This box is not visible in the printed version.
The Gambling Commission's money laundering and terrorist financing risk assessment for the British gambling industry in 2023.
Published: 30 November 2023
Last updated: 30 November 2023
This version was printed or saved on: 15 May 2024
Online version: https://www.gamblingcommission.gov.uk/guidance/the-2023-money-laundering-and-terrorist-financing-risks-within-the-british
The Gambling Commission’s Money Laundering (ML) and Terrorist Financing (TF) risk assessment 2023 presents the key risks associated with each of the sectors and encompasses licensed land-based and remote activity in Great Britain’s gambling industry. This assessment builds on the previous 2020 risk assessment and, among other things, fulfils the requirements under Regulation 17 (1) of the Money Laundering and Terrorist Financing and Transfer of Funds (Information on the Payer) 2017 (the Regulations) (opens PDF).
The purpose of this risk assessment is to:
The Commission has considered a wealth of information and intelligence when assessing the key threats identified within the British gambling industry and provides revised risk ratings in this publication. In consultation with in-house and external subject-matter experts, this assessment has been developed with input from a wide range of sector and industry specialists, including law enforcement and the National Crime Agency (NCA). It also considered approaches taken by other Anti Money Laundering (AML) supervisory authorities.
The reporting period this assessment is based on is 1 June 2020 to 31 March 2023. The methodology used to assess the risks in Great Britain’s gambling industry has been developed from the previous risk assessment in 2020. For more detail on the methodology and terminology used, please refer to the methodology section of this report.
The following gambling sectors are assessed separately (compared to previous risk assessments), as they are separate and distinct sectors with differing risk areas and levels:
| Sector | Current overall risk rating |
|---|---|
| Casino, betting and bingo (remote) | High |
| Casino (non-remote) | High |
| Betting (non-remote, off-course) | High |
| Betting (non-remote, on-course) | Medium |
| Bingo (non-remote) | High |
| Adult Gaming Centres (AGCs) | Medium |
| Family Entertainment Centres (FECs) | Low |
| Society lotteries and external lottery managers (remote and non-remote | Low |
| The National Lottery (remote and non-remote) | Low |
| Gambling software (remote and non-remote) | Low |
| Gaming machine technical (remote and non-remote) | Low |
In the HM Treasury and Home Office National Risk Assessment, the gambling sector is rated as low risk. However, the National Risk Assessment captures the relative risk of ML and TF occurring across all regulated financial sectors and Designated Non-Financial Businesses and Professionals (DNFBPs), which includes:
When the vulnerability of gambling to ML and TF is considered in the context of those other sectors in the National Risk Assessment it is currently lower risk in relative terms. By contrast, the Commission’s risk assessment compares the ML and TF risks in individual gambling sub-sectors and rates them appropriately in comparison to each other, rating them high to low risk.
When compiling the National Risk Assessment, the Treasury and Home Office are required to ensure that the risk assessment is used to consider whether providers of gambling services other than casinos should continue to be excluded from the requirements of the Regulations. It is therefore imperative that the Commission and gambling operators sustain their efforts and remain on guard to the financial crime risks inherent in gambling.
In line with Licence Condition 12.1.1, gambling operators are required and must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time.
Whilst some of the ratings have changed in individual sub-sector risk areas, the overall risk ratings for each gambling sector have not changed since the previous risk assessment.
| Sector | Current overall risk rating |
|---|---|
| Terrorist financing | Medium |
The impact of terrorist financing has increased from Low to High.
The assessment of the terrorist financing risk is partially based on information from the National Risk Assessment, which has assessed this area as low risk for gambling. The Commission has also collaborated closely with external stakeholders, such as the UK’s counter terrorism teams, when arriving at its risk rating to assist our understanding of the terrorist financing typologies and vulnerabilities that are applicable to the gambling industry.
This document is intended to act as a valuable resource for the industry in informing their own ML and TF risk assessments, and must be taken into account when doing so, as required under Licence Condition 12 of the Licence Conditions and Codes of Practice (LCCP)1.
It is mandatory for gambling operators from all gambling sectors to comply with the licensing objective of keeping crime and its proceeds out of gambling, as set out in the Gambling Act 2005 (the Act) (opens new tab) and the Commission’s LCCP. Furthermore, all gambling operators have legal duties under the Proceeds of Crime Act 2002 (POCA)and the Terrorism Act 2000 (TACT) (opens in a new tab) to mitigate financial crime. Casinos (both land-based and remote) have an enhanced set of legal responsibilities, as they must comply with the Regulations for casino gaming, gaming machines and any money service business activities offered2.
However, it is imperative for all gambling operators (regardless of gambling sector) to ensure they have effective risk assessments identifying ML and TF risks, and robust policies, procedures and controls in place to prevent money laundering and terrorist financing, and to continue to raise standards in these areas.
1 Licence Condition 12 requires that operators have appropriate policies, procedures and controls to prevent money laundering and terrorist financing and that such policies, procedures and controls take into account any applicable learning or guidelines published by the Gambling Commission.
2 This refers to the Regulations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (opens in new tab) ('the Regulations') which are applicable to firms under the 'regulated sector'. Casinos are part of the 'regulated sector'.
Regulation 17 places an obligation on supervisory authorities to carry out a risk assessment of their supervised sector. The Gambling Commission (the Commission) is the supervisory authority for casinos and this obligation is met by this risk assessment. The Commission will also use this risk assessment to inform HM Government of the level of risk of Money Laundering (ML) and Terrorist Financing (TF) within the entire British gambling industry.
