Single Customer View for RG: Where Cross-Brand Aggregation Is Compulsory in 2026
UKGC and MGA impose cross-brand RG aggregation obligations that differ sharply in scope and trigger. Here is exactly what each regime requires in 2026.
Multi-brand gambling groups face a structural compliance problem: a customer who is accruing harm indicators on Brand A may be invisible to Brand B, Brand C, and every affiliate skin within the same corporate portfolio. The UK Gambling Commission and the Malta Gaming Authority have each addressed this with binding obligations, though the scope, trigger conditions, and data-sharing architecture they mandate differ significantly. Understanding precisely where the compulsion sits, and where discretion remains, determines how a group-level responsible gambling programme must be built in 2026.
What Is a Single Customer View in the RG Context?
A Single Customer View, in the responsible gambling context, is an integrated data profile that aggregates a customer’s gambling behaviour across all touchpoints where the operator has visibility: multiple brands, multiple verticals, multiple channels. The purpose is to enable harm identification that accounts for the totality of a player’s activity rather than any isolated slice of it.
The UKGC framed the problem precisely in February 2020 when it challenged the online gambling industry, represented by the Betting and Gaming Council, to develop an SCV solution. The Commission’s own evidence underpinned that challenge: online gamblers hold an average of three accounts, younger gamblers hold materially more, and the risk of harm is elevated among those who participate in multiple gambling activities simultaneously. A customer who deposits £400 a week across four brands operated by the same group, or across four different licensees, may trigger no single-brand alert at any of them.
This cross-operator view of a customer’s gambling activities could help identify and prevent potential gambling harms in those who hold accounts with more than one gambling company.
Source: UK Gambling Commission, ‘An Update on the Single Customer View Industry Challenge’, 7 October 2021, gamblingcommission.gov.uk.
The SCV concept splits into two distinct obligations depending on the regulator. The UKGC has imposed cross-brand aggregation as an intra-group expectation embedded within its customer interaction framework, while exploring cross-operator (inter-group) data sharing through separate regulatory initiatives. The MGA has codified specific cross-brand obligations directly into Directive 2 of 2018, its Player Protection Directive. Both frameworks are in force in 2026.
MGA: Where Cross-Brand Aggregation Is Directly Codified
The MGA’s most explicit cross-brand aggregation rule sits within Article 11 of Directive 2 of 2018 (Player Protection Directive, V3 January 2023), which governs self-exclusion obligations for B2C licensees.
The core rule operates on a trigger-and-scope logic. Where a B2C licensee operates multiple brands with separate player registration, a player requesting self-exclusion for a reason other than problematic gambling may have the exclusion applied solely to the brand on which the request was made. That discretion collapses entirely when the trigger is gambling-related harm. The Directive is explicit: where a player has been excluded in light of sufficient reasons indicating that the player may have a gambling problem, whether at their own request or on the licensee’s initiative, that player must be excluded across all brands operated by the B2C licensee, irrespective of whether the brands require separate player registration and irrespective of whether the player holds an account with any given brand in the portfolio.
In the event that a player has been excluded in light of sufficient reasons which indicate that the player may have a gambling problem… that player shall be excluded across all brands operated by the B2C licensee, irrespective of whether the brands require separate player registration.
Source: MGA, Directive 2 of 2018, Player Protection Directive, Article 11(4), V3 January 2023.
The MGA Compliance Audit Manual (MGA/G/001) reinforces this at the supervisory level. Audit checklist item 6.10.1 requires auditors to determine whether the licensee is excluding players from all brands when a player is classified as a problematic gambler by the licensee. This is not a guidance note: it is an active audit criterion. Licensees that cannot demonstrate a functional all-brand propagation mechanism for problem-gambling exclusions will face findings at compliance audit.
The MGA’s FAQ documentation makes the operational implication unambiguous: a player can self-exclude across all brands which a licensee offers on request. When the self-exclusion arises from problematic gambling, propagation to all brands operated by the licensee is mandatory regardless of whether the player has ever registered on those other brands.
MGA: Cross-Brand Aggregation for Deposit and Wagering Limits
Article 9 of Directive 2 of 2018 extends the cross-brand logic to financial limits. Where a B2C licensee allows players to hold more than one account on a single brand, or across two or more brands where those brands do not require separate player registration, any player-set limit must prevail across all accounts. The rule creates an aggregation obligation that applies automatically when accounts are linked or share registration, without the need for a harm trigger.
