TL;DR: UK gambling is a £15.6 billion market, online gambling generated £6.9 billion GGY, and 37 million active online accounts now sit inside a tighter age-verification and compliance environment driven by the Online Safety Act and regulator expectations, according to SumSub. The programme challenge is no longer simple onboarding checks; it is continuous trust, fraud resistance, and defensible identity assurance at scale.
NHIMG editorial — based on content published by SumSub: a UK gambling age verification guide focused on regulation, fraud, and customer trust
By the numbers:
- The UK gambling industry stands as a £15.6 billion behemoth.
- over 37 million active online accounts
Questions worth separating out
Q: How should security teams design age verification for regulated digital services?
A: Security teams should define the required assurance level first, then match the verification method to that threshold.
Q: Why does age verification become an identity governance issue?
A: Age verification becomes an identity governance issue when the organisation must prove policy compliance, retain evidence, and defend decisions after the user has been admitted.
Q: What do teams get wrong about balancing compliance and user friction?
A: Teams often assume that stronger verification always means more friction, so they either overcollect data or weaken the check.
Practitioner guidance
- Define the assurance threshold first Map the minimum level of confidence required for each gambling or age-restricted journey, then select proofing methods that meet that threshold and preserve an audit trail.
- Layer fraud signals into verification decisions Combine document validation, device intelligence, velocity checks, and exception review so suspicious registrations are challenged without blocking all legitimate users.
- Automate evidence capture for every decision Store what was checked, why the user passed or failed, and which policy applied so compliance teams can answer regulator queries without reconstructing the workflow later.
What's in the full article
SumSub's full article covers the operational detail this post intentionally leaves for the source:
- Jurisdiction-specific verification expectations for the UK gambling market and adjacent age-regulated services
- Practical guidance on balancing onboarding speed with stricter age assurance and fraud checks
- A broader trend view on how online safety and age verification obligations are reshaping digital identity journeys
- Implementation considerations for turning compliance requirements into usable verification workflows
👉 Read SumSub's guide to UK gambling age verification and compliance →
UK gambling age verification: what it means for IAM teams?
Explore further
Age verification is now an identity governance control, not a product feature. The article shows that regulated customer access in UK gambling depends on proof, decisioning, and retention evidence, not just a yes or no age check. That moves the issue into the same governance territory as assurance policy, auditability, and lifecycle control. Practitioners should treat age verification as part of identity risk governance, not a standalone onboarding widget.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: When should organisations re-check an already verified user?
A: Organisations should re-check users when risk changes, account behaviour shifts, or a new regulatory obligation applies to the journey. Verification should not be treated as permanent. A reviewable account model supports revalidation when the original proof is no longer sufficient for current risk.
👉 Read our full editorial: UK gambling age verification is colliding with compliance pressure