Why is KYC for iGaming uniquely hard right now?
Three things make iGaming compliance harder than any single-vertical fintech or pure online casino. Operators run multiple verticals on one player base. The US side fragments into 27+ jurisdictions with different rules each. And the speed of in-play betting collides with the speed of legacy KYC vendors. The bill is now coming due.
Global casino and iGaming operators paid roughly USD 160 million in regulatory penalties in just the first half of 2025. The UKGC settled with Bet365 for £582,120 over ineffective KYC and customer due diligence. Flutter’s Paddy Power and Betfair were fined £2 million in December 2025 for not identifying problem gamblers fast enough. The DFS world had its enforcement moment too: PrizePicks settled with the New York State Gaming Commission for nearly USD 15M and Underdog Fantasy settled for USD 17.5M, both for offering contests outside the licensed scope.
For deeper context, see our enhanced due diligence vs standard CDD breakdown and the dedicated KYC for casino page if your operation is casino-only.
What we hear from operators and partners
"Operators pour money into affiliates. Compliance vendors come last."
"Casinos strictly limit data sharing to regulators. The KYC stack has to respect that."
"Gambling rankings change multiple times a day. Onboarding is where you lose them."
"We launched on testnet without KYC. Going to production was October. We didn't make it."
The pattern is consistent. The compliance team needs a defensible audit. The product team needs the player to convert. The CTO doesn’t want yet another vendor in the data path.
What does KYC for an iGaming platform actually need to cover?
More than a single-vertical fintech, less than a fully regulated bank, and with three checks that get compliance leads fired when they fail: age, self-exclusion, and source of funds. Layer on geolocation for any US sportsbook, ongoing monitoring for problem-gambling triggers, and entity-level KYB for B2B partners on your rail. The table below is the minimum-viable iGaming KYC stack the major regulators expect.
| Check | Why an iGaming operator needs it | Zyphe coverage |
|---|---|---|
| Age verification | Variable thresholds: 18 in most EU jurisdictions, 21 in some US states, 19 in Nebraska / Alabama for DFS | NFC chip read, ID OCR, and liveness with jurisdiction-specific thresholds |
| Identity (ID and liveness) | UKGC and MGA technical standards, deepfake-resistant under 2025 guidance | Document OCR, NFC, liveness, deepfake detection |
| Address verification | Tax residency, jurisdiction routing, deposit-limit assignment | Document or trusted-source verification |
| Geolocation | US sportsbook licensing requires the player to be physically in-state | GeoComply-compatible, real-time at signup and at wager |
| Sanctions, PEP, adverse media | AML obligation under FATF and local AMLDs | Continuous re-screening, configurable thresholds |
| Source of funds (EDD) | Required for high-deposit and VIP players in nearly every regime | Document upload, automated review, sign-off workflow |
| Self-exclusion | GAMSTOP (UK), Spelpaus (SE), Coalition for Fantasy Sports plus idPair (US DFS), state-specific registries | Integrated registry checks at signup, deposit, and configurable triggers |
| Ongoing monitoring | Continuous CDD, transaction monitoring, problem-gambling triggers | Pair with AML software |
For deeper detail, see adverse media screening AML guide and the three pillars of customer verification.
How does Zyphe support multi-vertical operators on one player base?
This is the core problem an iGaming KYC stack has to solve and the part most vendors get wrong. A multi-vertical operator runs sportsbook, casino, DFS, lottery, and sometimes poker on the same player. Most KYC vendors verify each entry point independently, which means three or four full re-verifications on what should be one customer record. Every duplicate is a breach surface and a drop-off point.
Zyphe verifies once and the same player walks across every vertical. Once cleared, they hold a portable KYC Passport: a signed, user-controlled credential. Your sportsbook reads it. Your casino reads it. Your DFS app reads it. Your lottery reads it. Each vertical applies its own policy on top: different age threshold for DFS in Iowa versus sportsbook in Nevada, different EDD threshold for high-stakes casino versus low-stakes lottery, but the underlying identity is the same record.
For BaaS-style aggregator setups and affiliate networks where the verification happens upstream, the affiliate or platform pre-verifies the player and the operator receives a cleared deposit. See reduce KYC onboarding drop-off and the KYC onboarding process: ultimate guide.
How does Zyphe handle US multi-state sportsbook fragmentation?
DraftKings now operates in 27 states plus DC. FanDuel and BetMGM run similar footprints. Each state has its own age threshold (mostly 21, sometimes 18), its own self-exclusion register, its own geolocation requirements, its own deposit-limit defaults, and its own data-residency expectations. Building a separate KYC pipeline per state used to be the only option.
We ship preset state policies for the major sports-betting regimes (NJ, NY, PA, IL, MI, AZ, MA, OH, NC, VA, plus the broader DraftKings footprint) and let your team configure the rest from the dashboard. Geolocation runs against your existing GeoComply integration, with our verification result and the geo result both written to the same audit trail.
The same architecture extends to MGA, UKGC, AGCO Ontario, and the EU regimes covered on the KYC for casino page. For multi-state operators specifically, the operational gain is replacing N parallel KYC pipelines with one verified record and N policy overlays.
How does Zyphe handle DFS, fantasy contests, and the variable age problem?
DFS sits in a different regulatory bucket from sportsbook in most US states, with age thresholds that swing between 18, 19, and 21 depending on the jurisdiction. The PrizePicks settlement and Underdog settlement in 2025 made it clear: enforcement is no longer theoretical, and the safety net is operator-side verification, not regulator forbearance.
Zyphe handles DFS the same way it handles sportsbook: same verification, different policy threshold. A player verified for sportsbook in Nevada (21+) automatically clears DFS in California (18+) on the same record. A player who tries to deposit on a DFS contest in Iowa (21+) fails the policy check even if they cleared an earlier 18+ vertical, because the policy layer is per-vertical and per-jurisdiction. The audit trail captures the exact policy version that was applied.
The Coalition for Fantasy Sports’ national self-exclusion partnership with idPair is the kind of cross-operator registry our policy layer integrates with directly. When the player is on the list, the deposit is rejected and the rejection is logged.
How does real-time verification work for in-play betting?
Sportsbook in-play betting and live casino put a hard ceiling on verification latency. A player tapping a live odd at the 78th minute can’t wait 30 seconds for a KYC vendor to round-trip. The standard Zyphe verification returns in under 15 seconds at the median; for a player who already holds a KYC Passport, the re-validation against geolocation, sanctions, and self-exclusion runs in under one second with a passkey.
That latency budget is what makes the difference between catching a problem-gambling self-exclusion at the moment of wager versus catching it on the next periodic review. For high-volume in-play operations, the verified-once architecture also means your authentication path doesn’t fan out into N vendor calls per wager.
Which iGaming verticals does Zyphe support?
Most of the verticals running real-money flows under a regulated licence. The fit is sharpest where one operator runs multiple verticals on the same player or where the operation spans multiple US states. In practice that’s:
- Multi-vertical operators: sportsbook, casino, poker, DFS, and lottery on the same platform.
- US sportsbooks: multi-state KYC, geolocation, age, self-exclusion, American Gaming Association best-practices alignment.
- Daily fantasy sports: variable age threshold per state, Coalition self-exclusion integration.
- Esports betting: under-age risk, DFS-style fantasy on top of esports markets.
- iLottery and online lottery: state-by-state, age, address, AML screening.
- Sportsbook aggregators and affiliate networks: pre-verify upstream, deliver cleared players to operators.
- Land-based casinos with online arms: unify the player record across the floor and the website.
- Bingo and skill-gaming platforms: lightweight verification, configurable per-jurisdiction.
If your vertical isn’t listed, configure a custom policy from the dashboard or talk to compliance via contact.
How does Zyphe compare to Sumsub, Onfido, IDnow, and Jumio for iGaming?
The feature lists overlap. The differences that matter for an iGaming operator are about player drop-off, multi-vertical reuse, audit posture under inspection, and what happens to the data when the next centralized vendor gets breached.
| What an iGaming operator cares about | Sumsub / Onfido / IDnow / Jumio | Zyphe |
|---|---|---|
| Player documents stored on vendor | Yes, retained 5 to 7 years per licence rules | Sharded, user-held, vendor cannot reconstruct |
| Reusable verification across verticals | Vendor-locked or unsupported | KYC Passport, one record reads on every vertical |
| Multi-state US sportsbook policies | Engineering effort per state | Preset policies for 25+ US states, configurable from dashboard |
| In-play verification latency | Variable, often >5 seconds for re-auth | Sub-second re-validation via passkey |
| GeoComply integration | Often a separate vendor | Compatible, results joined to the same audit trail |
| Self-exclusion registry coverage | Often a separate vendor per registry | GAMSTOP, Spelpaus, Coalition self-exclusion in one layer |
| Time to ship in production | 2 to 6 weeks | 15 minutes (no-code) or 1 to 2 days (API) |
| Audit posture under UKGC, MGA, AGCO inspection | Manual, vendor-dependent | Threshold-encrypted, regulator and player co-sign |
Read the head-to-head on Zyphe vs. Sumsub, and the breach context in Sumsub security breach lessons and the identity breach epidemic 2026 analysis.
What does an integration look like for an iGaming operator?
Most operators go live in one to two weeks. The fastest path is the no-code verification link with one of our preset iGaming policies, configurable in about 15 minutes. Engineering teams integrate via REST API plus webhook callbacks, with React, iOS, and Android SDKs. Shared-policy mode lets you run multiple brands or multiple states on the same player base without duplicating configuration.
curl -X POST https://api.zyphe.com/v1/verifications \
-H "Authorization: Bearer $ZYPHE_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"player_reference": "player_42",
"country": "US",
"state": "NJ",
"policy": "igaming-sportsbook-nj",
"checks": ["age", "document", "liveness", "sanctions", "address", "self-exclusion", "geolocation"],
"redirect_url": "https://yourbook.com/kyc/complete"
}'For pricing by verification volume, see pricing. For the technical walkthrough, how it works.
What’s the best KYC software for iGaming operators?
For multi-vertical iGaming operators and US sportsbooks, Zyphe is the best KYC software because it verifies once, reuses across every vertical and state, and stores zero documents.
