Cookies on the Gambling Commission website

The Gambling Commission website uses cookies to make the site work better for you. Some of these cookies are essential to how the site functions and others are optional. Optional cookies help us remember your settings, measure your use of the site and personalise how we communicate with you. Any data collected is anonymised and we do not set optional cookies unless you consent.

Set cookie preferences

You've accepted all cookies. You can change your cookie settings at any time.

Skip to main content


The prevention of money laundering and combating the financing of terrorism

Gambling Commission guidance for remote and non-remote casinos: Fifth edition (Revision 3).

  1. Contents
  2. Part 6 - Customer due diligence
  3. 4 - Customer due diligence measures

4 - Customer due diligence measures

CDD measures consist of:

  • identifying the customer, unless the identity of the customer is known to, and has been verified by, the casino operator
  • verifying the customer’s identity, unless the customer’s identity has already been verified by the casino operator
  • where there is a beneficial owner who is not the customer, identifying the beneficial owner and taking reasonable measures to verify the identity of the beneficial owner so that the casino operator is satisfied that it knows who the beneficial owner is
  • assessing and, where appropriate, obtaining information on the purpose and intended nature of the business relationship.83

Where a person claims to act on behalf of a customer (such as an agent), the casino operator must:

  • verify that the person is authorised to act on the customer’s behalf
  • identify the person
  • verify the person’s identity on the basis of documents or information which, in either case, is obtained from a reliable source which is independent of both the person and the customer.84

For the purposes of CDD, 'verify' means verifying on the basis of documents or information which, in either case, have been obtained from a reliable source which is independent of the person whose identity is being verified. Documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the casino operator by, or on behalf of, that person.85

Information may be regarded as 'obtained from a reliable source which is independent of the person whose identity is being verified' where:

  • it is obtained by means of an electronic identification process, including by using electronic identification means or by using a trust service86, and
  • that process is secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity.87

These requirements apply to customers of both remote and non-remote casinos. Aside from these checks being a statutory requirement in the Regulations, they also help casino operators to avoid the commission of criminal offences under POCA.

The Regulations define casino as 'the holder of a casino operating licence'.88 The holder of a casino operating licence does not need to repeat CDD if a customer visits another casino operated by that licensee. CDD records held by a casino operator will need to be available across the operator’s different casino premises and the policies and procedures must include details of how the operator will manage this. Casino operators should note that CDD is ongoing and may need updating for changes in the customer’s circumstances and personal details.

The ways in which a casino operator meets the requirements for CDD and the extent of the measures it takes must reflect the risk assessment it has carried out, and its assessment of the level of risk arising in any particular case. This may differ from case to case.89

In assessing the level of risk arising in a particular case, casino operators must take account of factors including, among other things:

  • the purpose of a customer account, transaction or business relationship
  • the amount deposited by a customer or the size of the transactions undertaken by the customer
  • the regularity and duration of the business relationship.90

A casino operator is not required to continue to apply CDD measures in respect of a customer where all of the following requirements are met:

Casino operators should satisfy themselves that the sources of information employed to carry out CDD checks are suitable to mitigate the full range of risks to which they might be exposed, and these would include money laundering and social responsibility risks. For example, local or open source information, such as press reports, may be helpful in carrying out these checks. However, operators should ensure that they are not placing an overreliance on one source of information to conduct these checks.


Casino operators must be able to demonstrate to the Commission that the extent of the CDD measures they take are appropriate in view of the risks of money laundering and terrorist financing, including risks:

  • identified by the operator’s risk assessment
  • identified by the Commission and in information made available by the Commission.92


83Regulation 28.
84Regulation 28(10).
85Regulation 28(18).
86Within the meanings those terms have in Regulation 2014/910/EU of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic communications in the internal market.
87Regulation 28(19).
88Regulation 14(1)(b).
89Regulation 28(12).
90Regulation 28(13).
91Regulation 28(15).
92Regulation 28(16).

Previous section
Customer due diligence requirements
Next section
Timing of verification
Is this page useful?
Back to top