UIGEA Compliance: Payment Processor and Operator Obligations Under the Unlawful Internet Gambling Enforcement Act
The UIGEA targets financial flows, not players. Learn what § 5363 prohibits, how Regulation GG works, and what the Black Friday indictments mean for your payment stack.
The Unlawful Internet Gambling Enforcement Act of 2006, enacted on 13 October 2006 as Public Law 109-347 and codified at 31 U.S.C. §§ 5361 through 5367, does not prohibit online gambling as such. It prohibits the financial transactions that make online gambling commercially viable. That distinction is the foundation of every compliance obligation the statute creates, and missing it is the most common source of misreading among operators and payment teams entering or servicing the U.S. market.
The Act was passed in the final hours before Congress adjourned for the 2006 midterm elections, attached to the unrelated Security and Accountability For Every Port Act (SAFE Port Act). According to Senator Frank Lautenberg, no member of the Senate-House Conference Committee had seen the final bill language before it passed. The statute’s abrupt enactment produced definitional gaps that have shaped its enforcement ever since, and those gaps remain operative law today.
Source: Unlawful Internet Gambling Enforcement Act of 2006, Public Law 109-347, 31 U.S.C. §§ 5361, 5367, enacted October 13, 2006.
What Constitutes Unlawful Internet Gambling Under § 5362
Section 5362 defines the scope of the statute’s core prohibition. A “bet or wager” under the Act means risking something of value on the outcome of a contest, a sporting event, or “a game subject to chance.” The “game subject to chance” formulation was drafted specifically to capture internet poker. The Act further defines betting as including the purchase of an “opportunity” to win a lottery, provided that lottery is predominantly subject to chance, a standard that excludes genuine skill competitions.
“Unlawful internet gambling” means placing, receiving, or otherwise knowingly transmitting a bet or wager using the internet where that bet or wager is unlawful under any applicable federal or state law in the state or tribal lands in which the bet is initiated, received, or otherwise made. The definition imports and depends on underlying federal and state gambling law. The UIGEA does not establish an independent federal prohibition on the activity itself. It establishes a payment-blocking mechanism that triggers when the underlying activity is already unlawful.
The statute contains a clause expressly stating that it makes no change to any other law or Indian compact, and that it cannot be used as a defence to another crime or to expand existing gambling rights. Operators attempting to use the Act as a shield for activity prohibited under the Federal Wire Act of 1961 or state law will find no support in the statute’s text.
What Does § 5363 Actually Prohibit?
Section 5363 is the statute’s operative prohibition. It states that no person engaged in the business of betting or wagering may knowingly accept any restricted financial transaction from a person participating in unlawful internet gambling. Restricted transactions include credit cards, electronic fund transfers, checks, drafts, and similar instruments.
“No person engaged in the business of betting or wagering may knowingly accept, in connection with the participation of another person in unlawful Internet gambling, credit, or the proceeds of credit, extended to or on behalf of such other person (including credit extended through the use of a credit card).”
Three structural points govern the practical scope of § 5363. The prohibition falls on the gambling business, not on the player. It does not make it a federal crime for a customer to fund their own gambling account. The restriction is also limited to internet gambling businesses. It does not directly cover payment processors or internet service providers, and the Act explicitly states in its definitions section that being in the business of gambling does not include a financial transaction provider or an ISP. Neither a payment intermediary nor a computer host can be charged under § 5363, and the Act forecloses aiding and abetting theories against them under this provision.
This statutory limitation on criminal liability for payment processors is distinct from the civil and regulatory obligations imposed on those processors under the implementing regulation, Regulation GG. The inability to prosecute a payment processor under § 5363 does not relieve that processor of its Regulation GG duties.
How Regulation GG Implements the Statute
Section 5364 required the Federal Reserve and the U.S. Department of the Treasury to issue implementing regulations within 270 days of the Act’s passage. An initial Notice of Proposed Rulemaking was issued in October 2007. Following receipt of 410 comment responses from depository institutions, payment operators, gambling entities, federal agencies, and members of Congress, final regulations were issued in November 2008, more than two years after the statute’s enactment. The rule is codified at 12 CFR Part 233 and is known as Regulation GG, titled “Prohibition on Funding of Unlawful Internet Gambling.”
