Skip to content
2,151 standards indexed across 19 jurisdictions View the Atlas
3 hubs live · 3 more in the pipeline See all compliance topics
Daily news + multi-week series Browse all insights
3 tools live · 4 interactive tools in development Roadmap
Comparison · RG Compliance 15 min read Jun 18, 2026

Affordability Checks: How UKGC, MGA and Spelinspektionen Frame Operator Implementation Differently

Three regulators, three architectures: the UKGC mandates threshold-triggered financial checks, the MGA delegates to operators, and Sweden demands continuous behavioural profiling. See how each framework affects your workflow.

Matt Denney

By

Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published Jun 18, 2026 Updated Jun 19, 2026 15 min read Filed Responsible Gambling Compliance

Three regulators have each decided that operators must do something about customers who spend money they cannot afford to lose. The UK Gambling Commission has codified that obligation into two precisely calibrated, threshold-triggered checks embedded in the LCCP. The Malta Gaming Authority has left the mechanism largely to operator discretion, anchoring it within a broader player protection framework. Spelinspektionen in Sweden has constructed a continuous duty of care, the omsorgsplikt, that attaches to every gambling licence and demands ongoing behavioural profiling rather than any single financial test. Each approach reflects a different theory of regulatory design, and each creates a materially different compliance burden for operators holding licences in more than one jurisdiction.

One clarification before the comparison: “affordability checks” is market shorthand, not a single legal category. None of these three regimes defines the term, and the UKGC in particular is explicit that its Financial Risk Assessments are not affordability checks and do not attempt to assess what a customer can afford to gamble. The phrase is a convenient umbrella for the player-protection-driven financial controls each regulator imposes, but the underlying obligations differ in kind, not merely in threshold.

The UKGC Model: Prescribed Thresholds, Two-Tier Architecture

The UK Gambling Commission’s framework draws a firm line between two concepts the industry had previously conflated. Financial Vulnerability Checks (FVCs) are “light-touch” and frictionless, designed to surface publicly available indicators of financial distress. Financial Risk Assessments (FRAs) are a more intensive credit-reference-based review for higher-spending accounts. Both sit within the Licence Conditions and Codes of Practice, but the Commission has been deliberate about separating their scope and rationale.

LCCP Social Responsibility Code 3.4.4 gives FVCs their operative force. From 28 February 2025, the relevant threshold is where a customer’s deposits minus withdrawals exceed £150 in a rolling 30-day period. Between 30 August 2024 and 27 February 2025, the threshold was £500. When a customer reaches the threshold, the licensee must conduct an FVC against publicly available data, including bankruptcy registers, county court judgments, and similar indicators, without interrupting the customer journey. A licensee is not required to repeat the check if it has completed an FVC or an FRA within the previous 12 months. The licensee must then record the rationale for any proportionate action taken.

LCCP Requirement: Under UKGC LCCP SR Code 3.4.4, the FVC threshold from 28 February 2025 is where net deposits exceed £150 in a rolling 30-day period. The check must be frictionless and use publicly available data. No documentary evidence from the customer is required or permitted without a specific regulatory basis.

The UKGC has been explicit that FVCs do not constitute an assessment of what a customer can afford to gamble. Tim Miller, the Commission’s Executive Director, stated at the Ethical Gambling Forum in London: “The checks we have been piloting will not even attempt to make an assessment of what each customer can afford to gamble.” The Commission has also signalled that operators asking for bank statements or payslips after an FVC lack a “legitimate regulatory purpose” for doing so, guidance the Commission intends to formalise. This clarification is operationally significant: it instructs remote gambling licensees that the check is a vulnerability signal, not an income verification exercise.

Financial Risk Assessments sit at a higher-spend tier than FVCs, draw on credit reference agency data, and remain under review. The Commission’s consultation proposed FRAs for unusually high loss levels, more than £1,000 within a rolling 24-hour period or £2,000 within a rolling 90-day period, with lower triggers proposed for customers aged 18 to 24. The FRA pilot tested whether credit-reference-agency data could support a frictionless assessment process for this high-spending cohort; it did not turn the £500 or £150 FVC thresholds into FRA triggers. Pilot data indicated that 97% of customers who reach the trigger would complete a frictionless assessment without customer-facing disruption. Only around 0.1% of active accounts, one in a thousand, would be unable to complete the check without additional support. The Commission’s board met on 21 May 2026 to consider next steps on FRA rollout but had not reached a final implementation decision as of that date, according to a spokesperson statement reported by SBC News.

