In October 2025, the UK Gambling Commission fined Platinum Gaming Limited ÂŁ10 million for anti-money laundering failures. It was not an isolated case. Throughout the year, the Commission penalized more than a dozen operators for similar violations, and the root cause kept repeating: inadequate source-of-funds checks. Criminals know this is the soft spot in iGaming compliance, the gap between verifying who someone is and verifying where their money comes from.
At VerifyPDF, we process thousands of financial documents every month, and fake bank statements are among the most common submissions we receive from online gambling operators. The pattern we see is consistent: casinos invest heavily in ID verification but barely glance at the bank statements and utility bills that come in alongside it. That imbalance is exactly what fraudsters exploit.
This post breaks down the three document categories every online casino must verify, the red flags in each and why automated PDF forensics is the only realistic way to catch tampered documents at scale.
The three documents every casino must verify (and why only one gets serious attention)
Online gambling regulations across the EU, UK and most licensed jurisdictions require operators to collect three categories of documents during KYC onboarding and ongoing due diligence:
- Identity documents, passports, national ID cards, driving licenses. Used to confirm the player is who they claim to be.
- Proof of address, utility bills, council tax letters, bank correspondence. Confirms the player’s residential address matches their declared location.
- Source of funds, bank statements, payslips, tax returns, investment statements. Required when a player’s deposits exceed certain thresholds or trigger enhanced due diligence.
Here is the problem: most operators have invested significantly in category one. They use identity verification providers that scan passports with NFC chips, run biometric face matching and check documents against government databases. That part of the stack is mature.
But categories two and three? Those are still handled by a compliance analyst opening a PDF, squinting at it and making a judgment call. And that is where the fraud happens.
As we covered in our analysis of why ID verification alone is not enough, confirming someone’s identity says nothing about whether their bank statement is real. A player can pass ID checks with a genuine passport and then submit a completely fabricated bank statement showing income they do not have. The identity is real. The financial document is fake.
Red flags in fake bank statements that manual reviewers miss
Bank statements are the most commonly forged financial documents we see at VerifyPDF. This tracks with what we described in the rising threat of fake bank statements, they are easy to forge, widely required and difficult to verify visually.
For iGaming compliance teams specifically, here are the red flags that matter:
Metadata inconsistencies. Every PDF carries metadata, the software that created it, the creation date, modification timestamps, font libraries. A genuine bank statement generated by HSBC’s online banking portal will have a consistent producer signature. A document edited in Adobe Acrobat or created from a template in Canva will not. This is invisible to the human eye but immediately detectable by document forensics software.
Font mismatches. When fraudsters edit a PDF, they rarely have access to the exact proprietary fonts a bank uses in its statements. They substitute close alternatives. At normal zoom levels, you cannot tell the difference. At the binary level, the font tables do not match what the bank actually uses.
Round numbers and suspicious patterns. Fraudsters creating source-of-funds documentation tend to use round deposit amounts (€5,000.00 on the first of every month) and clean balances. Real bank accounts are messy, direct debits come out on different days, amounts vary and balances fluctuate irregularly. A compliance analyst looking at a two-page statement might not catch this, but pattern analysis across thousands of known-genuine statements will.
Inconsistent formatting between pages. Banks generate statements programmatically. That means every page has identical margins, headers, footers and table structures. When a fraudster edits one page (say, to inflate a balance) the formatting often shifts slightly, a header that is 2 pixels higher, a column that is 1mm wider. You will not see this. Software will.
Creation software does not match the issuing bank. If a Barclays statement was supposedly generated by Barclays’ system but the PDF producer field says “Microsoft Word” or “wkhtmltopdf,” something is wrong. In our experience, this single check catches a significant percentage of amateur forgeries.
Proof of address: the weakest link in iGaming KYC
If bank statements are the most targeted document, proof of address is the least scrutinized. And fraudsters know it.
A utility bill or council tax letter typically contains very little verifiable information. There is a name, an address, a date and an amount. No transaction history, no complex formatting, no security features. That makes them trivially easy to forge.
Here is how simple it is: a fraudster downloads a utility bill template from Telegram or a dark web marketplace, changes the name and address, exports to PDF and submits. These templates are widely available, as we detailed in our coverage of social media template farms. The entire process takes less than five minutes.
What should compliance teams look for?
- Template reuse. Fraudsters share templates, which means the same underlying PDF structure gets submitted by different players. Document forensics can fingerprint the creation signature and flag when the same template appears multiple times across different accounts.
- Mismatched dates. A utility bill dated January 2026 should have been created around that time. If the PDF metadata shows it was created in March 2026 (or worse, five minutes before submission), that is a red flag.
- Image-based PDFs. Some fraudsters scan a printed template or take a screenshot of an edited document and convert it to PDF. This destroys the text layer and makes traditional text extraction impossible. But it also means the document has no selectable text, a strong indicator that someone is trying to hide the document’s origins.
- Geographic inconsistencies. The address on the utility bill says London, but the player registered from an IP in Romania and their ID was issued in a different country. None of these are conclusive alone, but cross-referencing documents against each other (and against registration data) surfaces patterns that individual document review misses.
Why automated document checks outperform manual review in gambling compliance
Let’s be direct: manual document review does not scale in online gambling.
