AML and KYC Risks for Gambling Operators in the Czech Republic: Avoiding FAU Fines

3.4.2026 | ARROWS law firm

Operators of online and land-based gambling in the Czech Republic face one of the strictest regulatory regimes in Europe. This is not only about complying with the Gambling Act, but also about complex obligations arising from the AML Act and European regulations. This framework includes rules whose breach can cost operators hundreds of millions. This article explains what risks a company faces and how to avoid mistakes leading to sanctions from the Financial Analytical Office (Finanční analytický úřad).

In the image, we see a lawyer discussing the regulation of gambling.

Article contents

Key takeaways
Identification and identity verification (KYC)
Enhanced customer due diligence and politically exposed persons
Register of excluded persons
Contact person for the FAU
Sanctions and their impact

Key takeaways

Obliged entity: Gambling operators are defined under Act No. 253/2008 Coll. (the AML Act) as obliged entities. They must comply with a comprehensive set of measures including identification, customer due diligence, record-keeping and reporting.
Identification and identity verification (KYC): For online gambling, identification is always mandatory upon registration. Without a functioning KYC system and identity verification, you face sanctions in the tens of millions of CZK and the loss of your licence.
Register of excluded persons (RVO): Checks must be performed in real time at every login. A technical failure in the connection to is not an excuse.
Reporting suspicious transactions (OPO): Must be submitted to the FAU without undue delay. Late, incomplete or unsubmitted means a risk of crippling fines.
Contact person: As of 2025, there is an obligation to appoint and notify a contact person for communication with the FAU.
Sanctions: Maximum fines for the gambling sector under the AML Act can reach up to CZK 130 million or 10% of total annual turnover.

Legal framework: Why are gambling operators “obliged entities”?

Act No. 186/2016 Coll., on Gambling regulates the operation itself, licensing and player protection. In parallel, however, operators are also subject to Act No. 253/2008 Coll., on Certain Measures against the Legalisation of Proceeds of Crime (the AML Act). The gambling sector is explicitly listed in Section 2 of this Act as an obliged entity.

The reason lies in the nature of the business: gambling is transaction-intensive and enables rapid capital turnover, which makes it attractive for money laundering. Funds from illegal sources can be “laundered” through gaming accounts more easily than through a transparent banking system if control mechanisms are not in place.

In 2026, the situation is even stricter due to the direct applicability of European regulations and the activities of the new European Anti-Money Laundering Authority (AMLA), which harmonises supervisory practice across the EU.

Two parallel legal regimes

A gambling operator in the Czech Republic must simultaneously meet the requirements of two key authorities:

1. Ministry of Finance and the Customs Administration: Supervise compliance with the Gambling Act (licences, technical parameters of games, , responsible gambling).

2. Financial Analytical Office (FAU): Supervises compliance with AML obligations (identification, customer due diligence, OPO, ).

Both regimes must be complied with in parallel. A perfect gaming system with a licence is useless if you fail in transaction monitoring under the AML Act. A compliance department is therefore not an administrative burden, but a necessary condition for the continued existence of your licence.

Identification and identity verification (KYC)

In the gambling industry (especially online), stricter rules apply than in ordinary commerce. Before a player deposits the first funds or starts playing, you must establish their identity, verify the accuracy of the data, check PEP status, and screen sanctions lists and the Register of excluded persons (RVO).

For online games, identification must be completed before allowing participation in the game. For land-based casinos, identification is required upon entry to the gaming area or for a transaction exceeding the statutory threshold; in practice, however, casinos identify every visitor upon registration.

Verification methods in 2026

For online identity verification (remote onboarding), the following methods are accepted in the Czech Republic:

1. Bank identity (BankID): The fastest and safest method. The bank guarantees the client’s identity.

2. Submission of copies of documents + verification payment: The player uploads documents and makes a payment from an account held in their name in the EU/EEA. This method is more administratively demanding.

3. Czech POINT: In-person identification at a public administration contact point.

4. Biometric verification (Liveness Check): A modern method using real-time capture of the face and ID document via certified software that prevents the use of a mask or photograph.

Simply sending a scan of an ID card by email without additional control mechanisms (such as a verification payment or liveness check) is insufficient according to the FAU’s current interpretative guidance.

Most common mistakes and their impact

Data of a player registered in the past may be outdated in 2026, for example due to a change of ID document or residence. The law requires ongoing monitoring, and if you do not have a re-verification process, you are in breach of Section 9(2) of the AML Act.

Another mistake is the absence of sanctions screening at registration. If you do not automatically screen every new player against international sanctions lists, you risk establishing a relationship with a person whose assets must be frozen, which is a breach not only of the AML Act but also of EU regulations.

