How a Compliance Lead Files a SAR in 30 Minutes Instead of 5 Days
BastionPlay is an MGA-licensed European operator headquartered in Malta, running casino, sportsbook, and poker verticals for approximately 25,000 monthly active players across EUR and GBP markets. The platform generates around €8M per week in gross gaming revenue — a scale that puts it firmly in regulatory crosshairs. As Head of Risk & Compliance, Elena Vasquez is responsible for ensuring that every suspicious transaction is identified, investigated, and reported before it becomes a regulatory incident.
Products used: AML Transaction Monitoring, Network Analysis, Regulatory Reporting
30 minutes | full investigation and SAR package compiled
7 | linked accounts identified across the cluster
€340K | in suspicious funds frozen pending regulatory review
Challenge
Tuesday mornings begin the same way for Elena: a coffee, a review of overnight alerts, and — at least once every few weeks — the particular sinking feeling that comes from finding a structuring pattern in the overnight transaction log.
Structuring is one of the most time-consuming AML alerts to investigate properly. Unlike a single large suspicious transaction, structuring cases are defined by what's conspicuously absent: each individual deposit sits just below the threshold that triggers automatic enhanced due diligence. The €10,000 reporting threshold is a bright line that every serious money launderer knows by heart. The pattern isn't one transaction — it's seven accounts, forty-one deposits, and a coordinated fund flow that looks unremarkable in isolation and deeply suspicious in aggregate.
Before Gaming Mind AI, an investigation like this was a multiday ordeal. Elena's team would start by pulling the flagged accounts from the transaction system, then manually cross-reference against player records in a separate KYC tool, then query payment processor logs, then build a link analysis by hand in a spreadsheet to identify shared devices, IPs, and beneficiaries. Each tool lived in a different system. Each export required a different format. Pulling together a complete picture — transaction history, network connections, fund flow diagram, and regulatory threshold analysis — took three to five business days of focused analyst work. The SAR would land on the FIU's desk four or five days after the pattern was first spotted, by which time the money had long since moved.
"Structuring cases are the hardest thing we investigate, because the signal is spread across accounts that all look clean individually. You have to see the whole picture at once — the deposits, the network, the fund flow — and you have to do it fast enough for a freeze to matter. That's not possible when your data lives in six different systems."
— Elena Vasquez, Head of Risk & Compliance, BastionPlay
The MGA expects SARs to be filed promptly. "Promptly" isn't defined with a precise clock, but the practical standard among compliance officers is same-day or next-day for high-confidence cases. BastionPlay was consistently three to five days behind that standard — not from negligence, but from the sheer mechanical effort of assembling evidence across disconnected systems.
Solution
On this particular Tuesday, the overnight monitoring system had flagged seven accounts for an unusual clustering of deposits between €8,500 and €9,800. Elena opened Gaming Mind AI at 8:47 a.m. and described what she'd been sent. Thirty minutes later, she had a complete evidence package on her screen and was drafting the SAR.
Here's how the investigation unfolded:
Elena: "I've got seven accounts flagged overnight for potential structuring — deposits consistently just below €10K. Can you pull the full transaction history and show me what the pattern looks like across all seven?"
| Account | Deposits (18 days) | Min Deposit | Max Deposit | Total | Peak Hours |
|---|---|---|---|---|---|
| ACC-001 | 7 | €8,500 | €9,700 | €55,300 | 10 PM–2 AM |
| ACC-002 | 6 | €8,700 | €9,800 | €54,200 | 10 PM–2 AM |
| ACC-003 | 7 | €8,600 | €9,750 | €56,100 | 11 PM–2 AM |
| ACC-004 | 5 | €8,500 | €9,600 | €43,900 | 10 PM–1 AM |
| ACC-005 | 6 | €8,800 | €9,800 | €52,700 | 11 PM–2 AM |
| ACC-006 | 5 | €8,500 | €9,700 | €42,900 | 10 PM–2 AM |
| ACC-007 | 5 | €8,600 | €9,800 | €36,100 | 11 PM–2 AM |
| Total | 41 | €8,500 | €9,800 | €341,200 | 10 PM–2 AM |
⚠️ Gaming Mind flags: High-confidence structuring pattern detected — 41 deposits across 7 accounts over 18 days, every single one between €8,500 and €9,800, never once crossing the €10,000 reporting threshold. Aggregate sum of €341,200 would have triggered mandatory enhanced due diligence reporting seven times over as a single transfer. Timing cluster (10 PM–2 AM) is inconsistent with recreational player behaviour.
The pattern crystallised immediately. Across seven accounts, forty-one deposits had landed over eighteen days — every single one between €8,500 and €9,800, with a hard ceiling that never once crossed €10,000. The timing distribution was equally revealing: deposits clustered between 10 p.m. and 2 a.m. local time, with a sharp drop-off during business hours. Gaming Mind flagged this as a high-confidence structuring pattern and noted that the aggregate sum — €341,200 — would have triggered mandatory enhanced due diligence reporting seven times over had it arrived as a single transfer.
Elena: "Are any of these accounts connected to each other? Shared IPs, devices, phone numbers, anything linking them at the registration or KYC stage?"
| Link Type | Identifier | Accounts Sharing | First Shared | Most Recent Shared |
|---|---|---|---|---|
| IP Address | 185.220.xx.11 | ACC-001, ACC-002, ACC-004, ACC-006 | Day 1 | Day 17 |
| IP Address | 185.220.xx.47 | ACC-002, ACC-003, ACC-005, ACC-007 | Day 3 | Day 18 |
| IP Address | 91.108.xx.92 | ACC-001, ACC-003, ACC-004 | Day 2 | Day 14 |
| Device Fingerprint | DFP-A1B2 | ACC-001, ACC-004, ACC-006 | Day 1 | Day 16 |
| Device Fingerprint | DFP-C3D4 | ACC-002, ACC-005 | Day 4 | Day 18 |
| Phone Number | +356 79xx xxxx | ACC-003, ACC-007 | Day 5 | Day 12 |
⚠️ Gaming Mind flags: All 7 accounts are a single coordinated entity operating 7 aliases. Accounts were registered across a 6-week window — staggered just enough to avoid triggering pattern-based registration alerts individually, but fully visible when mapped as a network. Three shared IPs appear across at least 4 accounts each; two device fingerprints span multiple account logins; one phone number was reused across two registrations.
The network map made Elena's stomach drop. All seven accounts weren't seven strangers — they were a tightly connected cluster. Three shared IP addresses appeared across at least four accounts each, two device fingerprints appeared in multiple account logins, and one phone number had been used across two accounts during registration. Gaming Mind drew the network in seconds, annotating each link with the first and most recent shared-session timestamps. What had appeared to be seven individual low-value depositors was a single coordinated entity operating seven aliases. The accounts had been registered across a six-week window — staggered just enough to avoid triggering pattern-based registration alerts individually, but visible the moment you mapped them together.
Elena: "Show me the fund flow. Where are the deposits coming from, and where are the withdrawals going?"
| Direction | Payment Method | Sender / Recipient Name | Matches Account Name | Amount (EUR) | Jurisdiction Risk |
|---|---|---|---|---|---|
| Inbound | E-wallet A | "Sender Name 1" | No | €112,400 | Standard |
| Inbound | E-wallet B | "Sender Name 2" | No | €98,600 | Standard |
| Inbound | Bank card | "Sender Name 3" | No | €81,300 | Standard |
| Inbound | Crypto on-ramp | "Sender Name 1" | No | €48,900 | Elevated |
| Outbound | E-wallet (consolidated) | Withdrawal Dest. A | — | €187,400 | Standard |
| Outbound | Bank account | Withdrawal Dest. B | — | €153,800 | 🔴 Elevated (layering flag) |
⚠️ Gaming Mind flags: Platform used as a pass-through. Deposits arrived through 4 payment methods under 3 distinct sender names — none matching any registered account name. Withdrawals concentrated to 2 destinations: one e-wallet received €187,400 across the cluster; one bank account in an elevated-risk jurisdiction received the remainder. Wagering-to-deposit ratio across all 7 accounts: 4.3% vs. platform average of 67%.
The money came in through four different payment methods — two e-wallets, a bank card, and a crypto on-ramp — spread across three distinct sender names, none of which matched the registered account name on any of the seven profiles. It flowed out through two withdrawal destinations: a single e-wallet that had received €187,400 across the cluster, and a bank account in a jurisdiction Gaming Mind flagged as elevated-risk for layering activity. The platform had been used as a pass-through. Deposits arrived, minimal wagering activity occurred — enough to technically satisfy bonus terms but nowhere near the level consistent with recreational play — and then withdrawals exited to consolidated destinations. The wagering-to-deposit ratio across all seven accounts was 4.3%, compared to a platform average of 67%.
Elena: "What's the wagering activity like on these accounts? I need to know if there's any legitimate gaming activity or if this is pure pass-through."
| Metric | 7 Flagged Accounts | Platform Average | Variance |
|---|---|---|---|
| Wagering-to-deposit ratio | 4.3% | 67.0% | 🔴 −62.7 pp |
| Total deposits | €341,200 | — | — |
| Total wagered | €14,700 | — | — |
| Avg session duration | <4 minutes | ~38 minutes | 🔴 −90% |
| Game type | Low-volatility slots (near-100% RTP) | Mixed verticals | 🔴 Anomalous |
| Avg stake per bet | Near minimum | Market-rate | 🔴 Minimum only |
| Bonus-hunting activity | None | Present | 🔴 Absent |
| Progressive jackpot activity | None | Present | 🔴 Absent |
| Live casino sessions | None | Present | 🔴 Absent |
⚠️ Gaming Mind flags: Wagering activity is a thin veneer of legitimacy — 4.3% wager rate is 12× below platform average. All wagering concentrated in minimum-stake, near-100% RTP slots. No behavioral signatures of genuine recreational play (no bonus-hunting, no progressive jackpot activity, no live casino). Pattern matches known pass-through typology: gaming used instrumentally to cycle funds through deposit-withdrawal loop.
The numbers were stark. The seven accounts had collectively wagered €14,700 out of €341,200 in total deposits — a 4.3% rate that sits twelve times below the platform average. What little wagering occurred was concentrated in low-volatility slots with near-100% RTP, placing minimum stakes, in sessions averaging under four minutes. Gaming Mind surfaced a pattern it had seen in previous cases on the platform: accounts using gaming as a thin veneer of legitimacy while routing funds primarily through the deposit-withdrawal cycle. The activity was technically within ToS limits, but it bore none of the behavioural signatures of genuine recreational play — no bonus-hunting, no progressive jackpot activity, no live casino sessions. The platform had been instrumentalised.
Elena: "Pull the regulatory threshold analysis. I need to document exactly how each account stayed below the reporting threshold and what the aggregate exposure is."
| Account | No. of Deposits | Max Single Deposit | Min Gap Between Deposits | Account Total | MGA Threshold Breached? |
|---|---|---|---|---|---|
| ACC-001 | 7 | €9,800 | 44 hrs | €55,300 | No (individually) |
| ACC-002 | 6 | €9,750 | 48 hrs | €54,200 | No (individually) |
| ACC-003 | 7 | €9,800 | 42 hrs | €56,100 | No (individually) |
| ACC-004 | 5 | €9,700 | 50 hrs | €43,900 | No (individually) |
| ACC-005 | 6 | €9,800 | 46 hrs | €52,700 | No (individually) |
| ACC-006 | 5 | €9,700 | 44 hrs | €42,900 | No (individually) |
| ACC-007 | 5 | €9,800 | 42 hrs | €36,100 | No (individually) |
| Cluster Total | 41 | €9,800 | 42 hrs (min) | €341,200 | 🔴 Yes — 34× over aggregate threshold |
⚠️ Gaming Mind flags: Architectural precision confirmed — maximum single deposit €9,800, minimum inter-deposit spacing 42 hours, designed to defeat per-transaction monitoring. Combined cluster total of €341,200 breaches the EU AML aggregate threshold 34× over. Report formatted as a structured regulatory exhibit with citations to specific MGA and EU AML framework articles, ready to attach directly to a SAR as a supporting exhibit.
Gaming Mind generated the threshold analysis as a structured regulatory exhibit. Each of the seven accounts showed the same architectural precision: maximum single deposit of €9,800, minimum spacing of forty-two hours between deposits, aggregate individual account totals ranging from €34,000 to €67,000. The combined cluster total of €341,200 was broken down against both the MGA's individual transaction reporting obligations and the EU's AML threshold framework, with citations to the specific articles. Elena didn't write a line of this — it arrived formatted, referenced, and ready to attach to a SAR as a supporting exhibit.
Elena: "Generate the SAR evidence package. I need everything — account profiles, network diagram, fund flow, threshold analysis, and your assessment of the ML typology."
| SAR Package Component | Status | Detail |
|---|---|---|
| Account summaries (×7) | 🟢 Complete | KYC flags and registration anomalies highlighted per account |
| Network graph | 🟢 Complete | All shared IPs, device fingerprints, phone numbers annotated with timestamps |
| Fund flow diagram | 🟢 Complete | Amounts, payment methods, and flagged destination jurisdictions included |
| Regulatory threshold analysis | 🟢 Complete | Per-account and cluster-level breakdown; MGA and EU AML citations |
| FATF typology classification | 🟢 Complete | Sub-typology: deposit structuring with minimal wagering as pass-through mechanism |
| SAR recommendation | 🟢 Complete | Confidence level stated; plain-English narrative for FIU analyst |
| Compilation time | — | <40 seconds |
⚠️ Gaming Mind flags: Complete SAR evidence package generated in under 40 seconds. Typology maps to FATF guidance on layering through gambling platforms (deposit structuring, minimal wagering, pass-through). Package is regulator-ready — pre-formatted with MGA audit template headings and FATF classification codes. FIU analyst can read and act on the plain-English narrative in 90 seconds.
The complete package landed in Elena's screen in under forty seconds. It contained: seven individual account summaries with KYC flags and registration anomalies highlighted; the network graph with all shared identifiers annotated; the fund flow diagram with amounts, payment methods, and flagged destination jurisdictions; the regulatory threshold analysis as a standalone exhibit; and a typology classification mapping the pattern against the FATF guidance on layering through gambling platforms, specifically the sub-typology of deposit structuring with minimal wagering as a pass-through mechanism. Gaming Mind included a SAR recommendation with a confidence level and a plain-English narrative of the suspected activity — the kind of summary a financial intelligence analyst at the FIU could read in ninety seconds and understand completely.
Elena: "Before I file, are there any other accounts on the platform that have interacted with any of these seven — received transfers, shared bonus codes, anything?"
| Account | Connection Type | Shared Identifier | Last Overlap | Confidence | Action |
|---|---|---|---|---|---|
| EXT-001 | Secondary | Shared IP (cluster IP-2) | 6 weeks prior | 🟡 Medium | 30-day watchlist |
| EXT-002 | Secondary | Shared IP (cluster IP-1) | 4 weeks prior | 🟡 Medium | 30-day watchlist |
| EXT-003 | Secondary | Shared device fingerprint (DFP-A1B2) | 6 weeks prior | 🟡 Medium | 30-day watchlist |
⚠️ Gaming Mind flags: Three additional accounts surfaced with secondary connections to the primary cluster — two via shared IPs, one via a shared device fingerprint, all dating back 4–6 weeks. None meet the threshold for immediate SAR inclusion. All three added to BastionPlay's internal watchlist with automatic re-evaluation at 30 days. SAR covers the core 7 accounts with a note that the investigation remains ongoing.
Gaming Mind ran a sweep of the full account population against every identifier tied to the seven flagged accounts. Three additional accounts surfaced with secondary connections — two had logged in from an IP that appeared in the primary cluster, one had used a shared device fingerprint once, six weeks prior. None met the threshold for immediate SAR inclusion, but Gaming Mind flagged all three for enhanced monitoring and recommended a 30-day watchlist with automatic re-evaluation. Elena added them to BastionPlay's internal watchlist with a single click, and the SAR filed covered the core seven with a note that the investigation was ongoing.
Results
SAR filed the same day instead of 3–5 business days later
Elena filed the SAR with Malta's FIAU at 9:19 a.m. — thirty-two minutes after she opened the investigation. The complete evidence package was attached. The previous baseline for a case of this complexity was three to five business days of analyst time. The speed advantage matters beyond compliance optics: the freeze was in place before the accounts could initiate further withdrawals.
€340K in suspicious funds frozen at the right moment
All seven accounts were suspended and the €340K in deposits was frozen pending regulatory review within the same morning session. The two primary withdrawal destinations received freeze notifications through the payment processors before any further outbound transfer could be processed. Timing is everything in AML — and the gap between a Tuesday morning freeze and a Friday afternoon SAR is, in many cases, the gap between recovering funds and not.
A 7-account network identified that no single-account alert would have caught
The structuring architecture was specifically designed to defeat single-account monitoring. Each account, reviewed individually, cleared every automated threshold. It was the network view — shared IPs, device fingerprints, fund flow concentration — that revealed the coordinated structure. Gaming Mind surfaced the complete network in under two minutes of conversation, a process that would have taken Elena's analysts the better part of a day using manual cross-referencing across systems.
A regulator-ready evidence package, not a compliance team's rough notes
The SAR that went to the FIAU was not an internal draft that needed reworking before submission. It arrived pre-formatted, with FATF typology classifications, MGA regulatory citations, and a structured narrative. Elena reviewed and submitted it as-is. The quality of the package reduces back-and-forth with regulators and demonstrates the kind of systematic monitoring capability that MGA licensing reviews specifically evaluate.
Three additional accounts flagged for monitoring before they escalated
The extended network sweep identified three secondary accounts that didn't meet SAR thresholds but warranted watchlist placement. Under the previous process, these accounts would not have been identified at all during the initial investigation — the manual workload of the primary case consumed the full bandwidth of the analyst team. Catching secondary connections early is how compliance teams prevent a resolved case from re-opening six weeks later.
"Thirty minutes from first flag to filed SAR. I've never done that before in fifteen years of compliance work. And it wasn't a rushed job — the evidence package was better than anything we'd produced manually, because the AI could see every connection simultaneously across all seven accounts. The MGA expects prompt filing. For the first time, 'prompt' actually means what it's supposed to mean."
— Elena Vasquez, Head of Risk & Compliance, BastionPlay
Read in another language
Want to see how Gaming Mind AI can help your operation?
Get a Demo