AML & CTF Policy
1) Purpose, scope, and guiding principles
This Policy sets out how BinoBet identifies and verifies customers and how we detect and prevent money laundering, terrorist financing, and associated financial crimes. It covers the whole player lifecycle (sign-up, play, deposits, withdrawals, account changes, and account closure) and applies to all channels (website, mobile apps, support).
Our principles are simple:
- Risk-based: stronger checks where risk is higher.
- Law-led: we comply with the Wwft, the Sanctions Act 1977 and associated decrees, the Dutch Remote Gambling Act and licence conditions, and GDPR/AVG.
- Timely: checks are performed before risk is crystallised (e.g., before first withdrawal).
- Proportionate: we collect only what we need and retain it only as long as required.
- Documented: decisions are recorded so an independent reviewer can understand the “what, why, and when”.
This Policy is supported by detailed procedures and work instructions. Where this Policy and a procedure differ, the stricter control applies.
2) Legal and regulatory framework
- Wwft (Prevention of Money Laundering and Terrorist Financing Act)
- Sanctions Act 1977 and EU/UN sanctions regulations
- KSA licence conditions, policy rules, and guidance for remote gaming
- GDPR/AVG for processing personal data
- Consumer and civil law obligations related to fairness and transparency
We track legal changes and update procedures without delay. The MLRO ensures staff are briefed on material updates.
3) Governance, roles, and accountability
- Board of Directors — sets risk appetite, approves this Policy and the Enterprise-Wide Risk Assessment (EWRA), receives quarterly AML/KYC metrics and notable case summaries.
- MLRO — owns the programme; approves scenarios, investigates escalations, files suspicious transaction reports (STRs) with FIU-Netherlands, and can pause gameplay or payments. Reports independently to the Board.
- Deputy MLRO — ensures continuity when the MLRO is unavailable.
- First line (Payments, Support, VIP, Operations, Growth) — performs CDD/EDD collection, transaction reviews, case documentation, and timely escalations.
- Second line (Compliance & Risk) — designs controls, monitors effectiveness, runs thematic reviews, and provides challenge.
- Third line (Internal Audit) — tests programme design and effectiveness at least annually.
- All employees — complete training before system access and annually thereafter, and report suspicions immediately (“if in doubt, escalate”).
A formal RACI is maintained for onboarding, withdrawals, transaction monitoring, sanctions hits, and STR filing.
4) Risk-based approach (RBA)
4.1 Enterprise-Wide Risk Assessment (EWRA)
At least annually, and on material change (new product, market, partner, or payment method), we assess inherent risk across customers, products, channels, geography, and delivery. We evaluate control strength, determine residual risk, and set thresholds (e.g., velocity limits, EDD triggers). EWRA outcomes are approved by the Board.
4.2 Customer risk rating
Each player has a dynamic risk score assigned at onboarding and maintained throughout their lifecycle. The model considers identity attributes, device signals, payment behaviour, deposit/withdrawal patterns, product mix, sanction/PEP/adverse-media results, affordability indicators, and previous compliance history. Risk scores are tiered Low / Medium / High / Severe and drive CDD depth, monitoring intensity, and review frequency.
4.3 Product and channel risk
Remote onboarding, instant deposits, fast withdrawals, and peer-to-peer value transfers present higher risk. We do not accept cash, anonymous vouchers without traceability, or crypto unless explicitly permitted and approved by the Board and the regulator. New features require a documented pre-launch risk assessment.
5) Customer Due Diligence (CDD)
5.1 When we perform CDD
- before establishing a relationship or allowing play;
- before first withdrawal;
- upon suspicion of ML/TF;
- when information appears false, inconsistent, or outdated;
- when a player’s risk score or behaviour triggers a review.
5.2 Identification data
We collect full legal name, date of birth, nationality, residential address, email, mobile number, and preferred language. We also capture device identifiers and IP for security and geolocation checks.
5.3 Verification methods
- Identity: passport, EU/EEA ID card, Dutch driving licence, residence permit (valid, unexpired).
- Biometrics: selfie or live video with liveness detection and likeness match, where permitted.
- Electronic verification: trusted data sources and document-authenticity checks.
- Address: document ≤ 3 months old (bank statement, utility bill, BRP extract) or reliable e-verification.
