How to Underwrite Gambling Merchants: A US Licensing and Payments Framework

Understanding the US Gambling Landscape

US gambling underwriting is a licensing problem first, payments problem second.

‍

When a merchant approaches you for US card acceptance for betting, casino, DFS, or similar gambling services, the complexity isn't in the payment rails - it's in navigating a fragmented regulatory landscape where each state operates as its own jurisdiction. Unlike most merchant categories where you verify business legitimacy and fraud controls, gambling requires you to become a quasi-regulatory auditor, validating licensing status across multiple jurisdictions before you even consider payment risk.

‍

This guide walks you through the complete underwriting framework Ballerine uses to evaluate US gambling merchants.

‍

The Regulatory Patchwork

The United States operates under a state-by-state gambling framework following the 2018 Supreme Court decision in Murphy v. NCAA, which struck down the Professional and Amateur Sports Protection Act (PASPA). This decision allowed states to legalize sports betting independently, creating a complex jurisdictional map.

‍

As of 2025, the landscape includes:

‍

38+ states

With some form of legal sports betting, online, retail, or both

6 states

With legal online casino or iGaming: NJ, PA, MI, WV, DE, CT

19 states

Where daily fantasy sports is explicitly legal and regulated

Tribal gaming

Jurisdictions operating under separate federal frameworks under IGRA

Source: American Gaming Association - State Gaming Map

‍

‍

‍

Federal Compliance Baseline

Before examining state licenses, understand the federal requirements that apply to all US gambling operators:

‍

1. Wire Act (18 U.S.C. § 1084): Prohibits interstate gambling-related wire communications for sports betting. The 2011 DOJ opinion narrowed this to sports betting only, opening the door for online poker and casino where states permit.

‍

2. Unlawful Internet Gambling Enforcement Act (UIGEA, 31 U.S.C. §§ 5361-5367): Doesn't prohibit gambling itself, but prohibits payment processors from knowingly accepting payments for unlawful internet gambling. This places compliance burden on payment facilitators.

‍

3. Bank Secrecy Act/AML Requirements: Gambling businesses accepting $10,000+ in cash equivalent (including electronic deposits) must register as Money Services Businesses with FinCEN (31 CFR § 1021.380).

‍

Key takeaway: Even with state licenses, federal law makes YOU (the payment processor) liable for facilitating unlawful gambling transactions. Your underwriting must verify state-level legality to maintain UIGEA compliance.

‍

‍

‍

What We Verify: The Complete Checklist

‍

1. License Type and Issuing Authority

Why it matters: Different gambling verticals require different licenses, issued by different state authorities, with varying levels of scrutiny. A merchant saying "we're licensed" is meaningless without specifics.

‍

License Categories

‍

Sports Betting Licenses

• Operator License: Authorizes accepting wagers, setting odds, holding player funds
• Platform Provider License: Tech vendors operating betting infrastructure
• Vendor/Supplier License: Provides services (odds feeds, payment processing, compliance tools)

‍

Example: In Pennsylvania, operators need a Sports Wagering Certificate ($10M license fee), while suppliers need a Sports Wagering Supplier License.

Source: Pennsylvania Gaming Control Board - Sports Wagering

‍

Online Casino/iGaming Licenses -
Only available in NJ, PA, MI, WV, DE, CT. These are the most stringent licenses, requiring:

• Partnership with existing land-based casino (market access)
• Multi-year probity investigations
• $10M-20M in licensing fees
• Ongoing technical audits

‍

Example: In New Jersey, you need an Internet Gaming Permit issued by the Division of Gaming Enforcement (DGE), which requires a partnership with an Atlantic City casino license holder.

Source: NJ Division of Gaming Enforcement - Internet Gaming

‍

Daily Fantasy Sports (DFS) Registrations -
DFS operators often require registrations rather than full licenses in states where DFS is classified as a "game of skill" rather than gambling:

‍

• Lighter regulatory touch
• Lower fees ($5K-50K vs millions)
• Still requires consumer protection compliance

‍

Example: In New York, DFS operators must register with the Gaming Commission and pay a 15% tax on gross revenue.

Source: NY State Gaming Commission - Interactive Fantasy Sports

‍

Social Casino Exemptions -
Some operators claim exemption by offering "social casino" (play-money only, no cash prizes). This is NOT gambling in most jurisdictions BUT:

• Verification required that no real-money prizes are awarded
• In-app purchases for virtual currency have payment implications
• Some states still regulate (Washington prohibits social casino)

‍

What to Request -

‍

Required documents:

1. Primary License Certificate: Official document from state gaming authority showing:
   
   • License number and type
   • Legal entity name (must match merchant application)
   • Issue and expiration dates
   • Authorized activities and limitations
   • State(s) of operation
     ‍
2. License Verification: Don't rely solely on provided documents. Verify directly:
   
   • New Jersey: DGE Licensee Search
   • Pennsylvania: PGCB Public Lookup
   • Nevada: Gaming Control Board Licensees
   • Call the regulatory body's licensing department to confirm active status
     ‍
3. Multi-State Operators: If they claim licenses in multiple states, request ALL state licenses. We've seen merchants show their "best" license (usually New Jersey) while operating unlicensed in other states.
   ‍
4. Vendor Agreements: For platform providers/suppliers, request operator agreements showing which licensed operators they serve. They should NOT be accepting consumer payments directly unless they hold operator licenses.

‍

Red Flags

‍

• "We're pursuing licenses": Not licensed = cannot process payments. Period.
• Offshore licenses: Curacao, Malta, or UK licenses are irrelevant for US operations and often signal intent to serve US customers unlawfully
• Tribal licenses without state compacts: Tribal gaming operates under IGRA, but online gambling from tribal lands serving customers off-reservation requires state compacts (see Michigan v. Bay Mills Indian Community)
• Mismatched entities: License issued to "ABC Gaming LLC" but merchant application from "ABC Inc."

‍

2. State Coverage Mapping

A license doesn't grant nationwide rights. You need precise geographic boundaries to configure payment blocking and comply with UIGEA.

