In a Nutshell
- Commercial gaming is a high-risk DNFBP sector under the UAE NRA; board-level AML accountability is not optional.
- Boards must ensure their governance structure addresses GCGRA obligations and AML laws.
- The AML framework should be explicitly mapped to gaming-sector AML risks including virtual asset flows, marketplace manipulation, and cross-border player exposure.
- The absence of a statute of limitations for ML/TF/PF offences under Federal Decree-Law No. 10 of 2025 means historic governance failures remain perpetually actionable.
- Proliferation financing is now a standalone offence; gaming operators with international virtual asset exposure must integrate PF risk governance into board reporting.
Commercial gaming is explicitly rated as a high-risk sector in the UAE AML framework. That rating carries implications that flow directly to the board table. This article addresses how senior decision-makers in gaming operations should structure AML accountability, what governance structures are required, and where regulatory liability falls when those structures are absent or inadequate.
Why Commercial Gaming Demands Board-Level AML Governance
The UAE’s National Risk Assessment identifies commercial gaming as a sector with elevated ML, TF, and PF exposure because of its structural characteristics: high cash and virtual asset transaction volumes, partial anonymity in participation, the convertibility of gaming assets into value, and a cross-border player base that includes participants from FATF grey and black list jurisdictions.
Federal Decree-Law No. 10 of 2025 imposes liability on responsible persons within regulated entities, not only on the entities themselves. For a commercial gaming operator, this means that a board member or senior executive proven responsible for a compliance failure in the AML programme faces personal consequences, including restriction of management powers and administrative fines under Article 17 of the Decree-Law.
Dual Regulatory Framework: GCGRA and AML Law
Commercial gaming operators in the UAE must satisfy two regulatory regimes simultaneously. The GCGRA regulates financial crime prevention within the gaming sector under its licensing framework. Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025 establish the AML/CFT obligations that apply to all DNFBPs, including gaming operators.
The governance implication for boards is that satisfying the GCGRA does not constitute satisfaction of the AML law, and satisfying the AML law does not by itself satisfy all GCGRA requirements. The enterprise-wide risk assessment approved by the board must explicitly address both regimes, identify the overlapping requirements, and ensure that the compliance function is designed to meet both simultaneously.
Three Lines of Defence in Commercial Gaming AML
← scroll to see full table →
| Line | Specific Responsibilities in Commercial Gaming |
|---|---|
| First Line (Gaming Operations) | Executing player CDD and EDD at onboarding; flagging unusual player behaviour; monitoring in-game activity for red flags; escalating suspicious patterns to compliance |
| Second Line (Compliance and Risk) | Setting monitoring rules specific to gaming typologies; overseeing STR quality; managing GCGRA regulatory relationship; reporting to the board on programme effectiveness and sector-specific risk developments |
| Third Line (Internal Audit) | Independent testing of CDD and EDD quality for high-risk player relationships; sampling monitoring alert dispositions; reviewing marketplace manipulation detection capabilities; reporting to the audit committee |
What the Board Must See About Gaming Sector AML Performance
Board-level AML reporting for a commercial gaming operator should include, at a minimum:
- High-risk player onboarding volumes and EDD completion rates, distinguishing PEP, cross-border, and VA-linked player categories.
- STR filing volumes by typology (marketplace manipulation, prize fraud, virtual asset laundering), with trend analysis.
- Monitoring system performance metrics, including false positive rates and average alert closure times.
- Adverse findings from GCGRA, and the status of any remediation commitments.
- Virtual asset flow exposure, including the proportion of gaming activity funded through VA channels and any VARA compliance issues identified.
- Proliferation financing exposure arising from international player relationships or dual-use virtual asset flows.
Liability Architecture: Where Responsibility Falls
When a commercial gaming operator’s AML programme fails, the regulatory framework provides a clear liability architecture. The institution as a legal entity bears primary liability for administrative penalties under Article 17 of Federal Decree-Law No. 10 of 2025. The responsible persons, meaning those board members, executives, and managers who can be shown to have been responsible for the failure, face personal consequences, including restriction of their powers and individual fines.
For gaming operators, the most common sources of regulatory liability are failure to apply EDD to high-risk players, delayed or inadequate STR filing, and absence of monitoring controls calibrated to gaming-specific typologies. Each of those failures has a governance ownership dimension: it reflects a decision or non-decision made at the compliance function or board level about the design of the AML programme.
The removal of any statute of limitations for ML/TF/PF offences under Article 37 of Federal Decree-Law No. 10 of 2025 means that governance failures from earlier periods remain actionable. For instance, a gaming operator that expanded its VA-linked gaming offering in 2023 without integrating PF risk into its board-approved enterprise-wide risk assessment may face regulatory scrutiny for that omission today.
Proliferation Financing: The New Governance Obligation for VA-Linked Gaming
Federal Decree-Law No. 10 of 2025 introduces proliferation financing as a standalone criminal offence, distinct from terrorism financing. For commercial gaming operators whose platforms involve virtual asset flows or have a significant international player base, PF risk governance is now a board-level obligation.
The enterprise-wide risk assessment required under Article 5 of Cabinet Resolution No. 134 of 2025 must address PF risk explicitly. For a gaming operator, this means assessing whether its virtual asset infrastructure, its international player relationships, or its marketplace mechanisms create exposure to PF risks, and whether its monitoring controls are designed to detect PF-related transaction patterns.
GRC Advisors: AML Governance for Commercial Gaming Operations
GRC Advisors works with boards and senior management in commercial gaming operations to build governance frameworks that address the dual regulatory requirements of the GCGRA and the UAE AML law. Our advisory services cover enterprise-wide risk assessment design for gaming sector risks, board reporting framework development, and remediation support following supervisory examination findings. Contact GRC Advisors to discuss how your board can take effective ownership of AML risk in your gaming operation.
Frequently Asked Questions
Is the CEO personally liable if the gaming operator's STR programme is found to be inadequate?
Personal liability under Federal Decree-Law No. 10 of 2025 applies to persons proven responsible for a violation. Whether a CEO faces personal exposure depends on whether they had governance responsibility for the AML programme’s design and effectiveness, whether they received adequate management information, and whether they took appropriate action when problems were identified. CEOs who can demonstrate active governance oversight are in a materially stronger position than those who cannot.
What governance change is required if the gaming operator begins accepting virtual asset payments?
Accepting virtual asset payments changes the operator’s risk profile and regulatory obligations materially. The enterprise-wide risk assessment must be updated to reflect VA-specific typologies and PF risk. The compliance function must extend its monitoring capabilities to cover VA transaction monitoring and Travel Rule compliance where applicable. VARA regulatory requirements must be assessed and integrated into the governance framework. The board should require a formal risk assessment update as a precondition for launching VA payment acceptance.
How should the board handle a GCGRA examination finding that also has AML implications?
GCGRA examination findings with AML implications should be escalated to the board level, not handled solely within the compliance function. The board should require root-cause analysis, a documented remediation plan with measurable milestones, and an internal audit review of the remediation.
