On May 6, 2026, three more U.S. states — Oklahoma, Tennessee, and Louisiana — edged within striking distance of final votes on bills that would criminalize the sweepstakes-casino business model. They join California, which under AB 831 made operating a sweepstakes casino a misdemeanor and, critically, extended liability to every vendor in the value chain: payment processors, geolocation providers, gaming content suppliers, platform providers, financial institutions, and media affiliates. New York’s Attorney General has already forced 26 platforms out of the state. Eight states have now passed bans. The dual-currency promotional model that fueled a multi-billion-dollar industry is being legislated out of existence in real time.
For AML and compliance leaders, this is not a gaming-industry story. It is a financial-crime governance story that will define your 2026 examination cycle. If your bank, BaaS sponsor, processor, MSB, or geolocation vendor touches a sweepstakes operator, the question is no longer whether you have AML controls. The question is whether those controls can prove, in writing and on the record, that you are not aiding and abetting an unlicensed gambling enterprise.
- What Actually Changed: From Operator Risk to Vendor Liability
The structural break in 2026 is the move from operator-only liability to ecosystem liability. For years, sweepstakes operators argued that a dual-coin promotional model — Gold Coins for fun, Sweeps Coins redeemable for prizes — sat outside state gambling statutes. State attorneys general have rejected that argument, and legislators have responded by writing the contrary view directly into criminal codes.
California’s AB 831 is the template. It does not stop at the operator. It captures any entity that knowingly supports the operation — payment processors, geolocation certifiers, KYC providers, BaaS sponsors, content suppliers, and even media affiliates running paid promotions. New York’s enforcement-first posture, Mississippi’s licensing carve-outs, and the May 2026 OK/TN/LA bills follow the same architecture. The result is a single, urgent compliance question: do you know which of your merchants, sub-processors, or program managers depend on this revenue line, and have you priced in the exit risk?
2. The AML Angle: It Is Bigger Than “Is This Gambling?”
When a state declares an activity unlawful, the funds it generates are, by definition, proceeds of illegal activity. That triggers a chain of AML obligations that most institutions have not stress-tested for the sweepstakes vertical.
Suspicious Activity Reports must surface the fact that an operator’s revenue is sourced from a banned activity within a specific state. Volume-based rules will not catch this; geographic-rule logic and customer-status reviews will. Beneficial Ownership and Customer Due Diligence files described a “social gaming” or “promotional sweepstakes” model — the legal characterization has now changed, and periodic refresh is no longer a calendar exercise but the moment your file either documents the change or memorializes that you missed it. Sanctions and affiliated-party screening must account for offshore promotional vendors designed for jurisdictional arbitrage; once an activity is illegal in California or New York, that layering pattern looks materially different to an examiner. And the line between fraud and AML — chargebacks, mule activity, bonus abuse — is no longer defensible as separate workstreams on these merchants.
3. Geolocation: From Marketing Tool to Compliance Evidence
Geolocation was historically a player-experience and licensing-attestation control. Under the new statutes, it becomes evidentiary. If a California or New York user can transact on a sweepstakes platform after the ban’s effective date, the platform — and any vendor certifying its controls — is exposed. Operators that relied on perimeter-only geofencing without periodic independent re-certification, drift testing, VPN/proxy detection, and audit logs are now sitting on a control deficiency that converts into legal liability the moment a regulator subpoenas the logs.
Independent Certification of Geolocation Controls is no longer a marketing badge. It is the document an operator’s General Counsel needs in their drawer when a state AG’s civil investigative demand arrives, and the document a sponsor bank or processor will need before continuing the relationship into Q3 2026.
4. The Banking-Stack Question: Sponsor Banks, BaaS, and High-Risk Processing
Sponsor banks and BaaS providers are already being pushed by examiners to demonstrate end-to-end visibility into program managers and their merchants. Sweepstakes is now the cleanest stress test of that visibility. Three questions every program management team should be able to answer this quarter: Which downstream merchants in your program derive revenue from sweepstakes coin sales — directly, through aggregator routes, or through affiliated entities? How fast can you stop processing for a specific state’s residents on a specific operator, and can you evidence that lookback to an examiner within 48 hours? And where do redemption-side flows route — to consumer wallets, to gift-card rails, to ACH, to crypto off-ramps — and is each route in your enterprise risk assessment with a documented control?
These are not theoretical questions. They are the questions the next OCC or state DFS examination will open with, and they are the questions sponsor-bank credit committees are using to decide whether to maintain or exit specific program-manager relationships.
5. What Smart Operators and Their Vendors Are Doing Right Now
The market is not waiting for federal preemption — there isn’t going to be any. The institutions and operators that will be standing in Q4 2026 are taking five concrete steps: reclassifying the enterprise-wide risk assessment to move sweepstakes from “emerging high-risk” to “named high-risk” with quantified state-by-state revenue concentration; implementing state-segmented blocking with audit trails — not a single global toggle, but granular, state-specific, effective-date-aware blocking with retained evidence of every block; sequencing independent AML and geolocation audits before state action, because an audit completed before a CID is far more useful than one completed after; refreshing sub-processor and program-manager diligence, with contracts amended now to add representations about underlying merchant activity, audit rights, and immediate-termination triggers; and adopting fractional Chief Compliance Officer coverage where in-house capacity is thin, because operators that lost their CCO last year will not hire fast enough.
FinCheck’s Perspective and the Way Forward
At FinCheck LLC, we have spent the last two years advising sweepstakes operators, sponsor banks, MSBs, BaaS platforms, and high-risk processors on exactly this vertical. Our view, candidly, is that this is not a regulatory cycle that resets. The dual-coin model as it has been operated will not survive 2026 in its current form, and the institutions that financed it must now demonstrate they are not financing what is becoming a domestic predicate offense in eight (and counting) states.
The work splits into three lanes. First, for operators: an honest, fast independent AML and geolocation audit, a state-by-state revenue and exposure map, and a credible wind-down or re-licensing plan for affected states — before the AG decides the timeline for you. Second, for banks, BaaS, and processors: an immediate program-level review of downstream merchant exposure, contract uplift, refreshed CDD/EDD on every sweepstakes-adjacent customer, and a documented decision file on each relationship. Third, for vendors — geolocation certifiers, KYC/AML tooling, payment gateways: a clear-eyed look at AB 831’s vendor-liability framing and your own written representations about the legality of customer use cases.
The institutions that treat May 2026 as the start of the exam cycle, not the end of an industry story, will be the ones still operating in this space when the dust settles. The ones that wait for a subpoena to start the file will spend 2027 explaining to regulators why they didn’t.
Engage FinCheck
FinCheck LLC partners with FinTechs, MSBs, crypto platforms, gaming and sweepstakes operators, and their banking and processing stacks to deliver independent AML audits, geolocation control certification, fractional Chief Compliance Officer coverage, BSA/AML risk assessments, and state Money Transmitter Licensing support. If your 2026 examination cycle includes any sweepstakes-adjacent exposure, the time to look at the file is now — not in the response window after a state CID lands.
