Philippines - CEZA

(Section: "Markets and Jurisdictions")

1) What is CEZA and how does it differ from PAGCOR

CEZA (Cagayan Economic Zone Authority) is a special economic zone and freeport in northern Luzon. In the iGaming context, CEZA historically provides offshore interactive licenses (for exporting services), while PAGCOR combines the functions of a national regulator and a local market operator (land casinos, eGames/eBingo) and draws offshore categories in its own contour (POGO/IGL).
The key idea of ​ ​ CEZA: to serve foreign markets and severely block access for persons located in the Philippines.

2) Institutions and roles

CEZA - issues/extends offshore interactive licenses, sets technical/operational standards, monitors compliance.
Management/accreditation company of the zone (historically - master license/accreditation structures) - acceptance of applications, audit of suppliers, monitoring.
AMLC (Anti-Money Laundering Council) - AML/TF: CDD/EDD, STR/CTR, training, checks.
BIR/DOF - taxes and fees (gambling/franchise fees, corporate, deductions).
NTC/telco - domain/network block measures.
DOLE/Immigration/DILG/PNP - labor/migration, site inspections, enforcement.

3) What the CEZA license covers

B2C operators (offshore iGaming): casinos (RNG/LV), sports betting, P2P games, other interactive products aimed at foreign jurisdictions.
B2B providers: game studios, platforms/aggregators, risk/anti-fraud modules, hosting/NOC/SOC, stream studios, BPO centers, processing as part of an offshore service.

4) Geo-block and target compliance

Mandatory PH-block: IP/ASN, mobile networks, GPS/ligation by device; ban Philippine BIN/UPI counterparts/local wallets, currency filters.
Leak tests: regular "punctures" of protection, control of mirrors, search for PH access with reports and fixes.
Marketing: creatives/landings must not contain Filipino localization; PH influencers and traffic sources hitting the country are prohibited.

5) License categories and accreditations (high level)

Interactive Gaming Operator (IGO) - B2C export operator.
Interactive Gaming Support/Service Provider (IGSP) - content, platform, studios, call centers, anti-fraud, hosting.
Data Center/Studio/BPO Accreditation - sites and infrastructure services.
Inside the categories are subspecies by product: casino RNG/live, sportsbook, exchange, bingo/keno, p2p/skill, etc.

6) Process requirements

Certification of RNG/game modules and calculation engines; version control, SDLC with default security.
WORM logging of the chain "deposit/bet → game/calculation → payment → adjustment," NTP synchronization, hash bindings, retention according to the standard.
SOC/NOC: availability/security monitoring, IDS/IPS, DDoS protection.
DR/BCP: targeted RPO/RTO, periodic exercises.
Supervisory access: secure APIs/uploads, test accounts, incident and request SLAs.

7) AML/KYC and consumer protection (offshore)

KYC/EDD: customer identification, age verification, sanctions/PEP, SoF/SoW by triggers (large deposits, fast repetitions, device/card connectivity).
Transactional monitoring: risk profiles, P2P/crypto converter anomalies, "split" payments.
STR/CTR: AMLC escalation procedures; journal of investigations.
Responsible Gaming: deposit/loss/time limits, time out/" cooling, "self-exclusion; banning marketing to the vulnerable/self-excluded; visible risk warnings.

8) Taxes and fees (framework)

CEZA license fees: primary/annual fee by category (operator/provider/site), security deposits/collateral.
Gambling fees/duties: for offshore - special regimes on GGR and/or franchise fees in conjunction with CEZA.
Corporate/personal tax: rates in accordance with the current tax framework, staff deductions (incl. expatriates), local LGU fees (if applicable).
Accounting: separately by product/geography/channel; correct reflection of bonuses, void/cashout, jackpots.

9) Advertising, Affiliates and Content Policy

Zero-PH-target: prohibit any communication to the PH audience.
Countries of destination: creatives/lends/offers comply with local laws of the target market.
Affiliates: contracts with geo-filters, a list of "prohibited" sites, a compliance log (creatives/URL/dates/geo/target), an instant recall mechanism, a ban on mirrors/cloaking.

