AML Screening and Regulations for iGaming: MGA, UKGC and Curaçao

AML regulations in iGaming are tightening across major licensing hubs such as Malta, the UK, and Curaçao, with operators expected to implement robust, risk-based compliance frameworks that integrate AML, sanctions, and PEP screening. As regulators like the MGA, UKGC, and Curaçao’s emerging LOK regime increase scrutiny, gambling businesses must move beyond basic checks and demonstrate effective customer due diligence, source-of-funds verification, transaction monitoring, and ongoing risk assessment. In a high-speed, cross-border industry, compliance is no longer a formality but a core operational requirement, with firms judged on their ability to identify high-risk players, manage complex payment flows, and maintain auditable, defensible controls.

Why AML matters so much in iGaming

Gambling businesses face a financial crime risk profile that is different from many other sectors. Customers can deposit and withdraw quickly, accounts can be opened remotely, and payment methods can be fragmented across cards, e-wallets, bank transfers, prepaid instruments, and, in some cases, crypto-related rails. This creates obvious opportunities for placement, layering, chip dumping, bonus abuse, mule account activity, and the recycling of criminal proceeds through apparently legitimate winnings.

That is why AML in gambling is not limited to suspicious activity reporting after the fact. Operators are expected to prevent misuse at the front end through customer due diligence and screening, and throughout the relationship through monitoring, escalation, and recordkeeping. PEP screening is especially important because politically exposed persons may present elevated bribery, corruption, or state capture risks even when they are not sanctioned. Sanctions screening matters because a gambling operator that allows a sanctioned person to transact may expose itself to serious regulatory and enforcement consequences, particularly where U.S., UK, or EU touchpoints exist.

In practical terms, AML and sanctions controls in iGaming usually need to answer four questions. Who is the customer? Who ultimately owns or controls the account or entity? Where is the money coming from? And is there any reason, whether sanctions-related, corruption-related, or criminal, that the operator should not do business with that person?

{{snippets-case}}

The current direction of travel in iGaming AML regulation

Across jurisdictions, the direction is broadly the same even where the legal architecture differs. Regulators are moving toward more explicit risk-based obligations, more documented governance, stronger beneficial ownership controls, more emphasis on ongoing monitoring rather than one-time onboarding, and more attention to high-risk customer segments such as VIPs, PEPs, crypto-linked users, and customers using unusual payment methods.

There is also a clear shift toward expecting operators to understand not just individual customers but the wider ecosystem around them. White-label structures, B2B relationships, payment processors, affiliates, and third-party due diligence providers are all increasingly within scope of supervisory attention. In other words, regulators no longer accept the idea that an operator can outsource risk simply because another service provider touched the customer first.

That broader trend is visible in all three jurisdictions discussed below, but each applies it differently.

MGA: Malta’s AML framework for remote gaming

Malta remains one of the most established licensing hubs for remote gaming, and its AML regime is relatively mature. The Malta Gaming Authority states that it acts as supervisory authority over land-based and remote gaming under the Prevention of Money Laundering and Funding of Terrorism Regulations, and as an agent of Malta’s Financial Intelligence Analysis Unit, the FIAU. The MGA also states that it is responsible for monitoring compliance of casino and gaming licensees with the PMLA, the PMLFTR, and any implementing procedures or guidance issued thereunder. It further notes that AML/CFT obligations apply, more specifically, to B2C licensees offering Type 1, 2 and 3 games, and that these licensees must apply a risk-based approach to AML/CFT controls.

That combination is important. Malta’s regime is not just principle-based; it is built around a layered structure of legislation, supervisory oversight, and binding implementing procedures. The FIAU’s Implementing Procedures are divided into Part I, which applies generally, and Part II, which applies at sector level. MGA’s AML page specifically points operators to those instruments and notes that they are legally binding.

For remote gaming operators, the sector-specific FIAU/MGA Implementing Procedures Part II remain a key reference point. The document makes clear that it applies to persons licensed under Maltese law to provide wagering services via electronic means of distance communication, and it includes dedicated sections on customer due diligence, politically exposed persons, reporting suspicious activity, and funding of terrorism.

What this means in practice is that MGA-licensed operators are expected to have a documented business risk assessment, customer risk assessment methodology, CDD procedures, PEP handling processes, suspicious transaction reporting processes, and governance arrangements such as MLRO and compliance functions. The risk-based approach is not optional language. The Malta remote gaming procedures explicitly state that the AML/CFT framework applicable to licensees adopts a risk-based approach and requires measures, policies, controls, and procedures that are commensurate to the ML/FT risks to which the operator is exposed.

For iGaming businesses, one of the most practical implications of the Maltese regime is that AML should not be treated as a generic corporate policy. It has to be tailored to the actual gaming model. Customer acquisition channels, product type, jurisdictional exposure, payment methods, high-value players, affiliates, outsourced due diligence, and unusual betting or withdrawal behavior all need to feed into risk scoring and control design.