Transaction monitoring and reporting suspicious transactions

A suspicious transaction (OPO) is defined in Section 6 of the AML Act. In the gambling context, this typically includes deposits of large amounts in cash, deposits followed by withdrawals without gameplay, use of third parties’ payment instruments, or unusual behaviour inconsistent with the player’s profile.

Reporting process

If you detect a suspicious transaction, you must report it to the FAU without undue delay, usually within 5 calendar days from identifying the suspicion. The report is submitted electronically in encrypted form.

It is strictly prohibited to inform the client or any third party that an OPO has been filed or that an investigation is underway (so-called tipping-off). If there is a risk that executing the transaction would frustrate the securing of proceeds, it may be necessary to delay the transaction for up to 24 hours, or longer on the FAU’s instruction. If you fail to report a suspicious transaction and the authorities uncover it, you face crippling sanctions for inaction.

Enhanced customer due diligence and politically exposed persons

Enhanced due diligence (Section 9a of the AML Act) is mandatory in situations presenting higher risk. It particularly concerns politically exposed persons (PEPs) and their close associates, clients from high-risk third countries, or complex and unusually large transactions without an apparent economic purpose.

As part of EDD, you must additionally establish and document the source of wealth and the source of funds used in the transaction. A player’s affidavit is not sufficient; bank statements, income confirmations or property sale agreements are required.

Register of excluded persons

RVO is a key player-protection tool and includes persons receiving subsistence benefits, persons in insolvency, persons subject to a gambling ban, as well as persons who have requested registration themselves. The operator must verify the player in the RVO upon registration, at each login to the user account (online), and upon entry to the gaming premises (land-based).

This check must be carried out automatically via the API interface of the information system (AISG). If the RVO system does not respond, you must not allow the player to gamble, and technical outages on the operator’s side are not an excuse.

Internal Policies System and Risk Assessment

Every gambling operator must have a written Internal Policies System (SVZ) and a Risk Assessment. The Risk Assessment identifies specific risks related to games, distribution channels, and the customer base, and must be updated regularly.

The SVZ serves as a manual for employees on how to proceed with identification, detection of suspicious transactions, and record-keeping. It must be approved by the statutory body and sent to the FAÚ within 60 days of obtaining the licence or making a change; otherwise, the operator will not pass an inspection.

Contact Person for the FAÚ

From 2025, all obliged entities, including gambling operators, are required to appoint a specific employee as the contact person for the FAÚ and to notify the authority accordingly.

This person must be reachable, must have access to information on clients and transactions, and is the primary communication channel for the FAÚ’s operational instructions. Failure to comply with this notification obligation is considered an offence.

Sanctions and Their Impact

AML sanctions in the gambling sector are set extremely high to be deterrent even for large international holding groups.

In addition to financial penalties, the FAÚ may order remedial measures, such as suspending the onboarding of new clients until deficiencies are remedied, which may have a worse impact on the business than the fine itself.

Risks and How to Minimise Them

Given the complexity of the legislation, it is virtually impossible for gambling operators to handle compliance internally without specialised legal support.

Potential issue	How ARROWS helps (office@arws.cz)
Non-functional AML processes	We will carry out a comprehensive audit of your internal regulations and the actual functioning of your KYC/AML processes.
Inspection by the FAÚ / Customs Administration	We will represent you during the inspection.
STR reporting	We will assess disputed transactions and help you prepare a qualified suspicious transaction report so that you meet your statutory obligation.
Employee training	The law requires regular staff training (at least once a year).

FAQ

1. Do I have to report a suspicious transaction even if it did not go through (e.g., I refused it)?
Yes, the obligation to report a suspicious transaction also applies to an attempt to carry out such a transaction. If a client wants to deposit suspicious funds and you refuse the transaction, you still must file an STR with the FAÚ.

2. How long do I have to retain data?
Under Section 16 of the AML Act, you must retain identification, due diligence, and transaction data for 10 years from the end of the business relationship or the execution of the transaction.

3. Is sanctions screening mandatory for all players?
Yes, you must ensure that none of your players is on a sanctions list. In the online environment, automated screening at registration is recommended, followed by regular re-screening of the entire database, as sanctions lists change dynamically.

Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue as of 2026. Although we strive for maximum accuracy, laws and their interpretation evolve over time. We are ARROWS Law Firm, a member of the Czech Bar Association (our supervisory authority), and for the maximum security of our clients, we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of the regulations and their application to your specific situation, it is necessary to contact ARROWS Law Firm directly (office@arws.cz). We are not liable for any damages arising from the independent use of the information in this article without prior individual legal consultation.

Read also: