Skip to content
2,151 standards indexed across 19 jurisdictions View the Atlas
3 hubs live · 3 more in the pipeline See all compliance topics
Daily news + multi-week series Browse all insights
3 tools live · 4 interactive tools in development Roadmap
UKGC · AML & KYC 14 min read Jul 10, 2026

UKGC Anti-Money Laundering: What UK Licensed Operators Must Have in Place

UKGC licensees face AML obligations across three simultaneous legal layers. Master LCCP 12.1.1, MLR 2017, POCA 2002, and the MLRO framework before your next compliance review.

Matt Denney

By

Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published Jul 10, 2026 14 min read Filed AML & KYC

Every operating licensee regulated by the UK Gambling Commission carries AML obligations that sit across three legal layers simultaneously: LCCP licence conditions, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLR 2017), and the Proceeds of Crime Act 2002 (POCA). Failure in any one of these layers has generated some of the largest financial penalties the Commission has imposed, including the £19.2 million settlement with William Hill in 2023 and the £17 million settlement with Entain in 2022. This article sets out the specific obligations at each layer and the operational infrastructure the Commission expects to see in place.

The Legislative Foundation: POCA 2002 and the MLR 2017

The Proceeds of Crime Act 2002 creates the primary criminal offences that every licensee must avoid. The core offences under Part 7 of POCA are concealing, disguising, converting, transferring or removing criminal property (section 327), entering into or becoming concerned in an arrangement that facilitates the acquisition, retention, use or control of criminal property (section 328), and acquiring, using or possessing criminal property (section 329). A licensee that continues accepting funds from a customer after developing knowledge or suspicion that those funds are criminal property risks committing a section 328 arrangement offence.

POCA also provides the legal mechanism for the consent defence. Where a licensee has actual knowledge or suspicion of money laundering, submitting an authorised disclosure to the National Crime Agency (NCA) and receiving consent before proceeding gives the licensee a statutory defence. The nominated officer function exists precisely to manage this process. Proceeding with a transaction before consent is obtained, or without having made the required disclosure, removes that defence entirely.

The MLR 2017 impose a separate regulatory compliance regime on top of the POCA offences. Gambling operators are listed as “relevant persons” under the MLR 2017, which means casino operators are subject to the full customer due diligence (CDD), enhanced due diligence (EDD), record-keeping and risk assessment obligations under those Regulations. The MLR 2017 require licensees to conduct a written risk assessment of the risks of money laundering and terrorist financing to which the business is subject, to maintain appropriate policies, procedures and controls, and to monitor and update those controls on an ongoing basis. The Gambling Commission acts as the supervisory authority for the gambling sector under the MLR 2017, meaning Commission inspectors have direct supervisory powers over a licensee’s MLR compliance alongside their LCCP enforcement functions.

Source: Proceeds of Crime Act 2002, Part 7, Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692); UK Gambling Commission, Licence Conditions and Codes of Practice (version effective 6 April 2026), Condition 12.1.1.

LCCP Condition 12.1.1: The Licensee’s Core AML Obligation

LCCP Condition 12.1.1 applies to all operating licences except gaming machine technical licences and gambling software licences. The condition imposes three distinct duties that must each be satisfied independently.

Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing. That risk assessment must be appropriate to the business, must be reviewed in light of any change in circumstances, including the introduction of new products or technology, new payment methods, changes to the customer demographic or any other material change, and must in any event be reviewed at least annually. The annual review is a minimum, not a ceiling. A licensee that launches a new cryptocurrency deposit method or enters a new customer segment must update its risk assessment at that point, not at the next scheduled annual cycle.

Following the risk assessment, licensees must ensure they have appropriate policies, procedures and controls in place to prevent money laundering and terrorist financing. Those policies, procedures and controls must be implemented effectively, kept under review, and revised as appropriate to ensure they remain effective. Licensees must also take into account any applicable learning or guidelines published by the Commission from time to time. The current reference document is the Commission’s Prevention of Money Laundering and Combating the Financing of Terrorism guidance, Fifth Edition (Revision 5), updated 22 October 2025. Compliance officers must treat that document as a live obligation, not a historical reference.

“Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances… and in any event reviewed at least annually.”, UKGC LCCP, Condition 12.1.1

For a full searchable view of LCCP obligations across all licence types, the UKGC LCCP explorer maps every condition against the applicable licence categories.