Where brands do require separate player registration, the position relaxes: the licensee may allow limits to apply solely to the brand on which the player requested them. The compliance design consequence is significant for group operators. Where a group operates co-registered brands, with single sign-on, shared wallet, or unified account management, the full cross-brand limit obligation applies by default. Where it operates genuinely siloed brands with independent registration and player records, the limit can be brand-scoped. The harm-trigger override from Article 11 still applies in all cases: separate registration does not isolate a problem-gambling exclusion.
The practical architecture required for MGA compliance therefore needs at minimum two capabilities. The system must identify whether a player’s accounts across brands share registration status. It must also maintain a real-time flag that, when a problem-gambling indicator reaches the threshold for exclusion, propagates that exclusion to every brand in the portfolio regardless of registration silo.
UKGC: The Intra-Group Obligation Under LCCP SR Code 3.4.3
The UKGC’s Licence Conditions and Codes of Practice do not use the phrase “single customer view” as a defined obligation. The cross-brand aggregation expectation for UK licensees is instead derived from SR Code 3.4.3, which governs remote customer interaction and came into full force on 31 October 2023.
SR Code 3.4.3 requires licensees to implement effective customer interaction systems and processes that minimise the risk of customers experiencing harms associated with gambling. Those systems and processes must embed three elements: identify, act, and evaluate, and must reflect that customer interaction is an ongoing process. The Commission’s guidance on customer interaction for remote operators, which licensees must take into account under SR Code 3.4.3(2), elaborates on what “effective” means in practice.
For a multi-brand group, implementing SR Code 3.4.3 at the level of a single brand without aggregating behaviour across the group’s other brands creates a structural compliance gap. The Commission’s own evidence base, that at-risk customers hold multiple accounts and that cross-activity gambling elevates harm risk, means that a brand-level monitoring system will systematically under-detect harm. The Commission has not published a formal ruling that intra-group SCV is mandatory, but the expectation embedded in the “effective” systems requirement, read alongside the evidence the Commission itself cites, creates a strong compliance case for group-level aggregation. Compliance teams operating multi-brand UK-licensed groups should treat intra-group SCV as a material component of demonstrating SR Code 3.4.3 compliance.
Compliance note: UKGC SR Code 3.4.3 does not explicitly require intra-group SCV, but the Commission’s guidance frames “effective” customer interaction systems against its evidence on multi-account harm. Operators should document how their group-level data aggregation architecture supports the identify-act-evaluate framework. Legal counsel should review this documentation ahead of any enforcement engagement. For the full text of the LCCP, including SR Code 3.4.3, see the UKGC LCCP explorer.
UKGC LCCP and the GAMSTOP Obligation: Cross-Operator Self-Exclusion
SR Code 3.5.5 of the LCCP mandates participation in the multi-operator self-exclusion scheme for remote operators. The Commission made participation in GAMSTOP mandatory for all online gambling operators in March 2020. GAMSTOP operates at the inter-group level: it enables a customer to self-exclude from all licensed remote gambling sites and apps in Great Britain in a single request, rather than operator by operator.
GAMSTOP is the mechanism for cross-operator self-exclusion, not for the aggregation of harm signals short of self-exclusion. It handles the most severe end of the spectrum, the customer who has self-referred for exclusion, but does not create a mechanism by which softer behavioural risk signals are shared between licensees in real time. That gap is what the Single Customer View initiative, and its successor GamProtect, were designed to address.
GamProtect: The UK’s Voluntary Cross-Operator SCV in Practice
GamProtect emerged from the UKGC’s February 2020 SCV challenge as the industry’s cross-operator data-sharing initiative. It was championed within the Commission’s own regulatory development work as a tool to form what was described as a “single eye of the customer,” enabling participating licensees to identify and voluntarily restrict customers exhibiting severe indicators of gambling-related harm.
GamProtect is voluntary. Participation demonstrates a licensee’s commitment to the identify-act-evaluate framework under SR Code 3.4.3, but non-participation is not in itself a licence condition breach. The scheme’s scope is limited to customers displaying severe harm indicators: it is not a general data-pooling arrangement. Its legal architecture rests on the ICO Regulatory Sandbox analysis completed in October 2021.
