🇲🇹 Office 1, Piazzetta Business Plaza, Ghar il-Lembi Street, Sliema SLM 1560, Malta. 📱Contact us on: +356 99408536

Contact Us

    Curacao B2C Licence Compliance 2026: CGA Rules Explained

    Curacao B2C Licence Compliance 2026: CGA Rules Explained

    Curacao B2C licence compliance in 2026 is now a central issue for operators, and October 2026 is the date every Curaçao B2C operator needs circled right now. That’s when the CGA starts enforcing its new guidance on player-facing terms and conditions and based on what the updated framework actually says, a lot of operators are going to need more time to get ready than they think.

    The guidance landed in April 2026 as part of the broader LOK rollout. The guidance explains how operators must write and present T&Cs, how they must capture and record consent, what they must do when terms change, how they must disclose KYC and AML procedures, and how they must manage the full account lifecycle under the new rules. It provides detailed, specific, and enforceable requirements. The CGA has been explicit that non-compliance is a licence condition breach not a paperwork issue.

    This piece works through what the rules actually require, what catching up looks like in practice, and why getting compliant is worth more than just avoiding a fine.

    The Problem Behind Curacao B2C Licence Compliance Changes

    Spend five minutes reading the CGA’s guidance document and the frustration behind it becomes obvious. Regulators repeatedly encountered the same issues: operators used T&Cs that bore no resemblance to how the platform actually operated, buried bonus conditions so deep in legal text that no real person could find them, introduced KYC checks only when players tried to cash out, and implemented term changes without informing players.

    None of that is unique to Curaçao-licensed operators. It’s been a criticism of offshore iGaming broadly for years. But Curaçao has been carrying the reputational weight of it — banks and payment processors that apply extra scrutiny to CGA-licensed businesses aren’t doing that arbitrarily. They’re doing it because the jurisdiction historically tolerated practices that better-regulated markets had already banned.

    The LOK framework was built to change that picture. The T&C guidance is one of its more concrete outputs specific requirements, not general principles. The Curaçao Gaming Authority has given operators six months. After October, the enforcement machinery runs.

    What the Rules Actually Say

    One-click access — and language that actually makes sense

    T&Cs need to be accessible within one click on every platform you operate desktop, mobile, in-app. Not findable after some effort. Not a link that goes to a page that links to the actual document. One click from wherever the player is.

    And they need to be readable. Not by a lawyer by the player. The CGA has been direct about this: dense boilerplate that obscures what players are agreeing to is not acceptable under the new framework. If your terms primarily protect the operator in disputes instead of informing the player of the actual deal, the CGA is targeting that problem.

    Your T&Cs have to match what you actually do

    This one causes the most trouble in practice, because it requires operators to look honestly at the gap between what their terms say and how the platform behaves. Payment methods that are accepted but not listed. Withdrawal timeframes that are aspirational rather than real. Operators have changed promotional mechanics since they last updated the terms.

    Under the new Curaçao B2C licence compliance rules, that gap is a breach. If your terms say 24-hour withdrawals and your actual processing time is longer, that’s the issue. The requirement isn’t just to have compliant-looking documents it’s for those documents to reflect operational reality.

    Curacao B2C Licence Compliance: Active Consent Requirements

    The “by continuing to use this site you accept our terms” era is over in Curaçao. The CGA now requires active consent a checkbox, a deliberate action, something the player actually does rather than something that’s assumed from their behaviour. That consent record has to be stored. The regulator can ask for it.

    The same standard applies when terms change in ways that matter. Players can’t be deemed to have accepted a material update because they kept logging in after an email was sent. They need to actively accept the new terms. That means building consent capture into your change management process, not bolting it on afterwards.

    Retroactive changes on players — now a breach

    Operators have historically updated terms mid-campaign, applied the new version to existing players, and then cited those terms in disputes. That’s now a compliance failure. Changes that disadvantage players require notice in advance and genuine re-acceptance before they take effect. The only exceptions are corrections that don’t affect players negatively.

    What this means practically: you need a proper change management process for your T&Cs. Not just a version update and an email blast actual consent capture before the change applies to anyone.

