FinTelegram has reviewed a whistleblower report indicating that Germanyโs financial watchdog BaFin has registered a case concerning Yapily Connect UAB, the Lithuanian licensed arm of the UK open-banking group Yapily. The allegations are explosive: regulated Pay by Bank infrastructure was allegedly used to process deposits for offshore casino brands targeting German players without a local licence.
If this case is realโand the materials reviewed by FinTelegram strongly suggest it isโthen BaFin is finally being forced to confront the ugly truth regulators have preferred to ignore: illegal casino schemes are no longer relying only on shady card acquirers and crypto workarounds. They are increasingly running through layered open-banking stacks, often hidden behind anonymous gateways, technical service providers, and mainstream banking interfaces.
Key Findings
- Whistleblower case at BaFin: According to materials reviewed by FinTelegram, BaFin has registered a whistleblower submission concerning Yapily Connect UAB and the alleged processing of deposits for offshore gambling platforms targeting Germany.
- Seven casino brands named: The report lists betiro.com, joocasino.com, fonbet.com, allspins1.co, bullcasino.com, jackpika.com, and theslotz1.co as examples of brands allegedly using Yapily-linked payment flows while not appearing on Germanyโs legal gambling whitelist, according to the whistleblower dossier.
- Core compliance angle: The allegations focus on two obvious pressure points: merchant screening / ongoing monitoring and AML / risk-management failures for a regulated payment initiation service provider.
- Official Yapily messaging cuts the other way: Yapily still markets open banking for iGaming, says Yapily Connect lets firms start using open banking without acquiring their own AISP or PISP licences, and publicly claims โzero toleranceโ for compliance and financial-crime risk.
- Yapily Connect UAB remains actively licensed: The Bank of Lithuania register still lists Yapily Connect UAB under authorisation LB002045 as a payment institution providing payment initiation and account information services.
- FinTelegram has documented the pattern before: Previous reporting connected Yapily-linked rails to Contiant, Klyme, Winhero, BetAlice, Mega.bet, LuckyWins, and repeated Revolut open-banking touchpoints in offshore casino flows.
- BaFin confidentiality means silence proves nothing: BaFin says its whistleblower office handles reports confidentially and checks every lead in several stages, so the absence of a public announcement does not mean the matter is inactive.
Compliance Analysis
1. A whistleblower file has now reached the German regulator
FinTelegram has reviewed a report that appears to originate from the same whistleblower who filed the matter with BaFin. The dossier alleges that Yapily Connect UAB processed or enabled payment initiation flows connected to offshore casino brands targeting German users without the required local gambling authorisation.
That matters because Germanyโs online gambling market is not a regulatory mystery. The Gemeinsame Glรผcksspielbehรถrde der Lรคnder (GGL) is the central authority for cross-state online gambling supervision and maintains a public whitelist of permitted operators. In other words, the licensing question is not hidden in a fog of legal uncertainty; regulators already provide a public framework for determining whether an operator is authorised.
If the whistleblower material is accurate, then this is not a marginal paperwork issue. It would point to a regulated payment rail being used, directly or indirectly, to funnel consumer money into gambling offers that should not have been serviced in Germany at all.
2. Yapilyโs own marketing makes the story even more uncomfortable
What makes this case especially explosive is the contrast between public messaging and the alleged payment reality.
On its official website, Yapily actively markets a solution for gaming and gambling, including the line โEverything you need to win more iGaming operators.โ On the same page, it promotes Yapily Connect as a way to โstart using open banking without the need to acquire AISP or PISP licenses.โ Separately, Yapily states in its compliance materials that it maintains โzero toleranceโ for compliance and financial-crime risk, and in a February 2026 clarification post it stressed that it operates regulated infrastructure under ongoing supervision in the UK and EU.
That is precisely why the BaFin angle is so serious. If a company markets regulated open-banking infrastructure to iGaming, and if that infrastructure then repeatedly shows up in flows for unlicensed offshore casinos, regulators cannot simply shrug and pretend the licensed player is too far removed from the merchant.
3. Yapily Connect UAB is not a ghost entity โ it is a licensed payment institution
Official records at the Bank of Lithuania show that Yapily Connect UAB remains authorised under LB002045, with a payment institution licence valid since 23 December 2020. The register shows activity in payment initiation services and account information services.
That status matters because payment initiation service providers are not decorative API vendors. They sit in a regulated position within the payment chain. Recent legal commentary on BaFinโs updated AML guidance notes that any earlier limitation on AML obligations for payment initiation service providers has been removed, meaning those firms must comply fully with applicable AML obligations.
So the central question is brutally simple: what exactly did Yapily know, what should it have known, and what did it do when repeated high-risk casino flows surfaced?
4. FinTelegram has already mapped the pattern
This BaFin case does not fall out of the sky. It lands on top of a long trail of FinTelegram reporting.
FinTelegram previously reported that Contiant, a Bulgarian technical service provider, was acting in front of Yapilyโs regulated rails and effectively piggybacking on Yapily Connect UAB to process high-risk gambling traffic. That architecture is important because it creates distance between the licensed payment initiator and the casino merchant while still using the regulated rail.
