Written by: Luke Sobieraj, Founder & COO, Digital Colliers
If you run compliance or data at a UK-licensed operator, you already know the number. Roughly one in four operators fails to hit a satisfactory AML rating on first assessment. That's not a compliance culture problem. That's a data problem wearing a compliance costume.
The data you need to pass is almost always already in your systems. It's just spread across four stores that were never designed to talk to each other, and nobody's built the pipe.
The four data stores nobody joined up
Every operator I've seen has the same rough shape. Player and KYC data lives in one place. Wallet, deposit, and withdrawal data lives in another. Game and session data lives with the platform provider or a warehouse copy of it. And the interaction data, the RCI stuff, lives in a CRM or a customer service tool.
For AML you need all four, joined by player, aligned on time, and queryable in minutes not days. Most operators can get any two of these joined cleanly. Three is a stretch. All four, on demand, with the affordability signals layered on top? That's the engineering job most teams haven't finished.
When the Commission asks how you spotted a customer breaching affordability, the answer has to be a query, not a story.
The affordability example that breaks most stacks
UK affordability checks trigger at £150 net deposits per rolling 30 days. Sounds simple. It isn't.
Net deposits means deposits minus withdrawals. Rolling 30 days means you can't just run it on calendar months. Per player means you need identity resolution that handles duplicate accounts, shared payment methods, and the messy edges. And you need to know not just that the threshold was crossed, but when, and what interaction happened next.
If your team is writing that SQL by hand every time the regulator asks, you've already lost. The passing operators built this once, as a pipeline, with the threshold logic in code and the interaction trigger wired into the CRM. The RCI guidance has been in force since 31 August 2022 and got expanded in 2024. There's been time to build it. Most haven't.
The SQL-under-time-pressure trap
Here's the pattern I keep seeing on failing assessments. The Commission asks for evidence. A senior analyst opens a notebook. They write a query joining wallet to KYC to sessions. They eyeball the results. They write it up.
That query has never been code-reviewed. It's never been tested against known cases. It gets rewritten slightly differently every time someone asks. And the evidence pack that lands on the regulator's desk is the output of ad-hoc SQL that nobody can reproduce a month later.
That's not compliance failure. That's a team doing engineering work without engineering practices. Version control, tests, a single source of truth for what "affordability breach" actually means in your data model. The operators passing on first attempt have that. The operators failing don't.
What the passing operators built
Look at anyone who's cleared their AML rating cleanly and you'll find some version of the same stack underneath.
- A player-360 layer that joins KYC, wallet, gameplay, and interactions on a stable player key.
- Threshold logic (affordability, velocity, source-of-funds triggers) defined once in code, not re-derived per query.
- An interaction log that ties every RCI touchpoint back to the risk signal that caused it.
- Evidence generation that runs on a schedule, not on a fire drill.
None of this is exotic. It's the same warehouse-plus-transformation pattern that any decent data team ships for revenue reporting. The difference is that most operators built it for revenue and never built it for risk. Kindred publicly reported £14M in compliance-team cost in 2023, and a lot of that spend across the industry is people doing work that a pipeline should be doing.
Compliance rating is a lagging indicator
This is the part that matters. Your AML rating tells you what your data infrastructure looked like six to twelve months ago. By the time you fail, the fix is a year of engineering work you didn't start.
And the downside is not theoretical. UK penalties for the most serious AML breaches reach up to 15% of gross gaming yield. That's a number that pays for a lot of pipeline work.
If your team is running SQL by hand for the audit, the rating you get next isn't really about compliance effort. It's about whether you treated the data problem as engineering, or as paperwork.