    Keep your version history, and upload it to the portal

    Every version of your T&Cs needs to be archived and available. When a player dispute depends on the terms in place at the date of registration, you need to produce that version. When the CGA wants to see how your terms have evolved, you need to show them the trail.

    Upload current and historical versions to the CGA portal. This is an explicit requirement and it gives the regulator direct visibility which is exactly the point.

    Curacao B2C Licence Compliance: KYC and AML Disclosure Shift

    The verification rules are where a lot of operators will face the sharpest operational challenge. The pattern the CGA was explicitly targeting: players sign up, deposit, play and only discover the KYC requirements when they try to withdraw. That’s now prohibited.

    Operators must disclose all verification requirements at the start of the relationship, including what they may request and when they trigger checks. What constitutes enhanced due diligence and what thresholds apply. A player opening an account needs to understand the full verification picture before they put money in. The CGA’s position is that discovering this at withdrawal is unfair and it won’t be acceptable under the new framework.

    If your current onboarding flow doesn’t include that upfront KYC disclosure and many don’t it needs rebuilding. Your T&Cs need to spell out the AML and CFT process in terms a player can actually read and understand, not by reference to internal policies.

    How Curaçao licences are recognised by other jurisdictions is directly tied to how seriously operators take this. The context for that is covered in detail in iGaming licence recognition in 2026 it’s worth reading alongside this if you’re thinking about the broader licensing picture.

    Account Suspension, Closure, and Dormancy — The Detail in the Rules

    The guidance gets specific about what has to happen at each stage of a player account’s life, and how that has to be communicated in the T&Cs.

    Suspension and termination: what triggers it, what the player’s rights are during the period, how they get their funds back, and how disputes get escalated. All of this needs to be in the T&Cs, clearly, not scattered across multiple policy documents the player will never find.

    Dormancy fees are an area the CGA called out specifically. Charging monthly fees on inactive accounts is still permitted but only if the fees are proportionate, disclosed upfront, and written into the T&Cs in plain terms at the time the player signs up. Using fine print as cover for dormancy charges that most players don’t know about isn’t going to pass scrutiny anymore.

    Account closure and what happens to player funds: the T&Cs have to be explicit what happens, on what timeline, through what process. ‘Applicable law will govern’ is not a sufficient explanation. Specific. Clear. Documented.

    What Non-Compliance Actually Looks Like

    The CGA’s enforcement approach under the new framework moves in steps. First comes a formal directive the regulator identifies a problem and gives you a defined window to fix it. That’s the opportunity to remedy without financial consequences.

    If the fix doesn’t happen, or if the same issues keep appearing, the response escalates. Financial penalties. Licence suspension. In cases where the non-compliance is serious enough or has been going on long enough revocation. The guidance is explicit that failing to meet the T&C requirements constitutes a breach of licence conditions, not a minor administrative lapse. That framing determines how seriously the regulator treats the escalation.

    The upload requirement operators putting current and historical T&Cs directly on the CGA portal is part of this. It means the regulator isn’t waiting for complaints to identify problems. They have the documents and they can check compliance themselves. That changes the dynamic from reactive enforcement to active monitoring.

    Curacao B2C Licence Compliance: What It Takes to Get Compliant

    The operators I’ve seen assume this is a quick documentation exercise always underestimate it. Getting Curaçao B2C licence compliance right requires work across legal, product, and operations not just a policy update.

    Start with a proper audit of your existing T&Cs against the CGA guidance, requirement by requirement. Not a general read a systematic check. Most operators find things they didn’t expect.

    Then the redraft. Generic templates built for the old Curaçao sub-licence regime don’t meet the new standard. The language has to be clear, the content has to match your actual operations, and the structure has to make the important things findable. That requires legal expertise that understands both the CGA’s requirements and the specific way your platform works.

    Platform and UX Changes

    Platform work comes next and it’s usually more involved than operators plan for. Consent capture at registration, acceptance flows for material changes, T&C placement that meets the one-click standard across all your platforms. These are development tasks with their own timelines.

