Ireland Puts Remote Bookmakers on High Alert in 30-Point Money Laundering Plan

Key Points

• Ireland’s updated national risk assessment rates remote bookmakers as carrying “significant” money laundering risk, the highest level in the gambling sector, a step up from their lower classification in 2018 and 2019.
• Private members’ gambling clubs must hold a licence for the first time, and those operating without proper certification face criminal penalties.
• Every gambling operator must move to a closed-loop payment system, and the GRAI will publish a due diligence standard covering cryptocurrency accepted as a source of betting funds.

On 18 June, the Irish government released a national financial crime risk assessment alongside a 30-point action plan that pushed remote bookmakers to the highest money laundering risk level the country has ever assigned to a gambling operator. Tánaiste and Minister for Finance Simon Harris stood alongside Minister for Justice Jim O’Callaghan to present the plan, the first time Ireland has refreshed its gambling risk framework since 2018 and 2019.

Remote bookmakers carried a lower risk profile under the previous review. Now they sit at “significant,” sharing the top of the scale with only one other category: private members’ gambling clubs. Every other part of Ireland’s gambling sector sits below them on the rating. What separates this review from earlier ones is what comes attached to it. Specific legal obligations now follow the risk ratings, and for operators and marketers working in this space, that is the part worth reading carefully.

Remote Bookmakers Draw the Sharpest End of the New Rules

The upgrade did not come from nowhere. Three structural features of remote bookmaking pushed it to the top of the risk scale. Volume is the first problem. Deposits, withdrawals, bonus credits and account transfers run through these platforms in their thousands every single day, producing a financial flow wide enough to make consistent monitoring genuinely difficult. Prepaid cards are the second issue. A customer can load one and use it to fund a gambling account without any connection to a verified bank account, which makes tracing the actual source of funds far harder than it looks. White-label arrangements sit at the third concern. The operator a customer interacts with may be fronting for a company whose ownership structure and compliance record are almost impossible to verify from outside.

Harris did not leave much room for interpretation. “Criminals are becoming increasingly sophisticated, exploiting technology, operating across borders and adapting rapidly to change. The government cannot stand still in the face of these threats,” he said. For remote operators, the “significant” label is not administrative paperwork. Enhanced customer due diligence follows. Stronger transaction monitoring follows. Closer oversight from the Gambling Regulatory Authority of Ireland follows. Compliance programmes designed around the 2018 and 2019 ratings are already out of date.

Private Members’ Clubs Step into Regulated Territory

The remote bookmaker reclassification touches a familiar part of the market. The private members’ club decision is something else entirely: it closes a gap that Irish gambling law has carried for decades without fixing. These are members-only venues running live poker tables, slot machines and casino-style games. Under the Gaming and Lotteries Act of 1956, they were simply not treated as gambling businesses, which meant no licence, no AML obligations, and no duty to report anything suspicious to anyone.

Under the new plan, that position is gone. Private members’ clubs must now register with the Anti-Money Laundering Compliance Unit in the Department of Justice, a requirement that did not exist for them in any form before this plan was published. Directors and beneficial owners must obtain certificates of fitness from An Garda Síochána, renewed every three years. Running one of these clubs without that certification is now a criminal offence. Fines reach €5,000. Imprisonment of up to 12 months applies on summary conviction.

The risk assessment is clear about why this gap finally had to close. Cash moves through these venues regularly, and adequate controls have not existed to track it. The closed membership model means unusual behaviour is almost invisible to anyone not already inside. The government also raised a specific concern: criminal enterprises acquiring or quietly controlling these clubs, then using the exclusivity model as a wall against outside scrutiny. And because no licensing framework existed, nobody actually knows how large this segment is or how much money moves through it. That blind spot, built up over decades of zero regulation, is what the GRAI is now being asked to map.

Closed-Loop Payments and Crypto Checks Now Cover the Whole Market

The two high-risk categories draw most of the attention, but two separate requirements land on every operator in the sector, and both of them reach into the relationship between operators and their marketing partners. The closed-loop payment rule is the first. Whatever account a customer uses to deposit money must be the account that receives any withdrawal. Deposit by debit card, withdraw to that same debit card. No exceptions built into the rule.

