EDD Triggers in iGaming: Building a Risk Matrix Regulators Actually Accept
Compliance officers building EDD frameworks face scrutiny from UKGC, MGA, and Gibraltar on the same core question: is your risk matrix documented, calibrated, and auditable? Here's how to build one that holds.
A risk matrix that cannot articulate why it assigned a particular customer a high score is not a compliance control. It is a spreadsheet. According to industry sources and regulatory guidance, overreliance on automated systems and the absence of genuine documented risk assessments has become a systemic failure across the sector. The Gibraltar Gambling Commissioner’s AML Code of Practice and the Curaçao CGA’s AML/CFT Policy frame the obligation from their own legislative bases: the risk assessment must be documented, its methodology must be defensible, and the EDD measures taken must be proportionate to the specific risk identified. What regulators are looking for when they open the compliance file is a matrix they can interrogate, not one they must take on faith. Compliance officers building these frameworks face scrutiny from the UKGC, MGA, Gibraltar, Curaçao, and other European-facing regulators on the same core question: is the risk matrix documented, calibrated, and auditable?
What Regulators Mean by “Risk-Based”
Every major regulator, the UKGC, MGA, Gibraltar’s Gambling Commissioner, the Curaçao Gaming Control Board, and Denmark’s Spillemyndigheden, requires licensees to take a risk-based approach to AML/CFT. The phrase is not aspirational. It carries specific structural obligations that enforcement teams test against documented evidence.
Under UKGC Licence Conditions and Codes of Practice (LCCP) Condition 12.1.1, licensees must conduct a risk assessment of their business being used for money laundering or terrorist financing. That assessment must be appropriate, reviewed at least annually, and revised whenever material circumstances change, including the introduction of new products, new payment methods, changes in customer demographics, or any other material development. Following the assessment, the licensee must implement policies, procedures, and controls that are proportionate to the risk identified, and must keep those controls under review.
The Curaçao CGA AML/CFT Policy structures this obligation in two layers. The Business Risk Assessment (BRA) identifies ML/TF risks at the entity level, covering the methodology used, the reasons for assigning low, medium, or high risk ratings to each factor, the outcome of the assessment, and the information sources relied on. The Customer Risk Assessment (CRA) then operates at the individual player level, carried out before an occasional transaction or before establishing a business relationship, and revised if circumstances change during the relationship. The CRA output determines what level of Customer Due Diligence applies, standard, simplified, or enhanced.
“By adopting a Risk-based Approach, it is possible for casinos to ensure that measures to prevent or mitigate money laundering, financing of terrorism and proliferation of weapons are commensurate with the risks identified. The risk assessment considers all relevant risk factors, including the player, countries or geographic areas, products and services that the casino offers and delivery channels, before determining what the level of overall risk is.”
Source: Curaçao CGA, AML/CFT Policy: Anti-Money Laundering and Counter-Financing of Terrorism, Section II.2.1, Business Risk Assessment.
The Four Risk Domains Every Matrix Must Cover
Across the major licensing frameworks, four risk domains consistently form the structural basis of any compliant risk matrix. The Curaçao CGA AML/CFT Policy names them explicitly as the four areas that both the Business Risk Assessment and the Customer Risk Assessment must address. Gibraltar’s AML Code of Practice and the UKGC’s AML guidance address the same domains, though with jurisdiction-specific weighting obligations.
Customer risk concerns the probability of ML/TF arising from the relationship with a specific player. The Curaçao CGA lists the following categories as presenting higher-than-average risk: customers with multiple or irregular income streams, politically exposed persons (PEPs); high spenders where the source of income cannot be established, casual customers whose spending pattern changes unexpectedly, customers using third parties to place bets or redeem chips, customers maintaining multiple player accounts to fragment monitoring, and unknown customers redeeming large chip amounts. A customer with a single verifiable source of regular income presents materially lower risk than a customer whose income pattern is inconsistent with their stated profile.