There are also signs of continuing supervisory attention. MGA highlighted in 2024 that it and the FIAU had completed a thematic review of the remote gaming sector focused on operators’ knowledge of AML/CFT matters, and in 2025 it published additional supervisory engagement material for the remote gaming sector. That suggests Malta is not treating AML as static compliance documentation; it is actively testing how well operators understand and operationalize their obligations.

What AML and PEP screening mean in Malta-based iGaming operations

For MGA-regulated operators, AML screening should be understood as part of a full customer due diligence lifecycle. That includes screening at onboarding, refreshing checks during the relationship, enhanced due diligence where higher-risk indicators arise, and escalation where suspicion exists. PEP screening matters because Maltese AML rules are embedded in the wider EU-style AML framework, where politically exposed persons require enhanced scrutiny rather than automatic rejection. The issue is not that every PEP is prohibited; the issue is that their source of wealth, source of funds, and transaction patterns require closer review.

Sanctions screening is also highly relevant, even where the gambling-specific rulebook focuses more visibly on AML/CFT than sanctions as a standalone topic. Malta’s broader AML framework includes sanctions screening obligations in Part I of the FIAU Implementing Procedures, which contains a dedicated chapter on sanctions screening. For remote gaming operators, that means sanctions controls cannot sensibly be separated from AML onboarding and ongoing monitoring.

UKGC: a more differentiated system with casino-specific AML rules

The UK position is more nuanced and often misunderstood. The Gambling Commission makes clear that it has a duty to ensure adequate controls are in place to prevent gambling businesses being used for money laundering and terrorist financing, but the strict application of the Money Laundering Regulations is focused on the casino sector. The Commission states that the Regulations apply to non-remote and remote casinos licensed by the Commission and operating in the UK.

This distinction matters. In Great Britain, remote and non-remote casinos are in the regulated sector for AML purposes under the Money Laundering Regulations. Other gambling operators still have financial crime obligations, including under the Proceeds of Crime Act, Terrorism Act, LCCP requirements, and broader Gambling Commission expectations, but they do not all sit in the same regulatory position as casinos. The Commission’s page for “all other gambling businesses” says that it applies to the non-regulated sector and that it covers all gambling businesses except remote and non-remote casinos, which have specific requirements.

For casino operators, the UKGC framework is detailed and active. The Commission says operators must conduct their own money laundering and terrorist financing risk assessments, and that the relevant legal background includes the Proceeds of Crime Act 2002, the Terrorism Act 2000, and the Money Laundering Regulations 2017. It also makes clear that operators must comply with the Licence Conditions and Codes of Practice.

The UK framework is notable for how operational it has become. The Commission publishes an AML hub, a sector risk assessment, emerging risks bulletins, guidance updates, and notices on changes such as digital identity guidance, money service business activity, high-risk third countries, and PEP treatment. This creates an environment where operators are expected not only to have a policy but to keep it updated in light of supervisory publications.

Ongoing developments under UKGC supervision

One of the clearest recent developments is the Commission’s November 2025 casino guidance update. The Commission said the update reflected prior changes under the Money Laundering Regulations, Proceeds of Crime Act, and FCA guidance on politically exposed persons. It highlighted updated guidance on PEPs, changes to high-risk third countries, an increase in the threshold for submitting a defence against money laundering from £1,000 to £3,000 for the casino sector, and updated expectations that operators should give due consideration to money laundering risks posed by business-to-business relationships, including third parties and white-label partners.

That last point is especially important for iGaming. Many online gambling businesses rely on B2B integrations, white-label arrangements, payment partners, and third-party verification vendors. The UK regulator is effectively saying that AML responsibility does not stop at the direct customer relationship. Operators must understand the risks created by the commercial structures around the product.

The Commission’s April 2025 emerging risk bulletin also shows where supervisory attention is moving. It highlighted risks including payments received from PEPs or persons appearing on financial sanctions lists, customers buying in through multiple payment methods, reliance on third-party due diligence providers, funds transferred from unknown sources, and funds transferred from unlicensed money service businesses. It also warned about attempts to bypass due diligence using false documentation, deepfake videos, and face swaps generated by AI.

Taken together, those updates show that UKGC expects operators to think dynamically. AML in iGaming is no longer just about identifying a suspicious cash-heavy customer in a land-based venue. It now includes onboarding fraud, synthetic identity risk, complex payment flows, third-party provider risk, sanctions screening, and PEP-linked payment activity.

Why PEP and sanctions screening matter so much in the UK iGaming context

The UKGC materials now explicitly flag PEPs and persons on financial sanctions lists as risk indicators within gambling operations. That makes PEP and sanctions screening operationally central, not peripheral.

For casino operators in particular, screening should happen before access is granted to remote gambling facilities. The Commission’s guidance on identification and verification on entry states that the on-entry approach requires casinos to identify and verify the identity of the customer before access is given to remote gambling facilities. Once the customer is identified, the operator still needs to assess risk, including whether the customer is a PEP, connected to a high-risk jurisdiction, using suspicious payment methods, or presenting source-of-funds concerns.

