Face Verification
Address Verification
Document Verification
Age Verification
VideoIdent
Fast ID
Docless Verification
Consent Verification
NFC Verification
Business Verification
Due Diligence
Investor Verification
E-Signature
QES
AML Screening
Transaction Monitoring
Adverse Media
Business AML Screening
PEP & RCA
Sanctions
Watchlist
Behavioural Biometrics
Device Fingerprinting
Biometric Face Authentication
MFA
Fraud Hub
Onboarding
Ongoing Monitoring
KYC
KYB
KYI
Age Assurance
Identity Verification
Workforce IAM
Candidate Verification
Compliance
Fraud prevention
Trust & safety
Global expansion
Product Managers
Compliance Officers
Fraud Analysts
Developers
Deepfake
Bonus Abuse / Promotion Abuse
Account Takeover
Synthetic Identity Fraud
Document Fraud
Impersonation Fraud
Multi-Accounting
Fraud Networks
Chargeback Fraud
Money Mule Activity
Party Fraud
Regulatory & Compliance Risks
Fintech
Crypto
iGaming
Forex
Social Network
Marketplace
Banking
Gig Economy
Payments
Ride Hailing
Adult Content
Blind Spot Audit
Deepfake Detector
Liveness Spoofs
Document Originality
Document Deepfake
Global Trust Platform
Journey Builder
Case Management
Shufti AI
Fraud Analytics
Vendor Comparison
Brand Personalisation
IDV Modes
AI Compliance Co-Pilot
OCR
Secure Capture
Deployment Options
Identity Methods
API Documentation
Mobile SDKs
Service Status
Help Center
Contact Us
Technical Support
Supported Documents
Supported Countries
Content library
Blogs
News
Reports
Insights
Knowledgebase
ROI calculator
About
Career
Press Release
Certifications
Partnership
Awards
Events & Webinar
Interactive Demo
Podcast Studio
Spotlight Studio
Gaming & iGaming
Protect your licence, your players, and your revenue from one compliance platform
Age verification, player KYC, AML screening, and self-exclusion register integration in a single flow. Shufti covers player verification, fraud prevention, and ongoing compliance for licensed gaming operators across 240+ countries actively processed.
Proven Performance
Our impact, by the numbers
- <30sMedian Time-to-Decision
- 4,000+Watchlists Screened
- 240+Countries Actively Processed
Trusted by Leading Digital Enterprises Worldwide
Compliance Without Compromise
Why iGaming Choose Shufti
-
Stay Ahead of Regulatory Change
UKGC LCCP, the MGA Player Protection Directive, KSA Cruks, Spelpaus, GlueStV, and the EU DSA age-assurance regime each impose distinct operator obligations. Shufti's compliance rule sets and jurisdiction coverage update continuously, so regulatory changes do not require engineering sprints.
-
Stop Fraud Before It Reaches Your Platform
Deepfake face attacks, synthetic identities, and organised multi-account rings hit gaming platforms at every stage of the player lifecycle. Shufti's iBETA Level 3-certified liveness detection and device intelligence intercept fraud at first contact, before a fraudulent account is ever verified.
-
Verify Players Without Losing Them
A median decision time under 30 seconds across 240+ countries actively processed means legitimate players clear verification before abandonment becomes a risk. Risk-tier configuration routes low-risk players through lighter checks without reducing scrutiny on high-risk segments.
Secure Every Stage Of The iGaming Customer Lifecycle
Sign Up
Bot Account Farming
Scripts mass-register sportsbook and casino accounts to sweep welcome bonuses, free spins, and no-deposit offers before a single human has signed up. Proprietary Device Fingerprinting spots shared emulator stacks and rotating proxies across every "unique" signup. Behavioural Biometrics kills the sweep at registration; machine-speed form fills and zero dwell time have no human equivalent. The Fraud Hub blocks the ring before any bonus credit is allocated.
Synthetic Identity Registration
A fraudster builds a fictitious player profile from leaked PII to pass onboarding checks. Shufti's eIDV independently cross-references the declared identity against government, telco, and credit bureau databases; an identity with no real-world footprint does not clear the check. The Fraud Hub holds the account pending manual review.