Geographic risk is governed in part by reference to external lists. Gibraltar’s AML Code of Practice requires licensees to apply enhanced due diligence and counter-measures in respect of countries on the FATF “black list”, jurisdictions with significant strategic deficiencies in AML/CFT controls. The Spillemyndigheden in Denmark similarly directs online gambling operators to incorporate the national and supranational risk assessment when evaluating game-specific and jurisdictional risk, and explicitly references FATF typology reports as reference material. A matrix that does not map customer residency against current FATF and EU high-risk country lists, updated following each FATF plenary, will fail geographic risk coverage.
Product and service risk accounts for the inherent ML/TF vulnerability of each game type and payment mechanism. Online casino products with high transaction velocity and rapid cycling between wager and withdrawal present higher inherent risk than lower-frequency sports betting. Cryptocurrency as a payment channel elevates customer risk in the Curaçao framework, the CGA AML/CFT Policy lists “new tech users (Crypto)” explicitly as an EDD category. The Netherlands’ KSA has taken the stronger position of prohibiting virtual currencies in regulated gambling entirely under the Wet ter voorkoming van witwassen en financieren van terrorisme (WWFT).
Delivery channel risk addresses how the business relationship is established and conducted. For remote gambling, account-based relationships present a different risk profile than anonymous or walk-in models. Where a licensee uses physical establishments or third-party points of presence to extend customer reach, a scenario addressed directly by the Curaçao CGA policy, the casino must ensure those physical operators apply the same AML/CFT policies, and must verify that the physical establishment operator is of good standing.
Threshold Architecture: What Triggers CDD and What Triggers EDD
Regulators set monetary thresholds for standard CDD, but EDD is not simply a higher monetary threshold, it is a qualitatively different level of scrutiny applied when risk factors are present, irrespective of transaction size.
The first table sets out the AML/CDD trigger basis across five major frameworks, alongside the EDD categories each mandates. A second table separates the adjacent safer-gambling signals that may feed the matrix but are not themselves AML triggers, which is where the UKGC financial vulnerability check belongs.
Table 1: AML/CDD and EDD triggers by jurisdiction
| Regulator / Framework | Standard CDD Trigger | Mandatory EDD Categories |
|---|---|---|
| UKGC (Great Britain) | Risk-based under LCCP 12.1.1: assess ML/TF risk, apply controls proportionate to that risk, and review at least annually or on material change | PEPs, high-risk jurisdiction customers, customers identified in the business risk assessment as high-risk |
| MGA / FIAU (Malta) | €150 per FIAU Implementing Procedures s.3.3.2, €2,000 cumulative deposit flag (daily or 180-day rolling) | PEPs, high-risk profile players, source of wealth requests for high-risk accounts |
| Gibraltar (GRA) | Risk-based under POCA, enhanced monitoring mandatory for all PEP accounts | PEPs (MLRO/senior manager approval required); FATF black-list jurisdiction customers, high-value accounts |
| Curaçao (CGA) | NAf 4,000 (~€1,926); or upon suspicion | PEPs, high-risk geographic area residents, cryptocurrency users, high spenders with unexplained income |
| Netherlands (KSA / WWFT) | On establishment of business relationship, on suspicion | PEPs, high-risk third-country customers, unusual transaction patterns |
Key obligation: Under Gibraltar’s Proceeds of Crime Act (POCA), section 20, all PEP accounts must be evaluated for specific approval to continue, with source of funds and source of wealth established and enhanced ongoing monitoring applied. Approval must be granted by a senior manager, the MLRO, or a designated representative, automated clearance of PEP status is not compliant with this requirement.
For Great Britain, the £150 net deposit figure should not be read as a CDD trigger. It is a financial vulnerability check under the UKGC’s safer gambling framework, sitting under Social Responsibility Code provision 3.4.4 rather than the AML regime. It remains relevant to matrix design because it creates a parallel risk signal that compliance teams may need to incorporate into broader customer monitoring. The AML trigger itself remains risk-based under LCCP 12.1.1: the operator must assess ML/TF risks, implement controls proportionate to those risks, and review the assessment at least annually or whenever material circumstances change, such as new products, technologies, payment methods, or customer-demographic shifts.
