How serious operators run withdrawals: threshold actions, source-of-funds documentation, reverse withdrawal compliance, SAR triggers, UKGC SLA.
Withdrawal operations are where iGaming AML compliance stops being theoretical and becomes operational. Every request is simultaneously a customer-experience moment, a regulatory checkpoint and a financial-crime detection event — and the £500, £2,000, £10,000 and €10,000 thresholds in UKGC, MGA and 5AMLD/6AMLD rulebooks dictate whether that withdrawal leaves in 24 hours or 30 days. This playbook is for operators who need a working procedure, not a regulatory summary.
Every withdrawal procedure begins with the same question: which threshold has the player crossed, cumulatively or in a single transaction? The thresholds are not interchangeable. Each one triggers a different procedure, owned by a different team, with different documentation requirements.
The seven thresholds that matter operationally in 2026:
| Threshold | Trigger window | Regulator / framework | Required action |
|---|---|---|---|
| £500 | 30-day cumulative net deposits | UKGC (LCCP 3.4.3) | Affordability flag, open-source check, markers of harm review |
| £2,000 | Single transaction or 24-hour cumulative | 5AMLD / UK MLR 2017 | Full **CDD** identity verification, 3DS2 challenge, account flagging |
| £10,000 | Single withdrawal request | UKGC + EU AMLR | Documented **source of funds** review, risk rating refresh |
| £10,000 | Annual cumulative deposits | UKGC LCCP | Deep affordability review, **EDD**, manager sign-off |
| €10,000 | Monthly cumulative | EU AMLR | **EDD**, PEP/sanctions re-screen, ongoing monitoring uplift |
| €15,000 | Single transaction | 4AMLD legacy threshold | Mandatory **CDD** (often already satisfied by lower 5AMLD trigger) |
| £150,000 | Annual deposits | UKGC GRA programme review | Full AML programme review, MLRO escalation, board reporting |
These thresholds compound. A player who deposits £600 in 30 days then requests a £12,000 withdrawal hits affordability and source-of-funds review simultaneously. Your rules engine needs to evaluate each transaction against all seven, not just the nearest one.
Regulators do not view these as ceilings beyond which you act. They view them as floors below which you cannot defend inaction. The LCCP is risk-based, not threshold-based — the threshold map is the floor of expected behaviour, not the trigger for it.
For the broader regulatory architecture this sits inside, see our AML compliance guide for online gambling.
The £500 net deposits in 30 days threshold is where the UKGC's affordability framework activates. "Net deposits" means deposits minus withdrawals — a player who deposits £700 and withdraws £250 is at £450 net and below the trigger.
At this threshold the operator must conduct what the UKGC calls a "light-touch" affordability check. It cannot be intrusive enough to disrupt the normal player journey, but it must be documented. In practice this means:
The documentation step is the one operators most often skip and most often get fined for. When a player complains or files a regulatory submission, the operator is asked to produce the affordability file. "We ran an automated rules check" is not an answer. A dated internal memo — analyst name, data reviewed, documented conclusion — is.
"Open-source" is read generously: it includes any data the operator can lawfully access, including paid credit-bureau APIs that fall short of a full credit check. Most tier-1 UK operators use a layered approach — automated bureau lookup first, manual analyst review second, full credit check only at the £2,000+ level.
A single transaction (deposit or withdrawal) of £2,000 or more, or cumulative 24-hour activity exceeding £2,000, triggers full CDD under 5AMLD and UK MLR 2017. This is non-negotiable and applies to all licensed gambling operators in the UK and EU.
What "full CDD" means operationally:
Reverse withdrawal monitoring matters at this threshold. Once a player crosses £2,000, withdrawal friction must reduce, not increase. The UKGC's position since 2024 is explicit: operators making withdrawal harder than deposit will be fined.
This is also the point where your KYC provider's automated decision is no longer sufficient alone. Most UKGC enforcement at this level cites "over-reliance on automated KYC outcomes" — the operator accepting a PASS without human review of the underlying documents. See KYC provider comparison for iGaming.
A single withdrawal request of £10,000 or more is the threshold at which documented source of funds review becomes mandatory. It is also the point at which most operators discover their procedures are inadequate.
Source of funds (SoF) answers a narrow question: where did the specific money used in this transaction come from? The acceptable evidence is therefore transaction-level: a payslip showing the salary that funded the deposit, a bank statement showing the credit that preceded the transfer, a sale-of-asset receipt that explains a windfall.
