Remote enforcement public statement – lessons to be learned
In 2017 our Compliance teams undertook a series of assessments focussed on the measures that remote gambling operator should have in place to prevent money laundering and terrorist financing and, in particular, their compliance with the following legislation and licence conditions:
- Licence condition 12.1 Prevention of money laundering and terrorist financing
- The Proceeds of Crime Act 2002 (POCA) and Terrorism Act 2000 (TACT).
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the Regulations).
In carrying out those assessments Commission officials also identified action that needed to be taken in respect of social responsibility (SR) code breaches. The failings raised significant concerns about the effectiveness of the management and mitigation of risks to the licensing objectives in the remote casino sector.
Lessons to be learned
Based on our investigations to date, common failings by the remote gambling operators included:
- Failure to conduct an appropriate assessment of ongoing and emerging risks of money laundering and terrorist financing and implement policies, procedures and controls which manage the identified risks effectively.
- Failure to introduce measures for customer due diligence, ongoing monitoring of customers, and enhanced customer due diligence which are sufficiently business or external risk-focused (including considering lessons from previous casework). Failure to implement internal controls and monitoring systems relevant to the size and complexity of the business, including the number of customers and their profile (such as jurisdictional risk) and the variety and type of products and services provided.
- Failure to keep adequate records of responsible customer interactions and engagement.
- Failure to provide staff with appropriate training to ensure that they are aware of, and know how to deal with, transactions, activities or situations which may be related to money laundering or terrorist financing.
- Failure to put into effect policies and procedures which make specific provision for the use of all relevant sources of information where there are concerns that a customer’s behaviour may indicate problem gambling.
Summary of evidence following compliance assessment findings
Breaches of Licence condition 12.1.1 Anti-money laundering - Prevention of money laundering and terrorist financing/The Regulations
Risk assessment - Licence condition 184.108.40.206 requires an operator to conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic, or any other material changes, and in any event reviewed at least annually.
Furthermore, completion of a money laundering and terrorist financing risk assessment has been a requirement of most operating licences since October 2016. There is guidance on risk assessments in The Prevention of Money Laundering and Combating the Financing of Terrorism - Guidance for remote and non-remote casinos and Proceeds Of Crime Act 2002 Part 7 - Money Laundering Offences.
An appropriate money laundering and terrorist financing risk assessment allows operators to focus their efforts and resources where the risks are highest and to raise standards in financial crime risk management. This will enable the general and specific money laundering and terrorist financing risks an operator is facing to be identified, determining how these risks are mitigated by the operator’s AML programme and controls, and establishing the residual risks that remain for the PMLs who are responsible for ensuring that the Licensee implements and adheres to the LCCP, AML controls and obligations. The Commission believes that PMLs also bear responsibility for some of the failures identified.
Licence condition 220.127.116.11 requires operators to implement policies, procedures and controls to mitigate money laundering and terrorist financing risk. Failure to comply with this licence condition puts the licensing objective of preventing gambling from being a source of crime or disorder, being associated with crime or disorder, or being used to support crime at risk. It is also a breach of Regulation 19 of the Regulations (Policies, controls and procedures).
Customer due diligence (CDD)/Enhanced customer due diligence (EDD) - Casino operators are required to conduct CDD when they establish a business relationship with a customer, suspect money laundering or terrorist financing or doubt the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification.
Casino operators must also apply CDD measures in relation to any transaction that amounts to €2,000 or more, whether the transaction is executed in a single operation, or in several operations which appear to be linked. In addition, they must also apply enhanced due diligence (EDD) where a customer presents a higher risk of money laundering or terrorist financing.
In our initial assessments the Commission found a lack of evidence of ongoing monitoring of customer accounts, which is a breach of regulation 28(11) (Customer due diligence measures) of the Regulations. We are concerned that where ongoing monitoring of customer accounts is not proactively undertaken, both money laundering and/or social responsibility issues will go unreported.
Training - Casino operators must ensure that employees receive sufficient training in relation to anti money laundering and counter terrorist financing. This includes understanding the requirements of the Regulations, the Terrorism Act 2000, the Proceeds of Crime Act 2002 (POCA), and General Data Protection Regulation (GDPR) and how to apply the operator’s policies, procedures and controls effectively, including the requirements for CDD, EDD and record keeping and the submission of suspiciousactivity reports(SARs). Operators must maintain records of training provided to employees. Failure to provide adequate training and maintain appropriate records of training is a breach of Regulation 24 (Training) of the Regulations and therefore a breach of Licence condition 12.1.2.
