The prevention of money laundering and combating the financing of terrorism
3 - Risk assessments
A money laundering and terrorist financing risk assessment is a product or process based on a methodology, agreed by the parties involved, that attempts to identify, analyse and understand money laundering and terrorist financing risks. It serves as the first step in addressing the risks and, ideally, involves making judgments about threats, vulnerabilities and consequences.
Risk is a function of three factors
Persons, or groups of people, objects or activities with the potential to cause harm, including criminals, terrorist groups and their facilitators, their funds, as well as past, present and future money laundering or terrorist financing activities.
Things that can be exploited by the threat or that may support or facilitate its activities and means focussing on the factors that represent weaknesses in AML or CTF systems or controls or certain features of a country, particular sector, financial product or type of service that make them attractive for money laundering and terrorist financing.
This refers to the impact or harm that money laundering or terrorist financing may cause, including the effect of the underlying criminal and terrorist activity on financial systems and institutions, the economy and society more generally.
The key to any risk assessment is that it adopts an approach that attempts to distinguish the extent of different risks to assist with prioritising mitigation efforts, rather than being a generic box-ticking exercise.
The risk assessment process should consist of the following standard stages:
The identification process begins by developing an initial list of potential risks or risk factors when combating money laundering and terrorist financing. Risk factors are the specific threats or vulnerabilities that are the causes, sources or drivers of money laundering and terrorist financing risks. This list will be drawn from known or suspected threats or vulnerabilities. The identification process should be as comprehensive as possible, although newly identified or previously unidentified risks may also be considered at any stage in the process.
Analysis involves consideration of the nature, sources, likelihood, impact and consequences of the identified risks or risk factors. The aim of this stage is to gain a comprehensive understanding of each of the risks, as a combination of threat, vulnerability and consequence, in order to assign a relative value or importance to each of them. Risk analysis can be undertaken with varying degrees of detail, depending on the type of risk, the purpose of the risk assessment, and the information, data and resources available.
The evaluation stage involves assessing the risks analysed during the previous stage to determine priorities for addressing them, taking into account the purpose established at the beginning of the assessment process. These priorities can then contribute to development of a strategy for the mitigation of the risks.
Money laundering and terrorist financing risks may be measured using a number of factors. Application of risk categories to customers and situations can provide a strategy for managing potential risks by enabling casino operators to subject customers to proportionate controls and monitoring.
The standard risk categories used by FATF for casinos are:
- country or geographic risk
- customer risk
- transaction risk.
Casinos should also consider the risks posed by particular products they offer.34
Country and geographic risk
Some countries pose an inherently higher money laundering and terrorist financing risk than others. In addition to considering their own experiences, casino operators should take into account a variety of other credible sources of information identifying countries with risk factors in order to determine that a country and customers from that country pose a higher risk. Casino operators may wish to assess information available from FATF and non-governmental organisations which can provide a useful guide to perceptions relating to corruption in the majority of countries.
Customers that are associated with higher risk countries, as a result of their citizenship, country of business or country of residence may present a higher money laundering and terrorist financing risk, taking into account all other relevant factors. Remote casinos should check customer location because of the additional risks which arise from cross-border operations. The country or geographic risk can also be considered in conjunction with the customer risk.
Determining the potential money laundering and terrorist financing risks posed by a customer, or category of customers, is critical to the development and implementation of an overall risk-based framework. Based on its own criteria, a casino should seek to determine whether a particular customer poses a higher risk and the potential impact of any mitigating factors on that assessment. Application of risk variables may mitigate or exacerbate the risk assessment.
Categories of customers whose activities may indicate a higher risk include:
- customers who are PEPs, family members of PEPs or known close associates of PEPs
- high spenders – the level of spending which will be considered to be high for an individual customer will vary among casino operators, and among casinos managed by the same operator
- disproportionate spenders – casino operators should obtain information about customers’ financial resources so that they can determine whether customers’ spending is proportionate to their income or wealth
- casual customers – this includes tourists, participants in junkets and local customers who are infrequent visitors
- regular customers with changing or unusual spending patterns
- improper use of third parties – criminals may use third parties or agents to avoid CDD undertaken at the threshold or to buy chips, or they may be used to gamble so as to break up large amounts of cash
- junkets – junkets can pose several higher risks, including criminal control of the junket operator or participants, the movement of funds across borders which obscures the source and ownership of the money gambled by participants and their identities, and structuring, refining and currency exchange risks
- multiple player accounts – some customers will open multiple player accounts under different names to hide their spending levels or to avoid breaching the CDD threshold
- unknown or anonymous customers – these customers may purchase large amounts of chips with cash at casino tables, and then redeem the chips for large denomination notes after minimal or no play.
