AML & CTF Policy

1) Aim and reach

This Policy describes how BinoBet prevents, detects, and responds to money laundering, terrorist financing, and related crime. It covers all channels (web, apps, payments, support), all Dutch‑licensed brands, and every person who works for or with us. If a supplier touches customer data or payments, this Policy applies to them through contract.

2) Laws, rules, and guidance we follow

  • Wwft (Prevention of Money Laundering and Terrorist Financing Act) and its guidance;
  • Sanctions Act 1977 and decrees;
  • KSA licence conditions and policy rules under the Remote Gambling Act;
  • EU AML package (directives/regulations) where applicable;
  • GDPR/AVG for data protection.

When rules conflict, we apply the strictest requirement. We keep a legal change log and update this Policy when needed.

3) Who does what

Board of Directors — sets risk appetite, approves this Policy and the annual plan, receives quarterly reports.
MLRO — runs the programme day to day, owns procedures, files STRs to FIU‑Netherlands, and can pause payments or gameplay where risk is unacceptable.
Deputy MLRO — ensures cover for leave or conflict.
First line teams (Payments, Support, VIP, Product) — follow procedures, collect documents, record decisions, escalate on time.
Compliance (2nd line) — designs controls, advises, challenges, and performs thematic reviews.
Internal Audit (3rd line) — independently tests design and effectiveness at least yearly.
All staff — complete training and report concerns immediately.

4) Risk‑based approach (RBA)

We do not treat all customers or activities the same. Controls scale with risk.

4.1 Enterprise‑wide risk assessment (EWRA)

Once a year, and on material change, we assess risks across customers, products, channels, and geographies. We rate inherent risk, examine control strength, and define residual risk and appetite. The EWRA drives budgets, staffing, and tooling.

4.2 Customer risk rating

Every account carries a dynamic score informed by identity attributes, device data, payment behaviour, product mix, velocity, affordability flags, sanctions/PEP hits, and adverse media. The score sets CDD/EDD depth and monitoring thresholds.

4.3 Product & channel risk

Remote onboarding, fast withdrawals, and live games introduce specific exposure. BinoBet prohibits cash, anonymous vouchers without traceability, and crypto deposits. New features ship only after a documented risk check.

5) Customer due diligence (CDD)

5.1 When we must identify and verify

  • before opening a relationship;
  • before first withdrawal;
  • when suspicion arises;
  • when previous data looks wrong;
  • on triggers (Section 8.4).

5.2 Identification & verification

We collect full legal name, date of birth, nationality, residential address, email, phone. Verification uses reliable sources: passport or EU/EEA ID, Dutch driving licence, residence permit, selfie/liveness as needed. Address is confirmed with a ≤3‑month document (bank statement, utility bill, BRP extract) or trusted electronic data.

5.3 Payment ownership

Deposits/withdrawals must use methods in the player’s name. We may request a bank statement showing name and IBAN or a masked card image. Third‑party payments and mules are blocked.

5.4 Purpose and expected activity

We record intended products, approximate spend, and usual funding sources to form a baseline for monitoring and affordability checks.

5.5 If CDD fails

If we cannot complete CDD, we restrict the account and, where lawful, return funds to source. If suspicion exists, we escalate to the MLRO and consider an STR.

6) Enhanced due diligence (EDD)

We apply EDD where risk is higher:

  • PEP or close associate/relative;
  • adverse media indicating financial crime;
  • complex or unusual payments;
  • large or fast movements inconsistent with profile;
  • links to higher‑risk geographies or industries.

EDD measures include senior approval, extra ID, independent verification, source of funds (SOF) and source of wealth (SOW) documents, tighter limits, and more frequent reviews. If SOF/SOW cannot be evidenced, we restrict or end the relationship.

7) Screening

  • Sanctions: screen at onboarding and daily against EU/UN/Dutch (and where relevant UK/US) lists. Potential matches are frozen as law requires and escalated to the MLRO.
  • PEP: identify PEPs and close associates; apply EDD, lower thresholds, and frequent reviews.
  • Adverse media: check higher‑risk cases using reputable sources; material hits trigger EDD.

8) Monitoring and alerts

8.1 Core idea

Behaviour is compared with the baseline and peer groups. Alerts are generated by scenarios and by staff.

