Curaçao Sets New Crypto Compliance Rules for Online Gambling Operators

The Curaçao Gaming Authority has issued a new crypto policy guideline for B2C online gambling operators, setting phased requirements for blockchain analytics, wallet controls, VASP due diligence and audit-ready crypto transaction records through June 2027.

The Curaçao Gaming Authority has published a dedicated crypto policy guideline for online gaming operators, introducing a more detailed compliance framework for gambling businesses that accept digital assets. The document, dated June 2026, applies to B2C licence holders and to group entities that support licensed operations through crypto-related workflows.

The framework covers the full cryptocurrency lifecycle inside a licensed remote gambling business, including deposits, wagering, withdrawals and treasury management. It forms part of Curaçao’s wider regulatory shift under the National Ordinance on Games of Chance, known as the LOK, which replaced the island’s old offshore licensing model with direct oversight by the CGA.

CGA Moves Crypto Gambling Into a Stricter Compliance Model

The new guideline treats crypto as a permitted payment channel for gambling services, not as a separate financial product. Operators may accept crypto payments connected to gambling activity, but they cannot function as an exchange, payment service provider or virtual asset service provider.

Licensed operators are not allowed to convert crypto to fiat or crypto to crypto for users, offer trading or swapping services, or provide custody and wallet services outside gambling-related transactions. The CGA also requires operators to make clear to players that exchanges used to buy or sell crypto remain outside the operator’s responsibility.

AML, KYC and Blockchain Analytics Requirements

The CGA states that cryptocurrency use does not reduce existing AML/CFT, KYC or responsible gambling obligations. Operators that accept digital assets must set out their crypto-specific controls inside the AML/CFT policy submitted through the CGA portal.

Blockchain analytics capability is now central to the compliance model. The regulator does not mandate a specific provider, but it expects operators to achieve the necessary functionality through internal systems, external vendors or a combined setup, requiring them to:

• Trace the origin and destination of crypto funds.
• Identify exposure to high-risk or prohibited sources, including mixers, scams, darknet markets and sanctions-linked wallets.
• Risk-score wallets and transactions before or during player activity.
• Screen deposit addresses at the point of deposit.
• Monitor transaction patterns over time.
• Verify source of funds for KYC, enhanced due diligence and audit purposes.
• Screen destination wallets before withdrawals are processed.

Stablecoins Preferred, Privacy Coins Treated as High Risk

The CGA classifies cryptocurrencies as high-risk assets and says operators are expected to conduct asset-specific risk assessments. The policy expresses a preference for fiat-backed regulated stablecoins where operators have a choice, while other crypto assets must be handled according to their risk profile.

Privacy-enhancing assets receive specific attention. The guideline names Monero, shielded Zcash transactions, Dash privacy features and Litecoin’s MWEB as examples of assets or functions that can obscure transaction data and limit monitoring, blockchain analysis and source-of-funds checks.

The policy also requires operators to assess meme coins and highly speculative tokens based on liquidity, volatility, governance maturity and financial-crime risk. Wrapped tokens and bridged assets cannot be accepted where the provenance, backing, custody or transaction history of the underlying asset cannot be independently verified.

Sanctioned cryptocurrency mixers, tumblers, sanctions-listed wallet addresses and assets flagged by recognised blockchain analytics providers fall into the prohibited category. The CGA also reserves the right to designate additional digital assets, token types or transaction mechanisms as prohibited where equivalent risks emerge.

Wallet Ownership, Segregation and Withdrawal Controls

All wallets connected to a licensed operation must be owned or controlled by the licensed legal entity or by an approved group or payment entity. Personal wallets, UBO-linked wallets, employee wallets and informal wallet arrangements are prohibited.

The policy requires segregation between player-flow wallets, operational wallets and treasury wallets. Player funds must be separated from company funds, while hot, warm and cold wallet structures must be documented, risk-assessed and supported by appropriate controls:

• Hot wallets: may support day-to-day deposits and withdrawals, with balances limited to operational needs.
• Warm wallets: may be used for liquidity management with enhanced access and approval controls.
• Cold wallets: may be used for reserves, treasury or longer-term safeguarding, provided access, key management, reconciliation and auditability are maintained.
• Additional safeguards: multi-signature controls, withdrawal whitelisting, MFA, hardware security modules or equivalent measures must be applied where proportionate to wallet value and risk.