Regulation GG creates obligations at the level of designated payment systems, which it defines to include automated clearing house (ACH) systems, card systems (credit and debit), check collection systems, money transmitting businesses, and wire transfer systems. Participants in those systems are required to establish and implement written policies and procedures reasonably designed to identify and block restricted transactions, or to otherwise prevent or prohibit restricted transactions through their systems.
Regulation GG Core Obligation: Participants in designated payment systems must establish written policies and procedures reasonably designed to identify and block or otherwise prevent or prohibit restricted transactions. Compliance with these requirements is not optional for card networks, ACH operators, or money transmitters. (12 CFR Part 233, § 233.5)
The regulation does not require perfection. It requires reasonable design. The standard of what is “reasonably designed” is informed by whether a payment system participant takes affirmative steps to implement policies and whether those policies are actually operative. A participant that has no written policies, or that has policies which are never tested against transaction flows, will not satisfy the standard regardless of whether any particular restricted transaction was processed.
Section 233.6 of Regulation GG provides a non-exclusive safe harbor for payment system participants who rely on the representations of the gambling business that it is not engaged in unlawful internet gambling, provided the participant has no actual knowledge to the contrary. This safe harbor has practical limits: as the PokerStars enforcement action demonstrated, actual knowledge can be established through the pattern of transactions, the coding of merchant category codes, and internal communications.
Designated Payment Systems: Who Bears the Obligation
Regulation GG assigns the primary implementation burden to participants in designated payment systems. For card systems, the burden falls on the card network operator and, for some obligations, on card issuers and acquirers. For ACH systems, the burden falls on the ACH operator and, in some circumstances, on originating depository financial institutions. For wire transfer systems, the burden falls on the sending bank. Money transmitting businesses regulated under 31 U.S.C. § 5330 carry obligations as direct participants.
| Designated Payment System | Primary Obligated Participant | Core Obligation |
|---|---|---|
| Card systems (credit/debit) | Card network, acquirer | Written policies to block restricted transactions, merchant screening |
| ACH systems | ACH operator, originating depository institution | Policies to identify gambling-related ACH entries for blocking |
| Wire transfer systems | Sending bank | Procedures to identify and block restricted wire transfers |
| Money transmitting businesses | MSB as defined under 31 U.S.C. § 5330 | Written procedures, customer identification for gambling transactions |
| Check collection systems | Collecting bank | Policies to identify and return gambling-related items |
For operators seeking banking and payment relationships in states where online gambling is licensed, the practical challenge is demonstrating to payment system participants that the transactions are not restricted. Licensed operators in New Jersey, Nevada, Michigan, Pennsylvania, and other regulated jurisdictions typically provide their banking partners with copies of state licences and legal opinions confirming that their transactions fall within the intrastate exemption. Payment infrastructure remains a significant barrier to market entry even for operators that have cleared state licensing.
The Statutory Exemptions
The UIGEA’s definition of unlawful internet gambling is bounded by several statutory exemptions. Overreliance on an exemption that does not in fact apply is itself a compliance failure.
The intrastate gambling exemption applies where a state expressly authorises a specific type of online gambling under state law, the gambling is conducted and received within that state’s borders, the state law includes age and location verification requirements, and the gambling is not prohibited by any applicable federal law. New Jersey, Nevada, Delaware, Michigan, Pennsylvania, West Virginia, and Connecticut have each enacted frameworks that can qualify transactions within their systems for this exemption. The exemption is jurisdictional and transactional: a single transaction that crosses state lines does not qualify, even if both states have licensed their respective players.
