In April 2025, the UK Gambling Commission released a comprehensive update on emerging money laundering and terrorist financing risks across the gambling sector (Emerging money laundering and terrorist financing risks from April 2025). Although directed at licensed operators in Great Britain, the Commission’s insights have wider relevance beyond the UK context. They highlight systemic vulnerabilities that increasingly affect gambling markets globally, particularly in jurisdictions such as Romania, where AML compliance frameworks continue to evolve in line with international expectations set by the FATF and the European Union.

As the UK’s statutory regulator for the gambling industry, the Gambling Commission has increasingly emphasised risk-based supervision and the need to adapt compliance expectations to digital and financial innovation. This focus is reflected in the April 2025 update, which outlines current threats and sets clear expectations for how operators should respond.

The following twelve risks, outlined in the April 2025 update, reflect the Commission’s current priorities and form the basis for operator action going forward.

1. Misuse of money service business (MSB) facilities within Casinos

The continued use of casinos to provide money service business (MSB) facilities, such as foreign currency exchange and third-party transfers, remains high risk. In particular, attempts to deposit high denomination foreign banknotes (e.g. EUR 500 notes) signal elevated money laundering exposure. Despite a decrease in the number and volume of MSB transactions across the sector, high-value exchanges still occur, and MSB activity is categorized by the Commission as posing elevated ML/TF risk. Other risks identified include payments received from politically exposed persons (PEPs) or persons on financial sanction lists, the use of multiple payment methods, reliance on third-party due diligence providers, and funds transferred from unknown sources or unlicensed MSBs. Where MSB activity is offered, the Commission expects it to be reflected in operators’ risk assessments and mitigated by appropriate enhanced customer due diligence measures.

2. Use of AI tools to bypass customer due diligence

A growing concern raised in the report is the use of artificial intelligence to undermine due diligence processes. The Commission, echoing findings from the National Crime Agency, points to an increase in the use of deep-fake technology, facial swaps, and forged documentation generated by AI in attempts to bypass onboarding procedures. These methods not only undermine traditional due diligence processes but also increase the likelihood that fraudulent accounts will be used as vehicles for money laundering or terrorist financing. Operators are expected to train staff specifically in the detection of AI-manipulated documents and to review the integrity of all documentation received. Where falsified or AI-generated documents are identified, this must trigger a suspicious activity report (SAR) with appropriate referencing.

3. Fraudulent account creation and exploitation of personal data

The Commission has observed cases where individuals are approached by third parties offering money in exchange for identity documents and personal data, which are subsequently used to open multiple gambling accounts. Not only are these customers frequently defrauded, never receiving the promised payment, but their personal data is often used to facilitate illicit activities, including the operation of unlicensed betting services or the creation of so-called "mule accounts". Operators should review ID verification procedures regularly and act immediately where gaps are identified, ensuring their systems are capable of identifying third-party or synthetic identities.

4. Vulnerabilities in open-loop payment systems

Open-loop systems, where funds are withdrawn to a different method than that used for deposit, are recognised as a known money laundering risk. These systems allow the transfer of funds in a way that can obscure the origin or destination of money and are also vulnerable to the use of fraudulent or stolen cards. The Commission recommends the use of closed-loop systems as best practice. Where operators continue using open-loop systems, the associated risks must be documented within their ML/TF risk assessments and mitigated through effective controls.

5. Games developed by licensed software providers appearing on unlicensed websites

The Commission is aware that games created by UK-licensed software providers have been made available on unlicensed websites accessible to British consumers. This places operators at risk of facilitating illegal gambling and receiving funds derived from criminal activity. Licensed operators are expected to monitor all business relationships and terminate any that result in illegal gambling being made available in Great Britain. The Commission requires proactive engagement and expects operators to provide details of measures taken to prevent further breaches.

