This box is not visible in the printed version.
As part of your Anti-Money Laundering commitments, you will need to make sure that you are aware of any emerging risks.
Published: 28 June 2021
Last updated: 8 April 2025
This version was printed or saved on: 30 April 2025
Online version: https://www.gamblingcommission.gov.uk/licensees-and-businesses/guide/emerging-anti-money-laundering-risks
Overview: As part of your commitment to ensuring compliance with anti-money laundering and counter-terrorist financing legislation, you will need to ensure that you keep up to date with any emerging risks that the Commission publishes (as required under Licence Condition 12.1.1(3) of the Licence Conditions and Codes of Practice LCCP).
Licence Condition 12.1.1(3) of the Licence Conditions and Codes of Practice (LCCP), requires operators to keep up-to-date with emerging risks information published by the Gambling Commission.
This emerging risks publication is a trigger for operators to review their money laundering and terrorist financing risk assessments and related policies, procedures and controls to ensure that they remain appropriate and effective.
Some remote and non-remote casinos offer money service business (MSB) facilities, which include:
We are aware of casino customers attempting to deposit large denomination notes of foreign currencies (including €500 notes) into casinos. As noted in HMRC’s document Understanding risks and taking action for money service businesses - GOV.UK (opens in new tab), the sale of high value notes, in any currency, entails a significant money laundering risk and any request to buy or sell €500 notes or quantities of other high denomination notes should be treated as high risk. The UK national risk assessment of money laundering and terrorist financing (opens in new tab) also states that criminals have been known to use currency exchange services to convert criminal cash into high denomination foreign currency notes.
The Commission surveyed the MSB activity offered by casinos and we noted a reduction in the number of casinos offering MSB activity, as well as a reduction in the number and value of MSB transactions. However, numerous high-value transactions are still completed via MSB facilities in casinos, and MSB activity within casinos is still rated as high risk in our risk assessment.
As noted in our risk assessment, other risks linked to MSB activity include:
To ensure that they meet the requirements of the money laundering regulations and the conditions of their licence, casino operators must conduct an appropriate money laundering and terrorist financing risk assessment. Where MSB activity is offered, risk assessments must include an assessment of the money laundering and terrorist financing risks associated with the MSB activity offered. Following this risk assessment, operators must implement appropriate controls to prevent money laundering and terrorist financing and must review these regularly to ensure they remain effective.
Where foreign currency exchange services are offered, operators must have appropriate controls to address the risks associated with large denomination notes.
Due to the risks associated with MSB activity, it is our expectation that customers using MSB facilities offered by casinos are treated as high risk, and are subject to appropriate enhanced customer due diligence measures. More information about enhanced customer due diligence can be found in our guidance The prevention of money laundering and combating the financing of terrorism.
Operators offering MSB facilities must also review and consider HMRC’s MSB guidance (opens in new tab).
The Commission is aware of an increase in the scale and sophistication of attempts to bypass customer due diligence checks using false documentation, deepfake videos and face swaps generated by artificial intelligence. As noted by the National Crime Agency (NCA) in issue 30 of their SARs in Action publication (opens in new tab)(PDF), accounts successfully created using AI are more likely to be used for criminality, such as money laundering or terrorist financing.
Operators must consider all information they hold on a customer and, where documents are received from a customer, must ensure that these documents are appropriately scrutinised. Operators need to ensure their staff are appropriately trained to assess customer documentation, including how to identify false and AI generated documents.
Our guidance (opens in new tab)(PDF) contains more information about what operators must do when a customer is found to have submitted false documentation.
When submitting a SAR in relation to AI generated documents, the NCA has requested that the reference 0752-NECC is included in the relevant field. Please see SARs in Action Issue 30 (opens in new tab)(PDF) for more information.
The Commission has been made aware of consumers being targeted by companies who offer money in exchange for personal details to open multiple gambling accounts in the customer’s name. Consumers are directed to upload their documentation which is then used by the third-party to open large numbers of gambling accounts. Customers are promised a financial reward in exchange for their personal details and documents, but there are reports of customers not receiving the money promised to them. Customers are also told that the documents will be treated securely, however, there is a concern that the documents may be used for other purposes or sold on.
There is a risk that those gaining access to other people’s information and using it to gamble may be acting as unlicensed betting intermediaries. We are also concerned about the risk of illicit mule account activity with accounts opened in this way.
We urge operators to proactively review their processes for ID verification on a regular basis to ensure they remain effective. Operators must take immediate action when any gaps are identified or when learnings suggest improvements are required to tighten processes.
Licensees are required to have robust customer due diligence and onboarding checks in place. Licensees are also required to consider whether checks on ID documents are sufficient to identify false, stolen or ‘mule’ (third party) IDs. Licence Condition 17.1.1.(1) and (4) of the LCCP states that:
‘Licensees must obtain and verify information in order to establish the identity of a customer before that customer is permitted to gamble. Information must include, but is not restricted to, the customer’s name, address and date of birth.'
‘Licensees must take reasonable steps to ensure that the information they hold on a customer’s identity remains accurate.'
We are aware of gambling operators failing to conduct sufficient due diligence measures in relation to their third-party business relationships, including white-label partnerships and monies coming into the business in the form of loans or other investments.
White-label partnerships and business investments have both been noted as high risk within the Commission’s latest risk assessment.
Operators must ensure that they have appropriately risk assessed their dealings with third-parties, including white-label partners and any entities providing loans and/or investments.
The assessment of these risks should include consideration of the risks posed to the operator by the jurisdictional location of their third-party, transactions and arrangements with business associates, and third-party suppliers such as payment providers and processors, including their beneficial ownership and source of funds. Effective management of third-party relationships should assure operators that the relationship is a legitimate one, and that they can evidence why their confidence is justified.
