Cross-Border Player Onboarding: When KYC From One Jurisdiction Counts in Another
Can KYC completed in one jurisdiction satisfy another regulator's obligations? This guide maps the legal mechanisms, equivalence tests, and group-sharing models compliance teams must implement.
A player registers with a group’s UK-licensed brand, passes full KYC including identity verification and a source-of-funds assessment, and then opens an account with the same group’s Malta-licensed brand. The compliance question is straightforward and the answer is not: does the MGA-licensed entity need to re-verify that player from scratch, or can it rely on the work already done by its UK sister? The practical answer is a conditional yes, conditional on satisfying distinct legal frameworks that operate in parallel, each with its own equivalence tests, data-access requirements, and non-delegable obligations.
The Foundational Rule: Liability Belongs to the Receiving Entity
Every operative reliance framework across the major iGaming jurisdictions converges on one non-negotiable principle. Under the UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), Regulation 39(1) states that a relevant person may rely on a third party to apply any of the customer due diligence measures required by Regulation 28, but that “notwithstanding the relevant person’s reliance on the third party, the relevant person remains liable for any failure to apply such measures.” The Curaçao CGA AML/CFT Policy section III.9 uses almost identical language: “the ultimate responsibilities for CDD measures remain with the casino relying on the third party.” The Gibraltar Gambling Commissioner’s AML Code of Practice for Remote Gambling (2026 update), section 6.13, takes the same position, adding that a licence holder “cannot ‘rely’ on third parties to have concluded CDD on their behalf” unless a specific statutory condition is met.
“Where such reliance is permitted, the ultimate responsibilities for CDD measures remain with the casino relying on the third party.”, Curaçao CGA AML/CFT Policy, section III.9
This is not a technicality. It is the operative limit of any cross-border KYC passporting model. Compliance teams that build group-sharing frameworks on the assumption that a verified check in jurisdiction A transfers responsibility away from the entity in jurisdiction B have misread every source instrument.
Can KYC from One Jurisdiction Satisfy Another Jurisdiction’s Requirements?
Conditionally, yes, but only where three cumulative conditions are met: the third party that originally conducted the CDD must itself be subject to AML/CFT obligations and supervision, the relying entity must be able to obtain all identification and verification data immediately on request, and the relying entity must retain full responsibility for ongoing monitoring, PEP screening, and risk reassessment. These conditions recur, in substantively identical form, across MLR 2017 Regulation 39, the AMLD IV/V framework transposed across EU member states, the Curaçao CGA AML/CFT Policy, and Gibraltar’s 2026 AML Code. The cross-border question thus becomes an equivalence question: is the entity that originally performed the CDD subject to a supervisory regime at least equivalent to FATF standards?
Within a corporate group, the most defensible model is one where the entity that first verified the customer holds a licence in an FATF-member jurisdiction with gambling-sector AML supervision, and the intragroup data-sharing agreement is documented with tested access protocols. The MGA/FIAU’s 2016 consultation on the transposition of Directive (EU) 2015/849 into Maltese law established the framework under which MGA licensees apply the equivalence test, and the FIAU’s implementing procedures for the remote gaming sector set the CDD threshold for MGA licensees at €150 per the relevant section of those implementing procedures. An MGA licensee relying on CDD conducted by a UKGC licensee in the same group will generally satisfy the equivalence test, provided the agreement structure meets the Regulation 39 conditions replicated in Maltese law.
The Mechanics of MLR 2017 Regulation 39
MLR 2017 Regulation 39 is the operative UK instrument. It permits a relevant person, including a remote gambling licensee subject to the Proceeds of Crime Act 2002 and the Gambling Commission’s LCCP, to rely on a qualifying third party to apply CDD measures under Regulation 28(2) to (6) and (10). The conditions are precise.
Under Regulation 39(2)(a), when reliance is exercised, the relevant person must immediately obtain from the third party all information needed to satisfy the Regulation 28 CDD requirements. Under Regulation 39(2)(b)(i), the arrangement must enable the relevant person to obtain from the third party, immediately on request, copies of any identification and verification data and other relevant documentation. Under Regulation 39(2)(b)(ii), the third party must retain copies of that data for a period of at least five years.
Regulation 39(3) specifies who qualifies as a third party for these purposes: credit institutions and financial institutions regulated under the Financial Services and Markets Act 2000, and, critically for cross-border iGaming group structures, persons established in an EEA state or in a country outside the EEA that imposes requirements equivalent to those of the fourth Money Laundering Directive (Directive 2015/849/EU), provided they are supervised for compliance with those requirements. This equivalence test is what gates intragroup reliance when the originating entity holds a non-UK licence.
