UAE Commercial Gaming Regulations and GCGRA Compliance & Licensing Guide

The UAE’s commercial gaming market is likely to reach up to $5 billion in annual gross gaming revenue at full maturity, according to Morgan Stanley estimates. But for operators, license fees and capital aren’t the only costs; compliance is. Here’s what operators need to know about GCGRA licensing and compliance.

UAE Commercial Gaming Market from Prohibition to Regulation

In 2023, the UAE became the first Gulf state to have a federal regulator of commercial gaming. The General Commercial Gaming Regulatory Authority (GCGRA), headquartered in Abu Dhabi, has taken gaming in the country under its exclusive control. This comprises businesses that offer lotteries and internet gaming to sports betting and brick-and-mortar casino resorts.

The commercial gaming market in the UAE has undergone a number of developments since then. In late 2024, the UAE Lottery was started with its original licensee. Commercial gaming policy paper issued in 2025. In Ras Al Khaimah, Wynn Resorts received the first land-based casino license in the country in its 3.9-billion-dollar Al Marjan Island resort, the doors of which will be opened by early 2027. In December 2025, the first licensed online gaming site in the UAE was launched, known as play971, which is a Coin Technology Projects LLC corporate entity that is geo-blocked and requires registration.

What is GCGRA’s Commercial Gaming Compliance Framework?

As a matter of fact, the UAE gaming model is closely related to that of Singapore, controlled-entry, compliance preparedness, and risk-based supervision, and the similarity is attributed to the fit-suited and licensing regulations in the U.S. mature jurisdictions such as Nevada.

The GCGRA mission statement is aimed at the safety of players, responsible gaming, social responsibility, and integrity of operations. The above objectives are reflected in the licensing system, which requires the operators to demonstrate their financial position. It also demands declaring ownership structure and having a technical infrastructure that it can use to fulfil AML/CFT requirements.

In 2025, two important regulatory developments impacted Commercial Gaming Compliance:

• Gaming Operators Categorised as DNFBPs

Since the official UAE law, nowadays Commercial Gaming Operators fall into the category of DNFBPs (Article 3 of the Cabinet Resolution No. 134 of 2025), which is triggered by AED 11,000 for each individual financial transaction or related transactions. This connects them to virtual asset service providers. Like other financial institutions, they are required to meet the equal due diligence requirement, keep good records, monitor transactions, and comply with reporting requirements.

• Child Digital Safety Law Mandate Age Verification

The Federal Decree-Law No. 26 of 2025 on Child Digital Safety directly prohibits the act of permitting minors to access commercial games over the Internet. The operators need to impose parental restrictions, age verification, and technical barriers to restrict access of underage users.

Failure to comply or abuse may lead to severe consequences for operators. The new federal AML law permits fines up to AED 100 million (approximately 27 million) based on the nature and severity of AML violations to organizations, and individuals may receive up to ten years in prison.

Legal Framework Governing Commercial Gaming in the UAE

The numerous federal laws that govern the licensed operators in the UAE include, but are not limited to:

• Federal Decree by Law No. 10 of 2025 (Updated AML/CFT Law)
• Cabinet Resolution No. 134 of 2025 (Regulations Implementing Law No. 10 of 2025)
• Cabinet Decision No. 74 of 2020 (Concerning Terrorism Lists and UN Sanctions)
• Federal Decree Law No. 7 of 2014 (Combating Terrorism Offences)
• Federal Decree-Law No. 26 of 2025 (Concerning Child Digital Safety)

The Seven Compliance Pillars Every GCGRA Operator Needs

C-suite executives intending to enter a new market or a license must learn the GCGRA requirements of player protection, KYC, and AML. These needs can be summarized into 7 key pillars of operation.

1. Strong Customer Due Diligence during Onboarding

All players should be recognized and authenticated prior to being allowed to deposit, bet, or withdraw. The GCGRA anticipates full identity verification and sufficient controls. Practically, to fulfil those expectations, many operators will have to authenticate documents, confirm them with a biometric check, and cross-reference them with government-issued credentials. Enhanced due diligence (EDD) is required for high-risk players or those in high-risk jurisdictions.