Licensees should also consider risks to the licensing objectives in their due diligence on white-label partners. This would include giving consideration to any activity the third-party is involved in outside of GB that the Commission considers medium or high risk as defined by our ML/TF risk assessment, as well as activity that is illegal in either GB or the territory in which it is conducted.
When accepting loans into their business, licensees are reminded of licence condition 15.2.1(3) LCCP Condition 15.2.1 - Reporting key events and the licensing objective to prevent gambling from being a source of crime or disorder, being associated with crime and disorder or being used to support crime. We are also able to request additional information about any loans or other money coming into the business, as per our Licensing, Compliance and Enforcement statement.
Statement of principles for licensing and regulation
In our latest risk assessment of the gambling industry, we noted that a ‘lack of closed loop’ payment systems is high risk. The Commission is aware of some operators (particularly non-remote betting operators) still operating open-loop payment processes.
Open-loop payment systems are a known money laundering risk as they allow the transfer of funds from one payment method to another, which can be used to disguise the origin and/or destination of funds. There is also a risk that criminals use open-loop systems to gamble with fraudulent or stolen cards.
Closed-loop systems are considered best practice and mean operators process customer withdrawals and winnings to the same payment method that was used for the deposit. Where operators do not have a closed-loop system in place, there is a significant risk of criminals being able to use the business to launder money. Therefore, it is strongly recommended that gambling operators operate a closed-loop payment system.
Where operators continue to operate an open-loop payment system, they must include this risk within their money laundering and terrorist financing risk assessment and implement appropriate and effective controls to prevent money laundering and terrorist financing.
We are aware of casino games that have been developed by software operators licensed by the Commission becoming available on unlicensed websites and accessible to British consumers illegally.
Operators conducting business (either directly, or indirectly through third-party resellers) with websites that are operating illegally are at risk of accepting funds derived from criminal activity.
Operators who only have a gambling software licence must consider their obligations to uphold the licensing objectives, including preventing gambling from being a source of crime or disorder, being associated with crime and disorder or being used to support crime. Operators with casino host licences are additionally required to comply with licence condition 12.1.1. (including the requirement to conduct a risk assessment of the business being used for money laundering and terrorist financing, and implement appropriate controls), as well as the Money Laundering Regulations and the Commission’s guidance for casino operators (opens in new tab) (PDF).
The Commission advises operators to actively monitor their business relationships to ensure that partners are not offering illegal gambling facilities to the GB market. Where such non-compliance is identified, operators must terminate these relationships immediately. It is crucial that licensees also engage proactively with the Commission when such activity is detected, providing details of the preventative measures taken to ensure the activity ceases without delay. Actively notifying the Commission and presenting a clear and prompt plan to mitigate the issue is a minimum requirement: Industry warning notice: licensed software appearing on illegal market.
We are aware of an increasing interest in cryptoassets (also known as crypto currencies) within the licensed gambling industry.
As noted by HM Treasury, cryptoassets present several vulnerabilities from a money laundering and terrorist financing perspective. For further detail please see: HM Treasury National risk assessment of money laundering and terrorist financing 2020 (opens in new tab) (PDF) chapter 8. The Commission rates cryptoassets as a high-risk payment method: The 2023 money laundering and terrorist financing risks within the British gambling industry.
We are also aware of a large theft of cryptoassets from the ByBit exchange which took place in February 2025. The group alleged to be responsible for the theft are suspected to use complex online money laundering systems which, in the past, have been thought to include remote gambling operators around the world.
We remind operators that the use and/or acceptance of cryptoassets presents challenges. As cryptoassets potentially become more prevalent, we expect that more payment providers will offer crypto payment facilities. Operators need to have a full understanding of the services provided by their payment providers.
The Commission is reiterating the importance of operators’ responsibilities under Licence Condition 12.1.1 (1), which requires licensees to conduct an assessment of the risks their businesses face from money laundering and terrorist financing upon the introduction of new products or technology or new methods of customer payment.
Operators are also required to submit a Key Event to the Commission under Licence Condition 15.2.1(8) wherever there are changes in payment methods.
When customers indicate their funds to gamble have come from cryptoasset trading or other means linked to cryptocurrencies, it is the Commission’s expectation that this feeds into a customer’s risk profile as a high-risk indicator with sufficient due diligence then completed. Additionally, operators are encouraged to be mindful of the recent theft of cryptoassets (as discussed above) and consider their vulnerabilities and controls in this area.
Further detail about our position on cryptoassets can be found here: Blockchain technology and crypto-assets.
We are aware of several types of terminals used to facilitate customer deposits into non-remote casinos, and we have seen cases where funds received via this method are not scrutinised as closely as deposits via other methods.
Operators must assess the risks of their businesses being used for money laundering and terrorist financing. This risk assessment must include considerations of the different types of payment methods accepted by the business, including any payment terminals within the casino. Following this risk assessment, operators must implement effective policies, procedures and controls to prevent money laundering and terrorist financing. In the case of payment terminals in the casino, operators must ensure they are appropriately scrutinising funds received via this method, and not relying on the third-party terminal provider and/or payment processor to conduct checks on the funds being transferred.
We are aware that some terminal providers provide the receiving casino with the details of the bank account where the money has been sent from. Operators should consider whether the account belongs to the customer, and whether it matches with other information known about the customer, including other bank accounts they have used.
When money is received via terminals within the casinos, operators must consider how the use of this payment method feeds into the rest of the customer’s risk profile and complete an appropriate level of customer due diligence, including enhanced customer due diligence for high-risk customers.
