Duties and responsibilities under the Proceeds of Crime Act 2002
4 - Risk-based approach
A risk-based approach involves a number of discrete steps to assess the most proportionate way to manage and mitigate the money laundering risks faced by the operator. These steps require the operator to:
- identify the money laundering risks that are relevant to the operator
- design and implement policies, procedures and controls to manage and mitigate these assessed risks
- monitor and improve the effective operation of these controls
- record what has been done, and why.
The possibility of gambling facilities being used by criminals to assist in money laundering poses many risks for operators. These include criminal and regulatory sanctions for operators and their employees, civil action against the operator and damage to the reputation of the operator, leading to a potential loss of business.
Operators need to continually identify, assess and manage these risks, just like any other business risk. They should assess the level of risk in the context of how their business is structured and operated, and the controls in place to minimise the risks posed to their business by money launderers, including those engaged in criminal spend. The risk-based approach means that operators focus their resources on the areas which represent the greatest risk. The benefits of this approach include a more efficient and effective use of resources, minimising compliance costs and the flexibility to respond to new risks as money laundering methods change.
Most operators manage their commercial or business risks and measure the effectiveness of the policies, procedures and controls they have put in place to manage those risks. A similar approach is appropriate to managing the operator’s regulatory risks, including money laundering risks. Existing risk management systems should, therefore, address the regulatory and money laundering risks, or a separate system should be in place for that purpose. The detail and complexity of these systems will depend on the operator’s size and the complexity of their business.
Even though operators outside the regulated sector (clarified in Offences under the Proceeds of Crime Act 2002) are not obliged to have systems and procedures in place under AML legislation, the Commission nonetheless expects AML systems and procedures to be in place in accordance with the relevant licence conditions and codes of practice. Also, POCA imposes obligations on all operators that must be satisfied, as a breach can constitute a criminal offence (Sections 327 to 332 of POCA). Systems and procedures assist operators in complying with these obligations, particularly in relation to reporting suspicious activity.
In order to detect customer activity that may be suspicious, it is necessary to monitor all transactions or activity. The monitoring of customer activity should be carried out using a risk-based approach. Higher risk customers should be subjected to a frequency and depth of scrutiny greater than may be appropriate for lower risk customers. Operators should be aware that the level of risk attributed to customers may not correspond to their commercial value to the business.
Where a customer is assessed as presenting a higher risk, additional information in respect of that customer should be collected. This will help the operator judge whether the higher risk that the customer is perceived to present is likely to materialise, and provide grounds for proportionate and recorded decisions. Such additional information should include an understanding of where the customer’s funds and wealth have come from. The need to 'know your customer' (KYC) is particularly relevant here. While the Commission recognises that some relationships with customers will be transient or temporary in nature, operators still need to give consideration to this issue in relation to all customers.
Operators should satisfy themselves that the sources of information employed to carry out KYC checks are suitable to mitigate the full range of risks to which they might be exposed, and these include money laundering and social responsibility risks. For example, local or open source information, such as press reports, may be particularly helpful in carrying out these checks.
Deciding that a customer presents a higher risk of money laundering does not automatically mean that the person is a criminal or is laundering money. Similarly, identifying a customer as having a low risk of money laundering does not mean that the customer is definitely not laundering money or engaging in criminal spend. Operators, therefore, need to remain vigilant and use their experience and judgement in applying their risk-based criteria and rules.
No system of checks will detect and prevent all money laundering activity. A risk-based approach will, however, serve to balance the burden placed on operators and their customers with a realistic assessment of the threat of the operator being involved, albeit unintentionally, in money laundering. It focuses the effort where it is most needed and will have the most impact. It is not a blanket, one size fits all approach, and therefore operators have a degree of flexibility in the methods they employ.
A risk-based approach requires the full commitment and support of senior management, and the active co-operation of all employees. It should be part of the operator’s philosophy and be reflected in an operator’s policies, procedures and controls. There needs to be clear communication of the policies, procedures and controls to all employees, along with robust mechanisms to ensure that they are carried out effectively, weaknesses are identified and improvements are made, wherever necessary. Where the operator forms part of a larger group of companies, there needs to be sufficient senior management oversight of the management of risk.