10) Enforcement and block measures

NTC/telco: domain/application/mirror locks, CDN/hosting requests.

Financial routes: suppression of payments in favor of illegal immigrants, attack on "pseudo-merchants."

Inspections: offices/studios/VRO, migration and labor, labor protection, fire safety, CCTV/logging.
Sanctions: fines, suspension/cancellation of license/accreditation, blacklists of domains/companies, aggravated cases.

11) Entry roadmap (operator & provider playbook)

A) B2C statement (offshore IGO)

1. Structure: beneficiaries (fit & proper), capital/deposit, office/sites (data center/studio, if necessary).
2. Geo-contour: provable PH-block; map of destination countries, local legal requirements; off-switch by country.
3. Technique: RNG/platform certification, WORM logs, SOC/NOC, DR/BCP, API for CEZA.
4. Payments/AML: KYC routes only, anti "pseudo-merchants," SoF/SoW, STR/CTR in AMLC.
5. RG/Ads: limits/self-exclusion, creative/channel whitelisting, compliance journal.
6. UAT/Go-Live: GGR/NGR/bonus tests, DDoS/logging stress tests, checking mirrors and PH blocks.

B) B2B provider (IGSP: content/platform/studios/BPO/hosting)

1. Accreditation: category/subcategory, SLA/versions/escrow, IP rights.
2. Security/data: DPIA/DTIA, segmentation of environments, access log, encryption, key management.
3. Reporting: performance and compliance showcases, release/log audits.

12) Information security checklists

Technology and information security

• RNG/Module/Platform Certification; SDLC с security gates
• WORM logs, NTP, retention; immutable event hashes
• Encryption at rest/in transit; RBAC/SoD; secret management
• SOC/NOC, IDS/IPS, DDoS protection; DR/BCP tests
• Secure uploads/APIs for CEZA; Incident SLAs

Geo/Ads

• Provable PH Block (IP/ASN/GPS/Payments/Languages)
• Compliance Log Creative/URL/Date/Geo/Target
• Off-switch by country/site banning mirrors/cloaking

AML/KYC & RG

• CDD/EDD, Sanctions/PEP; SoF/SoW by Trigger
• STR/CTR procedures in AMLC; training; case contango
• Limits/timeout/self-exclusion; banning promo self-excluded

Taxes/Accounting

• Current rates/fees confirmed; deposits made
• Separate accounting of GGR/NGR/bonuses/void/cashout by geo/channels
• Reporting/payment calendar; discrepancy control <0.5%

13) First year KPI

Fiscal: timely filing ≥99%; discrepancy otchetnost↔billing <0.5%

AML/KYC: mean KYC time; proportion of valid STR/CTR; reduction of "anonymous" routes

RG: share of accounts with active limits; Self-exclusion TTR <1 min

IS/resilience: MTTR incidents; closing high-vulns on time; successful DR exercises

Marketing/geo: 0 PH hits; 100% geo/ads compliance

14) FAQ

Is it possible to work with Filipino players under a CEZA license?
No, it isn't. CEZA - offshore mode: strict prohibition of PH-access and PH-target.

How is CEZA different from PAGCOR?
CEZA - economy zone with an offshore interactive model; PAGCOR is a national locale regulator and its own offshore circuit. Frameworks, fees and processes vary.

Are live studios allowed at CEZA?
Yes, within the accreditation/category and in compliance with information security/personnel/migration requirements (platforms, CCTV, access, labor/migration).

What are the key risks?
Violation of the PH block, weak AML/KYC and "pseudo-merchants," mirrors/cloaking in marketing, non-compliance with the return of logs and SLA to the regulator.

Note

Category taxonomy, fiscal parameters, technique/marketing requirements, and enforcement practices are evolving. Before legally significant steps, it is necessary to verify the current documents of CEZA and related authorities (AMLC/BIR/NTC/immigration/labor), as well as confirm the contours of the geo-block and reporting for the target markets.