Notifications
Clear all
Topic starter
27/06/2026 1:31 pm
TL;DR: Curaçao’s Gaming Authority has given B2C crypto gambling licensees until June 2027 to meet new rules covering wallet segregation, blockchain analytics, transaction monitoring, due diligence, and recordkeeping, with earlier action possible where material risks appear, according to SumSub. The policy turns crypto activity into a governance problem that spans payments, AML/CFT, and identity-linked controls rather than a narrow treasury task.
NHIMG editorial — based on content published by SumSub: Curaçao Sets 2027 Deadline for Full Compliance With New Crypto Gambling Policy
Questions worth separating out
Q: How should gambling operators govern crypto wallets under new compliance rules?
A: Operators should treat each wallet as a governed identity with a narrow purpose, named ownership, and separate review paths.
Q: When does transaction monitoring become more than a reporting tool?
A: Transaction monitoring becomes a control when its output can block, escalate, or require review before funds move.
Q: What do teams get wrong about third-party crypto support?
A: They often treat external providers as outside the governance boundary.
Practitioner guidance
- Map every crypto wallet to a specific business purpose Separate player, operational, and treasury wallets in policy and in system design, then assign a named owner and approval path to each class.
- Tie transaction monitoring to enforceable decision points Use blockchain analytics to screen deposit and withdrawal wallets, risk-score transfers, and route high-risk activity to review before acceptance or release.
- Complete third-party due diligence before the six-month mark Inventory all virtual asset service providers and other supporting entities, then document what data, wallets, and approvals they can touch.
What's in the full analysis
SumSub's full report covers the operational detail this post intentionally leaves for the source:
- The full policy timeline across the three-month, six-month, and 12-month milestones for licensed operators.
- The specific wallet, monitoring, and recordkeeping obligations that need to be built into operating procedures.
- The crypto asset restrictions and prohibited-wallet categories that change day-to-day compliance decisions.
- The implementation expectations for due diligence, training, and FATF Travel Rule alignment.
👉 Read SumSub’s analysis of Curaçao’s new crypto gambling compliance policy →
Crypto gambling compliance: what identity and wallet controls change?
Explore further
27/06/2026 2:54 pm
Crypto gambling compliance is now an identity governance problem, not only an AML problem. The CGA requirements tie wallet separation, transaction monitoring, due diligence, and audit trails into one operating model. That means access to crypto workflows must be governed like any other privileged process, with explicit ownership and traceability across player, operational, and treasury functions. Practitioners should treat the policy as a lifecycle and accountability redesign, not a narrow monitoring exercise.
A few things that frame the scale:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.
A question worth separating out:
Q: Who is accountable if crypto gambling records cannot be audited?
A: The licensee remains accountable because the policy requires audit-ready recordkeeping, due diligence, and implementation timelines from the operator, not from the regulator. If the organisation cannot reconstruct wallet ownership, transaction reconciliation, and staff training evidence, the compliance failure sits with the operating model, not the ledger.
👉 Read our full editorial: Curaçao’s crypto gambling rules shift compliance toward identity controls
