Cookies on the Gambling Commission website

The Gambling Commission website uses cookies to make the site work better for you. Some of these cookies are essential to how the site functions and others are optional. Optional cookies help us remember your settings, measure your use of the site and personalise how we communicate with you. Any data collected is anonymised and we do not set optional cookies unless you consent.

Set cookie preferences

You've accepted all cookies. You can change your cookie settings at any time.

Skip to main content
  1. Home
  2. Licensees and businesses

Anti-money laundering and counter-terrorist financing casino casework trends: October 2025

This bulletin sets out common trends the Gambling Commission has identified during recent compliance and enforcement activity.

Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the Regulations), the Commission is required to adopt a risk-based approach to the supervision of casinos. Sharing information to ensure that casino operators are compliant with the Regulations, is a key part of our approach.

Licence condition 12.1.1(3) also requires operators to ensure that their policies, procedures and controls are implemented effectively and take into account any applicable learning or guidelines published by the Commission. Therefore, this bulletin should be used as a prompt for operators to review their money laundering and terrorist financing (MLTF) risk assessments and related policies, procedures and controls to ensure that they remain up-to-date, appropriate and effective.

The bulletin should be read in conjunction with the Commission’s AML guidance document for casinos.

Contents

The bulletin consists of the following sections:

Money laundering and terrorist financing risk assessments

Issue 1: insufficient consideration of relevant risks

We have seen cases where operators have not followed a sufficiently risk-based approach when compiling their money laundering and terrorist financing (MLTF) risk assessments, because they have not considered all relevant risks associated with their operation, including those within the Gambling Commission’s risk assessment and our emerging risks bulletins.

Action

As set out in Regulation 18(1) (opens in new tab) operators must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which the business is subject to. As set out in paragraph 2.4 of our guidance, the risk-based approach involves the following steps:

  1. Identify the MLTF risks that are relevant to the operator.
  2. Design and implement policies, procedures and controls to manage and mitigate these assessed risks.
  3. Monitor and improve the effective operation of these controls.
  4. Record what has been done, and why.

When preparing MLTF risk assessments, operators must review all areas of the Commission’s risk assessment that are relevant to their licensed activity or activities. Operators must then review each of the individual risks in that area and consider how these relate to their specific business. Additionally, licensees must consider the risks shared by the Commission in its emerging risks bulletins. There are also a number of high-risk factors listed in Regulation 33(6), and discussed in paragraph 6.33 of our guidance, that must be taken into account.

As well as the risks discussed in Commission publications, as per Regulation 18(2)(b) of the Regulations (discussed in paragraph 2.9 of our guidance), licensees should also consider other key MLTF risks that their businesses could reasonably be exposed to, relating to:

  • their customers
  • the countries or geographic areas in which they operate
  • their products or services
  • transactions
  • delivery channels.

As required by licence condition 12.1.1(1), MLTF risk assessments must be reviewed in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.

Operators must also assess the risk of proliferation financing and must take account of information in the report by HM Treasury referred to in Regulation 16A (the proliferation financing risk assessment).

Version control records can assist with record keeping (step 4 of the risk-based approach) relating to the risk-based approach and can assist operators, including during compliance assessments, in demonstrating they are actively assessing and managing MLTF risk by considering risk information published by the Commission.

Issue 2: disconnect between risk assessments and policies, procedures and controls

We have seen cases where AML and counter-terrorist financing (CTF) policies, procedures and controls do not appear to have regard to the operator’s MLTF risk assessment. This disconnect can mean that risks identified in the risk assessment are not appropriately mitigated by the controls, or that risk assessments are incomplete.

Action

As required by licence condition 12.1.1(2), following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing. As noted in step 2 of the risk-based approach, this means that, once the risk assessment has been completed, it must be used to devise appropriate policies, procedures, and controls to prevent MLTF. As part of this, operators need to ensure that the risks identified in their risk assessment are addressed within their policy documentation.

In practice, there must be a close relationship between the risk assessment and the policies, procedures and controls, and they must not be produced or operate in isolation.

Customer risk profiling

Issue

The Gambling Commission has identified cases where risk profiles of individual customers have not been compiled in line with the Commission’s guidance. We have seen examples where risk factors related to a customer have not been identified either at all, or not sufficiently early enough in the customer’s journey. As a result, appropriate risk-based customer due diligence has not taken place.

Action

As discussed in paragraph 6.2 of our guidance, at the commencement of the business relationship with the customer, operators will need to consider who the customer is, what they do, where they live and do business, and the nature of the product or service they require. This information will enable the operator to determine the level of risk associated with the customer and, in turn, the initial and ongoing customer due diligence and monitoring that is required. Full details of the source of funds to be used in the relationship will also need to be established using a risk-based approach.  