There may be vulnerabilities and risks attributed to a particular gambling sector that cause it to become higher risk over time. Consequently, where a gambling sector can no longer be deemed low risk in terms of the National Risk Assessment, it will likely lead to their inclusion within the provisions of the Regulations.
A risk assessment is a key requirement to understanding the ML and TF risks that a business is exposed to. This is done through the identification, assessment, management and where possible, the mitigation to control and prevent ML and TF. By knowing and understanding the risks to which the gambling industry is exposed, HM Government, law enforcement, the Commission and operators can work together to ensure that gambling in Great Britain is a hostile place for money launderers and terrorist financers seeking to exploit it.
This risk assessment builds upon the previous one published in December 2020. It is therefore recommended that this year’s assessment should be read in conjunction with the previous risk assessment: Money laundering and terrorist financing risk assessment within the British gambling industry: 2020 as this previous publication provides further information on our previous risk ratings regarding the inherent risks within Great Britain’s gambling industry by sector.
The Money Laundering (ML) and Terrorist Financing (TF) threats that the gambling industry faces are diverse, complex and are rapidly evolving.
Money launderers and terrorist financers use similar methods to store, move and obtain funds, although their motives differ.
If left unimpeded, the threats may result in:
Gambling operators must ensure they comply with the relevant legislation, and the regulatory licence conditions and codes of practice. These are:
Further information can be found within our anti-money laundering legislation page.
Operators are required to adopt a risk-based approach in the discharging of their legal obligations which focuses compliance effort where it is most needed and will therefore have the most impact. It requires the full commitment and support of senior management and the active co-operation all employees.
For further information regarding the steps gambling operators should take in applying a risk-based approach, please see our guidance on the prevention of money laundering and combating the financing of terrorism and our guidance on duties and responsibilities under the Proceeds of Crime Act 2002.
In September 2022, the Regulations were updated to require businesses in the regulated sector to risk assess and mitigate proliferation financing. Proliferation financing is defined as:
"The act of providing funds or financial services for use (in whole or in part) in the manufacture, acquisition, development, export, trans-shipment, brokering, transport, transfer, stockpiling of, or otherwise in connection with the possession or use of chemical, biological, radiological or nuclear weapons, including the provision of funds or financial services in connection with the means of delivery of such weapons and other Chemical, Biological, Radiological and Nuclear (CBRN)-related goods and technology1, in contravention of a relevant financial sanctions obligation2."
For further information on what casinos are required to do in relation to proliferation financing, please refer to the updates of the Commission’s casino guidance.
For information on how to comply with sanctions regulation, including the UK government’s financial sanctions against Russia, please refer to the Commission’s update on sanctions.
1 The meaning of 'biological weapon', 'chemical weapon', 'CBRN-related goods and technology', 'nuclear weapon' and 'radiological weapon' are set out in regulation 16A(10).
2 A relevant financial sanctions obligation is a prohibition or requirement in regulations made under section 1 of the Sanctions and Anti-Money Laundering Act 2018 (opens in new tab) and imposed for one or more of the purposes in section 3(1) and (2) of the Act so far as it relates to compliance with a relevant United Nations (UN) obligation.
The reporting period for this risk assessment is 1 June 2020 to 31 March 2023. The risk assessment has been developed in consultation with sector and/or industry specialists.
The Gambling Commission (the Commission) has adopted a methodology based on the Financial Action Task Force (FATF) Guidance on Money Laundering and Terrorist Financing Risk Assessments. FATF sets the global standards for anti-money laundering and counter-terrorist financing1.
It is important to note that the Commission’s assessment of risk within each sector or theme is considered in the context of the British gambling industry and not in comparison to other British industries regulated under the Money Laundering Regulations, for example, the retail banking sector2. Furthermore, the Commission may not have access to the confidential source materials available to HM Treasury and the Home Office when they produce the National Risk Assessment, limiting our assessment to our own data and specialists, and sources that are available externally.
1 FATF Guidance “National Money Laundering and Terrorist Financing Risk Assessment” February 2013.
2 The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
The risk assessment is completed in the following stages: identification, assessment and evaluation, and management.
In this stage, known or suspected threats and vulnerabilities are used to identify emerging risks and previously unidentified risks relating to money laundering and terrorist financing to the specific sectors within the gambling industry. Risks identified in this paper were gathered from a variety of sources, including:
Our identification of risk extends to both domestic and international evidence and best practice.
In this stage, an assessment of the likelihood and impact of those risks occurring is conducted, considering controls and consequences.
The methodology uses an approach that can be represented as likelihood × impact = risk rating. This is conducted using the Commission’s Money Laundering and Terrorist Financing Risk Assessment Matrix (ML/TF RAM).
In addition to considering risk in the context of individual licensees, we consider systemic risk in the context of the collective actions or vulnerabilities in sectors, thematic indicators or the wider industry.
A moderation process, including reviews by qualified professionals, is utilised to evaluate the scores allocated to each risk, its likelihood of occurring and the impact should this occur.
The management process is conducted through reviewing The Gambling Commission's money laundering and terrorist financing risk assessment: 2020 and reporting on the current status of the risks previously identified. Each of the risks have been assessed using information sources as referred to above in the assessment section. New risks identified during the time parameter of this report, and previously identified risks have been assessed using consistent methodology.
The application of relevant concepts in this assessment are set out as follows.