Key requirement (UK): MLR 2017 Regulation 39(2) requires the relying entity to obtain all CDD data immediately, not on notice, not within a reasonable period. Any intragroup data-sharing agreement that provides for 48-hour or business-day access windows does not satisfy this condition.
The UKGC’s LCCP Condition 17.1.1 imposes a parallel and non-derogable obligation: licensees must obtain and verify information to establish a customer’s identity, at minimum name, address, and date of birth, before that customer is permitted to gamble. The condition does not exclude reliance on a third party, but it does require that the verification have actually occurred before access to gambling is granted. LCCP Condition 12.1.1 further requires licensees to have documented AML policies and procedures that address the money laundering and terrorist financing risks specific to their business, which must cover the adequacy of any third-party reliance arrangements.
The Gibraltar Model: Third-Party Reliance Under the POCA Framework
Gibraltar’s Gambling Commissioner takes a notably cautious position in the 2026 AML Code of Practice for Remote Gambling. Section 6.13 distinguishes between two categories of third-party engagement. The first, using third-party databases, information services, or making inferences from deposit method, does not constitute regulated reliance, and the licence holder remains fully responsible. The second, constituting true reliance, requires that the third party undertake under section 25(6) of Gibraltar’s Proceeds of Crime Act 2002 (POCA) to make available immediately to the licence holder copies of the relevant information used to establish CDD.
Section 6.14 of the Code states the Gibraltar Gambling Commissioner’s view that “the restrictions around this provision make third party reliance viable only if the third party is both regulated for AML purposes and has an existing relationship with the customer independent of the relationship being formed with the relying institution.” This is a meaningful practical constraint for cross-border group structures, because an intragroup sister entity does not typically have an independent pre-existing relationship with the customer. The customer’s relationship with the group as a whole may precede both regulated accounts.
Compliance officers building group-sharing frameworks for Gibraltar-licensed entities should note section 6.16 of the Code: payment methods that do not use identity verification or due diligence procedures, including e-money vouchers and certain virtual currencies, cannot form the basis of any positive identity inference, regardless of what another group entity may have concluded about those payment instruments.
The Curaçao Framework: Strict Conditions and Tested Agreements
Under the Curaçao CGA AML/CFT Policy, section III.9 sets out three cumulative conditions for intragroup or third-party CDD reliance. The casino must obtain the information concerning elements (a) through (c) of the CDD measures, covering identification of the player, verification of identity, and identification of beneficial ownership, immediately from the third party. The casino must have a tested written agreement with the third party requiring that copies of identification data and relevant CDD documentation be made available on request. The third party must itself be subject to CDD and record-keeping requirements.
The word “tested” carries operational significance here. The CGA AML/CFT Policy explicitly requires that the arrangement be tested from time to time to ensure it functions as agreed. A dormant intragroup data-sharing agreement that has never been exercised against a live customer file does not satisfy the Curaçao standard. Compliance audits in Curaçao-licensed group entities should include periodic testing of the data-retrieval mechanism, with documented results.
Separate from reliance on a third party, the Curaçao CGA policy draws a sharp line on what cannot be delegated. The casino must retain the customer-based risk assessment, determination of whether the customer is a politically exposed person, and conduct of ongoing monitoring. These obligations are non-transferable under section III.9 regardless of the group structure or the quality of the originating entity’s CDD.
Source: Curaçao CGA, AML/CFT Policy for Licensed Operators, section III.9, Reliance on Third Parties, Gibraltar Gambling Commissioner, AML Code of Practice for Remote Gambling (2026 update), sections 6.13, 6.16, MLR 2017, SI 2017/692, Regulation 39.
What Cannot Be Passported: Ongoing Monitoring and PEP Screening
No jurisdiction surveyed permits the ongoing monitoring obligation to be outsourced to or assumed by a group entity that holds a licence in a different jurisdiction. This is the sharpest practical limit on cross-border KYC reliance models. Under MLR 2017 Regulation 39, the third-party reliance mechanism applies to the initial CDD measures under Regulation 28, covering identification, verification, and understanding the purpose and intended nature of the business relationship. The ongoing monitoring obligation under Regulation 28, which requires scrutinising transactions throughout the course of the relationship and keeping documents, data, and information up to date, falls outside the scope of what may be delegated to a third party under the reliance provisions.
The MGA Compliance Audit Manual reinforces this at sections 6.17.1 through 6.17.6. Auditors are directed to obtain and verify that the licensee holds its own KYC procedures document, can display the identity verification status of each player in its back-office system, and maintains a secure list of all registered players and documents obtained during verification. These obligations attach to the MGA licensee directly and cannot be satisfied by pointing to documentation held by a group entity elsewhere.
