Anti-Money Laundering & Counter-Terrorist Financing Policy

Last updated: 27 October 2025

This AML/CFT Policy sets out how Golden Panda prevents its products and services from being used for money laundering, terrorist financing, or other financial crime. It applies to everyone who designs, builds, operates, or uses the Platform: employees, contractors, partners, and players. The Policy is written for a risk-based program aligned with EU standards, the Dutch Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme), the Dutch Sanctions Act 1977, relevant EU sanctions regulations, and FATF recommendations. It should be read together with our KYC Policy, Payments Policy, Privacy Policy (GDPR/AVG), and Terms & Conditions.


1) Purpose and guiding principles

We operate a “safety-first” AML program built on five pillars:

  1. clear governance and accountability;
  2. a documented risk assessment that drives controls;
  3. proportionate Customer Due Diligence (CDD/KYC);
  4. real-time and retrospective monitoring with swift escalation; and
  5. training, testing, and continuous improvement.

We do not accept anonymous play, third-party funding, or attempts to disguise the origin of funds. Where legal or ethical doubt exists, we decline or exit the relationship.


2) Legal framework and definitions

  • Wwft & Sanctions Act. We apply CDD, monitoring, record-keeping, sanctions screening, and suspicious activity reporting in line with Dutch and EU rules.
  • FATF. We map our control set to FATF’s 40 Recommendations and relevant sectoral guidance for remote gaming.
  • Personal data. AML processing uses GDPR/AVG legal bases of legal obligation and legitimate interests; see our Privacy Policy for details.
  • Money laundering and terrorist financing terms follow Wwft/AMLD definitions. “Virtual assets” include crypto such as BTC, ETH, USDT, etc.

3) Governance, roles, and accountability

  • Board accountability. The Board approves this Policy, sets risk appetite, and receives quarterly AML/CFT reports.
  • MLRO. The framework is owned by a Money Laundering Reporting Officer and a deputy. They approve high-risk onboarding, decide the outcome of internal cases, and file reports with the competent FIU. The MLRO acts independently and has full access to all data, systems, and staff.
  • First line (Operations/Payments/Support). Executes controls at onboarding, during play, and at payout. Escalates red flags immediately.
  • Second line (Compliance). Designs policy, sets monitoring thresholds, performs QA and thematic reviews.
  • Third line (Internal Audit/Independent Testing). Performs periodic end-to-end effectiveness reviews.

We maintain a Conflicts of Interest register and separation between commercial incentives and AML decisions.


4) Risk-based approach (RBA)

We document and review an enterprise-wide AML risk assessment at least annually, and after major changes. It covers:

  • Customer risk: residency, occupation/source of income, prior account behaviour, PEP exposure.
  • Product risk: slots, live casino, high-velocity features, jackpots, bonuses, and any feature that can be used for value transfer.
  • Channel risk: remote onboarding, device types, VPN/proxy signals.
  • Geographic risk: sanctioned or high-risk jurisdictions, conflict regions.
  • Payment risk: cards, e-wallets, bank transfers, and virtual assets; presence of mixers, risky exchanges, or cross-chain bridges.

Risks drive CDD tiering, monitoring rules, and escalation paths.


5) Customer acceptance and CDD tiers

We accept players only after passing CDD. Tiers reflect risk:

  • Simplified CDD. Not used for remote gaming.
  • Enhanced Due Diligence (EDD). Mandatory where higher risk is identified, including any of: PEP hits, adverse media, unusual wealth compared with profile, crypto address risk, high-risk country exposure, frequent chargebacks, or complex payment patterns.

Threshold guidance (illustrative, not exhaustive):

  • Aggregate deposits or withdrawals ≥ €2,000 within 24 hours or ≥ €10,000 within 30 days trigger EDD/SoF (Source of Funds) review.
  • Any single crypto payout ≥ €1,000 triggers Travel-Rule style information exchange where applicable and advanced blockchain analytics.
  • Multiple accounts, third-party funding, or repeated VPN/proxy use move the relationship to high risk pending resolution.