5.4 Payment method ownership
Deposits and withdrawals must use instruments in the player’s name. We may request a redacted bank statement (name + IBAN) or masked card image (first 6 and last 4 digits). Third-party funding and money-mule patterns are prohibited.
5.5 Purpose and intended nature
We record how a player expects to use the Platform (product selection, approximate spend, funding sources). This baseline informs monitoring and affordability checks.
5.6 Failure to complete CDD
If CDD cannot be completed in a reasonable time, we restrict activity, decline transactions, and—where lawful—return funds to source. If suspicion exists, the MLRO assesses whether to file an STR.
6) Enhanced Due Diligence (EDD)
EDD applies when higher risk is present, including but not limited to:
- PEPs, their close associates or family members;
- adverse media suggesting fraud, corruption, tax evasion, or organised crime;
- complex structures or unusual, large, or rapid transactions not aligned with profile;
- connections to higher-risk geographies or industries;
- non-resident indicators, frequent device/IP changes, or proxy/VPN usage;
- large wins or cash-out velocity inconsistent with prior activity.
EDD measures may include senior management approval, additional identity evidence, independent address verification, Source of Funds (SOF)/Source of Wealth (SOW) documentation, tighter limits, more frequent reviews, and ongoing monitoring. If SOF/SOW cannot be reasonably evidenced, we restrict or end the relationship.
7) Screening (sanctions, PEP, adverse media)
- We screen all players at onboarding and daily thereafter against EU, UN, and Dutch sanctions lists; where relevant, UK/US lists may also be considered. Positive or potential matches are escalated immediately. We refuse or freeze transactions where the law requires.
- We identify PEPs and apply EDD plus senior approval; periodic refresh cycles are shorter for PEP relationships.
- We conduct adverse-media checks for higher-risk players using reputable sources; material hits trigger EDD or exit.
All screening results and decisions are logged with timestamps and reviewer identifiers.
8) Ongoing monitoring
8.1 Principles
Monitoring uses automated rules, machine-learned risk signals, and human review. Behaviour is compared to a personal baseline and to peer groups. AML insights are joined with safer-gambling indicators to form a single risk picture.
8.2 Illustrative scenarios
- Rapid deposit → minimal play → withdrawal cycles (value recycling).
- Round-tripping between many payment instruments.
- Frequent failed deposits or card declines.
- Many new cards/IBANs added in short periods.
- Structuring just below verification thresholds.
- New devices, TOR/VPN/remote desktop usage, or distant IP jumps.
- Withdrawals to newly added instruments or to bank accounts with mismatched names.
- Spikes in deposits inconsistent with salary or declared SOF/SOW.
- Cross-account patterns suggesting syndicates or value transfer.
8.3 Case handling
Alerts are graded Low/Medium/High/Severe. Low-risk alerts can be cleared with a documented rationale. Medium and above escalate to investigation; withdrawals may be paused pending review. Every action (hold, request for documents, limit change) is recorded with reason, owner, and next review date.
8.4 Periodic refresh
We refresh KYC on cycles tailored to risk (e.g., 12/24/36 months). Triggers include limit increases, new payment instruments, large withdrawals, and profile changes.
9) Payment controls
- Accept deposits only from instruments in the player’s name; return withdrawals to source where possible (pay-to-source).
- Apply velocity caps and cooling-off periods to new instruments and to new accounts.
- Split large payouts where banking or risk constraints require.
- Decline anonymous funding; prohibit crypto unless legally permitted and approved by the Board.
- Monitor chargebacks; winnings tied to charged-back deposits may be treated as contingent until resolved.
10) Investigations, outcomes, and reporting
10.1 Investigation workflow
- Intake — alert created by a rule, model, or staff referral.
- Scope — define questions to answer; set interim controls (e.g., pause withdrawal).
- Data gathering — KYC pack, payments, devices, gameplay, communications, external sources.
- Customer contact — request SOF/SOW or payment ownership documents if needed.
- Analysis — compare behaviour to baseline and peer norms; assess plausibility of funds.
- Decision — clear; clear with conditions; restrict; suspend; exit; recommend STR.
- Closure — record rationale, evidence, and next review.
10.2 Outcomes and actions
- Clear — no issue; monitoring continues.