8.2 Examples of scenarios

  • deposit → minimal play → withdrawal;
  • wagers designed to keep variance near zero;
  • many cards/IBANs used in a short time;
  • attempts just below KYC thresholds;
  • payment to a new bank account ahead of a large cash‑out;
  • device/IP anomalies, VPN/TOR;
  • spend out of line with affordability indicators.

8.3 Case handling

Alerts are triaged (Low/Medium/High/Severe). Medium+ move to investigation; withdrawals may be held. We document every step in the case system with timestamps and evidence references.

8.4 Triggers for refresh

Risk score jumps, new payment instruments, limit increases, large withdrawals, or profile changes trigger a KYC refresh.

9) Investigations and STRs

Workflow: intake → scope → information request → analysis → decision → closure.
Possible outcomes: no issue; conditions (limits/monitoring); ask for more documents; restrict; suspend; exit.
STRs: If suspicion remains, the MLRO files a suspicious transaction report with FIU‑Netherlands without tipping off the customer. We keep supporting evidence and rationale.

10) Payments controls

  • Accept only named payment methods; return funds to source where possible.
  • Cooling‑off and velocity caps for new payment methods.
  • Block cash, untraceable vouchers, and crypto unless specifically approved by law and the Board.
  • Split large withdrawals if risk or network limits require.
  • Monitor chargebacks; linked winnings stay contingent until resolved.

11) Records and retention

We store CDD packs, payment histories, alert logs, case files, STRs, training logs, audits, and system change records for at least the Wwft‑required period. Records must be complete, accurate, and quickly retrievable. Data is protected against alteration and unauthorised access.

12) Technology and change

Identity, screening, monitoring, and case tools require Compliance sign‑off. Rules and models follow change control with testing, approvals, and post‑go‑live checks. We run daily reconciliations and data quality tests; failures are tracked to closure.

13) Data protection

We apply GDPR/AVG principles: lawfulness, fairness, transparency, minimisation, accuracy, storage limits, integrity, and confidentiality. Access to AML data is strictly need‑to‑know and logged. Sensitive documents are encrypted in transit and at rest.

14) Training

Everyone completes AML induction and yearly refreshers; Payments, VIP, and Support take role‑specific modules. Passing assessments is required for continued system access.

15) Incidents and breaches

If a control fails (missed screening, third‑party payment processed, etc.), we: contain; assess obligations; notify KSA/FIU‑NL where required; fix root causes; and document lessons learned. Serious breaches may lead to disciplinary action.

16) Working with Responsible Gambling

Harm indicators often overlap with financial‑crime signals. AML and Safer Gambling teams share relevant alerts and coordinate actions to avoid mixed messages to customers.

17) Third parties and outsourcing

We vet KYC vendors, payment providers, and other suppliers. Contracts include confidentiality, data‑processing terms, sanctions compliance, incident reporting, audit rights, and SLAs. Outsourcing never shifts our obligations—we remain responsible.

18) Reporting and metrics

Quarterly, the MLRO reports to the Board on: onboarding pass/refer rates; verification turnaround; alert volumes and conversion; case ageing; sanctions/PEP matches; STRs filed; withdrawal holds; training completion; QA results; audit findings.

19) Policy lifecycle

Reviewed at least annually or after material change in law, risk, products, or systems. Updates require Board approval. Obsolete versions are archived with a change log.

Appendices (summaries)

A. Red flags

  • Many accounts on one device/IP/payment method;
  • deposits with little play then withdrawals;
  • SOF/SOW refusal;
  • structured amounts near thresholds;
  • VPN/TOR;
  • sudden spend spikes;
  • adverse media linking to fraud/corruption/organised crime.

B. Acceptable documents

ID: Dutch passport, EU/EEA ID/passport, Dutch driving licence, residence permit (valid).
Address: bank statement, utility bill, BRP extract (≤3 months).
Payment: statement with name and IBAN used; masked card image.
SOF/SOW: payslips, tax statements, bank statements, sale/inheritance evidence.

C. Case workflow (visual summary)

  1) Alert → 2) Triage → 3) Data gathering → 4) Analysis → 5) Decision (incl. STR) → 6) Close & schedule review.