Five AML training gaps we see repeatedly in Gibraltar iGaming firms
Gibraltar's iGaming sector is one of the most heavily supervised gambling jurisdictions in the world. The Gibraltar Gambling Commissioner and the GFSC (for those operators that also hold financial services permissions) both conduct regular supervisory visits, and AML compliance is consistently among the top areas of focus.
Despite this, the same training failures appear repeatedly across operator compliance programmes, from small B2B suppliers to large B2C platforms. These are the five we encounter most often.
1. Training mapped to UK or Malta regulation, not Gibraltar
The majority of off-the-shelf AML e-learning platforms are built for the UK gambling market, with content referencing the Gambling Commission, UKGC Licence Conditions and Codes of Practice, and the Money Laundering Regulations 2017. Some platforms offer a Malta variant referencing MGA requirements.
None of this content is adequate for Gibraltar. The Gibraltar Gambling Commissioner operates under a distinct legal framework: POCA 2015 rather than POCA 2002, the Gambling Act 2025 rather than the UK Gambling Act 2005, and the Commissioner's own Social Responsibility Codes of Practice rather than the UKGC's equivalent.
Staff who complete UK-focused AML training have not been trained in Gibraltar AML law. They cannot identify the relevant authority for a SAR disclosure (the GFIU, not the NCA), and they may be unaware that the tipping-off restrictions under POCA 2015 section 37 differ in important respects from the UK equivalent.
2. No role differentiation
A standard practice in poorly designed training programmes is to give the same content to every member of staff, regardless of their function or exposure to AML risk. The customer support agent who processes withdrawal queries faces entirely different risks to the MLRO, the payments team lead, or the director with board-level accountability.
POCA 2015 and the GFSC Guidance Notes both require a risk-based approach to training, meaning that the content, depth, and frequency of training should be proportionate to the role's exposure. Senior managers and directors must understand governance obligations that are irrelevant to junior staff. Customer-facing staff need detailed training on identifying at-risk behaviour and suspicious activity indicators. These are not the same programme.
3. Annual training with no ongoing reinforcement
Most operators complete AML training once per year, often at onboarding and then annually thereafter, and consider the obligation satisfied. The GFSC's position is that this is a minimum, not a standard, particularly for operators with higher-risk customer bases or business models.
Ongoing reinforcement, whether through short scenario-based modules, policy reminders following regulatory updates, or periodic supervisor briefings, is increasingly expected as part of an adequate training programme. Regulators distinguish between firms that treat training as a compliance checkbox and those that use it as a genuine control.
4. No verification of understanding
Attendance records are not the same as training records. A member of staff who sat through a one-hour e-learning module and clicked through to completion may have retained nothing of substance. The GFSC's AML Guidance Notes are explicit that training should include a means of verifying comprehension, typically an assessment.
In supervisory visits, the Commissioner and GFSC are increasingly asking to see assessment scores, not just completion records. Firms that cannot demonstrate that staff understood the training, not merely that they attended it, are in a weaker evidential position.
5. No audit trail for regulatory purposes
When a supervisory visit or enforcement investigation occurs, the first request is typically for the training log. Firms that maintain training records in spreadsheets, email chains, or the individual memory of the MLRO are consistently found wanting.
A complete training audit trail includes: the date of training, the specific topics covered, the format (in-person, e-learning, scenario-based), the individual's assessment result or confirmation of comprehension, and the name of the person responsible for delivering or commissioning the training.
This record needs to be producible on request, covering at minimum the past three years. For firms with high staff turnover, maintaining records for former employees is equally important. A training gap relating to a departed member of staff who handled high-risk accounts is still a gap.
Closing these five gaps does not require a large training budget or an external consultant. It requires Gibraltar-specific content, role-differentiated delivery, regular reinforcement, comprehension assessment, and a clean audit trail. Each of these is achievable within the structure of any existing compliance programme.