Multi-Account Creation
A player opens multiple accounts using name variants and family IDs to claim the same welcome bonus or free-spin offer repeatedly. Device Fingerprinting links every registration to the same device and network cluster. The Fraud Hub intelligently surfaces the coordinated pattern before any bonus credit is allocated.
Geolocation Spoofing
A player in a restricted jurisdiction (e.g., a blocked US state or sanctioned country) registers via a residential proxy to appear locally compliant. Device Fingerprinting detects VPN and proxy signals inconsistent with a genuine residential connection. Address Verification finds no real footprint at the declared location, holding the registration before platform access is granted.
Proxy Abuse
A device farm routes hundreds of casino sign-up attempts through emulated devices and rotating residential proxies to appear as independent users. Device Fingerprinting identifies emulator signatures at OS level, scoring each device's hardware and network profile against known emulator indicators. Shared proxy infrastructure across the cluster surfaces the farm as a single coordinated operation before any account is activated.
Stolen Identity Registration
A fraudster uses real victim credentials purchased from a breach market to open a player account, relying on the victim's clean history to pass initial checks. eIDV detects contact detail mismatches with the known data footprint for that identity. Face Verification requires a live selfie; the fraudster holds the document but not the face, stopping the account cold.
Mule Recruitment Onboarding
Operators unknowingly onboard money mules recruited via social media or fake job ads to open gaming accounts for layering illicit funds. AML Screening flags known mule recruitment indicators and consolidated adverse media at the point of sign-up. The Fraud Hub identifies device clusters and referral chains consistent with organised mule onboarding rings, holding accounts for enhanced review.
Verify Age
Underage Access via Fake ID
A minor submits a borrowed or fabricated document to meet age requirements on a gambling or casino platform. Shufti's Age Verification applies an age estimation screen before document capture, flagging significant inconsistency early. Document Verification detects edits and printing inconsistencies specific to tampered documents. A document that fails does not advance the player to the platform.
Borrowed-ID Age Bypass
A minor uses a parent's or sibling's verified ID, assuming the document alone will pass the age gate. Face Verification matches the live selfie against the face on the document; a minor submitting an adult's ID fails both the face match and the age estimation check before the session proceeds.
Document Forgery
A fraudster submits a dark-web-purchased or forged passport to pass KYC at a licensed gambling platform. Document Verification runs forensic tamper detection across fonts, holograms, and MRZ structure. NFC Verification reads the cryptographic chip in e-passports; a chip that cannot be cloned means image manipulation fails at the chip level.
AI Face Attack
An attacker injects an AI-generated deepfake video into the selfie step to pass face-match KYC without the real player present. Shufti's Face Verification applies 3D depth mapping and micro-movement liveness analysis at capture. The iBETA Level 3 ISO/IEC 30107-3 certification confirmed 0% APCER against expert-grade attacks; a synthetic face is rejected on liveness grounds before identity is assessed.
Self-Exclusion Bypass via New Identity
A self-excluded player re-registers using a new document and a slightly altered name, expecting the operator to check only declared fields. Shufti's 1:N Face Verification screens every new applicant's selfie against all previously enrolled and excluded faces. AML Screening cross-references the new registration against self-exclusion indicators; the player is identified by face before the account is activated.
KYC Recycling
A fraudster reuses the same real identity package across multiple iGaming platforms, exploiting siloed KYC checks to onboard at each operator independently. eIDV detects unusually high-frequency onboarding attempts at point of entry. Face Verification links the same biometric identity across multiple applications, flagging the recycled identity without requiring cross-platform data sharing.
Self-Exclusion Bypass via New Identity
A fraudster submits a template-based fake ID to pass KYC at a licensed iGaming platform. Document Verification runs forensic analysis detecting printing characteristics, font rendering, and metadata anomalies genuine documents don't share. NFC Verification confirms whether the document holds a valid cryptographic chip; template fakes that appear visually authentic fail at the forensic or chip stage.
Risk Screening
Sanctions & Watchlist Evasion
A sanctioned player registers at an iGaming operator using a transliterated name or alias not matching the exact string. Shufti's AML Screening applies fuzzy matching and phonetic algorithms across consolidated 4,000+ watchlists and 215+ sanctions regimes; every name variant is processed simultaneously. A match on any variant holds the registration before a single game is played.
