How the Curaçao Gaming Authority's June 2026 crypto guideline reshapes wallet segregation, hot/warm/cold treasury and VASP selection — and why it makes you bankable.
The Curaçao Gaming Authority has put crypto operators on notice. Its June 2026 crypto policy guideline sets out, in detail, the wallet and treasury controls the regulator now expects from any licensed operation that touches digital assets — and most operators currently fall short. The headline shift is simple: how you hold, segregate and move crypto is no longer a back-office detail; it is a licensing condition and, just as importantly, the single biggest factor in whether a bank, EMI or acquirer will ever touch you.
This guide takes the banking, payments and treasury lens. It walks through what the CGA now expects on wallet ownership, segregation by purpose, hot/warm/cold architecture, transaction handling and VASP selection — and shows how getting this right turns a chronically un-bankable crypto operation into one a serious institution will actually onboard.
The CGA's June 2026 crypto policy guideline is a statement of expected controls, not statute — but treating it as optional would be a mistake. The regulator has made clear it expects licensees taking crypto to demonstrate, on request, that their wallet architecture, fund segregation and transaction handling meet the standard. The full text is published by the Curaçao Gaming Authority.
For most operators the guideline formalises practices the better-run businesses already follow and the rest have ignored. It pulls wallet management out of the engineering team's informal habits and into a documented, risk-assessed, auditable framework — the same framework banks have been asking crypto-taking operators to evidence for years.
The practical effect is that the regulator and the banking sector now want to see the same thing. That alignment is the opportunity. An operator that builds to the CGA standard is, almost as a by-product, building the exact treasury story that unlocks fiat banking. The sibling Curaçao crypto policy pillar covers the regulatory framing in full; this article stays on the money.
The foundational rule is about ownership. Every wallet used in the licensed operation must be owned and controlled by the licensed legal entity itself, or by an approved group or payment entity. There is no room for ambiguity about whose wallet is whose.
That rules out a set of arrangements that are still depressingly common in the sector:
All of these are now prohibited under the guideline. The reasoning is straightforward: if a wallet sits outside the licensed entity, the operator cannot demonstrate accountability for the funds in it, cannot cleanly segregate player money from company money, and cannot give a regulator or a bank a reliable picture of where value sits.
This is the same instinct that drives bank de-risking. A bank reviewing a crypto-taking operator wants to see corporate ownership of every relevant address and a clean line between player and company funds. Player funds should be held in segregated wallets that the entity owns — not pooled with operational cash, and never parked in a personal account. Get this wrong and you will fail both the licence review and the bank's onboarding due diligence.
Ownership is the first layer. Segregation by purpose is the second. The CGA expects wallets to be separated according to what they are for, so that accountability is clear and player and company funds are never commingled. Three buckets matter.
Player-flow wallets handle the movement of player money — deposits in, withdrawals out. These are the wallets through which customer funds transit, and they must be ring-fenced from the operator's own money.
Operational wallets cover the running of the business — paying suppliers, settling provider fees, funding day-to-day liquidity that belongs to the company rather than to players.
Treasury wallets hold reserves, retained earnings and long-term balances. This is the operator's own capital, safeguarded for the long term and not exposed to daily transactional churn.
Keeping these distinct does two things at once. It satisfies the regulator's requirement that player funds are identifiable and protected, and it gives the operator a treasury structure that banks recognise and respect. The discipline of a documented player-flow / operational / treasury split is exactly what an underwriter looks for when assessing whether a crypto operator manages money like a real business or like a hobby.
Within that purpose-based segregation, the guideline expects a documented, risk-assessed and controlled wallet architecture along the familiar hot/warm/cold spectrum. Each tier carries a different risk profile and therefore a different control standard.
Hot wallets are connected and used for day-to-day player deposits and withdrawals. Because they are online and operationally exposed, balances should be limited to operationally-necessary amounts — only enough to service expected near-term withdrawal demand.
Warm wallets sit between hot and cold, used for liquidity management and rebalancing. They warrant enhanced access controls and formal transaction-approval procedures because they move larger sums than the hot tier.
Cold wallets hold treasury, reserves and long-term safeguarded funds offline. Here the emphasis is on access control, key management, reconciliation and auditability — the funds move rarely, but every movement must be controlled and evidenced.