This is where onboarding experience would be a competitive differentiator. Manual review operators with each instance will experience bottlenecks that deter conversion rates. Through AI-based verification, which combines document scanning, facial biometric matching, and real-time risk scoring, platforms will be able to finalize the onboarding process in a few seconds and satisfy regulatory requirements.

2. AML Screening and Ongoing Monitoring

According to Cabinet Resolution No. 134 of 2025, which was adopted by GCGRA, gaming operators must screen players, transactions, and business relations with the terrorist and sanctions lists. Authority also needs to have mechanisms for identifying and monitoring Politically Exposed Persons (PEPs). However, this check is not a one-time check. Players have to be carefully monitored by the operators. They are supposed to seek suspicious patterns of transactions, transaction speed variations, as well as actions that might indicate money laundering or terrorist financing.

The operators that handle the enormous number of customers every day require automated solutions that can be complemented with AI, which can manage the volume and intricacy of the screening of an increasing number of customers.

3. Age Verification and Child Digital Safety

The responsible gaming system designed by the GCGRA and the law of child digital safety of 2025 form a multi-layered directive. Players should be confirmed to be of age, and technical measures must be used to bar entry of minors to commercial games.

GCGRA compliance will not accept a superficial check or a self-proclaimed age. Operators require document-backed age confirmation, which may be complemented with biometric age determination to perform re-verification without friction.

4. Responsible Gaming Enforcement

Besides this, the regulation demands having a responsible gaming program, comprising deposit limits, cooling-off periods (at least 72 hours), self-exclusion options, player education, and specific responsible gaming supervision.

The GCGRA mandates that the responsible gaming programs be audited by an approved auditor every two years. These means operators require systems that generate clean and auditable records of how all players were counterchecked and how responsible gaming controls were used.

And since the self-exclusion and deposit limits, which are the controls of responsible gaming, require self-identification of the player, the identity verification layer becomes the enforcement mechanism of the entire responsible gaming plan, not the age gate at sign-up.

5. Geo-Restriction and Exclusion Zone Enforcement

The compliance of geo-location in the UAE is more sophisticated than most of the regulated markets. It operates on a number of levels, and operators must understand and use each of them.

The technical specifications of the GCGRA, based on GLI-19 (interactive gaming systems) and GLI-33 (event wagering systems), mandate the application of certified geolocation technology that limits the ability of a platform to access users physically situated in its authorized premises. It is not a guideline; it is embedded in the licensing criteria.

The GCGRA offers federal licensing, but according to market reports, each of the seven emirates of the UAE may opt out to allow gaming in its emirate. However, no such official communication from GCGRA exists to date.

Further, there can be exclusion zones within an emirate that otherwise allow commercial gaming within its limits. Practically, this implies that platforms can only accept users who are physically located within certain distinct zones within the territory of the UAE.

Hence, geo-restriction, identity checks, and age checks, as well as sanctions screening, should be functioning as a system. The location information of a player must be supported by their identity information. The appearance of a UAE-issued ID with an attempt to log in in an unauthorized jurisdiction or exclusion zone should set off a flag.

6. Suspicious Activity Reporting and Transaction Monitoring

When the requirements are necessary, licensed operators must keep records of all transactions involving players and submit Suspicious Activity Reports (SARs) to the Financial Intelligence Unit of the UAE. It is expected to be proactive, not reactive reporting. The transaction monitoring systems should raise red flags on rapid deposits and withdrawals (structuring) patterns, abnormal cross-border fund flows, and activities not in line with the profile of a player.

Guidelines on record retention normally mandate all transaction records and KYC information. Together with related compliance measures, they should be safely kept for at least five years.

7. License Application Readiness

A crucial fact that operators must learn is that the GCGRA does not assess compliance infrastructure after it has been licensed but rather at the time of licensing. Licensing also involves the evaluation of the applicant’s AML/CFT systems, responsible gaming plans, technical architecture, and the competency of directors and senior management. In a market where the supply of the license is deliberately restricted, and the number of operators is reportedly one per emirate. At that, the ability to prove the existence of a mature, automated compliance stack may be the difference between a successful application and a rejected one.

