Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
International Desks
Helping you access overseas markets with support from our country and region-specific experts.
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS United Kingdom
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in Focus View all
Insights by type
CMS Spotlight: join our events and webinars!
CMS News
Stay up to date with our growth, evolution and our many successes.
CMS Press Office
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Legal Update

Gambling operators hit by flurry of Gambling Commission regulatory action

15 Dec 2025 United Kingdom 20 min read

Between May and December 2025, the Gambling Commission of Great Britain (the “Commission”) took regulatory action against a total of 13 gambling operators for a range of compliance failings in respect of their anti-money laundering (“AML”), counter-terrorism financing (“CTF”), social responsibility (“SR”), technical, and hosting obligations. The actions taken by the Commission included a series of financial penalties and regulatory settlements, as well as licence suspension (an enforcement tool the Commission relatively rarely deploys). Set out below is a summary of each action taken, the Commission’s findings, and the key takeaways for operators.

1. Spreadex Limited (“Spreadex”)

On 7 May 2025, the Commission imposed a fine of £2,022,000 on Spreadex following a review of its operating licence for AML and SR failings. The Commission also imposed a warning under section 117(1)(a) of the Act and attached an additional condition to Spreadex’s licence under section 117(1)(b) of the Act requiring Spreadex to undergo a third-party audit to ensure it is effectively implementing its AML and safer gambling policies, procedures and controls. The failings dated back to the period between September 2022 and November 2023.

AML and CTF

The Commission concluded that Spreadex had breached the requirements under paragraphs 1, 2 and 3 of LCCP 12.1.1:

  • Spreadex’s risk assessment failed to consider key customer, product, geographic and payment risks as detailed in the Commission’s guidance.
  • Spreadex’s policies, procedures and controls were not appropriate to prevent money laundering or terrorist financing. Spreadex was overly reliant on customers’ self-reported financial position and customers could continue depositing substantial amounts of money without providing source of funds information.

SR

The Commission found that Spreadex had failed to comply with paragraph 9(c) of SRCP 3.4.3, which requires licensees

to tailor the type of action they take based on the number and level of indicators of harm exhibited, which must include strong or stronger actions as the immediate next step where appropriate rather than increasing action gradually (Paragraph 9 of SRCP 3.4.3. The Commission found that Spreadex had failed to conduct a stronger form of customer interaction to ensure that a customer who hit a daily deposit limit a number of times in a short period of time was not potentially suffering gambling-related harm.

2. Grace Media (Gibraltar) Limited (“Grace Media”)

On 26 June 2025, the Commission imposed a financial penalty of £60,000 on Grace Media following a regulatory investigation outside of a licence review which identified SR failings in relation to self-exclusion and direct electronic marketing consent.

It was acknowledged by the Commission that Grace Media has policies and procedures in place regarding self-exclusion and direct electronic marketing consent, and that the breaches arose from a human error in the application of those policies. 

SR

The Commission found that Grace Media had failed to comply with:

  • Self-exclusion (SRCP 3.5.3 para 2): these provisions are designed to ensure that customers who choose to self-exclude are effectively protected. Grace Media breached the requirements relating to sending marketing materials to self-excluded customers.
  • Direct electronic marketing consent (SRCP 5.1.11): this provision requires that consumers can only be sent direct electronic marketing communications with their informed and specified consent, they have the opportunity to withdraw that consent, and where consent is withdrawn that consumer is no longer contacted.

3. 888 UK Limited (“888”)

On 7 August 2025, the Commission announced that 888 will pay a £33,075 financial penalty following a regulatory investigation outside of a licence review which found that 888 had failed to comply with SR requirements, specifically relating to customer identification in failing to link customer accounts. This action followed an investigation into a key event submission by 888. The Commission acknowledged that 888, which forms part of the evoke group of companies, had self-identified the breach, took remedial action, and co-operated fully with the Commission throughout the investigation.

SR

The Commission found that 888 had failed to comply with the requirements under paragraph 3 of SRCP 3.9.1.  Licensees are required to be able to identify all accounts held by the same individual and, where multiple accounts are permitted, can link and manage these accounts collectively to apply self-exclusion, monitoring, credit, and financial limits across all of a customer’s accounts. 888 failed to take all reasonable steps to ensure that references to a customer holding more than one account included customers holding one or more accounts with them and one or more accounts with a group company.