6. Exposure through cryptoasset transactions

The Commission continues to classify cryptoassets as a high-risk payment method. The February 2025 theft of digital assets from the ByBit exchange and the suspected laundering of those assets through online gambling channels, highlights the inherent vulnerabilities associated with virtual currencies. Where operators identify customer funds originating from crypto trading or observe deposits linked to cryptoassets, these should be treated as high-risk indicators. Enhanced due diligence measures are expected in such cases, alongside a broader reassessment of payment-related risks within the business.

7. Unmonitored terminal transactions in land-based casinos

Several land-based operators utilise terminals to facilitate deposits, yet the Commission notes that funds received through such terminals are often subject to insufficient scrutiny. Operators may mistakenly assume that the terminal provider or payment processor is responsible for vetting the source of funds, an assumption that undermines the operator’s regulatory obligations. Where such terminals are used, operators must verify whether the originating account is genuinely owned by the customer and ensure that these funds are integrated into the customer’s broader risk profile for due diligence purposes.

8. Changing customer demographics in non-remote casinos

The Commission notes that some high-end land-based casinos have experienced significant changes in their customer base since the pandemic, shifting from international high-net-worth individuals to a broader domestic audience. In some cases, this shift has not been reflected in updated risk assessments or control measures. Operators must ensure that any change in customer demographics is incorporated into their risk frameworks and that associated procedures are adapted accordingly.

9. Risk indicators in emerging game formats

Crash games, popular in unregulated crypto casinos and now gaining traction in the licensed sector pose unique risks. These games typically allow users to place a bet and cash out at any point before the game "crashes," making rapid transactional activity appear legitimate. However, such features may be exploited to conceal laundering behavior, particularly where a user cashes out shortly after betting with minimal gameplay. Operators introducing crash-style games must assess these products for laundering vulnerabilities and ensure that transactional monitoring is capable of detecting abnormal wagering behaviour within this game format.

10. Use of application registration cards (ARCs)

Application Registration Cards (ARCs), issued by the UK Home Office to asylum seekers, are not valid forms of identity for gambling purposes. However, the Commission has encountered instances in which such cards are used, potentially by vulnerable individuals coerced into opening accounts or acting as account holders for criminal networks. Operators must not accept ARCs as identification and should implement internal safeguards to detect and prevent the exploitation of individuals who may be at risk. If there are concerns about possible exploitation, the Commission expects operators to report such cases to the Modern Slavery Helpline or the police where necessary.

11. Inadequate due diligence on third-party relationships

Finally, the Commission urges operators to conduct a full reassessment of their third-party business arrangements, with a particular focus on white-label partnerships and financial inflows such as loans or capital investments. These relationships, when insufficiently examined, may serve as conduits for criminal funds or obscure beneficial ownership. Operators must take into account the jurisdictional risks of their third parties, assess the legality of associated activities both in the UK and abroad, and ensure that any inflow of funds is supported by clear, documented source-of-funds analysis.

12. Jurisdictions subject to increased monitoring by FATF

The FATF updated its list of high-risk and monitored jurisdictions in February 2025. Operators must ensure that they have processes in place to identify customers and relationships linked to these jurisdictions. Where such links exist, enhanced customer due diligence must be conducted to manage the associated money laundering, terrorist financing, and proliferation financing risks.

Although the April 2025 update is specific to the UK framework, their underlying typologies are not. The convergence of digital gambling, AI manipulation, cryptoassets, and cross-border financial flows means that these risks are inherently transnational. In this sense, the Gambling Commission’s analysis offers practical guidance for AML professionals, regulators, and compliance teams beyond the UK.

For Romanian operators, many of the risks highlighted are increasingly visible within the local market. As such, the UK model can serve as a benchmark for proactive risk mitigation, providing a valuable roadmap for strengthening compliance procedures, internal audit frameworks, and client onboarding protocols.

As a result, the Commission’s update offers a relevant point of reference for operators aiming to align their AML frameworks with emerging international standards.