Cookies on the Gambling Commission website

The Gambling Commission website uses cookies to make the site work better for you. Some of these cookies are essential to how the site functions and others are optional. Optional cookies help us remember your settings, measure your use of the site and personalise how we communicate with you. Any data collected is anonymised and we do not set optional cookies unless you consent.

Set cookie preferences

You've accepted all cookies. You can change your cookie settings at any time.

Skip to main content


The prevention of money laundering and combating the financing of terrorism

Gambling Commission guidance for remote and non-remote casinos: Fifth edition (Revision 3).

  1. Contents
  2. Part 6 - Customer due diligence
  3. 2 - Risk-based customer due diligence and risk profiling

2 - Risk-based customer due diligence and risk profiling

Customer risk assessments or customer risk profiling will be informed by the operator’s money laundering or terrorist financing or proliferation financing risk assessment. The operator should assess the extent to which a particular customer triggers the risk factors considered in the risk assessment and graduate the risk profile of the customer accordingly.

This allows operators to take a risk-based approach to customer due diligence, with measures being proportionate to their risk rating. The information that is collected at the commencement of the business relationship with the customer will enable the operator to determine the level of risk associated with the customer and, in turn, the initial and ongoing customer due diligence and monitoring that is required.

Operators will need to consider:

  • who the customer is
  • what they do, where they live and do business
  • the nature of the product or service they require.

Full details of the source of funds to be used in the relationship will also need to be established using a risk-based approach.

The objective of risk-based customer due diligence is to ensure that, as the risks within the business relationship increase, so the level of information obtained and verified increases proportionally.

Risk profiling

The operator should have a policy that is graduated to reflect the risk of the customer. Any risk profiling should also include screening for politically exposed persons (PEPs) and sanctioned persons.

Operators are reminded that sanctions legislation prohibits doing business with sanctioned persons, and PEPs are considered high risk under UK AML legislation72.

Higher-risk customers

The authority for signing off new customers should be graduated according to risk. Higher-risk customers should always be escalated to senior management. There is also an expectation that firms will have systems in place to monitor customer behaviours and amend customer risk ratings accordingly. For example, a customer may initially be assessed as low risk but may later display activity which moves them to a high risk category.

For those customers rated as high risk, either initially or later in the business relationship, the firm will need to conduct mandatory enhanced customer due diligence73. This means employing additional measures, including approval from senior management for the business relationship, and conducting enhanced ongoing monitoring.

For some types of higher-risk accounts and relationships the customer’s source of wealth will also need to be established

Source of wealth checks are mandatory for PEPs74 and in the case of business relationships with customers situated in high-risk third countries or transactions where either of the parties to the transaction are resident in a high-risk third country75.

Lower-risk customers

For those customers assessed as low risk, the firm can conduct simplified customer due diligence. Those customers who are medium risk should undergo standard customer due diligence.


72Regulation 35.
73Regulation 35.
74Regulation 35(5).
75Regulation 33(3A).

Previous section
Next section
Customer due diligence requirements
Is this page useful?
Back to top