Some non-remote casinos have experienced changes in the demographics of their customer base, which has not been reflected in their risk assessment or policies, procedures and controls.
Prior to 2020, high-end non-remote casinos had many international ultra-high-net-worth individuals as customers. During the pandemic, casino premises in Great Britain (GB) were closed, and many of the customers who previously came to GB to gamble in high-end casinos shifted their preference to other global gambling centres. This shift in behaviour was also thought to be consolidated by changes to VAT regulations in the UK.
It is believed that this caused some non-remote casinos to change their entry and membership criteria to attract a wider range of customers from within GB. However, we have seen cases where operators have not updated their risk assessment and policies to account for the changed customer base, which has meant the procedures in operation are insufficient in mitigating the risks present within the business.
As per licence condition 12.1.1, operators must ensure their money laundering and terrorist financing risk assessments are appropriate and reviewed in light of any changes of circumstances, including changes in the customer demographic. They must then have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.
The Commission is aware of some adult gaming centre (AGC) premise licence holders converting to bingo premises, and there is a concern that when preparing their money laundering and terrorist financing risk assessment, and reviewing the Commission’s risk assessment (as per licence condition 12.1.1(1) and (3)), operators may not consider all relevant risks if they only consult the bingo section, and not the AGC section, of the Commission’s risk assessment.
The Commission intends to update its risk assessment to reflect this industry trend, but in the meantime, we urge bingo licensees who operate AGC-style premises to consider all relevant money laundering and terrorist financing risks to the premise, including those noted in the bingo and arcade sections of the Commission’s risk assessment.
Further information can be found in our advice document (opens in new tab) (PDF).
Licence condition 12.1.1: LCCP Condition 12.1.1 Anti-money laundering - Prevention of money laundering and terrorist financing.
Crash games have been offered within crypto casinos (which are not licenced by the Commission and are illegal if accessible via GB) for a number of years.
Crash games may have differing graphics and premises, but typically the mechanics of the games mean that, once the initial bet is made, the round begins with a starting multiplier, which grows as the game progresses. Customers have the option to cash out at any point, but if the game crashes before a customer has cashed out, they will lose the money from the multiplier as well as their stake. Rounds can last anywhere from a few seconds to a couple of minutes before either the game crashes or the customer cashes out. Crash games are highly volatile and can lead to significant losses for players.
We have been made aware of an increased interest in crash games within the legal, licensed casino sector, so we are drawing operators’ attention to the risks of this game type.
There are concerns that products of this nature can allow criminals to camouflage the high-risk behaviour of cashing out quickly with limited gameplay within the context of the crash game (where these behaviours are inherently more common), and that transactional monitoring controls may not be effective in detecting suspicious activity.
When introducing any new products (including crash games) operators must assess the risks of that product being used to launder money. Operators must then ensure they have appropriate procedures and controls in place to prevent money laundering. In this case, this would include controls to identify and prevent suspicious wagering patterns, and processes to feed the use of crash games into a customer’s overall risk profile and commence appropriate due diligence. Where operators know or suspect money laundering has occurred, they must submit a suspicious activity report (SAR).
More information about appropriate policies, procedures and controls can be found in our guidance document (opens in new tab) (PDF).
Application registration cards (ARCs) are issued by the Home Office to individuals who claim asylum. ARCs contain information about the holder but are not evidence of identity and must not be accepted as a form of identity documentation.
Those presenting ARCs when attempting to open a gambling account, or access gambling premises, may also be at a higher risk of exploitation and mule account activity.
Operators are reminded that they must have appropriate policies, procedures and controls in place to ensure the requirements for customer identification and verification are met. This includes detailing acceptable forms of identification documentation in line with the Commission’s guidance and the government guidance (see links below). An ARC is not an acceptable form of identification.
Operators then need to train their staff members and implement measures to ensure that policies and procedures in relation to customer identification and verification are followed.
If an operator believes that someone is being exploited, they can report it to the Modern Slavery and Exploitation Helpline on 08000 121 700 or via the online form but, if they think someone is in immediate danger, they should contact the police.
For more information please see:
In February 2025, FATF updated its list of high-risk jurisdictions (sometimes known as the FATF "black list") and the list of jurisdictions subject to increased monitoring (sometimes known as the FATF "grey list").
More information can be found on the FATF's website about:
Operators need to review the lists above and ensure they have effective policies, procedures and controls in place to identify customers and relationships with links to high-risk jurisdictions, including those subject to calls for action and subject to enhanced monitoring.
Operators are reminded to conduct robust enhanced customer due diligence checks in relation to any customer relationships which are associated with high-risk jurisdictions, including those subject to enhanced monitoring by FATF in order to mitigate the risk of money laundering and terrorist financing, including proliferation financing.
More information about managing geographical risk can be found in our guidance: Anti-money laundering responsibilities for casino businesses.
There are an increasing number of instances of multiple stolen debit cards being used to fund online gambling activities. This, along with virtual debit card products that allow multiple virtual debit cards to be linked to one bank account, pose a significant money laundering and terrorist financing risk. Some ‘red flag’ indicators that operators should be mindful of include (but are not limited to) instances where:
Licensees are required to have robust customer due diligence and onboarding checks in place. This includes (see Licence Condition 12 of the LCCP ) reviewing their money laundering and terrorist financing risk assessment as necessary in the light of any changes of circumstances, including the introduction of new products or technology or new methods of payment by customers. Licensees are also required to consider whether checks on ID documents are sufficient to identify false, stolen or ‘mule’ (third party) IDs. Licence Condition 17.1.1.(1) and (4) of the states that:
‘Licensees must obtain and verify information in order to establish the identity of a customer before that customer is permitted to gamble. Information must include, but is not restricted to, the customer’s name, address and date of birth.'
