Home  /  News  /  Compliance & AML
Compliance & AMLJanuary 8, 2025

Building an AML/CFT Manual Regulators and Banks Expect

What regulators and banking partners actually check in an online casino AML/CFT manual. Practical guidance for iGaming operators in 2025.

Building an AML/CFT Manual Regulators and Banks Expect

An AML/CFT manual is not a formality to file and forget. For online casino operators, it is the document that licensing authorities examine during audits and that correspondent banks review before approving payment processing relationships. Getting it right from the start saves months of remediation work and protects your operating licence.

Why the Manual Matters Beyond Licensing

Most operators treat their AML/CFT manual as a box-ticking exercise during the licence application. In practice, banking partners, payment service providers and even affiliate networks now request it as part of their own due diligence. A thin or generic document signals operational immaturity and creates friction across every commercial relationship your casino depends on.

Regulators in Malta, Gibraltar, Curacao and the UK each have jurisdiction-specific requirements, but the underlying framework they all look for is consistent: a manual that reflects your actual business, not a template downloaded from the internet.

Core Sections Every Regulator Expects

1. Risk Assessment Methodology

The manual must open with a documented risk assessment that is specific to your operator profile. This means identifying the player geographies you accept, the payment methods you offer, your average deposit sizes and your product verticals. A casino offering high-limit live dealer games to players in high-risk jurisdictions carries a materially different risk profile than a slots-only operator targeting regulated European markets. The regulator needs to see that you have made this analysis yourself, not that you have copied a generic sector risk classification.

2. Customer Due Diligence Procedures

This section must describe exactly how your team verifies player identity at registration, at trigger thresholds and on an ongoing basis. Specify the acceptable document types, the technology stack you use for electronic verification, and the escalation path when documents are inconsistent or expire. Regulators pay close attention to the gap between your stated CDD policy and the software workflows that actually enforce it.

3. Enhanced Due Diligence for High-Risk Players

EDD triggers should be defined numerically where possible. Describe what additional information is collected from PEPs, players from FATF grey-list countries and players whose source-of-wealth declarations are inconsistent with their transaction patterns. Banking partners frequently look at this section to assess whether your EDD standard meets their own correspondent risk policies.

4. Transaction Monitoring Rules

Document the specific thresholds, rules and behavioural patterns your monitoring system flags for review. Name the system you use and describe how alerts are triaged. Regulators want to see a clear audit trail from alert generation through analyst review to either case closure or suspicious activity reporting. Vague language such as "transactions are reviewed periodically" will draw questions and possible findings.

5. Suspicious Activity Reporting

Define who holds the authority to submit a suspicious activity report or suspicious transaction report to the Financial Intelligence Unit in your jurisdiction. The MLRO must be named, their qualifications documented and a deputy nominated. The manual should also describe internal escalation timelines, the confidentiality obligations around tipping-off, and the record-keeping standard for filed reports.

6. Staff Training Programme

Regulators expect a training schedule, not a one-page policy. Include the frequency of training, the different curricula for customer-facing staff versus compliance analysts, and the mechanism for testing comprehension. Training records should be linked to individual employee files and available for inspection at any time.

What Banking Partners Check Specifically

Payment processors and acquiring banks apply their own compliance overlay on top of licensing requirements. They typically look for three things your regulator may not explicitly require: an independent audit opinion on the AML framework, evidence that the manual was reviewed after any material change to the business, and a documented sanctions screening procedure that names the lists screened and the frequency of screening. Operators who can produce a recent independent review letter alongside the manual move through banking onboarding significantly faster.

Common Deficiencies That Trigger Regulatory Findings

  • Generic risk appetite statements not linked to measurable thresholds
  • CDD procedures that describe a process no longer used after a platform migration
  • Missing or unnamed MLRO with no documented deputy arrangement
  • Transaction monitoring rules that have not been updated to reflect new payment methods added to the cashier
  • Training records held in a format that cannot be produced quickly during an inspection
A well-constructed AML/CFT manual reflects the live operation of the business. If the document describes procedures your team does not actually follow, it becomes evidence against you rather than protection during an audit.

Keeping the Manual Current

Build a review cycle into the manual itself. A minimum annual review is standard, but material business changes, including new market entries, new payment methods or significant player demographic shifts, should each trigger an ad-hoc update. Version-control every revision with a date, the author and a summary of changes. This version history is one of the first things a thorough regulator will examine to assess whether your compliance culture is proactive or reactive.

FAQ

Frequently asked questions

What must an AML/CFT manual for an online casino include?

An online casino AML/CFT manual must include a risk assessment specific to the operator's business profile, customer due diligence and enhanced due diligence procedures, transaction monitoring rules with defined thresholds, suspicious activity reporting protocols, and a documented staff training programme. The manual should name the designated MLRO and describe the escalation path for high-risk cases. Regulators expect the document to reflect actual operational procedures rather than generic policy language.

Why do banking partners request an operator's AML/CFT manual?

Banks and payment processors conduct their own due diligence on iGaming operators before approving processing relationships, and the AML/CFT manual is a primary source of evidence for that review. They look for an independent audit opinion on the compliance framework, documented sanctions screening procedures and evidence that the manual is updated after material business changes. A detailed, current manual reduces onboarding friction and signals that the operator manages financial crime risk at a professional standard.

How often should an online casino review its AML/CFT manual?

The minimum standard across most licensing jurisdictions is an annual review, with the review date and author documented in a version history. Beyond the annual cycle, any material change to the business, such as entering a new regulated market, adding a new payment method or experiencing a significant shift in player demographics, should trigger an immediate ad-hoc update. Regulators examine version history to assess whether compliance governance is proactive or only reactive to enforcement pressure.

What are the most common AML/CFT manual deficiencies found during regulatory inspections?

Common deficiencies include risk appetite statements that use vague language rather than measurable thresholds, CDD procedures that describe processes replaced during a platform migration, an unnamed or undocumented MLRO with no designated deputy, and transaction monitoring rules that have not been updated to cover newer payment methods in the cashier. Training records held in inaccessible or incomplete formats also regularly attract findings. Each of these gaps can result in licence conditions, remediation orders or financial penalties.

Keep reading

Related articles

Show us one brand.
We will find the leaks.

Book a 30-minute teardown. We walk through one of your brands and show you exactly where revenue, retention or compliance is slipping, no obligation.