License Types and Requirements
1) Overview of license types
By role:
- B2C (operator): the right to offer games to end users (casino, live, betting, poker, lotto, etc.).
- B2B (provider): the right to provide a platform/content/services to operators (platform, games/RNG, live studios, payments as a technology provider, hosting).
- Casino/Slots, Live Casino, Sportsbook (fixed-odds, in-play), Poker (P2P), Bingo/Lottery, Fantasy/Skill-based.
- Proprietary license (operator/brand owner).
- White-Label (B2C right through platform license with brand sublicense/authorization).
- Skin/Brand Authorization (connecting additional brands to an existing license).
- Distributed model (local license + cross-regional infrastructure, mirrors/edge/regulatory data localization).
2) Requirements: what regulators ask (framework)
Legal/Corporate
Beneficiaries, ownership structure, no sanctions/convictions.
Local presence (legal entity/representative office/officer in charge).
Provider Contracts (B2B), Content Rights, Hosting/Data Center.
Financial
Minimum authorized capital/reserves, financial guarantees/bank guarantees.
Separate customer accounts/segregation of funds, anti-chargeback procedures.
Audited accounts, sources of beneficiary funds (SoF/SoW).
Technical (platform/infrastructure)
Architecture, logging/observability, redundancy, DR/BCP.
Game integrity: RNG/math, content certification, version change control.
Information security: encryption at rest/in transit, IAM, admin activity log.
Geo-restrictions/data localization, protection against bots and fraud.
RG/KYC/AML
Age, identity and address verification, PEP/sanctions screening, limits/self-exclusion.
Monitoring of transactions and behavior (velocity, SoF), EDD procedures.
Self-exclusion registers/blacklists, staff training.
Marketing/Advertising/Affiliates
Age disclaimers, prohibition of "risk-free" promises, limitation of channels/time slots.
KYB affiliates, creative library, UTM/traffic source tracing.
Reporting and auditing
Periodic/real-time uploads (GGR, RG cases, complaints, AML/SAR).
External/internal audits: tech audits, game/RNG audits, security/privacy audits.
Incident reporting (notification SLAs for regulator/banks/players).
3) License Register Data Model (YAML)
```yaml
license_id: B2C-CASINO-<COUNTRY>-<NNN>
role: b2c                 # b2c | b2b
verticals: [casino, live, betting]
jurisdiction: <ISO-2>
holder: <legal_entity>
brands: [brandA, brandB]
local_presence: required  # required | optional | none
valid_from: YYYY-MM-DD
valid_to: YYYY-MM-DD
financial_guarantee: {type: bank_guarantee, amount: <currency_amount>}
tech_requirements:
  rng_cert: true
  siem_logs: true
  dr_rto: "30m"
  data_localization: false
rg_kyc_aml:
  kyc_levels: [basic, address, edd]
  self_exclusion: registry
  aml_ruleset: "v3.1"
ads_affiliates:
  disclaimers: [age, wagering_conditions]
  restricted_channels: [tv_daytime]
reporting:
  frequency: monthly
  formats: [csv, api]
  realtime: [rg_cases]
contacts:
  compliance_officer: email@domain
  mlro: aml@domain
review_sla_days: 180
status: active
```
4) License life cycle and obligations
4.1. License application
Pre-DD: structure, SoF/SoW, local company/agent, B2B contracts.
Technical package: architectural scheme, security, BCP/DR, release/change processes, logging/audit.
Content: RNG/mathematics, list of providers, integrations.
Operational policies: RG/KYC/AML, incidents, advertising, complaints.
Finance: Capital/Guarantees, Business Plan, Reporting and Tax Forecast.
4.2. Post-grant
Policy/Controls-as-Code compliance.
Scheduled reporting, registry maintenance (complaints, AML/RG cases, incidents).
Approval of changes: releases, new providers, change of hosting/data center, new payment methods.
4.3. Renewal
Updated RNG/security certificates.
Audit for the period, RG/AML indicators, complaint statistics.
Confirmation of financial stability/guarantees.
4.4. Variation
Vertical/brand addition, white-label/skin, platform migration.
Notification of change of beneficiaries/directors.
Changes in advertising policy and affiliate network.
5) Role/vertical commitment matrix (example)
6) Application Dossier
Corporate
- Ownership Structure/Beneficiaries/SoF/SoW.
- Local legal entity/representative, powers of officers.
Finance
- Audited reporting/plan.
- Bank guarantee/insurance/deposit.
Technical
- Architecture, observability/logging/auditing, CI/CD, change management.
- BCP/DR (RTO/RPO, test protocols), security (encryption, IAM, secrets).
- RNG/content certification, game release control.
Operations/Policies
- RG/KYC/AML, complaints, incidents/reporting, support/SLA.
- Advertising/Affiliates: Rules, Templates, Creative Library.
Reporting
- Upload formats, frequencies, test files, contact persons.
7) Controls in production: Policy-/Controls-as-Code
Example RG loss-limit control (adapted per country):
```yaml
control_id: RG-LIMIT-LOSS-DAILY
scope: bets
trigger: loss_today > limit_loss_daily
actions:
  - block: further_bets
  - notify: player_template_rg_limit
evidence:
  fields: [loss_today, limit, messages_sent, ack]
overrides:
  - country: <ISO>
    set: {limit_loss_daily: <amount>, cool_off_hours: <N>}
owner: rg_officer
review_sla_days: 180
```
Example of AML velocity control (deposits):
```yaml
control_id: AML-VELOCITY-01
scope: deposits
trigger:
  expr: rolling_sum(amount, 1h) > baseline_30d3 OR count_unique(payment_method,1h)>=3
actions:
  - flag: aml_review
  - limit: withdrawals "hold_24h"
  - notify: mlro
evidence:
  store: s3://evidence/aml-velocity/{player_id}/{ts}
owner: mlro
```
Release gate by country/license:
```yaml
policy_id: RELEASE-GATE-COMPLIANCE
require:
  - country_overrides_present: true
  - report_schemas_valid: true
  - rg_controls_enabled: true
  - ads_templates_localized: true
on_fail: block_release
```
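An added example (not part of the original page or any operator's code): a small Python evaluator for the RG-LIMIT-LOSS-DAILY control with per-country overrides, plus the `country_overrides_present` release-gate requirement. It shows why the gate matters: a country without an override silently falls back to the default limit. The `defaults` block, the country codes `AA`/`ZZ`, the amounts and the extra evidence fields (`control_id`, `player_id`, `ts`) are constructed assumptions.

```python
"""Added example: evaluate RG-LIMIT-LOSS-DAILY with per-country overrides and
check the country_overrides_present release-gate requirement. Countries,
amounts and player ids are constructed for illustration."""
from datetime import datetime, timezone

# The page's control as a dict instead of YAML; `defaults` is an assumption.
CONTROL = {
    "control_id": "RG-LIMIT-LOSS-DAILY",
    "defaults": {"limit_loss_daily": 500, "cool_off_hours": 24},
    "actions": [{"block": "further_bets"}, {"notify": "player_template_rg_limit"}],
    "overrides": [{"country": "AA", "set": {"limit_loss_daily": 200, "cool_off_hours": 48}}],
}

def effective_params(control, country):
    """Defaults merged with the override for `country`, if one exists."""
    params = dict(control["defaults"])
    for override in control["overrides"]:
        if override["country"] == country:
            params.update(override["set"])
    return params

def evaluate(control, player, now=None):
    """Apply the trigger `loss_today > limit_loss_daily`; return (actions, evidence)."""
    limit = effective_params(control, player["country"])["limit_loss_daily"]
    fired = player["loss_today"] > limit  # strict: a loss equal to the limit passes
    actions = control["actions"] if fired else []
    evidence = {  # written for every evaluation, fired or not
        "control_id": control["control_id"],
        "player_id": player["player_id"],
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "loss_today": player["loss_today"],
        "limit": limit,
        "messages_sent": [a["notify"] for a in actions if "notify" in a],
        "ack": False,  # set once the player acknowledges the notification
    }
    return actions, evidence

def release_gate(control, licensed_countries):
    """country_overrides_present: every licensed country needs its own override."""
    have = {o["country"] for o in control["overrides"]}
    missing = sorted(set(licensed_countries) - have)
    return ("pass", []) if not missing else ("block_release", missing)
```
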
8) License Change Management (SOP, fragments)
SOP: Adding a new brand (skin)
1. Check license terms (whether brand authorization is allowed).
2. Register brand/domain/localization/age tags.
3. Link RG/KYC/AML/Ads policies and reporting.
4. Test reports (brand-split), enable logging.
5. Notify regulator/banks (if required), record evidence.
SOP: Connecting a new game provider
1. Check the status/certificates of the provider in the registry.
2. Agree on content set/verticals, configure RNG/metrics/logging.
3. Update reporting (game/vendor IDs).
4. Release via policy-gate, collect evidence.
9) RACI (functions)
10) Compliance Calendar (example)
Daily: RG/AML monitoring, incident reporting as incidents occur.
Weekly: ISP/Payment Integration Reports, Alert Compliance Check.
Monthly: regulatory uploads (GGR/beta/RG cases), reconciliations with DWH.
Quarterly: tech audits/security scans, provider reports, Policy/Controls review.
Semiannually/annually: renewal of RNG/IS certificates, audit of the effectiveness of controls, renewal of licenses/authorizations.
11) Anti-patterns
"License first, processes later": lack of Controls-as-Code, reports and evidence.
Two versions of the truth: Excel reports ≠ production logs.
No brand-split in the data; metrics lumped into one "common heap".
Manual EDD without a defined procedure, deadlines or logging.
Advertising through affiliates without KYB and creative libraries.
No DR tests/change logs for RNG/games.
12) Maturity metrics
Control coverage: ≥ 95% of critical points (registration/deposits/bets/withdrawals/bonuses).
Reporting SLA: timeliness of uploads ≥ 98%, schema errors = 0.
Evidence completeness: ≥ 98% of cases with the correct packages.
RG/AML KPIs: proportion of cases prevented/escalated, False Positive ↓ QoQ.
Audit findings TTR: closing ≤ 90 days.
Policy review SLA: overdue reviews = 0.
13) 30/60/90 - implementation plan
30 days (foundation):
- Create a register of licenses and taxonomy of requirements by roles/verticals.
- Raise the basic Controls-as-Code set (RG/AML/reporting).
- Build Application Dossier templates (corporate/financial/tech/operational).
- Enable release-gate compliance in CI.
- Connect reporting data marts and automate uploads (brand-split, country-split).
- Integrate RG/KYC/AML into product flow; run evidence-by-design.
- Conduct the first internal technical audit and DR/BCP test for licensed RTO/RPO.
- Cover ≥ 95% of critical points with controls, Reporting SLA ≥ 98%.
- Formalize RACI and the obligations calendar; tie KPIs to team OKRs.
- Prepare the package for license extension/variation (brand/vertical variations).
14) FAQ
Q: What to choose: your own license or white-label?
A: Own license: higher CAPEX and a longer lead time, but greater control and a higher business valuation. White-label: faster launch, lower flexibility/rating, dependence on the license owner.
Q: How to minimize the risks of rejection in the application?
A: Strong technical package (security/DR/observability), financial guarantees, transparent SoF/SoW, mature RG/AML processes and evidence-by-design.
Q: How to manage provider/content changes?
A: Through variation procedures: pre-approval, game/RNG version control, reporting and release logging.