The CGA's June 2026 crypto guideline expects blockchain analytics, Travel Rule data and asset risk tiers. What casinos must build to stay bankable.
Accepting crypto deposits does not exempt an online casino from a single line of its anti-money-laundering obligations. The Curaçao Gaming Authority (CGA) made that explicit in its June 2026 crypto policy guideline: crypto is treated identically to fiat for AML, CFT and Responsible Gambling purposes, and operators must now spell out their crypto controls in the AML/CFT policy submitted on the CGA portal. This guide breaks down what the CGA now expects — blockchain analytics, asset risk tiers, Travel Rule data, incident reporting — and why getting it right is what keeps you bankable.
The single most important message in the CGA's June 2026 guideline is also the simplest: crypto is not a regulatory loophole. The CGA AML policy applies equally to fiat and crypto flows, and the same is true of its Responsible Gambling expectations. An operator that runs a rigorous AML/CFT programme on card and bank rails but treats crypto as an unmonitored side door has, in the CGA's view, no programme at all.
This matters because the assumption that crypto sits outside the rulebook is still widespread. It does not. The thresholds, the KYC obligations, the source of funds documentation and the suspicious-activity reporting duties that apply to fiat deposits apply identically to their crypto equivalents. A £10,000-equivalent stablecoin deposit triggers the same enhanced scrutiny as a £10,000 bank transfer. For the threshold mechanics, see our iGaming withdrawal operations and AML playbook.
The CGA now expects operators to detail their crypto-specific controls explicitly in the AML/CFT policy they submit through the CGA portal. A generic policy that mentions "we accept cryptocurrency" without describing how deposits are screened, how wallets are risk-scored, or how prohibited assets are blocked will not satisfy the guideline. The crypto section of your policy has to read like an operating manual, not a marketing line.
This is a guideline of expected controls rather than statute — but in practice the distinction is academic. The CGA assesses licence applications and ongoing compliance against the controls it sets out, and a portal submission that ignores them is a submission that invites questions. Treat the guideline as the floor of expected behaviour. For the wider Curaçao regulatory picture, see our Curaçao crypto policy guide for iGaming.
The CGA recognises that operators commonly use blockchain analytics solutions — naming Chainalysis, Elliptic and TRM Labs as examples — as an integrated way to meet their crypto AML/CFT obligations. Crucially, the CGA mandates no specific provider. What it requires is that the full set of functions is achieved, whether through a single commercial tool, an internal capability, or a combination of internal systems plus an external vendor.
The principle the CGA sets is blunt: operators do not need to be blockchain analysts, but they cannot operate blindly. You are not expected to build forensic chain-tracing capability in-house. You are expected to have a documented, working means of seeing where crypto comes from and where it goes, and of acting on what you see.
A compliant blockchain-analytics capability — however it is assembled — must be able to do four things:
The evidencing requirement is the one operators underestimate. A dashboard that turns a wallet red is not, by itself, compliance. The CGA expects you to be able to produce the underlying analysis — the trace, the risk drivers, the decision taken — for any flagged transaction. That audit trail is what distinguishes a programme that works from one that merely subscribes to a tool.
The guideline structures crypto screening around four functions that map to the points in the customer lifecycle where exposure enters. An operator's crypto AML policy must deliver all four — partial coverage (screening deposits but not withdrawals, for instance) leaves an open laundering channel.
| Function | When it runs | What it does | Risk it controls |
|---|---|---|---|
| Deposit screening | At the point of deposit | Screens the incoming wallet address; risk-scores it and flags exposure to darknet markets, scams and mixers | Tainted funds entering the platform |
| Ongoing transaction monitoring | Continuously, post-deposit | Detects new risk exposure and suspicious patterns as they emerge over the customer relationship | Risk that materialises after onboarding |
| Source-of-funds verification | At KYC/EDD triggers | Traces the origin of funds and documents it for the customer file and audit | Inability to evidence legitimacy of funds |
| Withdrawal screening | Before any outbound transfer | Screens the destination wallet before funds leave the platform | Sending funds to sanctioned or prohibited addresses |
Deposit screening is the front door. Every incoming wallet address is screened and risk-scored at the moment of deposit, with exposure to darknet markets, scams and mixers flagged before funds are credited. A deposit from an address with direct mixer exposure should never silently clear.