We verify beneficial ownership and authority when the account is a legal person (if supported), including UBO identification and control structure.


6) Identification & verification (KYC)

  • Identity evidence. Government-issued photo ID (passport, ID card, residence card), plus liveness/biometric checks. Proof of address via bank/e-money statement or utility bill (recently issued).
  • Name matching & collision. We match identity against the payment instrument owner. Mismatch requires remediation or rejection.
  • PEP & sanctions screening. Performed at onboarding and continuously thereafter, using EU/UN lists and reliable PEP/adverse-media datasets aligned with the Sanctions Act.
  • Ongoing KYC. We refresh KYC on risk triggers, material profile change, or on a time-based cycle for higher-risk players.

If verification fails or the player refuses to cooperate, we freeze withdrawals and may suspend or close the account.


7) SoF/SoW (Source of Funds/Wealth)

Where EDD is required we may request:

  • recent payslips or employer confirmation;
  • bank/e-money statements showing consistent income;
  • sale of asset contracts;
  • business income evidence (e.g., tax filings);
  • for crypto: exchange withdrawal receipts, wallet history, proof of ownership.

We assess plausibility: the level and pattern of play must make sense for the player’s circumstances. If not, we restrict or exit the relationship.


8) Payments, methods, and crypto controls

  • No third-party payments. Funding and payout methods must be in the player’s own name.
  • Card/e-wallet/bank. We require SCA/3-D Secure where applicable and maintain velocity/risk rules for each provider.
  • Crypto (“virtual assets”).
    • Accept only supported networks; unknown contracts or unsupported chains are rejected.
    • Blockchain analytics can be applied to inbound and outbound addresses to reveal exposure to sanctions, darknet services, scams, stolen assets, and high-risk VASP linkages.
    • Funds should not be deposited from or withdrawn to mixers, tumblers, privacy pools, gambling-to-gambling hops, or addresses linked to sanctions or illegal behaviour.
    • Where Travel-Rule style obligations apply, exchange the required originator/beneficiary information with the counterparty VASP.
    • Require one clean withdrawal route that is demonstrably controlled by the player.

9) Geolocation, VPNs, and prohibited jurisdictions

We determine your location from device and network signals. If we detect a prohibited or restricted location, or if VPN or proxy use hides the real location, we suspend real-money features until we can investigate. We do not allow players from countries with strict restrictions, or where remote gaming is against the law, to sign up.


10) Real-time and post-event monitoring

We combine rules, typologies, and data science to detect unusual behaviour:

  • rapid cycles of deposit–minimal play–withdrawal;
  • multiple accounts or multiple funding sources tied to the same identity, device, or IP;
  • structuring (many small transactions below thresholds);
  • bonus/value transfer abuse;
  • sudden stake escalations and high volatility inconsistent with known profile;
  • back-to-back transfers between fiat and crypto to obfuscate source;
  • high-risk counterparties (PSPs or VASPs) and cross-jurisdiction patterns.

Alerts are triaged by trained analysts using a case management system with full audit trails. Outcomes may include: no issue, player contact, limit reduction, mandatory cool-off, SoF/SoW request, account restriction, or closure. Where suspicion forms, we escalate to the MLRO.


11) Suspicious activity, freezing, and reporting

  • Internal escalation. Analysts escalate promptly to the MLRO when facts indicate knowledge, suspicion, or reasonable grounds to suspect ML/TF or sanctions evasion.
  • External reporting. The MLRO determines whether to file a report to the competent Financial Intelligence Unit (FIU) under national law. We do not “tip off” the player.
  • Account action. The MLRO may maintain, restrict, or terminate the relationship, and may freeze funds where permitted by law.
  • Record of decision. Every SAR/STR decision includes a clear rationale and supporting evidence.

12) Sanctions screening and embargoes

We screen players and counterparties at onboarding and on a continuous basis against EU/UN sanctions lists and any other applicable national lists required by law. Matches are handled under a documented playbook. We block transactions where sanctions risk cannot be cleared.