Table 2: Adjacent monitoring signals that may feed the risk matrix
| Signal | Regime | Threshold / definition | Relevance to the AML matrix |
|---|---|---|---|
| UKGC financial vulnerability check | Safer gambling (Social Responsibility Code 3.4.4) | Deposits minus withdrawals exceeding £150 in a rolling 30-day period (from 28 February 2025) | Not an AML/CDD trigger, but a parallel signal; a sustained vulnerability flag can corroborate affordability and source-of-funds concerns recorded in the AML customer risk assessment |
| Affordability / financial risk checks | Safer gambling | Operator-defined light-touch and enhanced tiers | Spend inconsistent with assessed affordability can reinforce a weighted velocity factor in the matrix |
| Responsible-gambling interaction markers | Safer gambling | Operator-defined behavioural triggers | Behavioural escalation may coincide with, but is governed separately from, AML escalation; the two committees may be combined or kept distinct |
Keeping these signals in a separate table preserves the distinction regulators expect: safer-gambling and AML obligations arise from different parts of the rulebook, are owned by different controls, and are evidenced separately, even where the same customer behaviour informs both.
How to Structure the Risk Matrix: Weighting, Scoring, and Combination Logic
A compliant risk matrix does more than list risk factors. It assigns weights, defines score ranges for each factor, applies a combination rule that produces an overall risk band, and documents the rationale for each calibration decision.
The weighting question is where most matrices fail regulatory review. Assigning equal weight to every factor, treating PEP status, geographic risk, and payment method as equivalent inputs, does not reflect the actual risk landscape. PEP status carries a mandatory EDD obligation under Gibraltar’s POCA and the MGA’s audit standards regardless of the customer’s transaction size. Geographic risk associated with FATF black-list jurisdictions requires EDD regardless of customer profile. These are non-discretionary triggers, and a matrix that treats them as merely contributing scores toward a threshold will be challenged.
In practice, compliance teams should structure the matrix in two tiers. The first tier contains automatic EDD triggers: PEP status, FATF black-list or grey-list residency, presence on a sanctions list, and any unresolved suspicion of ML/TF. When any of these factors is present, EDD applies regardless of the overall risk score, no weighting calculation can override a mandatory trigger. The second tier contains weighted risk factors that accumulate to produce a risk band. These include transaction velocity and size relative to stated income, payment channel (cryptocurrency, third-party wallets), account tenure and behavioural consistency, geographic residency against tiered country lists, and product type.
The combination rule must be documented. Whether the matrix uses additive scoring, multiplicative weighting, or a decision-tree structure, the methodology must be written into the AML policy and the rationale for each weight must be recorded. A senior compliance officer reviewing the matrix two years after it was built should be able to understand, from the documentation alone, why a particular weight was assigned to a particular factor and what evidence base supported that calibration decision.
A Sample Risk Matrix: Triggers, Weights, and Required Evidence
The structure above becomes concrete when it is expressed as a working table. The matrix below is illustrative rather than prescriptive, the specific weights and bands must be calibrated to each operator’s products, customer base, and licence portfolio, but it shows the shape a regulator expects: each factor classified as an automatic trigger or a weighted contributor, each mapped to a defined result, and each tied to the evidence the case file must hold.
| Risk factor | Trigger type | Score / weight | Result | Required evidence |
|---|---|---|---|---|
| PEP match | Automatic | N/A | EDD mandatory | Senior/MLRO approval to continue, source of funds, source of wealth, enhanced monitoring |
| Sanctions match | Automatic | N/A | Escalate, freeze, report | Screening record, MLRO decision, SAR/STR assessment |
| FATF black-list residency | Automatic | N/A | EDD plus counter-measures | Country-risk record, enhanced monitoring plan |
| FATF grey-list residency | Weighted or automatic, per policy | High | EDD likely | Country-risk rationale, documented policy basis |
| Cryptocurrency funding | Weighted, jurisdiction-specific | Medium-high | EDD if combined with other factors | Wallet / payment review, source-of-funds evidence |
| Deposit velocity inconsistent with profile | Weighted | High | EDD if threshold exceeded | Bank statements, payslips, affordability and source-of-funds review |
| Multiple accounts / linked identities | Weighted or automatic | High | Escalate | Device, IP, and account-link analysis |
| Third-party payment method | Automatic or high weighted | High | EDD, reject withdrawal to a different account | Payment-ownership proof, same-account withdrawal record |
The distinction between trigger type and result is deliberate: an automatic trigger collapses straight to a mandatory outcome irrespective of score, while a weighted factor contributes to a band that the combination rule then converts into a result. The matrix that cannot show, factor by factor, which logic applied is the matrix most likely to be challenged.