Ongoing transaction monitoring acknowledges that risk is not static. A wallet that screened clean at deposit can later receive funds from a newly sanctioned entity, or a customer's pattern of behaviour can shift toward structuring. Monitoring detects new exposure and suspicious patterns across the life of the relationship, not just at the first touch.
Source-of-funds verification is where blockchain analytics feeds the KYC and EDD file. When a threshold or risk flag triggers a source of funds review, the operator traces the fund origins on-chain and documents the result. This is the crypto-native equivalent of the bank-statement-and-payslip standard that applies to fiat — and it must meet the same evidential bar.
Withdrawal screening closes the back door. Before any outbound transfer, the destination wallet is screened. The point is to avoid sending funds to a sanctions-linked or otherwise prohibited address — a failure that turns the operator from a victim of laundering into a participant in it. For how withdrawal screening sits inside the wider payout workflow, see our iGaming withdrawal operations and AML playbook.
The CGA expects operators to categorise the digital assets they accept by risk, and to address that categorisation explicitly in policy. The guideline sets out a clear hierarchy from preferred assets through permitted-with-controls to expressly prohibited. The table below summarises it.
| Tier | Asset type | CGA treatment |
|---|---|---|
| Preferred | Fiat-backed regulated stablecoins | Lowest-risk crypto category; preferred for transactability and traceability |
| Permitted with controls | Pooled/omnibus VASP wallets | Only where the operator can attribute transactions to individual customers |
| Permitted with controls | Meme / highly-speculative tokens | Must be categorised on objective criteria before acceptance |
| Restricted — policy must address | Privacy-enhancing coins (Monero, Zcash, Dash, Litecoin MWEB) | Designs that defeat monitoring and source-of-funds tracing |
| Do not accept | Wrapped / bridged assets of unverified origin | Where provenance, custody, backing or history cannot be independently verified |
| Expressly prohibited | Assets from sanctioned mixers/tumblers or sanctioned/flagged wallets | Prohibited outright; the CGA may designate further prohibited assets |
Fiat-backed regulated stablecoins sit at the preferred end. Their value is anchored, their issuers are increasingly regulated, and they move on transparent chains — which makes them the most traceable and the lowest-risk crypto an operator can take.
At the other end, the expressly prohibited category is non-negotiable. Crypto assets that originate from, pass through, or are associated with sanctioned mixers or tumblers are prohibited, as are assets linked to sanctioned wallet addresses or flagged by a recognised blockchain analytics provider. The CGA also reserves the right to designate further prohibited assets and mechanisms over time, so an operator's policy should reference the provider's flagging rather than a fixed static list. Sanctions exposure is also the fastest route onto a banking de-risking list — see our MATCH list guide for iGaming for how flagged activity propagates through the payments ecosystem.
The categories in between — privacy coins, pooled wallets, meme tokens and wrapped assets — require nuance, and are covered next.
Privacy coins are designed to obscure transaction data, which directly defeats the monitoring and source-of-funds tracing the CGA requires. The guideline specifically names Monero, Zcash (including shielded transactions), Dash (where its privacy features are used) and Litecoin MWEB (an optional privacy layer). An operator's policy must explicitly address how it treats these assets.
The conflict is structural: if you cannot trace the origin of a deposit, you cannot meet your source-of-funds obligation, and you cannot run meaningful blockchain analytics. Most operators that take crypto seriously either decline privacy coins outright or accept them only under tightly defined conditions with elevated EDD. Whatever the decision, the guideline requires it to be a documented, reasoned policy position — not a silent default.