Read our reports on Contiant here.
The Winhero / Klyme case was even worse. A leaked internal email, accidentally forwarded to a complaining user, allegedly showed Yapilyโs compliance team asking partner Klyme to blacklist the whistleblower rather than suspend or seriously investigate the merchant. FinTelegram described that as compliance theatreโand the label still fits.
The BetAlice review showed another familiar multi-layer path: payment-gateway.io โ puretransfer.io โ mellifera.tech, with Paradis Tech Ltd as payee and Yapily/Wise references in the open-banking flow. Again, the pattern was not one rogue merchant but a structural rail design built for opacity.
More recently, FinTelegramโs tag coverage shows Yapily continuing to surface in cases such as Mega.bet and LuckyWins, alongside broader reporting on Revolutโs recurring role as an open-banking touchpoint in offshore casino payment paths. FinTelegramโs own Rail Atlas stresses that it does not allege Revolut knowingly enables illegal gambling; rather, its infrastructure repeatedly appears in observed paths after multiple intermediary layers.
5. So how can open-banking rails be exploited at scale without consequences?
This is the real scandal. The answer is regulatory fragmentation plus plausible deniability by design.
First, online gambling supervision and payment supervision are split. The GGL watches operators. BaFin watches financial institutions in Germany. Bank of Lithuania supervises Yapily Connect UAB as the home-state regulator. In the UK, another layer sits with the FCA. Then the end-user bank or banking interfaceโsometimes Revolutโsits further downstream. Everyone sees only part of the chain, and everyone has an incentive to say the real responsibility belongs to someone else.
Second, the layered architecture is tailor-made to frustrate supervision:
casino cashier โ anonymous gateway โ technical service provider โ regulated PISP rail โ bank consent screen โ bank account debit โ offshore operator.
Third, Pay by Bank flows are a perfect laundering interface for illegal casinos. They look clean, modern, and consumer-friendly. They bypass the familiar card-acquiring warning signs. They often come without the friction of classic chargeback dynamics. And once the payment path is buried behind domains like paywith.contiant.com or other anonymous gateways, the regulated entity can pretend it is merely providing neutral infrastructure.
Fourth, host regulators often under-enforce. BaFinโs whistleblower office may investigate every lead confidentially, but BaFin is not exactly famous for fast, aggressive, cross-border forensic work in shadow-payment structures. That is the uncomfortable background to this case. If BaFin now has a credible file and still does nothing meaningful, it will reinforce the marketโs working assumption that open-banking casino rails are effectively consequence-free.
6. What BaFin should investigate now
If BaFin wants to be taken seriously, it should not stop at reading the whistleblower file. It should ask for the full operating stack:
- the merchant onboarding files for the relevant gambling-facing clients and intermediaries;
- all due-diligence and periodic review records;
- risk scoring and escalation logs for gambling / high-risk merchants;
- transaction-monitoring alerts and internal decisions;
- the exact role of Contiant, Klyme, and any other technical service providers or white-label partners;
- the cross-border service map showing where Yapily Connect UABโs payment initiation services were actually used;
- evidence of suspicious activity reporting or escalation to competent authorities;
- the relationship between the regulated payment layer and downstream banks or interfaces repeatedly appearing in these flows.
Anything less would be window dressing.
7. The bigger implication: this is not just a Yapily story
This case could become the first real test of whether European regulators are willing to look beyond the old card-acquiring paradigm and confront the new reality: illegal casino payments now move through open-banking infrastructures, crypto on-ramps, and fake-fiat conversion rails in parallel.
FinTelegram has already shown the crypto side through cases involving ChainValley and similar structures. The Yapily/BaFin angle matters because it strikes at the more respectable-looking front endโthe regulated API layer that makes black-market gambling feel like ordinary fintech.
If BaFin follows through, this could become a precedent-setting enforcement moment. If it does not, the message to the market will be even clearer: build enough layers, add a few anonymous gateways, route through a licensed open-banking provider, and regulators will look the other way.
Conclusion
The whistleblower case against Yapily, if pursued properly, could become one of the most important test cases yet for Europeโs open-banking supervision. The central question is no longer whether offshore casinos use modern payment rails. Of course they do. The real question is whether regulators are willing to admit that regulated open-banking infrastructure has become one of the preferred highways for illegal gambling cashflows.
Yapilyโs own public positioningโas a regulated, compliance-focused provider serving iGamingโmeans this case cannot be brushed aside as a misunderstanding about generic technology. If the same names, the same gateways, and the same casino patterns keep surfacing in whistleblower files and transaction trails, then supervisors must decide whether they are supervising substance or merely licensing form.
If BaFin cannot see a problem here, then the problem is bigger than Yapily.
Whistle42 Call
FinTelegram invites whistleblowers, payment professionals, compliance officers, bank employees, former PSP staff, and affected players to submit documents, screenshots, transaction records, merchant descriptors, or internal compliance material relating to Yapily, Contiant, Klyme, Revolut open-banking flows, and offshore casino payment schemes via Whistle42. The open-banking rail story is far from over.
