Rikstoto was placed under formal scrutiny after the Norway Gambling Commission and the national financial supervisory authority uncovered several serious breaches of anti-money laundering requirements across the betting operator’s activities. The investigation revealed a structured pattern of missing controls, ignored legal duties, and undocumented decisions that weakened the company’s ability to detect suspicious behavior. The case is especially serious because Rikstoto operates with an exclusive betting license, meaning it carries a heightened responsibility to prevent illicit funds from circulating through its platform.
The AML red flags that pushed Rikstoto into regulatory intervention
During the supervisory inspection, regulators expected to see a mature system with documented knowledge of customers, traceable information on transactions, and ongoing monitoring. Instead, they discovered missing risk assessments, incomplete records, and a lack of traceable evidence that customer controls had taken place. The operators acknowledged that politically exposed persons were not subjected to the enhanced steps that law requires at the beginning of a customer relationship. Data loss also occurred during a migration to a new internal system, leaving gaps that impaired the ability to reconstruct activity.
The authorities set specific correction deadlines. If Rikstoto does not prove that the breaches have been fixed, the company can face a running daily fine of 10,000 NOK per violation until all issues are resolved, along with an additional administrative penalty that may reach 2 million NOK. The gambling regulator signaled clearly that AML requirements do not leave room for internal shortcuts or exceptions. A licensed gambling operator cannot decide to simplify a process that the law defines as mandatory.
This article examines what the supervisors found, why the controls collapsed, and what this case reveals about the importance of serious anti-money laundering capabilities in the gambling sector. The focus is entirely on financial crime risks, failures, and the consequences that emerge when a reporting entity chooses convenience over compliance.
AML failures at Rikstoto and regulatory pressure
The supervisory findings stated that Rikstoto did not have a functioning risk framework and was unable to demonstrate that anti-money laundering duties were applied in a structured or repeatable manner. The review revealed that the company had two separate internal documents meant to describe the exposure to illicit funds. Neither document showed how risks were assessed, how inherent and residual exposure differed, or which controls were assigned to mitigate the threats. Critical sections did not include information drawn from the company’s internal activity, such as past alert handling or patterns of unusual betting volumes. Without this foundation, Rikstoto could not prove that it understood how criminals might use its betting service to place and withdraw money to hide its origin.
The gambling authority expects reporting entities to assess the exposure created by their specific business model. A universal template is not sufficient. Risk must be tied to real data, meaning actual customer behavior, internal case files, and previous incidents. When risk identification is missing, follow-up controls tend to be reactive, late, and inconsistent. That is exactly what the supervisors found. The internal file reviews showed that customers were not assigned a risk level at onboarding. Instead, any risk classification was done later, based on how customers behaved during betting activity. This created a backward model of risk control, where the operator observed transactions first and assigned risk later. That approach is incompatible with financial crime laws that require preventive and proactive methods.
The audit also identified that Rikstoto did not ask customers about the purpose of the relationship or the expected volume of funds. Without these baseline details, any attempt to identify abnormal patterns becomes guesswork. If an individual suddenly deposits significant amounts, the operator cannot determine whether this represents a suspicious change or a variation within the expected behavior of a recreational gambler.
The failures reached a higher level of concern when the regulators reviewed how Rikstoto handled politically exposed persons. The obligations are straightforward. When a customer is identified as a PEP, enhanced customer verification must be carried out immediately, including validating the origin of funds used for betting. However, Rikstoto implemented its own rule, applying enhanced steps only if a PEP wagered above a certain monetary amount within a two-year period. The supervisors clarified that this internal threshold has no legal basis and violates the mandatory rule of enhanced checks at the point of onboarding.
As the inspection progressed, the regulators identified a pattern. The lack of a risk model, the lack of proper monitoring, and the weak onboarding practices were not separate incidents. They were interlinked elements of a compliance structure that existed more on paper than in real processes.
At the end of the audit, the authorities warned that if Rikstoto fails to resolve all identified breaches by the set deadlines, they can impose a daily fine of 10,000 NOK per violation until full remediation is documented. In addition, the company can face an administrative penalty that may reach 2 million NOK. For a betting monopoly, the reputational cost of unresolved AML breaches may be even higher than the financial one.
How inadequate risk assessment created blind spots
Risk assessments are not optional administrative paperwork. They are the engine that drives decisions on how to identify risky customers and which transactions require deeper investigation. When done correctly, they shape the design of transaction monitoring systems, assign risk tiers to customers, and guide resource allocation. The supervisors found that Rikstoto’s assessment did not perform any of these functions.
Rather than identifying high exposure scenarios, the documentation contained generic statements that were not connected to operational evidence. It lacked references to past cases or alert trends that could inform the likelihood and severity of different risk categories. The company also failed to evaluate external inputs, such as the types of payment instruments used by customers. Cash deposits and instant mobile wallet transfers can create scenarios where funds are injected quickly and withdrawn as winnings, leaving minimal audit trail. These situations require enhanced monitoring and deeper data enrichment. However, Rikstoto’s risk assessment did not flag these methods as requiring additional scrutiny.