PEP Exposure Without EDD
A politically exposed person registers on a sportsbook without disclosing their status, expecting a basic name-match check to miss them. Shufti's AML Screening covers four PEP tiers including associates and close family members. A match triggers an automatic EDD workflow requiring defensible source-of-funds documentation before the account is activated, in line with LCCP and FATF guidance.
Adverse Media Concealment
A player with a criminal history or regulatory breach confines their coverage to local-language media that English-only systems miss. Shufti's AML Screening covers 50,000+ adverse media sources across 80+ languages, applying severity classification intelligently to each result. Coverage in any language surfaces alongside the player's risk profile before account activation.
Self-Excluded Player Re-Onboarding
A GamStop, Cruks, or Spelpaus self-excluded player attempts to onboard at a licensed operator under the same or slightly modified identity. Shufti's AML Screening queries self-exclusion schemes in real time at every new registration. A match triggers the operator's configured response; account hold or rejection; before the player reaches the platform.
High-Risk Jurisdiction Misrepresentation
A player in a restricted jurisdiction (e.g., a blocked US state or sanctioned country) declares a permitted country of residence, relying on a VPN exit node to pass an IP check. Device Fingerprinting detects VPN and proxy signals inconsistent with a genuine residential connection. Address Verification finds no real footprint at the declared location. AML Screening confirms whether the declared jurisdiction carries elevated risk, holding the registration before deposit access is granted.
Beneficial Owner Sanctions Concealment
A corporate iGaming account is structured through shell layers specifically designed to place a sanctioned UBO several steps from the named applicant. Shufti's Due Diligence maps the full corporate ownership chain to the ultimate beneficial owner, processing every intermediate layer. A sanctioned UBO anywhere in the chain blocks the account at the corporate verification stage, not only if the sanctioned person is the named director.
Deposit
Stolen Card
A fraudster loads a stolen card onto a newly created casino account, aiming to convert the balance to a withdrawal before the cardholder disputes. Device Fingerprinting scores the device against known CNP fraud profiles. Transaction Monitoring detects deposit velocity and funding patterns inconsistent with a genuine player. A high-risk combination holds the transaction for review before funds are credited.
Friendly Fraud
A verified player makes a deposit, plays their balance, then disputes the charge with their bank claiming the transaction was unauthorised. Consent Verification records the player's explicit, timestamped authorisation of each deposit within their verified session. The consent record is an irrefutable evidence artefact; when the chargeback arrives, the operator presents it and removes the unauthorised-transaction basis for the claim.
Money Mule Deposit
An iGaming account receives deposits from multiple unrelated third parties before layering toward a withdrawal. Transaction Monitoring detects third-party funding patterns inconsistent with a registered payment method. AML Screening cross-references deposit sources against watchlists in real time. The Fraud Hub accumulates signals and surfaces the mule pattern for compliance review before funds are released.
Layering and Structuring (Smurfing)
A laundering network splits a large illicit sum across dozens of casino accounts and sessions, each deposit deliberately kept below trigger thresholds. Transaction Monitoring detects sub-threshold clustering across accounts linked by device or identity. The Fraud Hub connects the ring through shared device identifiers and surfaces the structuring pattern for AML review before any withdrawal is permitted.
Card-Not-Present Fraud
Fraudsters run automated scripts against the deposit endpoint using batches of stolen card numbers, completing multiple deposits per minute. Device Fingerprinting identifies scripted behaviour and CNP fraud device profiles. Transaction Monitoring flags deposit velocity exceeding any plausible human session rhythm; high-velocity clusters are blocked and routed to the fraud review queue.
Test-Card Carding Attacks
Attackers run rapid micro-transactions against the casino deposit endpoint to validate stolen card numbers, keeping each transaction low enough to avoid triggering fraud review. Transaction Monitoring detects the rapid low-value sequence as a carding pattern rather than independent events. Device Fingerprinting links all test transactions to a single device profile; the device is blocked before full-value exploitation begins.
Play / Bet
Bonus and Promo Abuse
A player creates multiple accounts to claim the same welcome bonus or free-spin offer, or coordinates a network to sweep refer-a-friend rewards. Face Verification (1:N) confirms each verified account belongs to a biometrically distinct individual. Device Fingerprinting links accounts sharing hardware or network identifiers. The Fraud Hub presents the cluster as a single case before bonuses are distributed.