State

Legal status

License status

Go-live date

Restrictions

NJ

Legal - Sports & Casino

Licensed (IG-123456)

Active

21+ only

PA

Legal - Sports & Casino

Licensed (PA-SB-789)

Active

21+ only

NY

Legal - Sports only

Licensed (NY-2023-001)

Active

21+, in-person registration required

CA

Not legal

N/A

N/A

BLOCKED

NV

Legal - Sports (retail only)

No online license

N/A

BLOCKED for online

‍

Key considerations:

In-person registration requirements: Some states require initial registration at physical locations:

• New York (until 2022): Required in-person registration at upstate casinos for online sports betting
• Illinois: Required in-person registration initially, later removed
• Check current requirements as these evolve

‍

Some licenses restrict betting to on-property only:

• Nevada: Most online sports betting apps are geo-restricted to casino property
• New Jersey: Can accept bets statewide, not just casino premises

‍

Age requirements:

• Most states: 21+
• Montana, Rhode Island, Washington State (tribal): 18+ allowed
• Your payment systems should enforce age verification before processing

Source: Legal Sports Report - State-by-State Guide

‍

‍

Verification Process -

‍

1. Request their geofencing documentation:
   
   • Which geolocation vendor they use (GeoComply, Localize, Neosurf)
   • How they handle edge cases (near state borders, mobile users)
   • Logs showing blocking effectiveness
     ‍
2. Review their Terms of Service and restricted jurisdiction lists: Should clearly list prohibited states
   ‍
3. Test their platform:
   
   • Use VPN to attempt access from prohibited states
   • Check if they accept registrations with addresses in unauthorized states
   • Verify age gates and identity verification flow
     ‍
4. Check regulatory actions: Search "[Company Name] + cease and desist" or check:
   
   • State gaming commission enforcement actions
   • Attorney General consumer protection actions
   • Better Business Bureau complaints

‍

Example: In 2022, multiple state AGs sent cease-and-desist letters to offshore gambling sites. If your merchant received one, they have demonstrated willful non-compliance.

‍

‍

‍

3. Operator vs Supplier Classification

Why it matters: Operators and suppliers have fundamentally different risk profiles and regulatory requirements. Misclassification leads to improper underwriting and compliance gaps.

‍

Operator Definition -

‍

An operator (or "license holder") is an entity that:
‍

• Accepts wagers directly from consumers
• Sets odds and betting lines (or contracts with odds provider under their license)
• Holds player funds in segregated accounts
• Bears gambling liability for payouts
• Owns customer relationships and marketing

‍

Examples: DraftKings, FanDuel, BetMGM, Caesars Sportsbook

Payment pattern: High volume of small deposits ($10-500), frequent withdrawals, 90-120% payout ratios

‍

Underwriting requirements:

• Full gaming license in each operating state
• Segregated player fund accounts (review bank statements)
• Reserve requirements to cover player balances
• Responsible gaming program documentation
• Marketing/advertising compliance proof

‍

Supplier/Vendor Definition -

‍

A supplier (or "platform provider") is an entity that:

• Provides technology infrastructure to licensed operators
• Does NOT accept consumer wagers directly
• Operates under operator's license (white-label or turnkey)
• May process payments on behalf of operators as a service

‍

Examples: Kambi (odds/platform provider), GAN (online casino platform), Paysafe (payment processing)

Payment pattern: Lower transaction volume, business-to-business payments, licensing/revenue share fees

‍

Underwriting requirements:

• Vendor/supplier license or verification of exemption
• Contracts with licensed operators showing relationship
• Proof they do NOT hold consumer funds directly
• Data security and tech compliance certifications
• If processing payments: PCI-DSS, SOC 2 reports

‍

‍

The Gray Area: White-Label and API Arrangements

Many modern gambling operations blur operator/supplier lines -

‍

White-label arrangements:

‍

Operating model

How it works

Payments & funds handling

Risk & notes

White-label arrangements

Supplier provides the full platform including technology, odds, and risk management.
Operator holds the gambling license and owns the customer relationship.

Clarify who processes payments and who holds player funds. This must be explicitly documented in contracts.

High risk if payment responsibility is unclear.
Always obtain written confirmation.

API integrations

Operator consumes supplier APIs for odds, pricing, and bet settlement.
Core platform and customer experience remain with the operator.

Operator maintains payment processing and fund custody.

Generally clearer classification.
Still verify data flow and fund ownership.

Affiliate networks

Affiliates promote gambling sites in exchange for commission.

Affiliates must never process payments or accept wagers.

If payments or wagers are involved, classification is incorrect.
Affiliates should not require gambling payment processing.

‍

‍

What to request?

‍

1. Business model documentation: Detailed explanation of their role in the value chain
2. Operator agreements (for suppliers): Contracts showing which licensed operators they serve
3. Payment flow diagrams: Visual showing money movement from consumer to ultimate recipient
4. Account structure:
   
   • Do they hold consumer funds? (Operator)
   • Do they only receive B2B payments from operators? (Supplier)
     ‍
5. State vendor licenses: Even suppliers often need state registration:
   
   • Pennsylvania: Sports Wagering Supplier License required
   • New Jersey: Vendor registration with DGE
   • Check each operating state's requirements

‍

Red Flags

‍

• "We provide technology but also process payments": This is operator-level activity requiring operator licenses
  ‍
• Supplier claiming exemption from all licensing: Most states require vendor registration even for tech providers
  ‍
• B2C marketing by "supplier": If they're advertising to consumers, they're operating as a brand, which suggests operator activity
  ‍
• Comingled funds: Supplier receiving consumer funds alongside operator fees suggests operator activity

‍

‍

4. AML Program Requirements

Gambling businesses are FinCEN-regulated MSBs under the Bank Secrecy Act (31 CFR 1021.380). Inadequate AML programs expose you to regulatory liability as their payment processor.

