AML Compliance for Gambling Operators in Bulgaria (2026)

Legal framework

Gambling operators as obliged entities

Under Art. 4(11) of the AMLA, gambling operators are obliged entities within the meaning of the Act. This includes:

• Operators of gambling in gaming halls
• Casino operators
• Online gambling operators
• Operators of betting on the results of sports competitions and random events
• Lottery operators

European framework

The obligations stem from Directive (EU) 2015/849 (Fourth Anti-Money Laundering Directive), as amended by Directive (EU) 2018/843 (Fifth Directive). The gambling sector is expressly included within the scope of obliged entities under Art. 2(1)(3)(f) of the Directive.

National supervisory authorities

• State Gambling Commission (SGC) — the licensing and supervisory authority for gambling activities under the Gambling Act
• State Agency for National Security (SANS) — the competent authority under Art. 108 of the AMLA for receiving and analysing reported suspicious transactions and operations
• National Revenue Agency (NRA) — supervisory authority for the application of the AMLA for certain categories of obliged entities

Amendment of 14 May 2024

With the amendment to the Gambling Act of May 2024 (promulgated in State Gazette No. 40 of 2024), a new coercive administrative measure was introduced — definitive revocation of the issued licence upon systematic violation of specified provisions of the AMLA. “Systematic” means three or more violations within a single calendar year. This measure significantly raises the stakes for non-compliance with AMLA obligations.

CDD threshold — EUR 2,000

Special conditions under Art. 12 AMLA

Art. 12 of the AMLA provides specific thresholds for the application of customer due diligence (CDD) measures by gambling operators:

1. Upon registration in the register under Art. 74(1) of the Gambling Act — identification is performed upon the initial registration of the customer
2. Upon payment of winnings and/or placement of bets at a total value equal to or exceeding the BGN equivalent of EUR 2,000, regardless of whether the transaction is carried out through a single operation or several linked operations
3. Upon purchase, exchange or cashing of chips or other tokens evidencing winnings at a total value equal to or exceeding EUR 2,000

This threshold is significantly lower than the standard threshold of EUR 15,000 for most categories of obliged entities under Art. 11 of the AMLA.

Concept of “linked operations”

Linked operations exist when a customer is paid a winning amount in connection with a bet placed, where the individual amounts do not exceed the AMLA threshold, but their aggregate gives grounds for CDD. For example: repeated and multiple purchases of chips in a gaming hall during a single visit, where the total value reaches EUR 2,000.

When the value of the operation cannot be determined at the time of its execution, CDD measures are applied at the moment the value is determined, if it equals or exceeds EUR 2,000 (Art. 12(2) AMLA).

Customer identification

Which customers are subject to identification

Gambling operators must carry out identification of natural person customers only. This is because the Gambling Act permits only adults with full legal capacity to participate in gambling (Art. 8 GA).

Operators are not required to identify:

• Beneficial owners and legal representatives of legal entity customers
• Proxies of natural or legal person customers

Identification data

Under Art. 53(1) of the AMLA, the following data is collected for natural persons:

• Full name (first, middle and family name)
• Date and place of birth
• Official personal identification number (EGN or LNCh)
• Country of issuance, series and number of the identity document
• Citizenship
• Permanent address or address of residence

Verification of identification

Verification of identification is performed through:

• Presentation of an official identity document (ID card, passport)
• Matching the data in the document with those declared by the customer
• For foreign nationals — a valid passport or residence document

Establishing the source of funds

The declaration is not sufficient

According to NRA Opinion reg. No. M-91-00-45/18.04.2024, for establishing the source of funds it is not sufficient to require from the customer only the declaration under Appendix No. 4 to Art. 47(1) of the AMLA Implementing Regulation (PPZMIP).

Operators must require documents evidencing the source of funds, the type depending on the declared source:

• Employment income: Information about the employer, annual income document, payslip or annual tax return
• Savings: Bank statement and explanation of how the savings were accumulated
• Sale of property: Copy of the transaction agreement, extract from the property register
• Business activity: Financial statements, tax returns
• Inheritance or gift: Certificate of heirs, notarial deed of gift

Risk-based approach

When applying source-of-funds measures, operators must apply a risk-based approach (Art. 25 AMLA). The scope and depth of verification depend on the assessed risk:

• Low risk: Identity document and source-of-funds declaration
• Standard risk: Declaration plus supporting documents
• High risk: Enhanced due diligence — multiple documents, database checks, enhanced monitoring

Politically exposed persons (PEPs)

Obligation to identify

Operators are required to establish whether the customer is a politically exposed person (PEP), a family member of a PEP, or a person known to be closely associated with a PEP (Art. 36–40 AMLA).

According to the NRA Opinion, for this purpose it is not sufficient to require only the declaration under Appendix No. 1 to Art. 26(1) of the PPZMIP. Operators must apply additional measures:

• Checks in public databases and media
• Specialised PEP lists (if available)
• Internal procedure for identifying PEPs

Enhanced CDD for PEPs

When a customer is identified as a PEP, enhanced CDD measures apply (Art. 36(4) AMLA):

• Obtaining approval from senior management
• Adequate measures to establish the source of funds
• Enhanced ongoing monitoring of the business relationship

Internal rules under the AMLA

Content

Under Art. 101 of the AMLA, gambling operators are required to adopt internal rules for the control and prevention of money laundering and terrorist financing. These must include:

1. Criteria for identifying suspicious operations and transactions related to money laundering or terrorist financing
2. Procedures for the use of technical means for preventing and detecting money laundering
3. The internal control system for monitoring compliance with AMLA obligations
4. Procedures for collecting, retaining and disclosing information
5. Procedures for staff training
6. The risk assessment at the obliged entity level
7. Procedures for applying CDD measures

Approval and updates

Internal rules are approved by the senior management of the operator and must be submitted for approval to SANS within 4 months of adoption (Art. 103(5) AMLA). When legislation changes, the rules must be updated and resubmitted.

