
AML Compliance for Crypto and Gaming Firms: What Regulators Actually Audit


Having an AML policy is the easy part. Having one that survives a regulatory inspection is entirely different. Most firms that lose licenses do not fail because they lacked documentation. They fail because their documentation described a compliance program that did not actually function.

Regulators across the EU, UK, Malta, and Singapore have sharpened their AML audit practices for crypto exchanges (VASPs and CASPs under MiCA) and gaming operators over the past two years. The enforcement patterns reveal consistent themes: inspectors are not reading your policy manual to admire the prose. They are testing whether the program works in practice, and the gap between paper compliance and operational compliance is where licenses get suspended.

The policy-versus-practice gap

Every licensed firm has an AML policy. Regulators know this. The first thing an inspection team does is test whether staff actually follow it.

A typical inspection starts with a sample of customer files. The inspector pulls 20 to 50 accounts at random (and sometimes not at random, choosing accounts that look interesting based on transaction patterns). For each file, they check:

  • Was customer due diligence (CDD) completed before the account was activated, or was it backdated?
  • Does the source-of-funds documentation actually explain where the money came from, or is it a generic declaration?
  • Were risk ratings assigned correctly according to the firm's own risk matrix?
  • When enhanced due diligence (EDD) was triggered, was it meaningfully enhanced, or was it the same CDD with an extra checkbox?

The most common finding across jurisdictions: firms apply EDD inconsistently. The policy says high-risk customers get enhanced review. In practice, the compliance team treats EDD as a formality, collecting one additional document and calling it done. The FCA's AML guidance has flagged this pattern repeatedly in enforcement notices.

Transaction monitoring: the technical audit

Transaction monitoring is where most crypto and gaming firms stumble hardest. Regulators want to see three things:

Calibrated rules, not defaults. If you are running a commercial transaction monitoring system (Chainalysis, Elliptic, ComplyAdvantage, or similar), regulators will ask how you calibrated the alert thresholds. Using vendor defaults is a red flag. Your thresholds should reflect your customer base, product mix, and risk appetite. A crypto exchange handling mostly retail EUR trades needs different thresholds than one processing institutional OTC volume. Regulators know the difference.

Alert handling with documented reasoning. Generating alerts is meaningless if they are mass-dismissed. Inspectors will pull a sample of closed alerts and review the disposition notes. "Reviewed and cleared" with no further explanation is insufficient. They want to see the analyst's reasoning: what was reviewed, what sources were checked, why the conclusion was reached. Malta's MGA has suspended gaming licenses specifically over inadequate alert disposition documentation.

Tuning and feedback loops. Does the firm review false positive rates? Are monitoring rules updated when new products launch or customer demographics shift? A system that has not been tuned since implementation suggests nobody is actually managing it. Singapore's MAS explicitly asks about monitoring system governance during inspections, including who owns the rule set and how often it is reviewed.

What triggers enhanced due diligence

Regulators test whether firms correctly identify EDD triggers. The common ones are well-known: politically exposed persons (PEPs), high-risk jurisdictions, unusual transaction patterns. But inspectors also look for less obvious triggers that firms frequently miss:

  • Customers who deposit just below reporting thresholds (structuring indicators)
  • Gaming accounts with high deposit volumes but minimal play (potential layering)
  • Crypto wallets with connections to mixing services or darknet markets
  • Corporate customers with complex ownership structures that obscure beneficial ownership
  • Customers who change personal information (address, nationality) shortly after onboarding

The EU's MiCA framework, now administered through national competent authorities, has introduced additional EDD triggers specific to crypto, including transactions involving privacy coins, unhosted wallet transfers above EUR 1,000, and cross-chain bridge activity. Firms licensed under MiCA should have updated their EDD triggers accordingly. Many have not yet done so.
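The monitoring and EDD-trigger logic discussed above, as an added Python example (not StateBay's code and not any vendor's product): thresholds are set explicitly in a firm-specific configuration rather than left at vendor defaults, the structuring and deposit-without-play indicators from the trigger list are implemented as rules over a constructed set of sample transactions, the EUR 1,000 unhosted-wallet figure from the MiCA paragraph is used as a trigger, an alert cannot be closed with a bare "Reviewed and cleared", and a false-positive rate is computed for the tuning review inspectors ask about. All threshold values other than the EUR 1,000 figure, the rule names, the boilerplate list and the sample transactions are assumptions made for this example.

```python
"""Minimal transaction-monitoring rule set with documented alert disposition.
Added illustration; thresholds (except the MiCA EUR 1,000 figure), rule names
and sample data are constructed assumptions, not any regulator's or vendor's values."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Firm-specific calibration (assumed), to be justified to an inspector, not vendor defaults.
THRESHOLDS = {
    "reporting_threshold_eur": 10_000,  # assumed reporting threshold for deposits
    "structuring_band": 0.10,           # deposits within 10% below the threshold count
    "structuring_window_days": 7,
    "structuring_min_count": 3,
    "unhosted_wallet_eur": 1_000,       # MiCA unhosted-wallet trigger cited in the text
    "deposit_to_wager_ratio": 5.0,      # gaming: deposits > 5x wagering => layering indicator
    "min_deposit_eur_for_ratio": 5_000, # ignore tiny accounts for the ratio rule
}

@dataclass
class Txn:
    customer: str
    ts: datetime
    kind: str                         # "deposit", "wager", "withdrawal", "crypto_out"
    amount_eur: float
    counterparty_hosted: Optional[bool] = None  # crypto_out only: False = unhosted wallet

@dataclass
class Alert:
    customer: str
    rule: str
    detail: str
    disposition: Optional[str] = None
    rationale: Optional[str] = None

def rule_structuring(txns: List[Txn], cfg: dict) -> List[Alert]:
    """Repeated deposits just below the reporting threshold inside a rolling window."""
    th = cfg["reporting_threshold_eur"]
    lo = th * (1 - cfg["structuring_band"])
    window = timedelta(days=cfg["structuring_window_days"])
    by_cust = defaultdict(list)
    for t in txns:
        if t.kind == "deposit" and lo <= t.amount_eur < th:
            by_cust[t.customer].append(t.ts)
    alerts = []
    for cust, stamps in by_cust.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            hits = [s for s in stamps[i:] if s - start <= window]
            if len(hits) >= cfg["structuring_min_count"]:
                alerts.append(Alert(cust, "structuring",
                    f"{len(hits)} deposits between {lo:.0f} and {th} EUR within {window.days} days"))
                break
    return alerts

def rule_deposit_without_play(txns: List[Txn], cfg: dict) -> List[Alert]:
    """Gaming accounts funded far beyond what is actually wagered (layering indicator)."""
    dep, wag = defaultdict(float), defaultdict(float)
    for t in txns:
        if t.kind == "deposit":
            dep[t.customer] += t.amount_eur
        elif t.kind == "wager":
            wag[t.customer] += t.amount_eur
    return [Alert(c, "deposit_without_play", f"deposits {d:.0f} EUR vs wagers {wag[c]:.0f} EUR")
            for c, d in dep.items()
            if d >= cfg["min_deposit_eur_for_ratio"] and d > cfg["deposit_to_wager_ratio"] * wag[c]]

def rule_unhosted_transfer(txns: List[Txn], cfg: dict) -> List[Alert]:
    """Outbound transfer to an unhosted wallet above the MiCA EDD figure."""
    return [Alert(t.customer, "unhosted_wallet_transfer", f"{t.amount_eur:.0f} EUR to unhosted wallet")
            for t in txns
            if t.kind == "crypto_out" and t.counterparty_hosted is False
            and t.amount_eur > cfg["unhosted_wallet_eur"]]

# Disposition notes an inspector would reject as undocumented (assumed list).
BOILERPLATE = {"reviewed and cleared", "cleared", "ok", "false positive", "no issue"}

def rationale_is_adequate(text: str) -> bool:
    """A rationale must say what was reviewed and why; boilerplate or a few words is not enough."""
    t = (text or "").strip()
    return t.lower() not in BOILERPLATE and len(t.split()) >= 8

def close_alert(alert: Alert, disposition: str, rationale: str) -> Alert:
    if not rationale_is_adequate(rationale):
        raise ValueError("disposition rationale must describe what was checked and why")
    alert.disposition, alert.rationale = disposition, rationale.strip()
    return alert

def false_positive_rate(alerts: List[Alert]) -> Optional[float]:
    """Share of closed alerts marked false positive; the tuning metric reviewed periodically."""
    closed = [a for a in alerts if a.disposition]
    return None if not closed else sum(a.disposition == "false_positive" for a in closed) / len(closed)

T0 = datetime(2025, 3, 1)
SAMPLE_TXNS = [  # constructed sample, not real customer data
    Txn("C1", T0, "deposit", 9_500),                          # C1: four sub-threshold deposits in 5 days
    Txn("C1", T0 + timedelta(days=1), "deposit", 9_200),
    Txn("C1", T0 + timedelta(days=3), "deposit", 9_800),
    Txn("C1", T0 + timedelta(days=5), "deposit", 9_400),
    Txn("C1", T0 + timedelta(days=5), "wager", 30_000),
    Txn("C2", T0, "deposit", 12_000),                         # C2: funded, barely played, cashed out
    Txn("C2", T0 + timedelta(days=2), "wager", 400),
    Txn("C2", T0 + timedelta(days=4), "withdrawal", 11_500),
    Txn("C3", T0, "deposit", 3_000),                          # C3: 3,000 EUR out to an unhosted wallet
    Txn("C3", T0 + timedelta(days=1), "crypto_out", 3_000, counterparty_hosted=False),
    Txn("C4", T0, "deposit", 200),                            # C4: ordinary retail, should stay quiet
    Txn("C4", T0 + timedelta(days=1), "wager", 150),
    Txn("C4", T0 + timedelta(days=2), "crypto_out", 500, counterparty_hosted=False),
]

def run_rules(txns: List[Txn] = SAMPLE_TXNS, cfg: dict = THRESHOLDS) -> List[Alert]:
    alerts = []
    for rule in (rule_structuring, rule_deposit_without_play, rule_unhosted_transfer):
        alerts.extend(rule(txns, cfg))
    return alerts

if __name__ == "__main__":
    for a in run_rules():
        print(a.customer, a.rule, a.detail)
```

Run against the sample, C1, C2 and C3 each raise one alert and C4 raises none; `close_alert` refuses the bare "Reviewed and cleared" note, and `false_positive_rate` gives the figure a monitoring-governance review would track over time.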

Suspicious activity reporting: quality over quantity

Filing suspicious activity reports (SARs) is a legal obligation. Not filing them is the fastest way to lose a license. But regulators have become equally concerned about the quality of reports filed.

Common SAR failures identified during audits:

  • Defensive filing: Submitting SARs on every mildly unusual transaction to avoid liability, without meaningful analysis. Financial intelligence units in the UK, Germany, and Singapore have all complained about being buried in low-quality defensive SARs that waste investigative resources.
  • Late filing: Most jurisdictions require SARs within specific timeframes (often 24 to 72 hours for terrorism-related suspicion, 30 days for other suspicious activity). Firms that consistently file late face enforcement action regardless of the filing's content.
  • Missing context: A SAR that says "unusual transaction pattern" without describing what made it unusual, what the customer's normal behavior looks like, and what steps the firm took to investigate is nearly useless to law enforcement.
  • Tipping off: Informing the customer that a SAR has been filed. This sounds obvious, but regulators have found cases where compliance teams inadvertently disclosed SAR filings through poorly worded account restriction notices.

The specific things that get licenses revoked

Reviewing enforcement actions from the FCA, MGA, MAS, and EU national authorities over the past 18 months, certain patterns emerge consistently:

Compliance officer in name only. The appointed MLRO (Money Laundering Reporting Officer) or compliance officer lacks the authority, resources, or time to actually perform the role. In several cases, the compliance officer was also the CEO, the head of sales, or had no AML training. Germany's BaFin revoked a crypto license in 2025 partly because the compliance officer had no relevant qualifications and had never completed AML training.

No ongoing monitoring. CDD was performed at onboarding but never updated. Customers whose risk profiles changed (new PEP status, sanctions listing, significant changes in transaction behavior) were never re-evaluated. This is a universal finding across jurisdictions.

Outsourced compliance without oversight. Firms outsource compliance functions to third parties but fail to supervise the provider. The firm remains legally responsible for compliance regardless of who performs it. Outsourcing the work does not outsource the liability.

Record keeping failures. Missing or incomplete records for customer identification, transaction history, or SAR filings. Most jurisdictions require records to be maintained for five to seven years. Firms that cannot produce records on request during an inspection face immediate enforcement action.

How different regulators approach inspections

EU under MiCA: National competent authorities conduct inspections following ESMA guidelines. The approach varies by member state, but the trend is toward unannounced inspections and thematic reviews (examining one area, such as transaction monitoring, across multiple firms). Lithuania's central bank has been particularly active with on-site inspections of crypto firms.

UK FCA: The FCA uses a risk-based supervisory model. Higher-risk firms get more frequent engagement. The FCA has also increased its use of skilled person reviews (Section 166 orders), where it appoints an independent reviewer at the firm's expense to evaluate compliance. These reviews are expensive (GBP 100,000 to 500,000+) and often precede enforcement action.

Malta MGA: Gaming operator inspections follow a published compliance calendar. The MGA reviews AML programs annually for most licensees, with targeted reviews for firms flagged through STR analysis or market intelligence. The MGA has become more aggressive since EU criticism of Malta's AML framework in 2022.

Singapore MAS: MAS conducts both scheduled and unannounced inspections. The authority has a reputation for thoroughness, often spending multiple weeks on-site for larger firms. MAS also uses mystery shopping and test transactions to evaluate compliance from the customer's perspective.

Practical steps that actually matter

Based on enforcement patterns, the firms that survive inspections well share common traits:

  • They test their own controls through internal audits before regulators do. An internal review that identifies and fixes gaps before an inspection demonstrates good faith.
  • They invest in compliance staff, not just compliance software. Technology helps, but regulators want to see trained humans making judgment calls.
  • They document everything, including the reasoning behind decisions to clear alerts, close investigations, or accept higher-risk customers.
  • They treat compliance as a board-level concern, not a back-office function. Regulators look at board minutes for evidence that AML risks are discussed at senior level.

The bottom line: regulators are no longer satisfied with policy documents. They want evidence that policies translate into operational reality. The firms that understand this distinction keep their licenses. The ones that do not learn the hard way.