What Does the Commission’s AML Guidance Require in Practice?

The Fifth Edition guidance is addressed specifically to remote and non-remote casino operators, though the Commission’s published AML guidance and casework expectations apply across the wider licensee base. The guidance is structured across eight parts covering the risk-based approach, customer relationships, senior management responsibility, the nominated officer function, customer due diligence, record keeping, and suspicious activity reporting.

The risk-based approach requires licensees to direct resources proportionately to the actual risk profile of their business, their customers, their products and their distribution channels. Higher risk warrants more intensive controls, lower risk may warrant lighter-touch procedures. The Commission is explicit that a risk-based approach is not a rationale for doing less. It is a framework for doing the right amount in the right places.

On customer due diligence, the guidance distinguishes between standard CDD, simplified CDD for lower-risk situations, and enhanced due diligence where higher-risk factors are present. EDD is mandatory for politically exposed persons (PEPs), customers from high-risk third countries identified by the FATF, customers with unexplained wealth relative to their apparent profile, and any situation where the licensee identifies a higher risk of money laundering or terrorist financing. EDD requires the licensee to obtain approval from senior management before establishing or continuing a business relationship, to take reasonable measures to establish the source of wealth and source of funds, and to conduct enhanced ongoing monitoring of the relationship.

Source of Funds Verification: Risk-Based, Not Threshold-Based

A recurring misconception in compliance practice is that source of funds verification is a threshold exercise, triggered automatically at a fixed deposit or loss amount. The Commission’s position is that source of funds checks are required whenever the licensee’s risk assessment indicates they are appropriate, which depends on the customer’s risk profile, the pattern and volume of their transactions, and the presence of any indicators of concern.

The Commission expects licensees to develop internal triggers calibrated to their specific business model and customer base. A high-value casino customer depositing large sums without a clear wealth profile will attract EDD well before the licensee has accumulated extensive transaction history. A lower-volume customer whose deposits suddenly spike, or whose source of funds appears inconsistent with their known occupation, equally requires intervention regardless of absolute amounts.

The Commission’s casework has consistently flagged licensees that treat source of funds verification as a compliance checkbox rather than a genuine risk control. The failure mode identified most frequently is licensees accepting self-certified income declarations without taking reasonable steps to verify them through independent or corroborating sources. The Fifth Edition guidance is clear that verification must be meaningful and proportionate to the risk identified.

The Nominated Officer: MLRO Requirements and SAR Obligations

Casino licensees and most betting licensees must designate a nominated officer, commonly referred to as the Money Laundering Reporting Officer (MLRO). The MLRO role is a statutory function under POCA and the MLR 2017, not a compliance best practice. The nominated officer must receive internal disclosures from members of staff who know or suspect money laundering, must consider whether to make an authorised disclosure to the NCA, and must file a Suspicious Activity Report (SAR) with the NCA’s Financial Intelligence Unit where the knowledge or suspicion threshold is met.

The MLRO must have sufficient seniority, authority and access to information to carry out the role effectively. The Commission’s Fifth Edition guidance is explicit that the nominated officer must be able to access customer records, transaction data and account histories without needing to seek approval from operational or commercial management. An MLRO whose SAR decisions are subject to commercial override is not performing the function the statute requires.

The tipping-off prohibition under POCA applies across the entire licensee’s organisation. Once a SAR has been filed, no director, officer, employee or agent may disclose to the subject of the report, or to any person who might relay that information to the subject, that a disclosure has been made. The tipping-off offence carries criminal sanctions. Operational staff must be trained to understand the prohibition and must know to refer any customer inquiry about account restrictions to the compliance function rather than offering any explanation.

MLRO Requirement: The nominated officer must be able to access all relevant customer data and file SARs with the NCA’s Financial Intelligence Unit without commercial or operational sign-off. Operational override of SAR decisions is a regulatory and criminal law failure point.

Casino-Specific Reporting: LCCP Condition 15.2.3

Remote and non-remote casino licensees carry an additional reporting obligation under LCCP Condition 15.2.3, which requires licensees to notify the Commission of certain money laundering and terrorist financing events. This casino-specific condition sits alongside, and is not a substitute for, the POCA and MLR 2017 obligations to report suspicions to the NCA via the SAR regime.

Betting licensees carry a parallel obligation under LCCP Condition 15.1.2 to report suspicion of offences, including money laundering offences, to the Commission. All licensees must use the Commission’s eServices portal for these notifications and must report as soon as reasonably practicable after the relevant event.