‘Licensees must must take reasonable steps to ensure that the information they hold on a customer’s identity remains accurate.’
Some functions, roles or responsibilities may give individuals access to third party funds (either funds belonging to other people or to businesses). These may include access to:
Those customers who have access to third party funds should be considered to present higher inherent risk.
This should be considered when risk profiling customers at the start of the customer relationship, i.e. when a customer first opens a gambling account, and before any deposits are made. However, in order to sufficiently identify these risks, customer monitoring should be an ongoing process.
The Democratic Republic of the Congo, Mozambique and Tanzania have been added to the list of jurisdictions that are under an increased level of monitoring by the Financial Action Task Force (FATF). Such jurisdictions are placed on the FATF’s ‘grey list' due to strategic deficiencies in their regimes to counter money laundering, terrorist financing and proliferation financing. The current list of jurisdictions is as follows (as of October 2023): Jurisdictions under Increased Monitoring - 27 October 2023 (opens in new tab)
Operators are reminded to conduct robust customer due diligence checks in relation to any customer relationships which are associated with the above jurisdictions in order to mitigate the risk of money laundering and terrorist financing, including proliferation financing.
The Commission is aware of cases of operators not sufficiently considering the risks associated with customer funds where the funds have originated from crypto-assets.
Operators are reminded that crypto-assets are considered high risk by the Commission and licensees are expected to appropriately scrutinise transactions throughout the course of customer and business relationships.
Ineffective source of fund (SOF) checks and enhanced customer due diligence (ECDD) or ‘know your customer’ (KYC) triggers – there continues to be numerous instances of customers being able to deposit large amounts of money due to insufficient measures and checks in place (such as a SOF checks). Ineffective ECDD or KYC triggers are allowing customers to deposit large sums of money before the first AML review is undertaken against a customer.
Failure to critically review SOF documents – operators have been identified as failing to critically review SOF documentation and relying on electronic checks (including relying solely on open-source information such as Companies House information for example to verify SOF information). Other issues include operators failing to provide sufficient guidance to staff on how to review and verify SOF information and what supporting documents should be requested in this regard.
In order to mitigate the risks in this area, the Commission recommends:
a) Operators setting realistic and effective monetary and non-monetary thresholds/triggers for determining when customer interaction should take place.
b) Carrying out such interactions earlier on in the customer relationship.
c) Ongoing customer monitoring (including monitoring all transactions or activity). The monitoring of customer activity should be carried out using a risk-based approach. Higher risk customers should be subjected to a frequency and depth of scrutiny greater than may be appropriate for lower risk customers.
d) Considering geographical, customer, transactional and product risk in all customer relationships.
See the Commission’s the Prevention of money laundering and combating the financing of terrorism and the Duties and responsibilities under the Proceeds of Crime Act 2002 publication for further information on the above.
It is important to note that the above recommendations are not an exhaustive list of actions that should be undertaken, and operators are reminded that a risk-based approach is required in order to mitigate the risk of money laundering and terrorist financing.
24 June 2022
Our latest emerging risks update looks at the money laundering risks associated with operators failing to comply with data protection requests, under the Data Protection Act 2018 (DPA) (opens in new tab), from law enforcement, the addition of Gibraltar to the Financial Action Task Force’s (FATF) ‘grey list’ and common operator failings, including other general risk areas.
The Commission has come across instances of operators failing to comply with DPA requests from law enforcement. This includes instances where customer accounts have been closed by operators following a DPA request from the police.
Operators are reminded that such actions can significantly hinder any police investigations and can lead to a potential breach of sections 342 and 333A of the Proceeds of Crime Act 2002 (opens in new tab) under the offences of ‘prejudicing an investigation’ and ‘tipping off’.
Such a breach is a criminal offence with a maximum imprisonment term of 5 years for the ‘prejudicing an investigation’ offence and a maximum imprisonment term of 2 years for the ‘tipping off’ offence.
Operators must carefully consider their actions upon receipt of a DPA request from law enforcement, consider the consequences of their actions and liaise with the law enforcement agency.
Further information can be found in Paragraphs 8.87 to 8.89 of the Gambling Commission’s prevention of money laundering and combating the financing of terrorism guidance.
Gibraltar has been added to the list of jurisdictions that are under an increased level of monitoring by the Financial Action Task Force (FATF). Such jurisdictions are placed on the FATF’s ‘grey list' due to strategic deficiencies in their regimes to counter money laundering, terrorist financing and proliferation financing. The current list of jurisdictions is as follows:
Malta has been removed from the FATF's 'grey list'.
Operators are reminded to conduct robust due diligence checks in any business and customer relationships which are associated to the above jurisdictions in order to mitigate the risk of money laundering and terrorist financing, including proliferation financing.
Ongoing regulatory action against operators has shown the following failings, which carry significant money laundering risks. These include failures to:
Further information on regulatory action the Commission has undertaken can be found on our public statements page.
The Commission is also reminding operators of ongoing, significant risks that they should be vigilant against. This includes risks associated with money services businesses, the acceptance of e-wallet payments from customers and the risk of ‘mule accounts’.
For further information on these risk areas and how to mitigate the chance of such risks from occurring, please refer to our money laundering and terrorist financing risks assessment of the gambling industry.
10 February 2022
Our latest emerging risks update covers the risks associated with having inadequate money laundering and terrorist financing risk assessments in place (including policies, procedures and controls), insufficient due diligence checks on third party providers and or business relationships, along with the use of Scottish notes and pre-paid cards by customers.