Transaction risk including means of payment
Casinos should consider operational aspects (products, services, games, accounts and account activities) that can be used to facilitate money laundering and terrorist financing.
Land-based and remote casinos also have the following potential transaction risks:
- proceeds of crime – there is a risk that the money used by a customer has been gained through criminal activity, so greater monitoring of high spenders will help to mitigate the risk
- cash – customers may use non-remote casinos to exchange large amounts of criminal proceeds, or may deposit criminal proceeds into an internet gambling account at a non-remote casino
- transfers between customers – customers may transfer money between themselves or may borrow money from unconventional sources, including other customers, which can offer criminals an opportunity to introduce criminal proceeds into the legitimate financial system through the casino
- use of casino deposit accounts – criminals may use accounts to deposit criminal proceeds and then withdraw funds with little or no play
- redemption of chips, tickets or tokens for cash or cheque, particularly after minimal or no play.
Particularly in remote casinos:
- multiple gambling accounts or wallets – customers may open multiple accounts or wallets with an operator in order to obscure their spending levels or to avoid CDD threshold checks
- changes to bank accounts – customers may hold several bank accounts and regularly change the bank account they use for the remote casino operator
- identity fraud – details of bank accounts may be stolen and used on remote gambling websites, or stolen identities may be used to open bank accounts or remote gambling accounts
- pre-paid cards – these cards pose the same risks as cash, as remote casino operators normally cannot perform the same level of checks on the cards as they can on bank accounts
- e-wallets – some e-wallets accept cash on deposit or cryptocurrencies, which pose a higher risk, and some customers may use e-wallets to disguise their gambling
- games involving multiple operators – for example, poker games often take place on platforms shared by a number of remote gambling operators, which can facilitate money laundering by customers, such as chip dumping.
Product risk includes the consideration of the vulnerabilities associated with the particular products offered by the casino operator. In non-remote casinos there are a number of gambling opportunities that offer the potential for a money launderer to place funds and generate a winning cheque or similar with minimal play. These are more fully discussed in transaction risk including means of payment and include the use of cash and casino deposit accounts, and the redemption of chips. Also, a number of gambling activities take place in remote and non-remote casinos where customers effectively play against each other. This offers the money launderer a means to transfer value by deliberately losing to the individual to whom they want to transfer the funds.
Products which may pose a money laundering risk for the casino operator include:
- peer to peer gaming
- gaming where two or more persons place opposite, equivalent stakes on even, or close to even, stakes. For example, the same stake on red and on black in a game of roulette, including electronic roulette
- gaming machines which can be used to launder stained or fraudulent bank notes.
The risk categories or factors described previously are not intended to be prescriptive or comprehensive. They will not apply universally to all casino operators and, even when they are present, there may be different risk outcomes for different operators and premises, depending upon a host of other factors. However, the factors are intended as a guide to help casino operators conduct their own risk assessments, and to devise AML or CTF policies, procedures and controls which accurately and proportionately reflect those assessments.
The weight given to the risk factors used by the casino operator in assessing the overall risk of money laundering and terrorist financing, both individually or in combination, may vary from one operator or premises to another, depending on their respective circumstances. Consequently, casino operators also must make their own determination as to the weight given to risk factors.
Risk levels may be impacted by a number of variables
These will also have an impact on the preventative measures necessary to tackle the risks in a proportionate manner.
These variables include:
- whether the casino operator’s business model is focused on attracting a large number of customers who gamble relatively small amounts
- whether the casino operator’s business model is focused on attracting a small number of customers who gamble relatively large amounts
- speed and volume of business
- for non-remote casinos, the size of the premises
- the customer profile, for example whether the majority of customers are regular visitors or are members
- the customer profile, for example whether the casino relies on passing trade, including tourists or those who are part of junkets (for non-remote casinos)
- for non-remote casinos, whether the casino has VIP rooms or other facilities for high rollers
- types of financial services offered to customers
- types of customer payments and payment methods
- types of gambling products offered
- the customers’ gambling habits
- staffing levels and staff experience and turnover
- the type and effectiveness of existing gambling supervision measures and mechanisms
- whether the casino operator owns or manages other non-remote and remote casinos
- whether the casino operator offers different types of gambling
- whether the casino operator has other internet gambling websites
- whether the casino is standalone or integrated with other leisure facilities
- whether the casino operator is based in one country or has a gambling presence in multiple countries.
