Operations and Compliance → KYB Partner Verification

KYB Partner Verification

1) Why KYB in iGaming

Partners directly affect the risk profile of the platform: the quality of traffic and marketing, the safety of payments and the honesty of games, compliance with local regulations. Correct KYB reduces regulatory and financial losses (fines, locks, chargeback), accelerates the connection of new markets and increases the stability of the supply chain.

• Establish the identity of the company, beneficiaries (UBO) and control over sanctions risks.
• Confirm the right to offer services (licenses, certifications, domain rights).
• Record contractual guard rails (RG/Ads/Privacy/Security/SLA).
• Implement continuous monitoring and timely response to violations.

2) Partner taxonomy (who passes KYB)

Affiliates/publishers/influencers (traffic, creatives, funnels).
Payment providers/processors/aquiers (KYC/AML, returns, reporting).
Game providers/aggregators/studios (licenses, RNG/certification, RGS).
Platform/infrastructure vendors (hosting, KMS/Vault, monitoring).
Media and performance agencies (advertising, branding, traffic procurement).
Outsource support/kYC/AML bureaus (PD processing, subprocessors).

3) KYB principles

1. Risk-Based: the depth of verification depends on the type of partner, jurisdiction, volume of traffic/transactions.
2. Evidence-by-Design: all conclusions are supported by documents/screenshots/logs.
3. One Source of Truth: a single register of partners with versions and audits.
4. Least Surprise: the contract encodes expectations in advance (SLA, RG/Ads, Privacy, Security).
5. Continuous Monitoring: reassessment by event (change of UBO, bursts of chargeback, complaints).

4) Data Model: Partner Register (YAML)

yaml partner_id: AFF-2025-0197 type: affiliate     # affiliate    payment    game_provider    aggregator    infra    agency    outsourced_ops legal_name: "Acme Media Ltd."
registration:
country: MT number: C123456 registry_link: <ref>
ubo:
owners: [{name: "John Doe", share: 60%}, {name: "Jane Roe", share: 40%}]
sanctions_screened: true licenses:
- kind: marketing_agency
- jurisdiction: EU contact_points:
compliance: compliance@acme finance: billing@acme risk:
inherent: medium geo_scope: [EU, LATAM]
products: [casino, betting]
agreements:
sla: {kpi: ["lead_quality","complaints_rate"], remedies: ["traffic_pause","fee_adjustment"]}
ads_policy_ack: true data_processing_addendum: true monitoring:
kpis: {chargeback_rate: 0.3, complaint_rate: 0.2}
last_review: 2025-09-30 status: approved     # pending    approved    suspended    terminated review_sla_days: 180 owner: partner_compliance_team

5) Policies and controls (as Code)

Partner risk-tiering policy

yaml policy_id: KYB-TIERING-001 tiers:
- name: low criteria: [type==infra AND handles_pii==false]
requirements: [registry_extract, tax_id, sanctions_ubo]
- name: medium criteria: [type in {affiliate,agency,game_provider}]
requirements: [registry_extract, tax_id, sanctions_ubo, domain_ownership, bank_details, references]
- name: high criteria: [type==payment OR handles_funds==true OR high_risk_geo==true]
requirements: [all_medium, pci_or_equal, aml_program, license_copy, financials, security_controls, incident_sla]
overrides:
- when: country in {UK,ES,IT,NL}
add: [local_license_proof, ads_local_rules_ack]

Sanctions/Negative Media Controls for UBO/Directors

yaml control_id: KYB-SANCTIONS-UBO-01 scope: partner.onboard trigger: on_create OR ubo_changed==true actions:
- screen: sanctions_pep_adverse_media
- require: manual_review_if_score>threshold evidence:
fields: [sources, match_score, analyst_decision]

Control of marketing violations (affiliates)

yaml control_id: ADS-COMPLIANCE-02 scope: affiliate_creatives trigger:
expr: scan(creative.text    landing) contains banned_claims OR audience_targeting includes minors OR missing_disclaimers==true actions:
- pause: traffic
- notify: marketing_compliance
- issue: corrective_action_plan

Control of payment risk (providers)

yaml control_id: PSP-RISK-01 scope: payments trigger:
expr: chargeback_rate_30d > agreed_threshold OR downtime>sla_minutes actions:
- reduce: routing_weight 20%
- notify: vendor_risk
- open: incident_with_provider

6) Documents and confirmations (by type)

• Extract from register/charter/directors and UBO, tax number.
• Bank details (confirmed), address, contact persons.
• Security/Privacy Policies, DPA/Data Processor Agreement.

• Domain/accounts (ownership/admin access), site portfolio, traffic sources.
• Signature Ads/Brand-guidelines; a blacklist of wording; UTM registry.

• License/registration, PCI DSS/equivalent, audit report.
• Merchant/Aquiring contracts, chargeback/returns rules, reporting.

• B2B licenses/RNG certificates/test labs; game list/mathematician.
• Uptime/RGS SLA, release/version process, change log.

• Certificates (ISO 27001/SOC2), DPIA (for personal data), list of sub-processors.
• Incident and notification procedures.

