The Gambling Commission published its risk assessment into money laundering and terrorist financing (the “Commission’s Risk Assessment”) on 18 December 2020. This followed HM Treasury’s and the Home Office’s National risk assessment (the “National Risk Assessment”) published the day prior, which the Commission took into account in its review.
The Commission’s Risk Assessment highlights the key risks the British gambling industry is facing, and builds on the Commission’s previous risk assessment which we commented on here.
The Commission reminds operators that under Licence Condition 184.108.40.206, licensees must “take into account any applicable learning or guidance published by the Gambling Commission”. Operators must therefore take note of the Commission’s Risk Assessment and ensure this plays a part in their considerations when reviewing their own risk assessment, policies and procedures.
When compared to the overall risk levels in the Commission’s previous risk assessment published on 26 June 2019, the only change in classification is that the risk of terrorist financing has moved from medium to low. Casinos (both remote and non-remote) and betting (non-remote, off-course) remain high risk:
The Commission notes that although the National Risk Assessment rates the overall money laundering and terrorist financing risk in the gambling sector as low, this low risk score is rated in comparison to all other regulated financial sectors. In contrast, the Commission compares the risk of each of the individual gambling sub sectors being vulnerable to money laundering and terrorist financing.
The Commission’s Risk Assessment details the existing inherent, additional inherent and emerging risks within each sub sector. Given the high risk categorisation of casinos, we set out below key risks the Commission has raised in this regard.
The Commission has previously noted its concern that operators are setting financial triggers for conducting CDD or EDD too high, and considers this to be an inherent risk within the sector. The Commission has flagged high financial triggers as a risk, and that it considers many operators are failing to consider money laundering or terrorist financing risks below this level.
The Commission also considers there to be a risk of infiltration of organised crime groups (OCGs) in remote casino and betting businesses, particularly by using ‘mule’ accounts (when money is transferred through a gambling account to break the audit trail). The Commission highlighted that vulnerable individuals or university students are often targeted.
An emerging risk is noted to be reliance on payment providers to conduct KYC checks. The Commission has previously shared guidance on reliance on third parties, and has reminded operators not to rely on payment providers to conduct these checks. The National Risk Assessment also remarked that an increasing number of casinos are using third parties for Source of Funds or Source of Wealth checks. Whilst this is permitted under the Money Laundering Regulations 2017, The National Risk Assessment warned that casinos should not forget that they retain ultimate responsibility, and as such, it is crucial to ensure that any third party used is competent.
The Commission highlighted cryptoassets as an emerging risk, with some operators now accepting cryptoassets as payment, and reminded operators to review their risk assessments to ensure they are up to date. The National Risk Assessment also warned of the vulnerabilities of cryptoassets, as the origin of these funds can be more easily disguised.
The ability for customers to use gambling apps, whilst being more convenient for customers, presents a risk for operators. The Commission highlighted that risks with ‘bring your own devices’ include: transactions being carried out without undertaking KYC checks; transactions not being monitored in real time; the anonymity of customers; and ‘smurfing’ (a money laundering method whereby a customer will, to avoid suspicion, make many low-level transactions).
The Commission highlighted that casinos offering money service businesses (“MSBs”), such as cheque cashing or foreign currency exchange, needed to be particularly aware of their obligations. Such casinos should ensure that curiosity as to a customer’s source of funds is maintained and a risk-based approach in place. The National Risk Assessment noted that criminals may consider MSBs an attractive route due to a perception that there are fewer checks in place, particularly if they are already known to the casino.
The overall risk rating for terrorist financing in gambling has moved from medium to low (since the Commission’s previous risk assessment).
The National Risk Assessment noted that gambling is not considered to be an attractive method for terrorist financing, and there is limited evidence to show that the gambling sector is being used for these purposes. However, the Commission noted that operators must still be alert to the risks, including in relation to large cash transactions, the use of mule accounts and moving funds using MSBs. The Commission also warned operators to watch out for ‘red flag’ indicators, including a customer’s spending being inconsistent with their occupation, using multiple foreign bank accounts, smurfing, using MSBs and suspicious words/phrases known to be related to terrorist ideology.
The Commission’s Risk Assessment highlights the key risks that the gambling industry is currently facing in relation to money laundering and terrorist financing. It is crucial for operators to take note of these risks and revise their own risk assessments where appropriate. In addition, and in line with Licence Condition 220.127.116.11, licensees must “ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective”.
The Commission, in its October 2020 enforcement action, criticised BGO Entertainment Limited and Games Account Network PLC (which we reported on here) for failing to have adequate risk assessments in place, and not taking into account of the Commission’s guidance (including their own risk assessment). More recently, in March 2021, in a review of In Touch Games Limited’s operating licence, the Commission found that the operator had failed to conduct an appropriate risk assessment, as they did not take into account the risk of customers using payment providers which also act as a cryptocurrency exchange. Operators must reflect on the learnings and updated risks from the Commission’s Risk Assessment and ensure that these are taken into account to mitigate risk within their own business.