Cookies on the Gambling Commission website

The Gambling Commission website uses cookies to make the site work better for you. Some of these cookies are essential to how the site functions and others are optional. Optional cookies help us remember your settings, measure your use of the site and personalise how we communicate with you. Any data collected is anonymised and we do not set optional cookies unless you consent.

Set cookie preferences

You've accepted all cookies. You can change your cookie settings at any time.

Skip to main content
  1. Home
  2. Licensees and businesses

Anti-money laundering and counter-terrorist financing other operators (non-casinos) casework trends: October 2025

This bulletin sets out common trends the Gambling Commission has identified during recent compliance and enforcement activity.

Licence condition 12.1.1(3) requires operators to ensure that their policies, procedures and controls for anti-money laundering are implemented effectively and take into account any applicable learning or guidelines published by the Commission. Therefore, this bulletin should be used as a prompt for operators to review their money laundering and terrorist financing (MLTF) risk assessments and related policies, procedures and controls to ensure that they remain appropriate and effective.

The bulletin should be read in conjunction with the Commission’s advice document.

Contents

The bulletin consists of the following sections:

Money laundering and terrorist financing risk assessments

Issue 1: insufficient consideration of relevant risks

We have seen cases where operators have not followed a sufficiently risk-based approach when compiling their money laundering and terrorist financing (MLTF) risk assessments, because they have not considered all relevant risks associated with their operation, including those within the Gambling Commission’s risk assessment and our emerging risks bulletins.

Action

As set out in paragraph 18.1 of our advice document, operators should take a risk-based approach to MLTF. This involves a number of steps:

  1. Identify the MLTF risks that are relevant to the operator.
  2. Design and implement policies, procedures and controls to manage and mitigate these assessed risks.
  3. Monitor and improve the effective operation of these controls.
  4. Record what has been done, and why.

When preparing MLTF risk assessments, operators should review all areas of the Commission’s risk assessment that are relevant to their licensed activity or activities. They should then review each of the individual risks in that area and consider how these relate to the business. Additionally, licensees should consider the risks shared by the Commission in its emerging risks bulletins.

As discussed in paragraph 18.19 of our advice, licensees also need to consider the other MLTF risks their business is exposed to, including those related to:

  • country or geographic risk
  • customer risk
  • transaction risk
  • product risk.

As required by licence condition 12.1.1(1), MLTF risk assessments must be reviewed in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.

Version control records can assist with record keeping (step 4 of the risk-based approach) relating to the risk-based approach and can assist operators, including during compliance assessments, in demonstrating they are actively assessing and managing MLTF risk by considering risk information published by the Commission.

Issue 2: disconnect between risk assessments and policies, procedures and controls

We have seen cases where AML and counter-terrorist financing (CTF) policies, procedures and controls do not appear to have regard to the operator’s MLTF risk assessment. This disconnect can mean that risks identified in the risk assessment are not appropriately mitigated by the controls, or that risk assessments are incomplete.

Action

As required by licence condition 12.1.1(2), following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing. As noted in step 2 of the risk-based approach outlined above, this means that once the risk assessment has been completed, it must be used to devise appropriate policies, procedures, and controls to prevent MLTF. As part of this, operators need to ensure that the risks identified in their risk assessment are addressed within their policy documentation.

In practice, there must be a close relationship between the risk assessment and the policies, procedures and controls, and they must not be produced or operate in isolation.

Customer and transaction monitoring

Issue

The Gambling Commission has identified cases where customer and transaction monitoring have not taken place in line with the Commission’s advice. We have seen examples where relevant risk factors related to a customer and their transactions have not been identified either at all, or not sufficiently early enough in the customer’s journey, as a result appropriate risk-based ‘know your customer’ (KYC) measures have not taken place.

Action

As set out in the Commission’s Proceeds of Crime Act (POCA) advice document in paragraph 18.6, in order to detect customer activity that may be suspicious, it is necessary to monitor all transactions or activity. The monitoring of customer activity should be carried out using a risk-based approach. Higher risk customers should be subjected to a frequency and depth of scrutiny greater than may be appropriate for lower risk customers. Operators should be aware that the level of risk attributed to customers may not correspond to their commercial value to the business.

