UK Gambling Regulation: What New Betting Sites Must Follow
A single compliance lapse can close an operator overnight.
Minutes after a new betting app goes live, customer complaints flag missing age checks and lax anti‑money‑laundering flows. Regulators can open investigations from a single report; media scrutiny and blocked payment partners follow fast.
An operator must treat compliance as a product feature: embed robust KYC, transaction monitoring, deposit and stake limits, clear safer‑gambling paths, record‑keeping and timely incident reporting. Staff training, documented policies and privacy‑conscious data flows are needed from day one. Noncompliance is both a legal exposure and a business risk — licence revocation, frozen funds and reputational damage all reduce long‑term viability. Compliance must be designed in, not bolted on.
- Typical licensing application timeline: 3–6 months.
- Regulatory fines and penalties can reach seven figures; suspension or revocation possible.
- Record‑keeping and AML/SAR obligations continue after launch.
Licence duties: fit, finance and consumer protection
A UK gambling licence is not a one‑time permission; it imposes ongoing obligations that must be demonstrably met. At application, the regulator assesses fit‑and‑proper controls and financial probity — and then expects the business to keep meeting those standards throughout operation. For operators starting out, consult the practical application guidance before launch.
Regulatory expectations cluster around three themes. Key requirements include:
- Governance and personnel checks: senior staff and controllers must pass suitability checks and wrongdoing must be prevented by clear policies.
- Financial probity: adequate capital, audited accounts, segregation of player funds and liquidity to meet liabilities.
- Consumer protection: effective safer‑gambling tools, transparent terms, speedy complaints handling and AML/CFT controls.
Treat the licence as an ongoing compliance programme: maintain written policies, regular staff training, internal audits, incident logs and timely regulator reporting. External reviews and automated monitoring reduce drift.
Customers can and should verify a bookmaker’s permission as a public check on trustworthiness; learn how to check a bookmaker’s licence number before engaging. A visible licence number and up‑to‑date compliance statements signal that obligations are active, not just historic.
Practical budget and timeline planning
Operators that plan realistically avoid launch slippage and cash shortfalls. Upfront and continuing charges matter: the application and annual fees are only part of the picture — see the detailed cost breakdown for typical figures and fee bands.
Common budget items
- Application and annual licence fees
- Compliance staff (AML officer/MLRO, compliance manager)
- Transaction monitoring and KYC systems
- Legal, audit and advisory fees
- Payment processing and banking setup
Timelines depend on complexity and preparedness. Allow time for background checks, financial probity reviews and system testing; a standard application often needs several months — consult the typical timelines and common delays to set realistic milestones. Complex ownership or remediation requests can extend this further.
Practical steps: include a contingency reserve, budget an ongoing compliance line (often a few percent of revenues), appoint a qualified MLRO early, and schedule quarterly reviews of forecasts to catch cost creep before launch.
Identity, age and AML/CTF checklist
-
Capture ID and age evidence
Collect government ID, selfie or certified electronic verification at signup. Keep original images and verification vendor responses with timestamps. See why bookies verify ID for typical regulator expectations.
-
Confirm identity and sanctions screening
Run name/address matching, watchlist, PEP and sanctions checks. Log screening scores, rule versions and any manual overrides.
-
Risk-based AML profiling and affordability
Assign risk bands using transaction history, source-of-funds indicators and deposit patterns. Perform basic affordability checks where risk or stake levels demand it and record the rationale.
-
Ongoing monitoring and trigger rules
Implement automated alerts for unusual behaviour, deposit spikes or contested withdrawals. Retain alert records, investigator notes and final outcomes.
-
Retain audit trails and evidentiary copies
Store raw files, hashed copies, decision logs and retention metadata in immutable storage. Capture who acted, when, and why for every manual decision.
Keep concise, discoverable evidence.
Timestamped ID images and vendor reports Versioned rulesets, alert outputs and manual-review notes Affordability worksheets and signed customer statements where used Immutable logs showing user, time and actionMaintaining these items simplifies audits and demonstrates a consistent, risk‑based approach.
Handling GamStop registrations
At registration operators must run a GamStop check against the national self‑exclusion list and immediately prevent account creation or block access for positive matches. The check is normally an API lookup; operators are required to keep an auditable record of the query, result, timestamp and responsible staff. See how GAMSTOP works for background.
Expected safer‑gambling measures include clear written confirmation to the customer, cancelling pending wagers, marking the record as barred, and escalating borderline cases to the safer‑gambling team. Practical steps on a match: mark and lock the account, notify the registrant, log the action and follow internal SLA for disputes.
Privacy obligations demand data minimisation: retain only identifiers needed to evidence the match, encrypt stored records and follow a documented retention schedule. For specifics about what GAMSTOP shares and operator duties, consult privacy and data sharing.