Source of wealth (SoW) answers a broader question: how did this player accumulate their overall financial position? SoW evidence is structural: tax returns, business accounts, inheritance documentation, property records, investment portfolio statements.
Most regulators expect SoF for transaction-triggered reviews and SoW for player-status reviews (high-roller programmes, VIP onboarding, PEP-adjacent players). At the £10,000 single-withdrawal trigger, SoF is the primary requirement; SoW becomes required if the player is also flagged as a high-risk customer for any other reason.
The UKGC has fined operators repeatedly for treating SoF as a tickbox: a single payslip from a player who deposits £40,000 a month, or "I work in finance" as a written declaration with no supporting evidence. The expected standard:
A risk-rating refresh accompanies every £10,000+ review. New PEP screens, fresh sanctions check, adverse-media sweep through a tool like World-Check, Refinitiv or ComplyAdvantage. If any of these now hit, the case escalates to EDD and the MLRO queue.
The UKGC's withdrawal SLA is 24 hours for verified players. "Verified" is the load-bearing word: it means full KYC complete, no pending document requests, no open compliance reviews. The MGA's standard is 1-3 business days for verified players.
These SLAs are absolute for verified accounts. Delays are permissible only where there is a documented, regulator-recognised reason: pending source-of-funds review, suspicious activity investigation, ongoing SAR consideration. "We are busy" is not a permissible reason. "Our PSP is slow" is not a permissible reason — that is the operator's commercial problem to solve.
What this means for queue design:
The MGA framework is more forgiving on time but stricter on documentation. Operators licensed by both regulators design to the UKGC clock and the MGA documentation standard.
For more on how this fits into the wider banking and PSP architecture, see iGaming banking requirements.
A functioning withdrawal operation has seven discrete steps. Each step has an owner, a tool, an SLA and a paper trail.
| Step | Owner | Typical tool | SLA |
|---|---|---|---|
| 1. Player submits withdrawal request | Player (self-service) | Cashier UI | Real-time |
| 2. Automated rules engine evaluates thresholds | Risk engine | In-house or vendor (Featurespace, ComplyAdvantage) | <1 second |
| 3. Risk team triage | Withdrawal ops analyst | Case management (e.g. Salesforce, in-house) | <2 hours |
| 4. Documentation request to player | Risk analyst | Player messaging + secure upload | <1 business hour |
| 5. Documentation review and risk decision | Senior analyst / MLRO | Manual review + audit log | <8 business hours |
| 6. Approve / pend / reject / SAR | Senior analyst / MLRO | Case management | Immediate at decision |
| 7. Payment release | Payments ops | PSP API | <2 hours from approval |
Step 4 is where player experience is won or lost. The documentation request must explain what is needed, why, how long it takes and what happens next. Operators who send "please upload bank statement" and stop responding have the worst retention and the most chargebacks.
Step 6 has an underrated outcome: pend — a hold pending more information, not a rejection. Pend cases need a documented re-review date (typically 7 days) and cannot be left open indefinitely. Open pends are themselves an enforcement risk.
Source-of-funds documentation has hardened into a specific industry standard. Knowing what your reviewers will accept and what they will reject is the difference between a clean withdrawal and a regulatory enquiry.
| Document | Acceptable for SoF | Notes |
|---|---|---|
| Payslip (most recent 3 months) | Yes, primary | Must show employer, gross, net, deductions |
| Bank statement (3 months) | Yes, primary | Must show salary credit; redactions only on unrelated transactions |
| Accountant letter | Yes, for self-employed | Must be on letterhead, signed, dated within 3 months |
| P60 / P11D (UK) | Yes, supporting | Annual summary; corroborates payslip |
| Tax return / SA302 | Yes, primary for self-employed | HMRC-issued preferred over self-prepared |
| Business accounts | Yes, for company owners | Filed accounts plus latest management accounts |
| Inheritance documentation | Yes, with corroboration | Grant of probate + solicitor's letter |
| Property sale documentation | Yes, with corroboration | Completion statement + bank credit |
| Crypto wallet history | Yes, increasingly | Chain-analysis report (Chainalysis, Elliptic) usually required |
| Self-declaration only | No | Never sufficient on its own |
| Gambling winnings from another operator | Conditionally | Statement from licensed operator required; offshore unlicensed sources rejected |
The red flags in bank statements are well-defined and most analysts learn them in their first week:
When in doubt, ask for corroboration. Two documents that tell the same story are worth more than one document that tells a clean story on its own.
