The iGaming Go-Live Checklist: 47 Things to Verify Before Your First Real-Money Bet

Section 1: Legal and Licensing

1. Gaming license physically issued (not applied for — issued)

Applied-for status isn't sufficient to legally accept deposits. Confirm the license is issued, valid, and covers your planned product types (casino, sports betting, poker).

2. License displayed on website correctly

Regulator name, license number, and where required — a clickable verification link. Check your regulator's specific requirements for how license information must be displayed.

3. Terms and Conditions reviewed by a qualified iGaming lawyer

Not drafted by AI, not copy-pasted from another site. Reviewed by a lawyer who specializes in gaming law in your license jurisdiction. Pay the €3,000–€8,000 — it's cheap insurance.

4. Privacy Policy GDPR-compliant (or equivalent for your jurisdiction)

For operators serving EU players: full GDPR compliance required. Includes: data controller identification, legal basis for processing, retention periods, player rights, DPA contact.

5. Responsible Gambling policy published and accurate

Your RG page must accurately describe the tools you actually have implemented. If you say players can set deposit limits and the deposit limit feature isn't working, you've a regulatory compliance failure from day one.

6. Cookie consent banner functional and compliant

Required for EU players. Implement properly — pre-ticked boxes aren't compliant under GDPR.

7. Age verification process tested end-to-end

18+ verification at registration. Test the flow for players who enter an underage date of birth. They must be blocked, not just warned.

8. Geoblocking configured and tested

Every jurisdiction where you're not licensed to operate must be blocked. Test with VPN from restricted countries to confirm the block functions. Document which countries are blocked and why.

9. Affiliate agreement template reviewed by legal

Your affiliate T&Cs determine your financial exposure and fraud protection. Don't use an unreviewed template.

10. Domain registered and trademarked (where appropriate)

Confirm you own your domain and have filed for trademark protection in your primary markets. Brand protection from day one costs less than enforcement later.

Section 2: Compliance and KYC

11. KYC flow tested for all verification types

Test: passport, national ID card, driver's license. Test selfie matching. Test address verification. Test on both desktop and mobile. Test with intentionally poor-quality documents to see how the system handles them.

12. KYC provider live and integrated (not just contracted)

Signed contract ≠ live integration. Have QA tested the KYC flow from player perspective? Have you received and reviewed a real verification result?

13. AML transaction monitoring configured with correct thresholds

Define your monitoring rules before going live. What transaction patterns trigger review? What amounts trigger enhanced due diligence? Document the thresholds and the process.

14. MLRO appointed and trained (where required)

MGA and UKGC require a designated Money Laundering Reporting Officer. This person must be named, qualified, and operational before you accept deposits.

15. Self-exclusion system tested with real test account

Create a test account, self-exclude it, then attempt to register a new account with the same email, same device, same payment method. All three should be blocked. If any path allows re-registration, the self-exclusion is broken.

16. National self-exclusion register integration tested (where applicable)

GAMSTOP (UK), CRUKS (Netherlands), Spelpaus (Sweden) — if your license requires integration, it must be live and tested before launch.

17. Responsible gambling tools all functional

Deposit limits, session time limits, reality checks, cooling-off periods, loss limits. Each must be tested with a real account. Particularly test that limit reductions take effect immediately and limit increases have the required cooling-off period.

18. Suspicious Activity Report (SAR) procedure documented

Who receives SAR reports internally? Who files with the relevant authority? What's the timeline? What level of suspicious activity triggers a SAR vs. Internal monitoring? Document this before your first suspicious transaction occurs.

19. Player funds segregation verified (where required)

MGA and several other jurisdictions require player funds to be held in segregated accounts separate from operational funds. Confirm this is implemented correctly with your bank and documented.

20. Customer support team RG training completed

Customer support staff who will interact with players must have responsible gambling training. They need to know how to identify distress signals, how to respond, and how to escalate.

Section 3: Payments

21. Minimum two payment processors live and tested

Not contracted — live. Make a real test deposit with each processor. Make a real test withdrawal. Confirm funds arrive in the correct wallet.

22. All advertised payment methods tested with real transactions

If your website shows Visa, Mastercard, NETELLER, and Bitcoin, all four must work before you go live. Don't advertise payment methods that are pending integration.

23. Withdrawal flow tested end-to-end including KYC trigger

Test: player deposits → plays → requests withdrawal above the KYC threshold → KYC documents uploaded → verified → withdrawal processed → funds received. The entire flow.

24. Withdrawal processing time tested against your advertised SLA

If you say "withdrawals within 24 hours," test whether your system actually delivers that. The first week of operations will have manual review overhead — account for it.

25. Anti-fraud rules configured

Velocity limits: maximum deposits per hour, per day. Card use: one card per account rule. Multiple account detection: same card used on multiple accounts triggers review.

26. Chargeback management process documented

When a chargeback arrives (and it will), who handles it? What evidence do you submit to the processor? What's the timeline? Have this documented before the first one arrives.

