AML & Source of Funds

Legal Framework for AML in Finnish Gambling

In Finland, all gambling activities fall under the scope of the Act on Preventing Money Laundering and Terrorist Financing. The National Police Board (Poliisihallitus) is the designated supervisory authority for the gambling sector, and its official guidance treats gambling as a high-risk industry requiring stringent controls.

Until 30 June 2027, these obligations apply exclusively to the state-owned monopoly, Veikkaus Oy. From 1 July 2027, when a partial new licensing system begins, all private operators holding a licence for online casino games, betting, or electronic bingo will be subject to the exact same AML/CTF rules and supervision by the National Police Board. The new Gambling Act, passed in late 2025, makes robust AML procedures a cornerstone of the regulated market.

Core Operator Obligations

Risk Assessment

Every licensed gambling operator must prepare, maintain, and regularly update a formal AML/CTF risk assessment. This is a foundational requirement and the document must be approved by the company's board of directors. The assessment must identify and evaluate the specific money laundering and terrorist financing risks the operator faces, considering its products, customer base, transaction methods, and geographical areas of operation.

Customer Due Diligence (CDD)

Operators must apply risk-based Customer Due Diligence measures for all players. This process begins at registration and continues throughout the customer relationship. The core components of CDD include:

• Identification: Collecting personal details from the customer, such as full name, date of birth, and address.
• Verification: Confirming the customer's identity using reliable and independent sources, typically through secure electronic verification methods against official databases.

Compulsory identification has long been a standard practice for Veikkaus customers. Under the new system launching in July 2027, all licensed operators will be held to this same high standard of knowing their customers.

Source of Funds (SoF) Verification

A critical part of due diligence is understanding the origin of the money a player uses for gambling. According to guidance from the National Police Board, operators must have procedures to verify a player's source of funds (SoF) or source of wealth (SoW). Checks are triggered by risk-based assessments, but specifically when a player makes large or unusual deposits. These funds must be verified before the player is allowed to use them for gambling.

Operators cannot rely on a player's net deposit position or previous winnings as sufficient proof of legitimate funds. Instead, they must request evidence directly from the customer. Common types of evidence include:

• Pay slips or a letter from an employer
• Bank statements showing salary or other regular income
• Tax returns or financial statements
• Documents proving the sale of an asset, an inheritance, or a gift

Special Measures and Reporting

Enhanced Due Diligence (EDD)

In situations deemed to be of higher risk, operators must apply Enhanced Due Diligence. EDD is a more intensive level of scrutiny that must be applied to relationships and transactions involving:

• Politically Exposed Persons (PEPs), their family members, and known close associates.
• Customers connected to countries identified as having high AML/CTF risks.
• Transactions that are complex, unusually large, or have no apparent lawful or economic purpose.

Suspicious Activity Reporting

If an operator knows, suspects, or has reasonable grounds to suspect that funds are linked to criminal activity or terrorist financing, it has a legal obligation to report it. These Suspicious Activity Reports (SARs) must be filed with Finland's Financial Intelligence Unit (Rahanpesun selvittelykeskus) without delay through the secure 'goAML' online portal. It is illegal for the operator to 'tip off' the customer that a report has been made.

Internal Controls and Sanctions

All operators must screen customers against applicable international financial sanctions lists from bodies like the UN and EU. This screening must be done at onboarding and on an ongoing basis. Furthermore, operators are required to provide regular AML/CTF training to all relevant staff and maintain records of this training for at least five years. They must also establish secure and anonymous internal channels for employees to report potential breaches of the regulations (whistleblowing).

What Players Can Expect

Players in Finland's regulated market should expect to be asked to verify their identity and, at times, their source of funds. These requests are a standard legal requirement imposed on the operator and not necessarily a sign of personal suspicion. Providing these documents allows the operator to meet its regulatory obligations.

If a player is unwilling or unable to provide the requested information, the operator must, by law, restrict or terminate the business relationship. This may involve blocking deposits, freezing the account, and preventing further gambling. All personal and financial data collected during these processes is protected under data privacy laws, with the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) acting as the supervisory authority.