4. ProgressPlay Limited (“ProgressPlay”)

On 21 August 2025, the Commission announced that ProgressPlay had been issued a £1m fine in respect of breaches of AML requirements and SR failings found during a licence review. The Commission also issued a warning to ProgressPlay and attached an additional condition to their licence requiring ProgressPlay to conduct a third-party audit within 6 months of the Commission’s review. The fine follows on from a previous enforcement action issued in 2022 for similar failings which resulted in a fine of approximately £170,000.

AML and CTF

The Commission concluded that ProgressPlay had failed to comply with the following requirements under paragraphs 1, 2 and 3 of LCCP 12.1.1:

  • Risk assessment deficiencies: ProgressPlay had failed to conduct appropriate AML and CTF risk assessments or implement controls to minimise these risks. In failing to consider risks associated with their business, ProgressPlay had failed to take a sufficient risk-based approach to AML.
  • Source of funds: ProgressPlay had failed to scrutinise transactions sufficiently in customer relationships, including verification of source of funds.

SR

The Commission found that ProgressPlay had failed to comply with the requirements under paragraphs 1, 4, 9 & 12 of SRCP 3.4.3:

  • An absence of adequate systems and processes in place to effectively monitor customer activity at the point of account opening.
  • Employing a customer interactions policy which failed to adequately identify and evaluate potential harm associated with gambling.
  • Lack of effective processes to assess the impact of individual customer interactions, resulting in an ongoing risk of harm and uncertainty over the further actions needed.

5. Maple International Ventures Limited (“Maple”)

On 17 September 2025, the Commission announced that Maple, operator of the Lottomart.com casino and betting platform, will pay £360,000 as part of a regulatory settlement. This follows a section 116 review under the Act, which identified deficiencies in Maple’s AML/ CTF and SR measures.

The settlement includes a £50,000 divestment to socially responsible initiatives. Maple has issued a public statement acknowledging breaches of the LCCP requirements, noting that some requirements have since been updated.

AML and CTF

The Commission concluded that Maple had failed to comply with the requirements under paragraphs 1, 2 and 3 of LCCP 12.1.1:

  • Risk Assessment Deficiencies (LCCP 12.1.1(1)): between June 2023 and June 2024, Maple’s AML/CTF risk assessment was not appropriate. It failed to consider risks adequately, such as organised crime and mule accounts and did not reflect the Commission’s latest guidance.
  • Adoption of Appropriate Policies and Controls (LCCP 12.1.1(2)): between May and October 2024, Maple had failed to ensure it had appropriate policies, procedures and controls in place, and their existing controls were not always effective.
  • Effective Implementation of Policies and Controls (LCCP 12.1.1(3)): between May and October 2024, Maple had failed to implement its policies, procedures and controls effectively to prevent money laundering and terrorist financing. There were delays in money laundering risks being identified and action being taken. For example, due diligence failings were found where customers could transact beyond financial thresholds prior to their identity verification checks being completed.

SR

The Commission found that, between May and October 2024, Maple had failed to comply with the requirements under paragraphs 1, 4, 5 (a, b, c and d) and 11 of SRCP 3.4.3:

  • Inadequate Customer Interaction Systems (SRCP 3.4.3(1)): Maple did not adequately implement systems to identify, act and evaluate signs of gambling harm.
  • Monitoring and Detection Gaps (SRCP 3.4.3(4)): processes to monitor customer activity from account opening were not always effective, and systems to identify duplicate and linked accounts had weaknesses. For example, a customer was able to create a duplicate account and deposit substantial funds before the duplicate account was detected.
  • Insufficient Harm Indicators (SRCP 3.4.3(5)(a–d)): Maple lacked effective controls for detecting harmful behaviour, such as binge gambling, spikes in activity, overnight play and high-stake patterns after big wins.
  • Lack of Automated Processes for Strong Indicators of Harm (SRCP 3.4.3(11)): Maple’s policies lacked clear definitions of strong indicators of harm and did not include any corresponding automated actions.

6. Petfre (Gibraltar) Limited  (“Petfre”)

On 1 October 2025, the Commission announced that Petfre, operator of Betfred’s online service, betfred.com and oddsking.com, will pay a £240,000 penalty following a regulatory finding that features in some of its online slot games were non-compliant with technical requirements. It was acknowledged that Petfre had identified the breach, proactively reported it to the Commission, and took immediate action to decommission all affected games. Petfre co-operated fully with the Commission throughout the investigation.

