As part of your Anti-Money laundering commitments, you will need to make sure that you keep up to date with any applicable learning.
Published: 3 October 2025
Last updated: 3 October 2025
This version was printed or saved on: 18 October 2025
Online version: https://www.gamblingcommission.gov.uk/licensees-and-businesses/guide/anti-money-laundering-and-counter-terrorist-financing-casework-trends
Overview: As part of your commitment to ensuring compliance with anti-money laundering and counter-terrorist financing legislation, you will need to ensure that you keep up to date with any applicable learning that the Gambling Commission publishes (as required under Licence Condition 12.1.1(3) of the Licence Conditions and Codes of Practice).
This bulletin sets out common trends the Gambling Commission has identified during recent compliance and enforcement activity.
Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the Regulations), the Commission is required to adopt a risk-based approach to the supervision of casinos. Sharing information to ensure that casino operators are compliant with the Regulations is a key part of our approach.
Licence condition 12.1.1(3) also requires operators to ensure that their policies, procedures and controls are implemented effectively and take into account any applicable learning or guidelines published by the Commission. Therefore, this bulletin should be used as a prompt for operators to review their money laundering and terrorist financing (MLTF) risk assessments and related policies, procedures and controls to ensure that they remain up-to-date, appropriate and effective.
The bulletin should be read in conjunction with the Commission’s AML guidance document for casinos.
The bulletin consists of the following sections:
We have seen cases where operators have not followed a sufficiently risk-based approach when compiling their money laundering and terrorist financing (MLTF) risk assessments, because they have not considered all relevant risks associated with their operation, including those within the Gambling Commission’s risk assessment and our emerging risks bulletins.
As set out in Regulation 18(1), operators must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which the business is subject. As set out in paragraph 2.4 of our guidance, the risk-based approach involves the following steps:
When preparing MLTF risk assessments, operators must review all areas of the Commission’s risk assessment that are relevant to their licensed activity or activities. Operators must then review each of the individual risks in that area and consider how these relate to their specific business. Additionally, licensees must consider the risks shared by the Commission in its emerging risks bulletins. There are also a number of high-risk factors listed in Regulation 33(6), and discussed in paragraph 6.33 of our guidance, that must be taken into account.
As well as the risks discussed in Commission publications, as per Regulation 18(2)(b) of the Regulations (discussed in paragraph 2.9 of our guidance), licensees should also consider other key MLTF risks that their businesses could reasonably be exposed to, relating to:
As required by licence condition 12.1.1(1), MLTF risk assessments must be reviewed in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.
Operators must also assess the risk of proliferation financing and must take account of information in the report by HM Treasury referred to in Regulation 16A (the proliferation financing risk assessment).
Version control records can assist with record keeping (step 4 of the risk-based approach) relating to the risk-based approach and can assist operators, including during compliance assessments, in demonstrating they are actively assessing and managing MLTF risk by considering risk information published by the Commission.
We have seen cases where AML and counter-terrorist financing (CTF) policies, procedures and controls do not appear to have regard to the operator’s MLTF risk assessment. This disconnect can mean that risks identified in the risk assessment are not appropriately mitigated by the controls, or that risk assessments are incomplete.
As required by licence condition 12.1.1(2), following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing. As noted in step 2 of the risk-based approach, this means that, once the risk assessment has been completed, it must be used to devise appropriate policies, procedures, and controls to prevent MLTF. As part of this, operators need to ensure that the risks identified in their risk assessment are addressed within their policy documentation.
In practice, there must be a close relationship between the risk assessment and the policies, procedures and controls, and they must not be produced or operate in isolation.
The Gambling Commission has identified cases where risk profiles of individual customers have not been compiled in line with the Commission’s guidance. We have seen examples where risk factors related to a customer have not been identified either at all, or not sufficiently early in the customer’s journey. As a result, appropriate risk-based customer due diligence has not taken place.
As discussed in paragraph 6.2 of our guidance, at the commencement of the business relationship with the customer, operators will need to consider who the customer is, what they do, where they live and do business, and the nature of the product or service they require. This information will enable the operator to determine the level of risk associated with the customer and, in turn, the initial and ongoing customer due diligence and monitoring that is required. Full details of the source of funds to be used in the relationship will also need to be established using a risk-based approach.
Customer risk profiling must be informed by the operator’s wider risk assessment, and operators need to assess the extent to which a particular customer triggers the risk factors considered in the risk assessment and graduate the risk profile of the customer, and the level of customer due diligence undertaken, accordingly.
Regulation 28(12) requires that customer due diligence (CDD) measures including ongoing monitoring are conducted in line with the level of risk posed. In addition, Regulation 33 sets out the circumstances where enhanced customer due diligence (ECDD) measures must be applied. In order to meet this requirement, casino operators must consider an appropriate range of risks to be able to identify cases where a customer is presenting as high-risk.
We have seen cases where licensees have only begun customer risk-profiling and associated risk-based customer due diligence procedures when a financial threshold has been reached, despite other, non-spend related risk factors being clearly present from the commencement of the business relationship.
Additionally, some of the financial thresholds we have reviewed were set at an inappropriately high level for the risks present within the licensee’s business model and customer base.
In some of the examples we have seen, there has been an over-reliance on financial thresholds to the detriment of other risk factors, and thresholds set at an inappropriately high level. This has allowed customers with significant risk factors to use the casino without appropriate risk-based due diligence taking place, or only taking place once the customer had deposited and withdrawn large sums of money.
Licence condition 12.1.1(2) requires that licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing. As set out previously, this includes risk profiling customers from the commencement of the business relationship, and considering whether they trigger risk factors from the operator’s risk assessment (paragraph 6.2 of our guidance), including those related to gambling activity, payment methods and geographical risk. Operators then need to conduct risk-based customer due diligence and ongoing monitoring.
Financial threshold controls can be a useful tool in combatting money laundering and terrorist financing (MLTF); however, they must not be relied upon in isolation and must be set at a level that is appropriate based on the individual licensee’s MLTF risk assessment, business model and customer base, and the customer risk profile.
We have seen cases where documentation and information has not been appropriately scrutinised, and risk indicators present within the documentation have not been identified by the operator or appropriately acted upon.
In some examples, this included bank statements with significant third-party deposits evident and/or outgoings higher than income. We have also seen examples where, although the documentation contained indicators suggesting the document was false or fraudulent, the required enhanced customer due diligence (ECDD) was not conducted.
We have also seen examples where record keeping and decision logs have not been adequately maintained in relation to the review of customer documentation. This has made it challenging for operators to manage customer risk effectively and demonstrate this to the Gambling Commission (also see record keeping section).
As discussed in April 2025’s emerging risks bulletin, where documents are received from a customer, operators need to ensure that these documents are appropriately scrutinised.
As per Regulation 33(1)(e) of the Regulations and the Commission’s guidance, casino operators must apply ECDD measures and enhanced ongoing monitoring, in addition to the required customer due diligence (CDD) measures, in any case where the operator discovers that a customer has provided false or stolen identification documentation or information, and the operator proposes to continue to deal with the customer.
In order to meet this requirement, operators need to have appropriate controls in place to identify such cases and need to ensure that their staff are appropriately trained to assess customer documentation, including how to identify false documents. Operators also need to ensure that the review of documentation and associated decision making is appropriately recorded (also see record keeping section).
We have seen cases where Personal Management Licence (PML) holders have not had sufficient oversight of AML controls and have not taken appropriate steps to ensure compliance is achieved in order to uphold the licensing objectives.
This has included cases where risk assessments and policy documentation have not been kept under review and the effectiveness of their implementation has not been appropriately considered (as per licence condition 12.1.1(3)).
As a condition of their licence, PML holders are required to:
As set out in paragraph 4.2 of our guidance for casinos, senior management must be fully engaged in the processes for a casino operator’s assessment of risks for money laundering and terrorist financing (MLTF) and proliferation financing (PF) and must be involved at every level of the decision making to develop the operator’s policies and processes to comply with the Regulations.
Where serious AML failings are identified, PML holders may undergo a review of their licence under section 116 of the Gambling Act 2005, which can result in the suspension or revocation of their licence, or the imposition of a financial penalty. More information regarding licence reviews can be found in the Commission’s Licensing, compliance and enforcement under the Gambling Act 2005: policy statement June 2022.
We have seen several cases recently where employees of gambling operators have been inadequately trained on AML and counter-terrorist financing (CTF) matters. Issues have included:
As set out in Regulation 24, and paragraphs 4.21 to 4.36 of the Commission’s guidance, all relevant employees of casinos must be appropriately trained on AML and CTF matters. One of the most important controls for the detection and prevention of money laundering is for an operator to ensure that its employees are alert to the risks of money laundering and are well trained in identifying unusual activities or transactions which appear to be suspicious. The effective application of even the best designed control systems can be quickly compromised if the employees applying those systems are not adequately trained. We consider that the effectiveness of the training is important to the overall success of an operator’s AML strategy.
As detailed in our guidance, casino operators should take reasonable steps to ensure that employees are aware of the money laundering risks faced by the operator, the operator’s procedures for managing those risks, the identity and responsibilities of the person responsible for making reports to the National Crime Agency (NCA), and the potential effect of a breach of the Proceeds of Crime Act (POCA) on the operator and its employees.
We have seen instances of gambling operators failing to undertake sufficient due diligence measures in relation to their third-party business relationships, including where licensees have received third-party investments or entered into white-label partnerships.
Casino operators must ensure that they have appropriately risk assessed their dealings with third parties, including white-label partners and any entities providing loans and/or investments, as these risks have both been noted as high risk in the Gambling Commission’s 2023 risk assessment. Please also see our Emerging Risks Bulletin of April 2025, which discusses this risk.
The Commission expects casino operators to obtain the necessary assurances regarding white-label partnerships by conducting adequate due diligence on the third party to ensure (amongst other things) that they are competent and reliable. Casino operators are also reminded of social responsibility code provision (SRCP) 1.1.2 responsibility for third parties, which sets out that licensees are responsible for the actions of third parties with whom they contract for the provision of any aspect of the licensee’s business related to the licensed activities.
The Commission also expects that any casino operators who rely on third parties to conduct any aspect of their business related to the licensed activities must have sufficient oversight and controls in place in order to ensure that all activities are carried out in accordance with the LCCP, notably but not exclusively, social responsibility and anti-money laundering requirements.
Casino operators are reminded that any failings, such as failure to conduct customer due diligence (CDD) and enhanced customer due diligence (ECDD) on customers by the white-label partners, are the responsibility of the licensee, not the white-label partner.
As referenced in the emerging risks bulletin, licensees should consider risks to the licensing objectives in their due diligence checks on white-label partners. This should include giving consideration to any activity the third party is involved in outside of Great Britain (GB) that the Commission considers medium or high risk as defined in our money laundering and terrorist financing (MLTF) risk assessment, as well as activity that is illegal in either GB or the territory in which it is conducted.
The assessment of risks should also include consideration of the risks posed to the operator by the jurisdictional location of their third party, transactions and arrangements with business associates, and third-party suppliers such as payment providers and processors, including their beneficial ownership and source of funds. Effective management of third-party relationships should assure operators that the relationship is a legitimate one, and that they can evidence why their confidence is justified (see paragraph 2.11 of our guidance).
When accepting loans into their business, licensees are reminded of licence condition 15.2.1(3) and the licensing objective to prevent gambling from being a source of crime or disorder, being associated with crime and disorder or being used to support crime. The Commission is able to request additional information about any loans or other money entering the business, as per our Licensing, Compliance and Enforcement statement.
We have identified cases where licensees are either not recording, or inadequately recording, their rationale and decision making on AML matters. We have seen examples of inadequate record keeping in relation to risk reviews undertaken by the operator on particular customers, including where the outcome of the review was not recorded.
We have also seen cases where the process undertaken to assess money laundering and terrorist financing (MLTF) risk has been inadequately recorded, and cases where records have not been kept in relation to staff training on AML.
As noted on our website, during compliance assessments, the Gambling Commission operates on the basis of ‘show me, don’t tell me’. This means that we want operators to demonstrate how their business is compliant. Keeping accurate and up-to-date records in relation to AML decision making across the operation will greatly assist operators in demonstrating their compliance, and a failure to keep accurate records will impact compliance outcomes.
As discussed in the Commission’s guidance (paragraphs 2.32 and 3.5, as well as chapter 7) and Regulation 40, customer records need to be accurately maintained, and decisions recorded. These records need to be made at the time of the decision; adding them retrospectively is not sufficient.
In relation to risk assessments, Regulation 18 and paragraph 2.10 of our guidance state that casino operators must keep an up-to-date record in writing of all the steps taken to identify and assess the risks of money laundering, terrorist financing and proliferation financing to which its business is subject.
In relation to training records, Regulation 24(1)(b) and paragraph 4.33 of the Commission’s guidance, stipulate that casino operators must maintain a written record of the measures in place to train relevant employees.
For more information in relation to record keeping for casino licence holders please see chapter 7 of our guidance.
We have seen an increase in the use of artificial intelligence (AI), algorithms and behavioural models for AML purposes. Typically, these technologies seek to identify red flags for money laundering and terrorist financing (MLTF) within a customer’s profile and/or behaviour. Many then go on to give an aggregated score which can be used to generate (or contribute to) a customer’s risk rating.
These controls can be a useful tool in combatting MLTF; however, we have identified that some operators do not fully understand how their algorithms work as an AML control and have not ensured that they have been implemented effectively (as per licence condition 12.1.1(3)).
When implementing AML controls, operators need to ensure that their controls address the risks identified in their MLTF risk assessment, and that such controls are appropriate to the business and implemented effectively.
During compliance assessments, we will typically ask for information about the algorithm’s methodology to assist us in assessing whether the control is appropriate and implemented effectively, particularly in addressing the risks identified in the operator’s risk assessment.
We will examine what is scored, how this is weighted and why, what the thresholds for different risk levels are, how escalations are triggered, and how the operator ensures the effectiveness of the algorithm. Where the control in place is a predictive model, we will seek to understand what the model is trying to predict and how it makes these predictions. During the customer review part of the compliance assessment, we will examine how the algorithm operates in practice in relation to specific customers, and test whether this is appropriate and effective.
We have identified compliance concerns where, due to the configuration of the algorithm, high-risk indicators have not been identified and/or escalated by the automated control in place. Operators must ensure that their suite of AML controls (including any algorithms, other reports and manual processes) are appropriately identifying risks so that risk-based due-diligence can take place.
We have also seen examples where models need a certain level or length of activity before they will score a customer. This can mean that some customers are able to conduct high levels of activity in the early stages of opening an account that is not subject to the controls from the algorithm. Operators need to ensure that the overall controls in place are appropriate at all stages of the customer relationship.
In some cases, models are designed to predict cases where suspicious activity reports (SARs) may be submitted in the future, and have been programmed using the profiles of customers where SARs have been submitted in the past. However, there have been cases where other risk indicators present in an account (but not seen in the previously submitted SAR cases) have not been identified due to the model’s configuration. Operators must ensure that their overall suite of controls can identify all relevant risk factors (as noted in the operator’s risk assessment) in a customer’s profile and behaviour.
Where an account has been escalated by the algorithm, we have seen cases where the relevant team within the operation has been unable to see why the escalation was generated, and have not been able to address the risks because they are unaware of what has been identified by the model. Operators should ensure that staff responsible for resolving escalations from these models have sufficient information to address the risks identified and can effectively implement AML procedures in line with licence condition 12.1.1. Recent casework has demonstrated that whilst automated controls can increase efficiency and contribute to an operator’s wider AML framework, properly trained AML staff are still required to identify and manage suspicious activity, as well as effectively safeguard operators from being exposed to significant MLTF risks.
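The concerns in this section (over-reliance on spend thresholds, models that do not score new accounts, escalations that arrive without reasons, and risk assessment factors that no control covers) can be made concrete with the Python example below. It is an added illustration, not the Commission's methodology or any operator's model; the factor names, weights, thresholds, record fields and the placeholder country code `XX` are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed for illustration: factor names, weights, thresholds and the
# placeholder country code are invented, not Gambling Commission figures.
HIGH_RISK_COUNTRIES = {"XX"}
DEPOSIT_THRESHOLD = 5000
LEVELS = [(60, "high"), (30, "medium"), (0, "low")]  # (minimum score, level)


@dataclass(frozen=True)
class Rule:
    factor: str                   # ID of the factor in the operator's risk assessment
    weight: int                   # contribution to the aggregate score
    rationale: str                # shown to the analyst who handles the escalation
    test: Callable[[dict], bool]  # predicate over the customer record


RULES = [
    Rule("geographic_risk", 40, "Customer located in a jurisdiction rated high risk",
         lambda c: c.get("country") in HIGH_RISK_COUNTRIES),
    Rule("third_party_deposits", 35, "Deposits from accounts not in the customer's name",
         lambda c: c.get("third_party_deposits", 0) > 0),
    Rule("outgoings_exceed_income", 30, "Bank statements show outgoings higher than income",
         lambda c: c.get("monthly_outgoings", 0) > c.get("monthly_income", float("inf"))),
    Rule("document_integrity", 50, "Reviewer flagged signs of a false or altered document",
         lambda c: bool(c.get("document_flags"))),
    Rule("deposit_threshold", 30, "Cumulative deposits reached the financial threshold",
         lambda c: c.get("total_deposits", 0) >= DEPOSIT_THRESHOLD),
]


def assess(customer: dict) -> dict:
    """Score a customer from the first interaction; there is no warm-up period."""
    fired = [r for r in RULES if r.test(customer)]
    score = sum(r.weight for r in fired)
    level = next(name for floor, name in LEVELS if score >= floor)
    return {
        "score": score,
        "level": level,
        "escalate": level == "high",
        # Every escalation carries the factors that produced it, so the team
        # resolving it can see what the control identified.
        "reasons": [(r.factor, r.weight, r.rationale) for r in fired],
    }


def threshold_only(customer: dict) -> bool:
    """The weak control described above: escalation driven by spend alone."""
    return customer.get("total_deposits", 0) >= DEPOSIT_THRESHOLD


def uncovered_factors(risk_assessment_factors: set) -> set:
    """Factors listed in the risk assessment that no rule scores."""
    return set(risk_assessment_factors) - {r.factor for r in RULES}


# Constructed sample: a brand-new account with no spend but two non-spend factors.
NEW_CUSTOMER = {
    "account_age_days": 0,
    "country": "XX",
    "total_deposits": 0,
    "document_flags": ["font mismatch on statement"],
}

if __name__ == "__main__":
    result = assess(NEW_CUSTOMER)
    print("threshold-only control escalates:", threshold_only(NEW_CUSTOMER))
    print("scored control:", result["level"], result["score"])
    for factor, weight, why in result["reasons"]:
        print(f"  {factor} (+{weight}): {why}")
    print("not covered by any rule:",
          uncovered_factors({"geographic_risk", "third_party_deposits", "cash_payments"}))
```

Running the coverage check against the factor list in the risk assessment each time either is revised shows where manual processes or other reports must fill a gap.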
The Gambling Commission has seen examples where third parties, including artificial intelligence (AI) and consultancy firms, have been used to draft operator’s risk assessments, and policy, procedure and control documentation. We have identified cases where incorrect information has been included in the documentation, and where operators were not aware of the content of their own policies, which were then not appropriate to the business or implemented effectively.
Whilst the Commission recognises that some licensees seek third-party support, the responsibility for complying with the licence conditions and codes of practice, the Commission’s guidance and the Regulations, remains with the licensee.
As previously stated, senior management within the licensee must be fully engaged in the processes for a casino operator’s assessment of risks for money laundering, terrorist financing and proliferation financing, and must be involved at every level of the decision making to develop the operator’s policies and processes to comply with the Regulations. As part of this, it is imperative that licensees ensure that their risk assessment and policies and procedures are appropriate to their business, implemented effectively, and that they accurately reflect the business and the controls in place.
Operators are also reminded of licence code 1.1.2, which states licensees are responsible for the actions of third parties with whom they contract for the provision of any aspect of the licensee’s business related to the licensed activities.
This bulletin sets out common trends the Gambling Commission has identified during recent compliance and enforcement activity.
Licence condition 12.1.1(3) requires operators to ensure that their policies, procedures and controls for anti-money laundering are implemented effectively and take into account any applicable learning or guidelines published by the Commission. Therefore, this bulletin should be used as a prompt for operators to review their money laundering and terrorist financing (MLTF) risk assessments and related policies, procedures and controls to ensure that they remain appropriate and effective.
The bulletin should be read in conjunction with the Commission’s advice document.
The bulletin consists of the following sections:
We have seen cases where operators have not followed a sufficiently risk-based approach when compiling their money laundering and terrorist financing (MLTF) risk assessments, because they have not considered all relevant risks associated with their operation, including those within the Gambling Commission’s risk assessment and our emerging risks bulletins.
As set out in paragraph 18.1 of our advice document, operators should take a risk-based approach to MLTF. This involves a number of steps:
When preparing MLTF risk assessments, operators should review all areas of the Commission’s risk assessment that are relevant to their licensed activity or activities. They should then review each of the individual risks in that area and consider how these relate to the business. Additionally, licensees should consider the risks shared by the Commission in its emerging risks bulletins.
As discussed in paragraph 18.19 of our advice, licensees also need to consider the other MLTF risks their business is exposed to, including those related to:
As required by licence condition 12.1.1(1), MLTF risk assessments must be reviewed in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.
Version control records can assist with record keeping (step 4 of the risk-based approach) relating to the risk-based approach and can assist operators, including during compliance assessments, in demonstrating they are actively assessing and managing MLTF risk by considering risk information published by the Commission.
We have seen cases where AML and counter-terrorist financing (CTF) policies, procedures and controls do not appear to have regard to the operator’s MLTF risk assessment. This disconnect can mean that risks identified in the risk assessment are not appropriately mitigated by the controls, or that risk assessments are incomplete.
As required by licence condition 12.1.1(2), following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing. As noted in step 2 of the risk-based approach outlined above, this means that once the risk assessment has been completed, it must be used to devise appropriate policies, procedures, and controls to prevent MLTF. As part of this, operators need to ensure that the risks identified in their risk assessment are addressed within their policy documentation.
In practice, there must be a close relationship between the risk assessment and the policies, procedures and controls, and they must not be produced or operate in isolation.
The Gambling Commission has identified cases where customer and transaction monitoring have not taken place in line with the Commission’s advice. We have seen examples where relevant risk factors related to a customer and their transactions have not been identified either at all, or not sufficiently early in the customer’s journey. As a result, appropriate risk-based ‘know your customer’ (KYC) measures have not taken place.
As set out in the Commission’s Proceeds of Crime Act (POCA) advice document in paragraph 18.6, in order to detect customer activity that may be suspicious, it is necessary to monitor all transactions or activity. The monitoring of customer activity should be carried out using a risk-based approach. Higher risk customers should be subjected to a frequency and depth of scrutiny greater than may be appropriate for lower risk customers. Operators should be aware that the level of risk attributed to customers may not correspond to their commercial value to the business.
As set out in paragraph 18.7 of the POCA advice document, where a customer is assessed as presenting a higher risk, additional information in respect of that customer should be collected. This will help the operator judge whether the higher risk that the customer is perceived to present is likely to materialise and provide grounds for proportionate and recorded decisions.
Licence conditions 12.1.1(2) and 12.1.1(3) set out the requirement that AML policies, procedures and controls must be appropriate, have regard to the operator’s risk assessment, be implemented effectively, and be kept under review. In line with this requirement, customer and transaction monitoring must be informed by the operator’s risk assessment, and follow a risk-based approach.
We have seen cases where licensees have only begun customer and transaction monitoring, and associated 'know your customer' (KYC) procedures, when a financial threshold has been reached, despite other, non-spend related risk factors being clearly present from the start of the customer’s journey.
Additionally, some of the financial thresholds we have reviewed were set at an inappropriately high level for the risks present within the licensee’s business model and customer base.
In some of the examples we have seen, there has been an over-reliance on financial thresholds to the detriment of other risk factors, and thresholds set at an inappropriately high level. This has allowed customers with significant risk factors to use the gambling business without appropriate risk-based KYC taking place, or only taking place once the customer had deposited and withdrawn large sums of money.
Licence condition 12.1.1(2) requires that licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing. As set out above, this includes monitoring all transactions or activity, considering where customers trigger factors within an operator’s risk assessment (not only spend risk factors, but all relevant ones), and commencing risk-based KYC measures. For higher risk customers this information should include an understanding of where the customer’s funds and wealth have come from.
Financial threshold controls can be a useful tool in combatting money laundering and terrorist financing (MLTF); however, they must not be relied upon in isolation and must be set at a level that is appropriate based on the individual licensee’s MLTF risk assessment, business model and customer base.
We have seen cases where documentation and information has not been appropriately scrutinised, and risk indicators present within the documentation have not been identified by the operator, or appropriately acted upon.
In some examples, this included bank statements with significant third-party deposits evident and/or outgoings higher than income. We have also seen examples where, although the documentation contained indicators suggesting the document was false or fraudulent, appropriately risk-based 'know your customer' (KYC) did not take place.
As discussed in April 2025’s emerging risks bulletin, where documents are received from a customer, operators need to ensure that these documents are appropriately scrutinised and that staff have been trained to identify relevant risk factors. Where a customer is assessed as presenting a higher risk, additional information in respect of that customer should be collected.
We have seen cases where Personal Management Licence (PML) holders have not had sufficient oversight of AML controls and have not taken appropriate steps to ensure compliance is achieved in order to uphold the licensing objectives.
This has included cases where risk assessments and policy documentation have not been kept under review and the effectiveness of their implementation has not been appropriately considered (as per licence condition 12.1.1(3)).
As set out in paragraph 18.11 of our advice, a risk-based approach requires the full commitment and support of senior management.
As a condition of their licence, PML holders are required to:
Where serious AML failings are identified, PML holders may undergo a review of their licence under section 116 of the Gambling Act 2005, which can result in the suspension or revocation of their licence, or the imposition of a financial penalty. More information regarding licence reviews can be found in the Commission’s Licensing, compliance and enforcement under the Gambling Act 2005: policy statement June 2022.
We have seen several cases recently where employees of gambling operators have been inadequately trained on AML and counter-terrorist financing (CTF) matters. Issues have included:
One of the most important controls for the detection and prevention of money laundering is for an operator to ensure that its employees are alert to the risks of money laundering and well trained in identifying unusual activities or transactions which appear to be suspicious.
As discussed in paragraphs 13.1 and 13.2 and section 23 of the Gambling Commission’s advice document, employees face criminal penalties under the Proceeds of Crime Act (POCA) if they are involved in money laundering unless they make a report of known or suspected money laundering activity. It is important, therefore, that employees are made aware of their legal obligations and how to correctly discharge them. Operators should also take reasonable steps to ensure that employees are aware of the money laundering risks faced by the operator, the operator’s procedures for managing those risks, the identity and responsibilities of the person responsible for making reports to the National Crime Agency (NCA), and the potential effect of a breach of POCA on the operator and its employees.
We have seen instances of gambling operators failing to undertake sufficient due diligence measures in relation to their third-party business relationships, including where licensees have received third-party investments or entered into white-label partnerships.
Operators need to ensure that they have appropriately risk assessed their dealings with third parties, including white-label partners and any entities providing loans and/or investments. These risks have both been noted as high risk in the Gambling Commission’s 2023 risk assessment. Please also see our Emerging Risks Bulletin of April 2025, which discusses this risk.
The Commission expects operators to obtain the necessary assurances regarding white-label partnerships by conducting adequate due diligence on the third party to ensure (amongst other things) that they are competent and reliable. Operators are also reminded of social responsibility code provision (SRCP) 1.1.2, responsibility for third parties, which sets out that licensees are responsible for the actions of third parties with whom they contract for the provision of any aspect of the licensee’s business related to the licensed activities.
As referenced in the emerging risks bulletin, licensees should consider risks to the licensing objectives in their due diligence checks on white-label partners. This should include giving consideration to any activity the third-party is involved in outside of Great Britain (GB) that the Commission considers medium or high risk as defined in our money laundering and terrorist financing (MLTF) risk assessment, as well as activity that is illegal in either GB or the territory in which it is conducted.
The assessment of risks should also include consideration of the risks posed to the operator by the jurisdictional location of their third-party, transactions and arrangements with business associates, and third-party suppliers such as payment providers and processors, including their beneficial ownership and source of funds. Effective management of third-party relationships should assure operators that the relationship is a legitimate one, and that they can evidence why their confidence is justified (see paragraphs 1.3 and 18.12 of our advice document).
When accepting loans into their business, licensees are reminded of licence condition 15.2.1(3) and the licensing objective to prevent gambling from being a source of crime or disorder, being associated with crime and disorder or being used to support crime. The Commission is able to request additional information about any loans or other money entering the business, as per our Licensing, Compliance and Enforcement statement.
We have identified cases where licensees are either not recording, or inadequately recording, their rationale and decision making on AML matters. We have seen examples of inadequate record keeping in relation to risk reviews undertaken by the operator on particular customers, including where the outcome of the review was not recorded.
We have also seen cases where the process undertaken to assess money laundering and terrorist financing (MLTF) risk has been inadequately recorded, and cases where records have not been kept in relation to staff training on AML.
As noted on our website, during compliance assessments, the Gambling Commission operates on the basis of ‘show me, don’t tell me’. This means that we want operators to demonstrate how their business is compliant. Keeping accurate and up-to-date records in relation to AML decision making across the operation will greatly assist operators in demonstrating their compliance, and a failure to keep accurate records will impact compliance outcomes. These records need to be made at the time of the decision; adding them retrospectively is not sufficient.
Operators are expected to adopt a risk-based approach, where MLTF risks are assessed and managed in a way that is proportionate. As part of this approach, operators are expected to record what has been done and why, for example.
As set out in paragraph 19.5 of the Proceeds of Crime Act (POCA) advice, customer relationships need to be managed proficiently and records should be maintained as to what information was communicated to the customer, why it was communicated and what considerations were made.
For more information in relation to record keeping, see the Duties under POCA.
We have seen an increase in the use of artificial intelligence (AI), algorithms and behavioural models for AML purposes. Typically, these technologies seek to identify red flags for money laundering and terrorist financing (MLTF) within a customer’s profile and/or behaviour. Many then go on to give an aggregated score which can be used to generate (or contribute to) a customer’s risk rating.
These controls can be a useful tool in combatting MLTF; however, we have identified that some operators do not fully understand how their algorithms work as an AML control and have not ensured that they have been implemented effectively (as per licence condition 12.1.1(3)).
When implementing AML controls, operators need to ensure that their controls address the risks identified in their MLTF risk assessment, and that such controls are appropriate to the business and implemented effectively.
During compliance assessments, we will typically ask for information about the algorithm’s methodology to assist us in assessing whether the control is appropriate and implemented effectively, particularly in addressing the risks identified in the operator’s risk assessment.
We will examine what is scored, how this is weighted and why, what the thresholds for different risk levels are, how escalations are triggered, and how the operator ensures the effectiveness of the algorithm. Where the control in place is a predictive model, we will seek to understand what the model is trying to predict and how it makes these predictions. During the customer review part of the compliance assessment, we will examine how the algorithm operates in practice in relation to specific customers, and test whether this is appropriate and effective.
We have identified compliance concerns where, due to the configuration of the algorithm, high-risk indicators have not been identified and/or escalated by the automated control in place. Operators must ensure that their suite of AML controls (including any algorithms, other reports and manual processes) are appropriately identifying risks so that risk-based due-diligence can take place.
We have also seen examples where models need a certain level or length of activity before they will score a customer. This can mean that some customers are able to conduct high levels of activity in the early stages of opening an account that is not subject to the controls from the algorithm. Operators need to ensure that the overall controls in place are appropriate at all stages of the customer’s journey.
In some cases, models are designed to predict cases where suspicious activity reports (SARs) may be submitted in the future, and have been programmed using the profiles of customers where SARs have been submitted in the past. However, there have been cases where other risk indicators present in an account (but not seen in the previously submitted SAR cases) have not been identified due to the model’s configuration. Operators must ensure that their overall suite of controls can identify all relevant risk factors (as noted in the operator’s risk assessment) in a customer’s profile and behaviour.
Where an account has been escalated by the algorithm, we have seen cases where the relevant team within the operation has been unable to see why the escalation was generated, and has not been able to address the risks because it is unaware of what has been identified by the model. Operators should ensure that staff responsible for resolving escalations from these models have sufficient information to address the risks identified and can effectively implement AML procedures in line with licence condition 12.1.1.
Recent casework has demonstrated that whilst automated controls can increase efficiency and contribute to an operator’s wider AML framework, properly trained AML staff are still required to identify and manage suspicious activity, as well as effectively safeguard operators from being exposed to significant MLTF risks.
The Gambling Commission has seen examples where third parties, including artificial intelligence (AI) and consultancy firms, have been used to draft operators’ risk assessments, and policy, procedure and control documentation. We have identified cases where incorrect information has been included in the documentation, and where operators were not aware of the content of their own policies, which were then not appropriate to the business or implemented effectively.
Whilst the Commission recognises that some licensees seek third-party support, the responsibility for complying with the licence conditions and codes of practice and the Commission’s advice remains with the licensee.
As previously stated, senior management within the licensee must be fully engaged with the operator’s risk-based approach to AML. As part of this, it is imperative that licensees ensure that their risk assessment and policies and procedures are appropriate to their business, implemented effectively, and that they accurately reflect the business and the controls in place.
Operators are also reminded of Licence code 1.1.2, which states that licensees are responsible for the actions of third parties with whom they contract for the provision of any aspect of the licensee’s business related to the licensed activities.