Pooled or omnibus wallets operated by a VASP are permitted only where the operator can attribute transactions to individual customers, assess each customer's source of funds, and monitor and report on that activity. The risk is obvious: a single shared wallet that commingles many customers' funds without attribution makes individual due diligence impossible.
Structures that prevent attribution or auditability are not permitted. If the operator cannot answer "which customer does this on-chain movement belong to?", the pooled-wallet arrangement fails the test regardless of how reputable the VASP is.
The CGA does not prohibit meme or highly-speculative tokens, but it requires them to be categorised on objective criteria before acceptance. The guideline points to three: the asset's liquidity and volatility profile; its governance and ecosystem maturity; and its financial-crime risk, including any anonymity-enhancing design features. A token assessed and documented against these criteria can be accepted with appropriate controls; one accepted because it is popular cannot.
Wrapped tokens and bridged assets of unverified origin must not be accepted where their provenance, custody, backing or history cannot be independently verified — and the guideline explicitly includes wrapped Bitcoin in this caution. These assets add a layer of opacity and counterparty risk: a wrapped token is only as trustworthy as the custodian holding the underlying asset and the bridge that minted it. Where that chain of custody cannot be independently verified, the asset should be declined. The same wallet-segregation discipline that applies to operator treasury applies here — see our iGaming crypto wallet segregation guide.
The Travel Rule is the crypto-sector adaptation of a long-standing wire-transfer rule, set out in the FATF (Financial Action Task Force) Recommendation 16. When crypto-assets transfer between regulated entities — exchanges, custodial wallet providers and other VASPs — the required originator and beneficiary information must accompany the transfer and be available to competent authorities on request.
In practice that means an operator accepting a deposit from, or sending a withdrawal to, another regulated entity must be able to capture and pass on the identifying information FATF specifies: who sent the funds and who is receiving them. The data has to travel with the transaction, and the operator has to be able to produce it if a regulator asks.
A VASP — Virtual Asset Service Provider — is defined under FATF Recommendation 15 as a business that conducts virtual-asset activities such as exchange, transfer, safekeeping or administration on behalf of customers. Identifying which of your counterparties are VASPs is the first step in applying the Travel Rule correctly, because the rule governs transfers between regulated entities specifically. Operators building this capability typically do so alongside their wider banking and VASP compliance stack — see our crypto business banking and VASP compliance guide.
The Travel Rule is also a point of intersection between gaming compliance and banking compliance. A bank or EMI assessing a crypto-taking operator will expect to see that the operator can meet its Travel Rule obligations, because the bank inherits the operator's exposure. Travel Rule readiness is therefore both a CGA expectation and a banking prerequisite.
Unhosted wallets — also called self-hosted or non-custodial wallets — and DeFi protocols are not banned by the guideline. Operators may accept transactions from them. But because there is no regulated counterparty on the other side to share Travel Rule data or perform its own KYC, the operator must set risk-based controls that compensate.
The guideline points to a set of controls for unhosted wallet and DeFi exposure:
The principle is consistent with the rest of the guideline: the absence of a regulated counterparty raises the risk, so the operator's own controls must rise to meet it. An unhosted-wallet deposit that the operator can attribute, trace and risk-score is acceptable; one that arrives as an anonymous black box is not.
The CGA folds crypto into its existing incident-reporting regime under Article 5.10 of the LOK (the National Ordinance on Games of Chance). Crypto-related incidents must be identified, assessed and reported on the same basis as any other reportable incident. The guideline gives operators a non-exhaustive list of what counts.
Reportable crypto incidents include:
The breadth of this list is the point. The CGA is signalling that crypto introduces failure modes — chain reorganisations, bridge exploits, key compromise — that have no fiat equivalent, and that operators are expected to have a process for catching and reporting them. An operator that has never considered how it would report a chain fork or a smart-contract exploit has a gap in its incident framework.
Everything in the CGA guideline points in the same commercial direction: a documented blockchain analytics capability, Travel Rule readiness and a robust sanctions-screening stack are precisely what banks, EMIs and acquirers now expect from any operator taking crypto. The guideline formalises, for Curaçao licensees, a standard the banking sector was already applying informally.
