KYC procedures and inspection levels

1) Why KYC

KYC (Know Your Customer) is the foundation of responsible and safe operation of an iGaming platform: it prevents access by minors, reduces the risk of fraud and money laundering, supports the requirements of licenses and payment partners, and protects reputation.

Objectives:
  • Confirm identity and age.
  • Assess the player's baseline risk and set up risk-based measures.
  • Ensure transaction traceability and deposit↔withdrawal linkage.
  • Support AML/Responsible Gaming and provider/regulator requirements.

2) KYC principles

1. Risk-Based Approach (RBA): the depth of verification depends on the profile (country, payment methods, behavior).
2. Progressive Disclosure: Collect exactly as much data as needed at the current risk level.
3. Evidence-by-Design: all decisions and documents are saved as an audit trail.
4. Privacy-first: minimization of personal data, masking, role-based and time-limited access.
5. Re-Verification: repeated checks on risk events (withdrawals, limit increases, changes to details).
6. Explainable & Consistent: rules and exceptions are documented and verifiable.

3) Verification levels (Tiered KYC)

KYC0 - Pre-registration / light friction

Collection of country, age (self-attested), email/phone (OTP).
Preliminary sanctions/PEP screening by name/phone/email (low confidence).
Limitations: no deposits/withdrawals; browsing content and bonuses only, no bets.

KYC1 - Basic identification

Identity document (passport/ID/driver's license) + selfie/biometric liveness (depending on the market).
MRZ/barcode validation, expiry date check, country of issue.
Age verification, primary sanctions/PEP screening.
Basic deposit/bet/withdrawal limits.

KYC2 - Address Confirmation (PoA)

Document confirming the address (utility bill/bank statement/register), KBA if necessary.
Geo-consistency: IP/device/payment method ≈ registration address.
Extended limits and access to withdrawals.

KYC3 - EDD/SoF/SoW

Applied on risk triggers: large turnover/withdrawals, VIP, suspicious patterns, high-risk geo/methods.
Source of funds (SoF) and source of wealth (SoW): income statements, salary, taxes, bank statements.
Interviews/written explanations are possible.
Access to high limits/expedited withdrawals only after approval.

4) Level upgrade triggers / Re-KYC

Financial: amount of single withdrawal, turnover for the period, frequent changes in payment methods.
Behavioral: abnormal win/loss profile, night activity, many short sessions.
Technical: frequent device changes/IP/ASN, proxy/high-risk networks.
Profile: name/address/date of birth discrepancies between sources.
Event: change of payment details, limit increase, enrolment in a VIP plan.

5) Sanctions, PEP and negative media

Screening at: registration, completion of KYC1/2/3, before major withdrawal, when changing details.
Rescreen when the reference lists are updated (daily/weekly).
Match logic: fuzzy match with a threshold, manual triage of borderline cases.
References to sources/cases are kept in evidence.
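
An added example (not part of the original page) of the match logic above: names are normalized, scored against a watchlist, and routed to hit, manual review or clear by threshold. The watchlist entries, the 0.95/0.80 thresholds and the use of Python's difflib ratio as the similarity measure are assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries and thresholds; the page specifies neither.
WATCHLIST = [("WL-001", "Petrov, Ivan"), ("WL-002", "Müller, Hans-Peter")]
HIT, REVIEW = 0.95, 0.80


def normalize(name):
    """Lowercase, strip diacritics and punctuation, sort tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.lower())
    return " ".join(sorted(cleaned.split()))


def screen(name, list_version="constructed-v1"):
    """Return the best match, its score and the routing decision."""
    probe = normalize(name)
    best_id, best_score = None, 0.0
    for entry_id, listed in WATCHLIST:
        score = SequenceMatcher(None, probe, normalize(listed)).ratio()
        if score > best_score:
            best_id, best_score = entry_id, score
    if best_score >= HIT:
        status = "hit"
    elif best_score >= REVIEW:
        status = "manual_review"  # borderline: goes to manual triage
    else:
        status = "clear"
    # Evidence record: what was screened, against which list version, result.
    return {"input": name, "normalized": probe, "match": best_id,
            "score": round(best_score, 3), "status": status,
            "list_version": list_version}
```

Recording the list version with each result is what makes rescreening on list updates auditable.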

6) Documents and alternatives

ID/passport/driver's license; PoA: utility bill, bank statement ≤ 3 months old.

Alternatives: eID/BankID/proactive API providers, KBA (knowledge-based authentication), confirmation by microtransaction.
Biometric: selfie with liveness check; store biometric templates only if necessary and in accordance with local regulations.
Rejections: black-and-white copies, expired documents, blurred photos are handled by auto-rejection rules.

7) Data & Privacy

Minimization: request only what is necessary; keep KYC artifacts separate from game/marketing data.
Access: RBAC/ABAC, file read/release logs, watermarks.
Retention: by jurisdiction/license (usually 5+ years after the last transaction).
Encryption: at rest/in transit, keys in HSM/Vault, temporary URLs for viewing.
Data subject requests: SLA for export/correction/deletion within acceptable limits.

8) Controls-/Policy-as-Code (fragments)

KYC level policy:

```yaml
policy_id: KYC-TIERING-001
tiers:
  - name: KYC1
    allow: deposits<=base_limit & withdrawals<=0
    require: [id_doc, selfie_liveness, sanctions_check]
  - name: KYC2
    allow: deposits<=mid_limit & withdrawals<=mid_limit
    require: [proof_of_address, ip_geo_consistency]
  - name: KYC3_EDD
    allow: deposits<=high_limit & withdrawals<=high_limit
    require: [source_of_funds, enhanced_screening]
overrides:
  - country: <ISO>
    set: {mid_limit: <amount>, high_limit: <amount>}
review_sla_days: 180
owner: head_of_compliance
```

Re-KYC trigger on a change of payout details:

```yaml
control_id: KYC-REVERIFY-PAYOUT
scope: payouts
trigger:
  expr: payout_destination_changed==true
actions:
  - block: payout
  - request: "kyc_level>=KYC2"
  - notify: aml_ops
evidence:
  fields: [old_dest, new_dest, kyc_level, player_id]
```

Sanctions rescreening:

```yaml
control_id: SANCTIONS-RESCREEN
scope: player_profile
trigger:
  expr: sanctions_list_version_updated==true OR risk_band>=high
actions:
  - rescreen: full
  - flag: manual_review_if_score>threshold
```
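
An added example (not GambleHub's code) of how the KYC-TIERING-001 and KYC-REVERIFY-PAYOUT fragments above could be enforced at payout time, failing closed on unknown tiers. The numeric limits, the "XX" country override and the player record fields are constructed for illustration.

```python
import re

# Mirrors the KYC-TIERING-001 fragment; numeric limits are constructed.
POLICY = {
    "limits": {"base_limit": 500, "mid_limit": 5_000, "high_limit": 50_000},
    "tiers": {
        "KYC1": "deposits<=base_limit & withdrawals<=0",
        "KYC2": "deposits<=mid_limit & withdrawals<=mid_limit",
        "KYC3_EDD": "deposits<=high_limit & withdrawals<=high_limit",
    },
    "overrides": {"XX": {"mid_limit": 2_000}},  # "XX": placeholder country
}
CLAUSE = re.compile(r"^\s*(deposits|withdrawals)<=(\w+)\s*$")


def tier_allows(tier, kind, amount, country=None):
    """Evaluate the tier's allow expression without eval(); fail closed."""
    limits = {**POLICY["limits"], **POLICY["overrides"].get(country, {})}
    for clause in POLICY["tiers"].get(tier, "").split("&"):
        m = CLAUSE.match(clause)
        if not m:
            return False  # KYC0, unknown tier or malformed clause
        if m.group(1) == kind:
            bound = m.group(2)
            cap = int(bound) if bound.isdigit() else limits.get(bound)
            return cap is not None and amount <= cap
    return False


def evaluate_payout(player, amount, new_dest):
    """Apply KYC-REVERIFY-PAYOUT first, then the tier's withdrawal limit."""
    evidence = {"old_dest": player["payout_dest"], "new_dest": new_dest,
                "kyc_level": player["kyc_level"],
                "player_id": player["player_id"]}
    if new_dest != player["payout_dest"]:
        actions = [{"block": "payout"}, {"request": "kyc_level>=KYC2"},
                   {"notify": "aml_ops"}]
        return {"decision": "block", "actions": actions, "evidence": evidence}
    ok = tier_allows(player["kyc_level"], "withdrawals", amount,
                     player.get("country"))
    return {"decision": "allow" if ok else "block", "actions": [],
            "evidence": evidence}
```

Because KYC1 carries `withdrawals<=0`, any positive withdrawal below KYC2 is blocked, which closes the "withdrawal before KYC2/3" gap listed under anti-patterns.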

9) SOP (fragments)

SOP: Verification of KYC1

1. Check package completeness (ID + selfie, upload metadata).
2. Validate the document (MRZ/barcode, date, country), verify full name/date of birth.
3. Match selfie (face match, liveness).
4. Run sanctions/PEP screening; in case of matches → triage.
5. Assign KYC1, update limits, record evidence.

SOP: KYC2 (PoA)

1. Check document ≤ 90 days, address in valid format/language.
2. Match address to IP/device/payment methods.
3. Issue KYC2, expand limits/withdrawals, record evidence.

SOP: EDD/SoF (KYC3)

1. Request list of documents (salary/taxes/statements) and clarifications.
2. Match amounts/frequencies/sources to turnover and profile.
3. Resolution: Approve/Restrict/Close; on suspicion - SAR/AML process.
4. Update risk profile, limits, evidence.

10) Integrations

KYC providers: IDV, PoA, biometric, sanctions/PEP (batch + event-driven).
Payments: source-to-source control, velocity, holds until KYC completion.
AML/Case-management: joint player card, statuses, SLA.
CRM/Support: communication templates, KYC, ETA and dunning statuses.
DWH/BI: data marts of KYC events, reporting by license period.

11) KPI/OKR

Processes:
  • KYC1 median TAT, KYC2 PoA TAT, EDD Turnaround, Re-KYC TAT.
  • Auto-pass Rate (without manual participation), Manual Tail (manual share).
  • Sanctions/PEP Hit Rate and Precision on confirmed cases.
Quality and risk:
  • False Reject Rate of documents, Doc Quality Fail%.
  • Mismatch IP/Address frequency, Payout Blocked due to KYC (median time to unlock).
  • Evidence Completeness ≥ 98%.
Player experience:
  • KYC Drop-off by steps, CSAT/NPS by KYC processes.

12) Checklists

KYC flow start:
  • Data consents/policies adopted.
  • Initial sanction screening was performed.
  • Communication channels are confirmed (OTP/email).
KYC1:
  • Valid ID and selfie, passed liveness.
  • Name/date of birth/country match.
  • Sanctions/PEP: "clear" or routed to triage.
KYC2:
  • PoA is fresh and readable; address is normalized.
  • Geo-consistency (IP/device/payment method).
KYC3 (EDD/SoF):
  • The set of documents is complete; the amounts correspond to the turnover.
  • Decision and rationale recorded (evidence), risk profile updated.
Re-KYC event:
  • Reason and date, locks/limits applied correctly.
  • Communication sent to player (ETA/steps).

13) Anti-patterns

Universal "heavy" testing for all - high failures and costs.
Manual checks without SLA/logs and double control.
Storage of biometrics/documents without strict grounds and retention.
No link to payments: withdrawal is possible before KYC2/3.
Lack of sanctions re-screening and event-driven re-KYC.
Two versions of the truth: KYC in Excel and transaction data in DWH without reconciliation.

14) 30/60/90 - implementation plan

30 days (foundation):
  • Approve KYC policy (tiers, triggers, SLA, retention).
  • Connect IDV/sanctions/PEP, run KYC1 and PoA flow.
  • Set up Controls-as-Code: re-KYC for payout-change, sanction rescreening.
  • Enable evidence storage and RBAC.
60 days (scaling):
  • EDD/SoF processes, template communications and case management.
  • Integration with payments (source-to-source, velocity), auto-block until KYC2/3.
  • KPI dashboards (TAT, Auto-pass, Manual Tail, Hit-Rate).
  • Pilot biometric liveness/BankID (where available).
90 days (consolidation):
  • Manual Tail reduction ≥ 30%, KYC1 median TAT ≤ target, False Reject ↓.
  • Re-KYC and sanctions re-screening procedures, compliance audit.
  • Tie KPIs to team OKRs (Compliance/Ops/Payments/Support).

15) FAQ

Q: When to request an address (PoA)?
A: When the deposit/withdrawal threshold is reached, when the geo/method is inconsistent, or when the country/license requires it.

Q: When is SoF/SoW needed?
A: At high turnover/VIP, anomalies, high-risk geo/methods, before a major withdrawal.

Q: How to reduce failures on KYC?
A: Mobile prompts/ocr validation, clear photo requirements, BankID/eID support, step separation, fast feedback.

Q: How to protect privacy?
A: Minimization, encryption, strict RBAC/access logs, automatic retention and deletion policy.