Technical Requirements:

The Commission found that Petfre had failed to comply with the technical requirements under LCCP 2.3.1:

  • Failure to Display Net Position. Certain online slot games offered by Petfre failed to display the consumer’s net position during gaming sessions.
  • Celebration of Losses as Wins. Some games offered by Petfre celebrated returns that were less than or equal to the total stake gambled as wins. The Commission raised concerns that such celebratory effects could impair a player’s ability to interpret their gameplay accurately and make informed decisions.

7. Platinum Gaming Limited (“Platinum Gaming”)

On 22 October 2025, the Commission announced that Platinum Gaming, operator of unibet.co.uk and uk.bingo.com, had been issued with a £10 million financial penalty following a licence review. In addition to the fine, the Commission imposed a warning on Platinum Gaming and, under section 117(1)(b) of the Act, attached an additional condition to Platinum Gaming’s licence requiring it to undergo a third-party audit and internal investigation.

The Commission found breaches of AML requirements and failures in Platinum Gaming’s SR controls between January 2023 and May 2024. This is the second enforcement action against Platinum Gaming, after the Commission imposed a £2.9 million fine in 2023 for similar failings.

AML

The Commission concluded that Platinum Gaming failed to comply with the following requirements under paragraphs 1, 2 and 3 of LCCP 12.1.1 (prevention of money laundering and terrorist financing) and LCCP 12.1.2 (AML measures for operators based in foreign jurisdictions):

  • Platinum Gaming’s money laundering and terrorist financing risk assessment did not consider customers whose accounts were previously closed for AML/CTF concerns prior to 2023. This allowed certain blocked customers to gamble by opening new accounts.
  • Although identified in Platinum Gaming’s risk assessment, there was no evidence that high‑risk indicators - such as high‑risk occupation, high levels of transactions through deposit/withdrawal activity, and significant losses - were considered during customer reviews.
  • Platinum Gaming’s AML policy lacked clear criteria for conducting customer due diligence and enhanced due diligence, including how measures were determined based on customer risk levels.

SR

The Commission found that Platinum Gaming failed to comply with paragraphs 1, 2, 4, 5, 7, 9, 11 and 12 of SRCP 3.4.3 (Customer Interaction):

  • Platinum Gaming’s customer interaction system failed to flag a new player as at risk despite the player losing £5,000 within 24 hours of registration and over £16,000 in less than three months.
  • Failure to interact with high‑risk play. Platinum Gaming did not interact with a customer who lost over £31,000 within nine months, reached their monthly loss limit six times, and exhibited signs of high-velocity gambling.
  • Failure to identify behavioural markers of harm and binge gambling. Platinum Gaming failed to identify a customer who exceeded their £2,500 loss limit within 16 minutes of registering their account as potentially being at risk of harm.
  • Failure to interact during high-volume play. Platinum Gaming did not interact with a customer who staked £73,000 and lost £4,100 over a 23‑day period.

8. Spribe OÜ (“Spribe”)

On 30 October 2025, the Commission announced that it had suspended the software operating licence of Spribe under section 118(2) of the Act whilst a licence review is conducted.

The Commission cited suitability concerns arising from serious non-compliance with licensing requirements for hosting – Spribe did not hold a host licence with the Commission, which it requires games providers to do so that host their own gambling software (as opposed to such software being hosted by their B2C operator customers). The Commission directed that all hosting activity conducted by Spribe must cease immediately until a suitable hosting licence is obtained.

The Commission reiterated that, under section 33 of the Act, providing facilities for gambling (which it deems hosting activities to involve) without an appropriate licence can be considered a criminal offence, and that it takes a robust approach to unlicensed activity. Spribe is expected to notify any parties affected by service disruption and ensure that all operations are halted.

9. VGC Leeds Limited (“VGC Leeds”)

On 31 October 2025, the Commission announced that it had suspended the operating licence of VGC Leeds while it conducts a licence review under section 116 of the Act. The Commission’s decision followed concerns that activities may have been conducted contrary to the Act, which were not in accordance with licence conditions and that VGC Leeds may be unsuitable to carry on the licensed activities.

The Commission’s compliance assessment raised specific concerns around the maintenance and implementation of effective AML policies, procedures and controls. The Commission also identified serious issues with decision‑making processes and the operators’ response to identified AML and CTF risks, which in turn raised questions about the overall effectiveness of governance and risk management arrangements. The Commission characterised these failings as significant, presenting a serious threat to the licensing objectives of keeping crime out of gambling.

10. NetBet Enterprises Limited (“NetBet”)

On 5 November 2025, the Commission announced that it had concluded a licence review under section 116 of the Act following a compliance assessment of NetBet, operator of netbet.co.uk. The Commission identified failings in NetBet’s AML/CTF and SR controls across their online betting and casino activities between October 2023 and July 2024, which fell foul of the requirements under LCCP 12.1.1 and 15.3.1, and SRCP 3.2.11, 3.4.3 and 5.1.9.