Organised Multi-Account Rings
A coordinated fraud ring deploys dozens of iGaming accounts across synthetic and real identities to sweep per-user promotions simultaneously. Shufti's 1:N Face Verification screens every account's selfie against the full enrolled population, identifying shared faces across accounts regardless of the name attached. Device Fingerprinting maps the shared infrastructure across the ring. The Fraud Hub presents the ring as a single case for operator action.
Referral Exploit Fraud
A player self-refers by creating secondary accounts, or coordinates a small group to manufacture a referral cluster and sweep referral credit. Device Fingerprinting detects overlap between referrer and referred accounts, flagging shared device identifiers or network infrastructure at registration. The Fraud Hub scores the cluster against known exploit patterns; referral credit for flagged groups is held pending review.
Account Takeover During Play
An attacker uses a stolen session token to take control of an active casino or sportsbook session, placing large bets while the legitimate player is unaware. Behavioural Biometrics monitors interaction patterns continuously throughout the session; a mid-session shift in typing rhythm, mouse movement, or touch pattern triggers a step-up re-authentication request. The session is suspended until the legitimate account holder confirms their presence biometrically.
Collusion in Multi-Player Games
Two or more players coordinate betting strategy in poker or table games to extract value from other participants while appearing independent. Transaction Monitoring surfaces correlated bet timing, shared net-outcome patterns, and synchronised session activity. The Fraud Hub links the accounts through shared device fingerprints, presenting the coordination as a connected case for review.
Emulator / Device Farming for Play
A bot operator farms loyalty points, tournament entries, or in-game rewards at scale using emulated devices. Device Fingerprinting identifies emulator signatures and headless browser profiles at the session level, applying the same checks as registration throughout each active session. Behavioural Biometrics flags inhuman interaction rhythms; sessions matching bot profiles are terminated and accounts flagged before rewards are distributed.
Withdraw
Account Takeover Withdrawal
An attacker who has gained account access through credential stuffing attempts a full-balance withdrawal to an external wallet before the legitimate owner is alerted. Shufti's Biometric Face Authentication requires a live selfie matched against the enrolled KYC biometric before any withdrawal is processed. Stolen credentials alone cannot authorise a withdrawal without the enrolled face being present.
Money Laundering via Declared Winnings
Illicit funds are deposited across iGaming accounts, minimal play is conducted, and balances are withdrawn as apparent gambling winnings to provide a legitimate origin narrative. Transaction Monitoring flags accounts where the ratio of play engagement to deposit-withdrawal volume is inconsistent with genuine gambling behaviour. AML Screening cross-references the withdrawal destination against watchlists; cash-in and cash-out patterns are escalated for AML review before withdrawal is processed.
Rapid Cash-Out Scheme
A fraudster deposits funds, plays minimally, and attempts a full withdrawal within minutes, completing the cycle before monitoring alerts fire. Transaction Monitoring flags anomalous deposit-to-withdrawal velocity, escalating rapid cash-out patterns inconsistent with the account's play history before the transaction is processed.
Withdrawal Destination Manipulation
An attacker with partial account access swaps the registered payout destination immediately before withdrawal, redirecting funds to a controlled account. Biometric Face Authentication requires step-up biometric re-verification for any destination change; the attacker cannot reroute the payout without producing the account holder's enrolled face. Device Fingerprinting flags the session as a new or suspicious device, triggering an additional hold.
Chargeback After Successful Withdrawal
A player withdraws their winnings, then disputes the original deposit with their card issuer to keep both the withdrawal and a refund. Consent Verification records the player's explicit, timestamped authorisation of the deposit linked to their verified biometric identity. Transaction Monitoring captures the full deposit-play-withdrawal chain; the consent record is presented in response to the chargeback, establishing the deposit was authorised by the verified account holder.
Sanctioned Destination Payout
A player attempts to withdraw funds to a bank account or e-wallet registered in a sanctioned jurisdiction, either directly or via a mule account. AML Screening checks every withdrawal destination against active OFAC, UN, EU, and national sanctions lists before submission. Transaction Monitoring flags new or unverified payout destinations; sanctioned destination transactions are held for compliance review rather than processed automatically.
