Why AML compliance is cheaper than the fine

Karol Sobieraj Jul 4, 2026 4 min read

Written by: Karol Sobieraj, Founder & CEO, Digital Colliers

If you run an iGaming operation in the UK, the math on AML compliance isn't complicated. It's just uncomfortable. The most serious AML breaches carry penalties of up to 15% of gross gaming yield. Take that number, apply it to your GGY, and compare it to what your compliance function actually costs. For almost every operator I've looked at, the fine is a multiple of the annual spend. Sometimes 5x. Sometimes 20x.

And yet the pattern in enforcement history is remarkably consistent. Operators underinvest, get hit, then spend the fine amount plus remediation plus reputational damage plus lost licences in specific markets. The cheapest moment to fix AML was always eighteen months ago. The second cheapest moment is now.

The actual math nobody wants to run

Kindred Group publicly reported around £14M in compliance-team costs in 2023. That's a top-tier operator running a mature function across multiple regulated markets. For a mid-market operator with £200M GGY, a serious AML breach at the top of the penalty band lands at £30M. That's more than double what one of the largest listed operators spends on its entire compliance apparatus in a year.

Run your own version of this. Take your GGY, multiply by 0.15, and compare to your compliance budget line. If the fine number is bigger, and it almost always is, you're implicitly betting that you won't get caught. That's a bet the Gambling Commission has been winning consistently.

Worth noting: roughly one in four UK-licensed operators fails to hit a satisfactory AML rating on first assessment. That's not a fringe outcome. That's the base rate.

Reactive costs more than the fine itself

When enforcement action hits, the fine is the headline number. The real cost sits underneath it.

  • Remediation work under regulator supervision, usually done by the most expensive consultancies at the worst possible moment
  • Section 116 review, licence conditions, personal management licence reviews for named individuals
  • Player refunds, sometimes going back years
  • Payment processor relationships that get renegotiated on worse terms
  • Marketing spend that gets paused while you sort out RCI and affordability posture
  • Board time, exec time, and legal time that comes out of the growth roadmap

Add it up and the reactive cost is often 2 to 3x the fine. Operators who've been through it will tell you the fine was the cheapest part.

What pre-emptive investment actually looks like

Pre-emptive doesn't mean gold-plated. It means you've built the boring infrastructure before you needed it. A few concrete patterns show up in the operators who don't get hit:

  1. Affordability triggers wired into the platform, not run manually. The £150 net deposit threshold per rolling 30 days isn't a suggestion. If your team is running SQL by hand every morning to spot who crossed it yesterday, you're already behind.
  2. Source-of-funds workflows that fire automatically at defined trigger points, with document capture, review queue, and audit trail in one system.
  3. RCI (Remote Customer Interaction) checks aligned to the 2022 guidance and its 2024 expansion. This is where a lot of operators are exposed right now because they built for the 2022 rules and never revisited.
  4. A single audit-ready view of every intervention, so when the regulator asks what you did about player X on date Y, someone can produce it in minutes rather than weeks.
  5. Model monitoring on any risk-scoring the platform does, so you can defend the logic when asked.
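As an added illustration of items 1 and 4 (not code from this post or from any operator's platform), the sketch below evaluates the rolling 30-day net deposit threshold on every incoming transaction and writes each trigger to an append-only trail that can be queried per player. It assumes net deposits means deposits minus withdrawals inside the window, that amounts are signed, and that transactions arrive in timestamp order; all class, field and rule names are hypothetical.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

THRESHOLD = Decimal("150")    # GBP figure quoted in the post
WINDOW = timedelta(days=30)   # rolling window quoted in the post

@dataclass(frozen=True)
class Txn:
    player_id: str
    ts: datetime
    amount: Decimal  # assumption: deposits positive, withdrawals negative

class AffordabilityMonitor:
    def __init__(self):
        self._window = defaultdict(deque)  # player -> transactions in window
        self._net = defaultdict(Decimal)   # player -> running net deposits
        self._flagged = set()              # players currently over threshold
        self.audit_log = []                # append-only trigger trail

    def ingest(self, txn):
        """Evaluate one transaction; return an audit record if it triggers."""
        q = self._window[txn.player_id]
        q.append(txn)
        self._net[txn.player_id] += txn.amount
        # Drop transactions that have aged out of the rolling window.
        while q and q[0].ts <= txn.ts - WINDOW:
            self._net[txn.player_id] -= q.popleft().amount
        net = self._net[txn.player_id]
        if net <= THRESHOLD:
            self._flagged.discard(txn.player_id)  # re-arm once back under
            return None
        if txn.player_id in self._flagged:
            return None  # trigger already recorded for this crossing
        self._flagged.add(txn.player_id)
        record = {"player_id": txn.player_id, "rule": "net_deposit_30d_gt_150",
                  "triggered_at": txn.ts.isoformat(), "net_30d": str(net)}
        self.audit_log.append(record)
        return record

    def interventions_for(self, player_id):
        """Answer 'what did you do about player X' from the trail."""
        return [r for r in self.audit_log if r["player_id"] == player_id]
```

The check runs only when a transaction arrives, so a production version would also re-evaluate when an old withdrawal ages out of the window.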

None of this is glamorous. All of it is cheaper than a fine.

Where operators still get it wrong

The pattern I keep seeing is investment in policy without investment in engineering. Compliance teams write good procedures. Then the platform can't actually execute them at scale, so the second line depends on manual review, spreadsheets, and heroics.

That gap between what the policy says and what the system does is exactly what enforcement finds. The Commission doesn't fine you for having a bad policy. They fine you for failing to apply it consistently across your player base.

Operators shipping this well in 2026 tend to treat AML as a data and engineering problem with a compliance owner, not a compliance problem with an engineering ticket. The budget line moves. The fine risk drops. And the compliance team stops being the department that says no and starts being the one that ships.

The fine is always more expensive than the fix. It's just that the fix requires you to write the cheque first.
