AML & KYC Policy
1. Purpose and scope
This Policy applies to all of our Platform’s products, processes, and channels. It also governs the collection and use of consumer data in conformity with consumer protection and privacy regulations. This Policy is meant to supplement our Privacy Notice, Terms & Conditions, Security Standards, and Policy on Responsible Play.
This Policy covers:
- governance and roles;
- our risk‑based approach;
- customer due diligence (CDD) and enhanced due diligence (EDD);
- ongoing monitoring, screening, and transaction surveillance;
- investigations and suspicious transaction reports;
- record‑keeping and audit;
- training and awareness;
- use of technology and suppliers;
- data protection and confidentiality;
- breach management and disciplinary actions.
2. Legal and regulatory framework
We operate under Dutch and EU law and follow guidance from the Kansspelautoriteit (KSA) and Financial Intelligence Unit‑Netherlands (FIU‑NL). Key instruments include:
- Wwft — the Dutch Prevention of Money Laundering and Terrorist Financing Act;
- Sanctions Act 1977 and related decrees;
- Remote Gambling Act and licence conditions set by the KSA;
- EU AML Directives and technical standards;
- GDPR/AVG for data protection and data subject rights.
Where rules conflict, BinoBet follows the stricter requirement. We monitor legal updates and adjust this Policy and our controls when needed.
3. Risk‑based approach (RBA)
3.1 Principles
We tailor our controls to the level of risk. We consider customer, product, channel, geography, and transaction factors. We do not accept customers or activity where risk cannot be reduced to an acceptable level.
3.2 Enterprise‑wide risk assessment (EWRA)
At least once a year, and on material change, we run an EWRA. It identifies inherent risks, assesses control effectiveness, and sets our residual risk appetite. Results are documented, approved by the Board, and translated into control changes, staffing needs, and technology roadmaps.
4. Governance and responsibilities
4.1 Board and senior management
The Board owns AML/CFT risk and sets the tone for compliance. It approves the EWRA, this Policy, and the annual compliance plan. Senior management ensures resources, independence, and escalation paths for the AML function.
4.2 Money Laundering Reporting Officer (MLRO)
The MLRO is responsible for ensuring compliance on a daily basis, keeping processes up to date, investigating alerts, deciding on FIU-NL reporting, communicating with the KSA and law enforcement, and reporting to the Board every three months. When deemed necessary, the MLRO may block transactions and has unfettered access to data and systems. If the MLRO is not available, a deputy MLRO will step in.
4.3 First line of defence
Operations, Customer Support, Payments, Marketing, and Product teams own the risks in their processes. They must follow procedures, perform documented checks, and escalate promptly.
4.4 Second and third lines
Compliance (second line) designs the framework, advises, and challenges. Internal Audit (third line) independently evaluates the framework’s design and effectiveness at least annually.
4.5 Training and competence
All staff complete AML/CFT induction training before system access and annual refreshers after that. Role‑based modules exist for Support, Payments, VIP, and Tech. Training completion is a condition of continued access.
5. Customer due diligence (CDD)
5.1 When CDD is required
- before or at the point of establishing a business relationship;
- before processing a withdrawal;
- on suspicion of money laundering or terrorist financing;
- when we doubt the truth of previously obtained data;
- on risk triggers (Section 8.5).
5.2 Identifying the customer
Customers are required to provide personal data, including full name, date of birth, nationality, residential address, and phone number. We verify identity using trustworthy third-party sources, such as Dutch driver’s licences, residence permits, or official government-issued documents such as a passport or an EU/EEA ID. Where possible, e-ID tools are used. We may ask for a live video or photo to confirm that you match your identity document.
5.3 Address verification
We verify the address with a recent (≤3 months) document such as a bank statement, utility bill, or BRP extract. Electronic address verification tools may be used where reliable.
5.4 Ownership of payment methods
Deposits and withdrawals must use methods in the customer’s name. We may request bank statements showing the customer’s name and IBAN, or a masked card image. Third‑party payments are prohibited.
5.5 Purpose and nature of the relationship
We understand the player’s expected use of the Platform: intended products, estimated spending, funding sources, and withdrawal patterns. This helps establish a baseline for monitoring.
5.6 Failure of CDD
If CDD cannot be completed, we do not start or continue the relationship. Accounts are restricted, and funds may be returned where legally permissible. If suspicion exists, we consider an FIU‑NL report.
6. Enhanced due diligence (EDD)
EDD is applied when higher risk is identified. Triggers include PEP status, non‑resident indicators, complex payment behaviour, high velocity of deposits/withdrawals, adverse media, or unusual product use.