Does a Problem-Gambling Exclusion on One Brand Automatically Apply to All Others?
Under the MGA framework, yes. The obligation in Directive 2 of 2018 is unambiguous: a problem-gambling-triggered exclusion, whether self-initiated or operator-initiated, must be applied to every brand the B2C licensee operates. The player need not hold an active account on the other brands. The exclusion is portfolio-wide.
Under the UKGC framework, the answer is more nuanced. GAMSTOP covers the full remote licensed estate of Great Britain when a player self-refers for exclusion via the national scheme. An operator-initiated restriction, such as a deposit limit, a reduced marketing flag, or a harm-triggered account review, imposed by one brand within a multi-brand group is not mandated by the LCCP to propagate automatically to sibling brands under a separate licence. The Commission’s “effective systems” language under SR Code 3.4.3 nonetheless creates pressure on multi-brand groups to implement intra-group signal sharing, particularly for customers showing repeated harm indicators across multiple brands in the same portfolio.
The UK GDPR Legal Basis for Cross-Operator Data Sharing
The data protection dimension of any SCV or cross-brand aggregation arrangement is non-trivial. In November 2020, the UKGC entered the ICO’s Regulatory Sandbox specifically to establish whether an appropriate lawful basis under UK GDPR exists for sharing behavioural data between gambling operators for harm identification purposes.
The ICO’s Phase 1 Sandbox report, published on 7 October 2021, confirmed two potential lawful bases under Article 6 of the UK General Data Protection Regulation. Article 6(1)(e), Public Task, may apply where there is a domestic legal basis from which the processing originates and the sharing is carried out in the public interest. The ICO confirmed this does not require a legal obligation, but there must be a law from which the processing can be derived. Article 6(1)(f), Legitimate Interests, may also apply, encompassing the interests of individuals at risk of problem gambling, the interests of operators in meeting their legal requirements, and the interests of society. Those interests must be balanced against the fundamental rights and freedoms of all data subjects whose data may be shared.
The ICO was clear that while both bases may apply, each deployment of a cross-operator SCV system requires its own necessity and proportionality analysis. The sandbox outcomes do not function as a blanket clearance. Each participating operator must conduct a Legitimate Interests Assessment or satisfy itself that the relevant public task basis is established in its specific circumstances. Any SCV architecture that processes special category personal data, such as data that reveals health information about a player’s gambling disorder, must additionally satisfy an Article 9 condition under UK GDPR.
| Dimension | UKGC Position | MGA Position |
|---|---|---|
| Cross-brand self-exclusion (problem gambling) | Not explicitly codified in LCCP as an intra-group requirement, GAMSTOP covers inter-operator exclusion | Compulsory across all licensee brands, Directive 2 of 2018, Art. 11(4) |
| Cross-brand financial limits | Customer-led limits required per brand, no explicit aggregation mandate for separately registered brands | Aggregation required where no separate brand registration, brand-scoped where separate registration, unless harm trigger overrides |
| Cross-operator harm signal sharing | GamProtect (voluntary); GAMSTOP (mandatory for self-exclusion only) | No cross-licensee mechanism mandated, obligation is intra-group only |
| Regulatory basis for data sharing | UK GDPR Art. 6(1)(e) or 6(1)(f); ICO Sandbox Phase 1 confirmed potential applicability | EU GDPR as Malta’s data protection regime, no MGA-specific sandbox equivalent published |
| Audit exposure | SR Code 3.4.3 effectiveness, GAMSTOP participation under SR Code 3.5.5 | Audit checklist 6.10.1, all-brand exclusion for problem gamblers |
Emerging Approaches: Pseudonymised Data Pooling Beyond the Group
The debate about what a true cross-operator SCV looks like beyond the intra-group context is live in 2026. The Czech Republic’s IRIS project operates a platform on which licensed operators share pseudonymised behavioural identifiers to track player risk across multiple operators simultaneously, as reported by iGaming Business in July 2026. New Czech legislation explicitly permits this exchange of pseudonymised data for player protection purposes, creating a domestic legal basis of exactly the type the ICO identified as necessary for the Art. 6(1)(e) Public Task condition. The model measures success through longitudinal changes in player behaviour rather than the volume of interventions sent, and is designed to prevent the regulatory arbitrage through which responsible operators lose customers to less constrained competitors within the same licensed market.