The table below summarises how the three tiers differ in purpose, balances and controls.
| Wallet tier | Purpose | Typical balance | Connectivity | Key controls |
|---|---|---|---|---|
| Hot | Day-to-day player deposits and withdrawals | Operationally-necessary only | Online | MFA, withdrawal whitelisting, automated limits, monitoring |
| Warm | Liquidity management, rebalancing | Moderate working float | Semi-online / MPC | Enhanced access controls, transaction-approval procedures, multi-signature |
| Cold | Treasury, reserves, long-term safeguarding | Bulk of funds | Offline | Multi-signature, HSM or equivalent, strict key management, reconciliation, full audit trail |
Across all three tiers the guideline expects controls proportionate to value and risk: multi-signature approval so no single person can move funds alone, withdrawal whitelisting so funds can only leave to pre-approved addresses, multi-factor authentication on access, and hardware security modules (HSMs) or equivalent for key protection. The principle is proportionality — the more value and the more risk a wallet carries, the stronger the controls around it must be.
Controls are only credible if they are evidenced. The CGA expects operators to keep records that allow the regulator — or a bank, or an auditor — to reconstruct exactly what happened to crypto held in the operation. That record set should evidence:
This record-keeping is the connective tissue between the regulatory expectation and the banking one. A bank's enhanced due diligence on a crypto operator will ask for precisely this evidence. An operator that already maintains it walks into the banking conversation able to answer the hard questions on day one — which is rare, and which underwriters notice. For the wider compliance picture, the crypto AML and blockchain analytics guide goes deeper on monitoring and screening.
The guideline's default expectation on transactions is conservative and deliberate: withdrawals should be processed to the same wallet and in the same crypto asset as the original deposit. A player who deposits USDT from a given address should, by default, be paid out the same USDT to the same address. This closes off the most obvious laundering and layering routes.
The CGA recognises this is not always practical at scale. Crypto volatility and operational inefficiency mean a same-asset, same-address rule can be unworkable for a high-volume operator. So the guideline permits two alternatives — but only with equivalent controls in place.
The first alternative is withdrawal to a different wallet address. This is allowed only where the destination address is whitelisted, pre-screened, verified as belonging to the same customer, and has passed KYC and AML checks. The point is that paying out elsewhere is acceptable only if the operator has positively established the destination still belongs to the verified player.
The second alternative is withdrawal in a different crypto asset or stablecoin. This is permitted only where the full transaction flow stays transparent and auditable, the conversion runs through a regulated VASP, and records are maintained throughout. Converting a BTC deposit to a USDC payout is fine — provided the conversion path is documented and the regulated intermediary is identifiable.
One hard rule sits across all of this: players cannot transfer amounts to each other on the platform. The operator is not a peer-to-peer payment venue, and player-to-player transfers create an obvious channel for value movement that defeats the entire control framework. These transaction rules dovetail with the broader iGaming crypto payment integration discussion of deposit and withdrawal flows.
Not all crypto assets carry the same risk, and the CGA treats crypto as a high-risk category overall. Its clear preference for funds held or settled in the operation is fiat-backed, regulated stablecoins — assets whose value is pegged and whose issuer sits under a recognised regime — over volatile or opaque tokens.
That preference flows directly into treasury strategy. Holding reserves in a fiat-backed stablecoin reduces the volatility risk that makes auditors and bankers nervous, and it simplifies the reconciliation between crypto balances and fiat books. The guideline also expects an asset-specific risk assessment: the operator should be able to justify, per asset, why it is held and how its particular risks are managed.
The deeper treatment of asset tiers and which assets to avoid entirely sits in the sibling crypto AML and blockchain analytics article — this guideline's treasury angle is simply that a stablecoin-weighted reserve, properly risk-assessed, is both the regulator's preference and the more bankable posture.
Most crypto operators rely on third parties — exchanges, custodians, payment providers — to move and convert funds. The CGA mandates no specific provider and no specific jurisdiction. Instead it expects a risk-based selection: the operator chooses its VASP partners deliberately, on the strength of their controls, and documents why.
The critical point is one operators consistently get wrong. Using a third party does not transfer or reduce your own obligations. Your AML and CFT duties, transaction monitoring, player-protection responsibilities and incident-reporting obligations remain yours, whatever your VASP does. Outsourcing the plumbing does not outsource the accountability.
When selecting a VASP, the guideline expects the provider to be regulated, registered or under reputable oversight in its home jurisdiction, and to demonstrate:
The operator should document both the due diligence performed and the risk assessment behind the choice. This is, again, the same evidence a bank wants. An operator who can show a documented, risk-based VASP selection process is demonstrating the exact counterparty-risk discipline that underpins a bankable crypto operation. The crypto business banking and VASP compliance guide expands on counterparty due diligence.