Risk assessments also drive the decision to apply enhanced onboarding steps. The supervisors expected to see a link between the assessed exposure of different customer groups and the depth of information collected. That link did not exist. Customers were treated under a uniform process, regardless of whether their betting activities aligned with normal consumer patterns or whether other indicators suggested a higher level of financial exposure.
Because the risk assessment was not used operationally, the company missed multiple triggers that should have escalated customers to enhanced due diligence. In compliance, the absence of a decision trail is as serious as making the wrong decision. Without a record, the operator cannot prove that a check occurred or that any logic guided the decision.
This deficiency created blind spots that could be exploited by individuals seeking to move illicit funds. When a gambling operator allows customers to engage in activity without a clearly documented expectation of normal behavior, large value transactions can occur without generating alerts. Criminals take advantage of these situations, since the platform effectively becomes a temporary storage or laundering tool. The lack of data also affects law enforcement. If authorities investigate an individual and request historical information, a platform that cannot reconstruct decisions becomes a barrier rather than a partner.
The supervisors concluded that the absence of a structured risk assessment was not simply a documentation gap. It was the starting point of a chain of failures that weakened every downstream control.
Weak onboarding and monitoring exposed the platform
Customer onboarding is the first point of defense against illicit activity. Without strong onboarding, monitoring becomes ineffective because there is no baseline profile to compare transactions against. The auditors found that Rikstoto did not collect key information needed to understand customer background, funding source, or expected gambling behavior. Without this knowledge, analysts cannot determine whether rapid deposits represent normal recreational spending or suspicious activity.
The onboarding process lacked proper identity verification evidence in several instances. Missing files included financial statements, funding proof, or confirmations that enhanced steps had been carried out. The results were concerning. In some cases, the operator granted access to betting services without having evidence of the customer’s background or funding origin. In a sector that involves hundreds or thousands of small transactions, even short windows of unverified activity can introduce large exposure.
Monitoring requires calibrated rules that rely on the customer profile created during onboarding. Because the initial data was inconsistent or missing, monitoring could not detect anomalies efficiently. If the system does not know what is normal, it cannot identify what is unusual. The authorities found that the monitoring process lacked clarity on when a customer should be escalated to a higher review tier or when investigators should open a suspicious activity case.
The absence of proper record keeping worsened the situation. During a migration to a different internal system, Rikstoto lost documentation linked to several customers. Even if partial data was later recovered, some files were permanently lost. In financial crime regulation, the inability to provide evidence is equivalent to not having taken any action. Losing files also harms law enforcement, because historical analysis often depends on reconstructing exact transaction sequences.
The supervisors highlighted that the company should have preserved all records for five years after the end of a customer relationship or transaction. Maintaining an auditable trail is essential, not optional. Without records, regulators and investigative authorities cannot retrace funds or understand how a decision was made.
The monitoring issue extended to politically exposed persons. Rather than applying enhanced measures from the outset, Rikstoto placed PEPs into the basic control flow. Enhanced steps were applied later only if betting activity reached an internal threshold. This reversed the required logic. The correct method is to investigate first, not later.
The audit concluded that the weak onboarding and unclear monitoring process reduced the company’s ability to identify suspicious activity early. It also exposed Rikstoto to elevated penalties, since these failures touched multiple mandatory legal obligations.
What this case teaches regulated gambling operators
The Rikstoto case now stands as a clear warning to any gambling operator, especially those with a national or exclusive license. AML compliance is not a technical necessity used to satisfy paperwork demands. It is the only mechanism that prevents betting platforms from being used to hide proceeds of fraud, corruption, or other financial crimes.
Several lessons apply to any operator in the gambling sector:
Customer verification must occur at the beginning
Identity checks are not something that can be postponed. Collecting details about funding, gambling purpose, and expected activity provides a baseline for later monitoring. If the baseline is missing, monitoring has nothing to measure against.
Politically exposed persons require immediate enhanced controls
Creating internal thresholds or shortcuts exposes the operator to enforcement risk. Enhanced steps must be carried out as soon as a PEP is identified, regardless of betting volume. This includes validating funding origins and linking transactions to legitimate sources.
Risk assessments must be operational
Documents that identify exposure must reflect real experience, such as past alerts or known customer patterns. Without this, risks remain theoretical and do not guide actions.
Monitoring requires reliable records
Systems must store data consistently. If an operator cannot provide documents during a review, the action is legally treated as not having taken place.
Failure has real financial consequences
The Norway Gambling Commission set remediation deadlines. If Rikstoto does not resolve every breach, regulators can apply a running daily fine of 10,000 NOK per violation until compliance is proven. In addition, a separate penalty may reach 2 million NOK.
These penalties are designed to prevent operators from viewing AML as optional. They also demonstrate that regulators expect gambling operators to protect the financial system by actively preventing abuse.
For organizations operating in high-velocity transactional environments, AML maturity is not optional. It is a core business function that sustains trust. When controls are missing, the operator becomes a conduit for financial crime. Reputational loss often exceeds the monetary penalty.
Gambling platforms are attractive targets because they combine real funds, fast settlement, and limited counterparties. The best defense against exploitation is a rigid and tested AML framework that is applied consistently to every customer, at every stage, without exceptions.
Source: Lotteritilsynet (PDF)