The matter was resolved by way of a regulatory settlement, with NetBet making a payment of £650,000 in lieu of a financial penalty to socially responsible causes. NetBet was instructed to make immediate and sustained improvements to its systems, including strengthening risk assessments, enhancing its identification and response to indicators of harm, and ensuring data accuracy. NetBet was required to commission an independent audit of its policies, procedures and controls to ensure that the improvements are embedded and are operating effectively in practice. In addition, NetBet was required to issue a public statement outlining the facts of the case.

AML/CTF

The Commission identified the following AML/CTF failings:

  • An over-reliance on financial triggers that did not adequately account for customers’ true affordability.
  • Where significant gambling activity was accompanied by concerning customer behaviours this was nevertheless assessed as low risk.
  • NetBet’s AML and CTF risk assessment omitted key risks, including those in respect of third-party business relationships, higher-stakes gambling, and controls relating to third‑country nationals resident in the UK.

SR

The Commission identified the following SR failings:

  • NetBet had not implemented effective customer interaction systems and processes to minimise the risk of gambling-related harm.
  • Indicators of harm, such as overnight play, rapid deposit velocity, exhausting limits and escalated gameplay were not identified in a timely manner and were often detected only after manual reviews.

The Commission also found that NetBet had recorded inaccurate information when filing regulatory returns.

11. Videoslots Limited (“Videoslots”)

On 20 November 2025, the Commission announced that it had imposed a warning, a £650,000 financial penalty and an additional licence condition requiring an independent third‑party audit on Videoslots, which operates videoslots.co.uk, mrvegas.com and megariches.com. The action followed findings that, between October 2023 and February 2024, Videoslots had breached AML/CTF and SR requirements.

AML/CTF

The Commission found that Videoslots had failed to comply with AML/CTF requirements under paragraphs 2 and 3 of LCCP 12.1.1 (prevention of money laundering and terrorist financing ). Videoslots' AML/CTF policies and procedures had significant gaps, including record‑keeping omissions and an over-reliance on ineffective algorithms. For example, AML risk thresholds were not triggered for a customer who funded their account with over £75,000 in digital prepayment vouchers within a 16-day period. This resulted in a failure to conduct timely and effective customer due diligence or request source of funds information, and the customer being able to transfer the proceeds to multiple accounts in different destinations.

SR

The Commission found that Videoslots had failed to comply with SR requirements under paragraphs 1 and 4 of SRCP 3.4.1 (Customer Interaction):

  • Videoslots relied on systems that were ineffective in identifying harm or potential associated harms when monitoring customer activity. Although monthly deposit limits were set for customers by monitoring systems, the limits ran across a calendar month and did not include initial deposits. For example, one customer lost £7,500 over an 18 day period despite having a £2,000 monthly deposit limit in place.
  • Videoslots system’s failed to identify and interact with potentially at‑risk customers. For example, one customer lost £6,550 over three days within a two-month period without any interaction from Videoslots.

12. Deadheat Racing Limited (“Deadheat Racing”)

On 21 November 2025, the Commission announced that it had suspended Deadheat Racing’s operating licence with immediate effect while it undertakes a licence review under section 116 of the Act. The review and suspension follow concerns that Deadheat Racing’s activities may have been inconsistent with the licensing objectives, breached SR and AML licence conditions, and that Deadheat Racing may be unsuitable to carry on licensed activities.

The Commission has made clear that, during the suspension, it expects Deadheat Racing to treat consumers fairly and keep them fully informed of any impactful developments of the suspension.

13. Done Brothers (Cash Betting) Limited (“Done Brothers”)

On 3 December 2025, the Commission announced that it had imposed a £825,000 financial penalty on Done Brothers, the operator of Betfred’s retail estate, issued a warning under section 117(1)(a) of the Gambling Act 2005, , and attached an additional licence condition under section 117(1)(b) requiring a third‑party audit to ensure effective implementation of required changes. The Commission noted that the failings identified were predominantly technical breaches. This is Done Brothers’ second enforcement action by the Commission, after they paid a regulatory settlement of £3.25m in 2023 for AML and SR failings. 