EDD measures may include:
- senior management approval before onboarding or before increasing limits;
- additional identity verification (e.g., certified copies, multiple documents);
- detailed source of funds (SOF) and source of wealth (SOW) checks with documentary proof;
- lower transaction limits and tighter monitoring scenarios;
- periodic reviews at shorter intervals.
If SOF/SOW cannot be reasonably evidenced, we restrict or terminate the relationship.
7. Screening and sanctions compliance
7.1 Sanctions screening
We screen customers at onboarding and daily thereafter against EU, UN, Dutch national, UK, and US lists as appropriate under the Sanctions Act. A positive or potential match is escalated immediately to the MLRO. Accounts are frozen as required by law until cleared.
7.2 PEP screening and treatment
We screen for politically exposed persons and close associates/relatives. PEPs require EDD, approval by senior management, lower thresholds for review, and tighter limits. We maintain auditable records of decisions.
7.3 Adverse media
We run adverse media checks for higher‑risk customers and on risk triggers. Credible negative news indicating financial crime leads to EDD, restrictions, or exit.
8. Ongoing monitoring and surveillance
8.1 Principles
We monitor behaviour to ensure it aligns with the stated purpose and risk profile. Monitoring is both automated and manual.
8.2 Transaction monitoring scenarios (illustrative)
- rapid cycles of deposit‑play‑withdraw with minimal gaming activity;
- high‑value deposits followed by low‑risk play and fast withdrawal;
- use of multiple payment instruments with different IBANs;
- deposits from and withdrawals to newly added methods shortly before a big cash‑out;
- repeated failed deposits across cards;
- device or IP anomalies, including Tor/VPN use;
- structuring just below verification thresholds;
- activity inconsistent with declared income or affordability checks;
- cross‑account patterns suggesting syndicates or mule networks.
8.3 Responsible play signals
We integrate responsible‑play data (session length, chasing losses, sharp changes in spend). Harm indicators can also be financial‑crime indicators. We coordinate actions between the AML and Safer Gambling teams.
8.4 Alert handling
Alerts are triaged by risk. Low‑risk alerts are cleared with notes. Medium‑ and high‑risk alerts move to investigation. We apply holds on withdrawals where necessary. Each step is recorded in the case management system.
8.5 Review triggers
We perform a KYC refresh when: limits increase, payment methods change, the risk score increases materially, a large withdrawal is requested, or on periodic cycles (12, 24, or 36 months depending on risk).
9. Investigations and reporting
9.1 Case management
Investigations follow a documented workflow: intake, scoping, evidence collection, analysis, decision, and closure. We keep a full audit trail, including screenshots of key data.
9.2 Information gathering
We may request additional documents: recent bank statements, payslips, tax returns, contracts of sale, inheritance documents, or proof of winnings from another operator. We assess plausibility, consistency, and affordability.
9.3 Decision outcomes
Possible outcomes include: clear with no action; clear with conditions (limits, monitoring); request more information; restrict deposits or withdrawals; suspend account; or terminate the relationship.
9.4 Suspicious transaction reports (STR)
If suspicion remains that funds are the proceeds of crime or related to terrorist financing, the MLRO files an STR without delay with FIU‑Netherlands. We include all relevant facts, reasons for suspicion, and supporting documents. Tipping‑off is prohibited; we do not tell the customer that an STR has been filed.
9.5 Law enforcement and regulator liaison
We cooperate with lawful requests and court orders. Requests are validated by Legal and the MLRO before disclosure. Disclosures are logged.
10. Payments and withdrawal controls
- We only accept payments from accounts in the customer’s name.
- We return withdrawals to the original funding method where possible.
- High‑risk payment types (prepaid cards without KYC, anonymous vouchers) are disallowed.
- Limits apply to new payment instruments until checks are complete.
- We block third‑party and cash transactions.
- Currency is EUR. Currency conversion, if offered, follows transparent rates and is monitored for abuse.
11. Records, retention, and audit
We keep CDD files, transaction histories, alert and case records, STR files, training logs, and audit trails for the periods required by Wwft and licence conditions. Records must be accurate, complete, and retrievable within reasonable time. Electronic records are protected against alteration and unauthorised access.
Internal Audit conducts yearly reviews of design and operating effectiveness, including sampling of CDD files, alert handling, STR decisions, and data security controls. Findings lead to time‑bound remediation plans.
12. Training and awareness
All staff complete induction and annual refresher training covering: typologies and red flags, sanctions and PEP handling, CDD/EDD requirements, transaction monitoring basics, responsible‑play intersections, data protection, and reporting pathways. Scenario‑based workshops are run for high‑exposure teams (Payments, VIP, Support). Training effectiveness is tracked through assessments and QA sampling.
