Source of Funds Documentation: When to Ask and What to Accept Under UKGC and MGA Expectations
Compliance officers and AML teams at UKGC- and MGA-licensed operators need to understand trigger thresholds, defensible evidence standards, and record-keeping obligations for source of funds checks. This article maps the regulatory framework and recent enforcement learnings.
The Regulatory Foundation: Why Source of Funds Sits at the Centre of AML Compliance
Source of funds (SoF) verification is not a standalone compliance exercise. For licensees operating under the UK Gambling Commission and the Malta Gaming Authority, it is a core component of the risk-based approach mandated by each regulator’s AML framework. The obligation flows from national anti-money laundering legislation transposed from the EU’s Fourth and Fifth Anti-Money Laundering Directives, applied to gambling through sector-specific licence conditions and codes of practice.
Under the UKGC’s Licence Conditions and Codes of Practice, licensees must carry out customer due diligence proportionate to the risk the customer and their activity present. Source of funds checks are the mechanism by which licensees satisfy the enhanced due diligence requirement at the higher end of that risk spectrum. The LCCP does not prescribe a single universal monetary threshold; instead, it places the obligation on the licensee to set risk-based triggers in their own policies and to justify those triggers if challenged. In practice, operators should treat any threshold setting as a documented risk decision, not an administrative default.
MGA licensees operate under a parallel structure. The Prevention of Money Laundering and Funding of Terrorism Regulations require licensees to apply enhanced due diligence where higher risk is identified, and the MGA’s compliance audit function, as described in the MGA Compliance Audit Manual, evaluates whether licensees have embedded these obligations in their operational procedures.
Source: UKGC, Licence Conditions and Codes of Practice, Social Responsibility Code Provision 3.4 and Anti-Money Laundering Licence Conditions; MGA, Gaming Authorisations and Compliance Directive (Directive 3 of 2018, V2 October 2021).
Trigger Thresholds: Setting Defensible Parameters
The absence of a single mandated trigger figure is a deliberate regulatory choice, and it creates both flexibility and risk for licensees. The UKGC expects licensees to set thresholds that reflect their actual player base, the product risk profile, and the broader customer risk assessment. A threshold set arbitrarily, copied from a competitor, or unchanged since the last compliance review will not constitute a defensible risk-based approach.
Factors that inform threshold calibration include: cumulative deposit volumes over defined time periods, velocity of deposits or withdrawals, player tenure and historical behaviour patterns, payment method risk, geographic risk indicators, and any adverse media or PEP/sanctions matches identified during onboarding or periodic review. Licensees who can only point to a single monetary figure without contextual parameters around it should treat this as a gap in their AML programme.
The UKGC’s ongoing financial risk check pilot, which began in August 2024 at a net monthly deposit level of £500 and was adjusted downward to £150 in February 2025, operates through credit reference agency data rather than documentary requests to customers. This is relevant context for SoF threshold design because it signals the regulator’s expectation that initial risk stratification should use data enrichment before escalating to customer-facing document requests. The UKGC position, articulated by Executive Director Tim Miller at the Ethical Gambling Forum in April 2026, is that post-pilot guidance will specifically address the circumstances in which document requests are appropriate.
Tim Miller, UKGC Executive Director, stated in April 2026: “The checks we have been piloting will not even attempt to make an assessment of what each customer can afford to gamble,” and separately indicated the Commission would work toward guidance that prevents operators from requesting bank statements or similar documents after a risk check on the basis that such requests have no “legitimate regulatory purpose.” (According to iGamingBusiness.com, 29 April 2026.)
Compliance officers should note the distinction Miller draws: the financial risk assessment pilot, currently using credit reference data, is not the same instrument as a source of funds check triggered by AML risk. However, the directional signal from the regulator is clear: document requests should be proportionate and purpose-specific. A blanket policy of requesting bank statements from any player crossing a deposit threshold, without a corresponding risk-based rationale, is increasingly difficult to defend.
Acceptable Evidence: A Tiered Approach
Regulatory guidance across UKGC and MGA frameworks does not exhaustively enumerate every acceptable document type, which means licensees must operate a structured internal hierarchy of evidence that is both risk-calibrated and audit-ready. In practice, the industry consensus is to apply a tiered evidence model moving from passive data through to formal documentation.
At the first tier, licensees should exhaust open-source verification before making any customer-facing request. This includes: credit reference agency data indicating employment status, income proxies, or financial distress indicators; electoral roll and Companies House checks for business owners; adverse media screening; and transaction pattern analysis from the licensee’s own data. Many enforcement cases have highlighted licensees who moved to document requests prematurely, creating friction without the supporting risk logic that would justify it.