‍

Federal Registration Requirements

FinCEN MSB Registration (Required if the merchant):

• Accepts $10,000+ in cash or cash equivalents within a gaming day (31 CFR 1021.380(b)(3))
• For online gambling, "cash equivalents" include deposits via cards, ACH, e-wallets

‍

What to verify:

‍

1. Form 107 (Registration of Money Services Business): Request copy showing:
   
   • Business name and address
   • Type of MSB activity (check "casino/gambling")
   • Registration number
   • Filed within 180 days of meeting threshold
     ‍
2. Verify registration: Search FinCEN MSB Registrant Search (Note: Public access limited; may need to request proof from merchant)
   ‍
3. Renewal compliance: Registration expires every 2 years, must be renewed
   ‍

Source: FinCEN - Money Services Business Registration

‍

Required AML Program Components

Under 31 CFR 1021.210, gambling MSBs must maintain a written AML program including:

‍

1. Internal Policies and Procedures

Request their BSA/AML Policy Manual covering:

• Customer Due Diligence (CDD) procedures
• Enhanced Due Diligence (EDD) triggers
• Transaction monitoring thresholds and rules
• Record retention policies (5 years minimum)
• Suspicious activity identification criteria

‍

What good looks like:
‍50-100+ page manual with specific dollar thresholds, escalation procedures, examples of suspicious patterns

‍

Red flag:
‍Generic template without gambling-specific scenarios

‍

2. Designated AML Compliance Officer

Must appoint individual responsible for AML program:

• Request name, title, qualifications
• Verify they have authority and resources
• Should be senior-level, not outsourced overseas

‍

3. Ongoing Training Program

Employees handling transactions must receive AML training:

• Request training materials and attendance records
• Should cover gambling-specific typologies (structuring, chip dumping, collusion)
• Annual refresher training minimum

‍

4. Independent Testing/Audit

Annual independent review required:

• Request most recent audit report
• Should be conducted by external firm or separate internal audit dept
• Report should identify deficiencies and remediation plans

‍

Red flag: No audit conducted, or audit is 2+ years old

‍

Transaction Monitoring Requirements

‍

Currency Transaction Reports (CTRs):

• Required for cash transactions over $10,000 in a gaming day (31 CFR 1021.311)
• For online gambling: Typically triggered by deposit aggregation
• Request their CTR filing procedures and evidence of filed CTRs

‍

Suspicious Activity Reports (SARs):

• Required within 30 days of detecting suspicious activity (31 CFR 1021.320)
• Common gambling SAR triggers:
  
  • Structuring: Multiple deposits just under reporting thresholds
  • Rapid movement: Deposit followed immediately by withdrawal (money laundering)
  • Minimal play: Deposits with little actual gambling activity
  • Third-party funding: Payments from accounts not matching player name
    ‍
• Request SAR filing statistics (numbers only, not actual SARs which are confidential)

‍

What to ask:
"How many SARs did you file last year?" Reputable operators file dozens to hundreds. Zero SARs suggests inadequate monitoring.
Source: FinCEN - Casino and Card Club Red Flags

‍

‍

Enhanced Due Diligence (EDD) Requirements

Gambling operators must conduct EDD for high-risk customers:
‍

```

Control area

What it covers

What to request

Key expectations

PEP screening

Identification and enhanced monitoring of Politically Exposed Persons.

PEP screening vendor details (World-Check, Dow Jones, etc.).

Screening required at onboarding and periodically thereafter.

OFAC / sanctions screening

Real-time screening against SDN lists and sectoral sanctions.

OFAC and sanctions compliance procedures and escalation flows.

Transactions must be blocked immediately upon a confirmed match.

High-value player monitoring

Enhanced oversight for players with large transaction volumes.

Thresholds defining high-value players (typically $10K+ deposits).

Must include source of funds verification and ongoing monitoring.

```

‍

‍

State-Specific AML Requirements

Some states impose additional requirements:

‍

New Jersey:

• Casino Control Act requires AML procedures beyond federal minimums
• Must file Suspicious Transaction Reports (STRs) with DGE in addition to federal SARs
• Source: N.J.A.C. 13:69C-4

‍

Pennsylvania:

• Sports wagering operators must submit AML plans to Gaming Control Board for approval
• Must report unusual or suspicious transactions to Board
• Source: 58 Pa. Code § 1103.7

‍

‍

What to Request from Merchant

Complete AML documentation package:

```

Control area

What it covers

What to request

Key expectations

PEP screening

Identification and enhanced monitoring of Politically Exposed Persons.

PEP screening vendor details (World-Check, Dow Jones, etc.).

Screening required at onboarding and periodically thereafter.

OFAC / sanctions screening

Real-time screening against SDN lists and sectoral sanctions.

OFAC and sanctions compliance procedures and escalation flows.

Transactions must be blocked immediately upon a confirmed match.

High-value player monitoring

Enhanced oversight for players with large transaction volumes.

Thresholds defining high-value players (typically $10K+ deposits).

Must include source of funds verification and ongoing monitoring.

```

If they cannot provide these, they are not ready for payment processing.

‍

‍

‍

5. Age and Geo Controls (Technical Verification)

Why it matters:
‍Unlike license verification (administrative) and AML (financial), age and geo controls are technical safeguards preventing unlawful transactions in real-time. These are your first line of defense against UIGEA liability.

‍

Geolocation Technology Requirements

Why self-reported location is insufficient: Users can easily lie about location. You need device-level verification that's harder to spoof.

‍

State regulatory requirements: Most states mandate specific geolocation technology:

• New Jersey: Requires real-time geolocation "within acceptable limits to determine location" (interpreted as within state borders)
• Pennsylvania: Requires geolocation that ensures player is within state boundaries
• Michigan: Mandates geolocation system approved by Gaming Control Board

Source: Geolocation Compliance Requirements by State

‍

Required Geolocation Capabilities

Multi-factor location verification- Best practice uses 3+ signals:
‍

1. GPS (Device Location Services)
   
   • Latitude/longitude from device GPS chip
   • Most accurate (3-10 meter precision)
   • Can be disabled by user or spoofed with modified devices
2. Wi-Fi Positioning
   
   • Triangulates location based on nearby Wi-Fi access points
   • Works indoors where GPS signal is weak
   • Database of Wi-Fi AP locations (Google, Skyhook, etc.)
3. Cell Tower Triangulation
   
   • Uses cellular network tower signals
   • Less accurate (100-1000 meter precision)
   • Harder to spoof than GPS
4. IP Address Geolocation
   
   • Least accurate (city-level at best)
   • Should be LEAST weighted factor
   • Easily bypassed with VPN/proxy

‍

What good looks like:
‍Geolocation vendor uses weighted algorithm combining all signals, requires 2-3 factors to agree before allowing transaction.