A Worked Example: How the Matrix Behaves on a Real Customer
A matrix is only as good as its behaviour on a live file. Consider a representative scenario.
Scenario: A customer registers from a medium-risk country, deposits €2,300 across twelve days using two different payment methods, then requests a withdrawal to an account other than the one used to deposit.
Which factors triggered. Three fire. Residency in a medium-risk country contributes a weighted geographic score. Deposit velocity, €2,300 over twelve days across two payment methods, is assessed against the customer’s stated profile and contributes a high weighted score where it is inconsistent with declared income. The withdrawal to a different account engages the third-party / same-account payment control.
Automatic or weighted. None of the three is a standalone automatic trigger, there is no PEP, sanctions, or FATF black-list hit, so the geographic and velocity factors accumulate as weighted inputs. The same-account withdrawal control, however, operates as a hard control: the withdrawal to a different account is held pending proof of payment ownership regardless of the overall score.
Final risk rating. The combination of medium-risk geography and high velocity inconsistent with profile produces a high overall band under most additive or decision-tree rules. The customer is rated high risk and routed into the EDD workflow.
Required EDD actions. Request and assess source of funds (bank statements, payslips, or equivalent) for the €2,300; establish source of wealth if the overall profile remains unexplained; obtain proof of ownership of the destination account before releasing any withdrawal; and apply enhanced ongoing monitoring to the relationship.
What the case file must contain. The CRA output with the score and the factors that drove it; the source-of-funds and source-of-wealth evidence obtained, together with the caseworker’s assessment of it, not merely the documents collected; the payment-ownership evidence for the destination account; any decision to continue or restrict the account, with a dated rationale; the identity of the caseworker and the approving officer; and the next scheduled review date.
Who can approve continuation. A high-risk continuation decision must be made by an identifiable post holder, the MLRO, a senior manager, or the risk committee, depending on the operator’s referral criteria. Automated clearance is not sufficient once a mandatory or high-risk pathway has been engaged.
When the next review is scheduled. High-risk relationships warrant a defined enhanced-monitoring cadence; the file should carry an explicit next-review date rather than defaulting to the annual corporate cycle.
What Do Regulators Actually Audit? A Walkthrough of the MGA Compliance Audit Manual
The MGA Compliance Audit Manual (MGA/G/001) provides the most granular public articulation of what a regulator checks when auditing a licensee’s KYC and EDD programme. Auditors appointed by the MGA must confirm that the licensee’s back-office can display the identity verification status of each player, that a secure list of all registered players and supporting documents is maintained, and that KYC procedures are being observed in practice, not merely documented.
Specifically on enhanced due diligence, the manual requires auditors to confirm that enhanced due diligence is carried out on high-risk players and on PEPs, and that source of wealth and source of funds are being requested for high-risk profile players. The audit sample includes a check that the system flags deposits when the total accumulation reaches or exceeds €2,000, whether calculated on a daily basis from the establishment of the business relationship or on a rolling 180-day basis.
For withdrawal controls, the manual requires a sample of at least thirty player withdrawals, checking that funds are remitted to the same account from which they were deposited, a same-account withdrawal control that limits layering risk in the remote gaming environment.
The MGA does not specify precisely how a licensee must weight its risk matrix. What it specifies is the outcome: every high-risk player must have had genuine EDD conducted, every PEP must have been identified, and source of funds documentation must exist in the file. A licensee whose matrix generates correct high-risk designations but whose caseworkers then fail to execute the EDD steps will fail the audit on evidence grounds, not on methodology grounds.
