How Casinos are Complying with Brilliant International Anti-Money Laundering Rules

casino
By /

Executive Summary

Casinos have moved to the front line of global anti-money laundering (AML) enforcement. In 2024–2025, governments tightened rules, stood up new EU-level supervision, revived or reshaped beneficial-ownership reporting in the US, and expanded enforcement against gambling firms in Australia and the UK. This guide translates the moving rulebook into actionable steps for both land-based casinos and iGaming operators: risk-based programs, KYC/EDD, source-of-funds checks, surveillance + transaction monitoring, suspicious activity reporting, third-party/junket controls, and a modern RegTech stack. Where relevant, we show regional nuances and reference current supervisory actions—so compliance leaders can calibrate their programs with confidence.

1) The Global AML Baseline: FATF + Risk-Based Approach

  • International standard-setter. The Financial Action Task Force (FATF) sets the global AML/CFT framework. Casinos are “DNFBPs” (Designated Non-Financial Businesses and Professions) and are explicitly expected to apply a risk-based approach—tailoring due diligence, monitoring, and reporting to product, channel, customer, and geographic risk.
  • Sector-specific guidance. FATF publishes guidance for casinos that maps common risk factors (cash intensity, third-party betting, cross-border high-rollers, junkets) to practical mitigations. If you operate tables, cages, VIP rooms, or online wallets, your program must reflect these risks.
  • Typologies worth baking into controls. Red flags repeatedly seen in SARs and typology reports: minimal gaming (cash in → little or no play → cash out), chip walking/redemption, bill stuffing at slots, third-party or pooled bankrolls, and junket opacity. These should map directly to alerts, case-review playbooks, and camera corroboration procedures.

Bottom line: Start from FATF’s risk-based playbook, then align to your local law.

2) Europe: The 2024–2025 EU AML Package & the New AMLA

  • A new EU AML architecture. The EU Anti-Money Laundering Authority (AMLA) gained legal existence in June 2024 and ramped to operational status in mid-2025, adding direct and indirect supervisory powers over high-risk obliged entities. Casinos active in the EU will increasingly feel EU-level oversight alongside national regulators.
  • What applies when. The EU AML Regulation (horizontal rules applied directly to firms) entered into force in 2024 and will apply from July 10, 2027, while member states must transpose the 6th AML Directive by the same date; earlier deadlines cover transparency-register access (by July 10, 2025). Map these timelines into your multi-year compliance plan.
  • Travel Rule clarity. For casinos that touch transfers of funds (e.g., payment processors, certain wallets) or crypto assets (where permitted), the EBA’s Travel Rule Guidelines (effective Dec. 30, 2024 across the EU) harmonize what sender/beneficiary information must accompany transfers—reducing fragmentation in cross-border flows. If your payments stack includes CASPs/PSPs, ensure policy + system alignment.

What to do now (EU):

  1. Assign an AMLA watch owner to track technical standards and supervisory college outputs.
  2. Run a Travel-Rule gap assessment with your payments and crypto partners.
  3. Stage your policy uplift for 2027 application dates—don’t leave data model changes (KYC fields, risk taxonomies) to the last minute.

3) United States: BSA, Casinos as “Financial Institutions,” and BOI Flux

  • Casinos under the BSA. US casinos and card clubs have been BSA-regulated financial institutions since 1985, with program obligations (internal controls, training, independent testing), CTRs for >$10,000 currency, and SARs for suspicious activity. The American Gaming Association’s best-practices summarize how the industry operationalizes this (risk assessment, cage controls, surveillance corroboration).
  • BOI whiplash in 2025. After litigation swings, the US Financial Crimes Enforcement Network (FinCEN) issued an interim final rule on March 21, 2025 removing Corporate Transparency Act beneficial-ownership reporting requirements for US companies and persons (a major shift for KYC/EDD data sourcing). Casinos should update onboarding SOPs and third-party risk questionnaires accordingly.
  • Legacy risk indicators still matter. FinCEN’s casino risk indicators and red-flag guidance (though older) remain relevant—especially when fused with modern analytics and camera evidence in case files.

What to do now (US):

  • Refresh CDD/EDD templates to reflect current BOI availability, and expand your source-of-funds/source-of-wealth narratives where corporate UBO data is thinner.
  • Audit CTR/SAR workflows for completeness, narrative quality, and timeliness.