Risk – risk is considered to be the potential that an event, action, or series of events or actions will have an adverse effect on the Money Laundering and Terrorist Financing and Transfer of Funds (Information on the Payer) 2017 (the Regulations), Proceeds of Crime Act (POCA), The Terrorism Act 2002 (TACT), the Gambling Commission Act 2005 (the Act) licensing objectives or the Licence Condition of Codes of Practice (LCCP).
Threats – threats can manifest through the intentional ‘washing’ of criminal funds, through criminal spending or terrorist financing. They can relate to people seeking control of gambling businesses for illegal purposes or responsible people recklessly or unwittingly facilitating money laundering or terrorist financing through their failures to discharge their responsibilities effectively.
Vulnerabilities – the Commission has grouped the relevant factors that are assessed as vulnerabilities into five categories:
Controls – the assessment of vulnerabilities requires assessment of the effectiveness of the controls in place. The absence of, or ineffectual application of controls would indicate a high level of vulnerability. The Commission considers controls to include:
Controls are primarily the responsibility of the licensees but may also include actions taken by the Commission through its licensing, compliance or enforcement actions and its supervisory authority role.
Consequences – this is a high-level commentary of what the Commission is seeing, to support the risk assessment produced by Commission specialists. It references information and evidence which depicts what is arising from the vulnerabilities in question.
Likelihood – in assessing the likelihood of a threat materialising, the Commission may also consider:
Impact – the impact is assessed to be the extent at which the risk materialising will influence the licensing objectives and the general interest of consumers. It also allows the Commission (as a supervisory authority) to:
The risk level is represented by a likelihood score multiplied by an impact score to provide and overall risk score.
| Likelihood of event occurring | Impact of event occurring | Overall risk (Likelihood × Impact) |
|---|---|---|
| Low (1) | Low (1) | Low (1) |
| Low (1) | Medium (2) | Low (2) |
| Low (1) | High (3) | Medium (3) |
| Medium (2) | Low (1) | Low (2) |
| Medium (2) | Medium (2) | Medium (4) |
| Medium (2) | High (3) | High (6) |
| High (3) | Low (1) | Medium (3) |
| High (3) | Medium (2) | High (6) |
| High (3) | High (3) | High (9) |
Indicators of low overall risk (likelihood and impact) (risk of 1 or 2) are:
Indicators of medium overall risk (likelihood and impact) (risk of 3 or 4) are:
Indicators of high overall risk (likelihood and impact) (risk of 6 or 9) are:
To note how the risk ratings compare to the ratings of the previous assessment, the following descriptions are used in the assessment.
New risk – this refers to identified emerging risks and previously unidentified risks that were not in the previous assessment.
New risk rating – this refers to risks that were previously given an overall risk rating and have now been assigned a likelihood and impact rating.
Decrease or increase in likelihood and impact – noting a change in the risk rating.
The methodology in this edition of the Gambling Commission’s risk assessment has been amended from previous versions to simplify the risk ratings. The risk ratings used in this assessment are low, medium and high. The ratings of very low and very high have been removed, with such risks now being rated low or high.
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| Casino (remote) | High | High |
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Likelihood of event occurring | Impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance | High (3) | High (3) | High (9) | No change |
| Operator control | High monetary thresholds | High (3) | High (3) | High (9) | New risk rating |
| Operator control | High value customer schemes | Medium (2) | High (3) | High (6) | Decrease in likelihood |
| Operator control | Failure to implement a closed loop system | Medium (2) | High (3) | High (6) | New risk rating |
| Operator control | Over reliance on payment providers for carrying out customer due diligence (CDD) measures | Medium (2) | High (3) | High (6) | New risk rating |
| Operator control | Third party business relationships and business investors | Medium (2) | High (3) | High (6) | New risk |
| Operator control | Lack of competence of key personnel and licence holders which can then potentially be exploited by criminals seeking to launder the proceeds of crime | Medium (2) | High (3) | High (6) | New risk |
| Licensing and integrity | Gambling operations being acquired by organised crime to launder criminal proceeds or the Ultimate Beneficial Ownership is a criminal or involved in criminal activity | Low (1) | High (3) | Medium (3) | No change |
| Licensing and integrity | White label providers | High (3) | High (3) | High (9) | No change |
| Customer | Customer not physically present for identification purposes | High (3) | High (3) | High (9) | No change |
| Customer | False or stolen identity documentation used to bypass controls to facilitate the laundering of criminal funds | High (3) | High (3) | High (9) | No change |
| Customer | Accessibility to multiple remote casinos | High (3) | High (3) | High (9) | No change |
| Customer | Customers who appear on financial sanctions lists laundering funds which are subject to an asset freeze | Low (1) | High (3) | Medium (3) | No change |
| Customer | Foreign politically exposed persons (PEPs) using casinos to launder illicit or criminal funds | Medium (2) | High (3) | High (6) | No change |
| Customer | Domestic PEPs using casinos to clean criminal funds identification and verification | Low (1) | Medium (2) | Medium (2) | No change |
| Customer | Customers making numerous low-level transactions to minimise suspicion and evade CDD requirements at the threshold (‘smurfing’) | High (3) | High (3) | High (9) | No change |
| Customer | Use of third parties or agents to obscure the source or ownership of money gambled by customers and their identities | High (3) | High (3) | High (9) | No change |
| Customer | Organised crime gangs | Medium (2) | High (3) | High (6) | New risk rating |
| Customer | Mule accounts | High (3) | High (3) | High (9) | New risk rating |
| Means of payment | E-wallet | Medium (2) | Medium (2) | Medium (4) | No change |
| Means of payment | Crypto asset transactions | Medium (2) | High (3) | High (6) | No change |
| Means of payment | Pre-paid cards | High (3) | High (3) | High (9) | No change |
| Means of payment | Multiple methods of payment | Medium (2) | High (3) | High (6) | New Risk |
| Means of payment | Casinos acting as Money Service Businesses (MSBs) | High (3) | High (3) | High (9) | New risk |
| Product | Peer to Peer Gaming (poker) - Business to Business and Business to Customer | High (3) | High (3) | High (9) | No change |
| Product | High-stakes gambling and feature buy-in slots | Medium (2) | High (3) | High (6) | New risk rating |
| Geographic | Customers from high-risk jurisdictions using casino facilities to launder criminal funds | Medium (2) | High (3) | High (6) | No change |
Pre-paid cards
An individual made large deposits using pre-paid cards. When the operator attempted to determine the source of the individual’s funds, the customer claimed that they received their salary in cash.