‍

Geofencing Edge Cases

‍

State border proximity:

• Problem: User 50 feet from state border may show GPS coordinates in neighboring state
• Solution: Request their "border buffer" policy. Reputable operators deny service within 1-2 miles of unlicensed state borders or require additional verification.

‍

VPN/Proxy detection:

• Problem: Users in restricted states use VPNs to mask location
• Solution: Request their VPN detection methods:
  
  • IP address blacklists (known VPN/proxy servers)
  • DNS leak detection
  • WebRTC leak detection
  • Port scanning for VPN indicators
  • Multiple failed geolocation attempts = red flag

‍

Location spoofing apps:

• Problem: Rooted/jailbroken phones can run location spoofing apps
• Solution: Ask about device integrity checks:
  
  • Jailbreak/root detection
  • Developer mode detection
  • Mock location setting detection (Android)

‍

Tribal land complications:

• Problem: User physically on tribal casino property in state without online gambling
• Solution: Should be blocked unless tribal-state compact explicitly allows
• Request map of tribal geofences if applicable

‍

What to Request from Merchant

‍

Control area

What to review

What to request

Key expectations

Geolocation vendor contract

Third-party provider used to determine player location.

Executed contract with approved vendor (GeoComply, Localize, Neosurf, GeoGuard).

Homegrown or unknown vendors are a red flag due to insufficient testing.

Geolocation configuration documentation

Technical logic used to determine user location.

Signals used, weighting logic for conflicting signals, accuracy thresholds, and border buffer zones.

Configuration must meet jurisdiction-specific precision requirements.

VPN / proxy blocking procedures

Controls to prevent location masking and circumvention.

Detection methods, blacklists in use, and blacklist update frequency.

Outdated or static lists increase evasion risk.

Geolocation testing evidence

Validation that controls work as intended.

Penetration testing reports, regulatory approvals if required, and logs of blocked out-of-state attempts.

Evidence should demonstrate consistent blocking of unauthorized states.

Failure handling

Behavior when location confidence is insufficient.

Decision logic and fallback rules.

Must default to DENY to prevent unauthorized wagering.

User experience

How and when geolocation checks are presented to the user.

Screenshots or recordings of the geolocation flow.

Geolocation must occur before accepting deposits, not after.

‍

‍

Age Verification Technology

Why age gates are insufficient: Checkbox "I am 21+" is not verification. Underage gambling is both illegal and reputationally catastrophic.

‍

State requirements:

• All states require age verification, but rigor varies
• New Jersey: Must verify age and identity using "reliable third-party databases"
• Pennsylvania: Must verify age at registration before allowing play

Source: Internet Gambling Age Verification Best Practices

‍

Required Age Verification Capabilities

‍

Tier 1: Identity Document Verification (Required)

At registration, must verify government-issued ID.

‍

Document types accepted:

• Driver's license (most common)
• State ID card
• Passport
• Military ID

‍

Verification process:

1. User uploads photo/scan of ID
2. OCR extracts data (name, DOB, ID number)
3. Compare ID data against registration information
4. Verify document authenticity:
   
   • Check for known forgery indicators
   • Validate barcode/PDF417 data matches visual fields
   • Verify security features (holograms, microprinting)

‍

Acceptable vendors:

• Jumio
• Onfido
• Trulioo
• Veriff
• Vouched

‍

What to verify:
‍Request their ID verification vendor contract and accuracy statistics (false positive/negative rates).

‍

Tier 2: Database Cross-Verification (Recommended)

Cross-check provided information against third-party databases.

Credit bureau verification:

• Experian, Equifax, TransUnion offer identity verification APIs
• Confirms name, address, DOB match credit file
• Does NOT pull credit score (soft inquiry)

Public records databases:

• LexisNexis, Acxiom, others
• Verify identity against utility bills, property records, etc.

SSN verification (if collected):

• SSA database validation
• Confirms SSN issued and matches name/DOB

What to verify:
Request list of databases used and match rate requirements (e.g., must match 2 of 3 databases).

‍

Tier 3: Knowledge-Based Authentication (Optional)

‍

For high-risk accounts or failed verification, ask questions only real person would know:

• "Which of these addresses have you lived at?"
• "What was your first car loan amount?"

‍

What to verify:
Request KBA vendor (typically credit bureau product) and when it's triggered.

‍

Self-Exclusion and Responsible Gaming Integration

‍

State self-exclusion lists:

• Most states maintain lists of individuals who have self-excluded from gambling
• Operators MUST check against these lists and block excluded persons
• Example: New Jersey maintains statewide self-exclusion list, operators must check at registration and daily

‍

What to request:

1. Self-exclusion list access documentation: Proof they receive and check state lists
2. Update frequency: Should check daily or real-time
3. Multi-state exclusion: If operating in multiple states, must check ALL state lists
4. Blocking procedures: Excluded persons must be prevented from registering AND must have existing accounts closed

‍

Third-party exclusion services:

• ICRG (International Centre for Responsible Gaming): Multi-jurisdiction exclusion database
• Some operators participate in voluntary cross-operator exclusion

‍

Account-level controls:

• Deposit limits (daily/weekly/monthly)
• Time limits (session duration limits)
• Self-exclusion options (24 hours, 30 days, permanent)
• Reality checks (pop-ups showing time/money spent)

‍

What to request:

1. Responsible gaming policy documentation
2. Screenshots of user-facing controls
3. Statistics on self-excluded accounts (volume, not identities)

‍

Testing and Validation

Before approving the merchant, conduct your own tests:

‍

1. Geolocation testing:
   
   • Use VPN to attempt access from prohibited states
   • Test near state borders
   • Try disabling location services
   • Result: Should be blocked in all scenarios
     ‍
2. Age verification testing:
   
   • Attempt registration with fake DOB (underage)
   • Use mismatched information
   • Result: Should be rejected or require additional verification
     ‍
3. Self-exclusion testing:
   
   • Request they demonstrate lookup against exclusion list
   • Ask how they handle cross-state exclusions

‍

‍

6. Payouts Model and Payment Flow

The flow of funds determines liability, reserve requirements, chargeback risk, and fraud exposure. This is where licensing meets payment operations.