4) APAC Snapshots: Macau, Singapore & Australia

  • Macau’s VIP reset. Post-crackdowns, Macau has capped junket promoters and, since 2023, restricted revenue sharing with casinos (now using capped commissions instead). As of July 2025, the government maintained a 50-junket cap through 2026; only ~22 junkets actually operate, far below pre-2014 levels. Casinos must hard-wire enhanced due diligence and transparency into any junket activity.
  • Singapore’s tightening. Singapore consolidated and modernized gambling law via the Gambling Control Act 2022 and continues to amend the Casino Control Act to tighten regulation and safeguards (including controls on junkets, credit, age/entry restrictions, and licensing fitness). Compliance teams should align cage controls and credit policies to the latest rule changes.
  • Australia’s enforcement posture. AUSTRAC has escalated actions against casino groups (e.g., a A$450m Crown penalty in 2023) and continues targeted audits and litigation against gambling operators in 2024–2025. Expect sustained scrutiny on risk assessments, PEP/SoF/SoW checks, and transaction monitoring adequacy.

What to do now (APAC):

  • Treat junkets and premium-player programs as high-risk with board-level oversight.
  • Perform geo-risk reviews (cross-border cash, remittance corridors) and align with local guidance (e.g., AUSTRAC indicators).

5) UK & New Zealand: Guidance + Active Supervision

  • United Kingdom. The UK Gambling Commission (UKGC) is an AML supervisory authority for remote and non-remote casinos and frequently issues fines and remediation orders. In 2025, enforcement actions continued against operators for AML and social-responsibility failures (e.g., penalties against ProgressPlay and others). Use UKGC’s guidance and “emerging risks” updates to refresh your risk assessments.
  • New Zealand. DIA and fellow supervisors publish practical AML/CFT program guidance (risk assessment first, then program), with annual reporting obligations and sector updates—useful templates even beyond NZ.

6) What Good Looks Like: A Risk-Based Casino AML Program (Land-Based & Online)

A) Governance & Risk Assessment

  • Board-approved enterprise-wide risk assessment (EWRA) specific to cages, tables, slots, online wallets, loyalty programs, junkets/third parties, and payment rails.
  • Risk taxonomy that weights cash intensity, customer profiles (PEPs, high-rollers), delivery channels (on-premise vs. remote), geographies, and product features.
  • Policies & standards mapped to each risk: KYC/CDD, EDD triggers, SoF/SoW, TMS rules, surveillance handoffs, SAR narratives.

B) KYC, EDD & Source-of-Funds/Wealth

  • Tiered onboarding: basic KYC (government ID/biometric match, age, address), then EDD for higher risk (PEP/adverse media, beneficial owners for entities, SoF/SoW evidence, cash-intensive businesses).
  • Event-driven refresh: thresholds for sudden deposit spikes, rapid redemption, or new payment methods.
  • Travel Rule (EU operations): ensure required originator/beneficiary data travels with funds or eligible crypto transfers via compliant partners.

C) Transaction Monitoring & Surveillance

  • Controls mapped to typologies: minimal gaming, chip walking, buy-in with large cash then rapid cash-out, front-money deposits in cash, chip passing between patrons, third-party wagering. Build rules that stitch time-at-table + wager size + video corroboration.
  • Cross-channel linkage: unify cage logs, player-tracking, POS, hotel folios, online wallet events, and device/IP intelligence.
  • Behavioral baselining: identify short-session high rollers with unusual win/loss ratios or repetitive buy-cash-out patterns; escalate for EDD and possible SAR.

D) Cash, Cages & Table Operations

  • 10K currency thresholds (US) → CTR; split-transaction detection (structuring) at the cage; dual custody for high-value chip inventories.
  • Marker and front-money controls: recordkeeping, repayment scrutiny, and responsible credit policies (consider local restrictions like Singapore’s).

E) Junkets, Promoters, and Third Parties

  • No blind pools. Prohibit pooled funds without player-level transparency; obtain KYC for each participant.
  • Contractual clauses: audit rights, UBO declarations, sub-agent disclosure, SoF/SoW standards, and on-site oversight.
  • Macau-style caps/limits and no revenue sharing in certain regimes require policy rewrites and KPIs that monitor promoter conduct.