Account Management
Password Reset Account Takeover
An attacker who has compromised a player's email or phone initiates a password reset to take over the account. Biometric Face Authentication requires live biometric re-verification before any reset is confirmed; the reset is blocked unless the enrolled face is present. MFA (TOTP) adds an authenticator-app layer independent of the compromised channel. Device Fingerprinting flags a reset attempt from a device not previously associated with the account, triggering additional review before the reset is processed.
SIM Swap / 2FA Bypass
An attacker social-engineers a player's mobile carrier into porting their number, then uses redirected SMS codes to bypass 2FA and access the account. MFA (TOTP) eliminates SMS-based authentication entirely, removing the SIM-swap attack vector. Biometric Face Authentication provides a biometric fallback that the attacker cannot satisfy without the enrolled face being present. An authentication attempt from a new device following a port event triggers an additional step-up check before the session is established.
Support Channel Social Engineering
An attacker contacts the support team, provides personal details obtained from a data breach, and requests that limits be raised or registered details be changed on behalf of the legitimate account holder. Shufti's Biometric Face Authentication or Fast ID requires biometric re-verification directly from the account holder for any sensitive account change, separate from whatever the support interaction concludes. No quantity of accurate PII substitutes for the enrolled biometric at the point of change confirmation. The modification is not processed until the account holder completes verification independently.
Identity Detail Change to Evade Screening
A player who has received an AML flag alters their registered name or date of birth in profile settings, expecting the change to reset their screening profile and defer further compliance scrutiny. Shufti's AML Screening treats any modification to core identity fields as a trigger for full re-verification and an immediate AML re-screening run. Document Verification confirms that the newly submitted identity is consistent with the existing enrolled biometric before the change is accepted. eIDV cross-references the updated details against the same independent data sources used at original onboarding, ensuring the modification does not create a clean screening record from a flagged one.
Fraudulent Payment Method Addition
An attacker who has gained partial account access attempts to add their own bank account as a fiat withdrawal destination before initiating a transfer, aiming to redirect funds to a controlled account. Shufti's Biometric Face Authentication requires a biometric step-up for the addition of any new payout destination, not only for the subsequent withdrawal transaction. Device Fingerprinting flags payment method additions attempted from devices not previously associated with the account. The new destination cannot be saved or used without the account holder's live biometric confirmation.
MFA Bombing
An attacker triggers repeated push authentication requests to the legitimate user's device, hoping confusion or fatigue will cause them to approve a prompt they did not initiate. Shufti's MFA implementation is TOTP-based rather than push notification-based, removing the ability to generate unwanted approval requests to the user's device. Behavioural Biometrics flags unusual authentication sequences that deviate from the account holder's established login patterns, surfacing the anomaly even before a user interaction completes. An authentication pattern that does not match the enrolled profile triggers a step-up check rather than proceeding automatically.
Source of Funds Check
Source-of-Funds Document Fabrication
A player approaching the UKGC net-deposit threshold submits a forged payslip or edited bank statement to satisfy the financial vulnerability check without providing genuine income evidence. Shufti's Document Verification applies forensic analysis to income documents, detecting editing artefacts, font inconsistencies, and template markers that distinguish fabricated documents from genuine ones issued by employers or financial institutions. eIDV cross-references the declared employer and income level against independent data sources to confirm that the stated employment exists and is associated with the player's verified identity. A document that fails forensic or electronic corroboration is flagged for manual review before the threshold check is marked as cleared.
Income Misrepresentation
A player submits a self-declaration that significantly overstates their annual salary, aiming to avoid triggering the enhanced affordability scrutiny applicable at the relevant net-deposit threshold. Shufti's eIDV cross-references the self-declared income figure against independent financial and employment data associated with the player's verified identity. Address Verification confirms that the player's residential profile is consistent with the declared income bracket and lifestyle indicators. A declared income figure that does not align with the player's verifiable financial footprint is flagged for further review before the declaration is accepted.
Source-of-Wealth Fabrication
A high-deposit player presents fabricated documentation claiming inheritance proceeds, a business sale, or investment returns to explain a large account balance that is inconsistent with their registered income profile. Shufti's Document Verification examines the submitted source-of-wealth documents for forensic indicators of fabrication, including editing artefacts and structural inconsistencies specific to forged legal or financial documents. Due Diligence cross-references the stated wealth event, such as a named business sale or inheritance, against publicly available commercial and legal records. A claimed wealth origin that produces no verifiable public record is escalated to the compliance team before the player's risk tier is adjusted.
