Signing an AML tool contract can feel like buying a fire alarm while the kitchen’s already smoking. Sales demos look polished, the promises sound safe, and your team just wants something that keeps regulators happy without grinding growth to a halt.
That’s where AML vendor due diligence earns its keep. For small iGaming teams, the risk isn’t only “picking the wrong vendor.” It’s picking a vendor you can’t defend in an audit, can’t integrate cleanly, or can’t afford once volumes ramp.
This guide gives you a practical checklist, plus a copy‑paste questionnaire you can send to vendors before legal reviews start.
Why vendor due diligence matters (even if you’re small)

A regulator doesn’t care that you have a lean team. They care that your controls work, your decisions are documented, and your third parties don’t create blind spots.
In iGaming, vendor risk shows up fast:
- KYC friction that tanks conversion, or weak checks that invite bad actors.
- Noisy alerts that bury your reviewers, or missing alerts that create reporting exposure.
- Data gaps between gameplay, payments, and player profiles that weaken investigations.
- Audit pain when you can’t explain rules, thresholds, or model changes.
If you want a benchmark for what “good AML posture” looks like in gaming, the American Gaming Association AML best practices guide is a useful reference point for building expectations.
Checklist overview: score the vendor like a regulator will

Before you get pulled into feature debates, align on three outcomes:
- Regulator-ready evidence: Can you show how alerts are generated, reviewed, and closed?
- Operational fit: Can two people run this on a Monday morning after a busy weekend?
- Commercial control: Are fees predictable as deposits, alerts, and markets expand?
A simple approach that works for small teams: give each area a Red/Amber/Green rating and require “evidence” for every Green.
| Due diligence area | What to verify | Evidence to request |
|---|---|---|
| KYC/IDV + screening | Coverage, accuracy, edge cases | Sample reports, match logic, test results |
| Transaction monitoring | Rule control, tuning, explainability | Rules list, alert examples, QA process |
| Case management | Workflow, audit trail, SAR support | Audit logs, case exports, role permissions |
| Security + privacy | Encryption, access, retention | SOC 2/ISO docs, DPA terms, pen test summary |
| SLAs + support | Response times, incident handling | SLA, escalation path, postmortem template |
| Pricing | Unit economics and overage risk | Rate card, scenarios, renewal clauses |
If you’re still tightening your own processes, it helps to review an iGaming KYC workflow audit guide first, so your vendor questions match your actual player journey.
AML vendor due diligence questions that catch problems early
1) Regulatory fit and licensing reality
Don’t ask “Are you compliant?” Ask what they’ve proven and where.
Good questions:
- Which jurisdictions do you actively support in iGaming, and what changes did you make in the last 12 months?
- How do you handle risk-based thresholds (low-, medium-, and high-risk players) without hard-coding everything?
- What evidence can you provide that your workflows stand up to audits?
For context on what KYC expectations can include in gaming, Persona’s overview of KYC for online gaming is a solid baseline.
2) Product coverage: KYC, monitoring, and investigations
Small teams need breadth, but also control.
Look for:
- Configurable rules (not “submit a ticket and wait”).
- Clear separation of fraud signals vs AML signals (they overlap, but reporting needs clarity).
- Case tools that let you record decisions, attach evidence, and export cleanly.
If your alert strategy is still forming, this guide on simple transaction monitoring rules for iGaming can help you define what your vendor must support.
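To make "configurable rules" and "why flagged" concrete, here is an added example (not code from the article, the linked guide, or any vendor) of the shape you should expect a monitoring product to expose: thresholds held as data per risk tier, rule logic kept separate from those thresholds, and every alert carrying a human-readable reason plus the evidence behind it. The rule names, threshold values, event fields, and sample player activity are all constructed for illustration, not regulatory guidance.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds are data keyed by risk tier, so tuning is a config change,
# not a vendor ticket. Values are hypothetical, not regulatory guidance.
RULES = {
    "deposit_velocity": {
        "window_hours": 24,
        "limits": {"low": 5000.0, "medium": 2000.0, "high": 500.0},
    },
    "rapid_withdrawal": {
        "max_minutes_since_deposit": 60,
        "max_wagered_ratio": 0.10,   # wagered / last deposit
    },
}

@dataclass
class Event:
    ts: datetime
    player: str
    kind: str      # "deposit", "wager" or "withdrawal"
    amount: float

@dataclass
class Alert:
    player: str
    rule: str
    reason: str    # the "why flagged" text a reviewer (and an auditor) should see
    evidence: list = field(default_factory=list)

def deposit_velocity(player, tier, events, cfg):
    """Flag when deposits inside a sliding window exceed the tier's limit."""
    deps = sorted((e for e in events if e.player == player and e.kind == "deposit"),
                  key=lambda e: e.ts)
    window, limit = timedelta(hours=cfg["window_hours"]), cfg["limits"][tier]
    for d in deps:
        in_window = [x for x in deps if d.ts - window < x.ts <= d.ts]
        total = sum(x.amount for x in in_window)
        if total > limit:
            return Alert(player, "deposit_velocity",
                         f"{len(in_window)} deposits totalling {total:.2f} within "
                         f"{cfg['window_hours']}h exceed the {tier}-risk limit of {limit:.2f}",
                         [(x.ts.isoformat(), x.amount) for x in in_window])
    return None

def rapid_withdrawal(player, tier, events, cfg):
    """Flag a withdrawal soon after a deposit with little gameplay in between."""
    mine = sorted((e for e in events if e.player == player), key=lambda e: e.ts)
    for i, w in enumerate(mine):
        if w.kind != "withdrawal":
            continue
        deposits = [e for e in mine[:i] if e.kind == "deposit"]
        if not deposits:
            continue
        dep = deposits[-1]
        minutes = (w.ts - dep.ts).total_seconds() / 60
        wagered = sum(e.amount for e in mine[:i] if e.kind == "wager" and e.ts >= dep.ts)
        ratio = wagered / dep.amount if dep.amount else 0.0
        if minutes <= cfg["max_minutes_since_deposit"] and ratio <= cfg["max_wagered_ratio"]:
            return Alert(player, "rapid_withdrawal",
                         f"withdrawal of {w.amount:.2f} {minutes:.0f} min after deposit of "
                         f"{dep.amount:.2f} with only {ratio:.0%} wagered (tier: {tier})",
                         [(dep.ts.isoformat(), dep.amount), (w.ts.isoformat(), w.amount)])
    return None

RULE_FUNCS = {"deposit_velocity": deposit_velocity, "rapid_withdrawal": rapid_withdrawal}

def evaluate(events, tiers, rules=RULES):
    """Run every configured rule for every player; return explainable alerts."""
    alerts = []
    for player, tier in tiers.items():
        for name, cfg in rules.items():
            alert = RULE_FUNCS[name](player, tier, events, cfg)
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample data (not real player activity).
T0 = datetime(2024, 1, 6, 20, 0)
SAMPLE_EVENTS = [
    Event(T0, "p1", "deposit", 1000.0), Event(T0 + timedelta(hours=1), "p1", "wager", 800.0),
    Event(T0 + timedelta(hours=3), "p1", "withdrawal", 300.0),
    Event(T0, "p2", "deposit", 300.0), Event(T0 + timedelta(hours=2), "p2", "deposit", 350.0),
    Event(T0 + timedelta(hours=2, minutes=10), "p2", "wager", 20.0),
    Event(T0 + timedelta(hours=2, minutes=30), "p2", "withdrawal", 600.0),
    Event(T0, "p3", "deposit", 1500.0), Event(T0 + timedelta(hours=30), "p3", "deposit", 1000.0),
]
SAMPLE_TIERS = {"p1": "low", "p2": "high", "p3": "medium"}

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, SAMPLE_TIERS):
        print(f"[{a.rule}] {a.player}: {a.reason}")
```

Run as-is, only the high-risk player p2 is flagged, once per rule, and each alert states the numbers that triggered it. Re-running with p2 moved to the low tier clears the deposit alert but not the rapid-withdrawal one, which is the kind of tier-sensitive behaviour you should ask a vendor to demonstrate on their own sample alerts. In a real product the `RULES` block would be an editable config surface, and the `reason` and `evidence` fields would land in the case record so a reviewer can reconstruct the decision during an audit.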
3) Security and privacy questions (don’t skip this)

AML tools sit on sensitive player and payment data. Treat this like selecting a payments partner.
Ask about:
- Encryption in transit and at rest, plus key management basics.
- Role-based access, MFA, and immutable audit logs (and how that immutability is actually enforced, not just claimed).
- Data retention options by jurisdiction and your ability to delete on request when allowed.
- Sub-processors, hosting regions, and incident response timelines.
For a broader vendor-risk mindset (especially cyber posture), Bitsight’s vendor due diligence checklist is a good reference.
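"Immutable audit logs" above, and the "who did what, when, and why" item in the questionnaire later on, are easier to evaluate if you know what a tamper-evident trail looks like in practice. The following is an added example, not code from the article or from any vendor: a hash-chained case audit log where each entry commits to the previous entry's hash, plus a verifier you could run against an exported trail. The case IDs, actors, timestamps, and field names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first entry

def canonical(entry: dict) -> bytes:
    # Stable serialisation so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(body: dict, prev_hash: str) -> str:
    # Each hash covers the entry body AND the previous hash, forming the chain.
    return hashlib.sha256(prev_hash.encode() + canonical(body)).hexdigest()

def append(log: list, ts: str, actor: str, action: str, case_id: str, detail: str) -> dict:
    """Append an entry recording who did what, when and why, chained to the last one."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
            "case_id": case_id, "detail": detail}
    log.append({**body, "prev_hash": prev, "hash": entry_hash(body, prev)})
    return log[-1]

def verify(log: list):
    """Walk the chain; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("prev_hash", "hash")}
        if rec["prev_hash"] != prev or rec["hash"] != entry_hash(body, prev) or body["seq"] != i:
            return False, i
        prev = rec["hash"]
    return True, None

def head_matches(log: list, expected_head: str) -> bool:
    """Compare the last hash with one you recorded outside the vendor's system."""
    return bool(log) and log[-1]["hash"] == expected_head

def build_sample_log() -> list:
    # Constructed case history (not real data).
    log = []
    append(log, "2024-01-08T09:02:00Z", "analyst.a", "alert_opened", "CASE-1042", "deposit_velocity alert")
    append(log, "2024-01-08T09:20:00Z", "analyst.a", "evidence_attached", "CASE-1042", "kyc_refresh.pdf")
    append(log, "2024-01-08T10:05:00Z", "mlro", "case_closed", "CASE-1042", "no SAR: source of funds verified")
    return log

def tamper_and_verify(log: list, index: int, new_detail: str):
    """Simulate someone rewriting a past decision in an export."""
    tampered = [dict(r) for r in log]
    tampered[index]["detail"] = new_detail
    return verify(tampered)

def delete_and_verify(log: list, index: int):
    """Simulate someone removing an entry from an export."""
    return verify([dict(r) for r in log if r["seq"] != index])

if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]
    print("intact:", verify(log))
    print("rewritten closure:", tamper_and_verify(log, 2, "no SAR: reviewer overruled"))
    print("middle entry removed:", delete_and_verify(log, 1))
    print("last entry removed, chain only:", verify(log[:-1]))
    print("last entry removed, head anchored:", head_matches(log[:-1], head))
```

Two things this shows that a vendor demo usually will not: editing or removing an earlier entry breaks the chain at that point, but simply truncating the most recent entries does not, because the shortened log is still internally consistent. That is why the head hash needs to be recorded somewhere the vendor cannot rewrite (your own evidence folder, a ticket, a signed periodic report). When a vendor says "immutable", ask which of these two failure modes their design actually catches and how you would verify it from an export.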
4) Operations: implementation, tuning, and human workload
A common failure mode is “Great tool, nobody can run it.”
Validate:
- Integration timeline with your stack (payments, game server events, CRM, data warehouse).
- Who owns tuning and QA (you, them, or shared), and how often it happens.
- Onboarding support, training format, and what “go-live” really means.
A practical test: request three anonymized alert examples, then ask your ops lead to estimate review time. If it takes 20 minutes per case and you expect 100 alerts a day, that is roughly 33 reviewer-hours every day, or more than four full-time reviewers for a team of two. The math doesn’t work.
5) Commercials, SLAs, and exit plan
Pricing surprises usually hide in unit metrics: per check, per alert, per screened name, per API call, per seat.
Confirm:
- Clear unit definitions and overage rules.
- SLA for uptime and support response, plus an escalation path.
- Exit: data export format, timelines, and deletion confirmation.
If you’re preparing for licensing, keep your vendor answers aligned with your broader paper trail. This iGaming license compliance documentation checklist helps you map “vendor proof” to what reviewers often ask for.
Copy‑paste AML vendor questionnaire (send this before procurement)
Use this as an email or doc. Require links or attachments for any “Yes.”
Company and scope
- Legal entity name, HQ country, and primary hosting region(s):
- Do you serve iGaming operators today? If yes, which products (casino, sportsbook, poker)?
- Which jurisdictions do you actively support (list), and what is your update process for new rules?
- Do you use sub-processors? Provide a current list.
KYC/IDV and screening
- What identity and document checks do you support (ID, selfie, liveness, address)?
- How do you handle sanctions, PEP, and adverse media screening (sources, match logic, tuning)?
- Can we set risk tiers and triggers (deposit thresholds, gameplay patterns, payment changes)?
- Provide 2 sample screening reports (anonymized).
Transaction monitoring
- Can we create and edit rules without vendor tickets? Describe the workflow.
- Do you support real-time monitoring, batch monitoring, or both?
- What data do you need at minimum (payments, gameplay, KYC status, device, IP)?
- Provide 3 anonymized alerts with full “why flagged” explanations.
- How do you reduce false positives over time (tuning, feedback loops, QA)?
Case management and auditability
- Does each case keep a full audit trail (who did what, when, and why)?
- Can we attach evidence (documents, chat logs, payment notes) and export cases?
- Do you support SAR/STR workflows or at least structured report notes?
- What retention settings are available per case and per data type?
Security, privacy, and reliability
- Do you have SOC 2, ISO 27001, or equivalent? Provide the latest report/certificate.
- Encryption in transit and at rest: yes/no, plus protocol versions, key management, and who controls the keys.
- Access controls: RBAC, MFA, SSO options (if any).
- Incident response: breach notification timeline and support contact method.
- Uptime SLA and the last 12 months of uptime metrics (or status page link).
Commercials and contract
- Pricing model (per check, per alert, per user, other). Include a rate card.
- List all likely extras (set-up, integrations, premium support, data storage, overages).
- Contract term, renewal mechanics, and price increase caps (if any).
- Offboarding: export formats, timelines, fees, and deletion confirmation process.
Conclusion: make vendor answers part of your compliance evidence
Small iGaming teams don’t win by asking more questions. They win by asking the right ones, then saving the proof in a place they can find during an audit. That’s the real point of AML vendor due diligence.
Send the questionnaire, score the responses, and push back on vague claims. If a vendor can’t explain how an alert is created, supported, and reviewed, it’s not an AML system, it’s a liability.

Adeyemi Adetilewa leads the editorial direction at IdeasPlusBusiness.com. He has driven over 10M+ content views through strategic content marketing, with work trusted and published by platforms including HackerNoon, HuffPost, Addicted2Success, and others.