The Gambling Commission expects to see significant improvements by licensees around their money laundering and terrorist financing controls.
Licensees should:
be aware of the mandatory requirement under Licence Condition 12.1.1 of the Licence Conditions and Codes of Practice (LCCP) which stipulates that gambling businesses must conduct an assessment of the risks of their business being used for money laundering and terrorist financing and have appropriate policies , procedures and controls in place to mitigate the risk of money laundering and terrorist financing
be aware of the Commission’s guidance for casinos and other gambling businesses to assist with compliance, which sets out how to approach implementing a risk-based approach into your gambling business.
There are too many instances being identified where licensees are failing to meet the requirements of the The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (opens in new tab)1 and the LCCP. We would urge all licensees to review their current controls to ensure that they are fully compliant with Licence condition 12.1.1.
To assist licensees, we have published the Raising Standards for consumers - Compliance and Enforcement Report 2020 to 2021. The Report highlights failings we have identified and includes some examples of good practice to consider.
We will take regulatory action (which can include suspension and revocation of licences) where we identify significant failings by licensees. Further information about the action we have taken can be found on the Commission’s regulatory actions page.
1 applicable to casinos only
The Commission has become aware of instances of gambling operators failing to conduct sufficient due diligence measures in their third-party business relationships (including where licensees have received third party investment or entered into white label partnerships).
White label partnerships have been noted as high risk specifically for anti-money laundering failures in the Commission’s current money laundering and terrorist financing risk assessment of Britain's gambling industry.
Gambling operators are required to take account of such publications under Licence Condition 12.1.1(3) of the LCCP. Further information on white label partnerships can be found in the Commission’s publication 'Reminder to licensees regarding white label gambling websites’.
The Commission’s guidance for both casino and other gambling operators notes the following:
‘Operators should also give due consideration to the money laundering risks posed by their business-to-business relationships, including any third parties they contract with. The assessment of these risks are based, among other things, on the risks posed to the operator by the jurisdictional location of their third-party and any relevant domestic anti-money laundering legislation they must comply with, transactions and arrangements with business associates and third-party suppliers such as payment providers and processors, including their beneficial ownership and source of funds. Effective management of third-party relationships should assure operators that the relationship is a legitimate one, and that they can evidence why their confidence is justified’.
In one case study a gambling operator failed to conduct sufficient checks on the source of funds from an investment that had originated from cryptoassets (which was then converted to Sterling when it was invested into the gambling business). This case study highlights failings with the licensed business, including: failure to establish the source of funds for the originating cryptoassets; transactional risks of asset exchange and jurisdictional risks due to the sources of funds originating from a high risk jurisdiction.
There have been repeated examples of gambling operators failing to consider jurisdictional risk in relation to these business relationships. The Commission’s guidance for both casino and other gambling operators highlights the importance of considering jurisdictional risk. These risks are heightened where gambling operators are conducting business or customer relationships with sanctioned jurisdictions as this is a breach of the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) (opens in new tab) (for example) and international law. Further information can be found on the GOV.UK (opens in new tab) website.
Please see the April and July 2020 e-bulletins for more information on the risks associated with cryptoasset payments and the importance of operators conducting robust due diligence measures in their third-party business relationships.
By failing to consider the risks associated with such relationships, operators run the risk of breaching the following:
Licence Condition 12.1.1(1) of the LCCP which requires that operators ‘must conduct an assessment of the risks of their business being used for money laundering and terrorist financing’
Licence Condition 12.1.1(3) which requires that operators ‘take into account any applicable learning or guidelines published by the Gambling Commission from time to time’
Part 7 of the Proceeds of Crime Act 2002 (opens in new tab) and Part 3 of the Terrorism Act 2000 (opens in new tab) which requires that a suspicious activity report (SAR) must be submitted to the UK Financial Intelligence Unit wherever there is knowledge or suspicion of money laundering or terrorist financing. Please refer to the May 2021 e-bulletin below which provides advice on how to submit quality SARs.
The significant, potential money laundering risks associated with the use of Scottish notes and pre-paid cards have been highlighted separately in the Commission’s current money laundering and terrorist financing risk assessment of Britain's gambling industry. However, there is now also an increased risk of Scottish notes being used to top up pre-paid cards.
Operators should remain curious as to the source of customer funds and conduct ongoing customer monitoring to ensure that customer spending levels align with your knowledge of their affordability to gamble. The Commission’s Raising Standards for consumers - Compliance and Enforcement report 2019 to 2020 shows the ‘good practice’ techniques gambling operators should be conducting in order to ensure compliance with their legal responsibilities.
28 May 2021
Our latest emerging risks bulletin looks at innovations in cryptoassets, the quality of suspicious activity report (SAR) submissions, insufficient due diligence checks, the threat of organised crime and the latest podcast from the UK’s Financial Intelligence Unit.
The Commission is reiterating the importance of operators’ responsibilities under Licence Condition 12.1.1 (1) of The LCCP which requires licensees to conduct an assessment of the risks their businesses face from money laundering and terrorist financing upon the introduction of new products or technology or new methods of customer payment.
The cryptoasset market is constantly evolving due to increasing popularity and product innovations e.g., ‘non-fungible tokens’†. Licence Condition 12.1.1.(3) requires operators to take account of any applicable learning or guidelines published by the Commission on this subject. Cryptoasset payments have been rated high risk in our current publication of the money laundering and terrorist financing risks within Great Britain’s gambling industry (2020 version). Operators are also required to submit a Key Event to the Commission under Licence Condition 15.2.1(8) wherever there are changes in payment methods.