The tribal lands exemption operates in parallel. Gambling conducted on tribal lands in conformance with a tribal-state gaming compact and applicable tribal ordinances under the Indian Gaming Regulatory Act (IGRA) is not unlawful internet gambling under the statute, provided the relevant federal and tribal law authorises it. The ongoing Ho-Chunk Nation litigation against prediction market operator Kalshi in Wisconsin illustrates that the tribal-land boundary remains a live enforcement question as new product forms test the edges of IGRA.
The fantasy sports carve-out under § 5362(1)(E) exempts participation in fantasy or simulation sports games or educational games where the outcome reflects the relative knowledge and skill of the participants, the prize is established in advance and not determined by the number of participants, winning outcomes are determined predominantly by accumulated statistical results of the performance of multiple real-world athletes, and no winning outcome is based on the score, point spread, or performance of a single real-world team or single athlete in a single event. Daily fantasy sports operators have built their legal foundations on this carve-out. The carve-out does not extend to single-game fantasy products, same-game parlays, or any product where the prize is not determined before play begins.
The fantasy sports exemption requires that outcomes reflect the “relative knowledge and skill of the participants” and that no outcome be based on the performance of a single real-world athlete in a single real-world sporting event, two conditions that actively distinguish compliant DFS from sports wagering.
Horse racing conducted pursuant to the Interstate Horseracing Act of 1978 is separately addressed in the Act. The UIGEA does not clarify the legality of interstate horseracing wagers but acknowledges the IHA’s framework. Operators in that vertical must satisfy both the IHA’s consent requirements from the host state and any applicable state simulcast laws in addition to UIGEA analysis.
What Does the Act Not Prohibit?
Does the UIGEA prohibit internet gambling directly? No. The UIGEA did not specifically prohibit online gambling as an activity. It targeted the financial transactions that support unlawful online gambling. Whether any specific form of internet gambling is “unlawful” depends entirely on applicable federal law (including the Wire Act of 1961) and state law, not on the UIGEA itself.
Is a player who funds an offshore gambling account criminally liable under the UIGEA? No. Section 5363 prohibits those in the business of betting or wagering from knowingly accepting restricted transactions. Players are not in that business, and the statute does not criminalise their conduct. The DOJ’s enforcement approach has reflected this: prosecutions have targeted operators and their payment-processing networks, not individual bettors.
Criminal Penalties and Enforcement Architecture
Section 5366 sets the criminal penalty for violations of § 5363 at up to five years imprisonment, a fine, and a bar from involvement in gambling. The criminal prohibition runs against those who “engage in the business of betting or wagering” and knowingly accept restricted transactions. Entities that structure payment flows to circumvent the statute face prosecution under § 5366 as well as under separate federal fraud and money laundering statutes.
Section 5367 separately imposes liability on ISPs and financial institutions if they themselves operate illegal gambling sites. An ISP’s obligation under § 5365 is triggered differently: the ISP is under no obligation to monitor whether its users are sending funds to gambling sites, but once a U.S. Attorney or state attorney general provides notice, the ISP can be ordered by a court to sever its links to unlawful gambling sites. The notice-and-hearing mechanism under § 5365 is the statute’s primary tool for addressing ISP complicity.
The April 2011 indictments in United States v. Scheinberg (the “Black Friday” case in the Southern District of New York) remain the primary enforcement precedent under the UIGEA. The founders of PokerStars, Full Tilt Poker, and Absolute Poker were among those indicted for charges that included UIGEA violations. According to the U.S. Attorney for the Southern District of New York, the companies attempted to circumvent UIGEA restrictions by routing payments through individuals acting as fictitious payment processors, disguising gambling revenue as payments for non-existent goods including jewellery and golf balls. This transaction-disguising typology is documented in bank examination materials prepared by the U.S. Treasury Department’s Examination Handbook Section 770.
Enforcement Typology: In United States v. Scheinberg (SDNY, April 2011), prosecutors alleged that PokerStars and Full Tilt Poker disguised gambling deposits as payments for fictitious merchandise. Banks and payment processors should treat merchant category code mismatches and high-volume fictitious-goods codes as red flags requiring enhanced due diligence on underlying transaction purpose.