Customer risk profiling must be informed by the operator’s wider risk assessment, and operators need to assess the extent to which a particular customer triggers the risk factors considered in the risk assessment and graduate the risk profile of the customer, and the level of customer due diligence undertaken, accordingly.

Regulation 28(12) requires that customer due diligence (CDD) measures including ongoing monitoring are conducted in line with the level of risk posed. In addition, Regulation 33 sets out the circumstances where enhanced customer due diligence (ECDD) measures must be applied. In order to meet this requirement, casino operators must consider an appropriate range of risks to be able to identify cases where a customer is presenting as high-risk.

Over-reliance on financial threshold controls

Issue

We have seen cases where licensees have only begun customer risk-profiling and associated risk-based customer due diligence procedures when a financial threshold has been reached, despite other, non-spend related risk factors being clearly present from the commencement of the business relationship.

Additionally, some of the financial thresholds we have reviewed were set at an inappropriately high level for the risks present within the licensee’s business model and customer base.

In some of the examples we have seen, there has been an over-reliance on financial thresholds to the detriment of other risk factors, and thresholds set at an inappropriately high level. This has allowed customers with significant risk factors to use the casino without appropriate risk-based due diligence taking place, or only taking place once the customer had deposited and withdrawn large sums of money.

Action

Licence condition 12.1.1(2) requires that licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing. As set out previously, this includes risk profiling customers from the commencement of the business relationship, and considering whether they trigger risk factors from the operator’s risk assessment (paragraph 6.2 of our guidance), including those related to gambling activity, payment methods and geographical risk. Operators then need to conduct risk-based customer due diligence and ongoing monitoring.

Financial threshold controls can be a useful tool in combatting money laundering and terrorist financing (MLTF), however, they must not be relied upon in isolation and must be set at a level that is appropriate based on the individual licensee’s MLTF risk assessment, business model and customer base, and the customer risk profile.

Scrutiny of documentation

Issue

We have seen cases where documentation and information has not been appropriately scrutinised, and risk indicators present within the documentation have not been identified by the operator or appropriately acted upon.

In some examples, this included bank statements with significant third-party deposits evident and/or outgoings higher than income. We have also seen examples where, although the documentation contained indicators suggesting the document was false or fraudulent, the required enhanced customer due diligence (ECDD) was not conducted.

We have also seen examples where record keeping and decision logs have not been adequately maintained in relation to the review of customer documentation, this has made it challenging for operators to manage customer risk effectively and demonstrate this to the Gambling Commission (also see record keeping section).

Action

As discussed in April 2025’s emerging risks bulletin, where documents are received from a customer, operators need to ensure that these documents are appropriately scrutinised.

As per Regulation 33(1)(e) of the Regulations and the Commission’s guidance, casino operators must apply ECDD measures and enhanced ongoing monitoring, in addition to the required customer due diligence (CDD) measures, in any case where the operator discovers that a customer has provided false or stolen identification documentation or information, and the operator proposes to continue to deal with the customer.

In order to meet this requirement, operators need to have appropriate controls in place to identify such cases and need to ensure that their staff are appropriately trained to assess customer documentation, including how to identify false documents. Operators also need to ensure that the review of documentation and associated decision making is appropriately recorded (also see record keeping section).

Personal management licensee responsibilities

Issue

We have seen cases where Personal Management Licence (PML) holders have not had sufficient oversight of AML controls and have not taken appropriate steps to ensure compliance is achieved in order to uphold the licensing objectives.

This has included cases where risk assessments and policy documentation have not been kept under review and the effectiveness of their implementation has not been appropriately considered (as per licence condition 12.1.1(3)).

Action

As a condition of their licence, PML holders are required to:

  • take all reasonable steps to ensure that the way in which they carry out their responsibilities in relation to licensed activities does not place the holder of the operating or any relevant premises licence in breach of their licence conditions
  • keep themselves informed of developments in gambling legislation, codes of practice and any Gambling Commission guidance (whether issued on the Commission’s website or communicated directly to licence holders) relevant to their role.

As set out in paragraph 4.2 of our guidance for casinos, senior management must be fully engaged in the processes for a casino operator’s assessment of risks for money laundering and terrorist financing (MLTF) and proliferation financing (PF) and must be involved at every level of the decision making to develop the operator’s policies and processes to comply with the Regulations.

Where serious AML failings are identified, PML holders may undergo a review of their licence under section 116 of the Gambling Act 2005, which can result in the suspension or revocation of their licence, or the imposition of a financial penalty. More information regarding licence reviews can be found in the Commission’s Licensing, compliance and enforcement under the Gambling Act 2005: policy statement June 2022.