The Czech IRIS framework represents one implementation of the SCV architecture that the UKGC’s 2020 challenge and the ICO’s 2021 Sandbox analysis pointed toward. Whether the UK will create a statutory basis for an equivalent mandatory cross-operator scheme, the next logical step beyond voluntary GamProtect participation, remains an open regulatory question as of mid-2026.
Operational Implementation Checklist for Multi-Brand Groups
MGA-licensed groups operating multiple brands must ensure their player account management architecture can execute a real-time all-brand exclusion the moment a problem-gambling trigger is confirmed. The exclusion must apply to brands on which the player has no active account. Documentation of the trigger criteria and the propagation workflow is an active audit requirement under MGA/G/001 checklist item 6.10.1.
MGA-licensed groups must also map which brand pairs share registration and which operate under separate registration. For co-registered brands, financial limits set by a player aggregate automatically across all linked accounts under Article 9 of Directive 2 of 2018. For separately registered brands, limits are brand-scoped unless a problem-gambling trigger overrides. The mapping must be technically implemented, not just documented.
UKGC-licensed groups should maintain a group-level customer data view that supports the identify-act-evaluate cycle under SR Code 3.4.3. Where a group holds multiple remote operating licences, the customer interaction systems on each licence should draw on intra-group behaviour data to the extent technically achievable. All remote operators must participate in GAMSTOP under SR Code 3.5.5. Participation in GamProtect should be assessed as a mechanism for meeting the “effective systems” standard under SR Code 3.4.3 for groups operating at scale.
On data protection, any intra-group or cross-operator data sharing arrangement must have a documented UK GDPR (or EU GDPR for MGA-licensed entities serving EEA players) lawful basis. For UK operators, the ICO’s Sandbox findings support either Art. 6(1)(e) or Art. 6(1)(f), but the necessity and proportionality analysis must be specific to the deployment. A Legitimate Interests Assessment or equivalent Public Task justification is required documentation. Where the data processed reveals a player’s health status in the context of a gambling disorder, an Art. 9 special category condition must also be identified and documented. Operators should take qualified legal advice on the data protection architecture before deploying any cross-brand or cross-operator aggregation system.
Key deadlines: UKGC LCCP SR Code 3.4.3 customer interaction requirements are in full force as of 31 October 2023. MGA Directive 2 of 2018 V3 has been in force since January 2023. Multi-brand operators that have not yet implemented compliant cross-brand propagation mechanisms for problem-gambling exclusions are out of compliance with the MGA’s direct obligation and face material risk under the UKGC’s effectiveness standard.
The Responsible Gambling Compliance hub covers the full architecture of RG obligations across all 17 regulated jurisdictions on this site, including the national self-exclusion register models in the UK, Sweden, Denmark, Germany, Spain, and France alongside the operator-level models in Malta, Curaçao, and the US states. For a detailed side-by-side comparison of UKGC and MGA licence obligations across all dimensions, see UKGC vs MGA: Comparing Licence Costs, Timelines, and Operational Requirements.
Key Resources
UKGC Licence Conditions and Codes of Practice (version effective 6 April 2026): gamblingcommission.gov.uk/licensees-and-businesses/lccp, covers SR Code 3.4.3 remote customer interaction and SR Code 3.5.5 multi-operator self-exclusion (GAMSTOP).
UKGC Single Customer View Industry Challenge Update (7 October 2021): gamblingcommission.gov.uk/news/article/an-update-on-the-single-customer-view-industry-challenge, primary document establishing the SCV framework and ICO Sandbox Phase 1 findings on UK GDPR lawful bases.
MGA Directive 2 of 2018, Player Protection Directive (V3, January 2023): mga.org.mt, Articles 9 and 11 contain the cross-brand financial limits and problem-gambling exclusion obligations. Available as PDF via the MGA regulatory framework page.
MGA Compliance Audit Manual (MGA/G/001, August 2018 v1): mga.org.mt, audit checklist item 6.10.1 governs examiner review of all-brand exclusion for problem gamblers.
ICO Regulatory Sandbox Phase 1 Outcomes Report (October 2021): ico.org.uk, confirms potential UK GDPR lawful bases for cross-operator behavioural data sharing in the gambling harm context.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.