Home  /  News  /  Compliance & AML
Compliance & AMLOctober 2, 2025

Open Banking Payments in Online Gambling: A Compliance Guide

How iGaming operators can adopt open banking payments while meeting AML, KYC and responsible gambling obligations in 2025.

Open Banking Payments in Online Gambling: A Compliance Guide

Open banking has moved from a regulatory experiment into a practical payment rail for online gambling, but its compliance implications remain underappreciated by many operators. For compliance officers and brand owners navigating this shift in October 2025, understanding how account-to-account transfers interact with AML obligations, source-of-funds checks and responsible gambling controls is no longer optional.

What Open Banking Means for Gambling Operators

Open banking allows players to authorise a direct payment from their bank account to an operator's nominated account, bypassing card networks entirely. The payment is initiated through a regulated third-party payment initiation service provider, known as a PISP, operating under frameworks derived from PSD2 in Europe and equivalent legislation in other jurisdictions. For operators, this translates into lower transaction fees, near-instant settlement and a reduction in chargebacks. It also means the operator is receiving funds that originate directly from a verified bank account, which carries specific compliance consequences.

AML and Source-of-Funds Implications

Because each open banking transaction is linked to a named bank account, the payment method inherently provides a layer of identity verification that card payments and e-wallets often do not. The account holder's name returned by the bank can be matched against the player's registered details in real time, strengthening name-matching controls without adding friction.

However, this should not be confused with a complete AML solution. Key considerations include:

  • Affordability signals: The bank account link can, with player consent under open banking data-sharing provisions, surface account balance and income data. Operators running enhanced due diligence programmes should explore whether AISP (account information service provider) consent flows can inform affordability assessments at onboarding or during high-volume play periods.
  • Third-party funding risk: A player may grant another person access to their bank account or use a joint account. Policies must address how operators detect and respond to payments that appear to originate from a third party, since this is a recognised money laundering typology in gambling contexts.
  • Velocity and structuring: Open banking's low friction can enable rapid, repeated deposits. Transaction monitoring rules must account for the speed at which account-to-account payments can be executed, particularly in jurisdictions where deposit limits are self-imposed rather than regulatory.

KYC Integration and Verification Timing

A common operational error is treating the bank account match as a substitute for formal KYC. Regulators in the UK, Netherlands and Malta consistently hold that payment method verification is a complement to identity verification, not a replacement. The practical implication is that operators should complete KYC before allowing open banking deposits above de minimis thresholds, and should record the bank account IBAN or equivalent as a verified funding source in the player's compliance profile.

Where players use multiple bank accounts across different sessions, each new account should trigger a source-of-funds review consistent with the operator's risk-based approach. Flagging this at the system level prevents compliance gaps that only appear during audits.

Responsible Gambling Controls Specific to Open Banking

Open banking removes some of the friction that card processors naturally introduce, such as three-domain secure authentication delays or soft declines. Operators must compensate for this reduced friction at the product level. Practical controls include:

  • Mandatory cooling-off periods between successive open banking deposit attempts within a defined time window.
  • Real-time deposit limit enforcement that applies before the payment initiation request is sent to the PISP, rather than after.
  • Behavioural triggers that escalate a player to a safer gambling review when open banking deposit frequency exceeds defined thresholds.

Regulatory Licensing and PISP Due Diligence

Operators are responsible for the compliance posture of the PISPs they contract with. Before onboarding any open banking provider, compliance teams should confirm the PISP holds appropriate authorisation, review its own AML and fraud controls, and document that assessment in a third-party risk management file. Some gambling regulators are beginning to request evidence of PISP due diligence as part of licence renewal submissions.

Open banking payments offer genuine compliance advantages when implemented deliberately, but the compliance architecture must be built before the payment method goes live, not retrofitted after the first audit finding.

Practical Next Steps for Operators

Operators considering open banking adoption should conduct a gap analysis against their current AML programme, update their payment method risk assessment, and revise their transaction monitoring rule sets before launch. Engaging external compliance specialists who understand both PSD2-derived frameworks and gambling-specific regulatory expectations is the most efficient route to a defensible implementation.

FAQ

Frequently asked questions

Does open banking replace standard KYC checks for online gambling operators?

No. Open banking payment verification confirms that a player controls a specific bank account, but it does not satisfy KYC obligations under gambling regulations. Operators in regulated markets such as the UK, Malta and the Netherlands must complete full identity verification before allowing deposits above de minimis thresholds. The bank account match should be recorded as a supplementary data point in the player's compliance profile, not treated as a standalone identity check.

What AML risks are specific to open banking deposits in gambling?

The primary risks are third-party funding, where someone other than the account holder initiates a payment on behalf of a player, and high-velocity structuring, where the low friction of account-to-account transfers enables rapid successive deposits. Operators must update their transaction monitoring rules to detect these patterns, and their AML policies should explicitly address joint accounts and delegated account access as risk factors.

Can open banking account data be used for affordability assessments?

Yes, with explicit player consent under open banking data-sharing rules, an account information service provider (AISP) connection can provide balance and income data that informs affordability checks. This is increasingly relevant as regulators in several European markets push operators toward evidence-based affordability assessments during enhanced due diligence. Operators should ensure that any such consent flow is clearly explained to players and that data use complies with applicable privacy regulations.

What due diligence should operators conduct on open banking payment providers?

Operators should verify that their PISP holds valid regulatory authorisation in the relevant jurisdiction and should review the provider's own AML, fraud and data security controls before signing a contract. This assessment must be documented in a formal third-party risk management file. Some gambling regulators are already requesting evidence of PISP due diligence during licence reviews, so maintaining a current and auditable assessment record is a practical compliance requirement.

Keep reading

Related articles

Show us one brand.
We will find the leaks.

Book a 30-minute teardown. We walk through one of your brands and show you exactly where revenue, retention or compliance is slipping, no obligation.