Home  /  News  /  Compliance & AML
Compliance & AMLJune 18, 2025

Age Verification in Online Gaming: An Operator Checklist

A practical checklist for iGaming operators to audit and strengthen age verification controls this week, covering technology, process and compliance gaps.

Age Verification in Online Gaming: An Operator Checklist

Age verification is no longer a checkbox at registration. Regulators across the UK, Netherlands, Sweden and beyond are scrutinising how operators verify age at every friction point, and fines for failures are climbing. If your team has not reviewed your age verification stack in the past six months, this week is the right time to start.

Why Age Verification Deserves Fresh Attention in Mid-2025

Several regulatory updates that took effect in the first half of 2025 have raised the evidentiary bar for operators. The UK Gambling Commission continues to push for real-time, database-level checks rather than self-declaration. The Dutch KSA has signalled stricter enforcement of Cruks exclusion cross-referencing, which overlaps directly with age confirmation workflows. Meanwhile, Swedish operators face Spelinspektionen scrutiny over re-verification triggers when accounts show behavioural anomalies. The pattern is consistent: regulators expect verification to be continuous, not a one-time onboarding step.

The Core Technology Options Available Now

Understanding your choices is the foundation of any credible checklist. The main approaches in active use today include:

  • Credit bureau lookups: Fast, low-friction, and effective in markets where credit data is comprehensive. Suitable for UK and Nordics; less reliable in newer regulated markets.
  • Document verification with liveness detection: Optical character recognition combined with a real-time selfie check. Higher friction but stronger assurance. Required or strongly recommended under several licences for high-value deposits.
  • Mobile network operator (MNO) data: Matches registration data against the subscriber record held by the player's mobile carrier. Near-invisible to the user and growing in adoption across Europe.
  • Digital identity wallets: Government-backed schemes such as the UK digital ID framework and EU eIDAS 2.0-compliant wallets. Uptake is still limited but accelerating; operators who build integrations now will have a compliance advantage within 18 months.
  • Email and device intelligence: Age estimation derived from account age, device history and behavioural signals. Used as a secondary signal rather than a primary control.

The Operator Checklist: Actions for This Week

1. Audit Your Current Verification Trigger Points

Map every point in the player journey where age or identity is checked: registration, first deposit, withdrawal request, bonus claim, and re-activation after dormancy. Document which check runs at each point and whether it is automated or manual. Gaps in this map are gaps in your regulatory defence.

2. Confirm Your Provider Is Returning Decisioned Data, Not Just a Match Score

Some vendors return a pass/fail score without audit-ready evidence. Regulators expect you to store the underlying data that justified the decision. Confirm with your provider that raw decision records are retained in a format your compliance team can produce on request.

3. Test Edge Cases Specific to Your Player Base

Run internal tests for players with thin credit files (young adults, recent migrants), players using VPNs or address proxies, and accounts where the payment method holder differs from the registered player. These are the scenarios most likely to result in regulatory criticism if a problem surfaces.

4. Review Your Re-Verification Policy

If your only age check happens at registration, you are exposed. Establish clear rules for when re-verification is triggered: a change of payment method, a significant deposit limit increase, a long period of inactivity, or a behavioural flag raised by your responsible gambling tools.

5. Cross-Reference Exclusion Registers at the Verification Stage

In markets where a national exclusion scheme operates (Cruks, Spelpaus, OASIS), the exclusion check should run in parallel with age verification, not after it. A player who is both under-age and self-excluded represents a compounded failure if either check is delayed.

6. Document Your Fallback Procedure

Every automated system fails occasionally. Your compliance documentation should include a written procedure for what happens when the primary verification method returns an error or is unavailable. A manual review path with defined timelines is the minimum standard regulators expect.

Where OnlineShine Sees Operators Falling Short

In our work with operators across multiple regulated markets, the most common gap is not the verification technology itself. It is the absence of a formal review cycle. Teams implement a vendor, pass their licence audit, and then treat the system as resolved. Regulatory standards and fraud patterns both move faster than annual reviews can accommodate. A quarterly internal audit of your age verification controls, tied to your broader AML and responsible gambling review calendar, closes that gap more reliably than any single technology upgrade.

Verification technology is only as strong as the operational process built around it. The best document-scanning tool in the market cannot compensate for a team that has not reviewed its trigger logic in two years.

If your team needs an independent review of your current verification stack or help mapping controls to a specific licence requirement, OnlineShine's compliance team works with operators on precisely these assessments.

FAQ

Frequently asked questions

What is the minimum age verification standard required for licensed online casino operators in Europe?

Requirements vary by jurisdiction, but most European regulators including the UK Gambling Commission, Dutch KSA and Swedish Spelinspektionen require operators to verify that a player is at least 18 years old before allowing any real-money play or deposit. Verification must be based on reliable data sources such as credit bureau records or government-issued document checks, not self-declaration alone. Several regulators also require evidence to be retained in an audit-ready format for a defined number of years.

Is a one-time age check at registration sufficient for regulatory compliance?

In most regulated markets, a single check at registration is no longer considered sufficient on its own. Regulators increasingly expect operators to apply re-verification triggers when material changes occur on an account, such as a payment method change, a significant deposit limit increase, or a return from a long dormant period. Some jurisdictions also require periodic re-confirmation of player identity data. Operators should document their re-verification policy and ensure it is applied consistently.

What is liveness detection and why does it matter for age verification?

Liveness detection is a technology used during document-based identity verification to confirm that the person submitting the document is physically present and not using a photograph or pre-recorded video. It typically involves asking the user to perform a short facial movement during a selfie capture. In the context of age verification, liveness detection prevents account takeover and identity fraud where an adult's documents are used to register on behalf of a minor. It is increasingly required or recommended by regulators for high-value account activity.

How should operators handle age verification failures when the automated system is unavailable?

Operators should maintain a documented manual review procedure that activates whenever the primary automated verification system returns an error or is temporarily unavailable. This procedure should specify the maximum time allowed before a manual decision is made, the evidence acceptable for manual review, and who within the compliance team holds authority to approve or reject the registration. Regulators expect this fallback process to be written, tested and accessible to staff without delay.

Keep reading

Related articles

Show us one brand.
We will find the leaks.

Book a 30-minute teardown. We walk through one of your brands and show you exactly where revenue, retention or compliance is slipping, no obligation.