Relationship to Other Federal Laws
The UIGEA operates alongside, and does not replace, the Federal Wire Act of 1961 (18 U.S.C. § 1084). The Wire Act prohibits the use of wire communication facilities for transmitting information assisting in placing bets on sporting events or contests across state lines. The Fifth Circuit’s 2002 ruling in In re MasterCard International held that the Wire Act’s prohibition on the “transmission of information” applies only to sports betting, not to online casino games of chance. The DOJ adopted that position in a 2011 Office of Legal Counsel opinion, which allowed New Jersey, Nevada, and Delaware to proceed with intrastate online casino and poker licensing. In 2018, the OLC partially reversed course, creating renewed ambiguity about interstate data transmissions in non-sports-betting contexts. That question remains unresolved in several circuits.
The Bank Secrecy Act (BSA) imposes independent AML obligations on licensed gambling businesses classified as financial institutions. FinCEN’s rules at 31 CFR Part 1021 require casinos meeting the gross annual gaming revenue threshold to file Currency Transaction Reports for cash transactions exceeding $10,000 within a gaming day, to file Suspicious Activity Reports for transactions of $5,000 or more where the casino knows, suspects, or has reason to suspect money laundering or regulatory evasion, and to maintain written AML compliance programmes with internal controls, independent testing, designated compliance personnel, and ongoing training. These obligations apply to state-licensed internet gambling operators in addition to the UIGEA’s payment-blocking requirements. BSA compliance and UIGEA compliance are parallel obligations, not alternatives. For a broader treatment of AML programme requirements across jurisdictions, see the AML and Financial Compliance hub.
Operator Compliance Obligations in Practice
For any entity seeking to operate internet gambling in a UIGEA-compliant manner in the United States, the compliance architecture rests on three sequential determinations. Each must be satisfied before the next is meaningful.
The threshold determination is whether the specific gambling activity is lawful under applicable federal and state law in the jurisdiction where the player is located. If the underlying activity is unlawful, no payment structure makes the transaction compliant. If the activity is lawful under state licensing and falls within one of the UIGEA’s statutory exemptions, the operator must document that legal basis clearly and maintain it as a living compliance record, not a one-time legal opinion.
The second determination is whether the operator’s payment processing relationships are structured to ensure that payment system participants have the information they need to satisfy their own Regulation GG obligations. Licensed operators in New Jersey, for example, maintain geolocation verification to confirm that all wagers are placed within state borders, combined with age and identity verification at account opening. These controls produce the documentary record that an acquiring bank needs to confirm that the transactions processed on behalf of that operator fall within the intrastate exemption and are therefore not restricted transactions under Regulation GG.
The third determination concerns ongoing monitoring. Operators must monitor their payment flows for indicators that transactions are being routed or coded in ways that obscure their gambling-related purpose. The Black Friday typology of disguised merchant category codes and fictitious goods descriptions remains the primary red flag. Any unexplained divergence between transaction description and the operator’s known revenue lines should trigger internal review and, where the BSA threshold is met, suspicious activity reporting to FinCEN.
Operators expanding from regulated international markets into U.S. state licensing also need to evaluate how their existing payment infrastructure intersects with Regulation GG. A payment processor that has contractual terms prohibiting gambling transactions may refuse service even where the gambling is state-licensed and the UIGEA exemption applies. Renegotiating those terms, or sourcing processors with U.S.-licensed-gambling-specific agreements, is a pre-licensing operational requirement, not a post-launch concern.
The WTO Dimension and International Context
The UIGEA has faced sustained challenge at the World Trade Organization. Antigua and Barbuda initiated dispute proceedings, and the WTO ruled on 25 January 2007 that the United States was in violation of its treaty obligations by not granting full market access to online gambling companies based in Antigua. The WTO confirmed this ruling on 30 March 2007. Antigua subsequently claimed US$3.4 billion in trade sanctions. The United States resolved the dispute by granting concessions in other trade sectors, with details not publicly disclosed by the Bush administration.