PEP screening presents an additional structural problem for pure reliance models. A player who was not a PEP at the time the originating entity completed its CDD may have acquired PEP status by the time the player registers with a second group entity. The relying entity cannot assume that the originating entity’s PEP determination remains current. Every group-sharing framework must include a mechanism for the receiving entity to conduct its own PEP check against current sanctions and PEP lists at the point of onboarding, even where it relies on the originating entity’s identification and verification data.
The MGA and FIAU: Equivalence in a Dual-Regulator Environment
Malta presents a structurally distinct environment because AML/CFT supervision of MGA licensees is shared between the MGA and the Financial Intelligence Analysis Unit (FIAU). MGA licensees are subject to the FIAU’s Implementing Procedures for the Remote Gaming Sector, which implement the EU Anti-Money Laundering Directives as transposed into Maltese law. The CDD threshold for MGA licensees under the FIAU implementing procedures is €150. An MGA licensee relying on CDD conducted by a UKGC-licensed group entity must ensure that the originating entity’s procedures met or exceeded the FIAU’s standard at the time the CDD was conducted, and that the FIAU’s €150 threshold and the originating entity’s threshold are aligned or that enhanced checks fill any gap.
The equivalence question becomes more complex when the originating entity holds a licence outside the EU and outside the UK post-Brexit. A group entity holding a Curaçao licence under the post-LOK regime will generally satisfy the equivalence test for the CGA’s own purposes, given that Curaçao is a member of the Caribbean Financial Action Task Force (CFATF). However, an MGA-licensed entity relying on CDD conducted by that same Curaçao-licensed sister entity must assess whether Curaçao’s supervisory framework is treated as equivalent under Maltese law’s transposition of AMLD V. Compliance officers should not assume equivalence, it requires documented analysis and legal opinion for each specific reliance arrangement.
eIDAS 2.0 and the European Digital Identity Wallet
The revised eIDAS framework, adopted by the EU in 2024, requires member states to issue European Digital Identity (EUDI) wallets and provides a structural basis for cross-border identity attestation within the EU. Under eIDAS 2.0, a person’s identity can be verified using a wallet-based credential issued by a member state’s authorised identity provider, and that credential carries legal recognition across all member states for purposes requiring identity verification.
For MGA-licensed and other EU-jurisdiction gambling operators, the EUDI wallet creates a new onboarding pathway. A player who has verified their identity via a EUDI wallet-issued credential presents an identity attestation that meets the verification standard in every member state simultaneously. The practical consequence is that an MGA licensee onboarding a player who presents a valid EUDI wallet credential may be able to satisfy the identification and verification elements of CDD without requiring additional document submission, subject to the FIAU confirming that EUDI wallet attestations satisfy their implementing procedures standard.
Two important limits apply. eIDAS 2.0 addresses identity verification, not the full suite of AML/CFT CDD obligations. Source-of-funds assessment, PEP screening, transaction monitoring, and ongoing due diligence are not covered by any digital identity framework. Additionally, eIDAS 2.0 has no direct application in the UK following Brexit. UKGC-licensed entities must assess eIDAS-issued credentials against their own LCCP obligations and MLR 2017 requirements independently, and current UKGC guidance does not specifically address the evidential weight of EUDI wallet credentials. Operators should obtain legal advice on how EUDI-based verification evidence is treated under the UK regulatory framework before relying on it to satisfy LCCP Condition 17.1.1.
How Multi-Jurisdiction Groups Structure Shared CDD in Practice
The practical model adopted by most multi-jurisdiction group operators divides KYC obligations into an originating layer and a receiving layer. The originating layer, typically the entity in the jurisdiction with the most comprehensive onboarding standards and often the UKGC-licensed entity, conducts the full initial CDD suite: identity verification against name, address, and date of birth per LCCP Condition 17.1.1, electronic verification against credit reference and document databases, source-of-funds assessment at the relevant trigger threshold, and PEP and sanctions screening.
The receiving layer, the entity in the second jurisdiction where the same player seeks to register, conducts a set of non-delegable checks specific to that jurisdiction’s obligations: its own PEP and sanctions screening against current lists, verification that the customer does not appear on that jurisdiction’s self-exclusion registers (Spelpaus in Sweden, RGIAJ in Spain, GAMSTOP in the UK, the BetGuard system in Ontario under the AGCO Registrar’s Standards for Internet Gaming); and an assessment of whether any enhanced due diligence triggers arise from the customer’s risk profile in the context of that specific jurisdiction.
The data-sharing agreement between the originating and receiving entities must satisfy all of the conditions in MLR 2017 Regulation 39(2), or the applicable local equivalent, simultaneously. A single group-level data-sharing policy covering all entities is operationally efficient, but each entity’s compliance team must document, separately, how that policy satisfies its own jurisdiction’s reliance conditions. The AGCO Registrar’s Standards for Internet Gaming, section 1.19, independently requires that Ontario-registered operators hold third parties to the same compliance standards as if those parties were bound by Ontario regulations, which means that any intragroup data-sharing arrangement must be assessed against AGCO standards from the Ontario entity’s perspective, not merely from the perspective of the originating jurisdiction.