What the MGA auditor will expect to see. The manual reduces to a short list of artefacts a licensee should be able to produce on request.
| Audit item | Evidence expected |
|---|---|
| Player risk rating | CRA output visible in the back office |
| PEP status | Screening result and EDD record |
| High-risk player | Source-of-funds / source-of-wealth request and the caseworker’s assessment |
| €2,000 accumulation flag | System flag or report (daily from establishment of the relationship, or rolling 180-day) |
| Withdrawals | Sample of at least thirty withdrawals showing same-account remittance |
| EDD execution | Case notes, documents, and the approval record |
Override Controls: The Audit Trail That Regulators Want to See
Automated risk scoring systems are now standard across licensed iGaming operations. Regulatory guidance indicates that AI tools used to analyse transaction data and generate Suspicious Activity Reports “often fail to meet compliance standards on their own,” and that Personal Management Licence holders are frequently not providing sufficient oversight of AML controls.
The Gibraltar AML Code of Practice addresses override governance at an institutional level, requiring that B2C operators maintain a risk management committee, or an equivalent function, with clear and accountable processes for reviewing customer accounts that raise AML concerns. The committee must be properly constituted, with minutes of meetings kept using formal reports and assessment tools for identified cases. The MLRO must be a member. Critically, the code specifies that the criteria for customer referral and processing must be transparent, including “which post holder has made critical decisions to continue operating an account or refer it to the committee.” Any individual who makes a decision to maintain or override a risk classification must be identifiable in the audit trail.
“The criteria for customer referral and processing must be transparent, including which post holder has made critical decisions to continue operating an account or refer it to the committee. Any such committee may be combined with, or separate from, any similar group established to examine customers raising responsible gambling concerns.”
Source: Gibraltar Gambling Commissioner, AML Code of Practice for Remote Gambling, Section 5.4, Risk Management Committee.
For every override, whether the system flags a customer as high-risk and a caseworker downgrades the designation, or a customer presents low automated scores but a caseworker escalates on qualitative grounds, the file must contain a dated written record of the decision, the rationale, and the identity of the approving officer. The Curaçao CGA AML/CFT Policy makes this obligation explicit in the context of account suspension: where a casino decides not to pursue a CDD process because it fears tipping off a customer, it must file a report to the FIU, and the reasoning for that operational decision must be documented in internal procedures.
Common Regulator Objections, and How the Matrix Answers Them
Most enforcement findings against risk matrices fall into a small set of recurring objections. Each has a structural fix the matrix and its governance can build in before an inspector raises it.
| Regulator objection | Why it fails | Fix |
|---|---|---|
| “The matrix says high risk, but no EDD was performed.” | Policy not applied in practice | Link the risk score to a mandatory case workflow that cannot be closed without the EDD steps |
| “The customer was downgraded without rationale.” | Override not auditable | Require a dated approval, a reason code, and an identified approver for every override |
| “The matrix has not changed in two years.” | Annual review not substantive | Keep a version history with documented review evidence and a rationale for each change |
| “PEPs are treated as weighted factors only.” | Mandatory EDD trigger diluted | Make PEP status an automatic EDD trigger, not a contributor to a score |
| “Source of funds was requested but not assessed.” | Document collection confused with due diligence | Require a caseworker conclusion and approval, not merely uploaded documents |
Triggered EDD: What the Measures Must Actually Comprise
Triggering EDD is not sufficient. The measures applied must be proportionate to the specific risk identified and must increase the degree and nature of monitoring. The Curaçao CGA AML/CFT Policy states this directly: “The Enhanced Due Diligence measures should be consistent with the risks identified. In particular, a casino should increase the degree and nature of monitoring of the business relationship, in order to determine whether transactions or activities appear unusual.”
Source of funds documentation is the most common EDD measure, and the one most frequently cited in enforcement findings. For remote gambling, acceptable source of funds evidence includes payslips, bank statements demonstrating regular salary credits, tax returns for self-employed customers, documentation of asset sales, or company accounts for business owners. The level of evidence must match the risk level: a customer flagged as high-risk due to PEP status and high transaction velocity requires more than a self-declaration.