As set out in paragraph 18.7 of the POCA advice document, where a customer is assessed as presenting a higher risk, additional information in respect of that customer should be collected. This will help the operator judge whether the higher risk that the customer is perceived to present is likely to materialise and provide grounds for proportionate and recorded decisions.

Licence conditions 12.1.1(2 and 3) set out the requirement that AML policies procedures and controls must be appropriate, have regard to the operator's risk assessment, be implemented effectively, and be kept under review. In line with this requirement, customer and transaction monitoring must be informed by the operator’s risk assessment, and follow a risk-based approach.

Over-reliance on financial threshold controls

Issue

We have seen cases where licensees have only begun customer and transaction monitoring, and associated 'know your customer' (KYC) procedures, when a financial threshold has been reached, despite other, non-spend related risk factors being clearly present from the start of the customer’s journey.

Additionally, some of the financial thresholds we have reviewed were set at an inappropriately high level for the risks present within the licensee’s business model and customer base.

In some of the examples we have seen, there has been an over-reliance on financial thresholds to the detriment of other risk factors, and thresholds set at an inappropriately high level. This has allowed customers with significant risk factors to use the gambling business without appropriate risk-based KYC taking place, or only taking place once the customer had deposited and withdrawn large sums of money.

Action

Licence condition 12.1.1(2) requires that licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing. As set out above, this includes monitoring all transactions or activity, considering where customers trigger factors within an operator’s risk assessment (not only spend risk factors, but all relevant ones), and commencing risk-based KYC measures. For higher risk customers this information should include an understanding of where the customer’s funds and wealth have come from.

Financial threshold controls can be a useful tool in combatting money laundering and terrorist financing (MLTF), however, they must not be relied upon in isolation and must be set at a level that is appropriate based on the individual licensee’s MLTF risk assessment, business model and customer base.

Scrutiny of documentation

Issue

We have seen cases where documentation and information has not been appropriately scrutinised, and risk indicators present within the documentation have not been identified by the operator, or appropriately acted upon.

In some examples this included bank statements with significant third-party deposits evident and/or outgoings higher than income. We have also seen examples where although the documentation contained indicators suggesting the document was false or fraudulent, appropriately risk-based 'know your customer' (KYC) did not take place.

Action

As discussed in April’s 2025’s emerging risks bulletin, where documents are received from a customer, operators need to ensure that these documents are appropriately scrutinised and that staff have been trained to identify relevant risk factors. Where a customer is assessed as presenting a higher risk, additional information in respect of that customer should be collected.

Personal management licensee responsibilities

Issue

We have seen cases where Personal Management Licence (PML) holders have not had sufficient oversight of AML controls and have not taken appropriate steps to ensure compliance is achieved in order to uphold the licensing objectives.

This has included cases where risk assessments and policy documentation have not been kept under review and the effectiveness of their implementation has not been appropriately considered (as per licence condition 12.1.1(3)).

Action

As set out in paragraph 18.11 of our advice, a risk-based approach requires the full commitment and support of senior management.

As a condition of their licence, PML holders are required to:

  • take all reasonable steps to ensure that the way in which they carry out their responsibilities in relation to licensed activities does not place the holder of the operating or any relevant premises licence in breach of their licence conditions
  • keep themselves informed of developments in gambling legislation, codes of practice and any Gambling Commission guidance (whether issued on the Commission’s website or communicated directly to licence holders) relevant to their role.

Where serious AML failings are identified, PML holders may undergo a review of their licence under section 116 of the Gambling Act 2005, which can result in the suspension or revocation of their licence, or the imposition of a financial penalty. More information regarding licence reviews can be found in the Commission’s Licensing, compliance and enforcement under the Gambling Act 2005: policy statement June 2022.

Training

Issue

We have seen several cases recently where employees of gambling operators have been inadequately trained on AML and counter-terrorist financing (CTF) matters. Issues have included:

  • employees not being trained on the operator’s policies, procedures and controls and how to follow these in practice
  • employees not receiving training on what to do where they have knowledge or suspicion of money laundering (ML) or terrorist financing (TF)
  • employees not being trained on how to identify and escalate money laundering and terrorist financing (MLTF) risks in customer behaviour and customer documentation (see the area of concern relating to the scrutiny of documentation).