The Commission expects licensees to maintain clear internal procedures that distinguish between the SAR obligation to the NCA, which operates under the consent regime and the tipping-off prohibition, and the notification obligation to the Commission, which is a regulatory reporting obligation. Both must be met, and neither satisfies the other.

Enforcement Record: What AML Failures Have Cost Licensees

The Commission’s enforcement record on AML provides the clearest guide to what the regulator looks for in casework. The pattern across the major settlements is consistent: licensees that treated AML as a process rather than a risk control, that over-relied on unverified customer declarations, and that failed to escalate or act on internal flags have faced the largest penalties.

Licensee Settlement / Penalty Year Primary Failures Cited
William Hill £19.2 million 2023 AML and social responsibility failures across retail and online
Entain £17 million 2022 AML and social responsibility control failures
William Hill £6.2 million 2018 Systematic failures to prevent money laundering
Aspire Global £1.4 million 2025 AML and social responsibility compliance failures
ProgressPlay £1 million 2025 AML and social responsibility control gaps
Betfred £3.25 million 2023 Insufficient controls and poor record keeping in shops
Betfred £900,000 2026 Social responsibility monitoring failures, AML control deficiencies

According to iGamingBusiness, the Aspire Global settlement in March 2025 included findings related to AML failures. According to SBC News, Betfred’s June 2026 settlement of £900,000 addressed failures to implement sufficient monitoring processes, and the Commission signalled that its period of enforcement dormancy had ended.

The AI Warning: John Pierce at GAMLG, June 2026

At the Gambling Anti-Money Laundering Group Annual Conference on 10 June 2026, the Commission’s Director of Enforcement John Pierce issued a direct warning about the growing use of AI and algorithmic tools in AML compliance. His remarks define the Commission’s current inspection posture.

“We aren’t ideologically against the use of new technology in your processes. But you need to be sure they are doing what is required and the evidence we’ve seen so far is too often they simply aren’t delivering. So if your business is considering this type of approach, make sure it’s delivering compliance before you launch it.”, John Pierce, UKGC Director of Enforcement, GAMLG Annual Conference, 10 June 2026

Pierce also noted that, while the overall picture of compliance has improved since he joined the Commission in February 2024, AML failings continue to appear in the majority of enforcement notices the Commission publishes. The speech confirmed that the Commission is tracking the UK’s approach to its next FATF mutual evaluation and that AML standards across the licensed sector form part of that preparation.

For licensees deploying machine-learning or algorithmic tools for transaction monitoring, customer risk scoring or source of funds flagging, the Commission’s expectation is that those tools can be demonstrated to deliver the required compliance outcomes, with evidence. Deploying a tool and assuming it works is not sufficient. Licensees must be able to show, through audit trails and testing, that the algorithm is identifying the risk it is configured to identify.

The Single Customer View and Multi-Account Monitoring

A persistent source of AML failure in Commission casework is the inability of licensees to aggregate a customer’s activity across multiple accounts, brands or products within the same corporate group. The Commission expects licensees to maintain a single customer view: a consolidated picture of a customer’s deposits, withdrawals, wins, losses and AML risk flags across all touchpoints within the licensee’s business.

Licensees holding multiple brand licences or operating white-label arrangements must ensure that their AML risk assessment addresses the group-level customer exposure, not just the individual brand. A customer who is operating within apparently acceptable parameters on one brand but whose combined group-level activity would trigger EDD requirements is a risk that licensees must be able to identify and act on.

The Commission’s enforcement findings in several major cases have included failures to link accounts held by the same customer across different trading names within the same group, leading to AML controls being circumvented by account fragmentation. Compliance teams must treat the single customer view as a technical architecture requirement, not just a policy intention.

Record Keeping: The Five-Year Obligation

The MLR 2017 require licensees to retain CDD records and transaction records for five years from the end of the business relationship or the date of the occasional transaction. For ongoing customer relationships, the five-year clock runs from the end of the relationship, not from the date the individual record was created. Records relating to long-standing VIP customers may therefore need to be retained for considerably longer than five years from the date they were first opened.

Records must be kept in a form that is retrievable for supervisory inspection or law enforcement request within a reasonable timeframe. Licensees that maintain AML records across fragmented systems with no consolidated retrieval capability create compliance risk independently of the underlying quality of their AML controls.

