GH GambleHub

KYC requirements and verification levels

1) What KYC is and why it's needed

KYC (Know Your Customer) is a set of customer identification and verification procedures that reduce the risks of money laundering (AML), terrorism financing (CFT), fraud and sanctions violations. In iGaming, KYC is supplemented by age verification, geo-restrictions, source-of-funds checks and responsible gaming (limits, affordability).

Key objectives:
  • Confirm the identity and age of the player.
  • Establish residency/address, check geo-acceptability.
  • Exclude sanctions, terrorist and PEP risks.
  • Understand sources of funds/wealth (SOF/SOW) at high limits.
  • Ensure continuous monitoring and timely re-verification.

2) Risk-based approach (RBA)

The platform determines the risk profile of the client, taking into account:
  • Geography: country of registration/residence, logins from "high-risk" jurisdictions.
  • Payments: method, channel (card, A2A, crypto on-ramps), deposit/withdrawal pattern.
  • Behavior: turnover speed, bets, bonus schemes, multi-accounting, IP/device anomalies.
  • Client status: PEP, sanctions, adverse media.
  • Product risk: casino/betting, high limits, P2P transfers.

RBA is reflected in KYC levels (see below), escalation triggers, and review frequency (CDD ↔ EDD).

3) KYC levels (example for iGaming)

L0 - Basic admission (age & geo pre-check)

Goal: Instant onboarding funnel with minimal friction.
Data: e-mail/phone, full name, date of birth, country, consent.
Checks: age (date of birth + external database/SDK), IP/GeoIP, device, basic watchlist.
Limitations: low deposit/withdrawal limits, no P2P, limited bonuses.
Revalidation: when the turnover/withdrawal threshold is reached.

L1 - Standard Identification (CDD)

Documents: 1 identity document (passport/ID/driver's license) + selfie-liveness; in some countries, a separate age verification.
Address: address declaration + soft check (phone match, bank aggregators, credit files, postal DB).
Automatic checks: sanctions/PEP/adverse media, duplicate devices/payments, behavioral biometrics.
Limits: medium deposit/withdrawal limits; eligibility for tournaments/promos.

L2 - Enhanced Verification (EDD) / Source of Funds (SOF)

Documents: proof of address (utility bill/bank statement ≤3 months), confirmation of income (statements, income certificates, payslips, contract), if necessary - SOW (sale of an asset, inheritance).
Interview/risk questionnaire: short form on sources of funds, employment, expected turnover.
Technical control: enhanced AML monitoring triggers, more frequent sanctions/PEP re-screening.
Limits: high; access to VIP programs/highly liquid payments.

L3 - Ultra-risk profile/VIP High-Roller/Cross-border

Additionally: audited reports/confirmation of assets, letters from the bank, declarations.
Manual compliance review + 4-eyes.
Monitoring frequency: high, transaction event reviews, detailed SOW.

💡 Note: the names "L0-L3" are illustrative; adapt the levels to your policies, local regulators and payment geography.

4) Identity checks: methods and quality

Document verification: OCR + MRZ + NFC (if available), anti-tamper, portrait comparison.
Selfie-liveness: active (facial expressions/movements) or passive; anti-spoofing (masks, replay).
Biometrics: face-match, sometimes voice/behavioral.
Non-documentary verification: through banks/aggregators (open-banking), credit bureaus, mobile operators (SIM KYC).
Quality: minimum requirements for resolution and lighting; deviations go to a "gray list" + manual processing.

5) Age, geography and admissibility

Age: automatic birth date check + external registers/SDK, secondary control on L1.
Geo: blocking banned countries/states; reconciliation of IP, device GPS/telemetry, card BIN country and the address from the document.
Regional subtleties: different address proofs/ID formats (Latin/Cyrillic, name transliteration, multiple official languages, patronymics).

6) Sanctions, PEP and adverse media

Sanctions: list matching (UN/EU/OFAC/HMT and local), auto-update, fuzzy match with custom threshold.
PEP: classification (international/national/local; PEP-related individuals).
Adverse Media: negative publications on key topics (fraud, corruption).
Procedures: positive matches → manual validation, escalation, compliance report.

7) Source of Funds (SOF) and Source of Wealth (SOW)

When required: exceeding deposit/withdrawal thresholds, VIP status, rare large transactions, risk flags.

Examples of documents:
  • Bank statements for 3-6 months, income statements, tax returns.
  • Evidence of one-time receipts: sale of real estate/shares, inheritance, dividends, loan agreement.
  • Status confirmations (PI/company), contract, employer letter.

8) KYB (for merchants/partners/affiliates)

Registration documents, articles of association, beneficiaries (UBO), ownership structure.
Directors/UBO: KYC, sanctions/PEP.
Proof of address and activity (site, contracts, accounts).
Payment and traffic monitoring (for affiliates): anti-fraud, lead quality, geo and traffic source.

9) Revalidation triggers (rev-KYC) and event EDD

Reaching turnover/withdrawal limits.
Change of full name/address/payment instruments, suspicious patterns (cyclical deposits/quick withdrawals).
Negative media, updates to sanctions lists, new devices/IP clusters.
Prolonged inactivity + sudden activity.
Data "hygiene": rev-KYC once every 1-3 years (RBA-dependent).

10) Data storage, privacy and security

Minimization and purpose limitation: collect only what the purpose requires (onboarding, AML, age, region).
Retention periods: usually 5 years after account closure/last transaction (check locally).
Encryption: at rest and in transit; secrets in HSM/vendor-vault.
Access: principle of least privilege (RBAC/ABAC), audit, access logs.
Subject rights: access/correction/deletion (where applicable), transparency on processing.
Vendors: DPIA/UDPA, cross-border data transfers, standard contractual clauses.

11) KYC Architecture and Integration

Onboarding flow (recommendation):

1. Registration (L0): e-mail/phone → age/geo pre-check → risk pre-score.
2. L1: doc-verification + liveness → sanctions/PEP → address (soft).
3. Opening limits/functions → transactional monitoring (behavioral/payment).
4. Escalation to L2/L3 on triggers (thresholds, anomalies, VIP).
5. Periodic review + event EDD.

Technical elements:
  • Providers: ID vendor, sanctions/PEP, address databases, device fingerprint, behavioral biometrics, open-banking/PSP.
  • Decision gateway: rules + ML (risk scoring, graph links, device clustering).
  • Compliance console: case queues, SLAs, four eyes, SAR/STR templates, report export.
  • Logs and auditing: immutable storage (WORM), profile versioning, document archive.
  • Availability/stability: active-active regions, backoff/retries, degradation to "L0/L1 only" mode when external vendors are unavailable.

12) UX and KYC conversion

Progress bar and split-KYC: L0/L1 first, then L2 as limits increase.
Localization: language, date/name format, document hints (example photo, glare control).
Resuming: "save and continue later," reminders, secure links.
Availability: mobile SDKs, offline draft mode, image compression.
Fail-safe: soft failure with explanation, manual check channel, SLA for cases.

13) KYC Quality Metrics

Time-to-Verify (TTV): median/95th percentile.
Auto-pass rate and Auto-fail rate, manual processing share.
First Pass Yield (FPY) on documents.
False positive rate for sanctions/PEP, average alert clearing time.
Conversion uplift after UX iterations.
Cost per Verification and cumulative KYC OPEX.
SAR/STR ratio and escalation performance.
Re-KYC completion rate.

14) Policies and templates (sample language)

Threshold limit matrix:
  • L0: up to X €/₴/$/₹ per month, no withdrawal or micro-withdrawal.
  • L1: up to Y, standard withdrawals.
  • L2: High limits + SOF requirement.
  • L3: premium limits + SOW and manual compliance.
  • EDD triggers: large one-time deposits, rapid deposit→withdrawal cycles, frequent changes of payment method, VPN/proxy, country mismatch between IP/BIN/document.
  • Sanctions/PEP: screening at onboarding + at each payout; review of "borderline" matches within 24 hours.
  • Reverification: event + periodic (12-36 months according to RBA).
  • Escalation and SAR/STR: mandatory scenarios and submission deadlines, prohibition of client notification (tipping-off).
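The limit matrix and EDD triggers above, together with the "L0/L1 only" degradation mode from section 11, can be expressed as one decision function. This is an added example, not the platform's own code: the cap values stand in for the page's "X" and "Y", and the churn threshold, the trigger-to-L2 mapping and the `hold` behaviour during vendor outages are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Monthly deposit caps per KYC level. The page leaves these as "X" and "Y";
# the numbers here are placeholders, not recommended values.
LIMITS = {0: 500, 1: 5_000, 2: 50_000, 3: float("inf")}

@dataclass
class Account:
    level: int                      # highest verified KYC level, 0..3
    monthly_deposits: float         # running total including the pending deposit
    ip_country: str
    bin_country: str
    doc_country: Optional[str] = None   # unknown until a document is verified
    vpn: bool = False
    instruments_30d: int = 1        # distinct payment instruments in 30 days

def edd_triggers(a: Account) -> list:
    """EDD triggers from the policy list that can be evaluated per request."""
    found = []
    countries = {c for c in (a.ip_country, a.bin_country, a.doc_country) if c}
    if len(countries) > 1:
        found.append("country_mismatch")
    if a.vpn:
        found.append("vpn_proxy")
    if a.instruments_30d > 3:       # assumed churn threshold
        found.append("instrument_churn")
    return found

def decide(a: Account, vendors_up: bool = True) -> dict:
    """Return allow / step_up / hold for a pending deposit."""
    required = next(lvl for lvl, cap in LIMITS.items() if a.monthly_deposits <= cap)
    triggers = edd_triggers(a)
    if triggers:
        required = max(required, 2)  # assumption: any trigger means EDD, i.e. L2
    if required <= a.level:
        action = "allow"
    elif required >= 2 and not vendors_up:
        action = "hold"              # "L0/L1 only" mode: fail closed, queue for review
    else:
        action = "step_up"
    return {"action": action, "required_level": required, "triggers": triggers}
```

A `hold` keeps the request pending for the compliance queue instead of granting L2+ limits on checks that could not run.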

15) Frequent risks and how to cover them

Synthetic identities → multi-signal verification: document + face comparison + device graph + open-banking.
Multi-accounting → behavioral biometrics, cookie-less device graph, address/payment clusters.
Bonus abuse → limits tied to KYC level, velocity rules, partial "deferred bonus."
Document fraud → NFC reading of the chip, passive liveness, texture analysis.
Thin file → alternative sources (telco data, open-banking), manual verification.
Transliteration/aliases → normalization of full name, local alphabets, fuzzy match.
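The fuzzy sanctions matching with a custom threshold from section 6, combined with the full-name normalization listed above, as an added example (not the platform's or any vendor's code). The watchlist entries, the reduced transliteration map and the 0.85 default threshold are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Reduced Cyrillic-to-Latin map (assumption: real deployments follow the
# transliteration standard of the document-issuing country).
_CYR = dict(zip("абвгдезийклмнопрстуфыэ", "abvgdeziyklmnoprstufye"))
_CYR.update({"ж": "zh", "х": "kh", "ц": "ts", "ч": "ch", "ш": "sh",
             "щ": "shch", "ю": "yu", "я": "ya", "ё": "e", "ь": "", "ъ": ""})

# Constructed watchlist entries, not taken from any real list.
WATCHLIST = [
    {"id": "WL-0001", "name": "Ivan Petrov", "dob": "1980-01-01"},
    {"id": "WL-0002", "name": "Müller, Jürgen", "dob": "1975-05-05"},
]

def normalize_name(name: str) -> str:
    """Lowercase, transliterate, strip diacritics and punctuation, sort tokens."""
    s = "".join(_CYR.get(ch, ch) for ch in name.lower())
    s = unicodedata.normalize("NFKD", s)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(ch if ch.isalnum() else " " for ch in s)
    return " ".join(sorted(s.split()))   # "Petrov Ivan" == "Ivan Petrov"

def screen(name: str, dob: str, watchlist=WATCHLIST, threshold: float = 0.85) -> list:
    """Return watchlist hits scoring at or above threshold, best first.

    A hit is never auto-cleared here: it goes to manual validation, and the
    date-of-birth comparison is reported as supporting evidence only.
    """
    candidate = normalize_name(name)
    hits = []
    for entry in watchlist:
        score = SequenceMatcher(None, candidate,
                                normalize_name(entry["name"])).ratio()
        if score >= threshold:
            hits.append({"id": entry["id"], "score": round(score, 2),
                         "dob_match": dob == entry["dob"]})
    return sorted(hits, key=lambda h: h["score"], reverse=True)
```

Raising the threshold lowers the false positive rate tracked in section 13 but also drops near-misses such as a one-letter spelling variant, so the value should be tuned against reviewed alerts.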

16) Mini checklists

Onboarding (operational):
  • Age, Geo, IP/Device.
  • Document + selfie-liveness.
  • Sanctions/PEP/Adverse Media.
  • Address (soft) → at limit: address (hard).
  • Automatic rules and ML scoring.
  • Transparent communication, consent.
Before a major withdrawal:
  • Re-screening against sanctions/PEP.
  • SOF (if threshold is exceeded).
  • Check that the owner of the payment instrument matches.
  • Behavioral and payment monitoring (anomalies).
Periodic review:
  • Completeness of records and relevance of documents.
  • Team training and audit trail.
  • Vendor test plans (SLA, fault tolerance).
  • DPIA/security and access.

17) FAQ (short)

Can I play before L1? Yes, at L0 with hard limits and age/geo control, but withdrawals and high limits come only after L1.
When to require SOF/SOW? When the turnover/withdrawal thresholds are exceeded, on VIP status, on suspicious patterns or at the request of the regulator.
Do I need screening at every payout? Short sanction rescreening and behavioral monitoring are recommended.
How not to "kill" the conversion? Divide KYC into stages, improve UX, use alternative data sources and auto-pass.

Summary

Effective KYC is a balance between business protection and smooth UX. Build L0-L3 levels around your risk profile, automate screening, apply SOF/SOW to high-risk customers, measure quality metrics, and keep an immutable audit trail. This way you stay compliant without losing conversion and LTV.
