FOR SALE: B2B Malta Gaming Licence (MGA) | issued in 2024 | valid for 10 years | active bank account | FOR SALE: B2C Malta Gaming Licence (MGA) | Type 1 Casino | active bank account | licence renewal July 2026 | FOR SALE: Curacao Gaming Licence (CGA) | Curacao entity | CY payment agent | active bank account |

Contact Us

    iGaming Due Diligence Checks in 2026

    iGaming Due Diligence Checks in 2026

    iGaming due diligence doesn’t come from one direction. The issue usually becomes obvious only after the first serious review begins.

    The licensing regulator runs one version. The bank runs a different one. The payment processor runs a third. The game studio’s commercial team, the affiliate network, the platform provider each has its own assessment of whether the operator is a counterparty they’re comfortable working with. These assessments share some inputs but they’re asking different questions and they’re not coordinated. Passing one doesn’t mean passing the others.

    An operator came through for advice after losing two payment processing relationships within three months of each other. The first relationship ended after a routine risk review. During that review, the processor concluded that the operator’s AML framework no longer met its updated standards. The second ended when the processor discovered the first relationship had ended which they took as a signal regardless of the reason. The operator had a valid gaming licence, had passed the initial onboarding for both processors, and hadn’t done anything that changed. What changed was the processors’ own risk appetite and review cadence.

    iGaming due diligence in 2026 is ongoing. Not a one-time gate.

    iGaming Due Diligence: The Regulator Assessment

    Regulatory due diligence has two phases that operators sometimes conflate. The application phase, where the regulator assesses the prospective operator before issuing the licence. And the ongoing phase, where the regulator assesses whether the licensed operation matches what the application described.

    The application phase is what most licensing guides cover. Corporate documentation. UBO chain and source of wealth. AML framework. Responsible gaming programme. Key function appointments. Fit-and-proper assessment of directors and beneficial owners. For Malta, this is intensive and detailed. For Curaçao post-LOK, substantially more rigorous than it was under the old regime. Smaller jurisdictions vary considerably.

    The ongoing phase is the one that catches operators who treated licensing as a documentation exercise. Annual compliance audits examining whether the programme produces outputs not whether it exists on paper. Regulatory reporting reviewed for consistency with the described operation. Key function board reports assessed for substantive content rather than nominal presence.

    What regulators specifically test in ongoing reviews

    Whether the AML monitoring thresholds are calibrated to the actual transaction patterns of the operation as it runs today, not the projected patterns described at application two years ago. Whether SAR filing volumes are plausible for the transaction flows. Responsible gaming tools must function technically, not merely appear in documentation as functioning. Whether key function holders can demonstrate operational engagement with their roles rather than nominal appointment to them. Whether the corporate structure matches what was disclosed at application or has changed without notification.

    iGaming Due Diligence: What Banks Actually Assess

    Banking iGaming due diligence is the assessment that most operators underestimate and most feel the consequences of most acutely. The Wolfsberg Group framework for correspondent banking risk assessment is a reference point for how international banks approach gaming clients. What it establishes: gaming is a high-risk category requiring enhanced due diligence, and that enhanced due diligence looks at the licensing jurisdiction quality, the AML programme credibility, the beneficial ownership transparency, and the business model’s coherence.

    The bank’s assessment is independent. The licensing regulator validated the operator’s AML framework for licensing purposes. The bank’s compliance team validates it for banking purposes. These are different standards applied by different teams with different risk appetites. A programme that satisfied the licensing regulator may not satisfy the bank, especially if the licensing jurisdiction carries a weak jurisdictional AML signal.

    The questions banking iGaming due diligence asks that most operators haven’t prepared for: what does the monitoring actually produce show us the last quarter’s alert volumes, review timelines, and closure documentation. What’s the SAR filing history. How has the AML framework been updated since launch as the operation has evolved. Who in the organisation has the authority to file a SAR without commercial sign-off.

    These aren’t trick questions. They’re the questions that separate operators running genuine compliance programmes from those who built documentation for the application and haven’t maintained it since.

    iGaming Due Diligence: Payment Processors and Acquirers

    Payment processor iGaming due diligence sits closest to where the consequences of failure are most immediate. No payment processing means no player deposits. No player deposits means no revenue. The relationship between payment processor assessment and operational viability is direct.

    Processors assess: the licensing jurisdiction’s credibility, the AML programme quality, the chargeback history or projections, the business model coherence, the beneficial ownership transparency, and increasingly the responsible gaming integration capability. Do the deposit limits enforce at the payment layer. Does self-exclusion block payment processing or just platform access. Can the processor’s systems receive real-time player status data to support responsible gaming enforcement.