A SAR (Suspicious Activity Report) is submitted to the UK's National Crime Agency (or MGA's FIAU, or the equivalent FIU in each jurisdiction) when an operator forms a "knowledge or suspicion" of money laundering or terrorist financing. In withdrawal operations, the specific triggers are:
SAR submission is owned by the MLRO. Operationally, the withdrawal analyst escalates the case to the MLRO queue with a documented narrative. The MLRO decides whether to submit, when, and whether to "tip off" the player (almost never — tipping off is itself a criminal offence under UK MLR 2017).
Once a SAR is filed, the withdrawal does not automatically freeze. The operator may continue the transaction unless instructed otherwise by the FIU or unless the operator's own risk assessment determines that release would constitute facilitation of an offence. This is one of the most counterintuitive parts of the regime — get it wrong in either direction and you face enforcement.
For wider AML context for high-risk verticals, see AML/KYC compliance for high-risk businesses.
The single biggest UKGC enforcement theme in 2024 and 2025 was reverse withdrawal. Reverse withdrawal is the operator function that lets a player who has requested a withdrawal cancel it and return the money to their playable balance, typically to continue gambling.
The UKGC's position has hardened to near-prohibition. The regulator considers reverse withdrawal a primary marker of gambling harm: a player who requests a withdrawal has expressed an intention to stop; any operator feature that frictionlessly reverses that intention is, in the regulator's view, designed to exploit harm.
Best practice in 2026 has converged on three options:
Looking at recent enforcement: William Hill (£19.2 million, 2023), Entain (£17 million, 2022), 888 (£9.4 million, 2022) all cited reverse-withdrawal facilitation as part of the failures, though not the sole failure. Operators considering offering reverse withdrawals as a player-retention tool in 2026 are, in our view, taking on regulatory risk that no longer pays back.
UKGC fine examples 2022-2025:
| Operator | Year | Fine | Primary violation |
|---|---|---|---|
| Entain | 2022 | £17.0m | AML and social responsibility failures including reverse withdrawal |
| 888 | 2022 | £9.4m | VIP management, affordability, source of funds |
| William Hill | 2023 | £19.2m | AML, social responsibility, reverse-withdrawal facilitation |
| In Touch Games | 2023 | £6.1m | AML controls, source-of-funds documentation |
| Greentube Alderney | 2023 | £685k | AML and social responsibility |
| Annexio | 2024 | £2.1m | AML controls |
| Hillside (Bet365) | 2024 | £582k | Anti-money-laundering controls |
| TGP Europe | 2025 | £3.3m | AML and source-of-funds failures (third-party brands) |
The dataset is unambiguous: every major UKGC fine since 2022 has cited source-of-funds and affordability failures as primary or supporting violations.
Affordability sits separately from AML but operationally overlaps because both are triggered at withdrawal events. The UKGC's affordability framework has three tiers:
Tier 1: Frictionless open-source check. For players below £500 net deposits in 30 days. The check must be done without disrupting the normal player journey — the player should not need to upload documents, answer questions, or face any visible barrier. Open-source data (electoral roll, county court judgments, soft credit footprint) is enough.
Tier 2: Enhanced affordability. £500-£2,000 monthly. Players in this band can be asked for self-declaration of income, but the operator cannot rely on self-declaration alone. Bureau data should corroborate, and adverse markers (CCJs, bankruptcies, recent default registrations) require manager review.
Tier 3: Full financial-vulnerability review. £2,000+ monthly. Documented evidence of income required: payslip, bank statement, tax return. This tier overlaps with the £2,000 CDD trigger and the £10,000 SoF trigger, and a well-designed operation runs all three reviews together at this level.
A frequent mistake: treating affordability as a one-time check at threshold crossing. It is not. The UKGC expects affordability to be an ongoing assessment that updates with behaviour. A player who passes a Tier 2 check in January but increases deposits 4x by March must be re-reviewed automatically, fresh threshold or not.
Acquiring banks look at the share of gross gaming revenue derived from players above the £2,000 monthly band. Concentration here without affordability documentation is one of the fastest ways to trigger an MID review. See iGaming banking requirements.
