€225,730 Administrative Penalty
Imposed 23 March 2026
3 Regulatory Failures
CDD, CRA, and transaction monitoring
€2,000 Daily Ongoing Charge
Until full remediation verified by FIAU
On 23 March 2026, Malta’s Financial Intelligence Analysis Unit imposed a €225,730 penalty plus a €2,000 daily ongoing charge on Stanleybet Malta Limited for systematic failures in customer due diligence and transaction monitoring. The official FIAU notice identifies the exact compliance gaps, and Sentinel Compliance Platform™ closes every one of them.
What the FIAU Found
On 23 March 2026, Malta’s Financial Intelligence Analysis Unit (FIAU) imposed three simultaneous measures on Stanleybet Malta Limited, a remote gaming operator holding a Business-to-Consumer Gaming Service License from the Malta Gaming Authority, providing gaming services through a network of physical betting shops in a European Union jurisdiction.
The measures followed a targeted review initiated in 2025. The FIAU’s Compliance Monitoring Committee found serious and systematic failures in three interconnected areas: customer due diligence, customer risk assessment, and transaction monitoring. The core problem was structural, as the company had no system in place to cumulatively link transactions across its betting shop network to individual customers, making it impossible to know who it was actually serving.
“The lax approach adopted by the Company with respect to the fundamental legal requirement to know who it is servicing, which is a cornerstone of the entire AML/CFT framework, could not only have adversely impacted its own operations, but also exposed the Maltese jurisdiction to certain unmanaged ML/FT risks.”
FIAU Compliance Monitoring Committee — Administrative Measure Publication Notice, 23 March 2026
Four Compliance Failures Identified by the FIAU
No Cumulative Transaction Tracking Across the Betting Shop Network
The company applied CDD measures only when a customer deposited €2,000 or more in a single transaction, or when multiple transactions from the same customer within the same betting shop on the same day cumulatively reached €2,000. It had no system to link transactions across multiple betting shops, or to track deposits over a 180-day rolling period as required by law. The FIAU found that customers could visit different outlets within the network, even within the same town or city, and circumvent the threshold entirely. The €2,000 monitoring criterion also failed to align with the legal requirement to calculate the threshold on the basis of lifetime deposits or a 180-day rolling period.Reliance on Staff Recognizing Customers by Sight
One of the measures used to monitor whether the €2,000 threshold was reached across transactions relied on betting shop employees recognizing customers by sight. The FIAU Committee described this as presenting “inherent weaknesses,” a method that is by definition unreliable and unverifiable, and one that provides no auditable record of the identification determination or its outcome.
Incomplete Customer List, No Customer Risk Assessments
Because the company could only associate transactions with customers who made single deposits of €2,000 or more, it did not hold a complete list of end customers. This directly prevented the company from carrying out customer risk assessments (CRA), establishing business and risk profiles, and applying the CDD measures required by the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR). The FIAU noted that the company was unable to monitor transactions throughout business relationships with the clients it was actually servicing.
Generic and Insufficient Customer Profile Information
For identified customers with deposits over €2,000, the customer profile information gathered was “insufficient and inadequate.” Onboarding forms contained only broad classifications: employment status recorded as “employed,” “unemployed,” or “student”; source of funds recorded as “savings,” “wages,” or “dividends.” In some cases, data fields were left blank entirely. The FIAU noted that such generic descriptions fail to explain a customer’s financial standing and “would never be deemed sufficient to meet this obligation, independently of the risk presented.”
The Three Measures Imposed
The FIAU’s Compliance Monitoring Committee imposed three simultaneous measures under the PMLFTR. The combination was a fixed penalty, a continuing daily charge, and a formal directive, reflecting the Committee’s assessment that the failures were not isolated errors but systematic gaps requiring immediate
Administrative Penalty: €225,730 under Regulation 21(1) of the PMLFTR, for the combined failure to establish and know customers, conduct customer risk assessments, and collect adequate customer profile information.
