If you’re running a small sportsbook, iGaming AML risk assessment can feel like building a parachute while you’re already in the air. You’re expected to know your players, spot suspicious patterns, and document decisions, even if your “compliance team” is one person with a shared inbox.
The good news is you don’t need a 60-page enterprise report to do this well. You need a clear process, consistent scoring, and proof you can explain to a regulator, bank, or payment partner.
This guide gives you a practical workflow and a copy-ready template you can adapt in a single afternoon.
What regulators and partners expect
Most jurisdictions now judge AML programs by one big idea: the risk-based approach. That means you identify where money laundering risk is most likely in your operation, set controls that match that risk, and review it as your business changes.
Across markets, the basics keep repeating:
- KYC and CDD at onboarding (and when risk changes).
- EDD for high-risk players (PEPs, high-value, higher-risk geographies, unusual behavior).
- Sanctions screening and watchlist checks.
- Transaction monitoring that can detect patterns, not just single events.
- SAR/STR reporting when activity is suspicious, plus strong record-keeping.
If you want context on what typical operator controls look like, the American Gaming Association AML best practices guide (PDF) is a useful benchmark. For an iGaming-focused view of how risk shows up online, the overview from Forvis Mazars on AML risk in iGaming is a solid read.
The small-operator workflow (9 steps you can repeat every quarter)

Here’s a simple process you can run without turning it into a “project that never ends”:
1) Define scope and boundaries
Write down what the assessment covers: brands, domains, jurisdictions, payment methods, and product types (sports, casino, poker, bingo). If something’s out of scope (like an affiliate program not yet live), state it.
2) Gather the data you already have
Small operators usually have more data than they think. Pull what’s easy:
- Player counts by country
- Deposit and withdrawal volumes by method
- Bonus usage, chargebacks, failed payments
- Top 20 players by net deposits and withdrawals
- SAR/STR logs (even if zero filed)
3) Identify your AML risk factors
Use categories that map to how laundering actually happens online: Customer, Geography, Payment Methods, Product, Delivery Channel, Transaction Behavior, Third Parties (processors, affiliates, game providers).
For practical iGaming examples of laundering patterns, ComplyAdvantage’s overview of online gambling money laundering gives scenarios you can translate into monitoring rules.
4) Score inherent risk (before controls)
“Inherent” means what the risk would be if you had no controls. Use a 1 to 5 scale: 1 = Low, 3 = Medium, 5 = High.
5) Map your controls to each risk
List what you actually do, not what a policy says you do. If a control isn’t consistently applied, score it lower.
6) Score control effectiveness (how well controls work)
Again, 1 to 5: 1 = Weak or inconsistent, 3 = Reasonable, 5 = Strong and proven.
7) Calculate residual risk (what remains)
Use a simple rule your team can repeat:
Residual risk = Inherent risk + (3 − Control effectiveness)
This keeps “3” as neutral. Strong controls (4 to 5) reduce residual risk; weak controls (1 to 2) increase it. Cap the final score between 1 and 5.
8) Get approvals and lock the evidence
Add sign-off from the MLRO (or equivalent) and a senior manager. Save the version used for the period, plus your data extracts.
9) Monitor and review
Set a review cadence (quarterly is realistic for most small operators) and define “trigger events” that force an earlier update.
Risk factors matrix you can reuse (with scoring cues)

Use this as your baseline. It’s not exhaustive, but it covers what most regulators and banks ask about.
| Risk factor | Inherent risk indicators (examples) | Typical controls (examples) |
|---|---|---|
| Customer | New accounts with high deposits, PEP exposure, mismatched ID signals | KYC verification, PEP screening, EDD triggers, SOF checks |
| Geography | Players from higher-risk or sanctions-exposed locations | Geo-blocking, sanctions screening, country risk scoring |
| Payment methods | Third-party payments, rapid method switching, crypto use | Name-match checks, wallet screening, velocity rules |
| Product | High liquidity features (fast in and out), certain game mechanics | Stake limits, bonus abuse controls, monitoring scenarios |
| Delivery channel | VPN/proxy use, device farming, shared IPs | Device fingerprinting, IP intelligence, step-up verification |
| Transaction behavior | Deposit-withdrawal churn, “just under threshold” patterns | Automated alerts, manual review playbooks, holds |
| Third parties | Affiliates with poor oversight, weak processor controls | Affiliate due diligence, processor audits, contract clauses |
For sanctions and AML stages that often trip up smaller operators, the practical overview from Dilisense on AML and sanctions compliance in iGaming is helpful when you’re writing your “controls” section.
Copy-and-paste template: iGaming AML risk assessment (small operator)
Use the template below as your document structure. Keep it short, but complete.
A) Document control
- Operator name:
- Brands/domains covered:
- Jurisdictions covered:
- Assessment period:
- Owner (MLRO/compliance lead):
- Approval (senior manager):
- Next review date:
- Trigger events (pick 3 to 5): new market launch, new payment method, processor change, crypto launch, major VIP growth, regulator request, fraud spike.
B) Business profile (one page max)
- Products offered:
- Player types (recreational, VIP, B2B partners):
- Payment methods and volumes (high-level):
- Third parties used (KYC vendor, payment processor, game providers, affiliates):
- Notes on 2025 changes relevant to you (new market entry, new rules, new product features):
C) Scoring method (keep consistent)
- Inherent risk: 1 to 5
- Control effectiveness: 1 to 5
- Residual risk = Inherent risk + (3 − Control effectiveness), capped 1 to 5
- Risk tiers:
  - 1 to 2 = Low (monitor)
  - 3 = Medium (improve controls within 60 to 90 days)
  - 4 to 5 = High (enhanced controls and senior sign-off)
D) Risk register (copy this table)
| Category | Inherent (1-5) | Key indicators you see | Controls in place | Control (1-5) | Residual (1-5) | Actions, owner, due date |
|---|---|---|---|---|---|---|
| Customer | | | | | | |
| Geography | | | | | | |
| Payment methods | | | | | | |
| Product | | | | | | |
| Delivery channel | | | | | | |
| Transaction behavior | | | | | | |
| Third parties | | | | | | |
E) Control gaps and improvement plan (one page max)
Write 5 to 10 actions you’ll actually complete. Examples:
- Add EDD trigger for net deposits above $X in 30 days.
- Add rule for rapid deposit-then-withdraw behavior.
- Add quarterly affiliate reviews and minimum data requirements.
- Add sanctions rescreening cadence (weekly or daily, depending on your tools).
Worked example (so you can sanity-check your scoring)
Picture a small operator launching in a new market with cards, e-wallets, and a limited crypto option.
- Payment methods inherent risk: 4 (crypto plus multiple rails increases exposure).
- Controls: KYC at onboarding, basic velocity limits, manual reviews for large withdrawals.
- Control effectiveness: 3 (reasonable, but not strong).
- Residual: 4 + (3 − 3) = 4.
The action plan writes itself: tighten crypto wallet checks, add name-matching for payment instruments, and set clearer EDD thresholds tied to net deposits and churn behavior.
The key is consistency. If you re-score next quarter and it drops to 3, you should be able to point to what changed (new rules, better tools, fewer risky countries, stronger reviews).
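The scoring rule from step 7 and section C, applied to a whole risk register and compared across two review periods, as an added example that is not part of the original template. The function names are hypothetical and every score except the worked example's Payment methods row is constructed; the code also keeps the uncapped value, because the 1-to-5 cap can hide movement between quarters.

```python
CATEGORIES = ("Customer", "Geography", "Payment methods", "Product",
              "Delivery channel", "Transaction behavior", "Third parties")

def _check(name, score):
    # Reject anything outside the 1-to-5 integer scale (bools are ints in Python).
    if isinstance(score, bool) or not isinstance(score, int) or not 1 <= score <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {score!r}")

def residual_risk(inherent, control):
    """Residual = Inherent + (3 - Control). Returns (capped 1..5, uncapped)."""
    _check("inherent", inherent)
    _check("control", control)
    raw = inherent + (3 - control)
    return max(1, min(5, raw)), raw

def tier(residual):
    """Risk tiers from section C: 1-2 Low, 3 Medium, 4-5 High."""
    if residual <= 2:
        return "Low"
    return "Medium" if residual == 3 else "High"

def score_register(register):
    """register: {category: (inherent, control)} -> {category: scored row}."""
    missing = [c for c in CATEGORIES if c not in register]
    if missing:
        raise ValueError(f"register is missing categories: {missing}")
    rows = {}
    for cat in CATEGORIES:
        inherent, control = register[cat]
        capped, raw = residual_risk(inherent, control)
        rows[cat] = {"inherent": inherent, "control": control, "residual": capped,
                     "raw": raw, "capped": raw != capped, "tier": tier(capped)}
    return rows

def changes(previous, current):
    """Categories whose residual moved, i.e. rows that need a documented reason."""
    return {c: (previous[c]["residual"], current[c]["residual"])
            for c in CATEGORIES if previous[c]["residual"] != current[c]["residual"]}

# Constructed sample scores; only "Payment methods" (4, 3) is the worked example.
Q1 = {"Customer": (3, 3), "Geography": (2, 4), "Payment methods": (4, 3),
      "Product": (3, 2), "Delivery channel": (5, 1), "Transaction behavior": (4, 2),
      "Third parties": (1, 5)}
Q2 = {**Q1, "Payment methods": (4, 4)}  # constructed: controls improved next quarter

if __name__ == "__main__":
    q1, q2 = score_register(Q1), score_register(Q2)
    for cat, row in q1.items():
        print(f"{cat:22} {row}")
    print("Needs a documented reason:", changes(q1, q2))
```

Rows flagged `capped` (here Delivery channel and Third parties) sit at the edge of the scale, so a one-point change in either input may not show up in the residual score; record the inherent and control scores alongside it.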
Ongoing monitoring: keep your assessment alive (without hiring a big team)

A risk assessment is only useful if it shapes day-to-day work. A lightweight “dashboard” can be a spreadsheet plus three weekly metrics:
- Alerts reviewed and closed (with reasons)
- KYC failure rate and top failure causes
- EDD cases opened vs completed (aging matters)
Also set clear triggers for a mid-cycle update:
- A new high-risk payment method
- Rapid VIP growth
- A processor or affiliate change
- A spike in chargebacks or withdrawals
- New jurisdiction entry
Conclusion
A strong iGaming AML risk assessment isn’t about fancy charts. It’s about a repeatable method, honest scoring, and evidence that your controls match your real risks. Start with the template, run the 9 steps, and keep the risk register updated each quarter. If you can explain your choices in plain language, you’re already ahead of most small operators.

Adeyemi Adetilewa leads the editorial direction at IdeasPlusBusiness.com. He has driven over 10M+ content views through strategic content marketing, with work trusted and published by platforms including HackerNoon, HuffPost, Addicted2Success, and others.