13) Record-keeping

We keep CDD, transaction, monitoring, and reporting records for the minimum periods required by law (typically five years under Wwft for AML records; longer where fiscal rules or litigation hold apply). 


14) Training and awareness

  • Induction training for all staff before system access.
  • Annual refresher tailored to role (Support, Payments, Risk, Tech, Marketing).
  • Targeted workshops on new typologies (e.g., crypto mixers, cross-chain bridges, AI-driven fraud).
  • Effectiveness checks: quizzes, quality assurance of case notes, and scenario drills.

No one should handle a payout, CDD exception, or sanctions hit without current training.


15) Reliance, outsourcing, and third parties

We may use external providers (KYC vendors, PSPs, VASPs, analytics) but retain accountability. Every provider is subject to due diligence, contractual data-processing terms, performance SLAs, and periodic reviews. Reliance on third parties for CDD is documented and, where used, satisfies legal criteria (e.g., timely data access, no outsourcing of responsibility).


16) Independent testing and quality assurance

Compliance performs second-line quality assurance on a sample of onboarding files, alerts, and closures. At least once a year, an independent test (by internal audit or a certified outside party) assesses the design and operating effectiveness of the controls. The results are reported to the Board and the MLRO together with remediation plans and deadlines.


17) Data protection and confidentiality

AML data is sensitive. Access is role-based and logged. We use encryption in transit and at rest, event monitoring, secret management, and secure development practices. AML processing follows the principles of purpose limitation, data minimisation, and storage limitation. See the Privacy Policy for your GDPR/AVG rights and how to exercise them.


18) Breaches, incidents, and whistleblowing

Report suspected data, security, or control issues internally right away. We investigate incidents quickly, contain and remediate them, and report them to the appropriate parties as needed. We also record the lessons learned. We do not retaliate against anyone who blows the whistle in good faith.


19) Prohibited behaviours (non-exhaustive)

  • using third-party or corporate cards without clear ownership;
  • depositing from stolen or compromised payment instruments;
  • using mixers/tumblers, privacy pools, or sanctioned services;
  • value transfer via minimal-risk game play;
  • structuring to avoid CDD thresholds;
  • account sharing, multi-accounting, or identity rental;
  • providing forged or altered documents.

Violations may result in account closure, confiscation consistent with law and our Terms, and reporting to authorities.


20) Red-flag typologies (illustrative)

  • Frequent deposits followed by immediate withdrawals with minimal play (“churn”).
  • Numerous failed verification attempts or inconsistent identity details.
  • Funding patterns inconsistent with declared occupation/income.
  • Use of many different cards or wallets shortly after onboarding.
  • Crypto deposits from high-risk services or sanctioned clusters; withdrawals rapidly forwarded to mixers or cross-chain bridges.
  • Sudden relocation signals or persistent VPN/proxy masking.
  • Rapid, coordinated play across multiple accounts/devices.

Analysts should record context, request clarifications where appropriate, and escalate without delay if suspicion persists.


21) Policy management

This Policy is reviewed at least annually, and sooner where laws, guidance, risks, products, or technology change materially. The MLRO proposes updates; the Board approves them. The latest version is made available to staff and partners.


Plain-English recap

  • We use a documented, risk-based AML program with strong CDD, ongoing monitoring, and swift MLRO decisions.
  • We screen for sanctions and PEPs continuously, and we keep robust records for the legally required periods.
  • We do not allow third-party funding, mixing services, or disguised location. Crypto flows are analysed with blockchain tools and subject to Travel-Rule style measures where applicable.
  • If activity doesn’t make sense for a player’s profile—or if a red flag appears—we slow down, ask for evidence, restrict, or exit. When suspicion forms, we report it as the law requires.
  • Training, testing, and clear accountability keep the framework effective.

This document describes how Golden Panda meets its AML/CFT obligations. It does not replace applicable law or regulator guidance. Where this Policy and local law differ, the stricter requirement applies.
