Skip to content
2,151 standards indexed across 19 jurisdictions View the Atlas
3 hubs live · 3 more in the pipeline See all compliance topics
Daily news + multi-week series Browse all insights
3 tools live · 4 interactive tools in development Roadmap
UKGC · Responsible Gambling 15 min read Jul 13, 2026

UKGC Financial Vulnerability Checks and FRAs: Thresholds, Timelines, and CRM Trigger Points

The UKGC runs two parallel check regimes with different data sources and triggers. Get exact thresholds, age-based distinctions, and CRM workflow implications for your compliance team.

Matt Denney

By

Founder, gamingcompliance.io · 15 yrs in iGaming compliance

Published Jul 13, 2026 15 min read Filed Responsible Gambling Compliance

Remote operating licensees in Great Britain are now subject to two parallel regimes for checking financial vulnerability: the live financial vulnerability check requirement embedded in LCCP SR code 3.4.3, and a staged rollout of Financial Risk Assessments (FRAs) confirmed by the Gambling Commission on 7 July 2026. These are distinct obligations with different data sources, different trigger thresholds, and different enforcement postures. Treating them as interchangeable is a compliance error with real consequences.

Both regimes flow from the Gambling Act Review White Paper published in April 2023, which proposed a proportionate, frictionless system to identify remote gambling customers in financial distress without the friction of document requests. The Commission spent two years piloting, consulting, and refining before confirming the full architecture. That architecture is now settled, and licensees must build it into their CRM and customer monitoring workflows accordingly.

Scope: Both the financial vulnerability check and the FRA regime apply to remote operating licensees only. Non-remote licensees are not in scope. Operators holding multiple licence types must ensure their remote gambling operations are covered by dedicated policies and procedures separate from their non-remote compliance frameworks.

What Are the Two Regimes and Why Do They Differ?

The financial vulnerability check under LCCP SR code 3.4.3 uses publicly available data, principally bankruptcy and insolvency records, to screen high-spending customers at a relatively low deposit threshold. It has been a binding licence condition since 30 August 2024. The Financial Risk Assessment, by contrast, draws on credit reference agency data to identify customers in active financial distress, debt management plans, or default. FRAs are calibrated to a higher spend threshold and are being phased in through a staged implementation that began in July 2026.

The Commission has consistently emphasised that FRAs are not a continuation of the old “affordability checks” debate. Tim Miller, then Executive Director of Policy Research at the Gambling Commission, stated at the Ethical Gambling Forum in London that the assessments “will not even attempt to make an assessment of what each customer can afford to gamble.” The purpose is narrower: identifying customers already in financial difficulty, not setting a ceiling on what customers may spend. This distinction matters for how licensees frame their internal policies and how they describe the checks to customers.

Financial Vulnerability Checks: The Live Obligation Under LCCP SR Code 3.4.3

The financial vulnerability check requirement is operative now and applies to all remote operating licensees. Under LCCP SR code 3.4.3, a licensee must conduct a check using publicly available data when a customer’s deposits minus withdrawals exceeds the relevant threshold within a rolling 30-day period.

The threshold moved in two steps. From 30 August 2024 to 27 February 2025, the relevant threshold was £500 net deposits in a rolling 30-day period. From 28 February 2025 onwards, the threshold dropped to £150 net deposits in a rolling 30-day period. This lower figure is the current binding standard.

Source: UK Gambling Commission, Licence Conditions and Codes of Practice, SR code 3.4.3, paragraphs 6 and 7. The threshold structure is confirmed verbatim in the LCCP full text: “From 28 February 2025, the relevant threshold is where the customer’s deposits minus withdrawals exceeds £150 in a rolling 30-day period.”

LCCP SR code 3.4.3 does not require the check to be conducted at the exact moment the customer crosses the threshold. The licensee must use the information obtained in the check within its overall approach to identifying risk of harm and taking proportionate action. Where a financial vulnerability check or FRA has already been conducted within the previous 12 months, the licensee is not required to conduct a further check when the customer again reaches the threshold. This 12-month lookback exemption is explicit in the code provision and is operationally significant for high-volume operators managing large active account bases.