The UK's Crown Prosecution Service (CPS) (opens in new tab) expects to see an increase in the number of Bitcoin and cryptoasset related scams in the coming years and the Commission encourages operators to remain vigilant to such changes and update their money laundering and terrorist financing risk assessments accordingly.
Also, to assist with implementing a risk-based approach, the Financial Action Task Force (FATF), the inter-governmental watchdog that establishes standards for anti-money laundering and know-your-customer requirements, has published both new standards for implementation of a risk-based approach (opens in new tab) and new draft guidance (PDF) (opens in new tab) for decentralised platforms. Operators must familiarise themselves with FATF’s guidance to help combat money laundering and terrorist financing and implement such learning into their business.
The National Crime Agency (NCA) has published guidance (opens in new tab) providing information on submitting quality SARs. The guidance acts as a useful checklist for what information should be included in a SAR to ensure the maximum impact from the information provided. During the coronavirus (COVID-19) pandemic, the NCA has seen an increase in SAR submissions and it is vital that operators submit a SAR to the United Kingdom’s Financial Intelligence Unit (UKFIU) whenever there is knowledge or suspicion of money laundering or terrorist financing (as required under The Proceeds of Crime Act 2002 (opens in new tab) (‘POCA’) and The Terrorism Act 2000 (opens in new tab) (‘TACT’)). Failure to do so can result in committing a criminal offence.
Furthermore, operators are also reminded of the need to submit quality SARs as this will aid the UKFIU if further investigations need to be carried out i.e., with other law enforcement agencies. Operators are also reminded that failure to submit a Defence Against Money Laundering (DAML) SAR to the UKFIU (when needing to commit a prohibited act) could be a criminal offence under PoCA and TACT. Examples of prohibited acts include:
Operators are also reminded that a corresponding SAR Key Event which includes the SAR’s unique reference number (URN) must also be submitted under Licence Condition 15 of The LCCP.
The Commission has come across various examples of operators failing to sufficiently scrutinise the source of customer funds. It is becoming increasingly important for operators to carry out sufficient due diligence checks as the threat of serious and organised crime increases globally. Failure to conduct sufficient due diligence checks becomes even more problematic (for example) as:
The UK government has added Pakistan to the list of undesirable 21 high-risk countries with unsatisfactory money laundering and terrorist financing controls. This list of 21 countries replicates the list of countries named by FATF as high-risk or under increased monitoring.
The full list of high-risk third countries under Schedule 3ZA of The Money Laundering and Terrorist Financing (Amendment) (High-Risk Countries) Regulations 2021 (opens in new tab) (‘MLTFR 2021’) includes (in order):
According to the UK government, the nations in this category pose a threat because of weak tax controls and lack of check and balance on terrorism financing and money laundering.
The MLTFR 2021 came into force on March 26th, 2021 after the definition of a high-risk third country identified in a new Schedule 3ZA and updates The Money Laundering Regulations 2017.
All operators are required to take a risk-based approach in order to mitigate the risk of money laundering and terrorist financing. Both our casino guidance and guidance for non-casino operators makes clear that, ‘higher risk customers should be subjected to a frequency and depth of scrutiny greater than may be appropriate for lower risk customers’.
Casino businesses are also required under The Money Laundering Regulations 2017 (opens in new tab) to carry out enhanced customer due diligence measures (ECDD) wherever there is a higher risk of money laundering or terrorist financing. Please refer to our comprehensive casino guidance for further information on the circumstances in which ECDD measures must be applied.
† The risks associated with cryptoasset payments have been previously discussed in the Commission’s April 2020 emerging risks bulletin. Please refer to this further below for more information.
13 July 2020
Customer use of informal value transfer systems, Money Service Businesses, licensees’ reliance on third parties and conducting affordability checks.
The Commission is highlighting to gambling businesses that their policies, procedures and controls must be effective in establishing customers’ source of funds as well as the need to undertake sufficient ‘Know Your Customer’ (KYC) checks.
IVTS are used in some parts of the world to conduct legitimate remittances (most often by individuals seeking to send money to and from family members in their country of origin). However, IVTS (also known as ‘underground banking’) are attractive for money laundering (ML) and terrorist financing (TF) purposes for some of the following reasons:
Poor implementation of policies, procedures, and controls for KYC makes the use of IVTS easier and there is increased use of IVTS such as, ‘Hawala’ (a traditional system of money lending originating in South Asia); today it is used around the world to conduct legitimate remittances outside of the banking system. Increasing evidence of the risk that gambling businesses may be accepting customer funds that have been obtained through IVTS being exploited by criminals is emerging where criminals use IVTS for the purpose of transmitting illicit finance.
Our guidance for both casino and other operators highlight that customer monitoring is an ongoing process. Licence Condition 12 of The LCCP states that, ‘licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing’.
All casinos are required to comply with The Money Laundering Regulations 2017 (opens in new tab) in respect of MSBs and HMRC’s guidance for foreign currency exchange, cheque cashing and money transfer to minimise the risk of ML and TF. All casinos offering MSBs are required to have effective risk assessments, policies, procedures and controls in place to prevent ML and TF and continue to raise standards in this regard.
During coronavirus (COVID-19) there has been an increased use of MSBs in the wider economy and, for those online casinos offering foreign exchange and third party money transfer, awareness and compliance with The Regulations is a continued requirement.