Action

One of the most important controls for the detection and prevention of money laundering is for an operator to ensure that its employees are alert to the risks of money laundering and well trained in identifying unusual activities or transactions which appear to be suspicious.

As discussed in paragraphs 13.1 and 13.2 and section 23 of the Gambling Commission’s advice document, employees face criminal penalties under Proceeds of Crime Act (POCA) if they are involved in money laundering unless they make a report of known or suspected money laundering activity. It is important, therefore, that employees are made aware of their legal obligations and how to correctly discharge them. Operators should also take reasonable steps to ensure that employees are aware of the money laundering risks faced by the operator, the operator’s procedures for managing those risks, the identity and responsibilities of the person responsible for making reports to the National Crime Agency (NCA), and the potential effect of a breach of POCA on the operator and its employees.

Third-party business relationships

Issue

We have seen instances of gambling operators failing to undertake sufficient due diligence measures in relation to their third-party business relationships, including where licensees have received third-party investments or entered into white-label partnerships.

Action

Operators need to ensure that they have appropriately risk assessed their dealings with third parties, including white-label partners and any entities providing loans and/or investments. These risks have both been noted as high risk in the Gambling Commission’s 2023 risk assessment. Please also see our Emerging Risks Bulletin of April 2025, which discusses this risk.

The Commission expects operators to obtain the necessary assurances regarding white-label partnerships by conducting adequate due diligence on the third-party to ensure (amongst other things) that they are competent and reliable. Operators are also reminded of social responsibility code provision (SRCP) 1.1.2 responsibility for third parties which sets out that licensees are responsible for the actions of third parties with whom they contract for the provision of any aspect of the licensee’s business related to the licensed activities.

As referenced in the emerging risks bulletin, licensees should consider risks to the licensing objectives in their due diligence checks on white-label partners. This should include giving consideration to any activity the third-party is involved in outside of Great Britain (GB) that the Commission considers medium or high risk as defined in our money laundering and terrorist financing (MLTF) risk assessment, as well as activity that is illegal in either GB or the territory in which it is conducted.

The assessment of risks should also include consideration of the risks posed to the operator by the jurisdictional location of their third-party, transactions and arrangements with business associates, and third-party suppliers such as payment providers and processors, including their beneficial ownership and source of funds. Effective management of third-party relationships should assure operators that the relationship is a legitimate one, and that they can evidence why their confidence is justified (see paragraphs 1.3 and 18.12 of our advice document).

When accepting loans into their business, licensees are reminded of licence condition 15.2.1(3) and the licensing objective to prevent gambling from being a source of crime or disorder, being associated with crime and disorder or being used to support crime. The Commission is able to request additional information about any loans or other money entering the business, as per our Licensing, Compliance and Enforcement statement.

Record keeping

Issue

We have identified cases where licensees are either not recording, or inadequately recording, their rationale and decision making on AML matters. We have seen examples of inadequate record keeping in relation to risk reviews undertaken by the operator on particular customers, including where the outcome of the review was not recorded.

We have also seen cases where the process undertaken to assess money laundering and terrorist financing (MLTF) risk has been inadequately recorded, and cases where records have not been kept in relation to staff training on AML.

Action

As noted on our website, during compliance assessments, the Gambling Commission operates on the basis of ‘show me, don’t tell me’. This means that we want operators to demonstrate how their business is compliant. Keeping accurate and up-to-date records in relation to AML decision making across the operation will greatly assist operators in demonstrating their compliance, and a failure to keep accurate records will impact compliance outcomes. These records need to be made at the time of the decision, adding them retrospectively is not sufficient.

Operators are expected to adopt a risk-based approach, where MLTF risks are assessed and managed in a way that is proportionate. As part of this approach, operators are expected to record what has been done and why, for example.

As set out in paragraph 19.5 of the Proceeds of Crime Act (POCA) advice customer relationships need to be managed proficiently and records should be maintained as to what information was communicated to the customer, why it was communicated and what considerations were made.