At the second tier, where passive data is inconclusive or indicates elevated risk, licensees may request self-certification of income source. This is a lower-friction initial step: asking a customer to confirm, for example, that their deposits derive from employment income, investments, or a specific windfall. The self-certification alone does not complete the SoF check but it informs the next decision point.
At the third tier, documentary evidence becomes appropriate. Acceptable document types commonly referenced by UKGC guidance and MGA compliance assessments include payslips covering a period sufficient to evidence the deposit volumes in question, bank statements showing salary credits or investment proceeds, employer confirmation letters on headed paper, pension statements, evidence of property sale proceeds, or inheritance documentation such as grant of probate. For self-employed customers or company directors, recent tax assessments or accountant letters are commonly accepted.
The key evaluative question for any document submitted is whether it is sufficiently specific, recent, and verifiable to support the conclusion that the funds in question were legitimately sourced. A single payslip that accounts for a fraction of the cumulative deposits over the review period does not close the SoF obligation. Licensees must assess whether the evidence presented covers the quantum of funds being reviewed, not merely whether it confirms that the customer has some form of income.
Digital and Third-Party Evidence
Open banking data, where the customer consents to sharing transaction history directly from their bank, is increasingly used in practice as a source of funds verification tool. It provides a cleaner audit trail than a PDF bank statement and reduces the risk of document manipulation. Neither the UKGC LCCP nor the MGA’s Directive 3 of 2018 explicitly mandates or prohibits this method, which means it sits within the licensee’s discretion to adopt as part of their risk-based approach, provided the privacy and data protection requirements under the UK GDPR and EU GDPR respectively are met.
Licensees using third-party data enrichment services or open banking integrations should ensure their AML policy documentation describes how these tools are used, what data is retained, and how the output feeds into the SoF decision. An AML file that shows a third-party API call with a binary pass/fail result, without any explanation of the underlying methodology, may not satisfy an MGA compliance audit or a UKGC casework review.
Practical requirement: For any SoF check resolved through third-party data rather than customer-supplied documents, the licensee’s records must capture: the data source used, the date of the query, the output received, and the reviewer’s documented decision logic. A file note stating only “passed third-party check” is insufficient for regulatory defence.
Record-Keeping: What a Defensible File Looks Like
Record-keeping is where SoF compliance most frequently breaks down in enforcement contexts. The UKGC’s enforcement decisions consistently identify two failure modes: either no SoF check was conducted despite clear risk indicators, or a check was conducted but the file cannot demonstrate the decision-making process, the evidence reviewed, or the outcome.
A defensible SoF file should contain, at minimum: the trigger event or combination of factors that initiated the check, the date the check was initiated and the date it was completed or escalated, the evidence requested and the date of the request, the evidence received and its content, a reviewer’s documented assessment of whether the evidence was sufficient to account for the deposits under review, the outcome decision (approved, escalated, account restricted, or SAR submitted), and any monitoring parameters applied as a result.
The MGA Compliance Audit Manual confirms that MGA compliance auditors will test whether licensees’ AML procedures are embedded in practice, not just documented in policy. Auditors take samples of customer files to verify that the documented procedures were actually followed. A gap between the written AML policy and the operational evidence in customer files is treated as a material compliance failure. Licensees should conduct periodic internal audits that replicate this sampling methodology before an external compliance audit occurs.
Under MGA Directive 3 of 2018, licensees must maintain effective systems and procedures to meet their AML/CFT obligations as required by the applicable national legislation. The MGA Compliance Audit Manual tests this through direct inspection of customer file samples, assessing whether policies are operationally embedded rather than merely declared.
When to Restrict, Suspend, or Exit a Customer
The SoF process must have a defined outcome pathway. If a customer cannot or will not provide evidence sufficient to satisfy the check within a reasonable timeframe, the licensee’s policy must specify what happens next. Regulatory expectations are that: continued unrestricted play during an unresolved SoF check is not acceptable, particularly where deposits continue to accrue; account restriction or suspension of withdrawals is a proportionate interim measure; and failure to complete the check within the policy timeframe should trigger escalation to the MLRO and a consideration of whether a Suspicious Activity Report is required.
