Latvia - IAUI and self-locks
(Section: "Markets and Jurisdictions")
1) Market picture and role of IAUI
Latvia is an EU member with centralized oversight of gambling and lotteries. Profile regulator - Izložu un azartspēļu uzraudzības inspekcija (IAUI). The Inspectorate licenses, controls operations, maintains registers (including the register of self-locks), coordinates Responsible Gaming (RG) and initiates blocking of illegal domains/payments.
2) Legal framework and role allocation
Parliament/Government - Gambling law and by-laws.
Ministry of Finance - market policy and fiscal coordination.
IAUI - licensing, supervision, RG requirements, self-locking register, checks and sanctions.
Financial Intelligence/Police - AML/CFT control and investigations.
Advertising and consumer protection authorities - compliance with advertising restrictions and informing players.
3) Licensing: offline and online
Offline: casinos, gaming salons, bets - on individual permits and locations; requirements for premises, personnel, CCTV, cash discipline.
Online: remote provision of games/bets under a license with a confirmed technical platform, logging and interfaces for supervision.
Key persons: fit & proper, disclosure of beneficiaries and source of funds.
Local presence: legal entity/representative office, settlement account, responsible persons for AML/RG.
Certification: RNG/game modules, reporting showcases, integrations.
4) Register of self-locks (self-exclusions)
What is it: a centralized state register of persons who voluntarily restricted access to gambling (online and offline).
Key principles:- The minimum self-holding period is usually 12 months; early cancellation is not allowed.
- Full coverage: All licensed operators are required to check the register prior to admission to play/payout.
- Identification: player's application through e-identification (eID, Internet bank, etc.) or in person; entry into the register occurs immediately after confirmation.
- Confidentiality: Data is used solely for RG and admission control purposes.
- Extraterritoriality: Latvian licensed operators are required to comply with restrictions regardless of the user's access channel (including online).
Self-locking operator responsibilities
1. Checking the status of each user at registration, login and before financial transactions (deposit/payment).
2. Auto-reject attempts to register/play players in the registry.
3. Blocking marketing: no mailings/promos for self-excluded individuals.
4. Store status check logs with timestamps and results.
5. UX transparency: clear links/instructions on how to apply for self-locking, visible RG markings.
5) Additional RG tools (over self-holding)
Self-limiting: deposit/rate/time limits, timeouts, "cooling."
Early risk signals: loss pursuit patterns, frequent deposits, nightly activity, case escalation to RG service.
Staff training: mandatory training to identify vulnerable players.
Communications: Honest information about chances/risks, with no promises of "easy wins."
6) KYC/AML and identification
KYC/KYB: verification of identity/age (18 +), address, beneficiaries, sanctions/PEP, source of funds for triggers.
Remote verification: acceptable with reliable providers and video procedures.
Transactional monitoring: limits, anomalies, connectivity of accounts and means of payment; suspicious transaction reports.
Data storage: KYC-dossier, logs of inspections and alerts on time.
7) Tax & Reporting (High)
Gaming tax: levied by product type; base - usually GGR/NGR (bets − wins), taking into account local rules for bonuses/void/cashout.
Corporate income tax: at the national rate.
VAT: bets/winnings, usually outside the scope of VAT; related services are subject to general procedure.
Reporting: monthly/quarterly forms by products and channels, annual audit.
8) IT circuit and regulator access
Logs and traceability: immutable logs (WORM), time synchronization, full chain "stavka→raschet→vyplata→korrektirovka."
Interfaces: uploads/APIs for IAUI, test accounts, secure channels.
Reliability: fault tolerance, backup, DR/BCP with specified RPO/RTO.
Security: encryption at rest/in transit, secret management, RBAC/SoD, regular pentests/scans.
9) Advertising, Marketing & Affiliates
Bans: targeting minors, misleading messages, aggressive offers.
RG-marking: mandatory warnings and references to help/self-locking.
Bonuses: transparent T&C (wagers, deadlines and mouthguards), correct accounting in GGR/NGR.
Affiliates: contracts, white list of approved creatives, compliance evidence log (screenshots/URL/dates), quick recall of materials at the request of the regulator.
10) Fighting illegal operators
IAUI maintains a list of illegal domains and initiates their blocking from communication/payment providers. Advertising of illegal immigrants in the media and with partners is the basis for fines and other measures of influence.
11) Checks and sanctions
Office: reconciliation of reporting, tax payments, anomalies in GGR/NGR, player complaints.
On-site/IT audit: log inspection, sampling sessions/tickets, staff interviews, "secret buyers."
Sanctions: fines, additional charges, freezing/revoking licenses, blocking domains/payments, instructions to correct UX/RG processes.
Mitigating factors: voluntary disclosure of errors, prompt corrective measures, strengthening of internal controls.
12) Entry roadmap (operator playbook)
1. Strategy: product matrix (casino/betting/lotteries), offline/online, partners and providers.
2. Legal structure: local legal entity/representative office, beneficiaries, bank account.
3. Licensing: document package, key persons, RG/AML policies, financial model.
4. IT readiness: certification of RNG/modules, logs, reporting showcases, integration with the register of self-locks.
5. Marketing and affiliates: RG labeling, white list of creatives, quick recall process.
6. UAT and pilot: delimitation test (self-holding/self-limiting), check of NGR/GGR formulas and uploads.
7. Go-Live: freeze configurations, incident response plan, SLA with providers.
8. First 90 days: rhythm of declarations, reconciliation of deviations, internal RG/AML audit.
13) Compliance checklists
IAUI and self-lock register
- Registry Access and Player Status Check Procedures
- Timestamped Registry Call/Response Logs
- UX sections: self-lock links, RG information, age warnings
- Blocking marketing emails for self-excluded
AML/KYC & RG
- KYC/KYB Policies, Sanctions/PEP, Sources of Funds
- STR/SAR Monitoring, Escalation Threshold Scenarios
- Self-limiting: deposit/rate/time limits, timeouts
- Staff Training, Vulnerable Client Scenarios
Engineering and safety
- RNG Certificates/Platforms, Version Control
- Immutable logs, time synchronization, log retention
- DR/BCP with tests; pentests/scans on schedule
- RBAC/SoD, secret management, encryption
Marketing & Affiliates
- Approved creatives and compliance log
- Procedures for quick recall and blocking offending partners
- Tracking promos for RG compliance
14) KPI and control
RG: the share of players with active limits, the speed of blocking access when entering the registry (<1 min), the response time of the support to RG calls.
AML/KYC: average verification time, share of false positives, SLA for escalation of incidents.
Fiscal: timeliness of declarations ≥99%, discrepancy otchetnost↔billing <0.5%.
Information base: MTTR on incidents, pentest coverage, closure of critical vulnerabilities on time.
Marketing: the share of compliant creatives, the speed of reviews, the lack of communication with self-excluded.
15) FAQ
How long does self-locking last?
The minimum term is usually 12 months; early cancellation is not provided.
Should the operator check the registry every time they log in?
Yes I did. Verification is mandatory during registration, authorization and before financial transactions.
Is it possible to work online without a local presence?
Typically, local structure/responsible persons and compliance with technical/fiscal requirements are required.
How to take into account bonuses in NGR/GGR?
According to the local rules for reflecting bonuses/void/cashout; erroneous accounting leads to additional charges and sanctions.
Note
Tax rates, reporting formats, technical specifications for integration with the self-lock register and advertising requirements are periodically updated. Before submitting an application and the first reporting period, check the current requirements and form templates to exclude additional charges and stops of operations.