Most operators have an AML document. Far fewer have an AML programme that would survive a regulator's file review or a bank's onboarding due diligence. The difference is not length; it is evidence that the programme is lived: named ownership, live screening, tuned monitoring and a paper trail.
The written foundation
A defensible programme starts with a business-specific risk assessment: your verticals, markets, payment methods and player profile, scored honestly. From that flows a versioned AML/CFT manual that states concrete thresholds rather than platitudes, for example enhanced due diligence at a defined cumulative deposit level and source-of-wealth checks at a defined redemption level. Reviewers immediately recognize a template manual with no connection to the actual operation; it is often worse than none, because it proves the controls on paper are not the controls in practice.
A named MLRO with real authority
Someone must formally own the programme: reviewing alerts, deciding on escalations, filing suspicious activity reports and signing the annual review. For smaller operators an outsourced MLRO in an advisory or recommendatory structure works well, provided the mandate, reporting lines and decision rights are written down. What does not work is an MLRO in name only who never sees a transaction.
Screening and monitoring that actually run
- Onboarding KYC: identity, age and address verification with documented pass and fail criteria, plus a defined re-verification trigger.
- Sanctions and PEP screening: at onboarding and on an ongoing schedule, against current lists, with dispositioned matches recorded.
- Transaction monitoring: rules tuned to your product, deposit velocity, structuring patterns, rapid deposit-and-withdraw behaviour, minimal play-through, with alert queues that are actually worked.
- Record keeping: every decision, on every alert, retrievable for the statutory retention period.
The evidence layer
When a regulator, bank or payment partner tests the programme, they sample: show me this player's file, show me the alert this deposit generated, show me who reviewed it and when. A defensible programme produces those artifacts as a by-product of normal operation, monthly MLRO reports, training records, screening logs, SAR registers. If assembling the evidence requires a scramble, the programme is not defensible yet.
Build order for a new brand
Risk assessment first, manual second, tooling third, training fourth, then a quarter of tuning while the first monitoring reports accumulate. A credible baseline takes four to eight weeks; credibility with counterparties builds over the following months of consistent evidence.