13. Technology and data
13.1 Systems
We use tools for identity verification, document authenticity checks, device intelligence, transaction monitoring, PEP/sanctions/adverse‑media screening, and case management. Changes to rules or models follow change management with testing and sign‑off by Compliance.
13.2 Data quality
We minimise manual data entry, run validation rules, and reconcile data across systems. Data lineage and control ownership are documented. Defects are prioritised based on risk to investigations or reporting.
13.3 Privacy and security
We process personal data under GDPR/AVG. Access to AML data is on a need‑to‑know basis, logged and reviewed. Sensitive documents are encrypted in transit and at rest. We retain only what is necessary and delete or anonymise when retention expires.
14. Third parties and outsourcing
Where we use vendors (for KYC, screening, payments, or analytics), we conduct due diligence covering licensing, security, privacy, and sanctions controls. Contracts include audit rights, SLAs, breach notification duties, and data‑processing terms. We monitor performance and risk at least annually. Outsourcing never transfers our regulatory obligations—BinoBet remains responsible.
15. Breaches, incidents, and disciplinary action
Suspected breaches of this Policy must be reported to the MLRO immediately. The MLRO and Legal coordinate investigations and remedial steps. Serious breaches may be reported to the KSA or FIU‑NL and can lead to disciplinary action up to and including dismissal. Where customer harm is identified, we prioritise containment and, where lawful, customer notification.
16. Communication and customer experience
We write to customers in clear language when requesting documents or explaining restrictions. We avoid jargon and set realistic timelines. We never request full card numbers or online banking passwords. We explain how we protect their data and why checks are necessary. We coordinate with the Responsible Play team when interactions touch both areas.
17. Metrics and management information
We track: onboarding pass/fail rates; time to verify; number of alerts and conversion to cases; case ageing; STR volumes and turnaround; PEP/sanctions matches; training completion; QA pass rates; audit findings; and outcome metrics (e.g., prevented losses, blocked withdrawals). The MLRO reports quarterly to the Board, highlighting trends and resource needs.
18. Policy maintenance and approvals
This Policy is reviewed at least annually, or sooner if laws, risks, or business models change. Updates are drafted by Compliance, reviewed by Legal and key stakeholders, and approved by the Board. Superseded versions are archived with a change log.
19. Red flags (non‑exhaustive)
- Multiple accounts linked by devices or IPs;
- Frequent deposits with minimal or no play;
- Round‑tripping funds through different payment methods;
- Structuring deposits/withdrawals to avoid thresholds;
- Sudden spikes in spending inconsistent with known income;
- Payments from high‑risk geographies or sanctioned territories via intermediaries;
- Use of VPN, Tor, or remote desktop tools;
- Third‑party behaviour (e.g., many accounts using the same IBAN);
- Attempts to bribe or pressure staff;
- Adverse media linking a customer to fraud, corruption, or organised crime;
- Links between responsible‑play harm signals and unusual funding sources.
20. Customer lifecycle controls (summary checklist)
Onboarding
- Collect and verify identity; sanctions/PEP screening; device fingerprinting; initial risk score; set default limits.
Funding
- Accept only named methods; verify ownership; monitor first deposits for velocity and patterns.
Play
- Monitor gameplay vs. baseline; link AML and Safer Gambling alerts; block obvious abuse.
Withdrawal
- Reconfirm identity on risk triggers; pay to source of funds; review activity since last check.
Periodic review
- Refresh KYC on risk‑based cycles; reassess SOF/SOW for higher‑risk customers.
Exit
- Document reasons; retain records; report where required; monitor for attempted re‑entry.
21. Tipping‑off and confidentiality
We comply with legal prohibitions on tipping‑off. Staff must not inform a customer that their activity is under investigation or that an STR has been filed. Internal communications about cases are limited to need‑to‑know recipients and use approved secure channels.
22. Interaction with other policies
This Policy should be read together with:
- Terms and Conditions;
- Privacy Notice and Data Retention Standard;
- Information Security Policy;
- Responsible Play Policy;
- Sanctions Compliance Standard;
- Third‑Party Risk Management Standard;
- Incident Response Plan.
23. Glossary
- CDD: Customer Due Diligence
- EDD: Enhanced Due Diligence
- EWRA: Enterprise‑Wide Risk Assessment
- FIU‑NL: Financial Intelligence Unit–Netherlands
- KSA: Kansspelautoriteit
- MLRO: Money Laundering Reporting Officer
- PEP: Politically Exposed Person
- RBA: Risk‑Based Approach
- SOF/SOW: Source of Funds / Source of Wealth
- STR: Suspicious Transaction Report
- Wwft: Dutch AML/CFT law
24. Version control
- Owner: MLRO
- Approved by: Board of Directors
- Review cycle: Annual or on material change
- Change log: maintained in the Compliance repository