Curacao's LOK Regime: What iGaming Operators Must Do to Stay AML-Compliant

Curacao's online gaming sector entered a new regulatory era on 24 December 2024 when the Landsverordening op de Kansspelen (LOK) came into force, replacing the NOOGH framework with a centralized, government-issued licensing model administered by the Curaçao Gaming Authority (CGA). The transition is not administrative. The LOK introduces substantive AML and KYC obligations, mandatory FATF-aligned frameworks, FIU reporting via goAML, and requirements for designated compliance officers, all of which must be operationalized through live systems, written policies, and verifiable audit trails. 

This article sets out what the CGA expects at the program level and identifies the infrastructure that determines whether an operator is genuinely compliant or simply licensed.

{{snippets-guide}}

From NOOGH to LOK: What Changed

Under the NOOGH framework, four private master license holders stood between the regulator and operators, compliance standards varied widely, and enforcement was inconsistently applied. The LOK dismantles that model entirely. All licenses are now issued directly by the CGA, recorded in a public register, and subject to ongoing supervision. The sublicense system was revoked effective 31 January 2025, and operators without a valid LOK license lost the right to operate.

Each licensed entity is now individually accountable for its AML program, KYC controls, suspicious transaction reporting, and compliance staffing. In structural terms, Curacao has moved toward the model operated by Malta and the UK Gambling Commission, even if enforcement maturity is still developing.

The AML Legal Framework

Curacao's AML obligations derive from two statutes alongside the LOK itself. The National Ordinance on the Identification when Rendering Services (LID) governs customer identification and verification. The National Ordinance on the Reporting of Unusual Transactions (LMOT) governs detection and reporting of suspicious activity to FIU Curaçao. Both were amended in 2024, and the CGA's AML/CFT policy took effect on 9 January 2025.

Operators must also comply with FATF and Caribbean FATF (CFATF) standards, which form the baseline against which the CGA measures program adequacy. A program that meets the letter of the LID and LMOT but fails to reflect FATF principles on risk-based supervision will not satisfy the CGA.

The Risk-Based Approach

The CGA requires a documented risk-based approach (RBA) calibrated to each customer relationship. A standard customer depositing through a regulated payment method in a low-risk jurisdiction attracts standard CDD. A customer depositing via cryptocurrency from a high-risk jurisdiction, or whose transaction patterns are inconsistent with their stated profile, must automatically trigger enhanced due diligence. Operators unable to demonstrate how they apply risk ratings in practice will face scrutiny during CGA reviews.

KYC Thresholds, CDD, and EDD

Under the LID, identity verification is required before processing transactions at or above the applicable threshold, placed by industry practitioners in the NAf 4,000 to 5,000 range, roughly EUR 2,000 to 2,500. That is not high by international standards, and operators who have designed KYC workflows on the assumption that few players will trigger verification are likely to find those systems inadequate.

Standard CDD covers identity verification, address confirmation, and source of funds where relevant. Enhanced due diligence is required for customers presenting elevated risk indicators:

• PEP status or connection to a PEP
• Residence in a high-risk or sanctioned jurisdiction
• Use of cryptocurrency or anonymous payment methods
• Transaction volumes inconsistent with declared income
• Unusual deposit patterns or rapid withdrawal cycles

EDD is not a one-time event. It requires ongoing monitoring and documented review at risk-appropriate intervals.

PEP and Sanctions Screening

PEP status carries specific obligations under the LID and FATF Recommendation 12. Accepting deposits from a PEP without conducting EDD, obtaining senior management approval, and implementing enhanced monitoring is a direct AML breach regardless of whether the funds prove clean. For operators with international player bases, PEP density is elevated in Latin America, the Middle East, Southeast Asia, and sub-Saharan Africa. Automated screening at onboarding and continuous monitoring against updated databases is the only operationally viable approach, since PEP status can change after a player has already been onboarded.

Sanctions screening must cover the OFAC SDN list, the EU consolidated list, the UN Security Council Consolidated List, and the UK OFSI list. The LOK does not specify which lists are required, but FATF compliance implies coverage of all major international regimes. Screening against a single jurisdiction's list while accepting players from multiple markets will not satisfy the CGA.