Keep query logs with timestamp, result and staff ID.
Encrypt stored identifiers and restrict access.
Apply a retention schedule and securely delete data when no longer required.
Marketing and promotions: dos and don'ts
Operators must make promotions clear, accurate and prominent. Follow CAP and ASA expectations that key terms (eligibility, wagering requirements, minimum stake, opt‑outs) are not hidden in small text; see the CAP/ASA explainer on free bet ads for practical examples.
Do:
- Use plain language and prominent terms for free‑bets and bonus offers.
- Apply robust age‑ and affinity‑targeting to avoid appealing to under‑18s.
- Keep wagering requirements explicit and time limits visible.
Don't:
- Imply guaranteed returns or call a bonus “risk‑free” when conditions apply.
- Bury key restrictions behind lengthy T&Cs.
- Run influencer posts without clear commercial disclosure — consult guidance on disclosures for gambling influencers.
For platform specifics, operators should check rules about paid ads on social platforms such as advertising on Instagram in the UK via the Instagram advertising explainer.
Breach consequences: CAP and ASA rulings can force ad withdrawal, public corrections and fines; repeated breaches attract regulatory scrutiny.
Tip: keep audit trails of promotional approvals and influencer agreements to evidence compliance.
Handling customer complaints, evidence and IBAS escalation
How should operators log a complaint?
Record each complaint immediately in a central complaints register with a unique ID, customer reference, date/time, channel and a concise summary of allegations. Update the entry with investigation steps, contacts and the final outcome.
What remediation and resolution steps are required?
Acknowledge receipt promptly and carry out an impartial investigation; remedies can include refunds, stake reinstatements, bonus corrections or account adjustments where appropriate. If a systemic fault emerges, correct the cause and document the corrective actions taken.
What evidence must be kept and for how long?
Preserve transaction logs, timestamps, screenshots, chat transcripts, identity checks and decision notes to show what occurred and why. Keep records in line with licence and AML rules (commonly several years) and follow expectations set out for dispute evidence in case of escalation guidance on evidence for IBAS complaints.
When should matters be escalated to an independent adjudicator (IBAS)?
Escalate if the operator’s final decision is rejected by the customer or the complaint remains unresolved within internal timeframes. Follow IBAS submission rules and time limits, and provide the compiled evidence pack before referring the dispute to the independent adjudicator how to complain to IBAS.
Common misconceptions about offshore operations
Serving UK customers without a UK licence still breaches UK regulation and can trigger enforcement.
Regulators can pursue directors, freeze assets and work with banks and advertisers to disrupt services, creating major commercial exposure.
Customers can escalate disputes via UK channels, chargebacks and public complaints even if the operator is offshore.
That increases reputational and operational stress; see the risks and red flags for offshore operators regulators commonly use when investigating.
Avoiding licence duties may cut short‑term costs but often leads to fines, lost banking and blocked advertising.
Payment processor removal, frozen funds and marketing bans can halt revenue quickly; contingency planning must account for shutdown scenarios.
How regulators test ongoing controls
Regulators look for controls that operate reliably, are overseen, and leave clear evidence. Assessment focuses on whether monitoring flags real harms, suspicious activity is escalated and reported correctly, and changes are controlled and audited.
-
Transaction monitoring and SARs
Assessment checks tuning, alert triage, investigation quality and SAR timeliness. Keep examples of alerts, decision notes and SAR narratives to show rationale and outcomes.
-
Management information and audits
MI should show trends, KPIs and remediation actions; internal and external audit reports demonstrate independent testing. Retain dashboards, historical reports and audit responses as evidence.
-
Change management and vendors
Regulators expect documented change control, testing, risk sign‑off and rollback plans; vendor contracts must include SLAs, security obligations and a right-to-audit clause.
Log decisions and investigators' notes automatically alongside transactions.
Store historical MI snapshots and alert-tuning records for review.
Contractually require vendor deliverables, test evidence and audit access.
Build SAR templates and a timestamped chain of custody for records.
Run quarterly tabletop exercises and keep signed minutes as proof of governance.
-
Apply for licence
Select licence, submit documents and track UKGC timelines before build.
-
Set KYC & AML
Implement age checks, ID verification, affordability screening and GamStop linkage.
-
Core controls
Deploy real‑time monitoring, SAR processes, safer‑gambling tools and limits.
-
Approve marketing
Obtain CAP/ASA checks, finalise transparent T&Cs and targeting rules.
Licence, controls, marketing
- Start licence early
- Activate AML and KYC
- Get marketing sign‑off
Obtain the licence first, deploy core AML/KYC and safer‑gambling controls, then run only approved marketing campaigns.