F) Suspicious Activity Reporting (SAR/STR)

  • Standardized red-flag library (with local additions), narrative playbooks, and timelines per jurisdiction.
  • Evidence packs: attach cashier logs, play history, KYC summary, and surveillance stills; use consistent 5W1H narrative structure.

G) Training & Testing

  • Role-specific training for cage, tables, host/VIP teams, online KYC ops, and AML investigators; measure through quality-assurance scoring of SARs and KYC files.
  • Independent testing at least annually; board reads out results and remediation.

7) The Modern Casino AML Tech Stack

Identity & KYC

  • IDV/orchestration platforms (document + biometric liveness), PEP/sanctions/adverse media screening, and address/payment verification.
  • Device fingerprinting and behavioral biometrics help spot multi-accounting and bonus abuse (iGaming).

Transaction Monitoring & Case Management

  • Modular rules + machine learning for patterns like minimal play, rapid cash-outs, cross-account chip passing.
  • Graph analytics to connect wallets, devices, and promoters; visualize third-party relationships typical in junket ecosystems.

Travel Rule & Payments

  • TRPs (Travel Rule providers) for crypto-enabled flows; PSP integrations to capture payer/payee data and return error codes into case files.

Surveillance Fusion

  • Link video timelines to TMS alerts so investigators can jump to a suspicious buy-in/cash-out window and add stills to the SAR.

Assurance & Evidence

  • Immutable audit trails, model-risk documentation, and explainability (why an alert fired) are critical to pass regulator reviews.
  • UK: Regular penalties for AML/SR weaknesses continue; use UKGC’s enforcement page and emerging-risk notes as triggers to re-assess your controls.
  • Australia: AUSTRAC maintains pressure—headline penalties (e.g., Crown) plus audits of regional casinos and litigation against betting operators. Expect focus on risk assessments, EDD, and monitoring effectiveness.
  • EU: AMLA’s rise means more consistent supervision over time; prepare for EU-level thematic reviews.
  • US: Despite the March 2025 BOI pull-back, BSA obligations for casinos remain; regulators will look for compensating controls (SoF/SoW rigor, entity-KYC depth).

9) A 12-Month Implementation Roadmap (Practical & Auditable)

Quarter 1 — Baseline & Gaps

  • Refresh EWRA with explicit coverage of minimal gaming, chip walking, third-party betting, and junkets.
  • Map regulatory obligations by venue and entity, noting EU AMLA timelines, EBA Travel Rule scope, US BSA/CTR/SAR, and local APAC rules.
  • Convene a cross-functional steering group (Compliance, Cage/Operations, Security/Surveillance, Payments, IT).

Quarter 2 — Policy & Data Model Uplift

  • Update KYC/EDD policies (SoF/SoW tiers, PEP handling, entity KYC without BOI) and Travel Rule procedures.
  • Define alert library for casino typologies; deploy first-wave rules.

Quarter 3 — Tech Enablement & Training

  • Roll out IDV, screening, TMS + case management, and surveillance integration.
  • Train cage, hosts, and dealers on red flags; stand up SAR narrative QA.

Quarter 4 — Test, Remediate, Evidence

  • Commission independent testing; close findings with dated evidence.
  • Produce an AML Program Annual Report for the board and be audit-ready.

10) Key Metrics & Board Reporting

  • KYC: pass rates, manual review %, average time to verify; EDD completion times.
  • Monitoring: alert volumes by typology, true-positive rate, median time to disposition.
  • Reporting: SAR submission timeliness, regulator query turnaround.
  • Training: completion %, post-training QA improvement.
  • Assurance: % of remediation items closed on time; external testing opinions.

11) FAQ (5 Quick Answers)

1) Do casinos need to follow the EU Travel Rule?

If your casino (or its payment/crypto partners) sends funds or eligible crypto assets within scope of Regulation (EU) 2023/1113, you must ensure the required originator/beneficiary data accompanies transfers. The EBA’s 2024 guidelines clarify expectations and became applicable Dec. 30, 2024.

2) What changed in the EU with AMLA?

The EU AML package created a central AMLA with supervisory powers (legal existence June 26, 2024; operational mid-2025). It works with national authorities and will increase consistency across the bloc. Plan now for 2027 application of the AML Regulation.

3) Are US casinos still under strict AML rules even after the BOI change?

Yes. Casinos remain BSA financial institutions with program, CTR, and SAR obligations. The March 21, 2025 FinCEN rule removed CTA BOI reporting for US companies/persons, so casinos should adjust KYC/EDD and strengthen SoF/SoW assessment.

4) What’s happening with junkets in Macau?

Macau limits junket promoters and restricts revenue sharing (now capped commissions). In July 2025, authorities confirmed a 50-junket cap through 2026, with far fewer currently operating, reflecting tighter oversight.

5) How active are the UK and Australian regulators?

Very. The UKGC regularly fines operators for AML/SR failures (see 2025 enforcement actions), while AUSTRAC continues audits and litigation, following headline penalties like A$450m against Crown and new actions against betting groups.

Strong Call-to-Action

Don’t wait for an audit letter.

  1. Run a two-week AML readiness sprint: refresh your risk assessment, test three high-risk alerts (minimal gaming, chip passing, rapid cash-out), and QA five recent SARs for narrative quality.
  2. Book a quarterly board briefing on EU AMLA milestones, US BOI changes, and your Travel-Rule posture.
  3. If you want a free compliance checklist with sample alert definitions, SAR templates, and Travel-Rule data fields, say “SEND AML KIT” and I’ll share the pack.

FINAL WORDS

Casinos—land-based and online—sit on the front line of AML/CFT in 2024–2025. The article turns a fast-changing rulebook into an action plan anchored on the FATF risk-based approach: assess product/channel/customer/geo risks, then tailor KYC/EDD, monitoring, and reporting. It spotlights classic gambling typologies—minimal gaming, chip walking/redemption, structuring at cages/slots, pooled bankrolls, and junket opacity—and insists these map to alerts, case playbooks, and surveillance corroboration.

Europe: The new EU AML Authority (AMLA) became operational in mid-2025, with the EU AML Regulation set to apply July 10, 2027. Casinos must also align with the EU Travel Rule (funds/crypto transfers; guidelines effective Dec 30, 2024). Immediate tasks: appoint an AMLA watch lead, run a Travel-Rule gap check, and stage data-model/policy uplifts for 2027.

Brilliant Casino Enhance Fraud Detection Post-AML Reforms

United States: Casinos remain BSA financial institutions (program controls, CTR >$10k, SARs). After Mar 21, 2025, FinCEN’s interim rule removed CTA BOI reporting for US companies/persons, so operators should adjust onboarding and reinforce source-of-funds/wealth narratives and entity KYC.

APAC: Macau has capped junkets (policy reset, fewer active promoters); Singapore continues tightening via modernized gambling/casino laws; Australia’s AUSTRAC maintains aggressive enforcement (risk assessments, EDD, monitoring effectiveness).
UK & NZ: The UKGC actively fines for AML/social-responsibility failures; New Zealand supervisors offer practical program templates.

What good looks like: A board-approved EWRA; tiered KYC/EDD/SoF/SoW; monitoring that fuses game data with surveillance; strong cash/cage controls; transparent junket/third-party frameworks; high-quality SARs/STRs; and role-specific training plus independent testing.

Tech stack: IDV + PEP/sanctions/adverse media, device/behavioral signals, rules + ML monitoring, graph analytics for third-party links, Travel-Rule tooling, and case management with immutable audit trails and model explainability.

Roadmap & KPIs: A 12-month plan (EWRA refresh → policy/data uplift → tech rollout/training → independent test) and board metrics across KYC pass rates, alert precision, SAR timeliness, training QA, and remediation closure.

CTA: Run a two-week readiness sprint (test three high-risk alerts; QA five SARs), brief the board on EU/US changes, and request the free “SEND AML KIT” checklist to operationalize controls now.

Notes & Sources

  • FATF casino guidance and risk-based approach, typologies.
  • EU AML package timelines and AMLA status.
  • EBA Travel Rule Guidelines (EU funds/crypto transfers).
  • US BSA obligations for casinos; AGA best practices; BOI rule change.
  • APAC/UK enforcement and regulatory posture (Macau caps, AUSTRAC actions, UKGC penalties).

This article provides general compliance information and is not legal advice. Always consult local counsel and your regulator for jurisdiction-specific requirements.

Scroll to Top