Written by: Kacper Osiewalski, Lead Backend Engineer, Digital Colliers
The UK affordability trigger sits at £150 net deposits per rolling 30 days. That's the number your risk team is measured against, and it's the number the Gambling Commission expects you to see in something close to real time. The problem isn't the rule. The problem is that most operators can't compute the input.
The threshold is a join, not a number
Net deposits per rolling 30 days sounds like a single figure. In practice it's a windowed sum over every deposit, minus every withdrawal, per player identity, across every product they touch. If a player deposits £80 into the sportsbook wallet on day one, £40 into casino on day fourteen, and £50 into poker on day twenty-eight, you're already at £170. None of your product teams see it. Your payments team sees three separate authorisations to three separate merchant descriptors.
The RCI guidance that came into force in August 2022 and expanded in 2024 assumes you can answer questions like this on demand. The regulator is not interested in why your data model makes it hard.
Where the silos actually sit
If you've grown by acquisition, or you white-label a vertical, the shape is familiar. You end up with something like this:
Sportsbook on one platform, with its own wallet and its own player ID.
Casino on a second platform, often a third-party RGS, with a different player ID mapped by an internal service.
Poker on a third stack, frequently the oldest and least loved.
Payments as a fourth system, with PSP-level records that don't cleanly map to product wallets.
KYC and CRM as fifth and sixth, holding the golden customer record that nobody fully trusts.
Each system has its own definition of a deposit. Some count the authorisation, some count settlement, some count the wallet credit. Refunds, chargebacks, bonus conversions and inter-wallet transfers all muddy the number. You can compute net deposits inside any one product in an afternoon. Computing it across all of them, per player, on a rolling window, in minutes rather than days, is a serious data engineering problem.
Why batch ETL won't save you
The pattern I keep seeing is a nightly job that stitches product data into a warehouse, a BI dashboard for compliance, and a manual review queue the next morning. That worked when the regulator was asking annual questions. It does not work when the threshold is a rolling 30-day window and interventions are expected before harm accrues.
Around one in four UK-licensed operators fails to achieve a satisfactory AML rating on first assessment. When you read the public enforcement notices, the same phrases keep appearing: the operator did not identify the trigger in time, the operator relied on a monthly review, the operator's systems did not aggregate across brands. That is not a policy failure. That is a data pipeline failure with a policy label on it.
The cost of getting it wrong is not abstract. UK penalties for the most serious AML breaches reach up to 15% of gross gaming yield. Kindred publicly reported £14M in compliance-team cost in 2023, and that is the price of doing it reasonably well, not the price of getting it wrong.
What the joined player view actually needs
If you're planning this work for 2026, the shape of the build is roughly:
A canonical player identity service that maps every product-level ID to one person, including historic aliases from acquired brands.
A streaming event bus where every deposit, withdrawal, bonus, refund and transfer lands within seconds, tagged with product, wallet, and PSP reference.
A materialised rolling-window aggregate per player, keyed on that canonical ID, refreshed on every event rather than nightly.
A rules layer that fires interventions when the aggregate crosses £150, or the earlier internal thresholds most operators set below it.
An audit trail that lets you show the regulator, on request, exactly what you knew about a player at any given minute.
None of the individual pieces are exotic. Kafka or Kinesis, a warehouse with streaming ingestion, a feature store, a rules engine. The hard part is the identity resolution and the definitional work: agreeing, across product owners who each think their number is right, what a deposit is.
The cost of leaving it
Every month you run without a joined view, you're accepting two risks. The first is regulatory: an intervention you failed to make becomes evidence in an enforcement case. The second is commercial: your responsible gambling team spends its day running SQL by hand instead of talking to players who need the conversation. Neither risk shows up on a roadmap until it shows up in a public notice.
The £150 threshold isn't going away, and it isn't going up. The operators who'll be comfortable in 2026 are the ones treating the joined player view as core infrastructure, not a compliance side project.
Sources
This article was originally published on the Digital Colliers Blog. Digital Colliers helps DACH and UK companies implement AI — see our AI consulting services or contact us.
Top comments (0)