Payment compliance audits by gambling regulators (UKGC, MGA, GGL, ARJEL, KSA, ADM, DGOJ, AGCO, and their tier-1 peers) follow a consistent pattern across jurisdictions. The specific controls vary by framework but the underlying checklist categories are the same. This is the operator-side guide to what the auditor will actually look at.
Category 1: PCI DSS compliance
If your operation processes, transmits, or stores cardholder data, PCI DSS compliance is mandatory. The regulator will not be satisfied with "we are PCI DSS compliant" as a statement. They will want to see specific documentation.
Documentation regulators expect. Current PCI DSS Attestation of Compliance (AoC) for the merchant level appropriate to transaction volume. Self-Assessment Questionnaire (SAQ) or Report on Compliance (RoC) depending on volume. Quarterly external vulnerability scans by ASV (Approved Scanning Vendor). Annual penetration testing report. Network segmentation diagram showing cardholder data environment isolation.
Common audit findings. SAQ submitted but not the right level for transaction volume. ASV scans expired. Penetration testing performed annually but not testing the actual cardholder environment. Cardholder data flowing through non-segmented infrastructure.
Category 2: PSD2 Strong Customer Authentication (SCA)
For European operators, PSD2 SCA compliance applies to most card and account-to-account transactions. The regulator will audit whether SCA is being applied correctly and whether the exemptions in use are properly justified.
Documentation regulators expect. Authentication flow documentation showing which transactions trigger SCA and which use exemptions. Exemption use justification (low-value, transaction risk analysis, recurring, etc.). SCA challenge success rate by transaction type. False-positive and false-negative review on SCA outcomes.
Common audit findings. SCA implementation that defaults to challenges (impacting conversion) or defaults to exemptions (impacting compliance). Exemption use not properly justified per the PSD2 regulatory technical standards. SCA flow not tested against the operator's specific transaction patterns.
Category 3: AML transaction monitoring
The single most important payment-compliance area in tier-1 gambling regulation. Regulators want to see that suspicious transactions are detected, escalated, and reported. They want specifics, not generalities.
Documentation regulators expect. Transaction monitoring rules library with specific thresholds and triggers. False-positive and false-negative tuning evidence. SAR (Suspicious Activity Report) volume and outcome tracking. PEP and sanctions screening procedures with screening engine documentation. Source of funds verification protocols at threshold levels (typically EUR 2,000 cumulative or per-transaction depending on jurisdiction).
Common audit findings. Transaction monitoring rules that have not been updated to match current player behaviour. SAR volume that is too low (suggests under-detection) or too high (suggests over-flagging and poor tuning). Source of funds documentation collected but not reviewed substantively. PEP screening that misses adverse media.
Category 4: Segregation of player funds
Tier-1 regulators require player funds to be held separately from operator working capital. The regulator will audit whether this segregation is real and whether the documentation supports operator-side claims.
Documentation regulators expect. Designated client-money account agreements with banking partner. Daily reconciliation between player wallet balances and segregated account balances. Auditor confirmation of segregation. Documentation of what happens to client money in operator insolvency.
Common audit findings. Client money technically segregated but commingled at the banking layer. Reconciliation performed monthly rather than daily. Insolvency-protection language in account documentation that is weaker than the regulator expects.
Category 5: Withdrawal verification and KYC at threshold
Regulators audit whether the operator is verifying player identity properly before significant withdrawals. The threshold varies (typically EUR 2,000 cumulative withdrawal in most EU regulated frameworks).
Documentation regulators expect. KYC trigger logic by withdrawal threshold. Documentation of verification documents collected, by player. EDD (Enhanced Due Diligence) procedures for high-value players or risk-flagged segments. Source of wealth verification at higher thresholds.
Common audit findings. KYC at first withdrawal rather than threshold (some regulators require earlier, some later). Document review that is automated but not substantively assessed. EDD procedures that exist on paper but are not consistently applied.
Category 6: Chargeback and dispute handling
Less heavily audited than the categories above but increasingly attended to. Regulators want to see that chargebacks are tracked, that disputes are handled fairly to players, and that excessive chargeback rates trigger internal review.
Documentation regulators expect. Chargeback rate tracking by category. Player dispute resolution procedures. Documentation of representment outcomes where applicable. Internal escalation when chargeback rates exceed defined thresholds.
Category 7: Bonus and promotional payment accounting
Where bonuses are paid out as cashable balances, the regulator audits how these are accounted for, how wagering requirements are tracked, and whether players are treated fairly when bonus terms apply.
Documentation regulators expect. Bonus T&C documentation that is clear and accessible. Wagering requirement tracking per player. Documentation of bonus expiry and forfeiture logic. Evidence that bonus disputes are handled fairly.
Category 8: Withdrawal processing time
Tier-1 regulators are increasingly auditing actual withdrawal processing times against advertised processing times. The UK Gambling Commission has been most explicit about this; others are following.
Documentation regulators expect. Withdrawal processing time statistics by payment method. Documentation of why specific withdrawals took longer than advertised. Evidence that operational SLAs are being met.
Category 9: Third-party payment processor due diligence
Where the operator uses payment processors or aggregators, the regulator audits whether the operator has conducted appropriate due diligence on the third party.
Documentation regulators expect. Processor due diligence documentation. PCI DSS compliance evidence for processors handling cardholder data. AML compliance evidence for processors involved in fund movement. Service-level documentation.
How to prepare for an audit
The structural move is to maintain a running audit pack rather than assemble one when notified. The pack covers all nine categories above, refreshed quarterly, ready to provide on 24-hour notice. Operators with running audit packs typically clear audits without findings. Operators that scramble at audit notice consistently produce findings.
Beyond the documentation, the operational reality is that tier-1 regulators trust operators who can explain their controls credibly. Audit staff can tell the difference between operators who designed their compliance proactively and operators who built it to pass a checklist. The strategic posture is to design for substance, not for audit performance.
Where to start
For operators preparing for a tier-1 regulator audit or building payment compliance from the ground up, the conversation is usually faster on WhatsApp than over a longer engagement. Current setup, target jurisdiction, audit timeline. Same-day reply with an honest read on where the gaps sit.