Some of the ML and TF risks associated with MSBs are:
The use of MSBs has been recognised as high risk in both Her Majesty’s Treasury’s National Risk Assessment (opens in new tab) and our Risk Assessment (PDF) of the money laundering and terrorist financing risks within the British gambling industry (2019 version). Casinos must effectively scrutinise source of funds and source of wealth, and (whilst online casinos continue to offer MSB facilities) mitigations to combat the use of MSB facilities for the acceptance, processing and transfer illicit finance remains a priority.
Gambling businesses are ultimately responsible for compliance with the conditions of their licence. This includes ensuring sufficient customer checks are carried out and that reliance is not placed on any third parties to conduct customer checks.
This includes (for example) relying on banks or any third party payment processors to conduct ‘KYC’ checks or reliance on other gambling businesses to establish source of funds (without further scrutiny) where a customer states that funds are winnings from another gambling business.
Carrying out sufficient customer checks become even more vital where there is a high risk of ML and TF in cases where (for example) a customer is from a high risk jurisdiction, as this will impact on the risk profile of the customer.
Operators should also give due consideration to the ML and TF risks posed by their business to business relations (including any third parties they contract with). Social Responsibility Code Provision 1.1.2 of The LCCP state that:
‘Licensees must ensure that the terms on which they contract with such third parties: require the third party to conduct themselves in so far as they carry out activities on behalf of the licensee as if they were bound by the same licence conditions and subject to the same codes of practice as the licensee’.
Failure to conduct sufficient customer affordability checks offers opportunities for illicit finance to infiltrate licensees’ financial systems.
Licensees are reminded of the importance of assessing customer affordability when determining risk levels. Disposable income levels must be a starting point for assessing financial benchmark triggers and knowing a customer’s occupation is an important factor in determining income levels and compliments businesses ‘KYC’ knowledge.
15 June 2020
Our latest emerging risks bulletin looks at the re-opening of land-based gambling businesses, the new £20 notes; new list of high-risk jurisdictions; increased levels of theft/fraud linked to gambling; vulnerable gamblers; online ID verification and Financial Action Task Force Advice.
The recent government announcement of the re-opening of ‘non-essential’ shops on 15th June 2020 includes land-based betting shops.
Gambling businesses are reminded of their mandatory responsibilities under The Gambling Act 2005 (opens in new tab), The Licence Condition and Codes of Practice (‘LCCP’), The Proceeds of Crime Act 2002 (opens in new tab) (‘POCA’), The Terrorism Act 2000 (opens in new tab) (‘TACT’) and other applicable laws in order to keep crime out of gambling.
Linked to the above point (regarding the re-opening of some land-based businesses), on the 20th February 2020, the Bank of England launched the new polymer £20 note. Although the old paper £20 note continues to be accepted as legal tender, it will eventually be removed from circulation.
During the transition from the paper note to the polymer note, individuals with quantities of the paper £20 note (including notes that may be the proceeds of crime) are likely to try to exchange them before they are removed from circulation.
Where gambling businesses and their frontline staff have knowledge or suspicion of money laundering or terrorist financing involving the old paper £20 note, they must submit suspicious activity reports (SARs) to the UKFIU in the normal way.
More information about the new polymer £20 note can be found on the Bank of England’s website (opens in new tab).
On the 7th May 2020, the European Commission (EC) amended its list containing high risk third jurisdictions with strategic anti-money laundering deficiencies in their regime to include the following:
Customers that are associated with high risk third countries (because of citizenship, country of business or country of residence) may present a higher money laundering risk to your business. Licensees are reminded to ensure they have adequate ‘Know Your Customer’ (KYC) and/or customer due diligence checks in place. Additionally, casino businesses are required to conduct mandatory enhanced due diligence (EDD) checks where a customer resides or is situated in a high risk third country. This includes undertaking source of funds and source of wealth checks on the customer as required under The Money Laundering Regulations 2017 (opens in new tab). Please see our guidance for casino and other operators for further information regarding gambling businesses’ legal duties.
There has been a reported increase in card fraud/theft which has then been used for gambling purposes which are the proceeds of crime.
Gambling businesses are reminded to be vigilant on affordability and source of funds for their customers. Where there is knowledge or suspicion of money laundering (including criminal spend) or terrorist financing, a suspicious activity report (SAR) must be submitted to the United Kingdom’s Financial Intelligence Unit (UKFIU) as required under PoCA and TACT. Also, a Key Event must be submitted to the Commission (as required under Licence Condition 15.2.1 (15) of The LCCP) referencing the SAR’s unique reference number (URN).
Licensees must remain vigilant to the increased risk that vulnerable gamblers may seek to break their self-imposed gambling limits because of the current pandemic. Gambling businesses should consider affordability as a starting point for benchmarking customer interaction triggers. Licensees should be vigilant that a customer attempting to spend criminal proceeds or launder money could also be a problem gambler. Patterns of increased spending or spend inconsistent with apparent source of income could be indicative of money laundering but also equally of problem gambling, or both. Licensees are directed towards the Commission’s recently published guidance for online and land-based gambling businesses which shows how they should conduct customer interaction.
Licence Condition 17 of The LCCP came into effect on 7th May 2019 and covers age and verification procedures for online gambling businesses†. The change means that online gambling businesses are not permitted to allow a customer to gamble before they have verified the customer’s identity. This Licence Condition was implemented to improve industry standards by ensuring that ID checks are carried out at the start of the customer relationship and not only at a later stage. This revision is also consistent with The Money Laundering Regulations 2017 (opens in new tab) which requires ongoing monitoring of customer relationships (Regulation 28(11)) and our published guidance which states that risks should be considered at all stages of the customer relationship.
