Risk Assessment and Threat Levels
1) Objectives and scope
The goal is a consistent, repeatable and verifiable approach to identifying, measuring and managing the risks of iGaming operations and compliance, reducing the overall vulnerability of the business.
Coverage: AML/KYC/KYB, sanctions and PEP screening, payment and behavioral fraud schemes, data breaches and cyber threats, platform availability (SLA/SLO), regulatory changes, partner/provider risks, responsible gaming (RG).
2) Basic concepts and scales
Risk = probability of the event × magnitude of the damage (financial, legal consequences, SLA/player experience, reputation).
Threat - the source of the event (external/internal actor, process, vulnerability).
Threat levels:
- Info (informational) - a signal without immediate impact; monitoring only.
- Low - local incidents, resolved within the shift.
- Medium - impact on one region/process; requires escalation within 4 hours.
- High - cross-service impact or growing losses; mandatory escalation within ≤ 1 h.
- Critical - significant damage, regulatory risk or mass unavailability; immediate incident bridge, notice to management and legal.
Scales:
- Probability (L): 1 - extremely rare; 2 - rare; 3 - possible; 4 - likely; 5 - almost certain.
- Impact (I): 1 - insignificant; 2 - low; 3 - average; 4 - high; 5 - critical.
3) 5×5 matrix and escalation thresholds
Risk score = L × I (1-25).
Zones:
- 1-5 Green (acceptable): monitoring, prevention.
- 6-10 Yellow (requires a plan): a plan with deadlines and a named owner.
- 11-15 Orange (accelerated reduction): sprint-level tasks, frequent control.
- 16-25 Red (unacceptable): immediate escalation, temporary blocking ("cut-off") and protective measures.
Escalation deadlines:
- Yellow: up to 24 hours → risk owner.
- Orange: up to 4 hours → Head of Discipline.
- Red: ≤ 15 min → incident bridge, C-level/legal/PR/compliance.
4) Risk categories for iGaming
1. AML/Sanctions/PEP: false positives/negatives, circumvention of restrictions, "money muling", mixing of funds.
2. KYC/KYB: fake documents, synthetic identities, affiliate/partner fraud.
3. Payment fraud: chargebacks, bonus abuse, "laundering through cash-outs", multi-accounting.
4. Cybersecurity/Data: phishing, ATO (account takeover), PII leaks, DDoS, API vulnerabilities.
5. Operational resilience: SLA degradation, release incidents, payment chain failures.
6. Regulatory and fines: non-compliance with local rules, reporting, advertising.
7. Responsible gaming (RG): escalating problem-gambling cases, self-exclusion, limits.
8. Third parties/Vendors: vendor outage, data-processing violations, sanctions risks.
5) Evaluation methodology (end-to-end cycle)
1. Identification:
sources: anti-fraud logs, SIEM/SOAR, case management, regulatory reports, player complaints, partner monitoring, pentest reports.
2. Analysis of causes and scenarios:
"what if" walkthroughs along the customer path: registration → verification → deposits → bonuses → withdrawals → support.
3. Quantification:
SLE/ALE: one-time and annual expected damage;
Ranges: P10/P50/P90 (including seasonality);
Stress tests: a surge in traffic/campaigns/sports events.
4. Control assessment: preventive, detective, corrective measures; efficiency (proportion of locks, FPR/FNR).
5. Treatment plan: accept/reduce/transfer (insurance/outsourcing)/eliminate (process change).
6. Monitoring and reporting: KRI/KPI, dashboards, post-incident retrospectives.
6) Key Risk Indicators (KRI) and KPIs
AML/KYC:
- Share of sanctions/PEP alerts per 1k registrations; manual review time; % false positives.
Payments/FRM:
- Chargeback rate; net fraud loss as % of GGR; % bonus abuse; conversion of fraud signals into blocks.
Cybersecurity:
- ATO rate per 1k logins; time to detect (MTTD) and time to recover (MTTR); number of open critical vulnerabilities.
Operational resilience:
- SLO uptime; incidents per release; rollback success rate.
Responsible gaming:
- % self-exclusions; share of players exceeding their limits; support reaction time.
7) Threat levels and action mapping
8) Thresholds (approximate reference points - adapt to the jurisdiction)
Sanctions/PEP: hit rate > 1.5% of registrations (Medium), > 3% (High).
KYC FPR: > 8% (Medium), > 12% (High).
Chargeback rate: > 0.8% (Medium), > 1.2% (High), > 1.5% (Critical).
ATO: > 0.3 per 1k logins (Medium), > 0.6 (High).
SLA of payment providers: weekly uptime < 99.5% (Medium), < 99.0% (High).
RG escalation: problem-gambling complaints > baseline by 50% (High).
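The thresholds above only become useful when the raw counts are turned into KRIs and compared in the right direction (uptime breaches when it falls *below* the bar, every other indicator when it rises *above* it). The following added example, which is not part of this document, does exactly that: it encodes the section 8 thresholds, derives the KRIs from a constructed set of weekly counts, assigns each KRI a threat level from section 2, and rolls them up to the worst level. The counts, the key names and the `escalation_for` mapping (taken from the section 2 level definitions) are assumptions made for the example; comparisons are strict, matching the ">" and "<" in the text.

```python
"""Added example (not from the document): evaluate section 8 KRI thresholds.

The threshold values and threat levels are the document's; the sample counts
and key names are constructed for this example."""
from dataclasses import dataclass

LEVELS = ("Info", "Low", "Medium", "High", "Critical")  # ascending severity


@dataclass(frozen=True)
class KriThreshold:
    name: str
    unit: str
    steps: tuple            # ((level, threshold), ...) in ascending severity
    higher_is_worse: bool = True  # False for uptime-style KRIs


# Section 8 thresholds. Comparisons are strict (">" / "<") as in the text.
THRESHOLDS = {
    "sanctions_pep_hit_rate": KriThreshold("Sanctions/PEP hit rate", "% of registrations",
                                           (("Medium", 1.5), ("High", 3.0))),
    "kyc_fpr": KriThreshold("KYC false-positive rate", "%",
                            (("Medium", 8.0), ("High", 12.0))),
    "chargeback_rate": KriThreshold("Chargeback rate", "%",
                                    (("Medium", 0.8), ("High", 1.2), ("Critical", 1.5))),
    "ato_per_1k_logins": KriThreshold("ATO rate", "per 1k logins",
                                      (("Medium", 0.3), ("High", 0.6))),
    "payment_provider_uptime": KriThreshold("Payment provider weekly uptime", "%",
                                            (("Medium", 99.5), ("High", 99.0)),
                                            higher_is_worse=False),
    "rg_complaints_vs_baseline": KriThreshold("RG complaints above baseline", "%",
                                              (("High", 50.0),)),
}


def evaluate_kri(key: str, value: float) -> str:
    """Return the highest threat level whose threshold `value` breaches, else Info."""
    kri = THRESHOLDS[key]
    level = "Info"
    for step_level, threshold in kri.steps:
        breached = value > threshold if kri.higher_is_worse else value < threshold
        if breached:
            level = step_level  # steps are ascending, so the last breach wins
    return level


def compute_kris(counts: dict) -> dict:
    """Derive the KRIs from raw weekly counts (keys are this example's assumption)."""
    rg_delta = counts["rg_complaints"] - counts["rg_baseline"]
    return {
        "sanctions_pep_hit_rate": 100.0 * counts["sanctions_hits"] / counts["registrations"],
        "kyc_fpr": 100.0 * counts["kyc_false_positives"] / counts["kyc_alerts"],
        "chargeback_rate": 100.0 * counts["chargebacks"] / counts["deposits"],
        "ato_per_1k_logins": 1000.0 * counts["confirmed_ato"] / counts["logins"],
        "payment_provider_uptime": counts["uptime_pct"],
        "rg_complaints_vs_baseline": 100.0 * rg_delta / counts["rg_baseline"],
    }


def assess(counts: dict) -> dict:
    """Map every KRI to its threat level."""
    return {key: evaluate_kri(key, value) for key, value in compute_kris(counts).items()}


def overall_level(levels: dict) -> str:
    """Worst level across all KRIs drives the escalation path."""
    return max(levels.values(), key=LEVELS.index)


def escalation_for(level: str) -> str:
    """Escalation rule per threat level, as stated in section 2 of the document."""
    return {
        "Info": "monitoring",
        "Low": "resolve within the shift",
        "Medium": "escalate within 4 hours",
        "High": "mandatory escalation within 1 hour",
        "Critical": "immediate incident bridge, notify management and legal",
    }[level]


# Constructed weekly counts for a single brand (not real data).
SAMPLE_COUNTS = {
    "registrations": 20_000, "sanctions_hits": 320,
    "kyc_alerts": 1_000, "kyc_false_positives": 70,
    "deposits": 10_000, "chargebacks": 130,
    "logins": 20_000, "confirmed_ato": 9,
    "uptime_pct": 99.2,
    "rg_complaints": 45, "rg_baseline": 28,
}

if __name__ == "__main__":
    result = assess(SAMPLE_COUNTS)
    for key, level in result.items():
        print(f"{THRESHOLDS[key].name:<35} {level}")
    worst = overall_level(result)
    print("Overall:", worst, "->", escalation_for(worst))
```

Running the block on the constructed counts flags the chargeback rate (1.3%) as High, the sanctions hit rate, ATO rate and provider uptime as Medium, and the RG complaint growth (about 61% over baseline) as High, so the week rolls up to High and the one-hour escalation rule applies. Adding a jurisdiction-specific override is a matter of replacing entries in `THRESHOLDS`, which is the adaptation section 8 asks for.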
9) Control measures and architectural patterns
Preventive: sanctions/PEP screening at onboarding and before payout; behavioral biometrics; device fingerprinting; deposit/withdrawal limits; 2FA/WebAuthn; network segmentation; PII encryption; second-reviewer ("two pairs of eyes") check in verifications.
Detective: real-time anti-fraud rules; SIEM correlations; KRI anomaly alerts; honeypot accounts.
Corrective: temporary blocking of functions (bonuses/payouts), raised AML check levels, release rollbacks, key/secret rotation, hotfixes.
Processes: RACI for incidents, mandatory post-mortems (with 5 Whys), change control (CAB), regular tabletop exercises.
10) Risk register (field template)
ID, Category, Scenario, Causes/Vulnerabilities, Owners (Business/Tech), L, I, Score, Zone, Controls (Current/Plan), KRIs Threshold, Status, Deadlines, Revision Date.
Example entry
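The register template above and the 5×5 matrix of section 3 fit together as one small data model: each row carries L and I, and the score, zone and escalation deadline are derived rather than typed in by hand, so they can never disagree with the scale. The block below is an added example, not the document's own register entry: it implements that derivation with the document's zone boundaries and escalation rules, validates that L and I stay on the 1-5 scale, and fills a constructed register with placeholder IDs, owners and a residual-score calculation (the `residual_score` helper and the sample rows are assumptions of the example, not content from the document).

```python
"""Added example (not from the document): a risk-register row whose score,
zone and escalation are derived from the 5x5 matrix of section 3 using the
field template of section 10. Sample rows, IDs and owners are constructed."""
from dataclasses import dataclass, field

# Zone boundaries and escalation deadlines/targets from section 3.
ZONES = (
    # (min score, max score, zone, escalation deadline, escalation target)
    (1, 5, "Green", None, None),
    (6, 10, "Yellow", "24h", "risk owner"),
    (11, 15, "Orange", "4h", "Head of Discipline"),
    (16, 25, "Red", "15min", "incident bridge; C-level/legal/PR/compliance"),
)


def risk_score(likelihood: int, impact: int) -> int:
    """L x I on the 1-5 scales; values off the scale are rejected, not clamped."""
    for name, value in (("L", likelihood), ("I", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer in 1..5, got {value!r}")
    return likelihood * impact


def zone_for(score: int) -> tuple:
    """Return (zone, escalation deadline, escalation target) for a 1-25 score."""
    for low, high, zone, deadline, target in ZONES:
        if low <= score <= high:
            return zone, deadline, target
    raise ValueError(f"score {score} is outside 1..25")


@dataclass
class RiskEntry:
    """One register row; field names follow the section 10 template."""
    id: str
    category: str
    scenario: str
    causes: str
    owner_business: str
    owner_tech: str
    likelihood: int
    impact: int
    controls_current: list = field(default_factory=list)
    controls_plan: list = field(default_factory=list)
    kri_threshold: str = ""
    status: str = "open"
    deadline: str = ""
    revision_date: str = ""

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def zone(self) -> str:
        return zone_for(self.score)[0]

    def escalation(self) -> dict:
        zone, deadline, target = zone_for(self.score)
        return {"zone": zone, "deadline": deadline, "target": target}


def residual_score(entry: RiskEntry, likelihood_after: int, impact_after: int) -> dict:
    """Inherent vs residual position once the planned controls are assumed effective."""
    residual = risk_score(likelihood_after, impact_after)
    return {"inherent": (entry.score, entry.zone),
            "residual": (residual, zone_for(residual)[0])}


def needs_escalation(register: list) -> list:
    """Rows outside the Green zone, most severe first."""
    return sorted((e for e in register if e.zone != "Green"),
                  key=lambda e: e.score, reverse=True)


# Constructed register (placeholder IDs, owners and thresholds).
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Payment fraud", "Bonus abuse via multi-accounting during a tournament",
              "weak velocity rules; shared card/device", "Head of FRM", "Anti-fraud lead", 4, 4,
              ["device fingerprinting"], ["velocity rules", "promo limits"],
              "bonus abuse > <placeholder>% of promo spend", "open", "2 weeks", "<date>"),
    RiskEntry("R-002", "Third parties/Vendors", "KYC vendor outage",
              "single provider, no failover", "Compliance lead", "SRE lead", 2, 4),
    RiskEntry("R-003", "Cybersecurity/Data", "PII exposure through an API endpoint",
              "missing authorization check", "DPO", "AppSec lead", 3, 4),
    RiskEntry("R-004", "Operational resilience", "SLA degradation after a release",
              "no canary stage", "Head of Ops", "SRE lead", 1, 3),
]

if __name__ == "__main__":
    for row in needs_escalation(SAMPLE_REGISTER):
        print(row.id, row.score, row.escalation())
    print(residual_score(SAMPLE_REGISTER[0], 2, 3))
```

With the constructed rows, R-001 scores 16 (Red, 15-minute escalation to the incident bridge), R-003 scores 12 (Orange, 4 hours to the Head of Discipline), R-002 scores 8 (Yellow, 24 hours to the risk owner) and R-004 stays Green; assuming the planned velocity rules and promo limits bring R-001 to L=2, I=3 gives a residual score of 6, which is still Yellow and so still needs an owner and a deadline.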
11) Scenario analysis and stress tests
Bonus abuse during a major tournament: a surge of new registrations, a sharp increase in deposits from one card/device → tighten velocity rules, cap promotions, add manual checks.
KYC vendor outage: switch on the backup provider, narrow the corridor of permissible limits, if necessary temporarily prohibit fast withdrawals.
DDoS/uptime degradation: WAF/rate-limit activation, geo-blocking, traffic rerouting, release freeze.
12) Reporting and Communications
Dashboards: KRIs by domain, "traffic light" zones, current High/Critical cases.
Cadence: daily operator reports, weekly trend bridges, monthly risk committee (register update, risk-reduction plans).
Mandatory notifications: regulator/bank/payment partners in case of AML violations, leaks or mass incidents - according to local requirements.
Document trail: decision log, post-mortem artifacts, CAPA (Corrective and Preventive Actions) tracking.
13) Roles and Responsibilities (RACI, aggregated)
Business/Compliance: L/I score, mitigation plan, reporting.
Security/FRM: detection, anti-fraud rules, SOAR playbooks.
Data/ML: scoring models, threshold calibration, A/B rules.
Ops/SRE: stability, SLOs, autoscaling/feature flags.
Legal/PR: communications with regulators/banks/public.
Support/VIP: initial reaction to player cases.
14) Implementation (road map)
1. Week 1-2: risk inventory, approval of the scales, launch of the basic 5×5 matrix and the register.
2. Week 3-4: KRI onboarding, alert integration, RACI and post-mortem templates.
3. Month 2: backup providers (KYC/sanctions), SOAR playbooks, rule backtesting.
4. Month 3+: scenario stress tests, performance audit, revision of thresholds and risk appetite.
15) Appendices
A. Scoring scale (example):
- Probability: {1: ≤ 1/year, 2: quarterly, 3: monthly, 4: weekly, 5: daily}
- Impact (finance): {1: < €5k, 2: €5-25k, 3: €25-100k, 4: €100-500k, 5: > €500k}
- Impact (regulatory): {1: none, 2: inquiry, 3: prescription, 4: penalty risk, 5: high risk of licence recall/large fine}
B. Domain interdependencies:
- AML/KYC ↔ Sanctions/PEP ↔ RG ↔ DLP/PII ↔ SRE/Releases ↔ Payments/FRM.
C. Readiness checklist:
- Scales/matrix are consistent; KRIs are flowing; thresholds are fixed; SOAR playbooks tested; backup providers connected; monthly risk committee active; CAPA tracker in use.
TL;DR
A single 5×5 matrix + clear KRIs and thresholds → automatic alerts and clear playbooks → rapid level-based escalation (Info → Critical) → regular post-mortems and risk reassessment. This reduces losses, speeds up reaction and strengthens the compliance position in iGaming.