When a check is completed and returns indicators of financial vulnerability, the licensee must assess the risk identified, take proportionate action, and record the rationale for that decision. LCCP SR code 3.4.3 also requires licensees to maintain documented policies on whether proportionate action decisions are taken manually, in a fully automated manner with an option for manual review, or through a combination of both. Where significant risk is identified, the licensee must have procedures specifying when immediate action is necessary to limit harm.

What Does a Financial Vulnerability Check Actually Involve?

The check draws on publicly available data sources. The Commission’s consultation materials specifically cite bankruptcy and insolvency records as the primary data points in scope. Some larger operators already conducted such checks at registration for all customers before the LCCP requirement was introduced, for them, the operational change is principally the codification of the trigger and the documentation requirements.

For most licensees, the practical implementation involves integrating a data feed from a provider that aggregates public insolvency and bankruptcy records, building a CRM workflow that flags accounts when the rolling 30-day net deposit figure crosses £150, and routing flagged accounts to an automated or manual review process. The Commission’s guidance does not mandate a single approved data provider, but licensees must be able to demonstrate that the data source is capable of returning the relevant bankruptcy and insolvency indicators.

Licensees must not use the financial vulnerability check as a trigger for requesting bank statements or other financial documents from the customer. Tim Miller confirmed that document requests following a frictionless risk check have no “legitimate regulatory purpose.” Requesting documents in response to a frictionless-check trigger would represent a compliance failure, not a safe harbour.

Financial Risk Assessments: The Staged Implementation Confirmed July 2026

On 7 July 2026, the Gambling Commission confirmed it will introduce FRAs in a staged approach. The announcement followed a pilot that ran in two formal phases: a first phase commencing August 2024 at a £500 net monthly deposit threshold, and a second phase from February 2025 at a £150 net monthly deposit threshold, involving tier-one operators and credit reference agencies. Pilot data showed that 97 percent of customers spending above the threshold levels could be assessed frictionlessly, materially higher than the 80 percent projected in the 2023 White Paper.

“High-spending customers are between two and four times more likely to have a debt management plan and between two and five times more likely to have a default in the previous 12 months than consumers in the wider population. Without being identified, they may continue to receive marketing and promotional offers encouraging further gambling despite being financially vulnerable.”

The Commission’s July 2026 announcement stated that less than 3 percent of accounts would require an FRA, and less than 1 in 1,000 accounts would be unable to be assessed frictionlessly. For that residual population, the Commission indicated that licensees must verify identity properly and may assess financial risk through other means, which the Commission listed as open banking or document requests. This is the only context in which document requests carry any regulatory foundation under the new regime.

FRA Trigger Thresholds: Stage One and Fully Operational

The Commission has confirmed an age-stratified threshold structure for FRAs that differs significantly from the financial vulnerability check under LCCP SR code 3.4.3. Compliance teams must implement both sets of thresholds simultaneously in their monitoring architecture.

Check Type Age Group Stage One Trigger Fully Operational Trigger (24 hrs) Fully Operational Trigger (90 days)
Financial Vulnerability Check (LCCP SR 3.4.3) All ages £150 net / 30 days (live now) N/A N/A
Financial Risk Assessment 25 and over £5,000 net / 24 hrs £1,000 net £3,000 net
Financial Risk Assessment Under 25 £2,500 net / 24 hrs £750 net £2,000 net

Stage one applies to the largest operators only. The Commission defined “largest operators” by reference to customer volume and spend levels, and confirmed that the stage-one timetable will be finalised through implementation groups formed during the summer of 2026. Operators not yet in the stage-one cohort are not required to conduct FRAs until they receive Commission notification of their inclusion. LCCP SR code 3.4.3 financial vulnerability checks remain fully in force for all remote licensees regardless of their FRA stage.