“Operators must require the third party to conduct themselves in so far as they carry out activities on behalf of the operator as if they were bound by the same laws, regulations, and standards.”, AGCO Registrar’s Standards for Internet Gaming, section 1.19
Jurisdiction Comparison: Third-Party CDD Reliance Rules
| Jurisdiction | Instrument | Reliance Permitted | Immediate Data Access Required | Ongoing Monitoring Delegable | Equivalence Test |
|---|---|---|---|---|---|
| UK (UKGC) | MLR 2017, Reg. 39 | Yes | Yes, immediately on request | No | EEA or equivalent third country with FATF-standard supervision |
| Malta (MGA/FIAU) | AMLD IV/V transposed, FIAU Implementing Procedures | Yes | Yes | No | EU equivalence list, FATF members |
| Gibraltar (GRA) | AML Code of Practice 2026, s.6.13, 6.14 | Conditionally, requires POCA s.25(6) undertaking | Yes, immediately | No | Regulated for AML, pre-existing independent customer relationship required |
| Curaçao (CGA) | CGA AML/CFT Policy, s.III.9 | Yes, with tested written agreement | Yes | No, PEP and risk assessment retained by casino | Third party subject to CDD and record-keeping obligations |
| Ontario (AGCO) | Registrar’s Standards, s.1.19 | Yes, third party held to Ontario standards | Yes | No | Third party must meet AGCO-equivalent obligations |
| Netherlands (KSA) | WWFT (AML Act); KSA Gaming System Assessment Scheme v2.1 | Subject to WWFT equivalence rules | Yes | No | EU/FATF equivalence required |
What Compliance Teams Must Document Before Relying on Cross-Border KYC
Before any group entity activates a cross-border reliance arrangement, four documentary elements must be in place. The data-sharing agreement must specify that the receiving entity can access all identification and verification data immediately on request, that the originating entity will retain that data for the minimum statutory period applicable in the receiving jurisdiction (five years under MLR 2017, five years under Curaçao CGA rules), and that the arrangement will be tested at defined intervals. The equivalence assessment must document the supervisory regime applicable to the originating entity and confirm that it satisfies the receiving jurisdiction’s equivalence threshold, with legal sign-off where non-obvious. The receiving entity’s own compliance procedures must separately document which elements of CDD it is relying on the originating entity to have performed, and which elements it is performing independently: PEP screening, sanctions screening, and self-exclusion register checks are always in the latter category. The reliance arrangement must be included in the receiving entity’s AML risk assessment and reviewed annually, or whenever the originating entity’s regulatory status changes.
The UK Gambling Commission’s June 2026 warning on AML standards noted poor oversight by Personal Management Licence holders and inadequate risk assessments, including inadequate due diligence on third-party relationships. Intragroup reliance arrangements are not exempt from this scrutiny. According to iGamingBusiness, June 2026, the Commission specifically criticised operators who treated delegated relationships as substitutes for genuine risk assessment rather than as supplements to it.
Compliance officers at multi-licence groups should consult qualified legal counsel for a jurisdiction-by-jurisdiction assessment of whether their current intragroup data-sharing agreements satisfy each receiving entity’s local law conditions, particularly where group structures span EU-licensed, UK-licensed, and offshore-licensed entities simultaneously. For a practical compliance audit framework specific to your group structure, review the AML & Financial Compliance hub and the UKGC vs MGA in 2026: Which Licence Actually Costs More to Maintain to understand how your existing arrangements align with current regulatory expectations.
Key Resources
Primary sources for this article:
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Regulation 39: legislation.gov.uk
UKGC Licence Conditions and Codes of Practice, Condition 17.1.1, Customer Identity Verification: gamblingcommission.gov.uk
Gibraltar AML Code of Practice for Remote Gambling (2026 update), sections 6.13, 6.16, Third-Party Reliance.
Curaçao CGA AML/CFT Policy for Licensed Operators, section III.9, Reliance on Third Parties to Perform Customer Due Diligence.
MGA Compliance Audit Manual, sections 6.17.1, 6.17.6, KYC Procedures.
AGCO Registrar’s Standards for Internet Gaming, section 1.19, Third-Party Management.
For broader context on the AML compliance obligations that frame these reliance rules, see the AML & Financial Compliance hub. For the full UKGC LCCP rulebook in searchable format, see the LCCP explorer. For a side-by-side look at how the UKGC and MGA licence structures compare across all major compliance dimensions, see UKGC vs MGA in 2026: Which Licence Actually Costs More to Maintain.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.