
AML and KYC are the two compliance functions every licensed iGaming operator must run, and the two whose cost most operators underestimate. KYC (Know Your Customer) verifies who a player is. AML (Anti-Money Laundering) is the wider system that stops the operator being used to move dirty money. They are not optional, they are not a one-time setup, and the way they are designed has a direct, measurable effect on conversion. This is the operator-side view of what they are and how to run them well.

What KYC is

KYC is identity verification: proving a player is a real person, of legal age, who they claim to be, and - when risk or thresholds require it - that their funds come from a legitimate source. In practice it means document verification with a liveness check, age and address verification, sanctions and politically-exposed-person (PEP) screening, and, for higher-risk or higher-value players, source-of-funds and source-of-wealth checks. In tightening regulated markets, much of this now happens at onboarding or before the first withdrawal rather than only after a problem surfaces.

What AML is

AML is the programme around KYC. It takes the identity data and adds ongoing transaction monitoring, risk scoring, screening, and the obligation to file suspicious-activity reports to the relevant authority. A real AML programme has a named responsible person, written policies, staff training, record-keeping, and a risk assessment that is actually used rather than filed. KYC tells you who the player is; AML decides what to do about the risk they represent over the life of the account.

AML vs KYC: the simple distinction

KYC is a step; AML is the system. KYC is the verification gate. AML is the continuous programme of monitoring, screening and reporting that uses KYC data plus behavioural signals to detect laundering. You cannot run effective AML without KYC, but KYC on its own is not AML. Operators that treat verification as the whole of compliance miss the monitoring and reporting obligations that regulators actually enforce.

When it is required

From licensing onward, in every regulated market. UKGC, MGA, the Dutch KSA, Ontario and offshore regimes all mandate an AML programme and KYC - they differ in thresholds, timing and intensity, not in whether they apply. UK affordability and source-of-funds expectations sit at the strict end; some offshore regimes are lighter, but none are zero. Choosing a licence is therefore partly a choice about how heavy the AML/KYC obligation will be, which is why it belongs in the compliance picture from the start.

The real operator problem: compliance vs conversion

Verification lands at the exact moment a player is trying to deposit or withdraw - the worst possible point to introduce friction. Badly designed KYC kills conversion there; over-light KYC fails the regulator. The answer is risk-based design: minimal friction for low-risk players, escalating checks only when risk flags appear, and verification sequenced so it interrupts the funnel as little as possible while still meeting the bar. That is a design and sequencing problem as much as a legal one, and it sits alongside payment risk management in the operator stack.

Getting it right

The operators who handle AML/KYC well build it into the operating model from launch rather than retrofitting it after a regulator query - retrofitting is far more expensive and risky. The work spans vendor selection (KYC and monitoring tooling), policy and risk assessment, the compliance team structure to run it, and the funnel design that keeps conversion alive. It is one of the operator-side calls an iGaming compliance consultant helps get right, within the full "how to start an online casino" sequence.

Need AML and KYC designed in without wrecking conversion?
WhatsApp the situation.

Target markets, licence stage, current verification setup. Thirty-minute call with an honest operator-side read on the compliance path.

Meet me at iGB London, 1-2 July 2026.