    The last category is newer and catching operators off guard. Processors working with gaming operators in regulated European markets face their own obligations around responsible gaming support. They’re asking operators to demonstrate integrations that many operators haven’t built.

    Periodic review is the part operators don’t plan for. Initial onboarding passes. The processor sets a review schedule quarterly, semi-annual, annual depending on the risk rating they assigned. At review, the same questions come back with updated answers required. An operator who passed initial onboarding but hasn’t maintained their AML programme, their responsible gaming integrations, or their documentation currency discovers the gap at the review.

    iGaming Due Diligence: The Supply Chain Assessment

    Game studios, platform providers, and content aggregators run their own iGaming due diligence before entering commercial relationships with operators. This is the category most licensing guides don’t mention, and it’s where operators with smaller licensing jurisdictions most often discover commercial limitations they didn’t anticipate.

    The European Gaming and Betting Association has tracked the tightening of supply chain due diligence standards across European gaming companies. Tier-1 studios apply their own policies about which operator licensing jurisdictions their content can be distributed to, and those policies have become more stringent as the studios’ own regulatory relationships have intensified. The practical result: operators licensed in jurisdictions that don’t meet studio supply policies can’t access Tier-1 content, regardless of how good the operator’s own compliance programme is.

    Platform providers run similar assessments. A technology provider with regulatory relationships in major jurisdictions can’t afford to supply infrastructure to operators whose compliance posture creates regulatory risk for the provider. Their iGaming due diligence on prospective operator clients has become more rigorous as their own regulatory exposure has grown.

    Affiliate network assessments

    Affiliate networks increasingly assess operator licensing and compliance status before accepting them onto their platforms. An operator with a valid gaming licence who can’t demonstrate responsible marketing practices marketing restricted from reaching self-excluded players, age verification gates, responsible gaming messaging is a commercial risk for the affiliate network in markets where those requirements are enforceable. The affiliate network’s iGaming due diligence on operators has followed the same trajectory as everyone else’s.

    iGaming Due Diligence: UBO and Source of Wealth

    Beneficial ownership and source of wealth documentation appears in every iGaming due diligence process. Regulator, bank, payment processor, institutional partner all of them need to understand who actually controls the operation and where the funding came from.

    The documentation challenge: complex ownership structures. A UBO who sold a business in one jurisdiction, invested across two more, participated in a private equity structure, and is now funding a gaming operation has a source of wealth story that needs careful specialist legal preparation to tell coherently. Gaps in the documentation missing supporting evidence for a particular transaction, an unexplained period, an entity in the chain without complete records generate information requests in every due diligence process the operator goes through.

    Not once. Every time.

    The operator who invests in getting source of wealth documentation properly prepared coherent, verifiable, complete at every level of the ownership chain does it once and has it ready for every subsequent assessment. The operator who patches the documentation in response to each information request does it repeatedly under time pressure, producing varying versions that create consistency problems across different assessors.

    The consistency problem: When the source of wealth narrative submitted to the gaming regulator differs in material details from the version submitted to the bank, which differs from the version submitted to the payment processor even in minor ways, even by accident the inconsistency creates its own credibility problem. Assessors cross-reference. Differences get flagged. The documentation process that’s supposed to build confidence undermines it instead. Getting one version right and using it consistently is much cheaper than managing the fallout from inconsistency.

    iGaming Due Diligence: What Good Preparation Looks Like

    The operators who move through multiple simultaneous iGaming due diligence processes most smoothly share some characteristics.

    Source of wealth documentation prepared to the highest expected standard before the first application, not rebuilt for each assessor. A single coherent narrative, specialist legal-reviewed, complete at every ownership chain level.

    AML frameworks written for the actual business rather than copied from templates. Monitoring thresholds calibrated to the actual expected transaction patterns. Risk assessments that name the specific markets, payment methods, and player demographics of the operation. Updated when material business changes occur, not left as static documents from the application date.

    Responsible gaming integrations tested and documented. Quarterly functional tests confirming deposit limits enforce at the payment layer, self-exclusion blocks both platform and marketing, behavioural monitoring generates alerts at plausible rates. Test records available to show assessors who ask.

    Corporate structure documented transparently. Where management decisions are made. Where the compliance function is based. What the operational presence in the licensing jurisdiction actually consists of. None of this presented as a claim documented with evidence.

    That’s it, really. None of those are exotic requirements. All of them are things operators should be maintaining anyway for their own operational integrity. The connection to iGaming due diligence success is that assessors all of them, from regulators to game studios are looking for evidence of genuine operational compliance rather than nominal compliance. The evidence exists when the compliance is genuine. It doesn’t when it isn’t.

    iGaming Due Diligence: The M&A Dimension

    Gaming industry M&A is active. Acquisitions, licence transfers, platform migrations each triggers its own iGaming due diligence cycle, and it’s often more intensive than the original licensing process.

    An acquirer buying a gaming operation is buying its compliance history as well as its commercial performance. An operation with a clean compliance record, well-maintained AML documentation, and no regulatory findings transacts more cleanly than one with information request history, compliance gaps, or outstanding regulatory correspondence. The compliance posture of a gaming operation affects its M&A valuation and its acquireability.

    Licence transfer due diligence is intensive. The receiving regulator treats the transfer as effectively a new application the incoming operator’s fit-and-proper, the ownership structure, the AML programme, the compliance history of the operation being transferred. An operation that has been maintaining genuine compliance through its history transfers more cleanly than one that built documentation for the original application and hasn’t maintained it.

    Related: the regulatory frameworks shaping iGaming due diligence requirements at iGaming regulatory frameworks 2026. AML compliance that underpins due diligence outcomes at iGaming AML compliance 2026. KYC requirements relevant to due diligence at iGaming KYC requirements 2026. Banking due diligence in practice at opening a bank account for iGaming 2026. Corporate structure that supports due diligence at iGaming corporate structure 2026.

    Frequently Asked Questions

    What is iGaming due diligence and who conducts it?

    iGaming due diligence is the assessment process that various counterparties run on gaming operators to determine whether they’re a credible, compliant, and commercially viable partner. Regulators conduct it at application and during ongoing compliance reviews. Banks conduct it before opening accounts and periodically thereafter. Payment processors conduct it at onboarding and at scheduled reviews. Game studios and platform providers conduct it before entering supply relationships. Affiliate networks conduct it before accepting operators. Each assessment is independent, uses different standards, and can arrive at different conclusions.

    Why do gaming operators fail banking due diligence even with a valid licence?

    Because the bank’s assessment is independent of the regulator’s. The licensing regulator validated the AML programme for licensing purposes. The bank validates it for banking purposes against the bank’s own standards. These can differ, especially when the licensing jurisdiction carries a weak jurisdictional AML signal or when the operator’s programme hasn’t been maintained since the application. A programme that was adequate at application two years ago may not be adequate for a banking assessment today if the bank’s standards have evolved or if the programme hasn’t been updated as the operation changed.

    What makes source of wealth documentation fail across multiple assessments?

    Inconsistency between versions. When the narrative submitted to the regulator differs in material details from the version submitted to the bank, which differs from the payment processor version even inadvertently assessors who cross-reference find inconsistencies that create credibility problems independent of the underlying facts. Getting one version right, specialist legal-reviewed, complete at every ownership chain level, and using it consistently across all assessments is the approach that avoids this. Rebuilding documentation in response to each information request produces inconsistency.

    How does supply chain due diligence affect operators with smaller licensing jurisdictions?

    Tier-1 game studios apply their own policies about which licensing jurisdictions their content can be distributed to. Operators in jurisdictions that don’t meet those policies can’t access Tier-1 content directly regardless of their own compliance quality. Platform providers run similar assessments. The commercial infrastructure available to an operator is constrained by the licensing jurisdiction signal as well as by the operator’s own compliance posture. This limitation often isn’t discovered until after the licence is issued and the operator begins commercial partner outreach.

    What does iGaming due diligence look for in responsible gaming?

    Whether the tools actually function, not whether they exist on paper. Deposit limits enforcing at the payment processing layer, not just as account settings. Self-exclusion blocking both platform access and marketing communications. Behavioural monitoring generating alerts at plausible rates for the actual player base. Quarterly functional testing records showing the tools have been verified to work after platform and payment updates. Increasingly, payment processors specifically ask about responsible gaming integration capability as part of their own assessment.

    How does M&A due diligence differ from initial licensing due diligence?

    It’s often more intensive. An acquirer is buying compliance history alongside commercial performance, which means the operation’s entire regulatory record is in scope not just the current state of the programme. Licence transfer processes treat the incoming operator effectively as a new applicant. An operation with well-maintained compliance documentation, no regulatory findings, and no outstanding correspondence transfers more cleanly and at better valuations than one with compliance gaps. The compliance posture of a gaming operation affects its M&A attractiveness, which is a commercial argument for genuine compliance maintenance even before the regulatory argument.

    Share this article: