Peru recently implemented a new regulatory and supervisory regime for online gambling and sports-betting operators. The framework is built on prior legal instruments establishing the legality of remote gaming and wagering, with clear mandates to prevent money laundering and terrorist financing. Under this regime, operators must implement a full anti-money laundering / counter-financing of terrorism (AML/CFT) compliance system, including policies, procedures, controls, transaction monitoring, customer due diligence (CDD), and reporting obligations. Remote gaming platforms are now considered “obligated subjects” under the the AML laws.

Before this regulatory update, online gaming was a known risk area: the remote platforms and sports betting operators could be used to layer illicit funds, disguise origin through fake winning transactions, or structure operations to avoid detection. The new legal instruments close many of those gaps by imposing obligations that had previously applied mostly to traditional financial institutions or casinos.

Key components of the AML compliance architecture

Under the new legal regime, operators must set up a “Sistema de Prevención de Lavado de Activos y Financiamiento del Terrorismo” (SPLAFT). This means that each operator must maintain risk-based policies to identify, evaluate, and mitigate money-laundering and terrorist-financing risks inherent to their business. Required controls include verifying identity not only of players but also of directors, managers, beneficial owners, employees, and service providers or suppliers. All transactions must be recorded and suspicious operations reported to the the national financial intelligence unit (FIU).

Operators must designate both a primary and an alternate compliance officer responsible for managing and overseeing the prevention system, internal controls, training staff, ensuring record-keeping, and preparing periodic reporting (including annual reports on the effectiveness of the their prevention systems). Records of all operations, customer identity data, bets, winnings, deposit flows, payouts, and user account histories must be retained for a number of years consistent with statute of limitations or regulatory retention periods.

Technical standards require remote gaming platforms to transmit economic data (bets, wins, losses, deposits, payouts) in real time to regulatory databases so that authorities can audit or monitor flows. Also, certification and homologation of platforms (software, betting systems, progressive systems, etc.) are mandated so that the platforms are auditable and transparent.

Money laundering typologies exploited in the sector

With remote gambling and sports betting, there are multiple ways money laundering schemes can be embedded. One common typology is layering via fake winnings: an illicit actor might deposit funds, place small bets that ensure wins (through fixed or manipulated events or gaming algorithms), then withdraw “clean” money that appears as legitimate winnings. This hides the origin of funds and provides plausible cover. Betting winnings appear as lawful proceeds.

Another method is structuring deposits in smaller amounts across multiple accounts or using third parties; or using affiliates or user accounts belonging to different persons or nominee accounts to spread or disguise flows. Because winnings can be transferred or used for further bets or cash out, it becomes an attractive channel for layering and integration. Also politically exposed persons (PEPs) or high-risk persons may exploit such platforms to funnel funds across borders, especially in jurisdictions with weak AML oversight in remote gaming.

Online platforms often use third-party payment processors or digital wallets; if these are not well regulated or supervised, they may provide corridors for deposits or withdrawals that cannot easily be traced. Without strong identity verification or transaction monitoring, criminals can exploit these gaps to move illicit funds.

Enforcement, sanctions, and compliance implications

The regulatory update imposes clear sanctioning mechanisms on operators who fail to comply with AML obligations. Unauthorized operation, or operating platforms or betting rooms without proper authorization or homologation, can lead to severe fines. Operators must also comply with technical requirements such as providing regulatory access to servers, databases, and user information. Failure to provide access or hide information or manipulate platforms can be treated as administrative infractions.

Penalties may include fines in terms of tax units, debarment, revocation of authorization, or domain blocking, IP or website blocking, or suspension of operations. Regulators can also confiscate or destroy assets used in unauthorized remote gaming operations. Operators are required to present guarantees or warranties (for example via bank guarantees or deposits) to secure obligations.

From a compliance perspective, operators must train staff formally on AML/CFT controls and responsible gaming, keep audit logs, transmit daily or real-time economic data to regulatory data centers, and ensure they are fully authorized and certified by independent laboratories. Periodic audits are required, either by authorized certification laboratories or independent external auditors.

Lessons for AML practitioners and compliance teams

AML practitioners can draw multiple lessons from this case. First, remote online gambling is now recognized as a high-risk sector for money laundering due to the ease of layering via bets, manipulation, and payouts disguised as winnings. Compliance programmes must incorporate risk assessments specific to remote gaming, including the risk of fixed bets, collusion, algorithm manipulation, or third-party accounts.

Second, compliance officers must integrate with the platform’s technical architecture – ensuring that transactional data, account flows, bet outcomes, deposit/withdrawal flows are captured, monitored, and reported appropriately. Real-time or near-real-time data transmission to regulators enhances monitoring capabilities.

Third, because foreign entities may operate via branches or third-party providers, beneficial ownership rules and due diligence on service providers or platform providers are critical. Directors, beneficial owners, and linked service providers must be vetted, and their identities subject to scrutiny under AML rules.

Fourth, compliance frameworks must include periodic audits, internal testing, and stress testing to identify anomalies such as suspicious winning patterns or suspicious patterns of deposits and withdrawals. Patterns that deviate from expected gaming behaviour can indicate laundering.

Finally, compliance teams should monitor regulatory developments: thresholds for suspicious transaction reporting, obligations for politically exposed persons (PEPs), deposit thresholds, or regulatory deadlines to adapt systems within specified grace periods.

---

Related Links

• Supreme Decree No. 005-2023 of the Ministry of Foreign Trade and Tourism regulating remote gaming and sports betting
• Law No. 31557 and its amendment law No. 31806 establishing remote gaming regulation
• Risk assessment report by the supervisory authority on money laundering and terrorist financing in Peru
• Official guidelines on obligated subjects for AML/CFT in gaming operators
• Public registry / official portal for authorized operators

Other FinCrime Central News About Peru’s Endemic Bribery and Money Laundering Issue

• Peru’s President Toledo Gets 13 Years for Odebrecht Money Laundering
• Former Peruvian President and Wife Both Sent to Jail for 15 years for Money Laundering

Source: IGAMINGTODAY, by Eduardo

Some of FinCrime Central’s articles may have been enriched or edited with the help of AI tools. It may contain unintentional errors.

Want to promote your brand, or need some help selecting the right solution or the right advisory firm? Email us at info@fincrimecentral.com; we probably have the right contact for you.