“Less than 3 percent of active customers would trigger intervention steps based on the new pilot. Meanwhile, 97 percent would undergo a frictionless assessment, without disruption.”, UKGC pilot data, as cited by Commission Executive Director Tim Miller at the Ethical Gambling Forum.

LCCP SR Code 3.4.3, which governs broader remote customer interaction, provides the surrounding architecture within which FVCs and FRAs operate. This code requires licensees to implement effective customer interaction systems embedding three elements: identify, act, and evaluate. Licensees must document how automated and manual review processes interact, including the circumstances in which immediate action is necessary when significant risk is identified. The financial checks feed into the broader customer interaction record and must be traceable through the licensee’s monitoring and evaluation framework.

What Does the UKGC Framework Mean for Operator Workflow?

Remote gambling licensees must trigger an FVC automatically when the £150 net deposit threshold is reached, drawing on publicly available data without manual intervention in the customer journey. The operator must record whether the check returned any indicators of vulnerability, what proportionate action was taken, and the rationale for that decision. Where the customer has previously received an FVC or FRA within 12 months, the re-check obligation does not apply at the next threshold crossing.

Operators should configure their monitoring systems to track the 12-month window per customer and to escalate accounts flagging bankruptcy or debt default to human review under the broader LCCP 3.4.3 customer interaction duty. The Betting and Gaming Council has disputed the Commission’s estimated coverage figures, arguing that the true proportion of customers affected by FVCs could reach 5% of the active base, rising to 10% for customers who wager every month. The BGC has also raised concerns about data accuracy and the reliability of credit reference agency outputs when applied to gambling spend patterns. Compliance teams should test their system logic against both the Commission’s 3% estimate and the BGC’s higher bound when modelling capacity for manual review escalations.

The MGA Model: Operator-Led Risk Assessment Within a Defined Framework

The Malta Gaming Authority has not prescribed a monetary threshold for financial vulnerability checks. Directive 2 of 2018 (the Player Protection Directive), which came into force on 1 August 2018 under the authority of Article 7(2) of the Gaming Act (Cap. 583 of the Laws of Malta), sets out the minimum player protection tools that B2C licensees must provide. These include mandatory self-exclusion, either deposit limits or wagering limits, and reality checks. Loss limits and session time limits are encouraged but not mandatory. The Directive does not require operators to interrogate a player’s financial circumstances at a defined spend level.

The MGA’s Compliance Audit Manual provides more operational texture. Auditors are required to check whether the licensee’s system flags a deposit where the total accumulation of deposits equals or exceeds €2,000, calculated either on a daily basis taking into account all deposits since the establishment of the business relationship, or on a rolling 180-day period. This is an AML-adjacent monitoring obligation rather than a standalone affordability check, and it is the closest the MGA framework comes to a monetary trigger for enhanced review. The threshold aligns with the FIAU’s customer due diligence requirements rather than a responsible gambling rationale.

Source: Malta Gaming Authority, Directive 2 of 2018, Player Protection Directive, in force 1 August 2018, MGA Compliance Audit Manual (version August 2018, MGA/G/001), section 6.17.

For responsible gambling purposes, the MGA’s framework operates through player profiling and risk-segmentation tools that the operator designs. The Compliance Audit Manual checks whether enhanced due diligence is carried out on high-risk players, whether source of wealth and source of funds are requested for high-risk profile players, and whether the licensee has controls to detect politically exposed persons. These checks are triggered by the operator’s internal risk classification, not by a regulator-specified deposit figure.

MGA licensees serving players in jurisdictions with their own mandated checks, such as the UK and Sweden, must apply those local requirements on top of the MGA baseline. The MGA framework creates a compliance floor, point-of-consumption regulators in the player’s home market can and routinely do impose a higher ceiling.

What Does the MGA Framework Mean for Operator Workflow?

MGA licensees must implement the mandatory player protection tools under Directive 2 of 2018, maintain a responsible gaming page no more than one click from any page on the site, and display helpline information prominently. For financial profiling, the operator’s internal risk framework determines when enhanced review of a player’s financial position is warranted. The Compliance Audit Manual places an auditor expectation on €2,000 deposit accumulation flagging, but the response to that flag is governed by the licensee’s own AML/CDD procedures, not by a responsible-gambling affordability rule.

An MGA compliance audit examines whether high-risk players received enhanced scrutiny, not whether every player who deposited above a specified amount was reviewed. This distinction is meaningful: it shifts the compliance burden from process (did the check trigger automatically?) to substance (did the operator identify and act on risk indicators appropriately?). Operators should document their risk segmentation logic clearly and ensure the rationale for each high-risk classification is auditable. The MGA’s enforcement register confirms that licence revocations and suspensions have followed failures in the underlying risk management architecture rather than failures to apply a specific threshold test.

The Swedish Model: Omsorgsplikt and Continuous Behavioural Profiling

Sweden’s approach is architecturally distinct from both the UKGC and the MGA. Chapter 14, Section 1 of Spellagen (2018:1138) imposes an omsorgsplikt, a duty of care, on every holder of a Swedish gambling licence. The statutory text states that licensees shall ensure that social and health considerations are observed in gambling operations to protect players against excessive gambling and to help them reduce their gambling where there is reason to do so. Continuous monitoring of gambling behaviour is a component of this duty. Licensees must prepare a handlingsplan (action plan) setting out how the omsorgsplikt will be fulfilled.

The regulations issued under the previous authority of Lotteriinspektionen (now Spelinspektionen), specifically LIFS 2018:2 on gambling responsibility, and Spelinspektionen’s own Omsorgsplikt Vägledning (guidance on the duty of care) provide operational content. The guidance makes clear that the duty requires a holistic assessment of each individual player’s needs. Spelinspektionen developed the guidance in collaboration with the gambling industry, the Swedish Public Health Agency (Folkhälsomyndigheten), and organisations providing support to players and family members.

The indicators that licensees must monitor include changes to deposit limits, loss limits, login time, and shifts in gambling behaviour. The guidance specifies that where a player sets or holds a deposit limit higher than SEK 10,000 per month, the licensee must make direct contact with that player by email or telephone, not merely a pop-up message, in a way that enables the player to respond. A pop-up alone is expressly insufficient to satisfy the omsorgsplikt in this context. The Linköping Administrative Court confirmed this principle implicitly when it reviewed Spelinspektionen’s enforcement action against LeoVegas (operating as Roar Vegas): the court found that Roar Vegas’s automated alerts and manual follow-ups had in fact reduced gambling activity for the three flagged accounts, and that the duty of care does not mandate specific, rigid timetables for intervention.

“Det är licenshavarnas ansvar att avgöra vilka indikatorer för överdrivet spelande som är relevanta att utgå från i sin spelverksamhet och vilken typ av spelansvarsåtgärder som är effektiva för att skydda spelarna.” (It is the licensees’ responsibility to determine which indicators of excessive gambling are relevant in their operations and what type of responsible gambling measures are effective to protect players.), Spelinspektionen, Omsorgsplikt Vägledning.

Additional risk factors the guidance identifies for heightened attention include a player’s history of prior self-exclusions and younger players aged 18 to 24. Neither carries a monetary threshold, both require the licensee to increase the intensity of monitoring and, where warranted, to apply restrictions or access limitations (tillträdesbegränsningar). The escalation ladder runs from feedback on gambling behaviour, through deposit limit restrictions and marketing exclusion, to full account suspension and referral to treatment services.

Sweden’s Credit Ban: A Structural Complement to the Duty of Care

From 1 May 2026, all Swedish gambling licensees must ensure that customer deposits are not processed from sources traceable to credit cards, overdrafts, financial loans, or buy-now-pay-later services. This obligation was enforced as a regulatory condition under Swedish Gambling Act reforms overseen by Financial Markets Minister Niklas Wykman. The credit ban extends to e-wallets: licensees must verify that payment providers are not offering deferred payment services to fund gambling accounts. This is categorically different from the UKGC or MGA approaches, removing a harmful payment vector structurally rather than monitoring spend after the fact.

