AML & KYC Policy

1) Purpose, scope, and principles

This Policy safeguards players and the integrity of the Platform through a risk-based anti-money-laundering (AML) and know-your-customer (KYC) programme that meets the requirements of the Wwft, the Sanctions Act 1977, the Remote Gambling Act, and the conditions of our KSA licence.

Principles.

  • Risk-based: controls scale with the risk a player, product, or channel presents; there is no one-size-fits-all treatment.
  • Proportionate: we collect only what the check requires and retain it no longer than the law demands.
  • Timely: checks run before the risk crystallises, for example before the first payout.
  • Evidenced: who decided what, when, and on what basis is recorded so that an independent reviewer can follow the decision.
  • Independent: the MLRO can file STRs with FIU-Netherlands and suspend gameplay or payments without interference.
  • No tipping off: we never disclose to a player that suspicion exists or that a report is being considered or has been made.

2) Legal and regulatory framework

  • Wwft — Prevention of Money Laundering and Terrorist Financing Act.
  • Sanctions Act 1977 and EU/UN sanctions regulations.
  • Remote Gambling Act, KSA licence conditions, policy rules, advertising and duty‑of‑care guidance.
  • GDPR/AVG for lawful, secure processing of personal data.
  • Dutch consumer and civil law (fairness, transparency, records).

BinoBet monitors legislative change and updates this Policy and SOPs promptly. Material changes are communicated to staff and vendors.

3) Governance, roles, and accountability

  • Board of Directors — sets risk appetite; approves this Policy, the Enterprise‑Wide Risk Assessment (EWRA), and key thresholds; receives quarterly AML/KYC management information (MI).
  • MLRO — owns the programme; approves scenarios; investigates escalations; files STRs; may pause gameplay or payments; reports independently to the Board and engages with regulators and FIU‑NL.
  • Deputy MLRO — continuity for absences; executes delegated tasks.
  • First line (Payments, Support, VIP, Operations, Growth) — performs CDD/EDD, collects evidence, documents cases, escalates on time.
  • Second line (Compliance & Risk) — designs controls, challenges first‑line decisions, runs thematic reviews, calibrates thresholds.
  • Third line (Internal Audit) — independently tests design and effectiveness at least annually.
  • All employees — complete training before access, annually thereafter, and ad‑hoc when laws change; report suspicions immediately.

A maintained RACI matrix defines who is Responsible, Accountable, Consulted, and Informed for onboarding, EDD, withdrawals, sanctions hits, and STRs.

4) Risk‑based approach (RBA)

4.1 Enterprise‑Wide Risk Assessment (EWRA)

At least annually, and on material change (new product, payment method, market, provider), we assess inherent risk across customers, products, channels, geographies, interfaces, and delivery. We evaluate control strength, compute residual risk, and set thresholds for alerts, EDD, and payout holds. The Board reviews and approves the EWRA.

4.2 Customer risk rating

Every player is assigned a dynamic score (Low/Medium/High/Severe) at onboarding and continuously thereafter. Factors include identity consistency, device risk, payment behaviour, deposit/withdraw patterns, product mix, sanctions/PEP/adverse‑media results, CRUKS status, affordability indicators, and prior compliance history. The rating drives CDD depth, monitoring intensity, and refresh frequency.

4.3 Product and channel risk

Remote onboarding, fast deposit/withdraw loops, and features that allow quick value movement raise risk. We do not accept cash, anonymous vouchers without traceability, or crypto unless explicitly permitted by law and approved by the Board and regulator. New features require a pre‑launch risk assessment and sign‑off by Compliance and the MLRO.

5) Customer Due Diligence (CDD)

5.1 When we perform CDD

  • before establishing the relationship or enabling play;
  • before first withdrawal;
  • upon suspicion of ML/TF;
  • when information is false, inconsistent, or outdated;
  • when risk score, limits, or behaviour trigger review.

5.2 Minimum data collected

Full legal name, date of birth, nationality, residential address, e‑mail, mobile number, language, and consent/communication preferences. Device identifiers and IP are collected for security and geolocation.

5.3 Verification methods (layered)

  • Identity: passport, EU/EEA ID, Dutch driving licence, residence permit (valid, unexpired).
  • Liveness & likeness: selfie/video with liveness detection; biometric match to document photo (where lawful).
  • Document authenticity: machine‑read (MRZ/Barcode), hologram checks, forgery signals.
  • Electronic verification: trusted databases and credit bureau proxies where permitted.
  • Address: bank statement, utility bill, BRP extract (≤ 3 months), or reliable e‑verification.
  • Payment ownership: redacted bank statement showing name & IBAN; masked card image (first 6 and last 4 digits). Third‑party funding is prohibited.

5.4 Purpose and intended nature

We record product preferences and expected activity (approximate spend, typical deposit methods, frequency). The baseline informs monitoring and affordability assessments.

5.5 Incomplete or failed CDD

If CDD cannot be completed promptly, we restrict activity and—where lawful—return funds to source. If suspicion exists, the MLRO assesses whether to file an STR.

6) Enhanced Due Diligence (EDD)

EDD is applied where higher risk is present, including:

  • PEPs (including close associates/relatives) or other high‑profile exposure;
  • adverse media pointing to fraud, corruption, tax evasion, or organised crime;
  • complex patterns (large, rapid, or structured transactions) not aligned with profile;
  • links to higher‑risk geographies, industries, or sanctioned persons;
  • non‑resident indicators, frequent device/IP changes, proxy/VPN use;
  • large wins or cash‑out velocity inconsistent with play and prior activity.

EDD measures can include senior‑management approval, additional identity evidence, independent address proof, Source of Funds (SOF)/Source of Wealth (SOW), reduced limits, watch‑list flags, and more frequent monitoring. Absence of reasonable SOF/SOW leads to restriction or exit.

7) Screening and watch‑lists

  • Sanctions: screen all players at onboarding and daily thereafter against EU/UN/Dutch lists; where relevant, UK/US lists are considered to prevent indirect risk. Confirmed matches trigger refusal or freeze actions under the Sanctions Act.
  • PEP: identify PEPs and apply EDD; approvals logged; refresh cycles shortened.
  • Adverse media: for higher‑risk players, search reputable sources; material findings escalate.
  • CRUKS: checked at login and session start; positive results block play.

All screening decisions are logged with reviewer identity, timestamps, and evidence.
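The screening step above, as an added illustration that is not BinoBet's screening system or vendor code: names are normalised (case, diacritics, punctuation, token order) before comparison, a blended token/character score decides between a referral and a logged near-miss, and every decision is written out with reviewer, timestamp, and the evidence behind it. The list entries, entry IDs, thresholds, and record layout are constructed assumptions for the example.

```python
# Watch-list name screening, as an added illustration of section 7. This is not
# BinoBet's screening vendor and the list below is constructed: entry IDs, names,
# thresholds and the record layout are all assumptions made for the example.
import difflib
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timezone

REFER_THRESHOLD = 0.85     # assumed: at or above this the account is held and referred to the MLRO
DISCOUNT_THRESHOLD = 0.70  # assumed: between the two, the near-miss is logged as discounted

@dataclass
class ListEntry:
    list_id: str
    name: str
    aliases: list = field(default_factory=list)
    dob: str = ""          # ISO date where the list gives one, else empty

def normalise(name: str) -> str:
    """Fold case, strip diacritics and punctuation, sort tokens so word order does not matter."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).casefold()
    s = re.sub(r"[^a-z0-9 ]+", " ", s)
    return " ".join(sorted(s.split()))

def similarity(a: str, b: str) -> float:
    """Blend token overlap (Jaccard) with character similarity on the normalised forms."""
    na, nb = normalise(a), normalise(b)
    ta, tb = set(na.split()), set(nb.split())
    jaccard = len(ta & tb) / len(ta | tb) if ta | tb else 0.0
    return round(0.5 * jaccard + 0.5 * difflib.SequenceMatcher(None, na, nb).ratio(), 3)

def screen(player_name: str, player_dob: str, watchlist: list) -> tuple:
    """Return (decision, hits). A strong name hit is never auto-cleared on DOB alone:
    a DOB conflict is recorded as context for the reviewer, not used to discount."""
    hits = []
    for entry in watchlist:
        best = max(similarity(player_name, n) for n in [entry.name, *entry.aliases])
        if best < DISCOUNT_THRESHOLD:
            continue
        hits.append({
            "list_id": entry.list_id, "listed_name": entry.name, "score": best,
            "dob_conflict": bool(entry.dob and player_dob and entry.dob != player_dob),
            "outcome": "refer" if best >= REFER_THRESHOLD else "discounted",
        })
    decision = "hold_and_refer" if any(h["outcome"] == "refer" for h in hits) else "clear"
    return decision, hits

def decision_record(player_id: str, reviewer: str, decision: str, hits: list) -> dict:
    """Audit entry in the shape section 7 asks for: who decided what, when, on what evidence."""
    return {"player_id": player_id, "reviewer": reviewer, "decision": decision,
            "evidence": hits, "at": datetime.now(timezone.utc).isoformat()}

# Constructed watch-list for the example (not real list data).
WATCHLIST = [
    ListEntry("EU-0001", "Ivan Petrović", ["Petrovic, Ivan", "I. Petrovich"], "1970-05-01"),
    ListEntry("UN-0002", "Mohammed Al-Rashid", ["Muhammad Alrashid"]),
]

if __name__ == "__main__":
    for pid, name, dob in [("p1", "ivan PETROVIC", "1970-05-01"),
                           ("p2", "Mohamed Al Rashid", "1985-01-01"),
                           ("p3", "Jan Jansen", "1990-02-02")]:
        decision, hits = screen(name, dob, WATCHLIST)
        print(decision_record(pid, "screening-bot", decision, hits))
```

Two design points matter for a reviewer. First, the code never clears a strong name match on a date-of-birth difference by itself, because list entries often carry no or approximate dates; the conflict is logged and the MLRO decides. Second, near-misses between the two thresholds are still written to the log as "discounted" so that an auditor can see what was considered and rejected, not only what was referred.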

8) Ongoing monitoring

8.1 Philosophy

Monitoring combines rules, machine‑learned risk signals, and human review. We compare behaviour to the individual baseline and to peer groups. AML signals are fused with responsible‑gambling indicators to produce a coherent risk view.

8.2 Illustrative scenarios

  • Rapid deposit → minimal play → withdrawal (value recycling).
  • Round‑tripping between many payment instruments.
  • Many failed deposits/declines or card tests.
  • Adding several new cards/IBANs in short windows.
  • Structuring below verification thresholds.
  • New devices, Tor/VPN/remote‑desktop use, or long‑distance IP jumps.
  • Withdrawals to newly added instruments; name mismatches.
  • Spikes in deposits inconsistent with declared SOF/SOW.
  • Cross‑account patterns that suggest syndicates or value transfer.
  • Bonus abuse signals overlapping with AML red flags.

8.3 Case handling

Alerts are graded Low/Medium/High/Severe. Low risk can be closed with rationale. Medium+ triggers investigation; withdrawals may be paused pending review. Each action (document request, limit change, pause) is recorded with reason, owner, and next review date.
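The scenarios in 8.2 and the grading in 8.3, as an added illustration that is not BinoBet's monitoring system: a handful of the listed patterns (value recycling, structuring below a verification threshold, instrument velocity, payouts to freshly added instruments, holder-name mismatches) are run over a constructed event ledger, each hit carries a written rationale, and the account's aggregate score is mapped onto the Low/Medium/High/Severe grades. The event layout, thresholds, scores, and band boundaries are assumptions for the example; the policy sets the real values in the EWRA.

```python
# Rule-based transaction monitoring for the 8.2 scenarios, graded as in 8.3.
# Added illustration, not BinoBet's production system: the event layout, the
# thresholds and the scores are assumptions; real values come from the EWRA.
from dataclasses import dataclass

VERIFICATION_THRESHOLD = 1000.0  # EUR; deposits just under this look like structuring
STRUCTURING_WINDOW_H = 24        # hours
RECYCLE_WINDOW_H = 24            # deposit-to-withdrawal window for value recycling
MIN_WAGER_RATIO = 0.2            # wagered/deposited below this counts as "minimal play"
NEW_INSTRUMENT_LIMIT = 3         # this many new cards/IBANs inside NEW_INSTRUMENT_WINDOW_H
NEW_INSTRUMENT_WINDOW_H = 48
FRESH_INSTRUMENT_H = 24          # payout to an instrument added less than this long ago

@dataclass
class Event:
    account: str
    ts: float          # hours since the start of the constructed log
    kind: str          # "deposit" | "bet" | "withdraw" | "add_instrument"
    amount: float = 0.0
    instrument: str = ""
    holder: str = ""   # name on the payment instrument, for mismatch checks

@dataclass
class Alert:
    account: str
    scenario: str
    score: int
    rationale: str     # written so an impartial reviewer can follow the decision

def grade(score: int) -> str:
    """Aggregate score -> 8.3 grade (band boundaries are assumptions)."""
    return "Severe" if score >= 9 else "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def evaluate(events, holder_name):
    """Run every scenario over one account's events; return (alerts, grade)."""
    ev = sorted(events, key=lambda e: e.ts)
    acct = ev[0].account
    deps = [e for e in ev if e.kind == "deposit"]
    bets = [e for e in ev if e.kind == "bet"]
    wds = [e for e in ev if e.kind == "withdraw"]
    adds = [e for e in ev if e.kind == "add_instrument"]
    alerts = []

    # Rapid deposit -> minimal play -> withdrawal (value recycling).
    for w in wds:
        lo = w.ts - RECYCLE_WINDOW_H
        dep_sum = sum(d.amount for d in deps if lo <= d.ts <= w.ts)
        wagered = sum(b.amount for b in bets if lo <= b.ts <= w.ts)
        if dep_sum > 0 and wagered < MIN_WAGER_RATIO * dep_sum:
            alerts.append(Alert(acct, "value_recycling", 4,
                f"withdrew {w.amount:.0f} within {RECYCLE_WINDOW_H}h of depositing "
                f"{dep_sum:.0f} while wagering only {wagered:.0f}"))

    # Structuring: several sub-threshold deposits that together exceed the threshold.
    for i, d in enumerate(deps):
        run = [x for x in deps[i:] if x.ts <= d.ts + STRUCTURING_WINDOW_H]
        total = sum(x.amount for x in run)
        if len(run) >= 2 and total >= VERIFICATION_THRESHOLD and all(
                x.amount < VERIFICATION_THRESHOLD for x in run):
            alerts.append(Alert(acct, "structuring", 3,
                f"{len(run)} deposits each below {VERIFICATION_THRESHOLD:.0f} "
                f"totalling {total:.0f} within {STRUCTURING_WINDOW_H}h"))
            break  # one alert per account; the case handler sees the whole run

    # Several new cards/IBANs added in a short window.
    for i, a in enumerate(adds):
        run = [x for x in adds[i:] if x.ts <= a.ts + NEW_INSTRUMENT_WINDOW_H]
        if len(run) >= NEW_INSTRUMENT_LIMIT:
            alerts.append(Alert(acct, "instrument_velocity", 2,
                f"{len(run)} instruments added within {NEW_INSTRUMENT_WINDOW_H}h"))
            break

    # Payout to a freshly added instrument, and holder name vs. the KYC name.
    added_at = {a.instrument: a.ts for a in adds}
    for w in wds:
        age = w.ts - added_at.get(w.instrument, float("-inf"))
        if age < FRESH_INSTRUMENT_H:
            alerts.append(Alert(acct, "fresh_instrument_payout", 2,
                f"payout to {w.instrument} added {age:.0f}h earlier"))
        if w.holder and w.holder.casefold() != holder_name.casefold():
            alerts.append(Alert(acct, "name_mismatch", 3,
                f"instrument holder '{w.holder}' differs from KYC name '{holder_name}'"))

    return alerts, grade(sum(a.score for a in alerts))

# Constructed sample ledger (not real player data): p1 is ordinary play, p2 recycles value.
SAMPLE = {
    "p1": [Event("p1", 0, "deposit", 50, "iban-a"), Event("p1", 5, "bet", 20),
           Event("p1", 9, "bet", 20), Event("p1", 30, "withdraw", 30, "iban-a", "Jan Jansen")],
    "p2": [Event("p2", 0, "add_instrument", 0, "card-1"), Event("p2", 1, "add_instrument", 0, "card-2"),
           Event("p2", 2, "add_instrument", 0, "iban-x", "K. Other"),
           Event("p2", 3, "deposit", 900, "card-1"), Event("p2", 4, "deposit", 950, "card-2"),
           Event("p2", 5, "deposit", 990, "card-1"), Event("p2", 6, "bet", 100),
           Event("p2", 8, "withdraw", 2700, "iban-x", "K. Other")],
}
KYC_NAMES = {"p1": "Jan Jansen", "p2": "Piet de Vries"}

if __name__ == "__main__":
    for acct, evs in SAMPLE.items():
        alerts, g = evaluate(evs, KYC_NAMES[acct])
        print(acct, g, [(a.scenario, a.rationale) for a in alerts])
```

Each alert stores a rationale sentence alongside its score so the case record satisfies 8.3 ("reason, owner, next review date") without the analyst reconstructing why the rule fired; the ordinary account produces no alerts and grades Low, while the constructed recycling account trips five scenarios and grades Severe.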

8.4 Periodic refresh & triggers

KYC refresh cycles: typically 12/24/36 months by risk tier. Additional refresh triggers: limit increases, new payment instruments, large or rapid withdrawals, sanctions/PEP changes, address changes, and reactivation after dormancy.

9) Payments and value movement controls

  • Accept only methods in the player’s name; use pay‑to‑source where possible.
  • Apply velocity caps for new accounts and new instruments.
  • Split large payouts where banking limits or risk controls require.
  • Prohibit anonymous or untraceable funding methods; crypto not accepted unless authorised by law and approved by the Board.
  • Monitor chargebacks; winnings linked to charged‑back deposits are contingent until resolution.

10) Investigations & outcomes

10.1 Workflow

  1. Intake: alert raised by rule/model/staff.
  2. Scope: define hypothesis; apply interim controls (e.g., pause withdrawal).
  3. Evidence: gather KYC pack, payments, gameplay, device data, communications, external sources.
  4. Customer contact: request targeted docs (SOF/SOW, ownership).
  5. Analysis: compare to baseline and peer norms; assess plausibility.
  6. Decision: clear; clear with conditions; restrict; suspend; exit; recommend STR.
  7. Closure: record rationale, evidence, next review.

10.2 Possible actions

  • Clear — no material risk; monitoring continues.
  • Conditions — set limits, restrict products, schedule refresh.
  • Request info — targeted documents with deadlines.
  • Restrict/Suspend — temporary pause pending evidence.
  • Exit — relationship ended; funds returned subject to law.
  • STR — suspicion that funds are criminal property or linked to TF.

11) Suspicious Transaction Reports (STRs)

Where we know, suspect, or have reasonable grounds to suspect ML/TF, the MLRO files an STR with FIU‑Netherlands promptly. We maintain confidentiality, preserve evidence, and do not tip off the player. STR logs include narrative, indicators, amounts, counterparties (if known), and related case IDs.

12) Record‑keeping and retention

We keep complete, accurate, retrievable records:

  • CDD/EDD packs (identity, address, ownership, SOF/SOW).
  • Sanctions/PEP/adverse‑media and CRUKS screening logs.
  • Alerts, cases, decisions, approvals, and audit trails.
  • Payments, reconciliations, chargebacks, and payout routing.
  • STR filings and regulator correspondence (restricted access).
  • Training completion, QA results, audits, and remediation.

Retention: Typically 5–7 years after account closure for KYC/AML under Wwft; 7 years for finance/audit. When retention ends, we delete or anonymise data. Access is role‑based and logged.

13) Data protection & confidentiality

AML/KYC processing follows the GDPR principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. Identity and financial documents are encrypted at rest and in transit, and are uploaded and downloaded only through secure portals. A player's erasure request is honoured where no statutory retention obligation applies; records subject to legal retention (Section 12) are kept for the required period and then deleted or anonymised.

14) Technology and model governance

All AML/KYC systems (IDV, document authenticity, device intelligence, sanctions/PEP screening, monitoring, case management) require Compliance sign‑off. Rules and models are version‑controlled and tested pre‑production; we monitor false‑positive/false‑negative rates and drift. Data quality checks run daily; failures create incidents with owners and SLAs. Vendor changes follow due‑diligence and DPIA steps.

15) Training & competence

  • Induction: AML/KYC fundamentals, red flags, escalation, secure data handling (before system access).
  • Annual refresher: law and policy updates, case studies, assessment (pass mark enforced).
  • Role‑specific: Payments (chargebacks, routing), VIP (EDD/SOF/SOW), Support (first‑line questions), Product/Tech (logging impacts).
  • Targeted: new sanctions regimes, new payment method, or major model change.

System access may be suspended if training lapses.

16) Quality assurance (QA), metrics, and reporting

Compliance runs periodic QA on onboarding files, withdrawals, and closed cases. Findings feed coaching and scenario tuning. The MLRO reports quarterly to the Board on: onboarding pass/refer/decline rates; document turnaround; alert volumes and case conversion; case ageing; sanctions hits and clearance times; STR volumes and time‑to‑file; withdrawal holds and outcomes; training completion; QA pass rates; audit remediation.

Key Risk Indicators (KRIs) are defined in Appendix G and reviewed monthly.

17) Third parties and outsourcing

We vet KYC vendors, screening partners, PSPs, and hosting providers. Contracts include confidentiality, data‑processing terms, audit rights, SLAs, incident notification, and sanctions compliance. Outsourcing does not transfer our obligations; BinoBet remains accountable.

18) Interaction with Responsible Gambling 

Financial‑crime and player‑protection signals overlap (rapid spend increases, night‑time sessions, payment distress). AML and RG teams coordinate on shared cases and agree a single customer contact to avoid mixed messages. Where harm is evident, player protection takes precedence; AML reviews continue in parallel.

19) Incidents, breaches, and remediation

When a control fails (missed screening, payout to third‑party account, late STR), we:

  1. Contain (freeze or recall funds, pause activity),
  2. Assess impact and notification duties,
  3. Notify KSA/FIU‑NL or others where required,
  4. Remediate root causes (process, system, training),
  5. Document the incident and lessons learned.

Material incidents are reported to the Board.

20) Policy lifecycle and exceptions

  • Review: at least annually and on legal/operational change.
  • Approval: Board of Directors.
  • Exceptions: risk‑assessed, time‑bound, documented, and approved by the MLRO; blanket exceptions are not allowed.
  • Versioning: change log maintained; archived copies available to auditors and regulators.