Training

Issue

We have seen several cases recently where employees of gambling operators have been inadequately trained on AML and counter-terrorist financing (CTF) matters. Issues have included:

  • employees not being trained on the operator’s policies, procedures and controls and how to follow these in practice
  • employees not receiving training on what to do where they have knowledge or suspicion of money laundering (ML) or terrorist financing (TF)
  • employees not being trained on how to identify and escalate money laundering and terrorist financing (MLTF) risks in customer behaviour and customer documentation (see the area of concern relating to the scrutiny of documentation).

Action

As set out in Regulation 24, and paragraphs 4.21 to 4.36 of the Commission’s guidance, all relevant employees of casinos must be appropriately trained on AML and CTF matters. One of the most important controls for the detection and prevention of money laundering is for an operator to ensure that its employees are alert to the risks of money laundering and are well trained in identifying unusual activities or transactions which appear to be suspicious. The effective application of even the best designed control systems can be quickly compromised if the employees applying those systems are not adequately trained. We consider that the effectiveness of the training is important to the overall success of an operator’s AML strategy.

As detailed in our guidance, casino operators should take reasonable steps to ensure that employees are aware of the money laundering risks faced by the operator, the operator’s procedures for managing those risks, the identity and responsibilities of the person responsible for making reports to the National Crime Agency (NCA), and the potential effect of a breach of the Proceeds of Crime Act (POCA) on the operator and its employees.

Third-party business relationships

Issue

We have seen instances of gambling operators failing to undertake sufficient due diligence measures in relation to their third-party business relationships, including where licensees have received third-party investments or entered into white-label partnerships.

Action

Casino operators must ensure that they have appropriately risk assessed their dealings with third parties, including white-label partners and any entities providing loans and/or investments, as these risks have both been noted as high risk in the Gambling Commission’s 2023 risk assessment. Please also see our Emerging Risks Bulletin of April 2025, which discusses this risk.

The Commission expects casino operators to obtain the necessary assurances regarding white-label partnerships by conducting adequate due diligence on the third party to ensure (amongst other things) that they are competent and reliable. Casino operators are also reminded of social responsibility code provision (SRCP) 1.1.2 responsibility for third parties, which sets out that licensees are responsible for the actions of third parties with whom they contract for the provision of any aspect of the licensee’s business related to the licensed activities.

The Commission also expects that any casino operators who rely on a third parties to conduct any aspect of their business related to the licensed activities must have sufficient oversight and controls in place in order to ensure that all activities are carried out in accordance with the LCCP, notably but not exclusively, social responsibility and anti-money laundering requirements.

Casino operators are reminded that any failings, such as failure to conduct customer due diligence (CDD) and enhanced customer due diligence (ECDD) on customers by the white-label partners, is the responsibility of the licensee, not the white-label partner.

As referenced in the emerging risks bulletin, licensees should consider risks to the licensing objectives in their due diligence checks on white-label partners. This should include giving consideration to any activity the third party is involved in outside of Great Britain (GB) that the Commission considers medium or high risk as defined in our money laundering and terrorist financing (MLTF) risk assessment, as well as activity that is illegal in either GB or the territory in which it is conducted.

The assessment of risks should also include consideration of the risks posed to the operator by the jurisdictional location of their third party, transactions and arrangements with business associates, and third-party suppliers such as payment providers and processors, including their beneficial ownership and source of funds. Effective management of third-party relationships should assure operators that the relationship is a legitimate one, and that they can evidence why their confidence is justified (see paragraph 2.11 of our guidance).

When accepting loans into their business, licensees are reminded of licence condition 15.2.1(3) and the licensing objective to prevent gambling from being a source of crime or disorder, being associated with crime and disorder or being used to support crime. The Commission is able to request additional information about any loans or other money entering the business, as per our Licensing, Compliance and Enforcement statement.

Record keeping

Issue

We have identified cases where licensees are either not recording, or inadequately recording, their rationale and decision making on AML matters. We have seen examples of inadequate record keeping in relation to risk reviews undertaken by the operator on particular customers, including where the outcome of the review was not recorded.

We have also seen cases where the process undertaken to assess money laundering and terrorist financing (MLTF) risk has been inadequately recorded, and cases where records have not been kept in relation to staff training on AML.

Action

As noted on our website, during compliance assessments, the Gambling Commission operates on the basis of ‘show me, don’t tell me’. This means that we want operators to demonstrate how their business is compliant. Keeping accurate and up-to-date records in relation to AML decision making across the operation will greatly assist operators in demonstrating their compliance, and a failure to keep accurate records will impact compliance outcomes.

As discussed in the Commission’s guidance (paragraphs 2.32 and 3.5, as well as chapter 7) and Regulation 40, customer records need to be accurately maintained, and decisions recorded. These records need to be made at the time of the decision, adding them retrospectively is not sufficient.