For more information in relation to record keeping, see the Duties under POCA.

Artificial intelligence and algorithms used for AML purposes

Issue

We have seen an increase in the use of artificial intelligence (AI), algorithms and behavioural models for AML purposes. Typically, these technologies seek to identify red flags for money laundering and terrorist financing (MLTF) within a customer’s profile and/or behaviour. Many then go on to give an aggregated score which can be used to generate (or contribute to) a customer’s risk rating.

These controls can be a useful tool in combatting MLTF, however, we have identified that some operators do not fully understand how their algorithms work as an AML control and have not ensured that they have been implemented effectively (as per licence condition 12.1.1(3)).

Action

When implementing AML controls, operators need to ensure that their controls address the risks identified in their MLTF risk assessment, and that such controls are appropriate to the business and implemented effectively.

During compliance assessments, we will typically ask for information about the algorithm’s methodology to assist us in assessing whether the control is appropriate and implemented effectively, particularly in addressing the risks identified in the operator’s risk assessment.

We will examine what is scored, how this is weighted and why, what the thresholds for different risk levels are, how escalations are triggered, and how the operator ensures the effectiveness of the algorithm. Where the control in place is a predictive model, we will seek to understand what the model is trying to predict and how it makes these predictions. During the customer review part of the compliance assessment, we will examine how the algorithm operates in practice in relation to specific customers, and test whether this is appropriate and effective.

We have identified compliance concerns where, due to the configuration of the algorithm, high-risk indicators have not been identified and/or escalated by the automated control in place. Operators must ensure that their suite of AML controls (including any algorithms, other reports and manual processes) are appropriately identifying risks so that risk-based due-diligence can take place.

We have also seen examples where models need a certain level or length of activity before they will score a customer. This can mean that some customers are able to conduct high levels of activity in the early stages of opening an account that is not subject to the controls from the algorithm. Operators need to ensure that the overall controls in place are appropriate at all stages of the customer’s journey.

In some cases, models are designed to predict cases where suspicious activity reports (SARs) may be submitted in the future, and have been programmed using the profiles of customers where SARs have been submitted in the past. However, there have been cases where other risk indicators present in an account (but not seen in the previously submitted SAR cases) have not been identified due to the model’s configuration. Operators must ensure that their overall suite of controls can identify all relevant risk factors (as noted in the operator’s risk assessment) in a customer’s profile and behaviour.

Where an account has been escalated by the algorithm, we have seen cases where the relevant team within the operation has been unable to see why the escalation was generated, and have not been able to address the risks because they are unaware of what has been identified by the model. Operators should ensure that staff responsible for resolving escalations from these models have sufficient information to address the risks identified and can effectively implement AML procedures in line with licence condition 12.1.1.

Recent casework has demonstrated that whilst automated controls can increase efficiency and contribute to an operator’s wider AML framework, properly trained AML staff are still required to identify and manage suspicious activity, as well as effectively safeguard operators from being exposed to significant MLTF risks.

Third-party drafting of risk assessments and policies

Issue

The Gambling Commission has seen examples where third parties, including artificial intelligence (AI) and consultancy firms, have been used to draft operator’s risk assessments, and policy, procedure and control documentation. We have identified cases where incorrect information has been included in the documentation, and where operators were not aware of the content of their own policies, which were then not appropriate to the business or implemented effectively.

Action

Whilst the Commission recognises that some licensees seek third-party support, the responsibility for complying with the licence conditions and codes of practice and the Commission’s advice, remains with the licensee.

As previously stated, senior management within the licensee must be fully engaged with the operator’s risk-based approach to AML. As part of this, it is imperative that licensees ensure that their risk assessment and policies and procedures are appropriate to their business, implemented effectively, and that they accurately reflect the business and the controls in place.

Operators are also reminded of Licence code 1.1.2 which states licensees are responsible for the actions of third parties with whom they contract for the provision of any aspect of the licensee’s business related to the licensed activities.

Previous page
Casino casework trends: October 2025

Last updated: 3 October 2025

Show updates to this content

No changes to show.

Is this page useful?
Back to top