Skip to main content

The prevention of money laundering and combating the financing of terrorism

Identifying and assessing the risks

2.8 The Regulations require casino operators to take appropriate steps, taking into account the size and nature of its business, to identify and assess the risks of money laundering and terrorist financing to which its business is subject, taking into account:

  • information on the risks of money laundering and terrorist financing made available to them by the Commission
  • risk factors, including factors relating to:
    • its customers
    • the countries or geographic areas in which it operates
    • its products or services
    • its transactions
    • its delivery channels (Regulation 18(1), (2) and (3)).

2.9 Casino operators must:

  • keep an up-to-date record in writing of all the steps taken to identify and assess the risks of money laundering and terrorist financing to which its business is subject
  • provide the written record, the risk assessment it has prepared and the information on which it was based to the Commission on request (Regulation 18(4) and (6)).

2.10 The casino operator should assess its risks in the context of how it is most likely to be involved in money laundering, criminal spend or terrorist financing. Assessment of risk is based on a number of questions, including:

  • What risk is posed by the business profile and customers using the casino?
  • What risk is posed to the casino operator by transactions with business associates and suppliers, including their beneficial ownership and source of funds?
  • Is the business high volume consisting of many low spending customers?
  • Is the business low volume with high spending customers, perhaps who use and operate within their cheque cashing facilities?
  • Is the business a mixed portfolio? Are customers a mix of high spenders and lower spenders and/or a mix of regular and occasional customers?
  • Are procedures in place to monitor customer transactions across outlets, products and platforms and to mitigate any money laundering potential?
  • Is the business local with regular and generally well-known customers?
  • Are there a large proportion of overseas customers using foreign currency or overseas based bank cheque or debit cards?
  • Are customers likely to be individuals who hold public positions (PEPs)?
  • Are customers likely to be engaged in a business which involves significant amounts of cash?
  • Are there likely to be situations where the source of funds cannot be easily established or explained by the customer?
  • Are there likely to be situations where the customer’s purchase or exchange of chips is irrational or not linked with gaming?
  • Is the majority of business conducted in the context of business relationships?
  • Is there a local clustering of gambling outlets which makes it easier for a person to launder criminal proceeds over multiple venues and products?
  • Does the customer have multiple or continually changing sources of funds (for example, multiple bank accounts and cash, particularly where this is in different currencies or uncommon bank notes)?
  • Does the customer have multiple or changing addresses?
  • Has the customer ever presented a fraudulent identity document or failed to provide an identity document repeatedly on request?
  • Does the customer’s behaviour follow a pattern or is it constantly changing or did it change suddenly recently?
  • In relation to remote gaming, does the customer use shared internet protocol addresses, dormant accounts or virtual private network (VPN) connections? (Among other things, this could indicate that a group of people are using the same device or location to gamble for the purposes of committing fraud).

As noted in paragraph 1.44, operators should also give due consideration to the money laundering risks posed by their business-to-business relationships, including any third parties they contract with. The assessment of these risks is based, among other things, on the risks posed to the operator by transactions and arrangements with business associates and third-party suppliers such as payment providers and processors, including their beneficial ownership and source of funds. Effective management of third-party relationships should assure operators that the relationship is a legitimate one, and that they can evidence why their confidence is justified. (An example of good practice guidelines on conducting third party due diligence can be found at:

Next chapter: Risk assessments