The credit ban does not replace the omsorgsplikt. Operators holding Swedish licences must continue to profile player behaviour, monitor deposit limit changes, and act on indicators of excessive gambling under Chapter 14 of Spellagen, independently of whether the customer is using credit-funded deposits. The two obligations operate in parallel, and compliance teams must not treat the credit ban as a substitute for the full duty-of-care framework.

How Does Spelinspektionen Enforce the Duty of Care?

Spelinspektionen conducts supervisory reviews focused on the highest-loss players within defined age cohorts, sampling accounts specifically selected from the 18-24 and 25-plus bands. In its 2025 action against Roar Vegas, three accounts with monthly deposit limits between SEK 100,000 and SEK 300,000, combined with indicators including rapid deposits and losses and lengthy session durations, formed the basis of the enforcement action. Spelinspektionen imposed a fine of SEK 8 million (approximately USD 852,867).

The Administrative Court in Linköping quashed that fine on 12 June 2026. According to iGamingBusiness, the court found that the operator’s detailed records and action plans undermined the regulator’s claims of a serious breach. A key legal finding was that long session durations are common among sports bettors and do not by themselves establish problem gambling. The ruling illustrates that omsorgsplikt enforcement is evidence-dependent: Spelinspektionen must demonstrate specific failures with specific accounts, not assert that indicators were present. Operators who maintain detailed, contemporaneous records of their interventions and outcomes are better placed to rebut supervisory findings than those who rely solely on automated system logs.

Comparing the Three Frameworks: A Structural Overview

Dimension UKGC (UK) MGA (Malta) Spelinspektionen (Sweden)
Trigger mechanism £150 net deposit in 30 days (FVC); higher-spend FRA (under review) No prescribed monetary trigger, operator risk-segmentation No monetary trigger, continuous behaviour monitoring
Data source for check Publicly available data (FVC); credit reference agency (FRA) Operator’s internal CDD/AML risk profile Operator’s behavioural monitoring system
Customer-facing friction Designed to be frictionless, document requests prohibited post-FVC Tool provision mandatory, intrusive checks at operator discretion Direct contact (email/phone) required at SEK 10,000+ monthly limit
Action plan required Policies and procedures under LCCP 3.4.3 Responsible gaming page and tools under Directive 2 of 2018 Handlingsplan mandatory under Spellag Ch. 14
Credit funding No general ban (individual lender-level controls) No ban Prohibited from 1 May 2026
Key enforcement precedent Systematic LCCP 3.4.3 failures cited in major operator enforcement cases Licence suspension for systemic player protection failures Roar Vegas SEK 8m fine (March 2025), overturned June 2026

Multi-Licence Compliance: Where the Frameworks Intersect

Operators holding licences from more than one of these regulators face a layering challenge. An MGA-licensed operator that also holds a UKGC remote operating licence must apply the LCCP FVC regime to UK-resident customers, regardless of what the MGA requires at a baseline. An operator with a Swedish licence must apply both the credit ban and the omsorgsplikt, regardless of whether it also operates under MGA or UKGC supervision.

The most common compliance gap in multi-licence environments is the assumption that meeting the highest single standard satisfies all others. It does not. The UKGC FVC is a threshold-triggered, externally verified check using credit reference data. The Swedish omsorgsplikt is a continuous, internally documented monitoring programme. The MGA’s player protection framework requires the provision of tools and internal risk classification. These are not substitutes for each other, they are parallel obligations requiring separate system configurations and documentation chains.

Compliance teams managing cross-jurisdictional portfolios should map customer populations by residence jurisdiction at account level, not at product level, and ensure that the monitoring system applies the correct regulatory regime to each customer automatically. Where a customer’s residence cannot be verified, the more stringent framework should apply as a default. Legal counsel should confirm the applicable residence-jurisdiction rules for each regulator, as point-of-consumption authority determinations vary.