Identifying and assessing the risks
The operator should assess its risks in the context of how it is most likely to be involved in money laundering and criminal spend. Assessment of risk is based on a number of questions, including:
- What risk is posed by the business profile and the profile of customers using the gambling facilities?
- Is the business high volume, consisting of many low spending customers?
- Is the business low volume, with high spending customers?
- Is the business a mixed portfolio, that is, customers are a mix of high spenders and lower spenders and/or a mix of regular and occasional customers?
- Are procedures in place to monitor customer transactions across outlets, products and platforms and mitigate any money laundering potential?
- Is the business local with regular and generally well known customers?
- Is there a large proportion of overseas customers using foreign currency or overseas based bank cheques or debit cards?
- Are customers likely to be engaged in a business which involves significant amounts of cash?
- Are there likely to be situations where the source of funds cannot be easily established or explained by the customer?
- Is the majority of business conducted through customer accounts or some other contractual arrangement?
- Is there a local clustering of gambling outlets which makes it easier for a person to launder criminal proceeds over multiple venues and products?
- Does the customer have multiple or continually changing sources of funds (for example, multiple bank accounts and cash, particularly where this is in different currencies or uncommon bank notes)?
- Are patterns of play or a high spend profile linked to specific sporting events?
- In relation to remote gaming, does the customer use shared internet protocol addresses, dormant accounts or virtual private network (VPN) connections (amongst other things, this could indicate that a group of people are using the same device or location to gamble for the purposes of committing fraud)?
As noted in Purpose of the advice, operators should also give due consideration to the money laundering risks posed by their business-to-business relationships, including any third parties they contract with. The assessment of these risks is based, among other things, on the risks posed to the operator by transactions and arrangements with business associates and third party suppliers such as payment providers and processors, including their beneficial ownership and source of funds. Effective management of third party relationships should assure operators that the relationship is a legitimate one, and that they can evidence why their confidence is justified.
The World Economic Forum provide an example of good practice guidelines on conducting third party due diligence.
A money laundering risk assessment is a product or process based on a methodology, agreed by the parties involved, that attempts to identify, analyse and understand money laundering risks. It serves as the first step in addressing the risks and, ideally, involves making judgments about threats, vulnerabilities and consequences.
Risk, therefore, is a function of three factors:
- threats – which are persons, or groups of people, objects or activities with the potential to cause harm, including criminals, terrorist groups and their facilitators, their funds, as well as past, present and future money laundering activities
- vulnerabilities – which are those things that can be exploited by the threat or that may support or facilitate its activities and means focussing on the factors that represent weaknesses in AML systems or controls or certain features of a country, particular sector, financial product or type of service that make them attractive for money laundering
- consequences – which refers to the impact or harm that money laundering may cause, including the effect of the underlying criminal and terrorist activity on financial systems and institutions, the economy and society more generally.
The key to any risk assessment is that it adopts an approach that attempts to distinguish the extent of different risks to assist with prioritising mitigation efforts. The risk assessment process should consist of the following standard stages:
The identification process begins by developing an initial list of potential risks or risk factors when combating money laundering. Risk factors are the specific threats or vulnerabilities that are the causes, sources or drivers of money laundering risks. This list will be drawn from known or suspected threats or vulnerabilities. The identification process should be as comprehensive as possible, although newly identified or previously unidentified risks may also be considered at any stage in the process.
Analysis involves consideration of the nature, sources, likelihood, impact and consequences of the identified risks or risk factors. The aim of this stage is to gain a comprehensive understanding of each of the risks, as a combination of threat, vulnerability and consequence, in order to assign a relative value or importance to each of them. Risk analysis can be undertaken with varying degrees of detail, depending on the type of risk, the purpose of the risk assessment, and the information, data and resources available.
The evaluation stage involves assessing the risks analysed during the previous stage to determine priorities for addressing them, taking into account the purpose established at the beginning of the assessment process. These priorities can then contribute to development of a strategy for the mitigation of the risks.