‍

Understanding Gambling Payment Flows

Operator-Direct Model (Most Common):

‍

Key characteristics:

• Operator holds consumer funds in pooled player accounts
• Deposits and withdrawals flow through same payment processor (ideally)
• Operator bears gambling liability and must have reserves for player balances

‍

Payment processor role:

• Process deposits (card, ACH, e-wallet)
• Process withdrawals (ACH, card pushback, e-wallet)
• Hold reserves to cover player balances and chargebacks

‍

Platform Provider Model:

‍

Key characteristics:

• Platform provider processes payments but passes funds to licensed operator
• Operator remains custodian of player funds
• Platform is payment facilitator, not gambling operator

‍

Payment processor role:

• Process deposits on behalf of operator
• Verify pass-through to operator occurs
• Operator (not platform) should hold reserves

‍

Hybrid/White-Label Model:

‍

Key characteristics:

• Platform provides tech, operator provides license
• Revenue/risk sharing arrangement
• Can be unclear who holds what funds

‍

Payment processor role:

• Requires careful contract review to determine who holds reserves
• May need to split reserves between platform and operator

‍

Critical Payment Questions to Ask

‍

1. Fund Custody

Q: "Where are player funds held between deposit and payout?"

‍

What good looks like:

• Segregated player accounts separate from operational funds
• Clear ledger showing player balances vs company funds
• Held at US-licensed financial institution (not offshore)

‍

Red flags:

• Comingled funds (player money mixed with operational capital)
• Held offshore
• Cannot provide bank statements showing segregation

‍

2. Payout Ratios

Q: "What is your typical payout-to-deposit ratio?"

‍

Industry benchmarks:

• Sports betting: 92-96% (house edge 4-8%)
• Online casino: 88-96% depending on games (slots lower, table games higher)
• DFS: 85-91% (rake/entry fees)

‍

What this means for payment processing:

• If $100K deposits per month, expect $92-96K withdrawals
• Need to ensure merchant has funds to process withdrawals
• Higher-than-expected ratios may indicate:
  
  • Bonus abuse: Players exploiting promotions
  • Arbitrage: Sharp bettors finding value bets
  • Fraud: Coordinated attack
  • Money laundering: Minimal play, quick turnover

‍

Red flags:

• Cannot provide payout ratio data
• Payouts consistently exceed deposits (unsustainable)
• Wildly varying ratios month-to-month without explanation

‍

3. Withdrawal Processing Times

Q: "What is your average withdrawal processing time?"

‍

Industry standards:

• Instant/Same-day: Leading operators (DraftKings, FanDuel) offer instant bank transfers
• 1-3 business days: Standard ACH processing
• 3-5 business days: Acceptable but slower
• 7+ days: Red flag, suggests cash flow issues

‍

What to verify:

• Request withdrawal processing statistics from last 3 months
• Check complaints (Reddit, Trustpilot) about delayed withdrawals
• Verify they're not using withdrawal delays as retention tactic

‍

Red flags:

• Pending withdrawal periods >72 hours
• Many complaints about withdrawal delays
• Different processing times for winners vs losers (discriminatory)

‍

4. Reserve Requirements

Q: "How much in player funds do you currently hold?"

This determines your reserve/holdback requirements as payment processor.

‍

Calculating required reserves:

Reserve Requirement = Player Balances + Chargeback Risk + Regulatory Buffer

‍

Example:

- Player balances: $500,000 (total in all player accounts)

- Expected chargebacks: 1-2% of volume = $50,000/month

- Regulatory buffer: 10% = $50,000

- Minimum reserve: $600,000  

‍

What to request:

1. Current player liability report: Total funds owed to players right now
2. Bank statements: Verify sufficient funds to cover player balances
3. Historical chargeback data: Last 12 months, by category
4. Bonus liability: Outstanding promotional credits owed to players

‍

Red flags:

• Cannot provide player balance totals
• Player balances exceed cash on hand (insolvency risk)
• Unwilling to provide financial statements

‍

5. Payment Methods Accepted

Q: "Which deposit and withdrawal methods do you support?"

‍

Common methods:

‍

Deposits:

• Credit/debit cards (Visa, Mastercard) - most common, highest chargeback risk
• ACH/bank transfer - lower risk, slower
• PayPal - some states, lower risk
• Play+ (prepaid card) - closed loop, lowest risk
• Cash at casino cage - retail integration

‍

Withdrawals:

• ACH/bank transfer - most common
• Card pushback (return to original card) - limited by card networks
• PayPal - where available
• Check - slow, legacy
• Play+ - instant, preferred by operators
• Cash at casino cage - retail integration

‍

What good looks like:

• Multiple deposit options (convenience)
• Fast withdrawal options (customer satisfaction)
• Closed-loop systems where possible (Play+, PayPal)

‍

Red flags:

• Cards only (no alternatives = high chargeback exposure)
• No withdrawal method matching deposit method
• Wire transfer only (common in unlicensed offshore sites)
• Cryptocurrency (not permitted in most US jurisdictions)

‍

Chargeback and Dispute Handling

Why gambling chargebacks are unique:

‍

1. High dispute rates: Gambling has among highest chargeback rates (1-3% typical)
   ‍
2. Common dispute reasons:
   
   • "I didn't authorize this" (friendly fraud / gambling problem denial)
   • "Service not provided" (account closure disputes)
   • "Spouse made charge" (household disputes)
   • Legitimate fraud (stolen card)
     ‍
3. Card network restrictions: Some card issuers block gambling transactions, forcing users to use workarounds that later lead to disputes

‍

State Regulations on Disputes:

New Jersey: DGE rules require operators to:

• Maintain records of all transactions for 7 years
• Provide documentation for dispute resolution
• Have clear terms regarding deposits/withdrawals
• Source: N.J.A.C. 13:69O-1.4