An individual deposited several thousand pounds with pre-paid cards. Subsequent checks revealed that they were unemployed.
Smurfing
An individual had several failed deposit attempts and then made a series of deposits in low amounts. Once the deposits had been made, the customer requested an immediate withdrawal without any gameplay and then made a further small deposit.
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| Casino (non-remote) | High | High |
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Current likelihood of event occurring | Current impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance | High (3) | High (3) | High (9) | No change |
| Operator control | Undermining of the Money Laundering Reporting Officer (MLRO) role by senior management which can intentionally or unintentionally lead to exploitation by money launderers | Medium (2) | High (3) | High (6) | Decrease in likelihood |
| Operator control | Lack of competence of key personnel and licence holders which can then potentially be exploited by criminals seeking to launder the proceeds of crime | Medium (2) | High (3) | High (6) | Decrease in likelihood |
| Operator control | Lack of adequate and relevant due diligence checks conducted resulting in criminals laundering money | High (3) | High (3) | High (9) | No change |
| Operator control | Lack of key person in place responsible for regulatory compliance (as required under regulation 21(1) (a)) | Medium (2) | High (3) | High (6) | New risk rating |
| Operator control | Employees who do not hold a personal licence being responsible for ID checks | Medium (2) | High (3) | High (6) | New risk rating |
| Operator control | Third party business relationships and business investors | Medium (2) | High (3) | High (6) | New risk |
| Operator control | Unlicensed casino employees with known criminal records or suspected criminal activities | Medium (2) | High (3) | High (6) | Decrease in likelihood |
| Licensing and integrity | Gambling operations being acquired by organised crime to launder criminal proceeds, or the Ultimate Beneficial Ownership is a criminal or involved in a criminal activity | Medium (2) | High (3) | High (6) | No change |
| Licensing and integrity | Employees colluding with criminals | High (3) | High (3) | High (9) | No change |
| Geographic | Customer from high-risk jurisdictions using casino facilities to launder money | Medium (2) | High (3) | High (6) | No change |
| Customer | Customers who appear on financial sanctions list laundering funds which are subject to asset freeze | Low (1) | High (3) | Medium (3) | No change |
| Customer | Foreign politically exposed persons (PEPs) using casinos to clean criminal funds | Medium (2) | High (3) | High (6) | No change |
| Customer | Domestic PEPs using casinos to clean criminal funds | Low (1) | Medium (2) | Low (2) | No change |
| Customer | False or fraudulently obtained or stolen ID docs used to bypass controls | Medium (2) | High (3) | High (6) | No change |
| Customer | Customers breaking up large amounts of cash into small transactions to minimise suspicion and evade customer due diligence (CDD) requirements at the threshold (‘smurfing’) | High (3) | High (3) | High (9) | Increase in likelihood |
| Customer | Use of third parties or agents to obscure the source or ownership of money gambled by customers and their identities | Medium (2) | High (3) | High (6) | No change |
| Means of payment | Cash transactions | High (3) | High (3) | High (9) | No change |
| Means of payment | Casinos acting as Money Service Businesses (MSBs) | High (3) | High (3) | High (9) | No change |
| Means of payment | Cryptoasset payments | Medium (2) | High (3) | High (6) | No change |
| Means of payment | Cashless payments | Medium (2) | High (3) | High (6) | New risk rating |
| Means of payment | Transfer of funds between casino customers | Medium (2) | High (3) | High (6) | No change |
| Means of payment | Scottish notes | Low (1) | High (3) | Medium (3) | New risk rating |
| Product | Bring your own devices (BYODs) | Low (1) | High (3) | Medium (3) | New risk rating |
| Product | Electronic roulette - when used with ticket in ticket out and automatic ticket redemption machines | Medium (2) | High (3) | High (6) | No change |
| Product | Gaming machines (all) | Medium (2) | High (3) | High (6) | Decrease in likelihood |
| Product | Peer to peer gaming (poker) business to customer (B2C) | High (3) | High (3) | High (6) | No change |
Scottish notes
An individual attempted to exchange a large quantity of Scottish notes at a casino cash desk and their request was denied. They were later seen on the casino’s CCTV inserting large quantities of cash into an electronic gaming machine. The machine was later checked and found to contain several thousand pounds in Scottish notes.
The Regulations designate the Gambling Commission (the Commission) as the supervisory authority for casinos in the United Kingdom (UK). While under the Regulations HMRC is the supervisory authority for authority for money service businesses facilities (MSBs), the Commission and HMRC have agreed, under Regulation 7(2), that the Commission will act as the supervisory authority for MSB activities carried out by casinos (which includes foreign exchange, third-party money transmission and third-party cheque cashing).
The Commission found that around 2 percent of business to customer remote casinos offered some form of MSB activity. In the same period, around 66 percent of non-remote casinos offered some form of MSB activity1.
Commission-based research found that:
All types of MSB activity are seen as carrying Money Laundering and Terrorist financing (ML/TF) risk as they could be used by criminals to break their funds up and conceal its source or destination, which makes it harder for the flow of funds to be tracked and disrupted.
Specific risks include:
Some red flag risk indicators identified with MSB activity are:
Third party payment MSB activity for online casinos may include cases of a spouse’s card being used to fund the gambler’s account, or the money is paid out from the account to a third party. Clearly there are risks associated with this and we expect operators to have measures in place such as identification and source of fund checks.
The Commission found that some remote casino operators were unable to separate their financial data accurately in relation to MSB activity and other activity in customers’ e-wallets. Failing to do so means that operators are not sufficiently assessing, monitoring, and controlling the risks associated with MSB activity.
This highlights the importance of operators adopting a risk-based approach in order to mitigate the potential money laundering and terrorism financing risks associated with MSB activity.
1 In the period between 1 January 2020 to 31 December 2021. Please note this time frame includes the COVID-19 lockdown period, and so may not be fully reflective of the number of casinos that offer MSB activities.
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| Betting (remote) | High | High |
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Current likelihood of event occurring | Current impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance | High (3) | High (3) | High (9) | No change |
| Operator control | Operators staking and winning directly and indirectly on their own products | Low (1) | Medium (2) | Low (2) | No change |
| Operator control | Lack of competence of key personnel and licence holders which can then be exploited by criminals seeking to launder the proceeds of crime | Medium (2) | High (3) | High (6) | Decrease in likelihood |
| Operator control | Inadequate or lack of ‘know your customer’ (KYC) checks resulting in criminals laundering criminal proceeds or risk of this occurring | High (3) | High (3) | High (9) | No change |
| Operator control | ‘High value’ customer schemes | Medium (2) | High (3) | High (6) | No change |
| Operator control | High monetary thresholds | High (3) | High (3) | High (9) | New risk rating |
| Operator control | KYC completed at the point of withdrawal | Medium (2) | High (3) | High (6) | New risk rating |
| Operator control | Third party business relationships and business investors | Medium (2) | High (3) | High (6) | New risk rating |
| Licensing and integrity | Gambling operations run or acquired by organised criminals to launder criminally derived funds | Low (1) | High (3) | Medium (3) | Decrease in likelihood |
| Licensing and integrity | White label providers | High (3) | High (3) | High (9) | No change |
| Customer | False or stolen documentation used to bypass controls to launder criminally derived funds | High (3) | High (3) | High (9) | No change |
| Customer | Accessibility to multiple remote accounts | Medium (2) | High (3) | High (6) | Decrease in likelihood |
| Customer | Customers from high risk or non-cooperative jurisdictions using remote facilities to launder criminally derived funds | Medium (2) | High (3) | High (6) | Decrease in likelihood |
| Customer | Customers who appear on international financial sanctions lists laundering criminal funds | Low (1) | High (3) | Medium (3) | No change | Customer | ‘Smurfing’ | High (3) | High (3) | High (9) | Increase in risk | Customer | ‘Mule’ betting accounts | High (3) | High (3) | High (9) | No change | Customer | Politically exposed persons (PEPs) | Medium (2) | High (3) | High (6) | New risk rating | Customer | Business customers (betting exchange) | Medium (2) | High (3) | High (9) | New risk rating |
| Customer | Use of third parties or agents to obscure the source or ownership of money gambled by customers and their identities | High (3) | High (3) | High (9) | No change |
| Means of payment | E-wallets | Medium (2) | Medium (2) | Medium (4) | No change |
| Means of payment | Cryptoasset transactions | Medium (2) | High (3) | High (6) | No change |
| Means of payment | Pre-paid cards | High (3) | High (3) | High (9) | No change |
| Means of payment | Lack of ‘closed loop’ system | Medium (2) | High (3) | High (6) | New risk rating |
| Means of payment | Multiple methods of payment | Medium (2) | High (3) | High (6) | New risk |
| Product | Peer to peer betting | High (3) | High (3) | High (9) | Increase score |
| Product | Unregulated betting events | Medium (2) | High (3) | High (6) | New risk rating |
Mule accounts
A student with no formal employment was asked for source of funds information by an operator as part of Know your customer (KYC) checks. The student provided a bank statement which showed them making large cash deposits into their bank account, which was followed by smaller transfers to other individuals with the payment references naming other gambling operators.
Smurfing
An individual was identified as having made regular deposits in relatively low increments, which were then placed on low-risk bets with an almost guaranteed return. The customer attempted to withdraw using an e-wallet and was asked for evidence that they were the legitimate owner of the wallet. At this point, the individual confirmed their e-wallet account had been closed.