The WTO ruling did not alter domestic U.S. law and the UIGEA remains fully in force. The dispute illustrates the tension between domestic payment-blocking regimes and international trade commitments, a tension that compliance counsel advising offshore operators on U.S. market access strategy should weigh alongside the entirely separate question of whether specific transactions violate the statute.
The WTO confirmed in March 2007 that U.S. restrictions on cross-border online gambling supply violated treaty obligations, yet the UIGEA’s payment-blocking architecture remains unchanged, making regulatory arbitrage through offshore structuring legally ineffective for U.S.-player-facing services.
The State-Licensed Market and UIGEA Coexistence
The growth of state-licensed internet gaming in New Jersey, Pennsylvania, Michigan, West Virginia, Connecticut, and Delaware since 2013 has created a functioning coexistence model. State regulators, including the New Jersey Division of Gaming Enforcement and the Michigan Gaming Control Board, impose geolocation, identity verification, and responsible gambling requirements that simultaneously satisfy the UIGEA’s intrastate exemption conditions. The licensing frameworks enacted by the New Jersey Assembly and the Michigan Lawful Internet Gaming Act each contain explicit age and location verification mandates, which are the statutory conditions the UIGEA requires to trigger the intrastate exemption.
Payment processors serving licensed operators in these states have developed specific merchant category codes and transaction routing procedures for state-regulated internet gambling. The Visa and Mastercard networks maintain category codes that distinguish licensed internet gambling from general entertainment, which allows acquiring banks to apply their Regulation GG policies correctly. Operators entering state-regulated markets should confirm that their acquiring bank has established these procedures before go-live, not after.
For compliance teams managing dual exposure across North American regulated markets, the UIGEA framework contrasts sharply with the Canadian approach. In Ontario, the AGCO and iGaming Ontario operate a conduct-and-manage model where the provincial entity is the legal gambling operator and private operators are service providers, a structure that largely insulates payment processing from the federal-law ambiguities that characterise U.S. market entry. For a detailed comparison of the Ontario and Alberta regulatory frameworks, see AGCO vs AGLC: Key Differences in Ontario and Alberta Internet Gaming Regulation.
Key Resources
Unlawful Internet Gambling Enforcement Act of 2006, Public Law 109-347, 31 U.S.C. §§ 5361, 5367. The statute in full, including the § 5362 definitions, § 5363 prohibition, § 5364 regulatory mandate, § 5365 ISP provisions, § 5366 criminal penalties, and § 5367 financial institution liability.
Regulation GG, Prohibition on Funding of Unlawful Internet Gambling, 12 CFR Part 233 (Board of Governors of the Federal Reserve System). The implementing regulation issued November 2008. Sections 233.2 (definitions), 233.3 (designated payment systems), 233.4 (exemptions), 233.5 (policies and procedures required), and 233.6 (non-exclusive safe harbor) set out the compliance programme obligations for payment system participants.
31 CFR Part 1021, FinCEN Rules for Casinos and Card Clubs. The parallel BSA compliance framework applicable to gambling businesses qualifying as financial institutions, including CTR thresholds, SAR requirements, and written AML programme mandates.
U.S. Treasury Examination Handbook Section 770. The OCC/Treasury examination guidance on UIGEA compliance, used by bank examiners when assessing whether depository institutions have adequate Regulation GG policies and procedures in place.
Source: Regulation GG, 12 CFR Part 233 (Federal Reserve Board, November 2008); 31 U.S.C. §§ 5361, 5367 (Public Law 109-347, October 13, 2006); 31 CFR Part 1021 (FinCEN, as amended).
This article provides a general compliance reference. The UIGEA’s application to specific business models, transaction types, and state-licensed products involves fact-specific legal analysis. Operators and payment system participants should consult qualified U.S. gaming and financial regulatory counsel before relying on any statutory exemption or structuring payment arrangements for internet gambling services. For practical guidance on structuring compliant payment arrangements in state-licensed markets, see our Payment Compliance resource hub.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.