- Clear with conditions — set limits, restrict products, schedule refresh.
- Request more information — specific documents with deadlines.
- Restrict/Suspend — temporary pause pending evidence.
- Exit — relationship ended; funds returned subject to law.
- STR — suspicion remains that funds are criminal property or linked to TF.
10.3 Suspicious Transaction Reports (STRs)
Where suspicion meets reporting thresholds, the MLRO files an STR with FIU-Netherlands promptly and maintains confidentiality. Tipping-off is prohibited; staff must never reveal that a report is being considered or filed.
10.4 Cooperation with authorities
We respond to lawful requests from FIU-NL, police, prosecutors, the KSA, and courts. Legal and MLRO validate disclosures; we keep audit trails of what was shared and why.
11) Record-keeping and retention
We maintain complete, accurate, and retrievable records:
- CDD/EDD packs (identity, address, ownership, SOF/SOW);
- screening logs (sanctions, PEP, adverse media);
- alerts, cases, decisions, and reviewer notes;
- transaction histories and reconciliations;
- STR filings and correspondence (restricted access);
- training completion, QA results, audits, and remediation.
Retention follows law and licence conditions (e.g., 5–7 years after account closure for KYC/AML under Wwft; 7 years for financial books). When retention ends, we delete or anonymise data. Access is role-based and logged.
12) Data protection and confidentiality
AML/KYC processing follows the GDPR principles of lawfulness, fairness, openness, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality. Sensitive documents are encrypted in transit and at rest. Players submit documents through secure upload portals; uploaded documents are watermarked and downloads are restricted. Some records must be retained even where a player requests their removal; legal retention obligations take priority.
13) Technology, models, and change control
All AML/KYC-relevant systems—IDV, document authenticity, device intelligence, sanctions/PEP screening, monitoring, and case management—require Compliance sign-off. Rules and models are version-controlled and tested before go-live. We conduct quality checks, back-testing where applicable, and monitor false-positive/false-negative rates. Data quality reconciliations run daily with incident paths for failures.
14) Training and competence
- Induction (before access): AML/KYC fundamentals, red flags, escalation, data handling.
- Annual refresher: policy updates, case studies, assessment (pass mark enforced).
- Role-specific modules: Payments (chargebacks, pay-to-source), VIP (EDD/SOF/SOW), Support (first-line questions), Product/Tech (risk impacts, logging).
- Targeted training: new sanctions regime, new payment method, or major rule change.
Access to systems may be suspended if training lapses.
15) Quality assurance (QA) and metrics
Compliance runs routine QA on a sample of onboarding files, withdrawals, and closed cases. Findings feed into coaching and system improvements. The MLRO reports quarterly to the Board on: onboarding pass/refer/decline rates; document turnaround; alerts and conversion to cases; case ageing; sanctions hits and clearance times; STR volumes and time-to-file; withdrawal holds and outcomes; training completion; QA pass rates; audit remediation status.
16) Third parties and outsourcing
We vet KYC vendors, screening partners, payment processors, and hosting providers. Contracts include confidentiality, data-processing terms, audit rights, service levels, incident notification, and sanctions compliance. Outsourcing does not transfer our regulatory obligations; BinoBet remains accountable.
17) Interaction with Responsible Gambling (RG)
Financial-crime and player-protection signals often overlap (e.g., rapid spend increases, night-time sessions, payment distress). AML and RG teams coordinate on shared alerts, agree a single customer contact to avoid mixed messages, and document outcomes consistently. In cases of harm, player-protection measures take precedence.
18) Incidents, breaches, and remediation
When a control fails (e.g., missed screening, payout to a third-party account, late STR), we:
- Contain the issue (freeze, recall, or halt further action);
- Assess impact and legal obligations;
- Notify the KSA/FIU-NL or other bodies where required;
- Remediate root causes (process, system, training);
- Document the incident and lessons learned.
Material incidents are reported to the Board.
19) Policy lifecycle and exceptions
- Review: at least annually or on legal/operational change.
- Approval: Board of Directors.
- Exceptions: must be risk-assessed, time-bound, and approved by the MLRO; blanket exceptions are not allowed.
- Versioning: change log maintained; archived copies available to auditors and regulators on request.