AML

The Commission found that Done Brothers had failed to comply with AML requirements under paragraph 2 of LCCP 12.1.1 (prevention of money laundering and terrorist financing) between May 2024 - March 2025:

  • Done Brothers was not able to identify and manage effectively money laundering risks associated with customers using B3 gaming machines. While Done Brothers used machine alerts and daily reports, the practices in place at the time meant they were unable to assess overall customer spend and associated money laundering and terrorist financing risks.
  • There was no effective policy to identify and handle customers who may be subject to financial sanctions.
  • Thresholds for enquiries regarding customers’ source of income were not appropriately risk‑based, being set at £15,000 for losses and £125,000 for stakes during a 365‑day period.

SR

The Commission found that Done Brothers had failed to comply with SR requirements under paragraph 1 of SRCP 3.4.1 (Customer Interaction) between May 2024 and November 2024:

  • Done Brothers was notable to identify spend and associated financial indicators of gambling harm adequately for customers using B3 gaming machines.
  • Following identification of risk indicators, customer interactions did not always take place and, when they did, they were not conducted in an appropriate way to minimise the risk of gambling‑related harm.
  • The quality of interactions, particularly when evaluating the impact of the interaction, did not meet the standards required.

Comment 

The recent regulatory action by the Commission underscores a continued commitment by the Commission to uphold high standards of compliance across the gambling sector. The breadth and depth of the penalties imposed, which range from suspended licences and substantial financial penalties to warnings and additional licence conditions, demonstrate that the Commission is proactive in taking action against both systemic and isolated failings.

The Commission’s findings make it clear that a ‘tick-box’ approach to compliance is insufficient and that operators must adopt a genuinely risk-based and proactive stance on the effective implementation and ongoing review of policies and procedures, with a particular focus on early detection and intervention in cases of potential harm or suspicious activity. For remote operators, there is an expectation that AML/CTF risk assessments are comprehensive and tailored to business and customer risk profiles, expressly covering high-stakes activity, relevant jurisdictional considerations, third‑party relationships and payment systems. Over-reliance on financial triggers and delayed reaction to risk is likely to be indicative of systemic control weaknesses. In terms of social responsibility compliance, systems should be capable of identifying and acting on indicators of gambling-related harm from the point of account opening and throughout the customer lifecycle, and accurate, timely regulatory reporting remains a baseline expectation.

The Done Brothers findings show that these expectations are extended to land-based operators. In Done Brothers’ case, the Commission expressly noted that the failings were predominantly technical breaches. Nevertheless, Done Brothers received a substantial financial penalty, a warning and an additional licence condition. The Commission’s position remains that customer interaction systems should surface and act on strong indicators of harm promptly, with proportionate and escalated interventions where appropriate.

The suspensions issued to Deadheat Racing, VGC Leeds and Spribe demonstrate that where the Commission identifies significant risks, including suspected breach of requirements  or suitability concerns, it will suspend licences swiftly pending investigation. Notably, these are the Commission’s first licence suspensions since September 2023 - their issuance in quick succession may indicate an increased readiness to suspend licences where appropriate while conducting reviews. For software suppliers, Spribe’s findings underscore the shift towards B2C operators and the need for compliant hosting, as technical or hosting shortcomings can prompt suitability concerns independent of consumer‑facing operations.

The Commission’s willingness to acknowledge mitigating factors such as self-reporting, prompt remedial action, and cooperation during investigations signals that transparency and a culture of continuous improvement are valued. The findings against 888 and Grace Media indicate that where failings are limited to specific issues the Commission may be willing to address these in the context of an investigation outside of a section 116 licence review. However, repeated or systemic failings attract more severe sanctions, reflecting the Commission’s intolerance for recurring non-compliance.

These decisions serve as a reminder to gambling operators of the importance of embedding compliance into the fabric of their operations, and ensuring that governance, decision-making and risk management are sufficiently robust to serve the purpose they were intended to deliver in practice. This includes regular and comprehensive risk assessments, robust customer identification and monitoring systems, and clear, actionable policies for customer interaction and harm prevention. While each case turns on its particular facts, these actions collectively reaffirm that the Commission will use the full range of its investigatory and enforcement tools where failings present heightened risks to consumers or the integrity of the regulatory regime.

Co-Authored by Helena Thornby, Trainee Solicitor at CMS

 

More insights
Gambling Media TMT - Technology, Media & Telecommunications Technology Scotland

Explore more

Publication United Kingdom

Gambling Law Reform Tracker

02 Feb 2026 11 min read
Event United Kingdom

CMS Update Morning: Media, Sports and Entertainment

29 Apr 2026
Back to top Back to top
You will now find all Law-Now content on CMS.law
Explore more
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.