7) KYB Process: Application to Monitoring

1. Intake: application/questionnaire, collection of documents, creation of a partner card.

2. Screening: UBO/directors - sanctions/PEP/address media, registry checks.

3. Risk assessment: type, geo, volume, products, access to personal data/finance.

4. Agreement: inclusion of guard rails (SLA, Ads, RG, Security, Privacy, audit rights).

5. Tech/content onboarding: integration tests, domain/creative whitelisting.

6. Monitoring: KPIs and alerts (ads violations, chargeback, downtime, complaints).

7. Review/re-faith: by SLA or event (UBO change, risk spikes, regulator complaint).

8. Sanctions/termination: plan→pause→terminate→report (in case of serious violations).

8) RACI

9) KPI/OKR

Coverage: the share of partners with the full KYB package ≥ 98%.
Review SLA: timely extension/review ≥ 95%.
Ads Violations Rate (affiliates): ↓ QoQ; Time-to-Pause in case of violation ≤ 24 hours.
Chargeback Contribution by PSP: within contractual thresholds.
Downtime/Incident MTTR (providers): within SLA.
Evidence Completeness: ≥ 98% of cards with correct artifacts.
Audit Findings TTR: ≤ 90 days.

10) Checklists

• Register/Charter, UBO, Directors, Tax No.
• Sanctions/REP/address media: clear/trial/exceptions.
• Licenses/certificates/right to provide services.
• Contract + DPA + audit rights + SLA/Remedies.
• Ads/RG/Privacy/Security policies are signed.
• Bank details confirmed.
• Tech checks: domains/UTM/creatives/endpoints/logging.
• The card in the register is filled in, the risk level is assigned.

• Ads scanner: no banned creatives/targeting.
• Traffic/Quality/Complaints Corridor KPIs.
• PSP: chargebacks/downtime/errors within SLA.
• Games/content: versions are certified, releases are pledged.
• SLA review, documentary updates received.

11) SOP (fragments)

SOP: Reaction to Affiliate Breach

1. Autoscan → violation (claim/targeting/disclaimer).
2. Immediately 'pause traffic' + notification of partner with template CAP (Corrective Action Plan).
3. Correction period ≤ 48 hours; rescan.
4. Repeated breach → reduction/termination; evidence to the registry.

SOP: PSP Escalation

1. Trigger'chargeback _ rate _ 30d> threshold'or downtime> SLA.
2. Weight reduction of the route, incident with the provider, postmortem.
3. Financial impact/compensation under the contract; report to the Risk Committee.

SOP: Re-faith when changing UBO/director

1. Get updated documents, restart sledge screening.
2. Recalculate risk, limit/pause if necessary.
3. Update the card, notify the teams involved.

12) UX and Automation

Partner Portal - Upload documents, statuses, review reminders

Auto-scans of ads: text/banner/landing pages for forbidden wording, age markers, show times.
Provider telemetry: uptime, bugs, SDK/RGS versions, release annotations.
Alerts: bursts of chargebacks, complaints, CTR anomalies, sledging updates.
AI summaries: clustering violations by partner/geo, CAP hints.

13) Security and privacy

RBAC/ABAC: role accesses, watermarks for documents.
Encryption: at rest/in transit, secrets in vault, temporary links.
Retention: retention by law/contract, auto-removal by term.
Logging: all changes to cards/documents/decisions - to the audit log.

14) Anti-patterns

Fuzzy Remedies in the contract → endless "letters of happiness."

KYB "for show": no UBO or verification only at the start, without monitoring.
Lack of DPA/audit rights - inability to verify incidents.
Universal depth of inspection without consideration of risk/geo/types of services.
Scattered tables without SSOT and versions.
Connecting traffic before signing Ads/Brand guidelines.

15) 30/60/90 - implementation plan

• Approve KYB and risk-tiering policies by partner type.
• Launch the Partner Register (SSOT) and document/questionnaire templates.
• Enable UBO/Director Sunk Screening and Basic Ads Scanner.
• Standardize contractual guard rails (SLA/Remedies, DPA, audit rights).

• Enable KPI monitoring (ads violations, chargeback, downtime).
• Automate event-based re-faith (UBO change, risk spikes).
• Expand the Ads scanner (languages, formats), provider telemetry, reporting.

• Coverage KYB ≥ 98%, Review SLA ≥ 95%, Evidence ≥ 98%.
• Lowering Ads Violations Rate and Chargeback Contribution into target corridors.
• Conduct an internal audit of KYB processes; record OKR for the next quarter.

16) FAQ

Q: Do partner subcontractors need to be checked?
A: Yes, if they handle your traffic/personal data/finances - require sub-processor disclosures and audit power.

Q: How to respond quickly to advertising violations?
A: Fix 'pause within ≤24h', CAP ≤48h and re-audit in the contract. Autoscan + alert in # marketing-compliance.

Q: What to do with controversial sledging matches?
A: Manual triage with sources/scoring, escalation in Head of Compliance; with criticism - a temporary pause of cooperation.

Q: When to reconsider partner risk?
A: By SLA (180 days) or upon event: UBO change, spikes in complaints/chargebacks, precedents among regulators.