Risk assessment

Own risk assessment

Art. 98 of the AMLA requires operators to carry out their own risk assessment for money laundering and terrorist financing. The assessment must consider:

Customer-related risk factors:

• Customers from high-risk jurisdictions (EC and FATF lists)
• Politically exposed persons
• Customers with unusually high bets
• Customers who systematically cash chips without significant play

Product-related risk factors:

• Games that allow rapid exchange of large sums (e.g. high-stakes roulette)
• Online gambling with anonymous payment methods
• VIP rooms with reduced monitoring

Geography-related risk factors:

• Location of the premises (border regions, tourist centres)
• Customers from high-risk jurisdictions

Indicators of suspicious operations

Typical indicators in the gambling sector:

• A customer purchases chips of significant value and leaves without playing or after minimal play
• A customer systematically cashes chips at amounts just below the EUR 2,000 threshold (structuring)
• A customer shows lack of interest in the outcomes of the game
• Unusually large amounts inconsistent with the declared source of funds
• A customer seeks to exchange currency by purchasing and immediately cashing chips
• Multiple persons place bets on behalf of the same customer

Reporting obligations

Reporting suspicious operations

Under Art. 72(1) of the AMLA, upon identifying a suspicion of money laundering or terrorist financing, the operator is obliged to notify SANS immediately, before the execution of the operation if possible, or immediately thereafter.

The notification includes:

• Customer identification data
• Description of the operation or transaction
• Grounds for suspicion
• Documents relating to the operation

Reporting operations above certain thresholds

Operations and transactions valued at EUR 2,000 or more are subject to registration and retention, even if they are not suspicious.

Prohibition on disclosure (tipping off)

Art. 78 of the AMLA prohibits obliged entities and their employees from disclosing to the customer or to third parties that a notification has been made to SANS or that a money laundering investigation is being conducted.

Staff training

Obligation under Art. 101(7) AMLA

Operators are required to provide training to their employees on AMLA matters. Training must include:

1. Initial training — upon commencement of employment
2. Periodic training — at least once annually
3. Training upon changes — when significant changes to legislation or internal rules occur

Training content

• Legal framework (AMLA, PPZMIP, Measures Against the Financing of Terrorism Act — ZMFT)
• Procedures for customer identification and verification
• Indicators of suspicious operations in the gambling sector
• Internal reporting procedures
• Employee responsibilities
• Sanctions for non-compliance

Documentation

Training must be documented — date, participants, topics, trainer. Documentation is retained and may be requested during inspections.

AML compliance officer

Appointment

Under Art. 106 of the AMLA, gambling operators are required to designate a senior management employee responsible for the implementation of AMLA measures. This officer must:

• Have direct access to senior management
• Have the necessary resources and access to information
• Be promptly notified by staff of suspicious operations

Functions

• Coordination of the internal control system
• Decision-making on reporting to SANS
• Organisation of training
• Maintenance of registers and documentation
• Liaison with supervisory authorities

Record retention

Periods

Under Art. 67 of the AMLA:

• Identification documents and information are retained for 5 years after termination of the business relationship
• Data on operations and transactions is retained for 5 years after execution

Data protection

Retention must comply with Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Act. Access to data must be restricted to authorised persons.

Sanctions for non-compliance

Administrative sanctions under the AMLA

Art. 116 of the AMLA provides:

• For legal entities: property sanction of BGN 2,000 to 20,000 (approximately EUR 1,000 to 10,000) for a first violation, and BGN 5,000 to 50,000 (approximately EUR 2,500 to 25,000) for a repeat violation
• For particularly serious violations: up to BGN 2,000,000 (approximately EUR 1,000,000) or up to 10% of annual turnover

Licence revocation

Under the May 2024 amendment to the Gambling Act, upon three or more AMLA violations within a single calendar year, the SGC may apply a coercive administrative measure — definitive revocation of the licence.

Criminal liability

In cases of serious violations (deliberate failure to report, facilitation of money laundering), criminal liability may be engaged under Art. 253–253b of the Criminal Code.

Practical recommendations

1. Invest in a technical solution — an automated transaction monitoring system that generates alerts when thresholds are reached
2. Train staff regularly — croupiers and cashiers are the first line of defence
3. Update internal rules — after every amendment to the AMLA or SANS guidance
4. Document everything — during inspections by the SGC or SANS, the availability of complete documentation is decisive
5. Do not rely solely on declarations — require supporting documents for the source of funds
6. Build a compliance culture — from the top down, from management to every employee

Conclusion

The obligations of gambling operators under the AMLA are substantial and continue to expand. The lowered threshold of EUR 2,000 (versus the standard EUR 15,000), combined with the new measure of licence revocation for systematic violations, makes compliance activity of vital importance for the sector. A systematic approach — encompassing internal rules, training, technical infrastructure and effective monitoring — is the only way to manage regulatory risks.

The Innovires Legal team can assist you with developing internal AML rules, conducting risk assessments, training staff, and ensuring full compliance with the AMLA. Contact us for a consultation.

This article is prepared for informational purposes only and does not constitute legal advice. For specific questions regarding the application of the AMLA in the gambling sector, please consult a qualified legal adviser. The information is current as of the publication date (28 March 2026) and may be affected by subsequent legislative changes.