‍

Pennsylvania: Must maintain records available for audit, including transaction logs

‍

What to Request from Merchant

‍

Chargeback data package:

1. Historical chargeback reports: Last 12 months
   
   • Volume by reason code
   • Win/loss rates by reason code
   • Monthly trend
     ‍
2. Chargeback response process:
   
   • Who handles representments?
   • Average response time
   • Documentation standards (what evidence do they provide?)
     ‍
3. Fraud prevention measures:
   
   • Address Verification System (AVS) usage
   • CVV requirement
   • 3D Secure implementation (Verified by Visa, Mastercard SecureCode)
   • Velocity controls (limit rapid repeat deposits)
     ‍
4. Dispute resolution policies:
   
   • Terms & Conditions regarding disputes
   • How they handle "problem gambling" claims
   • Refund policies for canceled/excluded accounts

‍

What good looks like:

• Chargeback rate <2% of volume
• 50% win rate on representments (shows strong documentation)
• 3D Secure implemented (shifts liability to issuer)
• Clear T&Cs acknowledged at registration

‍

Red flags:

• Chargeback rate >3%
• No chargeback data available (new merchant OR not tracking)
• Poor representment win rate (<30%)
• No 3D Secure implementation
• Vague dispute policies

‍

Bonus and Promotion Structures

Promotional offers impact payment flows and can indicate abuse or fraud.

‍

Common gambling promotions:

• Deposit match: "Deposit $100, get $100 bonus" (doubles player balance)
• Free bets: Risk-free wagers (player keeps winnings, operator absorbs loss)
• Odds boosts: Enhanced odds on specific bets
• Cashback: Return of losses (e.g., "10% back on losses")

‍

Payment implications:

1. Bonus abuse: Sophisticated players exploit promotions for guaranteed profit
   
   • Example: Deposit match on multiple accounts, bet both sides
   • Results in unusual payout ratios and rapid withdrawals
     ‍
2. Liability: Bonuses are liabilities that must be funded
   
   • Request: Outstanding bonus liability (total promotional credits issued but not yet played)
     ‍
3. Playthrough requirements: Bonuses typically require wagering before withdrawal
   
   • Example: "Deposit $100, get $100 bonus, must wager $5,000 before withdrawal"
   • Verify they enforce these (prevent immediate withdrawal of bonuses)

‍

What to request:

1. Promotion terms and conditions: Full documentation of all active offers
2. Bonus liability report: Current outstanding promotional credits
3. Bonus abuse prevention: Controls to detect multi-accounting, arbitrage
4. Playthrough tracking: System to enforce wagering requirements

‍

Red flags:

• Extremely generous bonuses without playthrough (unsustainable, attracts abusers)
• Cannot quantify bonus liability
• No abuse prevention controls

‍

‍

‍

What Good Looks Like: The Complete Profile

When all elements come together, a well-prepared gambling merchant presents:

‍

Documentation Package

‍

Category

Requirement

Regulatory

Active gaming licenses for all operating states (verified independently)

State-by-state eligibility matrix

Vendor/supplier licenses where required

Regulatory correspondence file (no unresolved actions)

Compliance

FinCEN Form 107 (MSB registration)

Written BSA/AML program (50-100+ pages, gambling-specific)

Designated AML officer with qualifications

Independent AML audit (within last 12 months)

Training records

SAR filing statistics

Transaction monitoring system documentation

Technical

Geolocation vendor contract (GeoComply or similar)

Geolocation configuration and testing reports

VPN/proxy detection procedures

ID verification vendor contract (Jumio, Onfido, etc.)

Age verification process documentation

Self-exclusion list access and checking procedures

Responsible gaming controls documentation

Financial

Bank statements showing segregated player accounts

Player liability report (current balances owed)

12-month financial statements

Payout ratio data

Withdrawal processing time statistics

Reserve calculation showing adequate funds

Payments

12-month chargeback data by reason code

Fraud prevention documentation (AVS, 3DS, velocity controls)

Dispute resolution policies

Bonus liability report

Payment flow diagrams

‍

‍

Operational Indicators

‍

Strong operators demonstrate:

• Clear, documented processes for every compliance requirement
• Dedicated compliance team (not outsourced)
• Proactive regulatory engagement (not reactive)
• Industry association membership (AGA, iDEA, etc.)
• Institutional investors or public company (higher accountability)
• Long operational history in regulated markets
• Marketing compliance (no underage targeting, responsible gambling messaging)

‍

Testing Results

‍

Before final approval, you should have:

• Verified geolocation blocks VPN access
• Verified geolocation blocks prohibited state access
• Verified age verification rejects underage attempts
• Verified self-exclusion lookup functionality
• Reviewed customer complaints (minimal, resolved quickly)
• Confirmed licensing status via regulatory phone call
• Reviewed sample of marketing materials (compliant)

‍

‍

‍

Common Misses: Red Flags That Disqualify Merchants

‍

1. "We are licensed" without state scope

‍

The claim: "We're a licensed gambling operator in the United States."

The problem: This is meaningless without specifics. There is no "US gambling license."

What's really happening:

• They have ONE state license but are serving customers in unauthorized states
• They have an offshore license (Curacao, Malta, etc.) and mistakenly think it authorizes US operations
• They're in the application process but not yet approved
• They're operating under someone else's license without proper white-label agreements

How to catch it:

1. Ask: "Please provide your license number and issuing state for every state where you accept customers."
2. If they hesitate, provide only one license, or mention "international" licenses, STOP.
3. Cross-reference their website's Terms of Service - which states do they list as eligible?
4. Check their geolocation - attempt access from multiple states

‍

Real-world example:
A DFS operator claimed to be "licensed in the US" but only held a New York registration. Investigation revealed they were accepting players from Texas (where DFS is legally gray) and Florida (explicitly illegal at the time). They were facilitating unlawful gambling under UIGEA.

‍

Why it matters:
Processing payments for unlawful gambling violates UIGEA. The payment processor (you) faces potential penalties, even if the merchant claimed to be licensed.

