingcommission.gov.uk.
UKGC, Customer Interaction Guidance for Remote Gambling Licensees (Formal Guidance under SR Code 3.4.3), last updated 30 August 2023. Operationalises the identify-act-evaluate framework. Available at gamblingcommission.gov.uk.
MGA, Player Protection Directive (Directive 2 of 2018, V3, January 2023), Articles 17 and 17A specify the mandatory marker categories and documentation obligations for MGA B2C licensees. Available at mga.org.mt.
AGCO, Registrar’s Standards for Internet Gaming, Standards 2.10 and 2.11, the Ontario risk-profiling and harm-assistance obligations, with AGCO enforcement guidance issued June 2025. Available at agco.ca.
AGLC, Standards and Requirements for Internet Gaming (SRIG 2026-03-17), Attachment 3.3, the Alberta additional requirements for identifying and supporting players at risk of harm, issued 14 January 2026. Available at aglc.ca.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.