AML monitoring and rules

1) AML monitoring objectives and RBA principle

• Early detection of placement → layering → integration patterns.
• Reduction of regulatory and payment risk (banks/PSP, card schemes).
• Consistency with risk-based approach (RBA): Depth of control and speed of response depend on customer/geo/product profile and amount.

2) Risk map: what we take into account in the model

Customer risk (KYC): account age, Tier/KYC/EDD, SoF/SoW, PEP/adverse media.
Geo/jurisdictions: sanctions, high FATF risk, cross-border routes.
Payment methods: cards (MCC 7995), A2A, wallets, crypto (in/out).
Behavior and relationship graph: common IP/devices/means of payment (multi-account/mules).
Transactions and funds movements: velocity, amount, frequency, time-to-within.
Gaming context: deposits → short activity → withdrawal; abnormal session returns.

3) AML monitoring architecture (online + offline)

1. Collection of events in real time: deposits, rates, conclusions, transfers, KYC/KYB changes, anti-fraud alerts.
2. Rule Engine (≥ 50-150 ms per solution) :/hold/escalation triggers.
3. Scoring/ML layer: composite risk rate, graph features (mules, "farms" of accounts).
4. Case Management: prioritization, checklists, timeline, attachments.
5. DWH & reporting: aggregates, trends, KPIs, model training.
6. Integrations: KYC/KYB, PSP, KYT (crypto) providers, sanction screening, Travel Rule.

4) Rules Library (kernel)

1. Structuring/Smurfing

Lots of deposits just below the review/SoF limit in a short window.
Highly fragmented turnover → quick output to different details.

2. Rapid In–Out / Short Dwell

Deposit → minimum or zero game → fast withdrawal (T + 0/T + 1).
The output amount does not match the player's revenue profile.

3. Mule/Proxy Use

One 'device/IP' supports multiple accounts with different payers.
Shared cards/wallets between independent accounts.

4. Layering through methodology

A2A chains/wallets/crypto with currency conversion and transfers between sub-wallets.

5. Bonus Abuse (AML-relevant)

Network clusters of accounts, synchronous deposits for minimum amounts, quick conclusions of bonus winnings.

6. High-Risk Geo / PEP / Adverse Media

Customer transactions with EDD tags or on a pop-up sanctions match.

7. Chargeback-pumping

Series of deposits with further chargebacks and timely "cashing" conclusions.

8. Crypto-on/off-ramp anomalies

Input/output through high-risk addresses (mixers, darknet, scam clusters), high'risk _ score'of KYT provider.

5) Parameters and thresholds (normalization example)

Velocity: deposits ≥ N for 24h; unique means of payment ≥ M.
Time-to-within: percentage of leads ≤ T minutes after deposit.
Structuring: share of payment events in the range '[threshold − ε, threshold)' for 7 days.
Graph: degree (device/IP/card)> quantile of the 99th percentile; proximity to known clusters (embeddings).
KYT (crypto): address/exchange with risk category ≥ R; connections ≤ 2 hops with prohibited entities.
Geo risk: operations from/to high-risk countries or sanctions.

Thresholds are adaptive: down for new accounts/high-risk geo and up for clean-history and Tier2 + customers.

6) Example rules (pseudo-SQL)

sql
-- Rapid In-Out: Deposit → Quick Withdrawal
IF sum(withdraw. amount WHERE ts BETWEEN now()-1d AND now()
AND withdraw. time_from_last_deposit <= 30m) >= X
AND gameplay. activity_score <= Y
THEN ALERT('RAPID_IN_OUT')

-- Structuring: SoF threshold crushing
IF count(deposit WHERE amount BETWEEN (S-δ) AND (S-1)
AND ts BETWEEN now()-7d AND now()) >= K
THEN ALERT('STRUCTURING')

-- Mule network: a common device/card for ≥ N accounts in 14 days
IF distinct(accounts USING device_id OR card_token) >= N
THEN ALERT('MULE_NETWORK')

-- Crypto KYT: Address/Exchange Risk
IF kyt_risk_score >= R OR kyt_exposure_to_mixer <= 2_hops
THEN ALERT('KYT_HIGH_RISK')

7) Prioritization and routing of alerts

Severity: High (sanctions/KUT high risk/PEP + anomaly), Medium (rapid in-out/structuring), Low (velocity without output).
Routing: line Investigations L1/L2/L3, escalation to Compliance/Legal.
Deadlines: High - analysis ≤ 4 hours; Medium — ≤ 24 ч; Low - ≤ 72 h.
Actions: temporary hold/limit, document request (SoF/EDD), blocking, SAR/STR.