For non-casino UK gambling businesses, the position is less prescriptive under the MLR regime, but it would be a mistake to conclude that PEP and sanctions screening are optional. The Commission’s broader guidance makes clear that all operators must assess and effectively manage money laundering and terrorist financing risks applicable to their business. In practice, if an operator has international customers, online onboarding, fast withdrawals, or high-value users, screening for sanctions and PEP exposure is a sensible and increasingly expected part of the control framework.

Curaçao: a jurisdiction in transition under the new LOK framework

Curaçao is the most visibly changing of the three jurisdictions. The biggest development is structural: with the entry into force of the National Ordinance on Games of Chance, or LOK, on 24 December 2024, the Gaming Control Board was designated as the Curaçao Gaming Authority, or CGA, and continues supervisory and licensing activity under that name. The CGA confirmed in an October 2025 press release that the LOK remains in force and that licensing and supervisory activities continue uninterrupted.

This matters because Curaçao historically had a reputation for lighter-touch supervision under the older master-license model. The new framework is intended to be more formalized, more transparent, and more aligned with international compliance expectations. While the public guidance set is still evolving and is less consolidated than in Malta or Great Britain, the direction is clear.

The licensing materials published through the CGA portal already show a more AML-aware posture. The business and corporate information form for online gaming license applicants requires the applicant to disclose company history, source of funds, bank accounts, virtual asset wallets, qualifying interest holders up to the ultimate beneficial owner, and to upload a screenshot of goAML registration. That is highly relevant because it shows Curaçao embedding AML-relevant controls into licensing and corporate transparency, not treating them as separate from market entry.

CGA’s business plan guidance also requires applicants to describe management structure and reporting lines, which is an important signal for governance expectations, especially around compliance independence and accountability.

The Curaçao responsible gaming policy, while not an AML rulebook, is also revealing. It states that adherence to the policy is a requirement under the LOK and notes that high-risk business models may include cryptocurrency, agent or intermediary accounts, and high rollers or VIPs. Operators with such models are expected to have policies that suitably address those higher-risk elements. That is not a full AML framework in itself, but it shows that Curaçao’s supervisory approach is increasingly sensitive to risk typologies commonly associated with AML concerns.

What operators should understand about Curaçao’s AML direction

The most important point about Curaçao today is that it is a live transition environment. The regulatory direction is toward more licensing integrity, more transparency around ownership and funding, and more formal supervision. Because the regime is still bedding in, operators should be cautious about relying on old assumptions associated with the legacy Curaçao model.

The official documentation already suggests a more serious treatment of ownership, funding, wallet disclosure, and reporting infrastructure. A jurisdiction that requires goAML registration, source-of-funds support, UBO-chain disclosure, and declaration of wallets is plainly moving toward a more structured AML/CFT environment.

For operators, that means the safest approach is to assume that Curaçao is moving closer to mainstream risk-based AML supervision, even if the full public guidance library is still developing. Firms should not wait for every detail to be codified before implementing proper AML and PEP screening, sanctions checks, source-of-funds controls, and transaction monitoring.

What iGaming operators should do regardless of jurisdiction

Although Malta, Great Britain, and Curaçao differ in legal structure and supervisory maturity, the core control principles are converging.

Operators need to identify and verify customers properly, including beneficial ownership where relevant. They need customer risk scoring that takes account of geography, payment methods, products, transaction patterns, PEP status, and sanctions exposure. They need clear enhanced due diligence procedures for high-risk users, especially VIPs, PEPs, crypto-linked customers, and users with unusual source-of-funds profiles. They need sanctions and PEP screening not just at onboarding but throughout the life of the relationship. And they need governance that can withstand regulatory scrutiny, including escalation processes, trained personnel, audit trails, and independent oversight.

In iGaming, AML and PEP screening are not separate compliance functions. They are part of the same risk question. Who is this player, who is really behind this account, where is the money coming from, and is this relationship lawful and acceptable?

{{snippets-guide}}

Conclusion

AML regulations in iGaming are becoming more sophisticated and more demanding. Malta’s MGA framework is comparatively mature and strongly anchored in the FIAU’s binding implementing procedures. The UKGC framework is highly operational and increasingly focused on real-world risks such as PEP payments, sanctions exposure, onboarding fraud, high-risk third countries, and B2B partner risk. Curaçao, meanwhile, is in the middle of a significant regulatory reset under the LOK, with clearer licensing, transparency, and compliance expectations already visible.

For operators, the key lesson is simple. AML in gambling is no longer just about filing suspicious reports after something has gone wrong. It is about building a control environment that can show, at every stage, that the operator knows who the customer is, understands the source and nature of the risk, and can demonstrate why the business relationship was allowed to proceed.

sanctions.io is a highly reliable and cost-effective solution for real-time screening. AI-powered and with an enterprise-grade API with 99.99% uptime are reasons why customers globally trust us with their compliance efforts and sanctions screening needs.

‍

To learn more about how our sanctions, PEP, and criminal watchlist screening service can support your organisation's compliance program: Book a free Discovery Call.

‍

We also encourage you to take advantage of our free 7-day trial to get started with your sanctions and AML screening (no credit card is required).

‍