A mid-sized online casino might process hundreds of KYC document submissions per day. During major sporting events or promotional periods, that number spikes. Each submission typically includes 2-4 documents.
A thorough manual review of a bank statement takes 15-20 minutes if done properly. That includes checking formatting, cross-referencing metadata and verifying the issuing bank’s known PDF structure. Most compliance teams do not have that kind of time.
So they do a quick visual check instead. Does it look like a real bank statement? Is the name correct? Does the balance seem reasonable? That level of review might catch a badly made fake, but it will not catch a sophisticated one.
The UK Gambling Commission’s enforcement records tell a consistent story: AML and social responsibility failings are the predominant categories of regulatory action. The operators had identity verification in place. What they lacked was meaningful scrutiny of the financial documents.
Automated document forensics changes the equation in three ways:
- Speed. VerifyPDF checks a document in less than 5 seconds. That means a four-document KYC submission gets fully analyzed in under 20 seconds instead of 30-60 minutes of manual review.
- Consistency. A human reviewer’s accuracy drops after the 50th document of the day. Software does not get tired, does not have a bad Monday and does not develop blind spots. Every document gets the same level of scrutiny as the first.
- Depth. Automated analysis checks things humans cannot see: metadata signatures, binary-level font tables, creation tool fingerprints and structural anomalies. These patterns only emerge when comparing against known-genuine templates from thousands of banks and institutions.
This does not mean you fire your compliance team. It means you let software handle the detection layer so your analysts can focus on investigating flagged cases rather than manually eyeballing every PDF that comes in. As we explored in AI fraud detection vs manual checks, the most effective setup is a hybrid approach, automated screening with human judgment on escalated cases.
What regulators expect (and what they fine you for)
Regulators are not vague about their expectations. The UK Gambling Commission, the Malta Gaming Authority (MGA) and Curaçao’s new regulatory framework all require operators to conduct enhanced due diligence that goes beyond identity verification.
The MGA’s AML/CFT framework, enforced jointly with Malta’s Financial Intelligence Analysis Unit (FIAU), requires operators to conduct customer due diligence including source-of-funds checks when player activity exceeds defined thresholds. “Verify” does not mean “glance at.” It means conducting checks sufficient to detect forgery.
Recent enforcement actions paint a clear picture:
- UK, October 2025: Platinum Gaming Limited (operator of Unibet) fined ÂŁ10 million. The Commission found repeated AML failures including inadequate source-of-funds checks on high-spending players.
- Lithuania, 2024: Olympic Casino Group fined €8.4 million after a former fund manager gambled millions in stolen money through their platform. The documents submitted during compliance checks should have raised red flags but did not.
- Netherlands, July 2025: The Kansspelautoriteit (KSA) issued official warnings to three licensed operators for AML breaches, citing inadequate customer due diligence and deficient transaction monitoring.
The trend is clear. Regulators are moving from “did you collect the documents?” to “did you actually verify them?” And “a team member looked at it” is no longer an acceptable answer.
How to build a document verification layer that actually works
If you are running compliance for an online casino, here is a practical framework:
Step 1: Stop accepting screenshots and photos. Require original PDF documents for bank statements, utility bills and payslips. Images and screenshots destroy the metadata layer that makes forensic analysis possible. This single policy change eliminates a huge category of low-effort fraud.
Step 2: Automate first-pass screening. Route every incoming document through automated forensics before a human touches it. The system should check metadata consistency, font integrity, structural formatting, creation tool signatures and cross-reference against known templates. Documents that pass get approved automatically. Documents that get flagged go to a human analyst for review.
Step 3: Cross-reference across document types. A player submits a passport, a utility bill and a bank statement. The name should match across all three. The address on the utility bill should match the bank statement. The dates should make sense together. Automated cross-referencing catches inconsistencies that individual document review misses.
Step 4: Build a feedback loop. When your team confirms a fraudulent document, feed that data back into your detection system. Over time, you build a library of known fraud patterns specific to your player base and the markets you operate in.
At VerifyPDF, we have built our system around exactly this workflow. Our API processes documents in under 5 seconds, assigns risk ratings (Trusted, Low risk, Needs attention, High risk) and provides detailed analysis of every flag detected, giving your compliance team the information they need to make fast, defensible decisions.
The cost of getting this wrong
Getting document verification wrong in iGaming is not just a regulatory risk. It is a business survival issue.
A single AML fine can run into the millions. License revocations shut operators down entirely. And beyond the direct financial impact, there is reputational damage, players check licensing status and a public enforcement action erodes trust fast.
But there is a less obvious cost too. When fraudsters successfully submit fake bank statements and forged source-of-funds documentation, they are often laundering money through your platform. That puts your casino on the wrong side of criminal investigations, not just regulatory ones.
The operators who get this right treat document verification as a core part of their infrastructure, not an afterthought bolted onto identity checks. They invest in automated document forensics, they require original PDFs and they build cross-referencing into their workflows.
The ones who do not? They end up in enforcement reports.
If you are building or upgrading your iGaming compliance stack, try VerifyPDF to see how automated document forensics catches what manual review cannot. Your compliance team will thank you. Your regulator will too.