Compliance. Updated Jun 2026.

What Is Due Diligence in iGaming?

The structured risk assessment applied to customers, vendors, and counterparties

In short:

Due diligence is the structured risk assessment a licensed operator applies before establishing a relationship with a customer, vendor, or counterparty. It tiers from Simplified (SDD) to Customer (CDD) to Enhanced (EDD), with depth calibrated to the risk profile of the relationship.

What due diligence covers

Due diligence in gambling sits across two distinct workflows. Customer due diligence (CDD) is the AML-mandated identity, sanctions, and source-of-funds assessment performed at onboarding and during the life of the customer relationship. Vendor or counterparty due diligence is the risk-and-integrity assessment a regulated operator applies before contracting with payment processors, KYC vendors, game studios, or platform providers.

Both workflows share a common spine: identity verification, ownership transparency, regulatory standing, sanctions and PEP screening, and adverse-media review. The depth of each layer depends on risk, with documented criteria triggering escalation to Enhanced Due Diligence.

Customer due diligence tiers

Simplified Due Diligence (SDD) is allowed only in narrowly defined low-risk scenarios and is rare in mainstream iGaming. Customer Due Diligence (CDD) is the standard tier, covering identity document verification, address proof, age verification, and screening against sanctions and Politically Exposed Person (PEP) lists. Enhanced Due Diligence (EDD) applies to higher-risk relationships and adds source-of-funds documentation, source-of-wealth assessment, occupation verification, and ongoing enhanced monitoring.

EDD triggers include high deposit values, high transaction velocity, customers in high-risk jurisdictions identified by FATF or the EU, PEP matches, source-of-funds inconsistencies, and behavioural red flags surfaced by transaction monitoring. Thresholds are operator-specific and documented inside the AML risk assessment.

Vendor and counterparty due diligence

Operators must satisfy regulators that their suppliers do not introduce regulatory or reputational risk. UKGC Licence Conditions and Codes of Practice require licensees to manage third-party risk. MGA imposes similar expectations under its supplier-management requirements. The typical vendor due-diligence pack covers: corporate-structure documentation, ultimate beneficial ownership, licensing status in operator markets, financial standing, information-security certifications, AML and sanctions screening of the vendor entity and its principals, and references from other operator customers.

Renewals revisit the original assessment. Material changes, such as ownership transfer, sanctions exposure, or licence loss, trigger reassessment and potentially contract termination.

Frequently asked questions about due diligence in iGaming

EDD is required for high-risk customer relationships under EU AML directives and UK Money Laundering Regulations. Common triggers are PEP status, customers in FATF-listed high-risk jurisdictions, high deposit values, and behavioural red flags. Operators document their EDD trigger thresholds inside their AML risk assessment.

KYC is the identity verification component. Due diligence is the broader risk assessment that includes KYC plus source-of-funds analysis, sanctions and PEP screening, adverse-media review, and ongoing monitoring. KYC sits inside the wider due-diligence framework.

Most major jurisdictions require retention for at least 5 years after the end of the customer or vendor relationship. UK Money Laundering Regulations specify 5 years from the end of business relations. Operators commonly retain longer to satisfy the strictest market they operate in.

Operational components such as identity verification, screening, and document collection can be outsourced to specialist vendors. Accountability for the result, however, cannot be outsourced. The named compliance officer at the regulated operator remains personally accountable to the regulator.

Editorial reference, not financial advice. Glossary entries are explanatory content produced by Gamblers Connect editorial. They are not advice on whether to gamble, where to gamble, or how to allocate your funds. Online wagering is restricted to people aged 18 or 21 or over where applicable.