The fully operational thresholds for customers aged 25 and over sit at £1,000 net deposits within any 24-hour rolling period, or £3,000 net deposits within any rolling 90-day period. For customers under 25, those thresholds fall to £750 in 24 hours and £2,000 over 90 days. The age-stratified design reflects the Commission’s assessment that younger customers face elevated financial vulnerability risk at lower spend levels. These are net deposit figures, meaning deposits minus withdrawals, consistent with the methodology applied to the financial vulnerability check under LCCP SR code 3.4.3.

What Triggers a Review: Mapping the CRM Decision Tree

Compliance teams building or updating their CRM monitoring workflows need to account for three distinct trigger points running in parallel. The financial vulnerability check under LCCP SR code 3.4.3 is already live and triggers at £150 net deposits over a rolling 30-day window for all remote accounts. The FRA stage-one trigger, applicable to the largest operator cohort from the timeline confirmed through summer 2026 implementation groups, sits at £5,000 net in 24 hours for customers aged 25 and over, or £2,500 for those under 25. The fully operational FRA thresholds will become binding once the Commission completes its staged rollout.

Beyond these quantitative triggers, LCCP SR code 3.4.1 on customer interaction remains independently operative. That provision requires licensees to identify customers who may be at risk of gambling harm using behavioural indicators, regardless of whether any spending threshold has been crossed. A customer who has not triggered either a financial vulnerability check or an FRA may still require intervention under SR code 3.4.1 based on markers of harm identified through play pattern monitoring. The Commission confirmed in the July 2026 announcement that “regardless of a customer’s spending level, the Commission expects operators to identify those who may be at risk of gambling harm and take proportionate action.”

The 12-month lookback exemption under LCCP SR code 3.4.3 intersects with the FRA regime in practice. Where an FRA has been conducted within the previous 12 months, that FRA satisfies the financial vulnerability check requirement for the same period. Once a customer enters the FRA population, licensees do not run duplicate checks under both provisions simultaneously, provided the FRA was conducted within the preceding 12 months.

Enforcement Posture and the Limits of Stage-One Immunity

The Commission made an explicit and, as it acknowledged, unusual commitment during the July 2026 announcement: no enforcement action will be taken on a failure to act following an FRA during the early stages of implementation. This grace period is specific to the FRA regime and is not a blanket exemption from compliance obligations.

All existing LCCP conditions remain fully enforceable throughout the staged FRA rollout. The financial vulnerability check obligation under LCCP SR code 3.4.3 has been fully enforceable since August 2024 and was never subject to a comparable grace period. The Commission’s enforcement record through 2025 and 2026 demonstrates continued willingness to impose substantial financial penalties for social responsibility failures. Petfre (Gibraltar) Limited was directed to pay £900,000 for regulatory failures, announced on 30 June 2026. Done Brothers (Cash Betting) Limited, trading as Betfred, was directed to pay £825,000 in December 2025 following identification of social responsibility and anti-money laundering failures that included inadequate customer spend assessment and inappropriately calibrated source-of-income inquiry thresholds.

The Betfred case is instructive for FRA programme design. The Commission found that Betfred’s thresholds for making source-of-income enquiries were “not appropriately risk based,” with enquiry thresholds set at £15,000 in losses and £125,000 in stakes over 365 days. The Commission’s language on threshold calibration directly anticipates the same analytical framework that will be applied to FRA implementation compliance. Licensees who configure FRA workflows at thresholds higher than the Commission’s confirmed figures, or who fail to document the basis for any deviation, face the same characterisation of non-compliance once the enforcement grace period ends.

What Proportionate Action Actually Means

Neither the financial vulnerability check nor the FRA requires a binary decision to stop serving the customer. The Commission’s July 2026 announcement was explicit: the programme “is not a ‘binary’ decision to stop serving customers, but rather a way to implement interventions like reduced marketing or deposit limits.” This matters operationally because it defines the range of responses a licensee must have available and documented.

LCCP SR code 3.4.3 requires licensees to take “proportionate action” following a check that returns vulnerability indicators, and requires licensees to document the rationale for whatever action is chosen. The Commission’s guidance on proportionate action under the customer interaction framework identifies a spectrum of interventions: reducing or removing marketing to the customer, prompting the customer to set or review deposit limits, initiating a customer interaction conversation, implementing a temporary account restriction, or suspending the account entirely in cases of significant identified risk.

The CRM workflow must not terminate at the check output. It must route the result into a documented decision log that records the indicator returned, the action taken, and the basis for that action. Where the decision is to take no action following a check that returns indicators of vulnerability, the rationale for that decision must also be recorded. A check without a documented outcome is a compliance exposure regardless of what the check returned.

Operational note: The Commission has confirmed that FRA outputs should not result in operators requesting bank statements or other financial documents as a standard next step. Where the credit reference agency assessment is frictionless and returns a result, the licensee’s next step is a proportionate intervention, not a document request. Document requests are reserved for the residual population of accounts where a CRA assessment cannot be completed, estimated at fewer than 1 in 1,000 accounts.

Interaction with GAMSTOP and the Wider Responsible Gambling Framework

The financial vulnerability check and FRA obligations sit within a broader responsible gambling architecture that remote licensees must maintain. GAMSTOP, the national online self-exclusion scheme operated under LCCP social responsibility code provisions, remains independently operative. Customers who have self-excluded via GAMSTOP must not receive marketing or be permitted to gamble, regardless of their financial vulnerability check status. The two systems operate in parallel and do not substitute for each other.

The deposit limit framework under RTS 12 also intersects with FRA outcomes. Where an FRA identifies financial vulnerability, and the proportionate action is to prompt the customer to set or review deposit limits, the RTS 12 mechanism must be capable of processing that prompt in a frictionless manner. The Commission’s October 2025 update on deposit limit rules confirmed implementation extensions were granted to give operators additional time, but that regime is now operative. Compliance teams must ensure that the deposit limit tooling is integrated with, not separate from, the FRA output workflow.

For a detailed view of the LCCP rulebook that underpins both regimes, the UKGC LCCP explorer on this site covers the full Licence Conditions and Codes of Practice, including the social responsibility code provisions governing customer interaction and financial vulnerability. The Responsible Gambling Compliance hub maps the full spectrum of player protection obligations across all 17 regulated jurisdictions covered on this site, including how UK thresholds compare to national self-exclusion models in Sweden, Denmark, Spain, and France.

Is the UKGC Requiring Operators to Stop Serving High-Spending Customers?

No. A financial vulnerability check or FRA that returns no indicators of financial difficulty requires no intervention beyond completing the check and logging the outcome. A check that returns indicators requires proportionate action, but the Commission has explicitly confirmed that proportionate action includes options such as reducing marketing intensity to the customer or prompting a deposit limit review, not only account restriction or closure. The framework is calibrated to identify customers in actual financial distress, not to impose a spend ceiling on the broader customer base.

Do FRAs Affect a Customer’s Credit Score?

No. The Commission confirmed in the July 2026 announcement that FRAs conducted through Credit Reference Agencies have no impact on the customer’s credit score. This is a soft search, not a hard inquiry. Licensees should reflect this in any customer-facing communications about the check process, and should not imply that a check constitutes a credit application or will be visible to lenders.

Timeline of Key Dates

Date Event Threshold / Action
April 2023 Gambling Act Review White Paper published Proposed financial vulnerability checks and FRAs
30 August 2024 LCCP SR code 3.4.3 comes into force (Phase 1) £500 net deposit / 30-day rolling window
August 2024 FRA pilot Phase 1 begins (largest operators) £500 net monthly deposit trigger, CRA data tested
28 February 2025 LCCP SR code 3.4.3 threshold lowered (Phase 2) £150 net deposit / 30-day rolling window (current binding level)
February 2025 FRA pilot Phase 2 begins £150 net monthly deposit, active accounts included
21 May 2025 Commission updates on FRA pilot progress 97% frictionless rate confirmed
7 July 2026 Commission confirms staged FRA rollout Stage one at £5,000 / £2,500 (age-stratified); full thresholds confirmed
Summer 2026 Implementation groups formed Stage-one timetable to be finalised with industry

Practical Implementation Checklist for Remote Licensees

Compliance teams should verify the following before the stage-one FRA rollout timetable is finalised. The financial vulnerability check requirements are already binding and should have been implemented since August 2024, if they have not, enforcement exposure is immediate.