8) Investigations: Process and artefacts

• Customer profile (KYC tiers, SoF/SoW, PEP/sanctions, history).
• Timeline: deposits/play/outputs, IP/devices, geo, connected accounts.
• Payment identifiers: PSP ids, ARN/RRN, wallets/addresses.
• KYT report (for crypto): path of funds, risk clusters, exchange tags.
• Result: Approve/Close, EDD & monitor, Freeze & Report.

Communication with the client: SoF/document request templates, response times, consequences of failure to provide.

9) SAR/STR and interaction with regulator/partners

Submission criteria: reasonable suspicion of laundering/financing/sanctions violations.
Content: brief description, facts and timeline, amounts/details, connection with known schemes, measures, contact of the person responsible.
Terms: depending on the jurisdiction (often - "without delay" after establishing suspicion).
Confidentiality: prohibition of informing the client about the fact of SAR (tipping-off).
Interaction with the acquirer/PSP: transfer of risk intelligence (within the framework of the contract and the law).

10) Sanctions and screening vs AML monitoring

Sanctions/PEP/Adverse Media screening - personality/company filter.
AML monitoring is a filter of behavior and transactions.
They complement each other: the sanctions hit raises the priority of AML alerts and the EDD/hold trigger.

11) Crypto Streams: KYT, Travel Rule, off-/on-ramp

KYT (Know Your Transaction): address/exchange risk providers, on-chain tracing, source/recipient categorization.
Travel Rule: exchange of sender/receiver attributes between VASPs during threshold transfers (where applicable).
Off-/On-ramp policies: white-list exchanges/providers, banning high-risk P2P sites, limits on amounts/frequency, hold on primary outputs after crypto entry.

12) Metrics, quality control and model risk

• Alert Precision/Recall.
• Share of High-alerts closed in SLA.
• Average investigation time (p50/p95).
• SAR-conversion (alerts → reports).
• Repeated alerts on the same clusters (recurrence).
• Percentage of false positive locks (impact per conversion).

Validation of models/rules: backtesting, feature stability, drift (PSI), quarterly - rule review, annually - independent verification.

13) Governance and responsibility

AML policy: roles (MLRO/Head of Compliance), thresholds, geo-matrix, list of prohibited sources.
Change-control: RFC for new rules/thresholds, change log, A/B business impact assessment.
Training: annual trainings, knowledge tests, case library.
Audit and retention: storage of cases/solutions/data according to requirements (usually 5 + years), protected storage, access via RBAC.

14) Anti-patterns

"One size for all": same thresholds for all countries/methods/clients.
Reactive monitoring without online - "catch-up" control.
Lack of graph analytics → multi-accounts/mules are not caught.
Ignoring KYT/Travel Rule on crypto threads.

There are no clear SLAs for investigations, alerts are piling up with "debt."

No AML ↔ KYC/KYB/Payments Orchestrator communication (no hold/on-wire limits).

15) Implementation checklist

• Risk Assessment: risk map by customer/geo/method/product.
• Rule Engine online + rule library (structuring, rapid in-out, mule, KYT, geo).
• Scoring/ML + graph features; threshold calibration and prioritization.
• Case system with templates, timelines, checklists and SLAs.
• Integrations: KYC/KYB, Sanctions/PEP, PSP, KYT, Travel Rule.
• SAR/STR processes, playbook "Freeze & Report," prohibition of tipping-off.
• Quality metrics (precision/recall, SLA, SAR-conversion), dashboards and alerts.
• Change management and annual independent testing.
• Data retention/access policies, encryption, auditing.
• Team training (Payments/Risk/Compliance/Support) and regular drills.

16) Summary

Strong AML monitoring in iGaming is an online Rule Engine + ML/graph linked to ASC/ASC/sanctions/ASC, clear SLA investigations, SAR/STR discipline, and constant calibration of thresholds at real risk. Such a circuit cuts off laundering, keeps partner infrastructure in the "green zone" with banks/PSP and almost does not hit the conversion of bona fide players.