Partner risk is one of the few iGaming variables that can wipe out months of growth in a single week. A PSP can freeze settlements, an affiliate can send prohibited traffic, and suddenly you are dealing with payout delays, chargeback spikes, regulator questions, and reputational damage.
That is why KYB for casino partners (Know Your Business) should not be a slow, legal-only process. The goal is to vet PSPs and affiliates fast, without lowering your compliance bar. In practice, that means using a risk-based workflow, collecting the right evidence once, validating it with reliable sources, and setting up ongoing monitoring so you do not have to “re-KYB” from scratch every quarter.
KYB vs KYC, and why casinos need a different playbook
KYB is the business equivalent of KYC. Instead of verifying an individual player, you verify a company and the people controlling it (ultimate beneficial owners, directors, and signatories), plus its licenses, policies, operational controls, and financial resilience.
Casinos need a specialized KYB approach because partner failure modes are unique:
- PSPs can create funds-flow risk (settlement holds, negative balances, chargeback exposure), data security risk (PCI scope, tokenization), and compliance risk (sanctions, restricted geos, high-risk MCC handling).
- Affiliates can create acquisition fraud (fake FTDs, incentivized traffic), advertising and regulatory risk (misleading claims, missing 18+ disclosures), and geo leakage (traffic from blocked or unlicensed jurisdictions).
A good KYB system answers two questions:
- Should we work with this partner? (risk acceptability)
- If yes, under what controls and terms? (risk mitigation and enforceability)
The fast path: risk-based KYB tiers (so you do not over-collect)
Speed comes from not treating every partner like a bank acquisition. Start with a tiering model that determines depth of checks, required evidence, and who must sign off.
Here is a practical tiering framework you can use immediately.
| Partner type | Typical risk drivers | Suggested KYB tier | Review depth | Re-check cadence |
|---|---|---|---|---|
| Tier-1 PSP (custody, payouts, card acquiring, crypto onramp) | Funds custody, sanctions exposure, chargebacks, data security | High | Full KYB + technical and financial review | Quarterly + continuous screening |
| Tier-2 PSP / APM provider (limited rails, no custody) | Operational resilience, fraud patterns | Medium | KYB + control validation | Semi-annual |
| Media affiliate (SEO/content) | Brand claims, geo targeting, compliance disclosures | Medium | KYB lite + marketing compliance checks | Semi-annual |
| Sub-affiliate network / incentive-heavy traffic | Fraud, attribution manipulation, prohibited traffic | High | Full KYB + traffic proof + strict contract guardrails | Quarterly |
| Small direct affiliate | Lower volume, lower systemic risk | Low | KYB lite | Annual |
The tier should be driven by impact, not by how “famous” the partner is.
A 48-hour KYB workflow that actually works
If you want fast partner onboarding, you need a repeatable pipeline with clear artifacts and owners.
Phase 0 (1 hour): Define scope and the “no-go” rules
Before you collect any documents, define your non-negotiables. Examples:
- “No custody without audited segregation and incident response.”
- “No affiliates that buy traffic from specific networks or use incent traffic.”
- “No PSPs that cannot support our target jurisdictions or cannot evidence licensing coverage.”
This prevents the most common time-waster: doing weeks of KYB only to discover a deal is structurally impossible.
Phase 1 (same day): Partner intake form (single source of truth)
Use a standardized intake form for both PSPs and affiliates. You are trying to capture:
- Legal entity details (registered name, number, jurisdiction)
- Ownership and control (UBOs, directors, authorized signatories)
- Regulatory posture (licenses, registrations, permitted geos)
- Operational contacts (compliance, finance, technical)
- Products and flow description (what they do, where funds/data move)
If you run a modular iGaming platform, it helps when onboarding is designed like a Shopify-style experience where partner setup follows consistent templates, but the KYB evidence should still be stored in an audit-friendly repository.
Phase 2 (24 hours): Evidence request pack (minimal, but complete)
Ask for a tight evidence pack. If you request everything, you will get nothing quickly.
Core KYB evidence (applies to PSPs and affiliates):
- Certificate of incorporation (or equivalent)
- Register extract (showing directors)
- UBO declaration (and IDs for UBOs if required by your policy)
- Proof of address for the entity (where applicable)
- Sanctions and PEP policy statement (or equivalent compliance policy summary)
- Signed confirmation of compliance with applicable advertising and AML obligations
PSP-specific evidence:
- Licensing/registration evidence for relevant services and geographies
- PCI DSS evidence if they touch card data (attestation / compliance statement)
- Information security overview (ISO 27001 certificate, SOC 2 report, or security questionnaire response)
- Settlement and safeguarding description (where funds sit, who controls wallets/accounts)
- Chargeback and dispute process overview
- Sub-processor list (banking partners, acquirers, onramp providers)
Affiliate-specific evidence:
- Traffic sources summary (paid, organic, social, influencer, email)
- Top geos and targeting method (self-reported)
- Examples of creatives, landing pages, and claims they use
- Prior operator references (if available)
- Confirmation of age-gating and required disclosures (18+, responsible gambling messaging)
Phase 3 (24 to 48 hours): Verification checks and risk scoring
This is where you gain speed by using objective checks instead of subjective debates.
- Verify corporate existence via the relevant company registry.
- Verify licensing status via the regulator register where applicable.
- Screen entity and key controllers against sanctions lists (for example, OFAC and EU sanctions).
- Validate domain ownership and brand footprint (affiliate sites, social accounts).
For sanctions screening and guidance on risk-based controls, FATF materials are a useful baseline reference for how regulators expect risk-based programs to work (FATF Recommendations).
Phase 4 (same week): Contract guardrails and go-live checklist
Do not treat KYB as “approval only.” Your contract is how you enforce the risk controls you just identified.
For PSPs, align commercial terms with operational realities (SLAs, settlement, reserves). For affiliates, align payout mechanics with compliance and fraud prevention.

KYB for PSPs: what to validate (and what operators often miss)
1) Licensing coverage and “who is actually regulated”
A common pitfall is confusing a brand name with the regulated legal entity.
Validate:
- The exact entity name on contracts matches the regulated entity (or is properly appointed)
- The license scope covers the services you use (acquiring, payment initiation, money transmission, crypto onramp)
- Territorial coverage and restrictions (where they can serve you and where they cannot)
If your casino offers both crypto and fiat, this matters even more because the PSP stack often includes multiple entities (acquirer, onramp, banking partner, custody provider).
2) Funds flow, custody, and safeguarding
Ask the PSP to describe the funds flow in plain English, then confirm it matches reality:
- Where do player deposits land?
- When does the balance become playable?
- Who holds the funds (PSP, bank, custodial wallet)?
- What can trigger holds (risk rules, manual review, compliance alerts)?
If you support crypto rails, you should also map custody and withdrawal controls. Spinlab describes support for merchant custodial wallets and crypto onramp solutions. In KYB terms, that means you should be explicit about:
- Wallet governance (who can sign, how approvals work)
- Hot wallet limits and replenishment rules
- Incident response and freeze capabilities
A solid companion read is Spinlab’s guide to crypto-specific obligations such as the Travel Rule, because PSP selection and KYB are tightly connected to how compliant transfers are executed (Travel Rule compliance for crypto casinos).
3) Fraud, dispute handling, and “who eats the loss”
PSP decks love approval rate slides. KYB should focus on loss allocation.
Validate:
- Chargeback ownership (operator vs PSP) and representment support
- Fraud tooling and what you control vs what they control
- Reserve policy (when they can hold funds, how long, based on what triggers)
If you want a practical view of dispute evidence and operational readiness, Spinlab’s chargeback guide is a useful operator-level benchmark (chargeback representment for casinos).
4) Security posture and data minimization
You do not need every PSP to be “perfect,” but you do need to understand your exposure.
Validate:
- PCI DSS scope (and whether tokenization keeps you out of scope)
- Incident response timelines and notification duties
- Access controls, audit logging, and least-privilege operations
For card-related programs, it helps to align your internal expectations with PCI DSS 4.0 realities (PCI DSS for iGaming).
5) Technical integration risk (the hidden KYB dimension)
A PSP that “passes KYB” can still be a bad partner if they create systemic outages or reconciliation debt.
Validate:
- Sandbox quality and test coverage
- Webhook reliability and idempotency patterns
- Reconciliation artifacts (what reports exist, fields, timing)
- Uptime SLA and service credits
If you use payment routing or orchestration, your KYB should include how the PSP behaves under failure and cascading scenarios (casino payment orchestration).
KYB for affiliates: verify ownership, traffic integrity, and marketing compliance
Affiliate KYB fails most often in two places: ownership opacity and traffic opacity.
1) Beneficial ownership and control (yes, for affiliates too)
Affiliates are counterparties that can expose you to regulator scrutiny. Treat them like businesses, not “publishers.”
Validate:
- Legal entity and signatories
- UBOs for higher-risk tiers (networks, sub-affiliates, unusually high volumes)
- Payment destination alignment (entity name matches bank account or wallet owner)
2) Traffic sourcing and proof of quality
For fast vetting, you are not trying to predict lifetime performance. You are trying to avoid obvious bad traffic.
Request:
- Breakdown of traffic sources (with percentages)
- Top landing pages and sample tracking links
- Geo distribution and how they enforce geo targeting
Then verify:
- The affiliate’s properties actually rank or have audience reach consistent with claims
- Their creatives comply with your rules (no prohibited claims, no misleading bonus language)
For teams building affiliate programs at scale, Spinlab’s operational playbook is a good reference point for structuring tracking, governance, and partner scorecards (high-ROI affiliate program for casinos).
3) Advertising and influencer compliance checks
Even if you do not run influencer campaigns directly, your affiliates might. You need contractual control and monitoring.
Validate:
- Required disclosures (ad labeling, 18+, responsible gambling references)
- Prohibited geos and brand usage rules
- Content approval workflows for higher-risk affiliates
If your acquisition mix includes creators, it is worth aligning your affiliate KYB with common compliance pitfalls under EU ad frameworks (influencer compliance pitfalls).
4) Fraud controls unique to affiliate programs
Affiliate fraud is often “soft”: it looks like performance until you reconcile downstream signals.
Your KYB should include a plan for:
- Holding periods or clawbacks for suspicious cohorts
- Rules for duplicate accounts and bonus abuse
- Policy on incent traffic, brand bidding, and sub-affiliate disclosure
Spinlab’s bonus abuse playbooks map well to what you should enforce at partner level, not just at player level (bonus abuse detection).
A practical KYB scorecard (copy and adapt)
A scorecard prevents politics from overriding risk. Keep it simple: a few categories, a few weighted questions, and clear outcomes.
| Category | PSP examples | Affiliate examples | Typical decision outcome |
|---|---|---|---|
| Identity and ownership | Entity verified, UBOs disclosed | Entity verified, UBOs disclosed (as required) | Pass, conditional, fail |
| Licensing and compliance | License scope verified, AML policy fit | Marketing compliance commitments | Pass, conditional, fail |
| Operational resilience | SLAs, incident response, reconciliation | Reporting cadence, creative approval workflow | Pass, conditional |
| Financial and settlement risk | Reserves, safeguarding, dispute allocation | Payout method risk, invoice hygiene | Pass, conditional |
| Fraud and abuse exposure | Controls, monitoring, shared signals | Traffic transparency, fraud history | Pass, conditional, fail |
| Data security and privacy | PCI/security posture | Data handling of player PII (if any) | Pass, conditional |
Define “conditional pass” controls upfront, for example:
- Lower initial volume caps
- More frequent reporting
- Shorter settlement cycles only after performance evidence
- Mandatory creative pre-approval
Red flags that should pause onboarding (PSPs and affiliates)
You should not need a committee to stop a bad partner. Create a short red-flag list that triggers an automatic escalation.
PSP red flags
- Refusal to explain funds flow or reserve triggers
- Vague licensing answers (“we are compliant globally”)
- No clear incident response process
- Frequent changes in contracting entity without clear rationale
- Pushback on audit logging or reconciliation fields
Affiliate red flags
- Unwillingness to disclose traffic sources, or “it’s proprietary” as a blanket response
- Inconsistent geo targeting claims versus observed audience footprint
- Creatives with aggressive or misleading bonus claims
- Requests for unusual tracking setups that reduce auditability
- Pressure to pay faster than your fraud and compliance window allows
Continuous KYB: monitoring is what makes “fast” safe
The fastest KYB is the one you do once, then maintain.
A lightweight continuous KYB layer includes:
- Sanctions screening refresh for entity and controllers
- License status re-check for regulated PSPs
- KPI monitoring tied to partner risk
  - PSP: approval rate shifts, chargeback rate, payout failure rate, settlement delays
  - Affiliate: FTD-to-KYC pass rate, chargeback rate, bonus abuse rate, geo mismatch rate
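The affiliate KPIs listed above can be computed per partner from first-time-depositor records and compared against limits. This is an added example, not code from the article or from Spinlab: the record fields, the thresholds, and the minimum cohort size are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Assumed thresholds (illustrative): "min" flags a rate below the limit, "max" above it.
THRESHOLDS = {
    "ftd_to_kyc_pass_rate": ("min", 0.70),
    "chargeback_rate": ("max", 0.01),
    "bonus_abuse_rate": ("max", 0.05),
    "geo_mismatch_rate": ("max", 0.02),
}
MIN_FTDS = 5  # assumed: below this cohort size the rates are too noisy to act on
# Constructed sample data: contracted geos per affiliate, one record per FTD.
ALLOWED_GEOS = {"aff-a": {"DE", "NL"}, "aff-b": {"DE"}, "aff-c": {"NL"}}

def _ftd(aff, geo, kyc=True, cb=False, abuse=False):
    return {"affiliate": aff, "geo": geo, "kyc_passed": kyc,
            "chargeback": cb, "bonus_abuse": abuse}

SAMPLE_FTDS = (
    [_ftd("aff-a", "DE") for _ in range(9)] + [_ftd("aff-a", "NL", kyc=False)]
    + [_ftd("aff-b", "DE", kyc=False, abuse=True) for _ in range(4)]
    + [_ftd("aff-b", "BR") for _ in range(3)] + [_ftd("aff-b", "DE", cb=True)]
    + [_ftd("aff-c", "NL", kyc=False)]
)

def affiliate_kpis(ftds, allowed_geos):
    """Return {affiliate: {"ftds": n, kpi: rate, ...}} for the four affiliate KPIs."""
    groups = defaultdict(list)
    for rec in ftds:
        groups[rec["affiliate"]].append(rec)
    out = {}
    for aff, recs in groups.items():
        share = lambda pred: sum(1 for r in recs if pred(r)) / len(recs)
        out[aff] = {
            "ftds": len(recs),
            "ftd_to_kyc_pass_rate": share(lambda r: r["kyc_passed"]),
            "chargeback_rate": share(lambda r: r["chargeback"]),
            "bonus_abuse_rate": share(lambda r: r["bonus_abuse"]),
            "geo_mismatch_rate": share(lambda r: r["geo"] not in allowed_geos.get(aff, set())),
        }
    return out

def breaches(kpis):
    """Map each affiliate to its out-of-threshold KPIs; small cohorts are deferred."""
    result = {}
    for aff, m in kpis.items():
        over = sorted(k for k, (kind, lim) in THRESHOLDS.items()
                      if (m[k] < lim if kind == "min" else m[k] > lim))
        result[aff] = over if m["ftds"] >= MIN_FTDS else ["insufficient_volume"]
    return result
```

A non-empty breach list is the trigger for the conditional-pass controls defined in the scorecard section, such as volume caps or mandatory creative pre-approval.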
This is where platforms with real-time analytics and consolidated payment and affiliate tooling reduce manual work. If your stack already supports partner modules such as a bonus engine, fraud prevention, compliance controls, and analytics, you can instrument partner risk metrics the same way you instrument player funnels.
Spinlab’s ecosystem includes analytics and partner tooling, and you can connect KYB status to operational controls (for example, limiting partner volume, applying stricter fraud rules, or gating certain payment rails) using platform configuration and APIs rather than ad hoc spreadsheets.
How Spinlab helps teams operationalize partner vetting (without pretending KYB is “solved”)
KYB is ultimately a governance process, not a single feature. But the platform you run can either make KYB painful or make it enforceable.
If you are using Spinlab’s modular iGaming platform, the relevant capabilities to map into your KYB workflow are:
- Integrated payments and crypto readiness (so PSP setup, rails, and custody choices are visible and configurable in one place)
- KYC/AML compliance tooling (so partner-driven risk can trigger step-up verification and monitoring)
- Advanced fraud prevention (so you can enforce conditional-pass controls without manual review overload)
- Affiliate and bonus engine (so affiliate onboarding and payout governance can be centralized)
- Open API integration (so KYB outcomes can be connected to your internal ticketing, contract repository, or screening provider)
If you want to reduce the time from “we found a partner” to “we can safely go live,” book a walkthrough and map your PSP and affiliate KYB workflow to your actual rails, jurisdictions, and growth plan at spinlab.studio.