How cryptocurrency casinos are licensed

Why crypto casinos need a double license

Crypto-casino operates at the junction of two regulations:

1. Gaming license (online gambling) - the right to offer slots, live games, bets, lotteries; RTP/RNG requirements, complaints, responsible play, log storage, etc.

2. License/registration VASP (Virtual Asset Service Provider) - the right to work with virtual assets (custodial wallets, crypto reception/output, VA↔fiat exchange), with responsibilities for AML/CTF, KYC and Travel Rule.

💡 In a number of jurisdictions, one gaming license plus notification mode for VA is sufficient; in others, both statuses are required.

Business model and impact on requirements

Custodial model (casino holds customers' wallets): usually requires VASP status, hard online screening, key storage (M-of-N, cold), limits and incident procedures.

Noncostodial model (client's wallet, smart contracts/payment providers): risks are lower, but VASP duties and AML control are most often applied anyway (source of funds, sanctions, Travel Rule for cross-platform transfers).

What the regulator checks when issuing a license

1) Company and owners

Legal structure (constituent documents, register of beneficiaries).

Fit & Proper key persons: reputation, no convictions, specialized experience.

Source of shareholder funds (SoW) and capitalization (minimum authorized/operating capital).

2) Product and technology platform

RNG and "provably fair": certification by independent laboratories + cryptographic proof of honesty (does not replace certification).

Backhoe and logs: event logs, immutable records (WORM/timestamps), storage by license term.

Infrastructure: fault tolerance, monitoring, DRP/BCP, penetration test/security audit.

Integrations: payments (fiat/crypto), game providers, oracles, CCM/sanction screeners.

3) Compliance and player protection

KYC/CDD/EDD: policy, triggers, documents; verification of the owner of the payment method/wallet.

AML/CTF: risk assessment (BWRA), monitoring rules, graph and online analytics, SAR/STR procedures, tipping-off prohibition.

Travel Rule: data exchange in VA transfers (where required), VASP/exchanges whitelist.

Responsible play: deposit/loss/time limits, self-exclusion, age control.

Complaints and ADR/Ombudsman: order of consideration, terms, arbitration.

Protection of players' funds: segregation/guarantee accounts/insurance, insolvency policy.

4) Marketing and geo-blocking

Advertising/affiliates: guides, prohibitions "dark patterns," disclosure of bonus conditions.

Geo-restrictions and sanctions: IP/GPS/ASN control, black-lists jurisdictions, POP/Sank screening with rescreening.

Package of documents: what to prepare in advance

Constituent documents, register of beneficiaries, ownership diagram.

Fit & Proper questionnaires (KYC for directors/beneficiaries): passports, certificates of absence of convictions, resume, recommendations.

Financial plan and risk model: P & L/CF, product description, load forecast.

Policies and procedures: AML/CTF (BWRA, EDD, SAR/STR), CCM/sanctions, responsible play, complaints/ADR, data retention, incidents, information security.

Tech dossiers: architecture, role access, logs, DRP/BCP, bugbounty, pentest results.

Agreements and SLAs with providers (game studios, PSP/crypto processing, KYC providers, online analytics).

RNG/Platform Laboratory Certificates/Reports.

Player retention policy and confirmation of bank/custodial agreements.

Dates and stages (typical rhythm)

1. Prescoping (2-6 weeks): selection of jurisdiction, model evaluation (custodial/no), GAP analysis of requirements.

2. Package preparation (4-12 weeks): finalization of policies, contracts, architecture, collection of certificates and certifications.

3. Submission and interaction (8-20 weeks): Q&A with the regulator, improvements, face-to-face interviews of key persons.

4. Conditional approval → production-audit → license.

5. Post-license: regular reporting, independent audits, recertification, personnel training.

(Actual deadlines are highly dependent on jurisdiction and document readiness.)

Compliance Budget (Outline)

One-time: application/due-diligence fees, laboratory certifications, legalization of documents, consultations.

Annual: license fee, supervisory fees, regulatory audits, KYC/AML/online analytics providers, pentests, insurance, ADR contributions.

Operating: PSP/crypto processing, hosting/CDN, case-management, training, policy updates.

Technical and crypto-specific requirements

Onchain screening of incoming/outgoing transactions; risk tags (mixers, hacks, sanctions).

Custodial wallets: cold storage, multi-subscription, limits, alerts, activity log; circuit breaker policy.

Smart contracts: at least two independent audits, admin rights control (timelock, multisig), migration plan.

Provably fair: hash-sid, client verification; the regulator's requirements for independent verification remain.

Data and privacy: DPIA, minimization, PII encryption "on disk and in the channel," retention periods, data subject rights.

Frequent errors of applicants

"Only provably fair - without RNG certification." The regulator will not accept.

There is no intelligible Travel Rule and no VASP/Exchanges whitelist. Failures/delays.

Weak segregation of player funds and unclear custodial storage scheme.

No BWRA/EDD triggers (only "total AML" without risk matrices).

Marketing through affiliates in banned geo - tough sanctions up to recall.

Unformed relationships with providers (no SLA/audit/incident-reporting rights).

Insufficient qualification of key persons (compliance officer "concurrently").

How to Select a Jurisdiction (Comparison Box)

Product coverage (slots, live, rates, crypto payments).

Whether VASP is required and under which models (custodial/non-custodial).

Fiscal burden (GGR/profit tax, VAT, charges).

Speed of review/predictability of procedures.

Access to payment rails (banks, stablecoin issuers, PSP).

License reputation (traffic conversion, trust of providers and players).

Checklist before submission

1. Company structured, beneficiaries disclosed, fit & proper passed.

2. KYC/AML/Travel Rule, BWRA, EDD matrix and case management are ready.

3. RNG is certified, provably fair implemented and documented.

4. Custodial processes: cold-storage, multisig, limits, incidents, activity log.

5. ADR, responsible gambling, complaints and SLAs are spelled out.

6. Geoblocking/sank screening, device/IP intelligence, list of prohibited jurisdictions.

7. Contracts with providers, right to audit, plan B for failures.

8. Audit/training plan for the year ahead.

Mini-FAQ

Do all crypto casinos need a VASP license?

No, it depends on the model. But with custodial wallets and/or VA↔fiat exchange - almost always yes.

Is it possible to do only "provably fair" without RNG certification?

No, it isn't. Providers and regulators require independent certification of RNG and the platform.

Is KYC mandatory if crypto payments?

Almost everywhere yes: KYC/AML and sledge screening are the basic standard, plus Travel Rule in the corresponding modes.

How do I protect my players' funds?

Segregation of accounts/wallets, cold storage, multiple signatures, limits, insurance/guarantees and an understandable withdrawal procedure in case of force majeure.

What about marketing through affiliates?

Contracts with compliance clauses, traffic verification, prohibition of "dark" advertising and promotions in blocked geo.

Crypto-casino licensing is not one paper, but a system: legal transparency and fit & proper, certified product (RNG + provably fair), strong AML/KYC with Travel Rule, online screening and protection of players' funds, plus reporting and auditing discipline. Operators who embed compliance-by-design in architecture and processes gain sustainable access to payments, the trust of providers and players - and, as a result, predictable growth without regulatory surprises.