Are No-KYC Online Casinos Legal? A Look Into the Trend and Regulatory Implication of No-KYC Online Casinos
How can we ensure our iGaming platform has a payment stack that satisfies every compliance layer without compromising the product?
Before going further, we must understand what an iGaming payment stack is exactly and the mechanisms behind in order to know what is the ideal iGaming secure payment.
A payment stack discussed here is a framework that businesses use to manage transactions and payments processes. It is not a single platform or a provider but an ecosystem combining financial institutions, networks and technology layers.
Within your payment stack, payment architects must include compliance layers, which may vary from 3 to 6 layers, depending on your iGaming business model. The most common layers include the following:
While conflict exists when rigid regulatory requirements (such as KYC, AML/CFT, FATF Travel Rules and cross-border taxes) clash with demand for frictionless transactions, all of these layers must work together. You, as an operator, should build a payment stack that suits the needs of your business model, geography, growth ambitions, jurisdiction requirements and license requirements.
Here we will explore different considerations that may be involved when developing your payment stack.
Also read: How Does the Licensing Architecture Would Look Like for Meta’s New Prediction Market App?
One of the first challenges in designing a compliant payment stack is combining local legal requirements with primary licensing rules.
For example, Germany’s State Treaty on Gambling (GlüStV 2021) created a unified legal framework for online gambling and sports betting across the 16 federal states. Through this framework, virtual slots, poker and sports bettings were legalized while introducing strict player protection rules, namely a €1,000 monthly deposit limit and a €1 maximum stake limit per slot spin.
The issue here is that a payment service provider processing a transaction will have no way of knowing what a player has already spent on a different platform.
While Germany has built a tracking system (LUGAS) to resolve this issue, this creates a new burden for payment service providers to query transactions in real time before approving each deposit. They will now have to check if they are legally allowed to accept payments, whether players have hit their monthly spending limit and whether the payment is for a type of game that is allowed.
Beyond licensing requirements, regulators are now shifting from written policies and checklists to proven effectiveness. The AML Act of 2020 essentially rewrote regulatory expectations from ‘technical compliance’ to risk-based and outcomes-oriented programs.
However, plenty of fintechs fail to keep up with the updated landscape as not all of them can demonstrate compliance within hours or prove that their AML/CFT system actually prevents financial crime and there are false positive rates of enforcement throughout mid-size institutions.
Instead, FinCEN proposes that industry leaders track their performance through the following indicators:
In line with the above, there are also behaviour indicators which replace raw transaction volume as monitoring triggers. FinCEN will look at the following:
Also read: We Analyze the “Betting on Events” Trend from Business Models to Licensing
Beyond transaction monitoring, we must also consider in the event of a corporate insolvency, how is a player’s money truly protected?
Segregated player funds accounts are where casino operators have to hold the players’ money separately from their own funds. This protects players in many ways: direct financial security, misappropriation of funds and as a form of fraud deterrent.
However, the label in itself does not determine your protection in the event of an insolvency. Instead, what determines protection is whether the asset is treated as the operator’s property or it is ring-fenced. In terms of banking, ‘ring-fencing’ is a separate core retail banking service from their investment banking services, which are generally off-limits to unsecured creditors.
Thus, if you are a casino operator, you will need to be able to tell the court which assets are ring-fenced.
In Malta, player protection requires operators to prominently display on their website information such as licensee details, sign indicating that underage gaming is not permissible, responsible gaming disclaimer, links to gambling help organizations and message regarding responsible gaming tools and limits.
In the United Kingdom, there are more rigid protection ratings whereby you must inform customers of information regarding fair wins and self-exclusions programs.
For example, GamStop has initiatives for players to voluntarily exclude themselves from all UKGC-licensed gambling platforms for a specific period of time. Operators are also required to offer daily, weekly or monthly deposit limit options for players to control their spending.
The UKGC is generally more strict in issuing fines amounting to £3.25 million to Done Bros (Cash Betting) Limited and £594,000 to Star Racing Limited for failing to meet compliance standards. If you, as a gambling operator, are operating in this region, you must be aware of such protection mechanisms for the players.
We must also consider payment authentication as another layer of regulatory compliance. For instance, transaction Risk Analysis (TRA) is primarily used to evaluate risk scores and various risk factors. TRA exemptions are a form of strong customer authentication applied to low-risk transactions below a certain threshold.
Under PSD2, such low-risk transactions are not always authenticated, which allows low-risk merchants to process transactions with additional verification methods such as 3DS. For you to qualify for a TRA exemption, you must meet certain thresholds regarding the transaction’s risk level and payment environment.
Given that SCA exemptions are standardized under PSD2, there are no jurisdiction-specific exemptions. However, while the legal framework is uniform across the EEA, the applicability is by the payer’s bank who has the final discretion. In practice, countries like Germany and France may be more conservative while Ireland and the Netherlands may be willing to approve such frictionless transactions.
As we mentioned earlier, in Germany, the implementation of Glücksspielstaatsvertrag 2021 (GlüStV 2021) in July 2021 imposed strict deposit limits of €1,000 for licensed online casino players. Here, we also have to consider OASIS, which is Germany’s national self-exclusion system. It is a cross-operator protection layer that affects access, account control and how Germany-facing gambling routes should explain safer gambling before registration.
On the other hand, Sweden’s restriction on credit-funded and anonymous payment means that payment getaways must identify the merchant and payment method before approving the transaction. Payment gateways may block prohibited payments to ensure that payments originate from identifiable users.
Cryptocurrency can be offered legally as a payment method in many jurisdictions without it being classified as a legal tender. What’s important is that there must exist a legal framework which allows the platform to treat it as a voluntary medium of exchange with stringent AML requirements in place.
For this, you must also take the following into consideration:
More into this: How to Start a Bitcoin Casino From Product, Licensing, to Off-Ramping
While cryptocurrency need not be classified as a legal tender to function as a lawful payment method, its acceptance does not exempt the platform facilitating from being imposed legal requirements. You need to be aware that there are still strict requirements that may exist in implementing VFAs or stablecoins under certain jurisdictions.
Hence, there are overlaps between these jurisdictions wherein customer assets are to be segregated from the provider’s own funds and essentially, they impose insolvency protection where customers may retain claims onto their assets should the provider fails.
As seen from above, building a compliant iGaming payment stack is not a one-time exercise. It requires selection of the proper jurisdiction and license, layering AML/CFT requirements with KYC and Travel Rule obligations. Contact us at LegalBison, we are ready to assist you for each of these requirements so you can focus market your platform while we assist you with the licensing paperwork.