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| Betting (non-remote) | High | High |
| Off-course | High | High |
| On-course | Medium | Medium |
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Likelihood of event occurring | Impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance (off-course only) | High (3) | High (3) | High (9) | No change | Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance (on-course only) | Medium (2) | Medium (2) | Medium (4) | No change | Operator control | Lack of effective customer interaction resulting in a failure to prevent and/or detect Money Laundering or Terrorist financing (ML/TF) (off-course only) | Medium (2) | High (3) | High (6) | No change | Operator control | Lack of effective customer interaction resulting in a failure to prevent and/or detect ML or TF (on-course only) | Medium (2) | Medium (2) | Medium (4) | No change | Operator control | Inadequate or lack of 'know your customer' (KYC) checks resulting in criminals laundering criminal proceeds (off-course only) | High (3) | High (3) | High (9) | No change | Operator control | Inadequate or lack of KYC checks resulting in criminals laundering criminal proceeds (on-course only) | Medium (2) | Medium (2) | Medium (4) | No change | Operator control | Third party business relationships and business investors (off-course only) | Medium (2) | High (3) | High (6) | New risk | Operator control | On-course bookmakers providing unlicensed gambling activities (for example, accepting bets over the phone without having the required ancillary betting licence) | Low (1) | Medium (2) | Medium (2) | No change | Licensing and integrity | Betting operations being acquired by organised crime to launder criminal proceeds (off-course only) | Low (1) | High (3) | Medium (3) | No change | Licensing and integrity | Betting operations being acquired by organised crime to launder criminal proceeds (on-course only) | Low (1) | High (3) | Medium (3) | No change | Licensing and integrity | Betting employees acting in collusion with organised criminals to launder criminal funds (off-course only) | Medium (2) | High (3) | High (6) | No change | Licensing and integrity | Betting employees acting in collusion with organised criminals to launder criminal funds (on-course only) | Low (1) | Medium (2) | Low (2) | No change | Customer | Unverified customers laundering proceeds of crime through betting (off-course only) | High (3) | High (3) | High (9) | No change | Customer | Unverified customers laundering proceeds of crime through betting (on-course only) | Medium (2) | Medium (2) | Medium (4) | No change | Customer | Accessibility to multiple premises and operators (off-course only) | High (3) | High (3) | High (9) | No change | Customer | False or stolen identification documentation used to bypass controls to launder criminal funds (off-course only) | Medium (2) | High (3) | High (6) | Increase in impact | Customer | Organised criminal gangs (OCGs) | Low (1) | High (3) | Medium (3) | No change | Product | Gaming machines used to launder criminal funds (off-course only) | Medium (2) | High (3) | High (6) | Decrease in likelihood | Product | Self service betting terminals and ticket-in-ticket-out (TITO) machines used to launder criminal funds (off-course only) | Medium (2) | High (3) | High (6) | No change | Product | Bring your own device (BYOD) | Low (1) | Medium (2) | Low (2) | Decrease in impact and likelihood | Means of payment | Cash transactions | High (3) | High (3) | High (9) | No change | Means of payment | Cashless transactions | Medium (2) | High (3) | High (6) | Increase in impact | Means of payment | Dyed notes | Low (1) | Medium (2) | Low(2) | No change | Means of payment | Lack of ‘closed loop’ system | Medium (2) | High (3) | High (6) | No change | Means of payment | Multiple methods of payment | Medium (2) | High (3) | High (6) | New risk | Means of payment | Scottish notes | Low (1) | High (3) | Medium (3) | No change |
Dyed Notes
Two individuals deposited several hundred pounds of bank notes into a self-service betting terminal which were later found to be stained with what appeared to be anti-theft dye. The individuals were then able to withdraw clean notes from counter staff
Lack of 'closed loop' system and access to multiple premises
An individual deposited several thousand pounds on a self-service betting terminal using a debit card and made bets on several events. The bets were cashed out early before the events had started and the customer was able to withdraw the funds at a different store in the form of cash.
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| Bingo (Remote) | High | High |
The remote bingo and betting sector will be assessed separately for the purposes of this assessment as the risks differ for both sectors.
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Likelihood of event occurring | Impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator Control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance | High (3) | High (3) | High (9) | No change | Operator control | Operators staking and winning directly and indirectly on their own products | Low (1) | Medium (2) | Low (2) | No change | Operator control | Poor source of funds checks | High (3) | High (3) | High (9) | No change | Operator control | Inadequate or lack of 'know your customer' (KYC) checks | High (3) | High (3) | High (9) | No change | Operator control | Third party business relationships and business investors | Medium (2) | High (3) | High (6) | New risk rating | Licensing and integrity | Gambling operations run by organised criminals to launder criminally derived funds | Low (1) | High (3) | Medium (3) | No change | Customer | Customer not physically present for identification | High (3) | High (3) | High (9) | No change | Customer | False or stolen documentation used to bypass controls to launder criminally derived funds | Medium (2) | High (3) | High (6) | No change | Customer | Accessibility to multiple remote accounts | Medium (2) | High (3) | High (6) | Decrease in likelihood | Customer | Customers on the sanction list | Low (1) | High (3) | Medium (3) | New risk rating | Customer | Use of third parties or agents to obscure the source or ownership of money gambled by customers and their identities | Medium (2) | High (3) | High (6) | New risk rating | Customer | ‘Smurfing’ | Medium (2) | High (3) | High (6) | New risk rating | Means of payment | Cryptoasset transactions | Medium (2) | High (3) | High (6) | New risk rating | Means of payment | Pre-paid cards | Medium (2) | High (3) | High (6) | Decrease in likelihood | Means of payment | Multiple methods of payment | Medium (2) | High (3) | High (6) | New risk | Means of payment | E-wallets | Medium (2) | Medium (2) | Medium (4) | No change |
False or stolen ID
A criminal used stolen ID and debit cards with a gambling operator. The individual deposited funds from several stolen debit cards into the gambling account and then attempted to withdraw the funds to one debit card.