Practice point: Multi-licence operators should maintain separate documentation streams for UKGC FVC records (threshold-triggered, 12-month re-check exemption), Swedish omsorgsplikt action records (continuous, per-player), and MGA risk-classification records (risk-based, AML-integrated). A single customer record may need to satisfy all three simultaneously for a player who holds accounts with the same operator across jurisdictions.

Sanctions Precedent: What Enforcement Tells Operators

The UKGC’s enforcement history on customer interaction failures provides the most developed precedent. Actions against major remote gambling operators have consistently cited failures under LCCP 3.4.3, specifically inadequate interaction with customers showing clear indicators of harm and delays in escalating high-risk accounts to enhanced review. These cases establish that the Commission’s threshold for enforcement is not the failure to trigger a check at the exact £150 mark, it is the systematic absence of effective interaction systems. Operators that complete the FVC without acting on the resulting indicator may still face enforcement under the broader customer interaction code.

Sweden’s enforcement picture is still developing, and the Roar Vegas outcome complicates any straightforward reading of Spelinspektionen’s approach. The court’s June 2026 ruling established that omsorgsplikt enforcement requires unambiguous, account-specific evidence of harm and a clear causal link between the operator’s failure and the harm suffered. Spelinspektionen cannot rely on the presence of risk indicators alone. For operators, detailed contemporaneous records of each intervention, follow-up action, and outcome evaluation are the primary defence against supervisory action.

The MGA enforcement register shows that licence suspensions and revocations for player protection failures typically arise from systemic, multi-breach failures rather than a single threshold miss. An MGA licensee that cannot demonstrate a functioning player protection system, with self-exclusion working correctly, limits enforced, and the responsible gaming page accessible, will face escalating compliance and enforcement action. The authority’s audit manual places specific weight on whether enhanced due diligence was conducted on high-risk players and whether source of wealth was obtained for those profiles.

Operators and their compliance teams should consult qualified legal counsel to confirm the specific obligations applicable to their licence categories, customer base, and operating jurisdictions before finalising implementation frameworks for any of these three regimes.

Key Resources

UKGC Licence Conditions and Codes of Practice (SR Codes 3.4.3 and 3.4.4), the primary instrument for remote customer interaction and financial vulnerability check obligations. Available at gamblingcommission.gov.uk.

MGA Directive 2 of 2018, Player Protection Directive, the foundational player protection instrument for all MGA B2C licensees, setting out mandatory tools and the operator obligations framework. Available at mga.org.mt.

Spellag (2018:1138), Chapter 14, Spelansvar och konsumentskydd, the statutory basis for Sweden’s omsorgsplikt, as amended to SFS 2026:90. Available via riksdagen.se.

Spelinspektionen Omsorgsplikt Vägledning, Spelinspektionen’s operational guidance on fulfilling the duty of care, developed with Folkhälsomyndigheten and player support organisations. Available at spelinspektionen.se.

UKGC Gambling Act Review White Paper (April 2023), the policy document that established the two-tier FVC/FRA framework and set the direction for the current LCCP changes. Available at gamblingcommission.gov.uk.

For the full UKGC LCCP rulebook and a structured view of remote gambling requirements, see the UKGC LCCP explorer. For the broader responsible gambling compliance landscape across all major jurisdictions, see the Responsible Gambling Compliance hub. For a cost-side comparison of UKGC and MGA licences, see UKGC vs MGA in 2026: Which Licence Actually Costs More to Maintain.

Matt Denney

Matt Denney

Editorial · gamingcompliance.io

Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.

Related coverage · also tagged Responsible Gambling Compliance

Browse all →

Responsible Gambling Compliance

UKGC Financial Vulnerability Checks and FRAs: Thresholds, Timelines, and CRM Trigger Points

Jul 13 · 15 min read

Responsible Gambling Compliance

Single Customer View for RG: Where Cross-Brand Aggregation Is Compulsory in 2026

Jul 11 · 13 min read

Responsible Gambling Compliance

GamCare, BeGambleAware and ANJ Treatment Partners: Operator Integration Obligations in 2026

Jul 4 · 15 min read

The Tuesday brief, every week.

One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.

Unsubscribe with one click. We'll never share your address.