Source: UIGEA Enforcement - DOJ Guidance

‍

2. Affiliate traffic with weak controls

‍

The claim: "We drive customer acquisition through affiliate partners."

The problem: Affiliates often operate in regulatory gray zones, using aggressive marketing tactics that violate state laws.

What's really happening:

• Affiliates are marketing in unauthorized states to drive traffic
• Affiliates are making misleading claims ("guaranteed wins," "no risk")
• Affiliates are targeting vulnerable populations (minors, problem gamblers)
• The merchant claims ignorance: "We don't control what affiliates do"

Why it's a problem:

1. Regulatory: Many states hold operators responsible for affiliate marketing
   
   • New Jersey: Operators liable for affiliate content [N.J.A.C. 13:69O-1.7(g)]
   • Pennsylvania: Operators must ensure affiliates comply with advertising standards
     ‍
2. Payment risk: Affiliate-driven traffic has higher fraud rates
   
   • Bonus abuse (affiliates teach users how to exploit offers)
   • Multi-accounting (same person creates multiple accounts via different affiliate links)
   • Synthetic identities
     ‍
3. Reputational: Aggressive affiliate marketing attracts regulatory scrutiny

‍

How to catch it:

1. Request affiliate agreements: Review contracts between merchant and affiliates
   
   • Do agreements require affiliates to comply with state marketing laws?
   • Do agreements prohibit targeting excluded states?
   • Do agreements prohibit misleading claims?
     ‍
2. Review affiliate marketing materials:
   
   • Request sample affiliate websites, ads, social media
   • Look for: targeting of excluded states, minor-appealing content, misleading claims
     ‍
3. Check traffic sources:
   
   • Request analytics showing customer acquisition by source
   • What % comes from affiliates vs direct?
   • Which states have highest affiliate traffic?
     ‍
4. Affiliate vetting process:
   
   • How does merchant approve new affiliates?
   • Do they conduct background checks?
   • Do they monitor ongoing compliance?

‍

Red flags:

• 50% of traffic from affiliates (over-reliance)
• No affiliate compliance monitoring
• Affiliate agreements lack regulatory compliance clauses
• Merchant cannot provide list of active affiliates
• Affiliates using aggressive tactics (bonuses with no playthrough, "guaranteed" language)

‍

What good looks like:

• Detailed affiliate compliance manual
• Regular affiliate audits (quarterly reviews of marketing materials)
• Affiliate training on regulatory compliance
• Ability to immediately terminate non-compliant affiliates
• <30% of traffic from affiliates (diversified acquisition)

‍

Real-world example:
A sports betting operator used affiliates to drive traffic from states where they weren't licensed. Affiliates ran Google Ads targeting those states. When state AG investigated, operator claimed ignorance, but payment processor was named in enforcement action for facilitating unlawful gambling.

‍

3. Unclear payout roles

‍

The claim: "We're a technology platform connecting players with gambling opportunities."

The problem: This vague description obscures who actually holds player funds and processes payouts, making it impossible to properly assess risk.

What's really happening:

• They're trying to avoid operator-level licensing by claiming to be "just tech"
• They DO process payments but don't want to admit it
• They have a complex multi-party arrangement they don't want to explain
• They're facilitating peer-to-peer gambling (legally problematic)

‍

Why it's a problem:

1. Regulatory: If they're processing payouts, they're likely operating as an operator (or payment processor) and need appropriate licenses
2. Reserve requirements: You can't properly calculate reserves if you don't know who holds funds
3. Chargeback liability: Unclear who's responsible for funding chargebacks
4. Fraud risk: Complex payment flows obscure fraud

‍

How to catch it:

1. Ask the direct question: "When a player deposits $100 and wins $50, where does that $150 go before they withdraw it?"

What good looks like: "Deposit goes into player account held in our name at [Bank Name], segregated from operational funds. Winnings are credited to the same player account. Withdrawal goes from that account via ACH to player's bank."

‍

Red flags:

• "It depends..."
• "Funds flow through our technology partners..."
• "We're just the platform, the operators handle payments..."
• "It's complicated, but we can explain later..."

2. Request payment flow diagram: Visual representation showing:
   
   • Customer → [Payment Method] → [Processor] → [Merchant/Operator Account] → [Intermediaries?] → [Final Destination]
   • Withdrawal flow in reverse
   • Who touches funds at each step?
     ‍
3. Review Terms of Service:
   
   • Search for "funds," "deposits," "withdrawals"
   • Who does the customer have a financial relationship with?
   • Whose name appears on bank/card statements?
     ‍
4. Request bank statements:
   
   • Where are player funds actually held?
   • In whose name is the account?
   • Is it segregated or comingled?

‍

Complex scenarios that require extra scrutiny:

‍

Peer-to-peer gambling:

• Example: Poker rooms where players bet against each other, not the house
• Platform takes "rake" (commission)
• Question: Who holds the prize pool before the game concludes?
• Risk: If platform holds funds, they need operator license even though they're not "house"

‍

Multi-party white-label:

• Platform Provider provides tech
• Licensed Operator provides license
• Payment Processor processes transactions
• Question: Who is the merchant of record? Who holds player funds?
• Risk: Everyone points fingers when something goes wrong

‍

Offshore-US hybrid:

• Technology platform hosted offshore
• US-licensed entity as "face"
• Question: Where do funds actually flow?
• Risk: Potentially structured to evade US regulations

‍

What good looks like:

• Single entity as merchant of record
• That entity holds licenses in all operating states
• Clear custody of player funds
• Direct payment processing relationship
• Transparent Terms of Service

‍

Real-world example:
A "fantasy sports platform" claimed to be just technology, but investigation revealed they held player entry fees in pooled accounts before distributing prizes. They were operating as a fantasy sports operator but only had a technology vendor license. This was unlicensed money transmission.