27. Currency conversion rates and fees transparent to players

If you charge a conversion fee, it must be disclosed before the player deposits. Hidden currency fees are a source of player disputes and regulatory attention.

28. Bonus payment flows tested

If you've a welcome bonus, test the entire flow: deposit → bonus credited → wagering tracked → wagering completed → bonus converted to withdrawable balance → withdrawal processed. Every step.

Section 4: Technical

29. SSL certificate active and valid

HTTPS everywhere. The .app TLD (igaminghub.app) requires HTTPS by default — good. Verify the certificate is valid for all subdomains you use.

30. Load testing completed

What happens when 1,000 players are simultaneously active? When 5,000? Have you tested? If you haven't load-tested, you don't know whether your launch marketing will take down your site.

31. Mobile performance benchmarked

Google PageSpeed Insights and Core Web Vitals on mobile. Target: LCP under 2.5 seconds on 4G. Any score below "Good" is revenue loss on mobile.

32. Game loading tested on low-end Android devices

Most of your players won't have premium smartphones. Test on a mid-range Android device (2–3 year old, 3G/4G connection) to understand the real player experience.

33. RNG certification obtained from approved lab

For your platform's in-house games and any games not certified by studios. Required by most license jurisdictions.

34. Backup and disaster recovery tested

When the database goes down, how long does recovery take? Have you tested the restore process? What's the maximum acceptable downtime? Document and test the answer.

35. Data backup encryption verified

Player data is sensitive. Backups must be encrypted. Verify that your backup process includes encryption and that the decryption key is securely stored separately from the backup.

36. Platform SLA agreement executed with your provider

Get the SLA in writing. What's the uptime guarantee? What are the financial penalties for breach? How is downtime calculated and reported?

Section 5: Game Content

37. All game categories populated and tested

Slots, live casino, table games, crash/fast games. Every category that appears on your site must have live, functional games behind it. Empty category pages kill trust.

38. Game rules pages accurate and in player's language

Each game should have accessible rules in the player's language. This is a regulatory requirement in many jurisdictions.

39. RTP values accurate and displayed (where required)

Several jurisdictions require RTP to be displayed per game. Verify accuracy — incorrect RTP display is a regulatory violation.

40. Live casino tested during peak hours

Live casino has table capacity limits. Test during your expected peak hours to ensure table availability is adequate. A player who can't find an open seat churns.

41. New game integration process documented

When a new studio release happens next week, who's responsible for getting it live? What's the expected timeline? Document the process so it happens smoothly under normal operations.

Section 6: Marketing and Acquisition

42. Welcome bonus terms clear, fair, and regulatory-compliant

No unreasonable wagering requirements. No hidden game restrictions. Maximum win caps clearly disclosed. Bonus expiry clearly stated. Have legal review the bonus terms.

43. Bonus abuse detection configured

Multiple accounts using the same bonus: detected and blocked. Minimum odds requirement for sports bonuses: enforced. Device fingerprinting for multi-accounting: active.

44. Affiliate tracking platform live and tested

Affiliate link → click tracked → registration tracked → FTD tracked → commission calculated. Test the entire flow before your first affiliate sends traffic.

45. Email marketing and transactional email flows tested

Welcome email: delivered? Bonus notification: delivered? KYC request: delivered? Password reset: delivered? Check spam folder placement — transactional emails landing in spam lose players at critical moments.

46. Customer support channels tested with realistic queries

Live chat: what's the actual response time? Email: what's the actual response time? Test with realistic queries (bonus question, withdrawal question, game issue) and measure the quality of response.

47. Analytics and reporting baseline established

Google Analytics or equivalent (GA4) configured and tracking. Payment processor dashboards accessible. Platform reporting verified against manual calculation. Day 1 data must be clean — retrofitting analytics after launch loses your most valuable early data.

The Pre-Launch Sign-Off Process

Before your go-live date:

One week before:

Run through sections 1–4 (legal, compliance, payments, technical). Everything should be green. Red items block launch.

Three days before:

Run through sections 5–6 (content, marketing). Any yellow items should be resolved or have documented mitigation plans.

Day before:

Full smoke test: create a new player account, complete KYC, make a deposit, receive a welcome bonus, play 10 rounds of a slot and a live table game, request a withdrawal, verify receipt. If any step fails — you're not ready.

Launch day:

Monitor payment acceptance rates, registration conversion, live chat queue depth, and game availability in real-time. Have your platform provider and payment processor contacts on standby.

What to Do When You Find a Problem

Red flag (blocks launch):

• Any compliance or KYC failure
• Payment deposit or withdrawal not working
• License not physically issued
• Self-exclusion system not working

Yellow flag (document and monitor):

• Performance below target but functional
• Secondary payment method issues
• Non-critical content gaps

Post-launch priority:

Any item identified as yellow must have an owner, a deadline, and a resolution date. Weekly review until all items are green.