The guideline draws a firm line around what a licensed operator may do with crypto. An operator may accept crypto for gambling — and only for gambling. It must not act as an exchange, payment service provider or VASP in its own right, must not convert crypto for users as a service, and must not offer custody or wallet services outside the gambling product.
The distinction matters because crossing it pulls the operator into an entirely separate regulatory regime it is not licensed for — and instantly makes it un-bankable, because no bank wants an unlicensed money-services business as a client. The regulatory pillar covers this in full; here it is enough to say: stay in your lane. See the Curaçao crypto policy pillar for the detailed treatment.
Here is the part most operators miss. Everything the CGA now expects — corporate-owned wallets, player-flow / operational / treasury segregation, controlled cold storage, documented VASP due diligence, clean transaction records — is precisely what banks, EMIs and acquirers want to see before they will touch a crypto-taking iGaming operator.
Crypto is the single hardest vertical to bank, as anyone who has read our crypto business bank account guide knows. Underwriters reject crypto-taking operators not because crypto is illegal but because most applicants cannot evidence control over their own funds. Segregated player money, a documented treasury, reconciled cold storage and a defensible VASP selection process materially improve bankability. They turn the conversation from "we can't assess your risk" into "show us the records" — a question a compliant operator can answer.
There is a second half to every crypto operation: the fiat side. Players cash out, suppliers want paying, and reserves eventually need a fiat home. That means a banking relationship and a reliable fiat off-ramp sitting alongside the crypto stack. An operator with a clean wallet architecture but no fiat banking is only half-built; one with neither is not a business a bank will engage with.
GetBanked helps operators design the whole stack — compliant crypto wallet architecture, fiat banking and treasury — as one coherent structure rather than two disconnected halves. That includes introductions to flat-fee and SaaS-model crypto payment setups, so operators stop bleeding volume-based commissions, alongside the offshore and high-risk banking relationships that handle the fiat leg. For the banking landscape, see our guides to the best offshore banks for high-risk businesses and Curaçao gaming licence banking.
The operators who will thrive under the CGA's 2026 guideline are the ones who stop treating wallet management as an engineering afterthought and start treating it as the treasury and banking discipline it has become. The regulator and the bank are now asking the same question. Answer it once, properly, and you satisfy both.
Yes. Under the CGA's June 2026 crypto policy guideline, every wallet used in the licensed operation must be owned and controlled by the licensed legal entity or an approved group or payment entity. Personal wallets, UBO-linked wallets, employee wallets and informal arrangements are prohibited. The regulator wants clear corporate accountability for every address, with player funds held in segregated wallets that the entity owns.
Hot wallets handle day-to-day player deposits and withdrawals and should hold only operationally-necessary balances. Warm wallets manage liquidity and rebalancing, with enhanced access controls and transaction-approval procedures. Cold wallets hold treasury and reserves offline, with the strongest controls — multi-signature, HSMs or equivalent, strict key management, reconciliation and full auditability. Controls should be proportionate to the value and risk each tier carries.
The CGA's default expectation is same-asset, same-wallet withdrawals. A different asset or stablecoin is permitted only where the full flow stays transparent and auditable, the conversion runs through a regulated VASP, and records are maintained. A different wallet address is permitted only where it is whitelisted, pre-screened, verified as belonging to the same customer, and has passed KYC and AML checks. Players cannot transfer amounts to each other on the platform.
No. Using a third party does not transfer or reduce your AML, CFT, monitoring, player-protection or incident-reporting obligations — they remain the operator's. The VASP must be regulated, registered or under reputable oversight in its home jurisdiction and demonstrate AML/CFT controls, Travel Rule capability, sanctions screening, transaction monitoring, operational resilience and transparency. Document both the due diligence and the risk assessment behind your choice.
Directly and substantially. Banks, EMIs and acquirers reject crypto-taking operators that cannot evidence control over their funds. Corporate-owned, purpose-segregated wallets, documented treasury, reconciled cold storage and a defensible VASP selection process are exactly what underwriters want to see. Building to the CGA standard materially improves bankability and gives you the records to answer due-diligence questions on day one.
Build a wallet and banking stack your regulator and your bank both trust — submit a free pre-approval and we'll respond within 24 hours.
Get Free Pre-ApprovalSubmit a free pre-approval in 2 minutes. We respond within 24 hours with a realistic outcome.
Get Free Pre-Approval