Home  /  News  /  Compliance & AML
Compliance & AMLMay 23, 2025

MLRO in iGaming: Build, Buy, or Outsource the Role

How iGaming operators can evaluate three MLRO models, weigh the compliance risks, and choose the right structure for their licence and scale.

MLRO in iGaming: Build, Buy, or Outsource the Role

The Money Laundering Reporting Officer sits at the intersection of regulatory obligation and operational reality. For iGaming operators, getting this appointment wrong does not simply invite a fine; it can trigger licence suspension, personal liability for named individuals, and reputational damage that takes years to repair. Yet many operators still treat the MLRO function as an afterthought, filling the seat reactively rather than by design.

What the MLRO Role Actually Requires

Under most gambling licences, including those issued by the Malta Gaming Authority, the UK Gambling Commission, and Curacao's new licensing framework, operators must appoint a qualified individual responsible for receiving internal suspicious activity reports, deciding whether to file a Suspicious Activity Report with the relevant Financial Intelligence Unit, maintaining the AML/CFT programme, and acting as the primary regulatory contact on financial crime matters.

The role is not ceremonial. A competent MLRO must understand transaction monitoring logic, know how to interpret SAR obligations under local law, keep up with FATF guidance updates, and be reachable when a compliance event escalates. They also carry personal accountability, meaning their individual fitness and propriety are assessed by the regulator, not just the company's.

Option One: Building the Function In-House

Hiring a dedicated, full-time MLRO makes sense when an operator has sufficient transaction volume to justify the cost, operates across multiple jurisdictions requiring ongoing regulatory dialogue, or holds a licence where the regulator expects a senior, named employee in the seat.

  • Advantages include direct control over escalation speed, deep familiarity with the operator's player base and product mix, and continuity during regulatory inspections.
  • Disadvantages include salary and benefits costs that can exceed EUR 90,000 annually for a qualified candidate, the single-point-of-failure risk when the MLRO leaves, and the challenge of keeping one person current across multiple evolving frameworks.

Operators building in-house should budget not just for salary but for ongoing training, external legal counsel on complex SAR decisions, and deputy cover arrangements. Regulators increasingly scrutinise what happens to compliance oversight during MLRO absences.

Option Two: Buying the Expertise Through a Senior Hire

Some operators interpret the build option as simply recruiting a heavy-weight compliance professional rather than developing internal capability over time. Hiring someone who arrives with existing regulatory relationships, SAR filing experience and a network in the Financial Intelligence Unit community can compress the maturity curve significantly.

The practical challenge is that experienced iGaming MLROs with a proven track record are scarce. Candidates who genuinely understand both AML typologies specific to online gambling and the technical side of transaction monitoring systems command premium compensation. A rushed hire to fill a regulatory gap often produces a candidate who looks strong on paper but lacks the operational depth the role demands.

Option Three: Outsourcing to a Managed Compliance Partner

Outsourcing the MLRO function, sometimes described as a Fractional MLRO or Compliance-as-a-Service model, has matured considerably over the past three years. Under this structure, a regulated compliance services firm provides a named, qualified individual to act as the operator's MLRO on a contractual basis, supported by a broader team covering SAR decisions, policy updates, regulatory correspondence and training.

  • Cost efficiency: operators pay for the expertise they actually use rather than a full-time salary regardless of volume.
  • Regulatory continuity: a firm-based MLRO model typically includes deputy and succession arrangements that a single hire cannot provide.
  • Breadth of knowledge: a practitioner serving multiple operators sees a wider range of typologies and regulatory developments than one embedded in a single brand.
  • Limitation: some regulators, particularly the UKGC, require the MLRO to have a sufficiently direct relationship with senior management and the board. Contract arrangements must be structured carefully to satisfy fitness and propriety expectations.

How to Choose the Right Model

The decision is not purely financial. Operators should map the choice against three variables: licence jurisdiction and its specific requirements around the MLRO's employment status; current transaction volume and the complexity of the player risk profile; and the operator's internal capacity to supervise and support whichever model they select.

A startup launching on a single jurisdiction licence with modest GGR is likely over-engineering the problem by hiring a full-time MLRO at launch. Conversely, a scaled operator with players across the EU, a high proportion of high-value accounts, and active regulatory dialogue should not be relying on a fractional arrangement with limited hours.

The MLRO model an operator chooses signals to the regulator how seriously the business treats financial crime risk. Structure it for the operation you are running today, but build in a clear trigger for reviewing it as the business grows.

OnlineShine's Practitioner View

At OnlineShine, we support operators across all three models: advising on in-house hiring specifications, providing fractional MLRO services for early-stage and mid-size operations, and conducting gap analyses for businesses transitioning between models. The right answer depends on your licence, your risk appetite, and your growth trajectory. What matters most is that the choice is deliberate and documented, so the regulator can see the reasoning when they ask.

FAQ

Frequently asked questions

Does an iGaming operator always need a full-time MLRO?

Not in every jurisdiction. Many licensing frameworks require a named, qualified MLRO but do not mandate that the person be a full-time employee. Operators can satisfy the obligation through a fractional or outsourced model, provided the arrangement gives the individual genuine authority to act and the regulator is satisfied with the fitness and propriety of the appointment. However, high-volume operators and those holding UK Gambling Commission licences face stricter expectations around management access and availability.

What qualifications should an iGaming MLRO hold?

Most regulators do not prescribe a single mandatory qualification, but they assess the individual's relevant experience and training as part of fit and proper checks. Practically, a credible iGaming MLRO should hold a recognised AML qualification such as ICA or ACAMS, have direct experience filing SARs with a Financial Intelligence Unit, understand gambling-specific typologies such as chip dumping and bonus abuse layering, and be familiar with the operator's specific licence jurisdiction's AML framework.

What are the main risks of outsourcing the MLRO function?

The primary risks are insufficient availability during a live compliance event, the possibility that the named individual lacks deep familiarity with the specific operator's player risk profile, and regulatory pushback in jurisdictions where the MLRO is expected to have a direct employment relationship with the operator. These risks can be managed through well-drafted service level agreements, regular joint risk assessments, and clear escalation protocols, but operators must satisfy themselves that the arrangement meets their regulator's specific requirements before proceeding.

How often should an iGaming operator review its MLRO model?

An operator should review the structure of its MLRO function at least annually and whenever a material change occurs, such as entering a new market, crossing a significant GGR threshold, launching a new product vertical, or receiving a regulatory finding related to AML. The review should assess whether the current model still matches the operator's risk profile, transaction complexity and regulatory obligations, and the outcome should be documented in the compliance governance framework.

Keep reading

Related articles

Show us one brand.
We will find the leaks.

Book a 30-minute teardown. We walk through one of your brands and show you exactly where revenue, retention or compliance is slipping, no obligation.