Tax Residency Fraud
A player falsely declares residency in a lower-risk or lower-tax jurisdiction to reduce their assigned risk tier and avoid the enhanced financial checks applicable in their actual country of residence. Shufti's Address Verification cross-references the declared tax jurisdiction against independent address data associated with the player's verified identity. A mismatch between declared residence and the identity's verifiable address footprint triggers an EDD workflow requiring additional documentation before the declaration is accepted. The player's risk tier is recalculated based on the verified jurisdiction rather than the one they chose to declare.
Mule Claim of Legitimate Income
An account that has been receiving third-party mule transfers submits employment documentation to explain the inflows as salary payments, expecting income evidence alone to satisfy the source-of-funds check. Shufti's Transaction Monitoring cross-references the deposit pattern, specifically the origin accounts and transfer timing, against the income profile the player has submitted for the check. AML Screening flags third-party funding sources whose structure and frequency are inconsistent with genuine salary or employment income. The combination of irregular deposit origin and submitted employment evidence is presented together for compliance review rather than being assessed in isolation.
Shell Company Funding Concealment
A corporate player routes deposits through a chain of shell entities designed to place the true source of funds several ownership layers from the account holder's registered name. Shufti's Due Diligence maps the full corporate structure behind each depositing entity, tracing every holding layer to the ultimate beneficial owner regardless of the depth of the structure. Each identified UBO and connected entity is screened against AML watchlists, sanctions lists, and adverse media databases. A deposit chain that terminates in a shell entity with no verifiable commercial activity is escalated before funds are applied to the account balance.
Close Account
Pre-SAR Closure
A player who anticipates a suspicious activity report requests account closure and simultaneously invokes GDPR erasure rights, aiming to destroy transaction evidence before the report is filed. Shufti's AML Screening and Transaction Monitoring trigger a mandatory final compliance review on any account closure request, independent of the stated reason. Regulatory retention obligations under UKGC LCCP and FATF Recommendation 22 override the erasure request for records that fall within the mandatory retention window. Closure is processed only after the SAR review is complete and retention obligations are confirmed as met.
Balance Extraction Before Closure
An account holder initiates a full-balance withdrawal immediately after receiving a compliance communication, then submits a closure request, aiming to move all funds out of reach before any hold can be applied to the account. Shufti's Transaction Monitoring flags full-balance withdrawal events that follow compliance communications as a priority signal requiring immediate review. An automatic hold is applied to the balance before the withdrawal clears the account. The closure request is not processed until the hold is reviewed and resolved by the compliance team.
Re-Application Under New Identity
An offboarded or excluded player applies for a new account using a different document and a modified name, expecting the operator to check new registrations only against the identity fields submitted rather than against the platform's full biometric history. Shufti's 1:N Face Verification screens every new applicant's selfie against all previously enrolled accounts, including deactivated and excluded ones, at the point of KYC capture. AML Screening cross-references the new registration against the operator's closure and exclusion records associated with the returning player's prior account. The returning player is identified by biometric regardless of the identity they choose to present.
Self-Exclusion Register Evasion Post-Closure
A player closes their account and immediately registers with a self-exclusion scheme, then applies to a sister brand or the same operator before the exclusion has propagated to the new registration check. Shufti's self-exclusion register integration queries the relevant API in real time at every new registration, not on a periodic batch cycle. Daily automated re-checks on all active accounts catch newly registered exclusions before the player's next session on any connected platform. Biometric deduplication confirms the returning player's identity at registration regardless of the name or document they submit.
GDPR Erasure to Destroy Evidence
A player invokes Article 17 erasure rights targeting transaction records that are directly relevant to an open or anticipated AML investigation, expecting the erasure request to be processed automatically without compliance review. Shufti's AML Screening applies regulatory retention flags to records that fall within mandatory retention obligations under UKGC LCCP and FATF Recommendation 22 requirements. An erasure request covering a flagged record is routed to the compliance team rather than processed automatically by the platform. The records are retained for the duration of the applicable regulatory obligation, and the erasure is deferred and explained to the requestor in accordance with data protection guidance.