The UKGC LCCP makes clear through the relevant anti-money laundering licence conditions that licensees must not permit transactions to proceed where enhanced due diligence has not been completed and the risk profile demands it. Gibraltar’s Gambling Act 2005 contains parallel obligations, requiring licence holders to maintain effective internal controls and procedures to detect money laundering, and imposing a 24-hour notification window to the Gambling Commissioner once suspicion arises, with onward notification to the Gibraltar Financial Intelligence Unit.
Licensees should be cautious about exiting a customer purely on SoF grounds without first ensuring that any SAR obligations have been considered. Tipping off rules under the Proceeds of Crime Act 2002 (UK) and equivalent legislation apply. Operators should consult qualified legal counsel before communicating the reason for account closure in circumstances where a SAR has been or may be filed.
MGA-Specific Considerations
MGA-licensed operators face the additional complexity of operating under both the MGA’s regulatory framework and the Prevention of Money Laundering and Funding of Terrorism Regulations administered by the Financial Intelligence Analysis Unit (FIAU). The FIAU publishes sector-specific guidance for remote gaming that supplements the MGA’s own requirements and should be read alongside Directive 3 of 2018.
The MGA Compliance Audit Manual confirms that compliance auditors assess the quality and consistency of AML customer due diligence procedures, including whether enhanced due diligence is triggered appropriately and completed to an adequate standard. A recurring finding in MGA enforcement activity has been licensees whose risk assessments nominally exist but whose implementation in practice is inconsistent, particularly for long-standing customers whose risk profile has changed since initial onboarding.
MGA licensees should also note that source of funds obligations do not operate in isolation from the broader player funds protection regime. The requirement to accurately account for player funds, as reflected in the MGA Compliance Audit Manual’s provisions on Monthly Player Funds reporting, creates a data environment in which anomalies between declared income and deposit levels are visible to auditors. Licensees who maintain rigorous player funds reporting but have weak SoF procedures will present an inconsistent picture to any compliance examination.
Interaction with the UKGC Financial Risk Check Pilot
The UKGC’s financial risk check initiative, currently in pilot phase and subject to board approval before any full rollout, is operationally distinct from source of funds checks but creates important policy context. Pilot data reported in April 2026 indicated that fewer than 3% of active customers would trigger intervention steps under the current methodology, and approximately 0.1% could not complete the assessment without additional support. The checked cohort showed customers two to five times more likely than the average population to have defaulted on debt or entered a debt management plan. (According to iGamingBusiness.com, 29 April 2026, reporting Tim Miller’s remarks at the Ethical Gambling Forum.)
Critically, the Commission’s stated direction is that financial risk assessments, which use credit reference data, should not result in document requests to customers. This draws a regulatory line that compliance teams need to internalise: credit risk flagging is not the same as AML risk, and the response mechanisms are different. A customer flagged through the financial risk check pathway may need responsible gambling intervention rather than an SoF document request. Conflating the two creates both regulatory risk and potential harm to customers.
In practice, operators should review their internal escalation workflows to ensure that AML-triggered SoF requests and responsible gambling financial vulnerability interventions are routed through separate procedures, with distinct evidential standards and outcome pathways. Until full UKGC guidance on the financial risk framework is published, operators should consult qualified legal counsel on how to align their AML and responsible gambling policies to reflect the regulator’s stated direction.
Key distinction: A credit-reference-based financial risk flag does not automatically create an AML obligation to request source of funds documentation. The two processes serve different regulatory purposes and must be operationally separated in policy, procedure, and customer-facing communications.
Key Resources
UKGC Licence Conditions and Codes of Practice, available at gamblingcommission.gov.uk. The relevant anti-money laundering licence conditions and social responsibility code provisions govern the risk-based approach to customer due diligence including source of funds.
MGA Gaming Authorisations and Compliance Directive (Directive 3 of 2018, V2 October 2021), available at mga.org.mt. Sets out AML/CFT compliance obligations for MGA licensees, including enhanced due diligence and the obligation to embed procedures operationally.
MGA Compliance Audit Manual (v1, August 2018, MGA/G/001), available at mga.org.mt. Describes the audit methodology applied to MGA licensees, including sampling of AML customer files and assessment of whether declared procedures are operationally implemented.
FIAU Implementing Procedures Part II: Remote Gaming, available at fiau-malta.org. The FIAU’s sector-specific guidance for remote gaming operators licensed in Malta, supplementing the Prevention of Money Laundering and Funding of Terrorism Regulations.
Gibraltar Gambling Act 2005 (consolidated), available at gibraltarlaws.gov.gi. Section 36 imposes the obligation on all licence holders to maintain effective internal controls to detect money laundering, with notification requirements under section 33 when suspicion arises.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.