The Commission is reminding online businesses that only verifying a customer’s identity at the point of withdrawal is a high risk policy from a money laundering and terrorist financing perspective and may be in breach of Licence Condition 17, as it means that CDD or EDD checks (if required and applicable only to casinos) or KYC checks (applicable to all other operators) are carried out too late in the customer journey. This poses a risk to the Licensing Objective, ‘keeping crime out of gambling’ along with potential breaches of TACT (Part 3) and PoCA (Part 7) which requires that a SAR is submitted to the UKFIU where there is knowledge or suspicion of money laundering (including criminal spend) or terrorist financing. Failure to do so amounts to a criminal offence carrying a maximum penalty of up to 5 years imprisonment (s.330 and s.331 PoCA).
† With the exception of low frequency or subscription lotteries, gaming machine technical, gambling software, host, ancillary remote casino and ancillary remote bingo.
FATF (the global standard-setter for combating money laundering and the financing of terrorism and proliferation) has published a paper (opens in new tab) which identifies the challenges, good practices and policy responses to new money laundering and terrorist financing threats and vulnerabilities arising from the coronavirus crisis.
The Commission is drawing licensees’ attention to this advice paper, advising (where necessary) to revise their ML/TF risk assessment, policies, procedures, and controls in order to mitigate all relevant identifiable risks within their business, as set out by FATF in this paper.
Our latest emerging risks bulletin looks at the impact of coronavirus, the importance of checking digital identification and increases in online scams and fraud attempts.
The Gambling Commission recognises the major impact the current unprecedented coronavirus crisis is having on affected gambling sectors, including the closure of premises, employees furloughed and loss of business. To assist you in managing the risks this presents to your business, customers and employees, we will continue to advise you about emerging risks that we identify. Businesses will need to consider whether their money laundering and terrorist financing risk assessment needs updating as a result.
Operators are reminded to remain vigilant and comply with the LCCP, The Gambling Act 2005 (opens in new tab) and other relevant laws, i.e. the Proceeds of Crime Act 2002 (opens in new tab), the Terrorism Act 2000 (opens in new tab) and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (opens in new tab). The Gambling Commission’s guidance to both casino and other operators along with our latest Risk Assessment of The Money Laundering and Terrorist Financing risks within the British Gambling industry (2019 version) will assist licensed operators in mitigating the emerging risks identified below.
The associated shift to online gambling during the crisis makes it more vital for online gambling businesses to ensure they are carrying out robust digital ID checks upon customer registration. It is therefore even more essential that all operators conduct thorough ‘Know Your Customer’ checks, and customer due diligence checks in the case of the casino sector, to ensure they are not dealing with illicit funds.
Operators also need to have adequate customer risk profiles in place to ensure all potential money laundering and terrorist financing risks have been considered, and that operators consider making suspicious activity reports to the National Crime Agency in the following cases:
There is evidence suggesting gambling affiliates are exploiting the coronavirus pandemic to encourage gamblers to spend more money on gambling activities. Operators are reminded:
In addition to customer checks, operators are reminded that it is important to carry out sufficiently robust background checks on employees, referred to as ‘Know Your Employee’ checks.
The coronavirus crisis has seen criminals seeking to exploit the situation with an increase in cyber-attacks, along with the increased use of digital payments (such as cryptoassets and online prepaid cards, also known as vouchers). There are reports of more online scams and fraud targeting vulnerable people. This presents a high money laundering and terrorist financing risk to the gambling industry, as criminals will seek different ways to dispose of and use illicit funds from this fraudulent activity.
The current situation has also seen increased use of digital methods, such as cryptoassets and prepaid cards, as a form of customer payment. Cryptoasset transactions are attractive to criminals as they are fast, convenient and can be carried out anonymously. Evidence shows there is a high risk of ‘smurfing’ with the use of prepaid cards, and there is evidence that this money has then been used for gambling.
Both methods of payment (cryptoassets and prepaid cards) are viewed as high risk from a money laundering and terrorist financing perspective, and operators are reminded of the need to conduct thorough source of funds and source of wealth checks (where applicable), in order to keep crime out of gambling. Operators are reminded that it is even more vital that they should also submit suspicious activity reports (SARs) where there is knowledge or suspicion of money laundering (including criminal spend) or terrorist financing. When submitting a SAR, a Key Event should also be made to the Gambling Commission in accordance with Licence Condition 15 of the LCCP.
Operators are reminded of their responsibilities under Licence Condition 12.1.1 (1), which requires licensees to review their money laundering and terrorist financing risk assessments upon the introduction of new products or technology or new methods of customer payment.
Operators are also reminded that it is mandatory to submit a key event to the Commission under Licence Condition 15.2.1(8) where there are any changes to the methods by which, and/or the payment processors through which, the licensee accepts payment from customers using their gambling facilities. When notifying the Commission under Licence Condition 15, we expect the following information to be provided as a minimum:
If the payment method relates to cryptoassets:
If cryptoassets are being accepted directly:
An increase in online scams and fraud targeting vulnerable people has seen illicit funds being transferred through third party bank accounts (‘mule’ accounts), to break the audit trail of transactions and complicate any investigation. There is evidence that ‘mule’ accounts have been used for gambling purposes by money mules, with mainly vulnerable individuals targeted.
Operators are reminded to be alert to this. A red flag indicator for this activity is the opening of a gambling account with a minimal deposit initially, which is soon followed by several larger deposits and withdrawn to an increased amount of accounts. This makes it even more vital for operators to conduct thorough source of funds and source of wealth checks (where applicable), as well as customer ID checks upon customer registration, as required under Licence Condition 17 (applicable to remote operators only).
Where appropriate, licensees should consider obtaining their own legal advice regarding the emerging risks discussed here.
For any further assistance please contact us.