In relation to risk assessments, Regulation 18 and paragraph 2.10 of our guidance state that casino operators must keep an up-to-date record in writing of all the steps taken to identify and assess the risks of money laundering, terrorist financing and proliferation financing to which its business is subject.

In relation to training records, Regulation 24(1)(b) and paragraph 4.33 of the Commission’s guidance, stipulate that casino operators must maintain a written record of the measures in place to train relevant employees.

For more information in relation to record keeping for casino licence holders please see chapter 7 of our guidance.

Artificial intelligence and algorithms used for AML purposes

Issue

We have seen an increase in the use of artificial intelligence (AI), algorithms and behavioural models for AML purposes. Typically, these technologies seek to identify red flags for money laundering and terrorist financing (MLTF) within a customer’s profile and/or behaviour. Many then go on to give an aggregated score which can be used to generate (or contribute to) a customer’s risk rating.

These controls can be a useful tool in combatting MLTF, however, we have identified that some operators do not fully understand how their algorithms work as an AML control and have not ensured that they have been implemented effectively (as per licence condition 12.1.1(3)).

Action

When implementing AML controls, operators need to ensure that their controls address the risks identified in their MLTF risk assessment, and that such controls are appropriate to the business and implemented effectively.

During compliance assessments, we will typically ask for information about the algorithm’s methodology to assist us in assessing whether the control is appropriate and implemented effectively, particularly in addressing the risks identified in the operator’s risk assessment.

We will examine what is scored, how this is weighted and why, what the thresholds for different risk levels are, how escalations are triggered, and how the operator ensures the effectiveness of the algorithm. Where the control in place is a predictive model, we will seek to understand what the model is trying to predict and how it makes these predictions. During the customer review part of the compliance assessment, we will examine how the algorithm operates in practice in relation to specific customers, and test whether this is appropriate and effective.

We have identified compliance concerns where, due to the configuration of the algorithm, high-risk indicators have not been identified and/or escalated by the automated control in place. Operators must ensure that their suite of AML controls (including any algorithms, other reports and manual processes) are appropriately identifying risks so that risk-based due-diligence can take place.

We have also seen examples where models need a certain level or length of activity before they will score a customer. This can mean that some customers are able to conduct high levels of activity in the early stages of opening an account that is not subject to the controls from the algorithm. Operators need to ensure that the overall controls in place are appropriate at all stages of the customer relationship.

In some cases, models are designed to predict cases where suspicious activity reports (SARs) may be submitted in the future, and have been programmed using the profiles of customers where SARs have been submitted in the past. However, there have been cases where other risk indicators present in an account (but not seen in the previously submitted SAR cases) have not been identified due to the model’s configuration. Operators must ensure that their overall suite of controls can identify all relevant risk factors (as noted in the operator’s risk assessment) in a customer’s profile and behaviour.

Where an account has been escalated by the algorithm, we have seen cases where the relevant team within the operation has been unable to see why the escalation was generated, and have not been able to address the risks because they are unaware of what has been identified by the model. Operators should ensure that staff responsible for resolving escalations from these models have sufficient information to address the risks identified and can effectively implement AML procedures in line with licence condition 12.1.1. Recent casework has demonstrated that whilst automated controls can increase efficiency and contribute to an operator’s wider AML framework, properly trained AML staff are still required to identify and manage suspicious activity, as well as effectively safeguard operators from being exposed to significant MLTF risks.

Third-party drafting of risk assessments and policies

Issue

The Gambling Commission has seen examples where third parties, including artificial intelligence (AI) and consultancy firms, have been used to draft operator’s risk assessments, and policy, procedure and control documentation. We have identified cases where incorrect information has been included in the documentation, and where operators were not aware of the content of their own policies, which were then not appropriate to the business or implemented effectively.

Action

Whilst the Commission recognises that some licensees seek third-party support, the responsibility for complying with the licence conditions and codes of practice, the Commission’s guidance and the Regulations, remains with the licensee.

As previously stated, senior management within the licensee must be fully engaged in the processes for a casino operator’s assessment of risks for money laundering, terrorist financing and proliferation financing, and must be involved at every level of the decision making to develop the operator’s policies and processes to comply with the Regulations. As part of this, it is imperative that licensees ensure that their risk assessment and policies and procedures are appropriate to their business, implemented effectively, and that they accurately reflect the business and the controls in place.

Operators are also reminded licence code 1.1.2 which states licensees are responsible for the actions of third parties with whom they contract for the provision of any aspect of the licensee’s business related to the licensed activities.

Previous page
Anti-money laundering and counter-terrorist financing casework trends Next page
Other operator casework trends: October 2025

Last updated: 3 October 2025

Show updates to this content

No changes to show.

Is this page useful?
Back to top