Multiple methods of payment
An individual made deposits into their gambling account from several different debit cards as well as an e-wallet. When withdrawing funds, they only used the e-wallet.
A customer made multiple deposits using numerous debit cards within the first hour of opening their account.
Accessibility to multiple accounts
Following Know Your Customer (KYC) checks an individual was identified as having deposits and credits with several dozen online gambling operators and payment processors during only a few months.
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| Bingo (non-remote) | Medium | Medium |
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Likelihood of event occurring | Impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance | Medium (2) | Medium (2) | Medium (4) | No change | Operator control | Lack of or inadequate ‘know your customer’ (KYC) checks conducted resulting in criminals laundering criminal proceeds | Medium (2) | Medium (2) | Medium (4) | No change | Operator control | Third party business relationships and business investors | Medium (2) | Medium (2) | Medium (4) | New risk | Licensing and integrity | Gambling operations being acquired by organised crime to launder criminal proceeds | Low (1) | Medium (2) | Low (2) | No change | Licensing and integrity | Employees colluding with criminals | Low (1) | Medium (2) | Low (2) | No change | Customer | Anonymous customers laundering proceeds of crime through gaming machines | Low (1) | Medium (2) | Low (2) | No change | Product | Electronic Betting Terminals (EBTs) including table-top gaming (either traditionally or via EBT content) | Low (1) | Medium (2) | Low (2) | No change | Product | Gaming Machines, Category B3 | Low (1) | Medium (2) | Low (2) | No change | Product | Bring your own device (BYOD) | Low (1) | Medium (2) | Low (2) | New risk rating | Means of payment | Cash payments | Medium (2) | Medium (2) | Medium (4) | No change | Means of payment | Ticket-in-ticket-out (TITO) facilities used to launder funds when used in conjunction with automatic ticket redemption machines (ATR) | Medium (2) | Medium (2) | Medium (4) | No change | Means of payment | Cashless payment | Low (1) | Medium (2) | Low (2) | No change | Means of payment | Scottish notes | Low (1) | Medium (2) | Low (2) | New risk |
Scottish notes
A customer attempted to exchange a large amount of Scottish notes for English notes at the cash desk but was unable to explain the origin of the funds when asked.
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| Adult Gaming Centres (AGCs) | Medium | Medium | Family Entertainment Centres (FECs) | Low | Low |
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Likelihood of event occurring | Impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance | Low (1) | Medium (2) | Low (2) | No change | Operator control | Lack of competency of key personnel and licence holders which can then be exploited by criminals seeking to launder the proceeds of crime (AGCs only) | Low (1) | Medium (2) | Low (2) | No change | Operator control | Lack of competency of key personnel and licence holders which can then be exploited by criminals seeking to launder the proceeds of crime (FECs only) | Low (1) | Medium (2) | Low (2) | No change | Operator control | Third party business relationships and business investors | Low (1) | Medium (2) | Low (2) | New risk | Licensing and Integrity | Arcade businesses being acquired by organised crime to launder criminal proceeds (AGCs only) | Low (1) | Medium (2) | Low (2) | No change | Licensing and Integrity | Arcade businesses being acquired by organised crime to launder criminal proceeds (FECs only) | Low (1) | Low (1) | Low (1) | No change | Customer | Anonymous customers laundering proceeds of crime through gaming machines (AGCs only) | Medium (2) | Medium (2) | Medium (4) | No change | Customer | Anonymous customers laundering proceeds of crime through gaming machines (FECs only) | Low (1) | Low (1) | Low (1) | No change | Product | Automated ticket redemption (ATR) machines used to facilitate the laundering of criminally derived funds (AGCs only) | Low (1) | Medium (2) | Low (2) | No change | Product | Gaming machines, Category B3 being used to launder criminally derived funds (AGCs only) | Medium (2) | Medium (2) | Medium (4) | No change | Product | Privacy booths (AGCs only) | Medium (2) | Medium (2) | Medium (4) | No change | Product | Privacy booths (FECs only) | Medium (2) | Low (1) | Low (2) | No change | Product | Bring your own device (BYOD) | Low (1) | Medium (2) | Low (2) | No change | Means of payment | Cash transactions | Medium (2) | Medium (2) | Medium (4) | Increase in likelihood | Means of payment | Cashless payments | Medium (2) | Medium (2) | Medium (4) | No change | Means of payment | Ticket-in-ticket-out (TITO) facilities used to launder funds, when used in conjunction with ATR machines (AGCs only) | Low (1) | Medium (2) | Low (2) | No change | Means of payment | Dyed notes | Low (1) | Medium (2) | Low (2) | No change | Means of Payment | Scottish notes | Low (1) | Medium (2) | Low (2) | New risk |
Dyed notes
Several hundred pounds of stained notes were found in gaming machines located at an AGC.
Scottish notes
Counterfeit Scottish notes have been found in gaming machines at several venues across the UK.
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| Society lotteries (remote and non-remote) | Low | Low | External Lottery managers (remote and non-remote) | Low | Low |
Society lotteries and the National Lottery are being assessed separately for the purposes of this assessment as they are two separate sectors and the risks posed differ.