Chargebacks linked to withdrawal flow follow three patterns:
Pattern 1: Player disputes the original deposit after a withdrawal delay. Player deposits £2,000, requests withdrawal, finds it pending SoF, chargebacks out of frustration. Defence: documented withdrawal timeline showing the player was informed and chose to wait, plus 3DS2 evidence on the deposit.
Pattern 2: "Goods not received" abuse for gambling losses. Player loses, then chargebacks claiming the service was not provided. The most common iGaming chargeback type; rises sharply with withdrawal friction. Defence: gameplay logs, bet history, session records — accepted via Verifi or Ethoca pre-chargeback alerts.
Pattern 3: 3DS2 protection failure on the original deposit. If the deposit was not 3DS2-authenticated, chargeback liability remains with the operator. Defence: there usually isn't one. Prevention: 3DS2 on all deposits above £100, no exceptions.
Our dedicated guide on this topic is iGaming chargeback management.
Withdrawal operations fail in predictable ways. The patterns repeat across operators of every size:
Source of funds is transaction-level: where did the specific money used in this transaction come from? Evidence is a payslip, a bank statement showing the credit, a sale receipt. Source of wealth is structural: how did the player accumulate their overall financial position? Evidence is tax returns, business accounts, inheritance documentation, property records. SoF is required for transaction-triggered reviews (£10,000+ withdrawals, large cumulative deposits). SoW is required for player-status reviews (VIP onboarding, PEP-adjacent players, ongoing EDD).
The UKGC standard is 24 hours for verified players. The MGA standard is 1-3 business days for verified players. "Verified" means full KYC complete, no open compliance reviews, no pending document requests. Both regulators allow delays for documented compliance reasons — pending SoF review, ongoing SAR consideration — but not for operational reasons like "we are busy" or "our PSP is slow". Delays must be documented, time-boxed and communicated to the player.
Yes, but only with documented justification and within the regulator's framework. A withdrawal can be delayed pending KYC completion, pending SoF review, pending SAR investigation, or pending a sanctions-list re-check. It cannot be delayed for commercial reasons. Each delay must have a documented reason, an assigned reviewer, a target completion time and a paper trail. Indefinite "pending" status without a documented decision is itself an enforcement risk.
A reverse withdrawal is when a player who has requested a withdrawal cancels it and returns the money to their playable balance, usually to continue gambling. The UKGC treats this as a primary marker of gambling harm — the player has expressed an intention to stop, and any frictionless reversal exploits that lapse. Best practice in 2026 is either no reverse withdrawals at all or a strict 24-hour cooling-off period with no reversal possible after that window. Operators offering frictionless reversals in 2024 and 2025 featured prominently in enforcement actions.
£500 net deposits over a rolling 30-day window. "Net" means deposits minus withdrawals. The check itself must be frictionless — open-source data, internal markers-of-harm review, no player-facing document request. The output must be documented as an internal memo on file. The £500 figure is a floor, not a ceiling: if a player exhibits clear markers of harm at £300, the operator is expected to act on that. The threshold defines when inaction becomes indefensible, not when action is permitted.
The withdrawal analyst escalates the case to the MLRO queue with a documented narrative explaining the suspicion. The MLRO reviews and decides whether to submit a SAR to the National Crime Agency (UK), FIAU (Malta) or equivalent FIU. The MLRO also decides whether to "tip off" the player — almost always no, as tipping off is itself a criminal offence under UK MLR 2017. Filing a SAR does not automatically freeze the withdrawal: the operator continues to apply normal risk decisioning unless the FIU instructs otherwise or the operator's own assessment concludes that release would constitute facilitation.
Yes, with conversion at the time of transaction. A £10,000-equivalent BTC withdrawal triggers SoF review identically to a £10,000 fiat withdrawal. For crypto-specific SoF, chain-analysis reports (Chainalysis, Elliptic, TRM Labs) are increasingly required and expected. The UKGC's position is that crypto is a payment method, not a different regulatory regime — the same thresholds, the same documentation expectations, with additional chain-analysis evidence layered on. See crypto business banking and VASP compliance for the broader picture.
External regulators referenced: UK Gambling Commission, Malta Gaming Authority, FATF.
Submit a free pre-approval in 2 minutes. We respond within 24 hours.
Get Free Pre-ApprovalSubmit a free pre-approval in 2 minutes. We respond within 24 hours with a realistic outcome.
Get Free Pre-Approval