The CRM system must calculate net deposits on a rolling 30-day basis and flag any account where the net figure crosses £150. The calculation must use deposits minus withdrawals, not gross deposits. Accounts that have had a financial vulnerability check or FRA within the previous 12 months are exempt from re-check at the threshold, but the system must be able to identify those accounts and confirm the date of the prior check.

The data integration for public insolvency and bankruptcy records must be live, not scheduled. Where a check is triggered, the data query must return a result that the system can log, and the outcome must be routed into a documented decision workflow. A null result from the data provider is not equivalent to a clean result, licensees must be able to distinguish between a check that returned no vulnerability indicators and a check that failed to return a result at all.

For the FRA regime, licensees in the largest-operator cohort must engage with the Commission’s summer 2026 implementation groups to confirm their inclusion date and stage-one threshold assignment. Age verification data must already be present at account level so that the age-stratified thresholds can be applied automatically once the trigger logic is active. Licensees should also review whether their current customer interaction policies under LCCP SR code 3.4.1 adequately address the scenario where an FRA returns indicators of financial difficulty, to ensure that the response options documented in those policies match the Commission’s confirmed intervention spectrum.

Qualified legal counsel should be consulted on jurisdiction-specific application, particularly for operators whose remote gambling operations serve customers in multiple territories where additional national requirements may apply alongside the UKGC framework.

Source: UK Gambling Commission, “Commission to introduce Financial Risk Assessments in staged approach,” 7 July 2026, gamblingcommission.gov.uk. UK Gambling Commission, Licence Conditions and Codes of Practice, SR code 3.4.3, current version. UK Gambling Commission, Gambling Act Review White Paper: High Stakes: Gambling Reform for the Digital Age, April 2023.

Key Resources

UK Gambling Commission, Licence Conditions and Codes of Practice (LCCP), SR code 3.4.3: gamblingcommission.gov.uk/licensees-and-businesses/lccp/online

UK Gambling Commission, “Commission to introduce Financial Risk Assessments in staged approach,” 7 July 2026: gamblingcommission.gov.uk/news/article/commission-to-introduce-financial-risk-assessments-in-staged-approach

UK Gambling Commission, Customer Interaction Guidance for Remote Gambling Licensees (formal guidance): gamblingcommission.gov.uk/guidance/customer-interaction-guidance-for-remote-gambling-licensees-formal-guidance

UK Government / DCMS, High Stakes: Gambling Reform for the Digital Age (White Paper), April 2023: gov.uk/government/publications/high-stakes-gambling-reform-for-the-digital-age

For guidance on how these requirements integrate with your existing compliance framework, and to discuss implementation strategy specific to your operator profile and customer base, consult the UKGC LCCP explorer or contact a qualified compliance specialist with expertise in UKGC social responsibility obligations.

Matt Denney

Matt Denney

Editorial · gamingcompliance.io

Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.

Related coverage · also tagged Responsible Gambling Compliance

Browse all →

Responsible Gambling Compliance

Single Customer View for RG: Where Cross-Brand Aggregation Is Compulsory in 2026

Jul 11 · 13 min read

Responsible Gambling Compliance

GamCare, BeGambleAware and ANJ Treatment Partners: Operator Integration Obligations in 2026

Jul 4 · 15 min read

Responsible Gambling Compliance

AGLC Player-Protection Controls: Deposit Limits, Loss Limits, and Reality Checks Under the SRIG

Jun 30 · 13 min read

The Tuesday brief, every week.

One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.

Unsubscribe with one click. We'll never share your address.