Money laundering risks may be measured using a number of factors. Application of risk categories to customers and situations can provide a strategy for managing potential risks by enabling operators to subject customers to proportionate controls and monitoring. The risk categories which should be considered are as follows:
- country or geographic risk
- customer risk
- transaction risk
- product risk.
The risk categories used by the Commission in Money laundering and terrorist financing risk within the British gambling industry are customer, product and means of payment.
Some countries pose an inherently higher money laundering risk than others. In addition to considering their own experiences, operators (particularly those who operate in a remote environment) should take into account a variety of other credible sources of information identifying countries with risk factors in order to determine that a country and customers from that country pose a higher risk. Operators may wish to assess information available from non-governmental organisations which can provide a useful guide to perceptions relating to corruption in the majority of countries.
Customers that are associated with higher risk countries, as a result of their citizenship, country of business or country of residence may present a higher money laundering risk, taking into account all other relevant factors. Remote operators should check customer location because of the additional risks which arise from cross-border operations.
The country/geographic risk can also be considered in conjunction with the customer risk.
Determining the potential money laundering risks posed by a customer, or category of customers, is critical to the development and implementation of an overall risk-based framework. Based on their own criteria, operators should seek to determine whether a particular customer poses a higher risk and the potential impact of any mitigating factors on that assessment. Application of risk variables may mitigate or exacerbate the risk assessment. Categories of customers whose activities may indicate a higher risk include:
- unknown or anonymous customers
- high spenders – the level of spending which will be considered to be high for an individual customer will vary among operators, and among premises managed by the same operator
- disproportionate spenders – where appropriate, operators should obtain information about customers' financial resources so that they can determine whether customers' spending is proportionate to their income or wealth
- casual customers – this includes tourists and local customers who are infrequent visitors
- regular customers with changing or unusual spending patterns
- customers using forged or stolen identities to remain anonymous
- customers from high risk or non-cooperative jurisdictions (see, in particular, a list of high risk and non-cooperative jurisdictions)
- customers who appear on international sanctions lists (see, in particular, the consolidated list of financial sanctions targets)
- customers who are citizens or residents of, or associated with, countries assessed by non-government organisations as high risk for corruption and financial crime (for example, Transparency International and Global Witness).
Transaction risk (including means of payment)
Operators should consider operational aspects (products, services, games, accounts and account activities) that can be used to facilitate money laundering. In addition, operators have the following potential transaction risks:
- proceeds of crime – there is a risk that the money used by a customer has been gained through criminal activity, so greater monitoring of high spenders will help to mitigate the risk
- cash – customers may use gambling premises to exchange large amounts of criminal proceeds, or may deposit criminal proceeds into an internet gambling account at gambling premises, including tracks
- transfers between customers – customers may borrow money from unconventional sources, including other customers, which can offer criminals an opportunity to introduce criminal proceeds into the legitimate financial system through the gambling operator
- depositing into accounts – criminals may use accounts to deposit criminal proceeds and then withdraw funds with little or no play
- redemption of tickets for cash or cheque, particularly after minimal or no play
- multiple gambling accounts or wallets – customers may open multiple accounts or wallets with an operator in order to obscure their spending levels or to avoid CDD threshold checks
- changes to bank accounts – customers may hold a number of bank accounts and regularly change the bank account they use for gambling purposes
- identity fraud – details of bank accounts may be stolen and used on, for example, remote gambling websites, or stolen identities may be used to open bank accounts or gambling accounts
- pre-paid cards – these cards pose the same risks as cash as operators normally cannot perform the same level of checks on the cards as they can on bank accounts
- e-wallets – some e-wallets accept cash on deposit or digital currencies, which pose a higher risk, and some customers may use e-wallets to disguise their gambling.
Product risk includes the consideration of the vulnerabilities associated with the particular products offered by the gambling operator. In non-remote premises there are a number of gambling opportunities that offer the potential for a money launderer to place funds anonymously and generate winnings, or withdraw funds after minimal play. These are more fully discussed below, and include the use of cash and automated ticket redemption facilities where there is little or no interaction with staff. Remote gambling products present a heightened money laundering risk as the customers who use the products are not present.