‍

4. Additional Red Flags

‍

Financial red flags:

• Reluctance to provide financial statements
• Negative cash flow
• Player balances exceed liquid assets (insolvency risk)
• Recent ownership changes without regulatory approval
• Pending litigation (especially class actions)

‍

Operational red flags:

• High employee turnover (especially compliance team)
• No US-based compliance staff (overseas outsourcing)
• Generic email addresses (support@, info@) rather than named contacts
• Website down frequently or poor user experience
• Minimal social media presence or negative sentiment

‍

Marketing red flags:

• Celebrity endorsements without responsible gambling disclosures
• Advertising that appeals to minors (cartoons, youth sports, etc.)
• Misleading odds/probability claims
• "Get rich quick" messaging
• No responsible gambling resources on website

‍

Technology red flags:

• No mobile app (all reputable operators have apps)
• Website not SSL secured
• Poor user reviews citing technical issues
• Data breaches or security incidents
• No SOC 2 or ISO 27001 certification

‍

Check these sources for red flags:

• State gaming commission enforcement actions
• Consumer Financial Protection Bureau complaints
• Better Business Bureau (pattern of complaints)
• Reddit gambling communities (r/sportsbook, r/gambling)
• Trustpilot and similar review sites
• Industry news (Legal Sports Report, CDC Gaming Reports)

‍

‍

‍

Your First Question: The Critical Artifact

‍

After reviewing all the above, the single most important artifact to request first is:

"Please provide copies of all active gambling licenses, including license numbers, issuing authorities, and state-specific scope of authorization."

‍

Why this is the first question:

1. Foundation: Without valid licenses, nothing else matters. No amount of compliance or technical sophistication can overcome unlicensed operation.
2. Efficiency: Requesting licenses first saves time. If they can't produce proper licenses, you stop here.
3. Verification: Licenses can be independently verified with regulatory authorities, giving you ground truth.
4. Scope definition: Licenses tell you exactly which states they're authorized to operate in, defining the geographic boundaries for all other verification.
5. Risk classification: License types (operator vs supplier, sports vs casino, etc.) determine which underwriting standards apply.

‍

What you're looking for in the response:

‍

✅ Good response

• New Jersey Internet Gaming Permit #IG-123456 (expires 12/31/2026) - sports betting and casino
• Pennsylvania Sports Wagering Certificate #PA-SB-789012 (expires 6/30/2025) - sports betting only
• Michigan Internet Gaming Operator License #MI-IG-345678 (expires 3/15/2027) - sports betting and casino
  ‍

🚩 Red flag response

‍
"We're licensed to operate in the United States. We're currently in the licensing process in several states."

‍

Follow-up if response is inadequate:

‍
"I need to see the actual license certificates issued by state gaming authorities. Applications in progress do not constitute authorization to operate. We cannot proceed until you provide copies of all active licenses for states where you currently accept customers."

‍

Immediate next steps after receiving licenses:

1. Verify authenticity (same day):
   
   • Call state gaming authority licensing department
   • Confirm license number is active and in good standing
   • Ask about any enforcement actions or pending investigations
     ‍
2. Cross-reference scope (same day):
   
   • Compare licensed states to states listed on merchant's website
   • Check Terms of Service for geographic restrictions
   • Verify they're not accepting customers from unlicensed states
     ‍
3. Determine license type (same day):
   
   • Operator or supplier/vendor?
   • Sports, casino, DFS, or other?
   • This determines which sections of this guide apply
     ‍
4. Request remaining documentation (based on findings):
   
   • If operator licenses: Request full AML, financial, technical documentation
   • If supplier licenses: Request operator agreements, vendor registrations
   • If any concerns: Request explanation before proceeding

‍

This single artifact acts as the gateway to the entire underwriting process. No merchant should proceed past initial inquiry without producing valid, verifiable gambling licenses.

‍

‍

Conclusion: Building a Sustainable Gambling Payments Practice

‍

Gambling merchant underwriting is fundamentally different from standard merchant risk assessment. You're not just evaluating fraud risk and chargeback rates - you're validating regulatory compliance across multiple jurisdictions, assessing technical controls to prevent unlawful transactions, and ensuring financial stability to protect player funds.

‍

The framework we've outlined gives you:

• Regulatory validation: License verification and state-by-state scope mapping
• Compliance assessment: AML programs, FinCEN registration, suspicious activity monitoring
• Technical verification: Geolocation, age verification, responsible gaming controls
• Financial diligence: Reserve requirements, payout models, bonus liability
• Operational risk management: Chargeback handling, dispute resolution, affiliate oversight

‍

Key principles to remember:

1. Licensing is foundational: Never process payments for unlicensed gambling. UIGEA liability flows to you.
2. State-by-state verification: There is no "US gambling license." Each state must be verified independently.
3. Operator vs supplier classification matters: Different risk profiles require different underwriting standards.
4. Technical controls are your first defense: Geolocation and age verification prevent unlawful transactions in real-time.
5. Financial reserves protect everyone: Proper reserves ensure players can be paid and chargebacks can be funded.
6. Documentation is non-negotiable: "We're compliant" means nothing without evidence.

‍

Building expertise in gambling payments -

As you underwrite more gambling merchants, you'll develop pattern recognition:

• Which license types indicate sophisticated operators
• Which geolocation vendors are reliable
• What chargeback rates are sustainable
• Which states have the most rigorous requirements

‍

This expertise becomes a competitive advantage, allowing you to:

• Price risk more accurately
• Approve quality merchants faster
• Identify problems earlier
• Build long-term relationships with reputable operators

‍

The gambling industry is evolving rapidly:

• More states are legalizing online gambling each year
• Regulatory standards are increasing
• Technology is improving (better geofencing, faster payouts)
• Consolidation is occurring (large operators acquiring smaller ones)

‍

Your underwriting framework must evolve with the industry. Stay current by:

• Monitoring state legislative developments (Legal Sports Report, CDC Gaming Reports)
• Following regulatory actions (state gaming commission press releases)
• Participating in industry associations (Payments Innovation Alliance, AGA)
• Reviewing updated guidance from FinCEN and DOJ

‍

‍

Ballerine's role: We provide the infrastructure to make this complex underwriting process manageable - automated license verification, real-time monitoring, risk scoring, and regulatory change alerts.

But the foundational knowledge in this guide gives you the expertise to ask the right questions, identify the red flags, and protect your payment processing business while supporting the growth of regulated gambling.

‍