During the assessments, whilst Money Laundering Reporting Officers (MLRO’s) frequently confirmed that they had industry experience within payments and fraud, in some cases the MLROs were not in possession of formal AML/TF qualifications relevant to UK legislation. It was of real concern that some MLROs were unable to provide suitable explanations as to what constitutes money laundering and terrorist financing and had no understanding of the main principles under POCA. Across all businesses there was a lack of understanding of how criminal spend could affect the business.
SARs/decision making – We found little evidence of effective considerations given to SAR submissions to the National Crime Agency (NCA) or equivalent local Financial Intelligence Unit (FIU). The Commission receives reports from the UK FIU and notes that in feedback to operators they often conclude that there was insufficient information provided within the SAR to conduct an in-depth analysis of the money laundering or terrorist financing risk. We saw evidence within operators’ records that they had assumed that the FIU had approved the ongoing business relationship and had therefore incorrectly decided that they did not need to undertake further monitoring of the business relationships.
In particular operators and PML’s need to be aware of the Defence Against Money Laundering (DAML) regime, whereby they can request from the National Crime Agency (NCA) where they have suspicion that property they intend to deal with is in some way criminal, and that by dealing with it they risk committing one of the principal money laundering offences under the Proceeds of Crime Act 2002 (POCA).
In some cases, MLROs had neither made nor kept any note of specific cases or referrals and there were no documented risk assessments. There was also a lack of understanding as to what constitutes ‘tipping off’ under section 333A of POCA.
Failed to comply with a code of practice issued under Section 24 of the Gambling Act 2005- Social responsibility (SR) code provision 18.104.22.168 (e) (i) & 22.214.171.124 (e) (ii).
Compliance with a social responsibility code provision (SRCP) is a condition of the Licence by virtue of Section 82(1) of the Act.
SR code provision 126.96.36.199(e) states ‘’licensees mustput into effect policies and procedures for customer interactions where they have concerns that a customer’s behaviour may indicate problem gambling’’. The policies must include specific provision for making use of all relevant sources of information to ensure effective decision making, and to guide and deliver effective customer interactions, including in particular:
- provision to identify at risk customers who may not be displaying obvious signs of, or overt behaviour associated with, problem gambling: this should be by reference to indicators such as time or money spent
- specific provision in relation to customers designated by the licensee as ‘high value’, ‘VIP’ or equivalent.
We reviewed a large number of customer accounts during the assessments and identified potential signs of problem gambling based on consumers’ gambling pattern and spend. In many cases however this behaviour did not trigger a customer interaction.
Customer account records did not show any evidence of customer interactions taking place and operators were of the view that these customers did not raise any concerns. As a result, we have made findings that licensees were in breach of social responsibility code provision 188.8.131.52(e) (i) customer interaction.
Personal Management Licences
We have frequently signalled to the industry that we expect Personal Management Licence Holders to play a central role in ensuring that gambling operators meet the standards we expect.
So far, as part of this review, we have taken action against nine PML holders – four have received a warning, we have accepted the surrender of a further three, and two have been issued with Advice as to Conduct notices. Three PMLs are still subject of ongoing investigation.
Our investigation continues and any further action taken against PML holders will also be published in our sanctions register.
We have discovered a number of failings in the actions of PML holders and in order to avoid regulatory action all PML holders are reminded that they are subject to a number of conditions under section 75 of the Gambling Act 2005 which include:
Personal licence holders must take all reasonable steps to ensure that the way in which they carry out their responsibilities in relation to licensed activities does not place the holder of the operating or any relevant premises licence in breach of their licence conditions. Personal licence holders must keep themselves informed of developments in gambling legislation, codes of practice and any Commission guidance (whether issued on the Commission website or communicated direct to licence holders) relevant to their role. Holders of personal management licences must keep their technical competence in respect of their licensed activities up to date. In particular, the Commission expects PML holders to
- uphold the licensing objectives and ensure compliance of operators with the LCCP
- organise and control their affairs responsibly and effectively
- have adequate systems and controls to keep gambling fair and safe
- conduct their business with integrity
- act with due care, skill and diligence
- maintain adequate financial resources
- have due regard to the interest of consumers and treat them fairly
- have due regard to the information needs of consumers and communicate with them in a way that is clear, not misleading, and allows them to make an informed judgment about whether to gamble
- manage conflicts of interest fairly
- disclose to the Commission anything which the Commission would reasonably expect to know
- work with the Commission in an open and cooperative way
- comply with both the letter and spirit of their licence, the licence of their operator, and associated Commission regulations.
PML holders are responsible for ensuring that the Licensee implements and adheres to the LCCP and Regulatory obligations including AML controls. PML holders retain responsibility for compliance with their own licence obligations - they are not excused by virtue of the actions or inaction of line management, nor by delegating responsibility for their functions to another person without exercising adequate oversight.