Close-and-Reopen Cycling
A player deliberately closes their account and re-registers to reset their bonus eligibility, loyalty tier, or risk score, expecting each new account to be treated as a completely fresh customer with no history. Shufti's Device Fingerprinting carries risk signals associated with a device beyond account closure, so a re-registration from the same hardware inherits the prior account's flags at the point of sign-up. Face Verification (1:N) links the new registration to the closed account at the selfie capture step, regardless of the name or document submitted. The Fraud Hub presents the cycling pattern as a connected record and the returning player's prior risk classification is applied to the new account.
Built For Every Role That Owns The Onboarding Decision
Combine products across identity, compliance, and fraud defence to build a verification stack that meets your regulatory requirements; without rebuilding the integration each time the rulebook changes.
Compliance Officer
Stop manually reconciling data across four compliance vendors. Shufti produces a single, jurisdiction-mapped evidence package for every player decision, updated in real time, exportable for any examiner.
Head of Product
Configure age gates, self-exclusion checks, and financial vulnerability triggers per jurisdiction without an engineering sprint. Risk-tiered routing keeps the player journey clean for low-risk accounts.
Head of Engineering
Deploy a single REST API covering age verification, KYC, AML screening, self-exclusion registers, and ongoing monitoring. Average integration timelines and full SDK coverage available for review.
Fraud Analyst
A unified Fraud Hub surfaces device signals, behavioural patterns, and biometric deduplication results in one view. Cut manual review time and stop chasing flags across disconnected dashboards.
Everything you need to know in one place
Frequently Asked Questions
In the UK, UKGC Licence Condition 17 and SR Code 3.2.11 require age and identity verification before any deposit or play. The EU Digital Services Act adds age-assurance obligations for high-risk services including gambling. Malta Gaming Authority, the Dutch KSA via the Cruks register, Sweden's Spelpaus, and Germany's GlueStV each impose distinct integration requirements. FATF Recommendation 22 applies AML obligations to casino operators as DNFBPs. Shufti maintains compliance rule sets across all of these jurisdictions.
Shufti supports configurable net-deposit threshold triggers. When a player reaches the applicable threshold within the rolling 30-day window, the source-of-funds documentation workflow activates within the existing session. The outcome, evidence type, and timestamp are stored in the audit trail. The UKGC's approach confirms that most accounts will be resolved using publicly available credit data without requiring manual document uploads, and Shufti's integration supports this data-first approach.
GamStop integration queries the API at registration and every login, with daily automated re-checks of all active accounts to catch newly self-excluded players before their next session. The same architecture supports Cruks in the Netherlands, Spelpaus in Sweden (including the real-time API requirements live from August 2026), OASIS in Germany, and equivalent national registers. Each exclusion match produces a timestamped record stored in the audit trail.
iBETA Level 3 is an evaluation under ISO/IEC 30107-3 Presentation Attack Detection that covers expert-grade attacks: high-fidelity silicone masks, AI-generated deepfake video, and injection attacks targeting the verification stream. Shufti passed Level 3 on both iOS and Android with 0% APCER and 0% BPCER, confirmed 6 May 2026. For gaming operators, this means the liveness check cannot be bypassed by the attack types currently in circulation on dark-web fraud markets.
Where local regulation permits, Shufti supports electronic identity verification flows that confirm name, address, and date of birth against government, telco, and credit bureau databases without a physical document scan. NFC verification is available for players with e-passport-capable devices, providing chip-level assurance. Jurisdiction-specific policy configuration in Journey Builder determines which flow applies to each player segment without engineering intervention.
A sandbox environment is available for integration testing using a standard API key. The single REST API covers age verification, document verification, biometric liveness, AML screening, self-exclusion register integration, and ongoing monitoring, removing the multi-vendor integration cycle that typically extends deployment timelines. Full production integration timelines depend on platform architecture and the number of jurisdictions in scope.
Evaluate Shufti Against Your Current Gaming Stack
UKGC LCCP, the MGA Player Protection Directive, and GamStop mandatory integration require a compliance architecture that connects player identity to ongoing AML monitoring to self-exclusion to source-of-funds checks on a single evidence chain. Point-solution stacks cannot share identity records, produce consistent audit trails, or respond to regulatory changes from a single configuration source.