Online gambling has seen exponential growth over the past two years. According to a recent study from the University of Bristol, regular gamblers were six times more likely to opt for online gambling than before the pandemic, and research suggests this market will continue to grow by more than 11% year over year.
While this is good news for online casinos and gambling apps, the growth comes with a downside: more players mean more chances for potential misuse, either as cyberattackers look to compromise customer accounts and access their winnings or criminals leverage online gambling as a front for money laundering.
Know your customer (KYC) and anti-money laundering (AML) aren’t just regulatory obligations that online casinos are required to implement — they can also safeguard online casinos against account takeover attacks and money laundering efforts. Here’s a look at the growing risks for online gambling operations, the evolving regulatory landscape, and what companies can do to stay compliant.
Is the gambling industry required to comply with KYC and AML regulations?
In 1985, casinos were designated “financial institutions” under the Bank Secrecy Act (BSA), which in turn required them to file currency transaction reports (CTRs) for any transaction over $10,000 and comply with the same KYC and AML rules that apply to banks and other financial firms.
Online casinos fall under the same rules, although it’s worth noting that each state may take a different approach to online gambling. For example, New Jersey allows online casinos, online poker, and online sports betting, while Illinois only allows online sports betting. Meanwhile, Delaware permits casinos and poker but no sports betting.
These differing approaches may stem, in part, from the growing risk presented by online gambling. In fact, the FBI itself confirmed that online gambling was connected to an increased risk of both fraud and money laundering.
The growing online gambling market has only increased these risks, which, according to the Cybersecurity and Infrastructure Security Agency (CISA), include:
- Social engineering efforts that trick users into revealing financial or account information
- Attackers attempting to compromise online gambling sites by exploiting security vulnerabilities
- Attackers infecting personal or casino devices with malware, ransomware, or spyware
As a result, online gambling sites must take steps to both fully identify users as required by customer due diligence (CDD) rules and, in turn, prevent money launderers from using gambling applications as a way to conceal the source of their funding.
If online gambling sites and apps are found lacking in either their KYC or AML approach, federal agencies can take action by requesting immediate changes, applying monetary fines, or — if necessary — prohibiting the casino from operating online.
Current KYC/AML regulations for gambling — and where they’re headed
Under current regulations, online casinos are required to create programs that satisfy three of the four core requirements of the CDD rule for AML compliance:
- Identifying and verifying the identity of customers
- Understanding the nature and purpose of customer relationships to develop risk profiles
- Continuously monitoring to identify and report suspicious transactions
The fourth CDD rule requires covered financial institutions to “identify and verify the identity of the beneficial owners of companies opening accounts.” However, since online casinos serve individuals, not companies, they’re not obligated to meet this expectation.
Moving forward, it's expected that more states will legalize online gambling; Connecticut did so in 2021, while both New York and Kentucky introduced bills in 2022 that were not successful but may find more traction next year.
As a result, online gambling providers should take steps now to ensure their compliance operations are up to par — as additional states add their support for online gambling, regulatory expectations will only become more complicated. According to a list of best practices from the American Gaming Association (AMA), casinos should not only conduct regular, external audits of their overall compliance program but also ensure they conduct in-depth audits to pinpoint key issues when they discover potential weaknesses.
Six tips for staying compliant
While the KYC and AML landscape continues to evolve, six tips can help gambling organizations improve their compliance.
Screen for self-excluded customers
Some customers choose to place themselves on self-exclusion lists to address gambling addictions or other concerns. Screening for these individuals helps ensure they’re not allowed to re-access online casinos or gambling sites, in turn ensuring businesses don’t run afoul of regulations designed to limit addictive behavior.
Given the hesitancy of many states to legalize online gambling due to its potentially addictive effects, companies must ensure they take all precautions possible to confirm that users are who they say they are — and that they aren’t on self-exclusion lists.
Verify the source of funds (SoF)
Where are users’ funds coming from? Source of funds verification can help companies reduce the risk of “problem gambling” by comparing spending to reported income and cutting off users when they meet specific thresholds — and also help avoid potential issues with money obtained through the proceeds of crime.
For example, if funds originate in Myanmar, the Cayman Islands, or Mozambique — all in the top five of Basil’s 2021 AML Index — online casinos may be best served by terminating account access or conducting more in-depth checks to ensure the money hasn’t been illegally obtained.
Assess business-specific risks
While gambling companies face similar risks, they’re not identical. Depending on the nature of your players, games, and payouts, you may have higher or lower risks across different risk factors. As a result, it’s critical to assess risks on a case-by-case basis.
For example, if your company facilitates small-scale sports betting, your verification process may not need to be as in-depth as if you’re hosting a high-stakes online poker tournament. In the latter case, you may want to put in additional effort to verify the source of funds on top of verifying the user’s identity.
Support chief compliance officers
Chief compliance officers can help companies avoid compliance issues — if they’re given enough room to do their jobs properly. While designating a compliance officer is now required under KYC/AML regulations, there’s no obligation to ensure they’re properly equipped to get things done. In order to succeed, compliance offers need both operational tools and company support to ensure that best practices are followed.
Understand country-specific obligations
From the United States to the EU, Australia, and China, differing countries have region-specific regulations that gambling operations must follow. In Canada, for example, casinos must submit disbursement reports, large cash transaction reports, virtual currency transaction reports, and electronic funds transfer reports within 24 hours. Or consider the poker tournament mentioned above. In the United States, you need to verify that users are over 21. In places like Seoul, meanwhile, anyone 19 or older can participate.
Implement robust IDV processes
The more you know about who’s accessing your site and playing your games, the lower your risk. Automated and robust identity verification (IDV) processes can boost overall compliance, improve player confidence in the safety of your game, and streamline the process so customers aren’t stuck waiting hours or days for access.
Don’t roll the dice on KYC and AML
As online casinos are considered financial institutions, it’s not worth ignoring KYC and AML regulations. Instead, online casino and gambling application providers are best served by implementing KYC/AML frameworks that help them reliably identify users, confirm money sources, and support the work of chief compliance officers to reduce the risk of online gambling fraud.
Don’t gamble with your IDV. Bet on a sure thing with Persona.