The Curaçao Gaming Authority (CGA) has published a comprehensive guide on cryptocurrency policies for licensed iGaming operators. Released on June 24, the guidance is aimed at B2C license holders and covers all cryptocurrency operations, including deposits, betting, withdrawals, and treasury management. It also applies to group structures supporting licensed activities.
The regulator classifies cryptocurrencies as high-risk assets and favors operators working with regulated fiat-backed stablecoins. Here are the key points highlighted by iGN:
Direct Prohibitions:
- Operators are prohibited from acting as exchanges, payment services, or VASPs, converting cryptocurrencies among themselves or to fiat, offering trading, exchanges, as well as storage, transfer, and wallet services outside gaming operations.
- Acceptance of assets linked to sanctioned mixers and tumblers, as well as wallets from sanctions lists or flagged by blockchain analytics, is forbidden.
- Wrapped and bridge assets whose origin, backing, or history cannot be independently verified are banned, including wrapped versions of well-known cryptocurrencies.
- Personal wallets, beneficiary wallets, and employee wallets are prohibited; player funds must be stored in segregated wallets, and players cannot transfer funds to each other within the operator's product.
Analytics and Compliance Requirements:
- Implementation of blockchain analytics and transaction monitoring to track the origin of funds and identify high-risk sources (the regulator mentions Chainalysis, Elliptic, and TRM Labs but does not prescribe a specific provider).
- Wallet screening at the deposit stage and verification of the destination wallet before withdrawals.
- Compliance with the Travel Rule (FATF Recommendation 16) for transfers between regulated VASPs, including the transfer of sender and receiver data to the regulator upon request.
- Verification of third-party VASPs, with compliance responsibility remaining with the operator.
Specific Asset and Wallet Classes:
- The licensee's policy must address private cryptocurrencies that obscure transaction data (Monero, Zcash, Dash, Litecoin MWEB).
- Memecoins require categorization based on liquidity, volatility, management maturity, and financial crime risk.
- Accepting funds from non-custodial wallets and through DeFi protocols is allowed with wallet ownership verification and risk control.
- Pooled and omnibus wallets are permissible if transactions can be attributed to specific players.
Implementation Timeline:
- Immediate: Prohibitions on sanctioned wallets, mixers, banned assets, and operator roles as VASPs.
- By September 2026: Uploading the crypto policy to the CGA portal with an adaptation schedule.
- By December 2026: Risk assessments, VASP verification, wallet ownership control, and staff training.
- By June 2027: Complete wallet segregation, blockchain analytics, transaction reconciliation, and whitelisting addresses for withdrawals.
The guide does not introduce new obligations but details AML/CFT requirements already embedded in the LOK 2024, transitioning cryptocurrency operations into a full compliance perimeter with specific operational steps and deadlines extending to 2027.