Suspicious activity reporting is one of the most operationally demanding obligations an online gambling operator faces. Done poorly, it creates regulatory exposure and invites enforcement action. Done well, it protects the business, satisfies the regulator, and forms the backbone of a credible AML programme. This guide walks through the practical mechanics of building and running a SAR process that holds up under scrutiny.
What Counts as Suspicious Activity
Suspicion in an AML context does not require certainty, or even a strong belief that a crime has occurred. The legal threshold in most jurisdictions is whether a member of staff knows or suspects, or has reasonable grounds to suspect, that a person is engaged in money laundering or terrorist financing. That is a deliberately low bar, and operators should train their teams accordingly.
Common indicators in online gambling include:
- Deposits that are disproportionate to a player's stated income or occupation
- Rapid cycling of funds with minimal gameplay, particularly through low-margin bets
- Multiple accounts sharing payment methods, devices or IP addresses
- Requests to withdraw to a different payment method than the one used to deposit
- Players who are indifferent to gambling outcomes but highly focused on transaction speed
- Source-of-funds documents that are inconsistent, altered or implausible
The Internal Reporting Chain
Before a SAR reaches the financial intelligence unit, it travels through your internal structure. Every operator regulated in a jurisdiction with AML obligations must designate a Money Laundering Reporting Officer (MLRO). Front-line staff, including customer support, VIP managers and payments teams, must have a clear, documented route to report concerns to that MLRO without delay.
Practically, this means:
- A named MLRO and a deputy covering absences
- A standardised internal suspicious activity report form, separate from general CRM notes
- A secure, confidential submission channel, whether a dedicated email address, a compliance inbox or purpose-built software
- A written policy that prohibits tipping off the subject under any circumstances
The MLRO then evaluates the internal report, decides whether to escalate to the national financial intelligence unit (FIU), and documents the reasoning either way. That documented reasoning is critical: regulators examine not only SARs that were filed but also decisions not to file.
Filing with the FIU: Practical Considerations
In the UK, operators file with the National Crime Agency via the Suspicious Activity Reports Online portal. In the Netherlands, reports go to FIU-Nederland. Each FIU has its own submission format, data requirements and timelines, so your MLRO must be familiar with the specific portal and process for every jurisdiction in which the operator holds a licence.
When preparing a SAR for submission, include:
- Full player identification data: name, date of birth, address, account number
- A clear, factual narrative of the suspicious behaviour, referenced to specific dates and transaction amounts
- The typology you believe applies, such as structuring, layering or third-party funding
- Any supporting documentation already gathered, including source-of-funds materials or chat logs
Avoid opinion and speculation in the narrative. Write factually and chronologically. Regulators and law enforcement need a document they can act on, not an interpretive essay.
Keeping the Account Open: the Consent Regime
One of the most operationally sensitive moments in SAR processing is deciding what to do with the account while the report is pending. In many jurisdictions, proceeding with a transaction after internal suspicion has been raised, but before a SAR has been filed, can itself constitute a money laundering offence. Where a consent or defence against money laundering (DAML) regime applies, the MLRO may need to request consent from the FIU before allowing a withdrawal to proceed.
Operators should have a documented hold procedure that allows the account to be paused discreetly, without triggering any customer-facing language that could constitute tipping off. A generic system or fraud check message is generally acceptable; a message referencing AML or money laundering is not.
Record-Keeping and Audit Readiness
All internal suspicious activity reports, the MLRO's assessment notes, SAR submissions and any FIU correspondence must be retained for at least five years in most regulated markets. These records should be stored separately from general player files and accessible only to authorised compliance personnel.
At OnlineShine, we advise operators to treat the SAR register as a living compliance document, reviewed quarterly to identify typology trends and inform ongoing staff training.
Regular review of the register also demonstrates to regulators that the operator is actively managing its AML exposure rather than filing SARs reactively and in isolation.
Staff Training: the First Line of Defence
A technically correct SAR process fails if front-line staff do not recognise suspicious behaviour in the first place. Annual AML training is a regulatory minimum, but operators should supplement it with periodic typology briefings tied to real patterns observed in their own player base. Role-specific training for VIP managers, payments staff and customer support teams will be more effective than generic compliance modules delivered to the entire organisation.