Key AML/CTF Risk Areas Identified in the 2025 GCGRA Policy Paper

The 2025 GCGRA policy paper indicates certain susceptibilities existing in the different sectors that must have well-organized risk-based controls across the commercial gaming operations. The main categories of risks have been identified as:

Anonymity & Cash Transactions Risks

ML is revealed in transactions (which are not identified by players). Based on the example, a number of cash buy-ins of less than the identity verification limits. Mitigation entails account-based play, limits on cash transactions, and structuring detection.

Player Account Abuse & Behavioral Risks

Among the risks are the use of third parties to store and transfer illegally created money with the use of their player accounts. Account takeovers, use of third parties as mules, and smurfing are also some of the methods that are used to gain account access. Account abuse can be prevented with the help of dynamic risk scoring, verification of sources of funds, real-time monitoring, risk-based due diligence, account security, and authentication prior to access.

Payment & Cross-Border Risks

Foreign jurisdiction and third-party payments, including the payment of gambling by another person or the payout of gambling to third-party accounts, result in a high risk of money laundering and allow criminals to isolate themselves from unlawful funds. These risks may be reduced through EDD of third-party or cross-border payments, authentication of the identity of the players or third parties, frequency of third-party payments, and the scope of third-party payments to PEPs.

High-Value Transaction and VIP Player Risks

Any VIP player or individuals who convert large sums of money in gambling may carry a greater risk of money laundering since the source of their wealth or money may have been as a result of illegal activities. These risks can be eliminated through specialized personnel training, monitoring by senior management, source of funds and wealth verification, and enhanced due diligence.

Internal & Employee Risks

Criminal organizations can use employee complicity to launder funds in the gaming industry. Internal fraud or employee collusion can be discouraged by having separation of duties, a whistleblower mechanism, pre-training, screening, and background checks.

Market Direction, Growth, and Opportunities For New Licenses

The gaming market in the UAE is not targeting volume players, cutting corners. The GCGRA has strategically developed a model of limited supply and high compliance. Not only is the scarcity of licenses coupled with the strict license standards, but operators who invest early in sound KYC and AML infrastructure are not simply evading fines; they are also creating a competitive moat.

For example,  Morgan Stanley projects that the market has the potential to produce between 3 and 5 billion in gross gaming revenue per annum at maturity time. To eliminate legal ambiguity and to indicate permanence, the UAE civil code has been formally revised to eliminate its old gambling provisions. The resort is a structural fulfilment of Wynn. Online gaming is live. More operator licenses to other emirates are expected. The GCGRA has signed an MOU with the gaming regulators of New Jersey, which signifies its desire to be able to fulfil international standards in gold.

To the operators, vendors, and technology providers, it is high time to develop compliance credibility before the next wave of licenses is issued.

How Shufti Fits Into Your GCGRA Compliance Strategy?

Shufti offers a single, AI-driven identity verification and compliance solution to gaming operators that meets financial crime prevention requirements and responsible gaming requirements. Whether you’re an operator preparing a GCGRA license application or a platform onboarding its first players, Shufti supports you with capabilities that regulators expect.

• Identity verification across 10,000+ types of documents in multiple languages that serve as the basis of KYC and self-exclusion.
• Biometric authentication with certified liveness detection is necessary to prevent multi-accounting, impersonation, and spoofing, supporting responsible gaming programs that rely on knowing exactly who each player is
• AML screening against sanctions, PEP, and watchlist databases with continuous monitoring as risk profiles evolve
• Age verification combining document checks with facial age estimation, enforcing the GCGRA’s responsible gaming framework, and the 2025 child digital safety law
• Device and geo-intelligence, including VPN/proxy detection, IP reputation checks, and device fingerprinting, complement certified geolocation providers while adding identity-layer assurance
• Risk-based waterfall orchestration that adjusts verification intensity by player risk level: low-risk players pass through quickly via behavioral biometrics, while high-risk individuals receive proportionate scrutiny, including full document and biometric checks
• Audit-ready records with complete verification histories that support your licensing narrative, ongoing regulatory reporting, and responsible gaming program audits

In a market where your compliance posture can determine whether you get a license at all, the choice of IDV partner is a strategic decision.

Book a demo to explore how Shufti can support UAE gaming compliance.