Periodic Penalty Payment: €2,000 per day under Regulation 21(5) of the PMLFTR, for the specific and continuing failure to cumulatively link transactions to individual customers. This ongoing charge continues until the FIAU is fully satisfied that the failure has been remediated.
Follow-Up Directive under Regulation 21(4) of the PMLFTR, requiring the company to submit a detailed Action Plan including: implementation of a system to cumulatively link transactions per customer across all betting shops, a mechanism to identify when a customer’s activity transitions from occasional transactions to a business relationship, evidence that CDD, CRA, and customer profiling obligations are being met, and updates to the frameworks for collecting customer information and ongoing monitoring.
Key Takeaway From the FIAU Notice
The FIAU explicitly warned that while the company cooperated and had implemented some training, those efforts were insufficient: “the revision of internal processes and controls, without implementing the fundamental legal requirement for the Company to identify and recognize who the vast majority of its customers are, is inherently ineffective.” Staff training without systematic technology is not a compliance program.
How Sentinel Compliance Platform™ Closes Every Gap Identified
Every failure the FIAU identified in the Stanleybet case maps to a specific capability that Sentinel Compliance Platform™ from Truth Technologies provides. The failures were not complex; they were foundational: know your customer, track their transactions cumulatively, maintain complete records, build risk profiles. These are the core functions that Sentinel Compliance Platform™ automates.
FIAU Finding — Stanleybet | Sentinel Compliance Platform™ Capability |
|---|---|
No system to cumulatively link transactions across betting shop network to individual customers | Automated KYC screening links customer identity across all touchpoints — name, DOB, address, and citizenship matching with the lowest false positive rate in the industry |
Reliance on staff recognising customers by sight to track €2,000 threshold | Continuous Customer Monitoring (CCM) automatically tracks and re-screens customer activity — no manual recognition required, no human error gap |
No complete customer list — unable to assess ML/FT risk for most customers | Comprehensive customer database with full audit trail of every identity verification and screening decision, sortable and exportable on demand |
Unable to classify when occasional transactions become a business relationship | CCM with New Data Alert continuously monitors transaction patterns — flags when customer activity reaches thresholds requiring reclassification and enhanced obligations |
Customer profiles limited to generic terms — “employed,” “savings,” insufficient for CRA | Structured customer profiling with incident workflow management — documents specific employment, source of funds, and risk classification in auditable, reviewable records |
No adequate transaction monitoring throughout business relationships | PEP screening, adverse media monitoring, and sanctions screening with daily updates — continuous visibility across the full customer lifecycle |
No auditable evidence of CDD and CRA decisions for FIAU examination | Un-editable audit logs capture every screening decision, review outcome, and compliance action — timestamped and exportable as PDF or Excel on demand |
What Gaming Operators Must Act On Now
The Stanleybet case is the FIAU’s most explicit public statement on what it expects from gaming operators with physical betting shop networks. The key takeaways from the official notice apply broadly to any gaming operator, whether online or retail, operating in Malta or under a Maltese license serving EU customers.
The FIAU’s position is direct: a subject person must be able to cumulatively link all transactions executed by the same customer across all outlets and time periods in order to determine when the €2,000 deposit threshold is reached. This applies whether the customer is engaged in occasional transactions or a business relationship. Monitoring within a single outlet, on a single day, is insufficient.
The ongoing €2,000 daily penalty reinforces the point: the failure continues to accrue financial consequences until the structural technology gap is remediated. Staff training, policy updates, and internal audits are recognized as positive steps, but the FIAU has been clear that these do not substitute for the fundamental requirement to identify and track customers systematically.
Note: This article is for informational purposes only and does not constitute legal advice. AML/CFT compliance obligations vary by entity type, sector, and jurisdiction.
▶ Request a Free Demo of the Sentinel Compliance Platform™
References:
Financial Intelligence Analysis Unit (FIAU), Publication Notice – Stanleybet Malta Limited, 23 March 2026, available at: https://fiaumalta.org/app/uploads/2026/03/Publication-Notice-23032026-2.pdf
