Read me — how this policy is used
This document guides day-to-day KYC/AML operations for {{COMPANY_NAME}}. It is internal, may be shared with regulators or auditors upon request, and is complemented by our Terms of Use, Privacy Policy, Responsible Gaming Policy, and internal SOPs/playbooks.
1) Purpose & Scope
This policy establishes how {{COMPANY_NAME}} prevents money laundering (ML), terrorism financing (TF), fraud, and sanctions evasion in connection with our online gaming services. It applies to:
- All players and account holders using {{BRANDS}} under {{LICENSES}} (e.g., MGA).
- Employees, contractors, and compliance service providers acting for {{COMPANY_NAME}}.
- Payment flows including deposits, withdrawals, and prize payouts.
2) Regulatory Framework
We operate under a risk-based approach aligned with applicable AML/CFT laws and guidance in our licensing jurisdictions (e.g., Malta Gaming Authority requirements, EU AML directives, FATF recommendations). Where rules differ, we apply the stricter standard.
3) Governance & Roles
- Board / Executive: approve policy, ensure adequate resources and independence for compliance.
- MLRO: maintains this policy, oversees KYC/AML operations, approves EDD, handles SAR/STR reporting, and liaises with regulators.
- Compliance Team: performs reviews, escalations, and quality assurance.
- Engineering / Data: implement and maintain controls, logs, and data retention safeguards.
- Customer Ops / Payments: follow SOPs for verification, transaction review, and escalation.
4) Risk-Based Approach
We assess risk across customer, geography, product, and channel and apply proportionate controls.
| Factor | Examples | Typical Controls |
|---|---|---|
| Geography | High-risk third countries, sanctions exposure | Block lists, step-up EDD, source-of-funds (SoF) |
| Customer | PEP, negative news, inconsistent identity | PEP/sanctions screening, adverse media checks, EDD |
| Product/Channel | Non-face-to-face onboarding, crypto rails | Reliable eKYC, liveness, transaction monitoring |
| Behavior | High velocity, circular flows, device anomalies | Automated risk scoring, manual review, limits |
5) Customer Due Diligence (CDD)
When: at onboarding and before withdrawals (and whenever suspicion arises).
What we collect (individuals): full name, date of birth, residential address, nationality/country, and—when required—government ID (passport/ID card/driver’s license) and selfie/liveness. We verify via reliable, independent sources or certified vendors.
Outcome: verified / pending / failed. We can suspend or deny services/payouts until CDD is completed.
6) Enhanced Due Diligence (EDD)
EDD is applied where risk is higher (e.g., PEP, high-risk geography, unusual flows, adverse media). Measures may include:
- Stronger identity corroboration; second document; in-depth liveness or video KYC.
- Source of Funds (SoF) and/or Source of Wealth (SoW) evidence.
- Tighter ongoing monitoring and limits; senior management/MLRO approval.
7) Screening (Sanctions & PEP)
- We screen customers against applicable sanctions lists (e.g., UN, EU, OFAC) and PEP lists at onboarding and periodically.
- Positive or potential matches are reviewed by Compliance; services may be restricted while review is ongoing.
- Hits are documented, decisioned, and retained per this policy.
8) Ongoing Monitoring & Triggers
We use automated and manual reviews to detect anomalies. Typical triggers include, but are not limited to:
- Unusual velocity or volumes (e.g., sharp increases in deposits/withdrawals or net flow).
- Patterns indicative of layering (e.g., rapid in-out with minimal gameplay).
- Device or geolocation anomalies; multiple accounts; VPN/hosting IPs.
- Sanctions/PEP updates and adverse media events.
Risk Metrics (examples): rolling deposits/withdrawals (30d), daily/24h net USD, max single win/withdrawal, high-risk geo/device flags. Thresholds are tuned by Compliance and documented in internal runbooks/SOPs.
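As an added illustration (not {{COMPANY_NAME}}'s monitoring code), the following computes the risk metrics named above over a constructed transaction history and evaluates the section 8 triggers, including the layering heuristic of money in and out with minimal gameplay. The threshold values and the customer transactions are assumptions for the example; real thresholds are tuned by Compliance per the runbooks.

```python
"""Constructed transaction-monitoring example; thresholds and data are illustrative."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    ts: datetime
    kind: str      # "deposit", "withdrawal" or "wager"
    amount: float  # USD

# Assumed thresholds for the example only; production values live in Compliance SOPs.
THRESHOLDS = {"deposits_30d": 5000.0, "net_24h": 3000.0,
              "max_withdrawal": 2500.0, "min_wager_ratio": 0.2}

def window_sum(txns, kind, end, days):
    """Sum of one transaction kind inside the (end - days, end] window."""
    start = end - timedelta(days=days)
    return sum(t.amount for t in txns if t.kind == kind and start < t.ts <= end)

def risk_metrics(txns, now):
    dep30 = window_sum(txns, "deposit", now, 30)
    wd30 = window_sum(txns, "withdrawal", now, 30)
    net24 = window_sum(txns, "deposit", now, 1) - window_sum(txns, "withdrawal", now, 1)
    max_wd = max((t.amount for t in txns if t.kind == "withdrawal"), default=0.0)
    wagered = window_sum(txns, "wager", now, 30)
    # Share of deposited money actually played; 1.0 when nothing was deposited.
    return {"deposits_30d": dep30, "withdrawals_30d": wd30, "net_24h": net24,
            "max_withdrawal": max_wd, "wager_ratio": wagered / dep30 if dep30 else 1.0}

def triggers(m, high_risk_geo=False):
    hits = []
    if m["deposits_30d"] > THRESHOLDS["deposits_30d"]:
        hits.append("velocity_deposits_30d")
    if abs(m["net_24h"]) > THRESHOLDS["net_24h"]:
        hits.append("net_24h")
    if m["max_withdrawal"] > THRESHOLDS["max_withdrawal"]:
        hits.append("large_withdrawal")
    # Layering pattern from section 8: rapid in-out with minimal gameplay.
    if m["withdrawals_30d"] > 0 and m["wager_ratio"] < THRESHOLDS["min_wager_ratio"]:
        hits.append("rapid_in_out_low_play")
    if high_risk_geo:
        hits.append("high_risk_geo")
    return hits

# Constructed history: two fast deposits, token wagering, then a large withdrawal.
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_TXNS = [Txn(T0, "deposit", 3000.0), Txn(T0 + timedelta(hours=1), "deposit", 3000.0),
               Txn(T0 + timedelta(hours=2), "wager", 200.0),
               Txn(T0 + timedelta(hours=3), "withdrawal", 5500.0)]
NOW = T0 + timedelta(hours=4)

if __name__ == "__main__":
    print(triggers(risk_metrics(SAMPLE_TXNS, NOW)))
```

A hit here only queues the account for Compliance review; the decision and the SAR/STR escalation in section 11 remain manual.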
9) Record-Keeping & Retention
- We retain KYC records, risk assessments, screening logs, and transaction data for at least five (5) years after the end of the business relationship or the date of an occasional transaction, subject to local law.
- Records must be retrievable promptly for competent authorities.
10) Data Protection
- Lawful bases: legal obligation (AML/KYC) and legitimate interests (fraud prevention). See our Privacy Policy for details.
- PII is encrypted at rest at the application layer (AES-256-GCM “sealed” records). Access is role-based and logged.
- We use vetted processors for eKYC/screening; data transfer and sub-processing are governed by DPAs.
11) Suspicion Reporting
Employees must promptly escalate unusual or suspicious activity to the MLRO using the internal SAR/STR form. The MLRO determines whether to file with the relevant FIU/authority. Tipping-off prohibitions are strictly observed.
MLRO Contact: {{MLRO_NAME}} — {{MLRO_EMAIL}}
12) Third-Party Reliance
Reliance on third parties for parts of CDD is permitted only where legally allowed and documented. {{COMPANY_NAME}} remains ultimately responsible.
13) Training & Awareness
- All relevant staff receive AML/KYC induction and annual refreshers; role-specific training is provided to high-risk teams.
- Training completion is tracked; materials are reviewed annually.
14) Audit, Testing & Updates
- This policy is reviewed at least annually and upon regulatory change, product change, or material risk events.
- Independent testing and internal audits assess control effectiveness; findings are tracked to remediation.
Document ID: {{DOC_ID}} • Supersedes: {{PREV_VERSION}} • Next review by: {{NEXT_REVIEW_DATE}}