Staff Training and Senior Management Responsibility

The MLR 2017 impose a training obligation on all relevant persons, requiring licensees to ensure that their employees are made aware of the law relating to money laundering and terrorist financing and that they are regularly given training in how to recognise and deal with transactions or activities that may be related to money laundering or terrorist financing. The Commission’s Fifth Edition guidance addresses senior management responsibility as a discrete compliance stream, not an adjunct to the MLRO function.

Senior management must approve the licensee’s AML risk assessment. They must be briefed on significant changes to the risk environment. They must receive regular reporting from the nominated officer on SAR volumes, internal disclosure patterns, and the effectiveness of controls. Where the MLRO identifies control gaps, senior management must be seen to have responded. The Commission has consistently found in enforcement casework that AML failures at the operational level are linked to senior management either not receiving the right information or not acting on it, and both scenarios carry regulatory liability.

FATF Preparedness: The UK is building toward its next FATF mutual evaluation. The Commission has confirmed that gambling sector AML compliance is part of that national preparation. Licensees should expect heightened supervisory scrutiny of AML frameworks in the period leading up to and following the evaluation.

Interaction Between AML and Financial Risk Assessments

Compliance teams managing the Commission’s financial risk assessment (FRA) framework, currently in staged rollout with the largest operators, should note the direct operational overlap with AML obligations. The Commission has confirmed that FRAs using credit reference data are designed to identify financial vulnerability for responsible gambling purposes and are distinct from source of funds verification for AML purposes. Where a licensee obtains documentary evidence in the course of an AML source of funds check, that evidence is available to the licensee and cannot be selectively disregarded for other compliance purposes.

According to SBC News in July 2026, industry figures noted that AML document requirements will continue even after FRAs are implemented, because the AML obligation to verify source of funds is a separate legal duty from the responsible gambling obligation to assess financial vulnerability. Licensees must maintain clear procedural separation between the two processes while ensuring that compliance evidence obtained under one framework is appropriately considered in the other.

For a detailed breakdown of how AML supervisory costs compare across the UKGC and MGA frameworks, including the financial and staffing overhead of maintaining compliant AML infrastructure, see the UKGC vs MGA 2026 cost comparison. For broader context on the UKGC licensing framework within which these AML obligations sit, the AML and Financial Compliance hub covers FATF standards, transaction monitoring, and source of funds frameworks across multiple regulated jurisdictions.

Key Resources

UKGC LCCP Condition 12.1.1, Anti-money laundering: Prevention of money laundering and terrorist financing. Available at gamblingcommission.gov.uk/licensees-and-businesses/lccp/condition/12-1-1-anti-money-laundering-prevention-of-money-laundering-and-terrorist

UKGC AML Guidance, Fifth Edition (Revision 5), Prevention of money laundering and combating the financing of terrorism for remote and non-remote casinos. Last updated 22 October 2025. Available at gamblingcommission.gov.uk/guidance/the-prevention-of-money-laundering-and-combating-the-financing-of-terrorism

GAMLG Annual Conference, John Pierce speech, Commission Director of Enforcement on AML casework trends and AI risks, 10 June 2026. Available at gamblingcommission.gov.uk/news/article/gamlg-annual-conference-john-pierre-speech

Proceeds of Crime Act 2002, Primary AML criminal offences framework. Available at legislation.gov.uk/ukpga/2002/29/contents

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, SI 2017/692. Available at legislation.gov.uk/uksi/2017/692/contents

Note: This article reflects the LCCP as in force from 6 April 2026 and the Commission’s AML guidance at Revision 5 (22 October 2025). Licensees should consult qualified legal counsel for advice on the application of these requirements to their specific business model and licence type.

Matt Denney

Matt Denney

Editorial · gamingcompliance.io

Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.

Related coverage · also tagged AML & KYC

Browse all →

AML & KYC

MGA AML Requirements: Malta’s Casino Due Diligence Framework Explained

Jul 3 · 16 min read

AML & KYC

New Jersey DGE AML Requirements: What Atlantic City and Online Casino Licensees Must Meet

Jun 27 · 16 min read

AML & KYC

FinCEN’s Casino Definition Under the BSA: What 31 U.S.C. § 5312 Actually Covers

Jun 25 · 15 min read

The Tuesday brief, every week.

One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.

Unsubscribe with one click. We'll never share your address.