What this removes is a well-used route: money enters a gambling account from one place, then leaves to a completely different destination, passing through the platform like a transit point. That technique, known as layering, pushes funds across multiple accounts to make the original source harder to find. The closed-loop rule cuts that route off. For operators running large volumes of customer accounts, wiring this control into existing payment infrastructure is not a minor update.

Cryptocurrency is the second requirement. The GRAI will publish an industry-wide standard for due diligence covering crypto accepted as a source of betting funds, setting a common benchmark all operators must reach. Operators will need clear procedures for checking where deposited crypto comes from, proper documentation of anything that looks unusual, and tighter onboarding for customers arriving with digital assets. O’Callaghan described the full package as “a practical roadmap for keeping Ireland’s response effective, proportionate and fit for purpose.”

Marketers running campaigns around crypto deposit options need to take note of this one specifically. Source-of-funds checks will add friction to some customer journeys. Any promotional message built around the speed or simplicity of crypto deposits will need to reflect what the onboarding process actually looks like once the GRAI standard lands. Selling a frictionless experience that no longer exists is a compliance problem as much as a marketing one.

Irish Regulators Have Already Proved They Will Use These Powers

There is a recent and specific example of how Irish regulators respond to AML failures. In November 2025, the Central Bank fined Coinbase Europe Limited €21,464,734 for failing to properly monitor more than 30 million transactions between 2021 and 2025. The cause was coding errors in Coinbase’s transaction monitoring system, not deliberate evasion. The Central Bank did not treat that distinction as a reason to reduce the seriousness of the breach. The fine became the first enforcement action the regulator had taken against a crypto firm, and one of the four largest penalties in its history.

The Coinbase case sat in financial services rather than gambling. What it established, though, travels across sectors: technical monitoring failures carry the same weight as deliberate non-compliance under Irish AML law. The GRAI is being built inside that same enforcement culture. Across Europe, the direction is the same. In July 2025, the Dutch Kansspelautoriteit issued formal instructions to three gambling operators for failing to investigate the source of players’ funds and for inconsistent risk classification, with warnings that heavier sanctions would follow if the problems were not fixed. Gambling regulators across the continent are receiving more enforcement tools. They are also using them.

The GRAI Is Still Finding Its Feet

The GRAI was formally established on 5 March 2025 under the Gambling Regulation Act 2024, replacing a fragmented system where separate agencies applied separate rules to separate parts of the gambling market. The AMLCU holds the competent authority position for now, during the transition. Full consolidation of supervisory powers under the GRAI is still moving through public consultation and draft secondary regulations, a process that has no fixed public completion date.

The plan does not pretend otherwise. Licensing reforms are still running. The transfer of authority between agencies is incomplete. Specific regulatory detail for certain categories, machine-based casinos among them, has not yet been set out in full. A dedicated national taskforce will coordinate efforts against terrorist financing and sanctions evasion, pulling in the Defence Forces, An Garda Síochána, the Central Bank and Revenue under the same structure.

Timing is the real limitation. The GRAI is a young regulator and the framework around it is still taking shape in stages. Several obligations within the 30-point plan cannot be enforced until secondary regulations are formally in place, and those regulations have not yet been published. O’Callaghan acknowledged the gap while keeping the commitment clear. “The government will continue to monitor emerging risks and update its response as necessary to ensure Ireland remains resilient in the face of a rapidly evolving threat environment,” he said.

Expert Analysis

Three elements of this plan carry immediate practical weight. The closed-loop payment rule is binary: a payment system either meets the requirement or it does not, with no grey area available for regulators or operators to debate. Mandatory licensing for private members’ clubs introduces a compliance requirement to a segment that has never carried one, and the criminal penalties sitting behind it make non-compliance a direct personal risk for directors and beneficial owners, not just an organisational one. Once the GRAI publishes the crypto due diligence standard, operators will have a fixed benchmark to be audited against. Right now, that standard does not exist. When it does, there will be no ambiguity about what is expected.

For marketers, the closed-loop rule and the crypto standard change the product sitting behind every campaign. A longer withdrawal journey because of payment routing rules is a changed customer experience. Crypto onboarding that now requires source-of-funds documentation is a changed customer experience. Affiliate campaigns, welcome offer structures, and crypto deposit promotions all of them need to reflect what the product actually is now, not what it was before this plan landed. The compliance environment and the marketing environment have merged. Treating them as separate is no longer an option.