For withdrawals, the default expectation is payment to the same wallet and in the same crypto asset as the original deposit. Alternatives are permitted when equivalent controls are documented. A withdrawal to a different wallet can be allowed if the wallet is whitelisted, screened, verified as belonging to the same customer and cleared through KYC/AML checks. Payment in another crypto asset or stablecoin can also be used when the conversion flow is transparent, auditable and conducted through a regulated VASP.

Platform-level player-to-player transfers are not permitted under the guideline.

Travel Rule and Third-Party VASP Oversight

The CGA’s crypto policy incorporates the FATF Travel Rule for transfers involving regulated entities, exchanges, custodial wallet providers and VASPs. Required originator and beneficiary information must accompany applicable crypto-asset transfers and be available to competent authorities on request.

The use of third-party VASPs or payment providers does not transfer compliance responsibility away from the gambling operator. Operators must document due diligence and risk assessments covering AML/CFT controls, Travel Rule capability, sanctions screening, transaction monitoring, operational resilience and transparency.

Incident Reporting Extends to Crypto Failures

Crypto-related incidents must be identified, assessed and reported under the incident reporting requirements established by the LOK. The policy lists several examples that can trigger reporting obligations:

• Compromised private keys, wallet access breaches or unauthorised transactions.
• Exchange outages, blockchain congestion or failed crypto processing.
• Fraud schemes involving coordinated deposit and withdrawal patterns, chip dumping or collusion.
• Material discrepancies in wallet balances or transaction records.
• Exposure to sanctioned wallets, mixers or other prohibited sources.
• Smart contract failures, blockchain forks or chain-level disruptions.

Phased Implementation Runs Until June 2027

The policy enters into force through a phased timetable. Immediate restrictions are already attached to the most sensitive risks, while full technical implementation runs through mid-2027.

• Immediate effect: prohibitions on sanctioned wallets, mixers, prohibited crypto assets, personal or UBO-linked wallets, and operators acting as exchanges, payment providers or VASPs.
• September 2026: operators must upload a crypto policy to the CGA portal, including an adoption and compliance timeline.
• December 2026: licence holders must complete crypto risk assessments, VASP due diligence, wallet ownership controls, transaction monitoring procedures and staff training.
• June 2027: operators must fully implement wallet segregation, blockchain analytics capability, reconciliation processes, withdrawal whitelisting or equivalent controls, and audit-ready record-keeping.

The CGA may require earlier implementation where material risks are identified.

Why This Matters: The Direct Impact on Turkey-Facing Offshore Sites

While these compliance timelines set a strict regulatory roadmap for the global sector, the CGA’s update carries immediate relevance for the Turkish market. Turkish gambling and betting activity is tightly controlled under a domestic licensing structure, and offshore casino or betting sites do not gain local legality by displaying an overseas licence.

A large share of Turkey-facing unauthorised offshore betting and casino sites have historically presented Curaçao licences as part of their public-facing legitimacy claims. Turkish-linked illegal betting investigations have also identified websites whose operating companies displayed Curaçao licences, while international reporting has described how the former sub-licensing model allowed Curaçao-linked operators to expand across regulated markets without local authorisation.

The new CGA framework does not legalise offshore operators in Turkey or any other restricted market. It raises compliance expectations for Curaçao-licensed brands that use crypto payments, including websites, affiliates and mirror-domain networks that reach users in jurisdictions where local authorisation is required.

A Higher Bar for Curaçao-Licensed Crypto Casinos

The guideline signals a shift from broad offshore licensing toward more detailed operational supervision. Curaçao-licensed crypto casinos and sportsbooks will need stronger controls around wallet architecture, transaction screening, asset acceptance, player withdrawals and third-party payment relationships.

Operators with limited chain monitoring, unclear wallet ownership, exposure to privacy-enhancing assets or weak VASP due diligence face a heavier compliance burden. For players and market observers, a Curaçao licence will increasingly depend on how an operator implements the CGA’s crypto controls rather than on the licence label alone.