Examples of products which may pose a money laundering risk therefore include:
- gaming machines, which can be used to launder stained or fraudulent bank notes/coins
- the use of automated ticket redemption machines, which allow a customer to avoid interaction with staff
- scratchcards (in the lottery sector)
- interactive win games and draw-based games (in the lottery sector).
The risk categories or factors described above are not intended to be prescriptive or comprehensive. They will not apply universally to all operators and, even when they are present, there may be different risk outcomes for different operators and premises, depending upon a host of other factors. However, the factors are intended as a guide to help operators conduct their own risk assessments, and to devise AML/CTF policies, procedures and controls which accurately and proportionately reflect those assessments.
The weight given to the risk factors used by the operator in assessing the overall risk of money laundering, both individually or in combination, may vary from one operator or premises to another, depending on their respective circumstances. Consequently, operators also have to make their own determination as to the weight given to risk factors.
Risk levels may be impacted by a number of variables, which will also have an impact on the preventative measures necessary to tackle the risks in a proportionate manner. These variables include:
- whether the operator’s business model is focused on:
  - attracting a large number of customers who gamble relatively small amounts
  - attracting a small number of customers who gamble relatively large amounts
- speed and volume of business
- for non-remote operators, the size of the premises
- the customer profile, for example whether:
  - the majority of customers are regular visitors or are members
  - the operator relies on passing trade, including tourists
- types of financial services offered to customers
- types of customer payments and payment methods
- types of gambling products offered
- the customers’ gambling habits
- staffing levels, and staff experience and turnover
- the type and effectiveness of existing gambling supervision measures and mechanisms
- whether the operator:
  - owns or manages other gambling establishments
  - offers different types of gambling
  - has other internet gambling websites
- whether the premises are standalone or integrated with other leisure facilities
- whether the operator is based in one country or has a gambling presence in multiple countries.
Many customers carry a lower risk of money laundering. These might include customers who are regularly employed or who have a regular source of income from a known source which supports the activity being undertaken (this applies equally to pensioners, benefit recipients or to those whose income originates from their partner’s employment or income).
Conversely, many customers carry a higher risk of money laundering. These may include known criminals, customers who are not regularly employed or who do not have a regular source of income from a known source which supports the level of activity being undertaken, or problem gamblers.
A drug dealer, whose only legitimate source of income for ten years was state benefits, spent more than £1million in various gambling establishments over the course of two years, and lost some £200,000. All the transactions appeared to involve cash.
A grandparent with no previous gambling history, on a state pension, began to make weekly bets of about £100. Investigations later revealed that the grandparent was placing the bets on behalf of a grandson, a known criminal, and that the money spent was the proceeds of his criminal activity.
An individual was in receipt of state benefits with no other apparent form of income, but then gambled significant amounts through a licensed operator. Deposits of over £2million were made to an online gambling account over the course of about two years from multiple sources, such as debit card and credit card, and various e-money and e-wallet services. Investigations revealed that their gambling was funded by criminal activity.
Over an extended period of time, an individual who claimed to be a gambling addict stole equipment worth a substantial amount of money from their employer and resold it for their own gain. They then used most of these criminal proceeds to gamble, depositing almost £6million into an online gambling account and losing almost £5million, involving about 40,000 individual gambling transactions. The individual remained in employment throughout this period.
Operators are best placed to identify and mitigate risks involved in their business activity. A crucial element of this is to ensure that systems are in place to identify and link player activity, and for senior management to oversee risk management and determine whether their policies and procedures are effective in design and application. Reliance on third parties to conduct risk assessment and management does not relieve the operator of its ultimate responsibility to assess and manage its own risks (in accordance with licence condition 12.1.1).
A money laundering risk assessment is not a one-off exercise. The relevant licence condition requires operators to review their money laundering risk assessments at least annually, but they must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes.
Operators should ensure that their policies, procedures and controls for managing money laundering risks, including the detection of criminal spend, are kept under regular review. For example, industry innovation may expose operators to new risks and an appropriate assessment of the risk is recommended before implementing any new product, system, control, process or improvement.
Last updated: 6 September 2023
Following an audit corrected link formatting issues only.