Source of wealth is a distinct concept from source of funds. Source of funds concerns the origin of the specific funds deposited. Source of wealth concerns the totality of assets and the origin of those assets. For PEPs in particular, Gibraltar’s POCA section 20 requires both to be established. The distinction matters in casework: a customer can demonstrate a legitimate source of funds for a specific deposit while their overall wealth profile remains unexplained. Both questions must be asked and both answers must be documented.
For customers in FATF black-list jurisdictions, the risk-based approach requires counter-measures beyond standard EDD. Gibraltar’s AML Code references this obligation explicitly, citing the FATF black list of jurisdictions subject to a call for action. Spillemyndigheden similarly directs Danish online gambling operators to incorporate FATF lists into their risk assessments and to consult FATF typology reports. Compliance officers should build FATF list updates, published following each plenary, typically three times per year, into their matrix review calendar.
Board-Level Accountability and Annual Reporting
The governance structure around the risk matrix is itself a compliance obligation. Under Gibraltar’s AML Code of Practice, section 5.1, licensees must clearly identify a board member with strategic responsibility for AML/CFT issues, and POCA section 9B requires the appointment of a director or senior manager to ensure compliance with Part II of POCA, covering CDD, EDD, PEPs, and record keeping. This post holder’s ability to discharge AML/CFT obligations must not be compromised by commercial responsibilities or conflicts of interest.
The board must receive at least an annual report from the MLRO on AML/CFT activities and issues, including an annual refresh of the corporate risk assessment. This requirement creates a governance checkpoint at which the risk matrix must be reviewed and updated, not merely confirmed as unchanged. If new products have been introduced, new payment channels added, or the customer demographic has shifted materially, the board-level report must reflect how the matrix has been updated to address those changes.
UKGC LCCP Condition 12.1.1 imposes the equivalent obligation: the risk assessment must be reviewed as necessary in light of any changes of circumstances, and in any event at least annually. Licensees whose risk assessment documents bear the same version date across multiple annual reviews without any substantive update will face challenge on whether a genuine review occurred.
Documentation Standards for Audit Readiness
Across every jurisdiction examined, the documentation standard is consistent: the methodology must be described, the risk ratings must be justified by reference to specific factors and evidence, and the outcome of each assessment must be recorded in a retrievable form. The Curaçao CGA AML/CFT Policy states that the BRA documentation must cover the methodology adopted, the reasons for considering a risk factor as presenting low, medium, or high risk, the outcome of the assessment, and the information sources used.
For customer-level files, the minimum documentation set for a high-risk or EDD customer should include the CRA output with the score and the factors that drove it, the EDD measures applied, the source of funds and source of wealth evidence obtained and assessed, any override decisions with dated rationale, the caseworker and approving officer identified, and the next scheduled review date. Records must be retained for at least five years under the Curaçao framework, and equivalent retention periods apply under the MGA’s regulatory obligations and Gibraltar’s POCA.
According to iGamingBusiness, the UKGC fined the Unibet bingo brand £10 million in October 2025 for “serious” AML failures, and Videoslots received a £650,000 penalty in November 2025 for AML and safer gambling shortcomings. Neither fine arose from a theoretical gap in written policy. They arose from demonstrated failures in how policies were applied to real customers in real time. The documentation gap, the absence of evidence that EDD was conducted, not the absence of a policy requiring it, is where regulatory findings are made.
Audit preparation checklist: Before a regulatory review, compliance teams should confirm that every high-risk or EDD customer file contains a dated CRA, the specific risk factors triggering EDD, documentary evidence of source of funds and source of wealth, any override decisions with identified approving officers, and a scheduled next-review date. Files missing any of these elements represent audit exposure regardless of the quality of the matrix that generated the trigger.