Higher level of risk
Deciding that a customer presents a higher risk of money laundering or terrorist financing does not automatically mean that the person is a criminal, money launderer or terrorist financier. Similarly, identifying a customer as presenting a low risk of money laundering or terrorist financing does not mean that the customer is definitely not laundering money or engaging in criminal spend. Employees therefore need to remain vigilant and use their experience and common sense in applying the casino operator’s risk-based criteria and rules, seeking guidance from their nominated officer as appropriate.
Many customers carry a lower money laundering or terrorist financing risk. These might include customers who are regularly employed or who have a regular source of income from a known source which supports the activity being undertaken. This applies equally to pensioners, benefit recipients, or to those whose income originates from their partner’s employment or income.
Conversely, many customers carry a higher risk of money laundering. These may include known criminals, customers who are not regularly employed or who do not have a regular source of income from a known source which supports the level of activity being undertaken, or problem gamblers.
A drug dealer, whose only legitimate source of income for ten years was state benefits, spent more than £1 million in various gambling establishments over the course of two years, and lost some £200,000. All the transactions appeared to involve cash.
A grandparent with no previous gambling history, on a state pension, began to make weekly bets of about £100. Investigations later revealed that the grandparent was placing the bets on behalf of a grandson, a known criminal, and that the money spent was the proceeds of his criminal activity.
Multiple sources of funds
An individual was in receipt of state benefits with no other apparent form of income, but then gambled significant amounts through a licensed operator. Deposits of over £2 million were made to an online gambling account over the course of about two years from multiple sources, such as debit card and credit card, and various e-money and e-wallet services. Investigations revealed that their gambling was funded by criminal activity.
Multiple gambling transactions
Over an extended period, an individual who claimed to be a gambling addict stole equipment worth a substantial amount of money from their employer and resold it for their own gain. They then used most of these criminal proceeds to gamble, depositing almost £6 million into an online gambling account and losing almost £5 million, involving about 40,000 individual gambling transactions. The individual remained in employment throughout this period.
Large volumes of cash
A customer spent a large volume of cash at a casino, including a significant quantity of Northern Irish and Scottish bank notes. The customer told staff that the cash came from restaurants and takeaway food establishments that they ran around the UK. This explanation was accepted at face value by the staff. However, in reality the customer did not own any legitimate businesses and was later convicted of money laundering offences arising from criminal activity.
Where a customer is assessed as presenting higher risk, additional information in respect of that customer should be collected. This will help the casino operator judge whether the higher risk that the customer is perceived to present is likely to materialise, and provide grounds for proportionate and recorded decisions. Such additional information should include an understanding of where the customer’s funds and wealth have come from. While the Commission recognises that some relationships with customers will be transient or temporary in nature, casino operators still need to give consideration to this issue.
If casinos adopt the threshold approach to CDD, part of the risk-based approach will involve making decisions about whether or when verification should take place electronically. Casino operators must determine the extent of their CDD measures, over and above the minimum requirements, on a risk-sensitive basis depending on the risk posed by the customer and their level of gambling.
In order to be able to detect customer activity that may be suspicious, it is necessary to monitor all transactions or activity35 The monitoring of customer activity should be carried out using the risk-based approach. Higher risk customers should be subjected to a frequency and depth of scrutiny greater than may be appropriate for lower risk customers. Casino operators should be aware that the level of risk attributed to customers may not correspond to their commercial value to the business.
Casino operators are best placed to identify and mitigate risks involved in their business activity. A crucial element of this is to have systems and controls to identify and link player activity, and for senior management to oversee risk management and determine whether their policies, procedures and controls are effective in design and application. Reliance on third parties to conduct risk assessment and management functions does not relieve the operator of its responsibility to assess and manage its own risks. Third party services should not be used in isolation or relied upon solely, and casino operators should be satisfied that the information supplied by the third party is sufficiently detailed, reliable and accurate.
There is a risk that customers will place and layer criminal proceeds through gambling transactions. We recommend that one way of mitigating this risk is to link the pay out of winnings with the means by which a customer pays for gambling transactions. We acknowledge that this will not eliminate the risk, but returning winnings in the same form, for example in cash or back to the same bank account, limits the opportunity for a money launderer to layer the proceeds of criminal activity. Where it is not feasible to return funds to the source or in the same form, casino operators should have controls in place to manage the risk of money laundering or terrorist financing occurring in these circumstances.
34 The risk categories used by the Commission in Money laundering and terrorist financing risk within the British gambling industry are customer, product and means of payment (as well as operator controls, and licensing and integrity controls). Regulation 18 of the Regulations require casinos to take into account risks factors, including factors in relation to their customers, the countries or geographic areas in which they operate, their products or services, transactions and delivery channels.
35 Regulation 8.
Identifying and assessing the risks Next section
Dynamic risk management
Last updated: 12 July 2023
Show updates to this content
Formatting issues corrected.