{{snippets-case}}

MLRO Requirements

The LOK requires a designated compliance officer functioning as an MLRO: independent, suitably qualified, and capable of making autonomous decisions on suspicious transaction reporting without commercial pressure. The MLRO's responsibilities include:

• Developing and maintaining the written AML program
• Overseeing staff training and internal SAR management
• Filing unusual transaction reports to FIU Curaçao via goAML
• Managing the CGA portal's incident-reporting module for security breaches and financial irregularities
• Conducting regular internal reviews of program effectiveness

Failure to report incidents through the CGA portal in a timely manner is itself a compliance breach, separate from any underlying AML failure.

Transaction Monitoring and goAML Reporting

The LMOT requires monitoring for ML/TF indicators and reporting to FIU Curaçao via goAML. Registration on goAML is mandatory before accepting real-money deposits. Common red flags in online gaming include rapid deposit-withdrawal cycles with minimal play, fragmented deposits across multiple payment methods, volume increases without corresponding gameplay changes, and cryptocurrency use combined with anonymization techniques.

The filing threshold for an unusual transaction report is suspicion, not certainty. Operators who delay filing because they cannot confirm wrongdoing are misapplying the legal standard and accumulating liability for each period of non-disclosure.

Cryptocurrency and Wallet Screening

The CGA's AML/CFT policy treats cryptocurrency deposits as inherently higher risk. Anonymous wallets and mixer-based deposits require enhanced scrutiny, and accounts must be refused or terminated where source-of-funds verification cannot be achieved. Each crypto-depositing customer requires CDD at or below the applicable threshold, with EDD applied where the wallet or transaction pattern is high-risk. Operators must implement blockchain analytics tools capable of flagging wallets associated with sanctioned entities, darknet markets, or ransomware activity. Accepting a deposit from a flagged wallet, even unknowingly, creates immediate AML exposure.

Licensing Fees and the Supervisory Relationship

B2C operators pay a total annual fee of EUR 47,450 (EUR 24,490 to the National Treasury, EUR 22,960 in CGA supervisory fees). B2B supplier licenses carry an annual fee of EUR 24,490. These represent a substantial increase over the NOOGH regime and reflect the CGA's intent to fund genuine supervision. Operators generating more than EUR 50 million annually face additional audit and reporting obligations. The CGA holds enforcement powers including fines, license suspension, and referral to the Public Prosecutor's Office.

Building an AML Program That Satisfies the CGA

A compliant AML program under the LOK is operational infrastructure, not a document. Its core components are interconnected: CDD data feeds into transaction monitoring, monitoring outputs feed the UTR workflow, and screening results feed EDD decisions. A gap in any one component creates downstream failures in the others. The seven elements the CGA will look for are:

• A written Business Risk Assessment covering customer base, products, payment channels, and geography
• Documented CDD and EDD procedures specifying what is collected, when EDD triggers, and how decisions are recorded
• Automated screening covering PEP databases, sanctions lists, and adverse media with defined escalation paths
• A transaction monitoring system with calibrated, regularly reviewed rules and documented case management
• A registered goAML account and an internal UTR assessment and filing process
• A staff training program with records delivered at onboarding and periodically thereafter
• A designated MLRO with documented authority, independence, and board-level reporting access

Conclusion

The LOK has brought Curacao's licensing framework materially closer to Malta and UK standards. Operators who treat it as a paperwork exercise face license suspension, fines, and reputational damage with payment processors and affiliate partners who conduct their own due diligence. Those who invest in integrated, automated, and auditable compliance infrastructure are not simply meeting a regulatory requirement. They are building the foundation that makes a sustainable licensed business in Curacao viable at all.

sanctions.io is a highly reliable and cost-effective solution for real-time screening. AI-powered and with an enterprise-grade API with 99.99% uptime are reasons why customers globally trust us with their compliance efforts and sanctions screening needs.

To learn more about how our sanctions, PEP, and criminal watchlist screening service can support your organisation's compliance program: Book a free Discovery Call.

We also encourage you to take advantage of our free 7-day trial to get started with your sanctions and AML screening (no credit card is required).

‍