This is the link between compliance and survival. Banks de-risk crypto-exposed gaming clients aggressively, and the operators that get cut are almost always the ones who cannot evidence their controls. A clean, documented crypto AML stack — deposit and withdrawal screening, asset risk tiers, Travel Rule data, an incident process — is what keeps you off the de-risking list and inside the banking system. For the foundations of that wider programme, see our AML compliance guide for online gambling and our AML/KYC compliance guide for high-risk businesses.
The operators who treat the June 2026 guideline as an opportunity — to build a crypto programme a bank would respect — will find banking partners easier to win and keep. The ones who treat it as a box-ticking exercise will keep losing accounts. GetBanked helps operators stand up the compliant crypto AML and banking infrastructure that makes the difference.
No. The CGA names Chainalysis, Elliptic and TRM Labs as examples of solutions operators commonly use, but it mandates no specific provider. What it requires is that the full set of functions is delivered — tracing fund origin and destination, identifying exposure to high-risk and prohibited sources, risk-scoring wallets and transactions, and evidencing suspicious activity for reporting. You can meet this with a single commercial tool, an internal capability, or a combination of internal systems plus an external vendor.
The guideline does not impose an outright ban, but it specifically flags Monero, Zcash (including shielded transactions), Dash where privacy is used, and Litecoin MWEB as privacy-enhancing assets that obscure transaction data and defeat monitoring and source-of-funds tracing. An operator's policy must explicitly address how it treats these coins. Because they conflict directly with the blockchain-analytics and source of funds obligations, most serious operators either decline them or accept them only under tightly defined conditions with elevated EDD.
The Travel Rule, set out in FATF Recommendation 16, requires that when crypto-assets transfer between regulated entities — exchanges, custodial wallet providers and other VASPs — the required originator and beneficiary information accompanies the transfer and is available to competent authorities on request. It applies to crypto casinos whenever they send or receive crypto to or from another regulated entity. A VASP is defined under FATF Recommendation 15 as a business conducting virtual-asset activities such as exchange, transfer or safekeeping on behalf of customers.
Yes. The CGA permits transactions from unhosted wallets, self-hosted wallets and DeFi, but the operator's policy must set risk-based controls. These include verifying wallet ownership or control — for example through a test transaction or a signed message — applying blockchain analytics to the wallet, applying EDD where risk is elevated, and ensuring the transaction does not impair the operator's ability to monitor and report. A deposit that the operator can attribute, trace and risk-score is acceptable; an anonymous, untraceable one is not.
Under Article 5.10 of the LOK, reportable crypto incidents include security breaches (compromised private keys, unauthorised wallet access or transactions), system failures affecting crypto processing (exchange outages, blockchain congestion, failed transactions), crypto fraud schemes (coordinated deposit/withdrawal patterns, chip-dumping, collusion), material discrepancies in wallet balances, anything impairing integrity or traceability, exposure to sanctioned wallets or mixers, smart-contract failures, and blockchain forks or chain-level disruptions. The list is non-exhaustive — anything affecting the integrity, security or traceability of crypto operations should be assessed for reporting.
Directly. Banks, EMIs and acquirers expect a crypto-taking operator to demonstrate a documented blockchain analytics capability, Travel Rule readiness and effective sanctions screening before they will onboard or retain the relationship. The CGA guideline formalises a standard banks were already applying. An operator that can evidence these controls is materially easier to bank and far less likely to be cut in a de-risking review. See our crypto business banking and VASP compliance guide for how this fits the wider banking application.
External regulators and standards referenced: Curaçao Gaming Authority, FATF.
Submit a free pre-approval in 2 minutes — we help crypto-taking operators build a bankable AML stack and respond within 24 hours.
Get Free Pre-ApprovalSubmit a free pre-approval in 2 minutes. We respond within 24 hours with a realistic outcome.
Get Free Pre-Approval