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Likelihood of event occurring | Impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance | Low (1) | Low (1) | Low (1) | Decrease in likelihood | Operator control | Third party business relationships and business investors | Low (1) | Low (1) | Low (1) | No change | Operator control | Licensee failing to transfer lottery proceeds to charities | Low (1) | Medium (2) | Low (2) | Increase in impact | Licensing and integrity | Operator being acquired by organised crime to launder criminal funds | Low (1) | Low (1) | Low (1) | No change | Customer | Anonymous customers (Non-Remote) | Low (1) | Low (1) | Low (1) | No change | Customer | False and stolen identity documentation | Low (1) | Low (1) | Low (1) | No change | Customer | Customer not physically present (remote) | Low (1) | Low (1) | Low (1) | No change | Product | Interactive instant win games (online) | Low (1) | Low (1) | Low (1) | No change | Products | Scratch cards or interactive instant win games | Low (1) | Low (1) | Low (1) | No change | Means of payment | Cash transactions (non-remote only) | Low (1) | Low (1) | Low (1) | No change |
Licensee failing to transfer lottery proceeds to charities
An External Lottery Manager (ELM) was convicted of misusing lottery proceeds. The Chief Executive Officer (CEO) used lottery proceeds to cover the costs of running the business and failed to pass on the proceeds to charities.
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| National Lottery | Low | Low |
For this assessment, the risks associated with the National Lottery and society lotteries have been assessed separately.
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Likelihood of event occurring | Impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance | Low (1) | Low (1) | Low (1) | No change | Operator control | 'Know your customer' (KYC) checks | Low (1) | Low (1) | Low (1) | New risk rating | Licensing and integrity | National Lottery acquired by organised crime to launder criminal funds | Low (1) | Medium (2) | Low (2) | No change | Customer | Anonymous customers (non-remote) | Low (1) | Medium (2) | low (2) | No change | Customer | False and stolen identity documentation | Low (1) | Low (1) | Low (1) | No change | Customer | Customer not physically present (remote) | Low (1) | Low (1) | Low (1) | No change | Product | Scratch cards or interactive instant win games | Low (1) | Low (1) | Low (1) | No change1 | Means of payment | Cash transactions | Low (1) | Low (1) | Low (1) | No change |
1 Previously rated ‘very low’ - the change reflects changes to the methodology rather than the overall risk.
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| Gambling software (remote and non-remote) | Low | Low |
The gambling software and gaming machine technical sectors have been assessed separately in this assessment as they are two separate gambling sectors.
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Likelihood of event occurring | Impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance | Low (1) | Low (1) | Low (1) | No change | Operator control | Inadequate or lack of due diligence checks on any third-party providers (for example, test houses) | Low (1) | Medium (2) | Low (2) | No change | Operator control | Third-party business relationships and business investors | Low (1) | Medium (2) | Low (2) | New risk |
| Sector | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| Gaming machine technical (remote and non-remote) | Low | Low |
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Likelihood of event occurring | Impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to comply with prevention of money laundering and terrorist financing legislation and guidance | Low (1) | Low (1) | Low (1) | No change | Operator control | Inadequate or lack of due diligence checks on any third-party providers (for example, test houses) | Medium (2) | Low (1) | Low (2) | No change | Operator Control | Lack of adherence with Technical Standards | Low (1) | Low (1) | Low (1) | No change | Operator control | Third-party business relationships and business investors | Low (1) | Medium (2) | Low (2) | New risk | Product | Gaming machines Category B, C and D, fixed odds betting terminals (FOBTs), self-service betting terminals (SSBTs), ticket-in-ticket-out (TITO) used to launder the proceeds of crime | Low (1) | Low (1) | Low (1) | No change | Product | TITO-enabled gaming machines used to launder funds when used with Automated ticket redemption machines (ATR) | Low (1) | Low (1) | Low (1) | No change |
| Sectors | Previous overall risk rating | Current overall risk rating |
|---|---|---|
| All sectors | Low | Medium |
For further information relating to the inherent risks (including vulnerabilities, consequences and controls), see our previous 2020 risk assessment.
| Vulnerability | Risk | Likelihood of event occurring | Impact of event occurring | Overall risk | Change in risk |
|---|---|---|---|---|---|
| Operator control | Operators failing to understand or take consideration of terrorist financing vulnerabilities and applicable legislation | Low (1) | High (3) | Medium (3) | Increase in impact | Product | Money Service Businesses (MSB) | Low (1) | High (3) | Medium (3) | Increase in impact | Product | Charities and terrorist financing | Low (1) | High (3) | Medium (3) | Increase in impact | Customer | Mule accounts | Low (1) | High (3) | Medium (3) | Increase in impact | Customer | Increase in right-wing terrorism | Low (1) | High (3) | Medium (3) | Increase in impact | Means of payment | Cryptoasset transactions | Low (1) | High (3) | Medium (3) | Increase in impact | Means of payment | Pre-paid cards | Low (1) | High (3) | Medium (3) | Increase in impact | Means of payment | Cash transactions | Low (1) | High (3) | Medium (3) | Increase in impact | Geographic | International terrorism | Low (1) | High (3) | Medium (3) | Increase in impact |
Some potential ‘red flag’ indicators that operators should be alert to, based on evidence reviewed, are:
As part their commitment to anti-money laundering and the prevention of terrorist financing, operators need to refer to The Gambling Commission's Money laundering and terrorist financing risk assessment: 2019 (opens in new tab) (PDF) and the money laundering and terrorist financing risk assessment: 2020.