Home  /  News  /  Compliance & AML
Compliance & AMLJuly 2, 2026

What a Defensible AML Programme for an Online Casino Actually Contains

An AML manual is not a programme. What regulators, banks and PSPs look for in a defensible online casino AML/CFT setup, component by component.

What a Defensible AML Programme for an Online Casino Actually Contains

Most operators have an AML document. Far fewer have an AML programme that would survive a regulator's file review or a bank's onboarding due diligence. The difference is not length; it is evidence that the programme is lived: named ownership, live screening, tuned monitoring and a paper trail.

The written foundation

A defensible programme starts with a business-specific risk assessment: your verticals, markets, payment methods and player profile, scored honestly. From that flows a versioned AML/CFT manual that states concrete thresholds rather than platitudes, for example enhanced due diligence at a defined cumulative deposit level and source-of-wealth checks at a defined redemption level. Reviewers immediately recognize a template manual with no connection to the actual operation; it is often worse than none, because it proves the controls on paper are not the controls in practice.

A named MLRO with real authority

Someone must formally own the programme: reviewing alerts, deciding on escalations, filing suspicious activity reports and signing the annual review. For smaller operators an outsourced MLRO in an advisory or recommendatory structure works well, provided the mandate, reporting lines and decision rights are written down. What does not work is an MLRO in name only who never sees a transaction.

Screening and monitoring that actually run

  • Onboarding KYC: identity, age and address verification with documented pass and fail criteria, plus a defined re-verification trigger.
  • Sanctions and PEP screening: at onboarding and on an ongoing schedule, against current lists, with dispositioned matches recorded.
  • Transaction monitoring: rules tuned to your product, deposit velocity, structuring patterns, rapid deposit-and-withdraw behaviour, minimal play-through, with alert queues that are actually worked.
  • Record keeping: every decision, on every alert, retrievable for the statutory retention period.

The evidence layer

When a regulator, bank or payment partner tests the programme, they sample: show me this player's file, show me the alert this deposit generated, show me who reviewed it and when. A defensible programme produces those artifacts as a by-product of normal operation, monthly MLRO reports, training records, screening logs, SAR registers. If assembling the evidence requires a scramble, the programme is not defensible yet.

Build order for a new brand

Risk assessment first, manual second, tooling third, training fourth, then a quarter of tuning while the first monitoring reports accumulate. A credible baseline takes four to eight weeks; credibility with counterparties builds over the following months of consistent evidence.

FAQ

Frequently asked questions

What is the difference between an AML manual and an AML programme?

A manual is a document; a programme is the manual plus the people, tooling and evidence that show it operates: a named MLRO, live sanctions and PEP screening, worked alert queues, filed reports and retrievable records. Reviewers test the evidence, not the prose.

What does an MLRO do at an online casino?

The Money Laundering Reporting Officer formally owns anti-money-laundering compliance: maintaining the AML/CFT manual, reviewing escalated alerts, deciding on and filing suspicious activity reports, and reporting to management and regulators. The role can be outsourced if mandate and decision rights are documented.

When should an online casino apply enhanced due diligence?

At defined, written triggers, typically a cumulative deposit or redemption threshold, a high-risk jurisdiction, a PEP match or unusual transaction patterns. The exact thresholds should come from the operator's own risk assessment; common practice sets EDD at a specific cumulative amount and source-of-wealth checks at a higher one.

How long does it take to build an AML programme from scratch?

A defensible baseline, risk assessment, manual, screening tooling, named MLRO and monitoring procedures, typically takes four to eight weeks. Tuning alerts, training the team and accumulating the first monitoring evidence runs over the following quarter.

Keep reading

Related articles

Show us one brand.
We will find the leaks.

Book a 30-minute teardown. We walk through one of your brands and show you exactly where revenue, retention or compliance is slipping, no obligation.