Matrix Governance, Ownership, and Version Control
Annual board reporting and a named AML director establish accountability at the top, but a matrix an auditor can interrogate also needs an operating model: defined owners, defined review cadences, and a documented change history. The controls below turn the matrix from a static document into a governed system.
| Control | Owner | Frequency |
|---|---|---|
| Risk-factor review | MLRO / Head of Compliance | Quarterly |
| FATF list update | AML analyst / Compliance operations | After each FATF plenary |
| Threshold calibration | MLRO and data team | Quarterly, or after a typology change |
| Override review | Risk committee | Monthly |
| Board AML report | MLRO | At least annually |
| Model / system testing | Compliance assurance / internal audit | Semi-annually |
A regulator rarely stops at “what is your matrix?” The harder question is “why did you weight it that way?”, and answering it requires version control. Every iteration of the matrix should carry a version number, an approval date, and a named owner, and should record the regulatory sources reviewed, the enforcement actions considered, the typology updates taken into account, the changes from the prior version, the rationale for each score or weight change, the outcome of any testing performed, and the board or MLRO approval that signed it off. A matrix with that lineage can demonstrate not only what it does but why, which is the difference between a control a regulator accepts and a spreadsheet a regulator challenges.
Cross-Jurisdictional Operations: Managing Multiple Matrix Standards
Operators licensed across multiple jurisdictions, a common profile for operators holding both a UKGC licence and an MGA licence, or a Gibraltar licence alongside Curaçao authorisation, face the challenge of maintaining matrices that satisfy each regulator’s specific requirements while operating a coherent compliance programme. The Gibraltar AML Code addresses this directly: cross-jurisdictional business must ensure that Gibraltar standards are adhered to as a minimum, and must be mindful of the AML requirements of jurisdictions in which customers are based.
In practice, this means the risk matrix must be calibrated to the highest applicable standard for each risk factor across the operator’s licence portfolio. If the UKGC mandates a safer-gambling financial vulnerability check at £150 net deposits in a rolling 30-day period while the MGA flags AML accumulation at €2,000, the operator serving customers in both jurisdictions cannot collapse these into a single threshold set at the higher level and claim compliance with both: the obligations arise from different regimes, apply to different customer populations, and must be evidenced separately. The matrix must apply each regulator’s threshold to customers within that regulator’s jurisdiction, and the architecture of the system must be able to demonstrate that differentiation to any inspector examining the records.
For a deeper look at how the UKGC and MGA differ on structural compliance obligations, including their respective approaches to AML supervision architecture, see our analysis of UKGC vs MGA licence costs and operational requirements in 2026. Operators considering the AML hub and FIU relationships across jurisdictions will also find the AML and Financial Compliance hub a useful reference for FATF, FINTRAC, FIAU, and FinCEN frameworks.
Key Resources
UKGC LCCP Condition 12.1.1, Anti-money laundering: prevention of money laundering and terrorist financing. Available at gamblingcommission.gov.uk.
UKGC Guidance, The Prevention of Money Laundering and Combating the Financing of Terrorism, Fifth Edition, Revision 5, updated 22 October 2025. Available at gamblingcommission.gov.uk/guidance.
Gibraltar AML Code of Practice for Remote Gambling. Issued by the Gibraltar Gambling Commissioner pursuant to section 6(6)(f) of the Gambling Act 2005.
Curaçao CGA AML/CFT Policy: Anti-Money Laundering and Counter-Financing of Terrorism. Issued by the Curaçao Gaming Control Board. Available at curacaogamingcontrol.com.
MGA Compliance Audit Manual, MGA/G/001, Version 1, August 2018. Available at mga.org.mt.
Spillemyndigheden, Anti-money laundering guidance for Danish online gambling licensees. Vejledning om forebyggende foranstaltninger mod hvidvask, Version 1.2. Available at spillemyndigheden.dk.
This article presents regulatory frameworks and compliance guidance for informational purposes. Operators should obtain qualified legal counsel before implementing AML/KYC programmes in any specific jurisdiction, as the application of these requirements depends on individual business models, product verticals, customer demographics, and the specific terms of each licence. For further guidance on building a compliant risk matrix from first principles, review our detailed framework on AML risk matrix design and implementation.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.