GH GambleHub

KYC: documents, verification, SLA

1) Why iGaming needs KYC and how it affects monetization

KYC is the foundation of AML/sanctions compliance and business protection against fraud/chargebacks. Correct KYC:
  • reduces the risk of blocking by payment partners and banks,
  • reduces "friendly fraud" and the chargeback rate,
  • speeds up withdrawals (fewer manual checks) and increases LTV,
  • complies with the requirements of regulators and payment service providers.

Principle: risk-based approach - the higher the risk profile of a client/operation, the deeper the check and the narrower the tolerance window for anomalies.

2) Tiers and upgrade triggers

Tier 0 - Easy Registration (pre-KYC)

Collection: e-mail/phone, country, date of birth.
Threshold limits: minimal deposits/bets, no withdrawals.
Automatic sanctions screening on basic data (coarse filtering).

Tier 1 - Basic identification

Documents: one photo ID (passport/ID card/driver's license).
Controls: liveness + face-match, MRZ/hologram verification (if supported by the provider).
Limits are raised but withdrawal is limited (e.g. to X per day/week).

Tier 2 - Address/Age and Risk Markets

Documents: Proof of Address (PoA) - utility bill/bank statement ≤ 3 months, or eIDAS/BankID, where available.
Additional: source of funds (SoF) for large deposits/high turnover.
Access to increased limits, fast withdrawals.

Tier 3 - Enhanced Due Diligence (EDD)

Documents: SoF/SoW (statements, salary/tax documents, contracts), additional biometrics/video call.
Reasons: PEP matches, high sums, atypical geo/behavior, complex deposit→withdrawal patterns.
Manual approval with dual control.

Upgrade triggers: deposit/withdrawal amount, total turnover over 30/90 days, matches against sanctions/PEP/adverse media, geo/entry into "gray" zones, velocity anomalies, request for a large withdrawal, chargeback history.

3) List of documents and quality requirements

ID:
  • Passport, national ID, driver's license (depending on the country).
  • Clear photo/scan, entire document, no glare.
  • Checks: number validity, expiration date, MRZ/barcodes, manipulation control (cropping/Photoshop).
Address Confirmation (PoA):
  • Utility bill, bank statement, tax letter, registration at the place of residence.
  • Must contain full name, address, date (≤ 90 days), source.
Source of Funds (SoF)/Source of Wealth (SoW):
  • Account/salary statements, contracts, asset sale documents, dividends.
  • Full name/address must match the account; amounts must be logically consistent with behavior in the product.
Biometrics and liveness:
  • Active/passive liveness check, comparison with the document (face-match).
  • Protection against replay, print and 3D-mask attacks.

4) Sanctions, PEP, adverse media

Sanctions lists: OFAC/EU/UK/UN + local; update daily/hourly.
PEP: persons who hold or have held significant government positions, and their relatives/related persons.
Adverse Media: negative publications (fraud, laundering, corruption).
Algorithm: fuzzy-matching with thresholds, manual verification of matches, documenting decisions.
Policy: sanctions - stop, PEP - EDD + limits, adverse media - case-by-case (EDD).
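
A minimal sketch of the screening step described above, as an added example that is not code from the original page. The watchlist rows, the 0.85 threshold and the action names are assumptions made for illustration; difflib stands in for whatever matcher a screening provider actually uses.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist rows (not real list data): (list type, listed name)
WATCHLIST = [
    ("sanctions", "Petrov, Alexander"),
    ("pep", "José Álvarez Ruiz"),
    ("adverse_media", "Maria Lindqvist"),
]
# Policy from the section: sanctions - stop, PEP - EDD + limits, adverse media - EDD
POLICY = {"sanctions": "REJECT_AND_FREEZE", "pep": "EDD_WITH_LIMITS",
          "adverse_media": "EDD_CASE_BY_CASE"}
REVIEW_THRESHOLD = 0.85  # assumed value; tune per list and market


def normalize(name: str) -> str:
    """Strip diacritics and punctuation, casefold, sort tokens (word order varies by list)."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in base.casefold())
    return " ".join(sorted(cleaned.split()))


def screen(full_name: str, threshold: float = REVIEW_THRESHOLD) -> list:
    """Return candidate matches at or above the threshold, strongest first.

    A hit is only a candidate: it is queued for manual verification, and the
    proposed action applies once an analyst confirms it.
    """
    probe = normalize(full_name)
    hits = []
    for list_type, listed in WATCHLIST:
        score = SequenceMatcher(None, probe, normalize(listed)).ratio()
        if score >= threshold:
            hits.append({"list": list_type, "listed_name": listed,
                         "score": round(score, 3),
                         "proposed_action": POLICY[list_type],
                         "status": "MANUAL_VERIFICATION"})
    return sorted(hits, key=lambda h: h["score"], reverse=True)
```

Normalizing before scoring is what catches transliteration and word-order variants ("Aleksandr Petrov" against "Petrov, Alexander"); the stored score and status give the reviewer's decision something to be documented against.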

5) KYC Orchestrator: How to Connect Providers and Processes

KYC Orchestrator is a layer that:
  • manages providers (doc-scan/biometry/sanctions/PEP/AML),
  • stores the state of the application (state machine),
  • triggers upgrades/re-verification on events (amounts, geo, risk),
  • provides idempotency and audit (who checked what and when),
  • aggregates the decision: Approve/Reject/EDD/Manual Review.
Recommended:
  • 2+ providers for key markets (cross-check/failover).
  • Local eID/BankID where available (Nordics, Baltics, etc.).
  • Data segmentation: documents are stored in encrypted storage with KMS/HSM.

6) SLA: Target Times and Priorities

Onboarding (initial check):
  • Tier 1 (auto): ≤ 90 sec p95.
  • Tier 2 (auto PoA): ≤ 5 min p95.
  • Tier 2 (manual PoA): ≤ 2 hours p95 (working hours).
  • Tier 3/EDD (manual): ≤ 24-48 hours (high-rollers/leads prioritized).
Withdrawal:
  • Auto-payout after successful Tier 1/2: ≤ 15 min p95.
  • If re-verification/EDD is required: pause ≤ 24 hours with transparent communication.
Reverification:
  • After the expiration of documents/change of full name/address/geo or reaching the threshold - ≤ 24 hours.
Sanctions/PEP re-screening:
  • Regularly (daily) + for each large payment/withdrawal - on-demand ≤ 60 sec.

7) Decision matrix

| Situation | Action | Note |
|---|---|---|
| ID valid + liveness passed | Approve Tier 1 | Starting limits |
| ID valid, liveness fail | Retry/other channel → Reject at 3x fail | Exception: bad camera → video KYC |
| PoA is valid | Upgrade to Tier 2 | Raise limits/allow fast withdrawals |
| PoA mismatch | Manual Review | Check transliteration/formats |
| Sanctions match | Reject & Freeze | Compliance escalation |
| PEP/adverse media | EDD | Limits + manual approval |
| SoF confirmed | Approve Tier 3 | Open high limits |
| SoF weak/unconnected | Additional request/Reject | Request alternatives |
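
The orchestrator duties from section 5 (decision aggregation, idempotency, audit) applied to this matrix, as an added sketch that is not the page's or any provider's code. The signal keys, decision names and the in-memory stores are assumptions; a production orchestrator would persist both stores.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_LIVENESS_FAILS = 3  # "Reject at 3x fail" in the matrix


def decide(sig: dict) -> str:
    """Aggregate provider signals into one decision; the strictest rule wins."""
    if sig.get("sanctions_hit"):
        return "REJECT_AND_FREEZE"
    if sig.get("pep_hit") or sig.get("adverse_media_hit"):
        return "EDD"
    if not sig.get("id_valid"):
        return "MANUAL_REVIEW"  # assumption: the matrix has no row for an invalid ID
    if not sig.get("liveness_passed"):
        failed = sig.get("liveness_fails", 0) >= MAX_LIVENESS_FAILS
        return "REJECT" if failed else "RETRY_LIVENESS"
    if sig.get("poa") == "mismatch":
        return "MANUAL_REVIEW"
    if sig.get("sof") == "weak":
        return "REQUEST_MORE_SOF"
    if sig.get("sof") == "confirmed":
        return "APPROVE_TIER3"
    return "APPROVE_TIER2" if sig.get("poa") == "valid" else "APPROVE_TIER1"


@dataclass
class Orchestrator:
    results: dict = field(default_factory=dict)  # idempotency key -> stored decision
    audit: list = field(default_factory=list)    # append-only: who decided what and when

    def handle(self, event_id: str, applicant: str, actor: str, sig: dict) -> str:
        """Process a verification event once; a replay returns the stored decision."""
        key = (applicant, event_id)
        if key in self.results:
            return self.results[key]  # a retry or replay cannot change the outcome
        decision = decide(sig)
        self.results[key] = decision
        self.audit.append({"applicant": applicant, "event": event_id, "actor": actor,
                           "decision": decision,
                           "at": datetime.now(timezone.utc).isoformat()})
        return decision
```

Checking sanctions and PEP first means a later "SoF confirmed" signal can never mask a hit, and keying on the event id means a resubmitted callback with altered signals cannot overwrite a freeze.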

8) UX and transparency (without hurting conversion)

Show the document checklist and status in steps.
Mobile upload support, auto-crop/glare detection.
Localization of prompts, valid PoA formats by country.

Transparent deadlines: SLA timer and "what's next."

Alternative channels: video verification in case of repeated liveness failures.

9) Reverification and life cycle

Document expiration dates - T-30/T-7 reminders

Change in risk (geo/behavior) → targeted re-verification of specific fields.
Change of address/name → PoA/ID update.
Dormant accounts → re-KYC before major activity.

10) Data, storage and privacy

Minimization: keep only the required fields; documents in encrypted blob storage.
Access: RBAC, mTLS, temporary tokens, auditing requests.
Retention: store as required by regulation (often 5 years after the last transaction), then delete/anonymize.
GDPR/DSR: access/rectification/deletion processes; decision logs are depersonalized.

11) Monitoring and metrics

Quality/speed

KYC pass rate (Tier1/Tier2/Tier3), auto-approval share.
Onboarding time p50/p95, share of manual cases.
Drop-off by step (ID, liveness, PoA, SoF).

Risk/compliance

Share of sanctions/PEP matches, EDD cases.
Chargeback rate before/after KYC, fraud incidents by segment.
Errors/false matches in sanctions/PEP.

Operations

SLA hit rate (for onboarding/withdrawals/EDD).
Repeated requests for documents (%), reasons for rejection.
KYC cost per user (including manual labor).

12) Integration with payments and anti-fraud

KYC signals → transaction scoring (3DS/TRA threshold up/down).
On velocity/fraud flags, trigger EDD/SoF before withdrawal.
BIN/geo policies: for "heavy" issuers, require Tier 2 earlier.

13) Provider selection and double-sourcing

Criteria: document coverage, accuracy of liveness/biometrics, speed, SDK quality, price, privacy, "privacy by design."

Failover to the second provider on degradation/regional failures.
Contract SLA and AoC (attestation of compliance), DPIA/data processing.

14) Anti-patterns

Universal "hard" KYC for all countries/risks → decline in conversion.
Manual checks where 95% of cases can be handled automatically → bottlenecks.
No re-verification or document expiry tracking → increased risk on withdrawals.
Storing excess PII without a purpose or retention policy → GDPR risk.
Ignoring SoF for high-rollers → AML/sanctions risk.

15) Implementation checklist (short)

  • Tiers, limits, and upgrade triggers are defined.
  • KYC Orchestrator connected, 2+ providers in key markets.
  • Liveness/face-match and MRZ/anti-tamper checks enabled.
  • Sanctions/PEP/adverse media - daily re-screen + on-demand.
  • SLAs for onboarding/withdrawals/EDD, alerts at T-3/T-1.
  • SoF/SoW procedures for large amounts and EDD.
  • Encryption, RBAC, retention, DPIA/GDPR framework.
  • UX wizard with hints and local PoA requirements.
  • Metrics and dashboards (pass rate, SLA, drop-off, cost/KYC).
  • Escalation and rejection playbooks (letter templates, decision logging).

16) Summary

Effective KYC in iGaming is provider orchestration, risk-based tiers, fast auto-approval of simple cases and strict EDD where there is risk. Clear SLAs, transparent UX, data minimization and protection, regular re-screening and integration with anti-fraud make withdrawals fast, compliance stable, and monetization predictable.
