Last year, Norway’s gambling regulator fined Norsk Tipping NOK 36 million. The offense was not fraud. It was not money laundering. A bug in the operator’s iOS app had disabled self-exclusion tools for several months. Players who wanted to stop gambling could not. The regulator classified the failure as regulatory negligence and priced it accordingly.
That fine sat in the trade press for a day or two before the next compliance story arrived. It deserved more attention. Not for the amount — $3 million barely registers in an industry where a single six-month period produced roughly $160 million in global gambling penalties in 2025 — but for what the episode reveals about where regulators are now drawing the line. Infrastructure failures are no longer operational mishaps. They are, in the eyes of licensing authorities across multiple jurisdictions, the operator’s liability.
The implications run well beyond self-exclusion tools.
The Verification Layer Nobody Audits
An iGaming platform’s compliance stack typically receives scrutiny at three points: the KYC vendor contract, the AML monitoring dashboard, and the legal team’s jurisdiction-by-jurisdiction licensing brief. What tends to sit outside that scrutiny is the communication infrastructure that makes identity verification possible in the first place — specifically, the delivery of the one-time password that gates account creation, deposit authorization, and, in markets like Brazil, re-authentication after 30 minutes of device inactivity.
This is not a theoretical concern. Player abandonment across the online gambling industry runs at roughly 70%, with verification friction — including technical failures at the authentication step — cited as a primary driver alongside data-privacy reluctance. A portion of those failures trace back to OTP non-delivery: the code was sent, the carrier routed it, and the player never saw it. No error is logged. The platform records a drop-off. Someone attributes it to UI friction and moves on.
The cost of that drop-off is already significant purely as lost revenue. Against the regulatory environment now taking shape, it carries an additional weight. Brazil’s Secretaria de Prêmios e Apostas, which moved from guidance to active enforcement at the start of 2026, has already issued fines targeting platforms with weak identity verification protocols. The regulator now mandates real-time validation of Brazil’s national tax ID against the federal Receita Federal database at the point of onboarding. Verification that fails at the communication layer — because the OTP never arrived — does not satisfy that requirement, regardless of how robust the KYC tooling behind it is.
Fines under Brazil’s framework can reach R$2 billion in extreme cases. More practically, the operative punishment is license revocation, which removes an operator from the fastest-growing regulated iGaming market in Latin America. That market, alongside Mexico, Colombia, and Peru, is projected to exceed $10 billion in combined online gaming revenue within the next few years.
The Problem with SMS as a Single Source of Truth
There is a related structural issue that deserves more candid discussion in operator boardrooms than it currently receives.
SMS OTP now accounts for roughly 89 percent of all international A2P SMS traffic, making it the largest single attack surface in most iGaming applications. That concentration creates fraud exposure. It also creates a different kind of regulatory risk, which has been building across financial-services regulators for the past 18 months. FINRA in the United States retired SMS as an acceptable authentication factor by July 2025. The UAE Central Bank gave financial institutions until March 2026 to eliminate SMS and email OTPs entirely — a deadline that has now passed. India’s Reserve Bank is moving toward the same position for digital payments. Singapore and Malaysia have issued parallel directives to their major banks.
These are financial services regulators, not gaming authorities. The iGaming industry is not yet subject to the same mandates. The trajectory matters regardless. Operators expanding into newly regulated markets, many of which are actively building their compliance frameworks by reference to financial services standards, are building on a channel whose regulatory shelf life is contracting.
The standard industry response to this is to add WhatsApp as an alternative OTP channel. That is a reasonable first step. It is not, on its own, a strategy. WhatsApp requires internet connectivity, is restricted in several relevant markets, and introduces its own compliance considerations under Meta’s API policies. Voice OTP offers reach advantages where smartphone penetration is lower. RCS is becoming viable in specific geographies. The question is not which single alternative replaces SMS. The question is how delivery logic is structured so that the optimal channel for each user, in each market, at each moment, is selected automatically — and that a pre-built fallback sequence triggers without requiring player action or support intervention when the primary channel fails.
Infrastructure as a Compliance Argument
In my work with iGaming operators, I find that CPaaS infrastructure is generally treated as a procurement decision: cost per message, API reliability, coverage maps.
Among the operators I’ve worked with that are expanding into European and LATAM markets simultaneously, the sequence tends to look the same. The compliance stack gets built carefully — KYC vendor selected, AML monitoring configured, legal counsel engaged market by market. The communication layer gets procured: a tier-one SMS provider, competitive per-message pricing, a solid uptime SLA on paper. The two workstreams rarely speak to each other.
The problem surfaces later, usually at the worst possible moment. An operator launches in a new jurisdiction, acquisition spend is running, and a segment of players in that market quietly stops converting at the verification step. Not dramatically — no error spike, no system alert. Just a softening in the registration completion rate that takes weeks to properly diagnose. When we trace it back, the cause is almost always the same: a carrier route performing below threshold in that specific market, an OTP expiry window too short for the actual delivery latency, or a channel with lower penetration than the team assumed when they chose it as the default. By that point the operator has already absorbed the acquisition cost for every player who didn’t make it through.
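As an added illustration, not code from this article or from any operator or vendor it describes, the following Python sketch puts the two preceding points together: the per-market channel chain with automatic fallback argued for above, and the route-level monitoring that would surface the three failure causes just listed (a route below threshold, an expiry window shorter than real delivery latency, a default channel with weaker reach) before they show up as a softening registration rate. The market policy, thresholds and carrier behaviour are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed market policy (assumption): ordered channel chain per market.
CHANNEL_CHAIN = {
    "BR": ["sms", "whatsapp", "voice"],
    "NO": ["sms", "voice"],
    "DEFAULT": ["sms", "whatsapp", "voice"],
}
OTP_EXPIRY_S = 180      # a code that lands after this is useless to the player
ROUTE_THRESHOLD = 0.90  # minimum delivered-in-time ratio before a route is flagged
MIN_SAMPLE = 20         # don't flag a route on a handful of attempts


class OtpDispatcher:
    """Walks the market's channel chain until a code lands before it expires."""

    def __init__(self, send):
        # send(channel, market, user_id) -> latency in seconds taken from the
        # provider's delivery receipt, or None when no receipt ever arrives.
        self.send = send
        self.stats = defaultdict(lambda: [0, 0])  # (market, channel) -> [attempts, in_time]

    def deliver(self, market, user_id):
        for channel in CHANNEL_CHAIN.get(market, CHANNEL_CHAIN["DEFAULT"]):
            rec = self.stats[(market, channel)]
            rec[0] += 1
            latency = self.send(channel, market, user_id)
            if latency is not None and latency <= OTP_EXPIRY_S:
                rec[1] += 1
                return channel
            # No receipt, or a receipt later than the expiry window: move to the
            # next channel without waiting for the player to contact support.
        return None

    def degraded_routes(self):
        """Routes whose in-time delivery ratio is below threshold: the quiet
        drop-off a platform otherwise only sees as lost registrations."""
        return sorted(key for key, (attempts, ok) in self.stats.items()
                      if attempts >= MIN_SAMPLE and ok / attempts < ROUTE_THRESHOLD)


def simulated_send(channel, market, user_id):
    # Constructed carrier behaviour: the BR SMS route loses one message in three
    # and lands another third after the code has expired; all else is prompt.
    if market == "BR" and channel == "sms":
        return (None, 240, 20)[user_id % 3]
    return 8


def run_demo(users=30):
    d = OtpDispatcher(simulated_send)
    outcome = Counter((m, d.deliver(m, u)) for m in ("BR", "NO") for u in range(users))
    return dict(outcome), d.degraded_routes()
```

In production the non-delivery signal is asynchronous (a delivery receipt that never arrives, or a code-entry timeout), so the fallback step would be driven by that event rather than a synchronous return value; the per-route ratio is the figure worth keeping alongside the KYC and AML audit records.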
What changes after that conversation is rarely the KYC stack. It is the assumption that message delivery is someone else’s problem.
The compliance team and the communications vendor rarely occupy the same conversation. That separation made sense when verification was deferred — when operators could complete KYC by first withdrawal and the OTP was simply a convenience layer. Regulations across the UK, EU, Brazil, and LATAM have systematically closed that deferral window. The UK Gambling Commission’s updated identity verification rules, which took effect in mid-2025, require verification before the first deposit or gambling session. Brazil’s 2026 enforcement posture requires real-time validation before any gambling activity begins and recurring re-authentication throughout the session. What was once a convenience layer is now a gate that regulators inspect.
Treating the communication infrastructure that operates that gate as a procurement line item is, at this point, a miscategorization. When Norway’s regulator fined Norsk Tipping over a broken app feature, the reasoning was explicit: if a safety-critical tool is inoperative, the operator is accountable. The same logic, applied to OTP delivery in a market where pre-deposit verification is mandatory, leads to a similar conclusion.
The operators I watch building robustly for this environment are doing two things. They are designing multi-channel delivery logic from the outset — not adding fallback channels reactively after a carrier incident — and they are subjecting that logic to the same documentation and audit readiness that they apply to their KYC and AML stacks. Neither step is technically complex. Both require recognizing that the communication layer is not background infrastructure. In markets where a failed verification event is also a compliance event, it is the front line.