GambleHub

UI for Compliance and Control

1) Why it is needed

Compliance UI is not a brake on the product but a framework of trust. It reduces legal risk, speeds up inspections and makes decisions explainable. Key objectives:
  • Transparency: it is clear who requests or decides what, and why.
  • Traceability: any step can be replayed from the log.
  • Predictability: the rules are clear in advance, the outcomes are understandable.
  • Humanity: tone without stigma, especially in sensitive scenarios.

2) Compliance areas in iGaming and their UX patterns

1. KYC/KYB - Identity/Business Verification

Patterns: step-by-step wizard, document checklist, ETA, preview and photo tips, re-upload, status "under review."

2. AML/Sanctions/PEP - Transaction and Person Monitoring

Patterns: risk score with explainability, match card, escalation and second opinion, SAR/STR drafts.

3. Responsible play - limits and self-exclusion

Patterns: easy limit setting, visual progress, neutral tone, cooling periods.

4. Privacy and Consent - GDPR/CCPA, etc.

Patterns: consent center, data export/deletion, access logs, minimization.

5. Security and Access - RBAC/SoD/2FA

Patterns: role matrix, elevation request, double control, confirmation of sensitive operations.

6. Incidents and Audits - Monitoring and Post Mortem

Patterns: incident card, timeline, associated communication (banner/letter), prevention measures.

3) Information architecture (skeleton of the Compliance section)

Dashboard: KYC/AML statuses, queues, alerts, KPI (SLA, TtV - time-to-verify).
Checks: KYC/KYB, sanctions/PEP, sources of funds (SoF), transaction monitoring.
Rules and policies: scenario builder, versions, publications.
Logs and reports: actions, accesses, data export, SAR/STR.
Settings: roles/rights, provider integrations, notification templates.

4) KYC screen: checklist + wizard pattern

Composition: progress (steps), list of required documents, photo quality tips, preview, status, ETA, communication channel.

Microcopy:
  • "This will take ~2 minutes. Prepare a document and a well-lit area"
  • "The photo should have no glare, with corners and text visible. Retake if necessary"
  • A11y: explicit labels, spoken instructions, `aria-live="polite"` for statuses, focus moves to the first error.

5) AML/sanctions: risk, overlap and explainability

Show the risk score as a scale plus the factors that influenced it:
  • Sources of risk: geo, devices, behavior, sanctions/PEP lists, transaction patterns.
  • Match card: photo/name/date of birth/list source/threshold. Buttons: "Escalate," "Exclude (justify)," "Link to profile."
  • Explainability: "Risk increased by (1) 87% name match, (2) uncharacteristic withdrawal volume, (3) new device with no history."
  • Actions with double control (four-eyes): blocking, final rejection, limit change.

6) Responsible play: neutral tone and quick action

Components: LimitsControl, Self-Exclusion, SessionTimer, RiskAlert.

Principles:
  • Neutral, respectful tone without pressure.
  • Setting limits in 2-3 steps, confirmation and visible progress.
  • An explanation of "why we are asking" in an adjacent block.
  • Microcopy: "You can set a daily deposit limit. This will help you control spending"

7) Privacy and consent

Consent Center: list of processing purposes (analytics, marketing, personalization), toggles, consent date, "learn more."

Data subject rights: download the archive, request deletion, view the access log.
Minimization: show which fields are optional and why mandatory fields are needed.

Microcopy: "We request access to the camera only for a photo of the document. Snapshots are encrypted and stored for a limited time"

8) Roles, rights and double control

RBAC-matrix: roles against actions (view/edit/approve/export).
SoD: one employee cannot both create and approve a payment/report.
Privilege elevation: "Request one-time access" → reason → time limit → automatic revocation.
2FA and confirmations: for sensitive operations, require re-login or a signature.
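
The SoD, one-time elevation and dual-control rules above, sketched as a server-side check behind the UI (an added example, not code from the original page; the role names, the `AccessControl` class and its methods are hypothetical):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role matrix: role -> allowed actions (view/edit/approve/export).
ROLE_MATRIX = {
    "analyst": {"view", "edit"},
    "officer": {"view", "edit", "approve"},
    "auditor": {"view", "export"},
}

@dataclass
class Grant:
    """One-time elevated access: the reason is mandatory, the expiry is enforced."""
    user: str
    action: str
    reason: str
    expires_at: datetime

@dataclass
class Case:
    """A payment/report that needs approval under dual control."""
    created_by: str
    approvals: set = field(default_factory=set)

class AccessControl:
    def __init__(self, roles):
        self.roles = roles   # user -> role
        self.grants = []     # one-time grants, kept after expiry for the audit log

    def elevate(self, user, action, reason, minutes, now):
        if not reason.strip():
            raise ValueError("elevation requires a reason")
        self.grants.append(Grant(user, action, reason, now + timedelta(minutes=minutes)))

    def allowed(self, user, action, now):
        if action in ROLE_MATRIX.get(self.roles.get(user), set()):
            return True
        # Automatic revocation: an expired grant simply stops matching.
        return any(g.user == user and g.action == action and now < g.expires_at
                   for g in self.grants)

    def approve(self, case, user, now, required=2):
        """Record an approval; True once `required` distinct users have approved."""
        if not self.allowed(user, "approve", now):
            raise PermissionError(f"{user} may not approve")
        if user == case.created_by:
            raise PermissionError("SoD: the creator cannot approve their own case")
        case.approvals.add(user)   # a set, so a repeated click does not count twice
        return len(case.approvals) >= required
```

The UI should mirror these checks (disabled buttons, a visible reason field), but the decision has to be enforced on the server.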

9) Alerts, statuses and prioritization

Single scale: info → notice → warning → error → critical.

Critical: global banner + log entry + owner notification.
Noise control: grouping of events of the same type, frequency limits, "do not disturb" mode.
KYC/AML statuses: `none | pending | additional info | approved | rejected | expired`.

10) Rule Builder and Versioning

UI model: "if... then... else..." with a library of conditions (geo, limit, behavior, source of funds).
Simulator: run on historical data, expected trigger rate, FPR/TPR.
Versions and publications: draft → review → release; change log; version rollback.

Tagging: "beta," "regions," "channels."
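
An added example (not from the original page) of what the simulator computes: a draft rule version is replayed over labelled historical cases and compared with the released version on trigger rate, TPR and FPR. The `Rule` structure, the field names and the history records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """'if <all conditions> then <action> else pass', pinned to a version."""
    version: str
    conditions: tuple        # of (field, op, value)
    action: str = "escalate"

OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

def fires(rule, case):
    return all(OPS[op](case[name], value) for name, op, value in rule.conditions)

def simulate(rule, history):
    """Replay a rule over labelled historical cases and return its metrics."""
    tp = fp = fn = tn = 0
    for case in history:
        hit, bad = fires(rule, case), case["confirmed"]
        tp += hit and bad
        fp += hit and not bad
        fn += (not hit) and bad
        tn += (not hit) and not bad
    return {
        "version": rule.version,
        "trigger_rate": (tp + fp) / (len(history) or 1),
        "tpr": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
    }

# Constructed history: 'confirmed' is the analyst's final verdict on the case.
HISTORY = [
    {"withdrawal": 900,  "new_device": True,  "confirmed": True},
    {"withdrawal": 200,  "new_device": False, "confirmed": False},
    {"withdrawal": 1500, "new_device": True,  "confirmed": True},
    {"withdrawal": 1200, "new_device": False, "confirmed": False},
    {"withdrawal": 50,   "new_device": True,  "confirmed": False},
    {"withdrawal": 700,  "new_device": True,  "confirmed": True},
]

RELEASE = Rule("v1", (("withdrawal", ">", 1000),))
DRAFT = Rule("v2-draft", (("withdrawal", ">", 500), ("new_device", "==", True)))

if __name__ == "__main__":
    for rule in (RELEASE, DRAFT):
        print(simulate(rule, HISTORY))
```

Showing both rows side by side in the review step lets the approver see the effect of an edit before it is released.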

11) Activity logs and audit trails

Single event card: who + when + what + why (link to rule/policy), old/new value, source of request (UI/API).
Filters: by user/action/object/result.
Export/subscriptions: schedule and format (CSV/JSON).
Immutability: read-only markers, integrity checks.
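
One way to implement the integrity check behind a read-only audit table is a hash chain over event cards (an added example, not the page's own code; the field names follow the event card above, while the rule id and values are constructed). The head hash has to be stored outside the log, otherwise someone with write access can rebuild the whole chain.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed anchor for the first record

def record_hash(prev_hash, event):
    # Canonical JSON so the same event always produces the same hash.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_event(log, who, when, what, why, old, new, source):
    """Append one event card; each record commits to the previous record's hash."""
    event = {"who": who, "when": when, "what": what, "why": why,
             "old": old, "new": new, "source": source}
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev_hash,
                "hash": record_hash(prev_hash, event)})
    return log[-1]["hash"]   # new head, to be stored outside the log

def verify(log, expected_head=None):
    """Return the index of the first bad record, or -1 if the chain is intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        expected = record_hash(prev_hash, rec["event"])
        if rec["prev"] != prev_hash or not hmac.compare_digest(rec["hash"], expected):
            return i
        prev_hash = rec["hash"]
    # Truncation or a full rewrite is only visible against the external head.
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return -1

if __name__ == "__main__":
    log = []
    append_event(log, "ann", "2024-01-01T12:00:00Z", "limit.change",
                 "rule:EXAMPLE-1", 1000, 500, "UI")
    head = append_event(log, "bob", "2024-01-01T12:05:00Z", "limit.approve",
                        "rule:EXAMPLE-1", "pending", "approved", "API")
    print(verify(log, head))            # intact chain
    log[0]["event"]["new"] = 5000       # simulated edit of a stored record
    print(verify(log, head))            # index of the altered record
```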

12) Incidents and communication with users

Incident Screen: Description, Impact, Affected Providers/Methods, ETA, Owner, Timeline, Associated Tickets, Post Mortem Notes.
Communication: banner in the product (with segmentation), e-mail/push, status page.

Microcopy: "Payment provider X is unstable. Some users may see funds credited with a delay of up to 30 minutes. We are working on a fix"

13) Explainable UI

For each automatic outcome - visible factors and "how to challenge."

In case of refusal: explain as much as policy allows (without disclosing anti-fraud details).

Refusal pattern:
  • "Your withdrawal has been temporarily suspended due to a document mismatch. Please upload additional proof of address. This is required by anti-money-laundering law"

14) Compliance Design System

Add/refine components:
  • KYCChecklist, DocumentUpload, LivenessHint, RiskBadge, RiskFactors, CaseTimeline, ConsentCenter, LimitSetter, AuditTable, IncidentBanner, DualApprovalModal.
  • Status and priority tokens, microcopy templates for failures, data requests and notifications.

15) Accessibility (A11y) and localization

Full keyboard navigation, focus rings, AA contrast.
`aria-live="assertive"` for critical warnings, `polite` for informational ones.
Languages with long strings (DE/TR), date/currency formats, RTL, legal accuracy of terms.
Log tables with `th`/`scope`, readable headers.

16) Security in the UI

Sensitive data is masked by default; "show" is an explicit action.
Session timeouts, re-login confirmation at critical steps.
History of logins/devices, notifications of new logins.
Clear permission texts (camera/geo/files) and reasons.

17) Performance and reliability

Virtualize long logs, save filters to URL.
Skeletons instead of spinners; retries with clearly communicated pauses.
Degradation of functions with an explanation ("part of the data sources is not available").
Autosave SAR/STR drafts and policies.

18) Quality metrics (minimum)

TtV (time-to-verify) median/p95.
KYC/AML queues (task age, backlog).
Share of auto-approvals and of appeals/escalations.
FPR/TPR of rules, revalidation after edits.
Time-to-Resolve for incidents, SLA compliance.
Form errors/document upload failures.
CSAT on failures/verification (tone and clarity of explanations).

19) Checklists

KYC screen before release

  • Progress/ETA, clear photo/file requirements.
  • Inline validation, focus on first error, `aria-*` attributes correct.
  • File re-upload and preview, draft auto-save.
  • Neutral tone, localization, mobile restrictions are taken into account.

AML/Sanctions

  • Risk score with visible factors and sources.
  • Match card: actions, escalation, log.
  • Dual control for high-risk operations.
  • Rule simulator and versioning.

Logs/Audit

  • Filters, export matches what is on screen, record immutability.
  • The event timeline is clear, with links to primary sources.

20) Anti-patterns

Placeholder instead of label in KYC forms.

"Error 400/failure" without explaining "what next."

Color as the only risk/status signal.
Mixing roles and actions (no SoD).
There is no rule versioning and no migrations.
Disabling zoom on mobile (document details become invisible).
Promising "instant" where there are ETAs and checks.

21) Microcopy templates

Document request

"We need a document confirming the address (utility bill no older than 3 months). Format: JPG/PNG/PDF up to 10MB"

Intermediate status

"Documents received. Verification will take up to 15 minutes. We will notify you of the outcome"

Failure (neutral)

"We could not confirm the data. Please upload a clearer photo - corners and text are visible"

AML match (for operator)

"Match by name (87%) with EU Sanctions list. A second opinion is required"

Limits

"Set a weekly deposit limit of 1,000 UAH. You can change it at any time"

22) Key screen layouts (frames)

A. Compliance dashboard

KPI (TtV, auto-approval share, queue) → alerts → case queue → quick actions.

B. KYC Case Card

Status/rate/sources → documents (previews) → decision checklist (approve/hold/reject) → log.

C. AML match

Match details → risk factors → escalation/exclusion → SAR draft → double confirmation.

D. Consent Center

List of purposes, toggles, clarifications, consent date, export/deletion, access log.

23) Implementation process (step by step)

1. Audit scenarios: KYC/AML/limits/consent/logs.
2. MVP components: KYCChecklist, DocumentUpload, RiskBadge, ConsentCenter, AuditTable.
3. Policies/rules: builder + versions + simulator.
4. Logs/reports: single format, export, subscriptions.
5. A11y/i18n: checklists, autotests, manual runs.
6. Metrics and experiments: baseline, TtV/FPR goals, quarterly reviews.

Final cheat sheet

Transparency, explainability, predictability: the three pillars of compliance in UI.
Roles, dual controls, and logs - basic security.
Neutral tone and accessibility - respect for the user and legal stability.
Rule versions + simulator - managed changes without surprises.
Measure TtV, FPR/TPR, queues, Time-to-Resolve - and improve the cycle.

If needed, I can prepare screen frames for your processes (KYC/AML/limits/consent), texts and i18n keys, as well as checklists for release verification.
