iGaming Compliance Checklist 2026: What Operators Need

When people look for an iGaming compliance checklist, they usually want a document they can work through and tick off. Most of what’s available online gives them exactly that: a list of categories with a box next to each one. AML policy: tick. KYC procedures: tick. Responsible gaming tools: tick. Privacy policy: tick.
The problem is that regulators don’t audit ticks. They audit whether things actually work.
Last year, I reviewed a compliance file for an operator that had been licensed for eighteen months. The operator had ticked every box. The AML policy existed. KYC was documented. Responsible gaming tools were live on the platform. The compliance officer was named. What the review found was that the AML policy hadn’t been updated since the application, the KYC thresholds weren’t being applied consistently, the responsible gaming monitoring alerts had been sitting in a queue unreviewed for six weeks, and the compliance officer had produced two board reports in eighteen months.
Not one item on the checklist was missing. None of them were working.
This article is an attempt to write an iGaming compliance checklist the way it should be used: not as a documentation exercise, but as a working test of whether the compliance programme is functioning.
iGaming Compliance Checklist: Corporate Structure Requirements
Before the compliance checklist starts, the corporate structure needs to be right. Everything else (the AML framework, the key function appointments, the regulatory reporting) runs through the operating entity. If the operating entity does not meet the licensing jurisdiction’s requirements, the compliance programme built on top of it starts with a foundational problem.
Regulators assess the ownership structure as part of every compliance review. A complex or opaque ultimate beneficial owner (UBO) chain creates questions that slow both the original application and every subsequent review. Substance requirements (real employees, real management decisions, real economic activity in the licensing jurisdiction) are assessed continuously, not just at licensing.
How to build the corporate structure correctly before licensing, and why getting it wrong creates compliance problems that compound over time, is covered in iGaming corporate structure in 2026.
iGaming Compliance Checklist: AML Framework
The Financial Action Task Force framework that underpins gaming AML requirements defines what functioning AML looks like. The checklist item isn’t ‘having an AML policy in place.’ It’s ensuring the AML framework describes the actual business, stays current, and generates the monitoring outputs regulators expect to see.
AML Risk Assessment
The risk assessment needs to describe the specific business (the actual markets served, the actual payment methods accepted, the actual player profile), not a generic gaming operator. It must be reviewed at least annually and updated whenever the business changes materially: new markets, new payment methods, new game types, or significant changes in player volume. The version sitting in the compliance folder from the licensing application, never touched since, is a finding waiting to happen.
Transaction Monitoring
The monitoring system needs to generate alerts. Someone with authority must review those alerts and act on them, and the review outcomes must be documented. An alert queue that’s weeks old with no review history is not a monitoring system; it’s evidence that monitoring isn’t working. Regulators ask for the alert history, the review timelines, and the outcomes. Those records need to exist and they need to tell a coherent story.
SAR Filing History
An operator who has processed millions of transactions over several years and filed no suspicious activity reports is not running a uniquely clean operation. They’re almost certainly running a monitoring system that isn’t catching what it should. Regulators know this. A SAR filing history of zero across a meaningful operating period is one of the clearest audit flags there is.
What functioning AML looks like in practice, and the specific gaps that show up most often when regulators examine it, is covered in detail in iGaming AML compliance in 2026.
iGaming Compliance Checklist: KYC Procedures
KYC isn’t a registration step. That misunderstanding creates most of the gaps regulators find. KYC is a continuous process that needs to surface changes in the customer profile that warrant updated due diligence.
Onboarding Verification
Identity verification against independent sources, not just document collection, before meaningful platform use. Age verification. Source of funds verification triggered at the relevant threshold; for a Malta licensee the full customer due diligence trigger under the FIAU Implementing Procedures is €2,000 in cumulative deposits within a 180-day period. The process needs a clear procedure for edge cases: what happens when automated verification returns a fail, what happens when the declared address doesn’t match verification results, what happens when a player submits expired documents. Operators who have a verification system but no procedure for when it doesn’t return a clean result have a gap that creates problems in both regulatory reviews and fraud exposure.
Ongoing Customer Monitoring
A player verified at onboarding doesn’t stay statically verified. Deposit volumes that escalate significantly without updated source of funds documentation are a flag. New funding sources, particularly from different geographies or via new payment methods, warrant review. Withdrawal patterns that change relative to play activity are worth examining. The monitoring needs to compare a player against their own historical baseline, not just against fixed thresholds.
High-Value Player Files
Enhanced due diligence files for high-value players need to be current. A file from onboarding two years ago with no subsequent review doesn’t reflect ongoing monitoring. PEP screening needs to happen continuously, not just at registration, because PEP status changes as people enter and leave public roles. Senior management must document sign-off on PEP relationships as a genuine assessment, not treat it as a formality.
The threshold question: Regulatory thresholds for source of funds verification are minimum requirements, not finish lines. A player consistently depositing just below the threshold month after month is a pattern worth examining regardless of whether any individual deposit triggers a formal review. Monitoring needs to catch patterns, not just individual transactions.
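The two monitoring points made above, comparing a player against their own baseline rather than only a fixed threshold, and catching deposits that sit just under the threshold, are easy to state and easy to get wrong in an alerting rule. The following is an added example, written for this article and not code from the page’s author or from any operator’s platform. It runs four checks over a constructed deposit ledger: the fixed-threshold rule, a structuring rule for repeated sub-threshold deposits, a per-player escalation rule that uses the player’s own earlier 30-day windows as the baseline, and a new-funding-source rule for payment method and country pairs not seen before. The €2,000 figure is the one quoted above; the 85% band, the 90-day and 30-day windows and the 3x multiplier are illustrative assumptions, and the player data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

SOF_THRESHOLD_EUR = 2000.0   # the cumulative-deposit figure quoted in the text
STRUCTURING_BAND = 0.85      # assumed: a deposit at 85% or more of the threshold, but below it
STRUCTURING_MIN_COUNT = 3    # assumed: that many sub-threshold deposits in the window raise a flag
STRUCTURING_WINDOW_DAYS = 90 # assumed
WINDOW_DAYS = 30             # assumed bucket size for the player's own baseline
ESCALATION_MULTIPLIER = 3.0  # assumed: latest bucket must exceed this multiple of the baseline


@dataclass(frozen=True)
class Deposit:
    player_id: str
    day: date
    amount_eur: float
    method: str    # payment method, e.g. "card" or "ewallet"
    country: str   # country of the funding instrument


def _window(d, as_of):
    """0 = the WINDOW_DAYS ending at as_of, 1 = the window before that, and so on."""
    return (as_of - d.day).days // WINDOW_DAYS


def flag_over_threshold(deposits, as_of, threshold=SOF_THRESHOLD_EUR):
    """The fixed-threshold rule; the checks below supplement it, they do not replace it."""
    return sorted({d.player_id for d in deposits if d.day <= as_of and d.amount_eur >= threshold})


def flag_structuring(deposits, as_of, threshold=SOF_THRESHOLD_EUR):
    """Players with repeated deposits just under the threshold inside the structuring window."""
    since = as_of - timedelta(days=STRUCTURING_WINDOW_DAYS)
    counts = defaultdict(int)
    for d in deposits:
        if since <= d.day <= as_of and threshold * STRUCTURING_BAND <= d.amount_eur < threshold:
            counts[d.player_id] += 1
    return sorted(p for p, n in counts.items() if n >= STRUCTURING_MIN_COUNT)


def flag_escalation(deposits, as_of, multiplier=ESCALATION_MULTIPLIER):
    """Players whose latest window exceeds multiplier x their own average over earlier windows.
    Empty earlier windows still count, so a dormant player who suddenly funds heavily is compared
    against real inactivity. A player with no earlier window has no baseline and is skipped."""
    totals = defaultdict(lambda: defaultdict(float))   # player -> window -> total deposited
    for d in deposits:
        if d.day <= as_of:
            totals[d.player_id][_window(d, as_of)] += d.amount_eur
    flagged = {}
    for player, by_window in totals.items():
        oldest = max(by_window)
        if oldest == 0:
            continue                                    # no history before the latest window
        baseline = mean(by_window.get(i, 0.0) for i in range(1, oldest + 1))
        recent = by_window.get(0, 0.0)
        if baseline > 0 and recent > multiplier * baseline:
            flagged[player] = (recent, baseline)
    return flagged


def flag_new_funding_sources(deposits, as_of):
    """(method, country) pairs first seen in the latest window, for players with earlier history."""
    earlier, latest = defaultdict(set), defaultdict(set)
    for d in deposits:
        if d.day <= as_of:
            bucket = latest if _window(d, as_of) == 0 else earlier
            bucket[d.player_id].add((d.method, d.country))
    return {p: s - earlier[p] for p, s in latest.items() if p in earlier and s - earlier[p]}


AS_OF = date(2026, 3, 31)


def _days_ago(n):
    return AS_OF - timedelta(days=n)


# Constructed sample ledger for the demonstration; not real player data.
SAMPLE = [
    # p1: EUR 200 a month for four months, then EUR 1,200 in the latest window, half via a new e-wallet
    Deposit("p1", _days_ago(130), 200, "card", "NL"),
    Deposit("p1", _days_ago(100), 200, "card", "NL"),
    Deposit("p1", _days_ago(70), 200, "card", "NL"),
    Deposit("p1", _days_ago(40), 200, "card", "NL"),
    Deposit("p1", _days_ago(15), 600, "ewallet", "MT"),
    Deposit("p1", _days_ago(5), 600, "card", "NL"),
    # p2: three deposits just under the threshold in 90 days; none trips the fixed rule
    Deposit("p2", _days_ago(120), 300, "card", "DE"),
    Deposit("p2", _days_ago(60), 1800, "card", "DE"),
    Deposit("p2", _days_ago(35), 1950, "card", "DE"),
    Deposit("p2", _days_ago(10), 1900, "card", "DE"),
    # p3: new player, single deposit over the threshold; only the fixed rule sees this one
    Deposit("p3", _days_ago(3), 2500, "card", "SE"),
]


def run(deposits=SAMPLE, as_of=AS_OF):
    return {
        "over_threshold": flag_over_threshold(deposits, as_of),
        "structuring": flag_structuring(deposits, as_of),
        "escalation": flag_escalation(deposits, as_of),
        "new_sources": flag_new_funding_sources(deposits, as_of),
    }
```

Calling `run()` on the sample returns p3 from the fixed rule only, p2 from the structuring rule only, and p1 from both the escalation and new-funding-source rules. None of the three players would be picked up by a single rule, which is the point: each check covers a pattern the others are blind to, and the baseline rule deliberately declines to judge a player who has no history to compare against.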
iGaming Compliance Checklist: Key Functions
The Malta Gaming Authority requires a set of mandatory key functions. The checklist item isn’t ‘naming key functions.’ It’s ensuring key functions operate genuinely and produce the outputs regulators expect to see.
Compliance Officer
Named. Passed fit-and-proper. Has a direct reporting line to the board or CEO, not through a commercial director. Has genuine authority to escalate concerns and flag activities that create regulatory risk. Is producing board reports that contain real compliance data (findings, escalations, outcomes), not one-paragraph summaries saying compliance is satisfactory. Is monitoring the full regulatory picture continuously, not just at renewal.
MLRO
Named. Gaming-specific AML experience, not just general financial services compliance. Genuine operational involvement in the AML programme, not a title on a document while a junior analyst runs the actual monitoring. Authority to halt activity that creates AML risk. Actually involved in what the SAR filings contain.
Responsible Gaming Function
Overseeing behavioural monitoring that runs effectively, generates alerts, and ensures the team reviews and documents those alerts. Assessing promotional activities against responsible gaming standards before they go live. Reporting to the board on player protection performance with real data: intervention volumes, self-exclusion statistics, complaint trends. Independent enough from the commercial side of the business to flag concerns without commercial override.
What the compliance officer role requires in practice, why nominal appointments consistently fail regulatory review, and what genuine board reporting looks like is covered in the iGaming compliance officer role in 2026.
iGaming Compliance Checklist: Responsible Gaming
Deposit limits, loss limits, session limits, reality checks, self-exclusion, cooling-off periods. The checklist item isn’t ‘having tools in place.’ It’s ensuring tools function correctly and integrate with the marketing system.
Tools That Actually Work
Deposit limits must apply across all payment methods, not just to card deposits while e-wallet deposits stay uncapped. Increases to limits are subject to cooling-off periods. Decreases take effect immediately. Self-exclusion must block marketing communications immediately, not just account access. These are system requirements, not policy commitments. A self-exclusion tool that doesn’t block marketing emails is non-compliant regardless of what the policy says.
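Because these are system requirements, they are best checked as code. The following is an added example written for this article, not code from the page’s author or from any gaming platform. It models a rolling seven-day deposit limit in which a decrease applies immediately and cancels any queued increase, an increase only takes effect after a cooling-off period, and every payment method counts against the same cap. The defective variant that only checks card deposits is kept alongside to show the e-wallet bypass described above. The 24-hour cooling-off and 7-day period are assumptions for the illustration, and the scenario data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

COOLING_OFF = timedelta(hours=24)   # assumed; the applicable rule set fixes the real period
LIMIT_PERIOD = timedelta(days=7)    # assumed: the limit is a rolling seven-day cap


@dataclass
class DepositLimit:
    amount_eur: float
    pending_increase: Optional[Tuple[float, datetime]] = None               # (new limit, effective at)
    deposits: List[Tuple[datetime, float, str]] = field(default_factory=list)  # (at, amount, method)

    def request_change(self, new_amount: float, now: datetime) -> None:
        """Decreases apply at once and cancel any queued increase; increases wait out the cooling-off."""
        if new_amount <= self.amount_eur:
            self.amount_eur = new_amount
            self.pending_increase = None
        else:
            self.pending_increase = (new_amount, now + COOLING_OFF)

    def effective_limit(self, now: datetime) -> float:
        """Promote a queued increase once its cooling-off has elapsed, then return the live limit."""
        if self.pending_increase and now >= self.pending_increase[1]:
            self.amount_eur, self.pending_increase = self.pending_increase[0], None
        return self.amount_eur

    def deposited_in_period(self, now: datetime) -> float:
        since = now - LIMIT_PERIOD
        return sum(amount for at, amount, _ in self.deposits if since < at <= now)

    def try_deposit(self, amount: float, method: str, now: datetime) -> bool:
        """Every payment method counts against the one limit; that is what closes the e-wallet gap."""
        if self.deposited_in_period(now) + amount > self.effective_limit(now):
            return False
        self.deposits.append((now, amount, method))
        return True

    def try_deposit_cards_only(self, amount: float, method: str, now: datetime) -> bool:
        """The defective variant the text warns about: only card deposits are checked, so an
        e-wallet deposit is accepted even when it takes the player past the limit."""
        if method == "card" and self.deposited_in_period(now) + amount > self.effective_limit(now):
            return False
        self.deposits.append((now, amount, method))
        return True


def scenario():
    """Walk one player through the cases above; returns the observable outcomes (constructed data)."""
    t0 = datetime(2026, 3, 1, 12, 0)
    lim = DepositLimit(amount_eur=500)
    out = {}
    out["card_300"] = lim.try_deposit(300, "card", t0)                                   # True
    out["ewallet_300"] = lim.try_deposit(300, "ewallet", t0 + timedelta(hours=1))        # False: 600 > 500
    lim.request_change(1000, t0 + timedelta(hours=2))                                   # increase queued
    out["limit_after_3h"] = lim.effective_limit(t0 + timedelta(hours=3))                # still 500
    lim.request_change(400, t0 + timedelta(hours=4))                                    # decrease: immediate
    out["limit_after_2d"] = lim.effective_limit(t0 + timedelta(days=2))                 # 400; increase cancelled
    out["ewallet_150_day2"] = lim.try_deposit(150, "ewallet", t0 + timedelta(days=2))   # False: 450 > 400
    out["card_50_day8"] = lim.try_deposit(50, "card", t0 + timedelta(days=8))           # True: first deposit aged out
    weak = DepositLimit(amount_eur=500)
    weak.try_deposit_cards_only(300, "card", t0)
    out["weak_ewallet_300"] = weak.try_deposit_cards_only(300, "ewallet", t0 + timedelta(hours=1))  # True: bypass
    return out
```

The `weak_ewallet_300` outcome is the structural gap: the policy document says the player has a €500 limit, the card path enforces it, and the e-wallet path lets the same player reach €600 an hour later. The cancelled-increase case is the other one worth testing in any real implementation, since a queued increase that survives a later decrease silently raises the limit once the cooling-off expires.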
Marketing Integration
Self-excluded players receive no marketing. Players in cooling-off periods receive no marketing. Players who have reduced their deposit limits don’t receive bonus offers that work against that stated intention. These requirements need the marketing system to share data with the responsible gaming system in real time. Operators running them as separate systems with no connection between them have a structural compliance gap that creates exposure in both regulatory reviews and the substance of their player protection programme.
Behavioural Monitoring
Proactive identification of at-risk player patterns: escalating stakes, chasing losses, session length changes, rapid deposit sequences after losses. Alerts generated. Alerts reviewed by someone with authority to act. Interventions documented. Outcomes recorded. A programme that generates no interventions across an active player base for months is not running a clean operation. It’s running a monitoring system that isn’t looking properly.
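Two of the patterns listed above, deposits that follow losses within minutes and stakes that escalate between sessions, can be expressed as rules over a player’s event stream. The following is an added example written for this article, not the page author’s code or any operator’s monitoring system. It treats a deposit made within ten minutes of a losing bet as a chase, alerts when three chases fall inside 24 hours, splits bets into sessions at 30-minute gaps, and alerts when the latest session’s median stake is more than twice the median of the player’s earlier sessions. All of those numbers are illustrative assumptions, and the player activity is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

CHASE_GAP = timedelta(minutes=10)    # assumed: a deposit this soon after a losing bet is a chase
CHASE_MIN_COUNT = 3                  # assumed: chases within CHASE_WINDOW raise an alert
CHASE_WINDOW = timedelta(hours=24)   # assumed
SESSION_GAP = timedelta(minutes=30)  # assumed: a longer pause between bets starts a new session
STAKE_FACTOR = 2.0                   # assumed: latest session median stake vs earlier sessions


@dataclass(frozen=True)
class Event:
    player_id: str
    at: datetime
    kind: str           # "bet" or "deposit"
    amount_eur: float   # stake for a bet, amount for a deposit
    net: float = 0.0    # bet outcome, negative on a loss; unused for deposits


def _by_player(events):
    grouped = defaultdict(list)
    for e in events:
        grouped[e.player_id].append(e)
    return {p: sorted(evs, key=lambda e: e.at) for p, evs in grouped.items()}


def chase_deposits(events):
    """Per player, the times of deposits made within CHASE_GAP of a losing bet."""
    out = {}
    for player, evs in _by_player(events).items():
        last_loss, chases = None, []
        for e in evs:
            if e.kind == "bet":
                last_loss = e.at if e.net < 0 else None    # a win breaks the loss chain
            elif last_loss is not None and e.at - last_loss <= CHASE_GAP:
                chases.append(e.at)
        out[player] = chases
    return out


def flag_chasing(events):
    """Players with CHASE_MIN_COUNT chase deposits inside any CHASE_WINDOW."""
    flagged = []
    for player, times in chase_deposits(events).items():
        for i in range(len(times) - CHASE_MIN_COUNT + 1):
            if times[i + CHASE_MIN_COUNT - 1] - times[i] <= CHASE_WINDOW:
                flagged.append(player)
                break
    return sorted(flagged)


def sessions(bets):
    """Split chronologically ordered bets into sessions at gaps longer than SESSION_GAP."""
    result = []
    for b in bets:
        if result and b.at - result[-1][-1].at <= SESSION_GAP:
            result[-1].append(b)
        else:
            result.append([b])
    return result


def flag_stake_escalation(events, factor=STAKE_FACTOR):
    """Players whose latest session's median stake exceeds factor x the median of their
    earlier sessions' medians. A first session has no baseline and is not judged."""
    flagged = {}
    for player, evs in _by_player(events).items():
        sess = sessions([e for e in evs if e.kind == "bet"])
        if len(sess) < 2:
            continue
        baseline = median(median(b.amount_eur for b in s) for s in sess[:-1])
        latest = median(b.amount_eur for b in sess[-1])
        if latest > factor * baseline:
            flagged[player] = (latest, baseline)
    return flagged


T0 = datetime(2026, 3, 1, 20, 0)


def _at(day, minute):
    return T0 + timedelta(days=day, minutes=minute)


# Constructed sample activity for the demonstration; not real player data.
SAMPLE = [
    # r1, day 0: a quiet session at EUR 5 stakes, no deposits
    *[Event("r1", _at(0, m), "bet", 5, -5) for m in (0, 4, 8, 12)],
    # r1, day 1: stakes climb and each loss is followed within minutes by a deposit
    Event("r1", _at(1, 0), "bet", 50, -50),
    Event("r1", _at(1, 3), "deposit", 100),
    Event("r1", _at(1, 5), "bet", 80, -80),
    Event("r1", _at(1, 7), "deposit", 200),
    Event("r1", _at(1, 9), "bet", 100, -100),
    Event("r1", _at(1, 11), "deposit", 300),
    # r2: funds the account before play, steady EUR 10 stakes, one win in the middle
    Event("r2", _at(0, 0), "deposit", 50),
    *[Event("r2", _at(0, 5 + 3 * i), "bet", 10, 20 if i == 2 else -10) for i in range(5)],
    Event("r2", _at(1, 0), "deposit", 50),
    *[Event("r2", _at(1, 5 + 3 * i), "bet", 10, -10) for i in range(5)],
]


def run(events=SAMPLE):
    return {"chasing": flag_chasing(events), "stake_escalation": flag_stake_escalation(events)}
```

On the sample, r1 is raised by both rules and r2 by neither, even though r2 also deposits and also loses: the deposits come before play rather than after a loss, and the stakes never move. An alert from either rule is only the first half of the requirement in the text; the review, the intervention and the recorded outcome still have to follow it.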
iGaming Compliance Checklist: Data Protection
GDPR applies to any operator processing personal data of individuals in the EU, regardless of where the operator is based. The checklist item isn’t ‘privacy policy exists.’ It’s ‘the full GDPR framework is operational.’
Record of Processing Activities
A written record mapping every type of personal data processing: what data, for what purpose, on what legal basis, retained for how long, shared with whom. This is one of the first documents a supervisory authority requests in any investigation. An operator without one, or with one that doesn’t reflect current processing, starts any investigation in a difficult position.
Breach Response Procedure
GDPR requires notification to the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the individuals affected. Seventy-two hours from awareness, not from completed investigation. The response procedure must define who has authority to make the notification decision, what information the team gathers first, and which supervisory authority receives it. Operators who don’t have this written down before an incident happens consistently struggle with the 72-hour window.
Third-Party Processor Agreements
Every third party processing player data (game providers, payment processors, KYC verification services, CRM platforms, responsible gaming monitoring tools) needs a written Data Processing Agreement before the processing starts. Gaming operators add technology vendors regularly. A compliance process that doesn’t include data protection review as a standard part of vendor onboarding will always be incomplete.
iGaming Compliance Checklist: Regulatory Reporting
Regulatory reporting obligations begin from the date the licence becomes active, not at the first renewal. Therefore, operators must build monthly and quarterly returns, incident notifications, and change notifications into their operational processes from day one.
Reporting Calendar
A compliance calendar mapping every regulatory reporting obligation against its submission deadline, with ownership assigned. Not a spreadsheet someone checks occasionally, but a live operational tool with reminders and accountability. The operator who discovers a missed quarterly return when a regulator asks about it is in a worse position than the one who submits a late return proactively with an explanation.
Change Notifications
Material platform changes (updates to game mathematics, RNG software, payment processing, regulatory reporting systems) require regulatory notification and in most cases pre-approval before deployment. Operators running agile development cycles need a process for identifying which releases require regulatory notification, built into the release cycle, not looked up when a review finds it’s been missed.
How the compliance checklist maps to the licence application review (what gets submitted, what gets assessed, and where the gaps most often are) is covered in how the iGaming licence application process works in 2026. How the checklist evolves into the ongoing compliance obligations that run through the licence term is covered in iGaming post licensing in 2026.
iGaming Compliance Checklist: The Annual Audit
Annual independent compliance audits are required under most major licensing frameworks. The checklist item isn’t ‘annual audit scheduled.’ It’s ‘the audit will find that what the compliance framework says is happening is actually happening.’
That’s a different test. A compliance officer’s board reports that say AML monitoring is functioning, combined with an absence of monitoring records when the auditor asks for them, is the most consistent finding in gaming compliance audits. The audit doesn’t create the gap. It reveals it.
The preparation question: An annual compliance audit done properly requires preparation: pulling together the monitoring records, the board reports, the AML documentation and the KYC sampling results before the auditor arrives, not during the audit. Operators who leave preparation to the two weeks before the deadline regularly find they can’t produce what the auditor needs because the underlying monitoring wasn’t happening.
Frequently Asked Questions
What should an iGaming compliance checklist cover?
A functioning iGaming compliance checklist covers: corporate structure and ownership documentation, the AML framework including risk assessment, transaction monitoring, and SAR filing history, KYC procedures for both onboarding and ongoing customer monitoring, key function appointments with genuine operational outputs, responsible gaming tools and behavioural monitoring, data protection obligations including the Record of Processing Activities and breach response procedure, regulatory reporting procedures including the compliance calendar and change notification process, and the annual compliance audit. The checklist is only useful if each item tests whether the thing is functioning, not just whether it exists.
What do regulators actually look at when auditing iGaming compliance?
The AML alert history: volumes, review timelines, outcomes, and whether alerts are being reviewed properly or sitting in a queue. KYC files for a sample of players, particularly high-value players, to check whether ongoing monitoring has happened and whether documentation is current. Compliance officer board reports, to assess whether they contain real compliance information or general reassurances. Responsible gaming intervention records: how many interventions were made, when, and what the outcomes were. The regulatory reporting history: whether returns were submitted on time and whether change notifications were made when required. In every case, regulators are testing whether what the compliance framework says is happening is actually happening operationally.
How often should the AML risk assessment be updated?
At minimum annually. Also whenever the business changes materially: new markets added, new payment methods accepted, significant changes in player volume, new game types offered, changes to corporate structure. The risk assessment submitted at licensing describes the business at that point in time. It needs to reflect the business as it currently operates. An outdated AML risk assessment, one that describes a different version of the business from the one actually running, is one of the most consistent findings in post-licensing compliance reviews.
What is the difference between a compliance checklist item existing and functioning?
A checklist item exists when there is a document or system or appointment that satisfies the technical requirement. It functions when it produces outputs that demonstrate it is working operationally. An AML policy exists. An AML framework functions when the team keeps the risk assessment current, reviews alerts promptly with documented outcomes, and ensures the SAR filing history reflects actual monitoring activity. A responsible gaming monitoring system exists. It functions when alerts are generated, reviewed by someone with authority, and interventions are documented with outcomes. Regulators audit function, not existence. The gap between the two is where most post-licensing compliance findings originate.
How does the compliance checklist connect to the licence application?
The licence application demonstrates that the compliance framework is in place. The ongoing compliance programme demonstrates that it is functioning. Regulators treat these as different assessments. An application that shows a well-designed AML framework passes the application review. A post-licensing audit that finds the AML framework outdated for eighteen months and identifies monitoring alerts left unreviewed for weeks reveals a gap between what the operator submitted and what the business actually operates. Getting the compliance checklist right at application and then maintaining it as a functioning operational programme is what keeps the licence term clean.
What happens when a compliance audit finds gaps?
A formal finding requires a remediation plan submitted to the regulator with defined timelines, typically thirty to ninety days depending on severity. Remediation involves building the monitoring processes that should have existed, catching up on reporting that was missed, and restructuring key function arrangements that weren’t functioning. That work involves external compliance support that wasn’t budgeted, running alongside normal operations and consuming management time while the business still needs to function. Every case I’ve seen has cost more to fix than a properly maintained compliance programme would have cost from the start.