    Staff training is real work too. Customer support needs to understand the new verification disclosure approach. Your compliance function needs to know the updated monitoring obligations. The CGA doesn’t just check that the documents exist it also verifies that operators actually follow the documented processes.

    And the portal setup. Uploading current and historical T&Cs to the CGA portal, getting the version archive in order, making sure the access and management is in place. If you haven’t used the portal’s document functions before, don’t underestimate the time.

    Operators who’ve been through recent MGA compliance work will recognise a lot of this the standard Curaçao is now setting is broadly consistent with what Malta has required for some time. For anyone thinking about how this fits with a dual-licence strategy or a potential Malta upgrade, the breakdown in Malta vs Curacao licence: which is right in 2026 covers the comparison in full.

    The Compliance Upside — Why This Is Worth More Than Avoiding a Fine

    Look at these changes purely as a compliance burden and you miss the business case. Operators who meet the standard end up better positioned in several ways that have direct commercial value.

    Banking and payment processing relationships are the obvious one. The friction Curaçao-licensed businesses face with certain banks and PSPs comes partly from the jurisdiction’s historical standards. Operators who are demonstrably meeting the new CGA requirements transparent T&Cs, proper consent capture, upfront KYC disclosure are a different kind of counterparty than one that isn’t. That doesn’t change overnight, but it changes.

    Player retention is less obvious but more immediate. Surprise KYC at withdrawal, unclear terms, unexplained account restrictions these generate chargebacks, complaints, and players who leave and don’t come back. Fixing the T&C framework fixes a lot of the root causes of player churn at the same time.

    If you’re thinking about the business in terms of eventual sale or institutional investment, compliance history matters. A clean CGA record under the new framework is a different asset to potential buyers or investors than one with enforcement history. The M&A implications of iGaming compliance are covered in iGaming mergers and acquisitions in 2026 the due diligence section particularly is relevant to how compliance records get scrutinised in a transaction.

    Before October: What Needs to Be Done

    • Audit your current T&Cs against the CGA guidance line by line. Don’t assume the gaps are small.
    • Get legal support on redrafting — generic templates won’t meet the new accessibility and clarity requirements.
    • Rebuild your consent capture flows. Active acceptance at registration, re-acceptance for material changes, records retained.
    • Write out your KYC, AML and CFT procedures in plain language in your player-facing documentation. Upfront, not at withdrawal.
    • Check withdrawal, dormancy, and account closure procedures against the specific requirements in the guidance.
    • Upload current and historical T&Cs to the CGA portal.
    • Set up a compliance calendar for ongoing T&C maintenance this isn’t a one-time fix.

    Curacao B2C Licence Compliance: Frequently Asked Questions

    When exactly does enforcement start?

    The CGA published the T&C guidance in April 2026. Enforcement begins six months after publication, making October 2026 the effective deadline for all B2C licence holders.

    What counts as active consent under the new rules?

    A deliberate action by the player typically ticking a checkbox at registration. The platform can’t assume consent from continued use. The consent record has to be stored and producible if the regulator asks for it.

    Can you still change your terms once live?

    Yes but changes that disadvantage players require advance notice and active re-acceptance before they apply. You can’t backdate terms changes to existing players. Operators treat corrections that don’t affect players negatively differently.

    What’s the upfront KYC disclosure requirement in practice?

    Operators must disclose all verification requirements including what documents they may request, when they trigger checks, and what enhanced due diligence thresholds apply before players deposit. Under Curaçao B2C licence compliance standards from October 2026, operators cannot introduce KYC requirements for the first time at withdrawal.

    What does non-compliance result in?

    Graduated enforcement: first a formal corrective directive with a fix window, then financial penalties if unresolved, then suspension, then revocation for serious or persistent cases. The CGA has categorised T&C non-compliance as a breach of licence conditions not a minor issue.

    B2B operators — does this apply to them?

    The T&C policy targets B2C licence holders operators who deal directly with players. B2B suppliers aren’t in scope for the player terms requirements specifically, though the LOK compliance framework applies to all CGA licence categories.

    Share this article: