Celton Manx Limited, the Isle of Man-based company behind SBObet, has agreed to pay a discretionary civil penalty of GBP3.94 million ($5.01 million) following a regulatory investigation by the Isle of Man Gambling Supervision Commission (GSC), which uncovered widespread and systemic breaches of the jurisdiction’s anti-money laundering and countering the financing of terrorism (AML/CFT) framework.
The penalty stems from a compliance inspection initiated in October 2024, shortly before Celton Manx surrendered its license under the Online Gambling Regulation Act 2001 (OGRA) on May 9th, 2025. The GSC conducted an anti-money laundering review based on a sample of customer files and found multiple failings under the Gambling (Anti-Money Laundering and Countering the Financing of Terrorism) Code 2019.
Among the most serious breaches were the operator’s failure to ensure that its Network Partners were applying AML standards at least equivalent to those mandated in the Isle of Man. The company also lacked adequate systems for customer monitoring, as required by paragraphs 15(2) and 15(6) of the Code, and failed to perform risk assessments on customer exposure to money laundering, terrorist financing, and proliferation financing, contravening paragraph 8(2).
Further issues included the absence of documentation showing customer risk assessments in accordance with paragraphs 8(3) to 8(8), and the inability to identify and verify legal arrangements and persons under paragraph 10(3) to 10(5). Celton Manx was also unable to provide evidence of a Business Risk Assessment as required by paragraph 6(1), nor had it implemented Enhanced Due Diligence procedures in high-risk scenarios, contrary to paragraph 14(1) to 14(4).
The investigation revealed gaps in customer identity verification processes (paragraph 11), failures to act on suspicious activity (paragraph 15(4)), and a Technology Risk Assessment policy that was too generic and infrequently reviewed, violating paragraph 7. Compliance monitoring procedures were also deemed inadequate under paragraph 25, and the appointed MLRO and AML/CFT compliance officer lacked sufficient expertise, falling short of requirements under paragraphs 21 and 25.
On at least one occasion, Celton Manx failed to submit a Suspicious Activity Report (SAR) to the Financial Intelligence Unit in a timely manner, breaching paragraphs 22 and 24. The company also did not maintain suitable procedures for record retrieval as mandated by paragraph 18, and its training program failed to meet the requirements of paragraph 27, particularly in tailoring content to the Network Services Model and ensuring all staff completed necessary training.
Despite the gravity of the findings, the Commission acknowledged that Celton Manx cooperated fully and constructively with the investigation, admitting the breaches early and entering into a settlement that resulted in a 30 percent discount on the original penalty of GBP5.63 million ($7.17 million).
While the Commission’s review did not extend to determining whether money laundering had actually occurred, Celton Manx maintained that its internal investigations did not identify any such activity or any customer detriment.
The GSC reiterated that licensees are expected to uphold the highest standards of governance, compliance, and risk management. The Commission’s National Risk Appetite Statement, issued in May 2025, emphasized that operators targeting higher-risk regions such as East and Southeast Asia will face increased scrutiny and must demonstrate sophisticated risk controls.
While companies from the mentioned regions are in theory still free to apply for an Isle of Man license, in practice it has led to an exodus of existing license holders and many B2C operators and B2B suppliers now looking at other jurisdictions, such as Anjouan, Curacao or Nevis instead.
