Verifying the identity of online gamblers: Legal requirements and technical solutions
In the Czech Republic, it is not possible to operate legal online gambling without strict identity verification of every player. The Gambling Act and the AML Act impose an obligation to carry out thorough registration as well as checks in the Register of Excluded Persons. Without a functional system, you face fines of up to CZK 50 million and the loss of your licence. Read how to set up your processes correctly and avoid sanctions.

Article contents
- What the Gambling Act says about identity verification
- Technical solution: From remote identification to monitoring
- Register of Excluded Persons (RVO)
- Politically exposed persons and sanctions lists
- Inspections by the Ministry of Finance and the Customs Administration
- Illegal operators and the impact on the market
Quick summary
- Identity verification is mandatory upon registration – every player must be fully identified and verified before being allowed to participate in gambling; online play cannot be anonymous, not even up to a limit.
- Crippling fines are possible – a breach of the obligation to identify players or failure to properly check the RVO may result in a fine of up to CZK 50 million and the loss of the basic licence in the Czech Republic.
- The system must check the RVO in real time – the operator is required, at each player login, to automatically verify whether the player is recorded in the RVO.
- Compliance is a continuous process – technical details, API configuration, and links to AML legislation under Czech law require expert legal and technical oversight.
What the Gambling Act says about identity verification
Czech regulation is strict when it comes to verifying players’ identities and, in 2026, fully reflects European standards as well as the digitalisation of public administration in the Czech Republic. The Gambling Act imposes on every operator the obligation to ensure that registration and identification details are accurate and that the player is over 18 years of age.
The attorneys at ARROWS advokátní kancelář deal with this topic on a daily basis and know exactly what regulators focus on during supervision. Under the Act and related regulations, you must keep and report accurate data: player identification, age and identity verification, and detailed gaming and financial data.
If your system contains errors, or if it does not allow remote access for supervisory authorities and automated data reporting to AISG, you expose yourself to the risk of fines of up to CZK 50 million. The system must be fully functional in live operation 24/7, and any reporting outages are strictly penalised under Czech law.
Main legal framework and shortcomings
A gambling operator is a so-called obliged entity under Act No. 253/2008 Coll. (the Czech AML Act). This means your obligations do not end with identity verification at registration. You must carry out ongoing customer due diligence, monitor transactions, assess the player’s risk profile, and report suspicious transactions to the Financial Analytical Office (FAÚ) (the Czech financial intelligence unit).
Failure to report or systemic failures in AML processes may lead to sanctions under the Czech AML Act. Depending on the type of breach, these sanctions can reach millions to tens of millions of Czech crowns; for financial institutions, even higher amounts. In practice, this means your software solution must have several key functionalities built in.
You must ensure automated identity verification at registration, checks against the Register of Excluded Persons at each login, and transaction monitoring with anomaly detection. It is also essential to maintain an immutable audit trail and to comply with information obligations towards the Czech Customs Administration and the Ministry.
Related questions
1. What happens if I do not correctly record a player’s identity?
If you allow a person to play whom you have not properly identified, you commit an administrative offence under Czech law. If it is found that the player was a person recorded in the RVO or a person under 18, you face sanctions at the upper end of the range (up to CZK 50 million) and revocation of the licence, which in practice means the end of the operator’s business in the Czech Republic.
2. Do I have to report every transaction to the Ministry?
You do not report every individual bet “manually” in real time, but your system must automatically send data to AISG in the prescribed structure and frequency (daily batches, gaming data). At the same time, you report suspicious transactions to the FAÚ without undue delay if they show signs of money laundering or terrorist financing under Czech AML rules.
3. What type of document is sufficient for identity verification?
In online gambling, identification is carried out remotely. Czech law prefers the use of electronic identification means (e.g., BankID) or mediated identification (Czech POINT). If you use document upload and a “liveness check”, this process must meet the strict evidentiary and reliability requirements of the Czech AML Act (§ 11).
Technical solution: From remote identification to monitoring
In online gambling, technology is the key to legality. Remote identification is a way to verify a player without a physical meeting. Under the Czech AML Act, this verification must be sufficiently robust to eliminate doubts about identity. The most commonly used and safest solution in the Czech Republic is BankID – a service that verifies a client’s identity using data verified by a bank.
Another option is uploading two identity documents in combination with a verification payment from an account held in the player’s name, or using public administration services (Czech POINT). Biometric methods – such as liveness detection combined with OCR extraction of document data – are a modern standard that minimises the risk of fraud involving stolen documents.
If a player who has been betting small amounts for months suddenly deposits hundreds of thousands, or logs in from high-risk jurisdictions, the system must generate an alert. Such systems today use elements of machine learning. However, the operator cannot rely on automation alone. Czech law requires oversight by a natural person (a compliance officer), regular employee training, and updates to risk assessments.
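The two triggers named above (a deposit far outside the player's own history, and a login from a high-risk jurisdiction) can be written as simple rules, shown here as an added example that is not the article's or any vendor's code. The thresholds, the placeholder country codes and the event format are assumptions to be replaced by the values in your own risk assessment.

```python
from statistics import median

# Assumed parameters, not values taken from Czech law or the MF ČR standards.
HIGH_RISK_COUNTRIES = {"XX", "YY"}  # placeholder codes
SPIKE_FACTOR = 20          # deposit must exceed 20x the player's median deposit
MIN_HISTORY = 5            # deposits needed before a baseline is trusted
ABS_FLOOR_CZK = 50_000     # smaller deposits never raise a spike alert


def monitor(events):
    """Scan chronological events and return alerts as (player, rule, detail).

    Alerts are meant for the compliance officer's review queue, never for
    the player.
    """
    history = {}  # player -> list of earlier deposit amounts
    alerts = []
    for ev in events:
        player = ev["player"]
        if ev["type"] == "login" and ev["country"] in HIGH_RISK_COUNTRIES:
            alerts.append((player, "HIGH_RISK_JURISDICTION", ev["country"]))
        elif ev["type"] == "deposit":
            past = history.setdefault(player, [])
            amount = ev["amount"]
            if amount >= ABS_FLOOR_CZK:
                if len(past) < MIN_HISTORY:
                    # No usable baseline yet: a large first deposit is itself a signal.
                    alerts.append((player, "LARGE_DEPOSIT_NO_BASELINE", amount))
                elif amount >= SPIKE_FACTOR * median(past):
                    alerts.append((player, "DEPOSIT_SPIKE", amount))
            # The median keeps the baseline stable even after one large deposit.
            past.append(amount)
    return alerts


# Constructed sample data: A bets small for a long time and then deposits
# 300,000; B opens with a large deposit; C grows within normal bounds.
SAMPLE_EVENTS = (
    [{"player": "A", "type": "deposit", "amount": a} for a in (200, 300, 250, 200, 300, 400)]
    + [{"player": "C", "type": "deposit", "amount": 1000} for _ in range(5)]
    + [
        {"player": "A", "type": "login", "country": "CZ"},
        {"player": "A", "type": "deposit", "amount": 300_000},
        {"player": "B", "type": "deposit", "amount": 120_000},
        {"player": "C", "type": "deposit", "amount": 15_000},
        {"player": "A", "type": "login", "country": "XX"},
    ]
)

if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS):
        print(alert)
```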
Practical failures in implementing technical solutions
The attorneys at ARROWS advokátní kancelář encounter situations in practice where an operator has the theory set up correctly, but the technical implementation fails. For example, the system verifies identity via BankID, but does not correctly store the permanent residence data in the player account.
Another common issue is that the RVO check is performed, but if the connection to the Ministry fails, the system still “lets” the player into the game. Biometric verification sometimes accepts illegible scans of documents, or transaction logs are not retained for the statutory period of 10 years under Czech legislation.
Related questions
1. What is the difference between BankID and Czech POINT for gambling purposes?
BankID is a fully digital method – the player verifies themselves by logging into online banking; it is fast and user-friendly. Identification via Czech POINT requires the player to physically visit a contact point, be identified in person, and provide the operator with a document confirming identification (or its conversion). BankID is preferred in the online environment for its convenience and security.
2. What does “liveness detection” mean?
It is a technology that verifies in real time that a live person is present at the device, rather than a photograph or video being presented to the camera. The user is prompted to perform a movement (blink, turn their head). Without this element, remote verification using an identity document cannot be considered secure under Czech regulatory expectations.
3. How often must the system be updated?
The system must be updated whenever there is a change in legislation or in the technical standards of the Ministry of Finance of the Czech Republic (MF ČR). At the same time, you must have a valid certificate of expert assessment (certification) of the gaming system. Any material change to the system requires a new assessment by an authorised person and approval by the ministry.
Register of Excluded Persons (RVO)
The Register of Excluded Persons (RVO) is a non-public information system administered by the Ministry of Finance of the Czech Republic. It includes individuals who are not allowed to participate in gambling, for example persons receiving subsistence benefits, persons in insolvency, or persons undergoing addiction treatment.
Checking the RVO is not optional – it is an absolute obligation at every login to a user account. Technically, this is an API query: your system sends the player’s identification data and the ministry returns a flag (YES/NO).
If the response is YES (the person is in the register), the system must not allow them to play. A common mistake is an incorrectly configured timeout or a missing record of the check in the audit log. The inclusion of child support non-payers in the RVO in 2024 led to a sharp increase in the number of persons in the register.
Operators had to ensure their systems could handle the volume of queries and correctly interpret the new statuses. Registration of a person listed in the RVO may be possible, but their participation in gambling must be strictly blocked.
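The two mistakes named above, a timeout that ends up admitting the player and a check that leaves no audit record, are both avoided by a gate that admits only on an explicit NO and logs every outcome. The following is an added example, not the Ministry's API or any operator's code: `query_rvo` stands in for whatever client your integration uses, and the timeout value, record fields and hash-chained log format are assumptions.

```python
import hashlib
import json
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from datetime import datetime, timezone

RVO_TIMEOUT_S = 2.0  # assumed budget, not a value from the MF ČR specification
GENESIS = "0" * 64


def _entry_hash(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record,
                             "hash": _entry_hash(prev, record)})

    def verify(self):
        """False if a stored record was edited or the chain was cut in the middle."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
                return False
            prev = entry["hash"]
        return True


def rvo_gate(player_id, query_rvo, audit, timeout_s=RVO_TIMEOUT_S):
    """Allow play only on an explicit NO received in time; log every attempt."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        answer = pool.submit(query_rvo, player_id).result(timeout=timeout_s)
        outcome = answer if answer in ("YES", "NO") else "INVALID_RESPONSE"
    except FutureTimeout:
        outcome = "TIMEOUT"
    except Exception as exc:  # connection refused, TLS failure, bad payload
        outcome = "ERROR:" + type(exc).__name__
    finally:
        pool.shutdown(wait=False)
    allowed = outcome == "NO"  # everything else, including silence, blocks
    audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                  "player": player_id, "outcome": outcome, "allowed": allowed})
    return allowed


# Constructed stand-ins for the register client, one per failure mode.
def _slow(_pid):
    time.sleep(0.3)
    return "NO"


def _down(_pid):
    raise ConnectionError("register unreachable")


STUBS = {"clear": lambda _pid: "NO", "listed": lambda _pid: "YES",
         "slow": _slow, "down": _down, "garbled": lambda _pid: ""}

if __name__ == "__main__":
    log = AuditLog()
    for name, stub in STUBS.items():
        print(name, rvo_gate("player-" + name, stub, log, timeout_s=0.1))
    print("audit chain intact:", log.verify())
```

In production the chain head would also be anchored somewhere the application cannot rewrite (for example write-once storage), since a hash chain alone does not reveal truncation of the newest entries.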
Panic Button and the option of self-exclusion
In practice, the term “Panic Button” is often used to describe the statutory obligation to place a visible and easily accessible link on the gaming area pages to the RVO website or directly to the registration form. The player must be able to decide at any time to be entered into the register. The operator is obliged not only to allow this choice, but also to ensure it technically.
The Czech Gambling Act also provides for mandatory breaks and the option to set self-limiting measures, such as betting or loss limits. If a player reaches their limits or sets a break, the system must uncompromisingly disconnect them from the game. Malfunctioning of these mechanisms is one of the most common reasons for imposing high fines.
Risk table – RVO checks and player identification
| Risks and sanctions | How ARROWS helps (office@arws.cz) |
| --- | --- |
| Game allowed for a person in the RVO: Fine of up to CZK 50 million and risk of losing the licence – this is the most serious administrative offence. | Audit and setup of the RVO process: ARROWS’ Czech legal team, in cooperation with IT experts, will review the logic of your RVO queries and ensure the process complies with the MF ČR technical specification. |
| Failure to apply a self-limiting measure: The player set a limit, the system ignored it. Sanctions in the millions. | Compliance monitoring: We will set rules to verify the functionality of self-limiting measures and prepare a complaints procedure for these situations. |
| Missing audit trail of the RVO check: An inspection finds that logs proving you queried the RVO are missing. | Setting up audit records: We will ensure your documentation and data outputs stand up to an inspection by the Czech Customs Administration. |
| Ignoring new groups in the RVO: The system does not filter child support non-payers. | Legislative update: ARROWS, a Prague-based law firm, will notify you in time about changes in categories of excluded persons and assist with updating your General Terms and Conditions. |
KYC check – identification and verification of source of funds
KYC (Know Your Customer) is a core pillar of AML legislation. In online gambling in the Czech Republic, you must know who your player is and where their funds come from. The process includes customer identification, screening of politically exposed persons (PEP) and sanctions lists. For online gambling, full identification must be completed at registration, i.e., before the player begins to play in full.
There is no “anonymous deposit up to EUR 1,000” as with certain types of one-off exchanges. If the player or their transaction shows risk factors, you must carry out enhanced customer due diligence, which includes documenting the source of funds. The system must perform these checks continuously, for example when a player becomes a “high roller”.
Politically exposed persons and sanctions lists
PEPs are natural persons who hold or have held a prominent public function, and persons close to them. The Czech AML Act requires you to establish the origin of assets for these persons and to have transactions approved by the statutory body or an authorised person. At the same time, you must screen sanctions lists in real time (Czech Republic, EU, UN).
If you accept a deposit from a person on a sanctions list, you breach the Czech Act on the Implementation of International Sanctions, which also carries criminal-law risks. Operators must use databases that change dynamically.
Attorneys from ARROWS, a Prague-based law firm, help set internal policies so that these checks are effective and demonstrable.
Related questions
1. When do I have to verify the source of funds?
It is always mandatory for politically exposed persons, for persons from high-risk countries, and in cases where the transaction shows signs of a suspicious transaction or reaches the thresholds set in your System of Internal Principles (SVZ), typically in the thousands of EUR.
2. What if the player refuses to document the source of funds?
In that case, you must not carry out the transaction, you must terminate the business relationship (close the account), and consider filing a Suspicious Transaction Report (OPO) with the FAÚ (the Czech Financial Analytical Office).
3. Do I have to report deposits from foreigners?
The mere fact that a player is a foreign national is not a reason to report, but it may increase the risk profile. For foreign nationals, correct identity verification (passport, residence permit) and screening against international sanctions lists are key.
Reporting suspicious transactions and monitoring
One of the most important obligations is filing a Suspicious Transaction Report (OPO) with the FAÚ (the Czech Financial Analytical Office). A suspicious transaction may include cash deposits into an account followed by a transfer into the game without an apparent economic reason, or attempts to avoid identification.
The report must be submitted without undue delay after the suspicion is identified. A strict prohibition of so-called “tipping off” applies, meaning you must not inform the player or third parties that a report has been filed or that the FAÚ is conducting an investigation. Breaching confidentiality is a separate offence with a high fine.
Inspections by the Ministry of Finance and the Czech Customs Administration
Supervision of compliance with the Czech Gambling Act is carried out primarily by the Czech Customs Administration and the Ministry of Finance. Inspectors have access to your data in AISG and may conduct in-depth audits. If they identify discrepancies between reality and the reported data, or non-functioning RVO mechanisms, they initiate administrative proceedings.
GDPR and personal data protection
Gambling operators process sensitive personal data, which is subject to the General Data Protection Regulation (GDPR). Data processing for the purposes of the Gambling Act (ZHH) and AML obligations has its own legal basis for processing, so you do not need the player’s consent, but you must comply with the information duty.
If a data breach occurs, you must report it within 72 hours to the Office for Personal Data Protection (ÚOOÚ) in the Czech Republic and, in the event of a high risk, also to the affected players themselves. In practice, this requires database encryption, strict access-rights management, and logging of employees’ access to players’ data. It is also necessary to set up secure processes for transferring data to public authorities.
Reporting, monitoring and GDPR
| Risks and sanctions | How ARROWS can help (office@arws.cz) |
| --- | --- |
| Failure to report a suspicious transaction to the FAÚ: Sanctions under the Czech AML Act and possible criminal prosecution for negligent money laundering. | Analysis and reporting of STRs: We assist with assessing suspicious transactions and drafting reports for the FAÚ so that they are legally robust. |
| Personal data breach: GDPR fine of up to EUR 20 million, reputational damage. | GDPR audit and DPO services: We will set up security policies, data processing agreements, and we can act as your Data Protection Officer (DPO). |
| Breach of the “tipping off” prohibition: Disclosing an investigation to the player. | Employee training: We train your staff on confidentiality and the correct procedure when communicating with a problematic client. |
Illegal operators and the impact on the market
For 2026 context, it should be noted that the state has intensified its fight against illegal operators in the Czech Republic, including website and payment blocking. Licensed operators that invest in compliance and identity verification have a competitive advantage in the form of credibility and stability. Players are increasingly aware that with an illegal operator they have no guarantee of payout of winnings or protection of their data.
What can specifically happen to you – anonymised real-life examples
Attorneys from ARROWS, a Prague-based law firm, have handled cases that serve as a warning to other operators. An online operator neglected to update the RVO list after the introduction of child-support defaulters and allowed dozens of persons from the register to play.
The result was a fine in the millions of CZK and a conditional licence withdrawal with a deadline to remedy the deficiencies. Another operator did report transactions to AISG, but the data on self-exclusion measures was incorrect due to a coding error. A player who should have had a pause set lost a significant amount and sued the operator.
A support employee alerted a VIP player that the FAÚ had inquired about his account, thereby breaching the tipping-off prohibition. This was followed by an inspection and sanctions against the operator for insufficient training and an inadequate internal control system. In these situations, prevention and expert process set-up are crucial, as the cost of legal compliance is only a fraction of potential sanctions.
Conclusion
Player identity verification in online gambling is a complex legal-and-technical discipline under Czech law. It combines the requirements of the Czech Gambling Act, the Czech AML Act and the GDPR. Any failure exposes you to the risk of fines of up to CZK 50 million and the loss of your licence, without which you cannot operate. Czech legislation in 2026 does not forgive ignorance or technical shortcomings.
Our Czech legal team at ARROWS advokátní kancelář has extensive experience in this area and helps clients set up processes so that they are secure and compliant with the law. ARROWS advokátní kancelář can assist you with a complete compliance solution – from auditing existing systems, through preparing the System of Internal Policies, to representation during inspections by the Czech Customs Administration or proceedings before the FAÚ.
If you do not want to risk the future of your business, entrust compliance to experts. Contact ARROWS advokátní kancelář at office@arws.cz to arrange a consultation.
Most common legal questions on identity verification in online gambling
1. Do I have to verify the identity of all players without exception?
Yes. The Czech Gambling Act requires the registration and identification of every player to participate in an online game. There is no exception for “small bets”. Without identification, it is not possible to create a user account and allow play.
2. Which document is sufficient for identity verification?
For remote identification (online), a simple copy of an ID card sent by email is not sufficient. The procedure under the Czech AML Act must be followed – e.g., sending a copy of the ID + a supporting document + making a verification payment from an account in the player’s name, or using electronic identification (BankID) or Czech POINT. ARROWS advokátní kancelář can help you set up a process that is legally workable in the Czech Republic.
3. What should I do if the system assesses a player as high-risk?
You must perform enhanced due diligence (establishing the source of assets/funds). If doubts persist or the check cannot be completed, you must refuse the transaction, or terminate the business relationship, and consider filing a Suspicious Transaction Report with the FAÚ.
4. How long do I have to retain players’ data?
Under the Czech AML Act, you must retain identification data and transaction data for 10 years from the end of the business relationship or the execution of the transaction. The Gambling Act (ZHH) has specific requirements for data retention in the system.
5. What happens if the system does not check the RVO during an outage?
If the system does not check the RVO (e.g., due to an API outage), it must not allow the player to play. If you allow play without the check, this is a breach of the law punishable by a fine under Czech legislation. The system must be set up on a “fail-safe” principle – in case of doubts or an error, it must block.
6. May I inform the player that the FAÚ is screening them?
Never. This is strictly prohibited (so-called tipping off). The player must not learn that they are the subject of a report or an FAÚ investigation.
Notice: The information contained in this article is of a general informational nature only and is intended for basic guidance based on the legal status as of 2026. Although we take maximum care to ensure accuracy, legal regulations and their interpretation evolve over time. We are ARROWS advokátní kancelář, an entity registered with the Czech Bar Association (our supervisory authority), and for maximum client protection we maintain professional liability insurance with a limit of CZK 400,000,000. To verify the current wording of regulations and their application to your specific situation, it is necessary to contact ARROWS advokátní kancelář directly (office@arws.cz). We accept no liability for any damage arising from the independent use of the information in this article without prior individual legal consultation.