There is a particular kind of institutional complacency that only reveals itself after the fact. The gambling industry is, in my experience, rather skilled at it. We are excellent at reacting to regulations that have already been imposed on us, moderately good at lobbying against regulations that are transparently aimed at us, and certainly where the EU is concerned, poor at engaging with the legislative process at the point where our input would actually matter.
It may be that national industry organisations are loathe to cede some level of control to transnational ones, preferring to work with their own parliamentarians and regulators. EU institutions, however, prefer an industry to speak with one voice; a single voice carries considerably more weight.
I confess that I too have not followed this particular development, only having recently been alerted to it by a somewhat frustrated Hermann Pamminger, General Secretary of the European Casino Association, at an industry event.
For background, the AMLA, or to give it its full name, the Anti-Money Laundering and Countering the Financing of Terrorism Authority, became operational on 1 July 2025, headquartered in Frankfurt. It is the product of the EU’s sweeping AML reform package: a set of legislative instruments that replaces the old model of directives transposed inconsistently into 27 different national laws with a single, directly applicable, EU rulebook. Gambling operators are explicitly classified as high-risk obliged entities. The AMLA’s new full framework will apply from July 2027.
Before turning to what concerns me, I should acknowledge what is genuinely positive. I am not normally inclined to applaud everything that emerges from Brussels, but there is a real benefit here.
The gambling sector has spent two decades operating under the patchwork created by successive AML directives. Directives require member states to transpose them into national law and no two member states have ever done so in quite the same way. A licenced operator serving customers in Germany, the Netherlands, Spain, and Belgium has been navigating four materially different compliance regimes simultaneously: different suspicious transaction report formats, different record-keeping requirements and different enforcement approaches.
A single, directly applicable, EU rulebook is therefore welcome. One regime is simply better than 27 and the standardisation of the format of suspicious transaction reports alone will reduce administrative costs for any operator running a multi-market EU business.
Generally less understood is that the rulebook is not yet finished. AMLA is an authority, not merely an administrative body, and it is exercising its rule-making powers through a series of active public consultations that will determine, in practical and binding terms, what the obligations on gambling operators will actually require them to do in the day-to-day operation of their businesses. This is the moment that matters, not 2027, when the rules will have been finalised and compliance departments are scrambling, but now, whilst submissions are still being accepted and the guidelines are still being drafted.
There are four consultations of direct relevance to the gambling sector. One has already closed. The remaining three are open, but time is running out.
The first to close, on 9 March, was AMLA’s consultation on monetary sanctions, administrative measures, and periodic penalty payments. This established how the severity of AML breaches would be graded and what penalty levels would be applied. Given that AMLA has the power to fine directly supervised entities up to 10% of annual turnover, this was not an abstract exercise. It was the opportunity to shape how harshly the gambling sector is to be treated when things go wrong, to argue for proportionality, to distinguish between systemic failures and isolated lapses, and to put the operational realities of gambling compliance in front of the people who will be making enforcement decisions.
As far as I can establish, the industry’s collective response has been close to silence. AMLA will, characteristically, proceed regardless.
The second consultation, on Regulatory Technical Standards (RTS) for group-wide minimum requirements, closes on 15 June. That is next Monday. For any gambling group with operations in multiple EU member states or with licensing arrangements, subsidiaries, or affiliates in non-EU jurisdictions, this RTS is fundamental. It defines the minimum standards for group-wide AML/CFT frameworks and, most critically, what additional measures apply where a subsidiary operates in a country whose AML standards fall below the EU’s. This last point is especially significant for operators who combine an EU licence with operations in Curacao, Gibraltar, or other offshore jurisdictions; the RTS will set binding expectations for how those non-EU operations are brought within the group’s AML framework or ring-fenced from it.
AMLA held a public hearing in May, attended by over 650 participants. If you are a gambling group with any cross-border complexity, you should have been engaging with this. Sadly, there is less than a week left.
The third consultation, on draft guidelines for business-wide risk assessment, closes on 15 July. These guidelines set out the minimum expectations for how every obliged entity must document and maintain its business-wide risk assessment, the foundational document from which all proportionate AML controls are derived. If gambling operators are not at the table making the case that their risk profile and transaction patterns differ materially from those of a retail bank, they risk being treated as one.
The fourth and most recently opened consultation covers guidelines on the ongoing monitoring of business relationships. Launched on 3 June, it remains open until 3 September, with a public hearing scheduled for 2 July. For gambling operators, this is operationally critical. The EU has rated online gambling at the highest possible money-laundering risk in its own Supranational Risk Assessment. Against that backdrop, the ongoing monitoring guidelines will answer questions that matter enormously to day-to-day operations: how frequently must a customer relationship be reviewed, what constitutes adequate transaction monitoring, and what documentation must be maintained to demonstrate compliance. These are not abstract questions. These guidelines will determine how compliance teams are staffed, what technology is required, and how customers experience their interactions with operators.
The Malta Gaming Authority, to its considerable credit, has been more alert to this than some of its licensees appear to have been. Possibly their motivation is different from other European regulators. The MGA has issued multiple notices urging operators to engage with the AMLA consultations, has flagged the deadlines explicitly, and has offered to engage with licensees on sector-specific considerations before they submit. The fact that it has had to repeat these calls, rather than being overwhelmed with responses, tells its own story.
This matters for reasons that extend beyond the immediate compliance calendar. Regulatory standards and guidelines, once finalised, are not easily revised; they become embedded assumptions about how industries operate and what risks they present. The financial sector understands this instinctively; banking trade associations, payment-services bodies, and asset-management groups have been submitting detailed, technically informed responses from the outset. The gambling sector, with a few honourable exceptions, has not.
A more pointed risk is also on the horizon. The Commission’s own Supranational Risk Assessment has already recommended that the €2,000 CDD threshold for gambling be reduced, on the grounds that it is too permissive. If the industry is not engaging coherently with AMLA’s consultation processes, it leaves the door open for the next iteration to be still more restrictive — shaped, in practice, by organisations that may have the least sympathy for gambling-sector self-governance.
Over many years in this industry, I have watched capable operators spend considerable resources lobbying against regulation that was already finalised, resources that would have been far better spent engaging with the process years earlier.
I should be honest about the limits of my enthusiasm for consultation processes, because I suspect some operators share my scepticism. In my experience, they have a tendency to function as exercises that allow the promoter of the proposal to proceed with what it had in mind all along, having accumulated sufficient paperwork to demonstrate that due process was observed.
AMLA will doubtless receive submissions from banking associations, payment-services bodies, gambling operators, civil-society organisations, and national competent authorities. Those submissions will point in entirely different directions. And when submissions conflict directly (the industry arguing for a higher CDD threshold, another body arguing for a lower one), how does AMLA weigh them? The answer, as far as the public record shows, is that it likely will not say. I find the opacity on this point rather more troubling than the consultation itself.
This is a caveat, not an argument for disengagement. Those who do not participate guarantee a worse outcome. Those who do at least keep the conversation alive. The rules written for sectors that remain silent can reflect the assumptions of those who spoke and they, in the gambling sector’s case, have not always been its friends.
The question is will the gambling industry engage with these consultations seriously or in three years’ time, will we be sitting at yet another conference, expressing collective astonishment at obligations that were drafted without us?
I know where my money lies.
