This box is not visible in the printed version.
Guidance for remote and non-remote casinos: fifth edition
Published: 13 November 2020
Last updated: 27 May 2021
This version was printed or saved on: 2 April 2023
Online version: https://www.gamblingcommission.gov.uk/guidance/the-prevention-of-money-laundering-and-combating-the-financing-of-terrorism
The terms 'proceeds of crime' or 'criminal proceeds' refer to all property which a person benefits from by being party to criminal conduct, either directly or indirectly.
It also includes property that a person gains by spending the proceeds of criminal conduct. For example, if a person uses money earned from drug dealing to buy a car or a house, or spends money gained in a bank robbery to gamble.
It is defined in section 340 of the Proceeds of Crime Act 2002 (POCA) (opens in new tab). It covers a wide range of circumstances, involving any activity concerning the proceeds of any crime.
For example, this may include:
Money laundering of criminal proceeds is often needed because of the cash-intensive nature of the underlying crime. For example, drug dealing, where payments are often small amounts paid in cash. Money is placed into the financial system or retail market, or smuggled to another country.
The aim of the money launderer is to avoid detection by the authorities and to then transform the criminal proceeds into other assets.
Layering is an attempt to conceal or disguise the source and ownership of the criminal proceeds by creating complex layers of financial transactions. These layers obscure the audit trail and provide anonymity. The purpose is to disassociate the criminal proceeds from the criminal activity which generated them.
Layers are usually created by moving monies in and out of accounts and by using electronic fund transfers.
Integration involves integrating the criminal proceeds into the legitimate economic and financial system. Therefore, assimilating it with other assets.
Integration of 'clean money' into the economy is achieved by the the money launderer making it appear legally earned or obtained.
The land-based gambling industry is particularly vulnerable during the placement stage, as cash is widely used. The remote gambling industry may seem less vulnerable as electronic transfers are required for placements. However, identity theft and identity fraud can enable the money launderer to move criminal proceeds anonymously. The use of multiple internet transactions can also facilitate the layering stage of money laundering.
Casino operators should be mindful that the offence of money laundering also includes simple criminal spend (the use of criminal proceeds to fund gambling as a leisure activity). It may not include all the typical stages of the laundering process, if any at all.
The Financial Action Task Force (FATF) is the inter-governmental body responsible for setting the international standards for anti-money laundering (AML) and countering terrorist financing (CTF).
They issue recommendations which member countries should implement in order to combat money laundering and terrorist financing. These recommendations are implemented by over 190 countries.
The FATF Recommendations (opens in new tab) set out the essential measures that countries should have in place to:
Criminal offences of money laundering were first introduced in the United Kingdom in the Criminal Justice Act 1988 (opens in new tab) and the Drug Trafficking Offences Act 1986 (opens in new tab).
POCA consolidated, updated and reformed the criminal law relating to money laundering to include any dealing in 'criminal property', which is defined widely as the proceeds of any type of crime, however small the amount.
The principal offences criminalise any involvement in the proceeds of any crime if the person knows or suspects that the property is criminal property.3
These offences relate to the concealing, disguising, converting, transferring, acquisition, use and possession of criminal property, as well as an arrangement which facilitates the acquisition, retention, use or control of criminal property.
Concealing or disguising property includes concealing or disguising its:
Whilst 'converting' criminal property is not defined in POCA, it is suggested that this be given its conventional legal meaning, that is that the 'converter' has dealt with the property in a manner inconsistent with the rights of the true owner of the property. For example, a criminal steals cash in a bank robbery and then uses that cash to open a gambling account and gamble.
Section 328 of POCA (link opens in a new tab), provides that a person commits an offence if they enter into or become concerned in an arrangement which they know or suspect facilitates, by whatever means, the acquisition, retention, use or control of criminal property by or on behalf of another person.
An example of this in the gambling industry would be for a casino operator knowingly to accept stakes that are the proceeds of criminal activity.
Acquisition, use and possession under section 329(1) (link opens in a new tab) includes, for example, when a person carries, holds or looks after criminal property or acquires criminal property for 'inadequate consideration'. This means when a person buys or exchanges something which is significantly below market value (inadequate consideration). However, a person does not commit such an offence if they acquired or used or had possession of the property for adequate consideration.4
The principal money laundering offences are wide and can be committed by any person. For example, a casino employee who has knowledge or suspicion that a customer is using the proceeds of crime, or has possession of the proceeds of criminal activity.
The offence of money laundering and the duty to report under POCA apply in relation to the proceeds of any criminal activity, wherever conducted, including abroad, that would constitute an offence if it took place in the UK. However, a person does not commit an offence of money laundering where it is known or believed, on reasonable grounds, that the relevant criminal conduct occurred outside the United Kingdom and the relevant conduct was not criminal in the country where it took place and is not of a description prescribed by an order made by the Secretary of State. 5
The money laundering offences assume that a criminal offence has occurred in order to generate the criminal property which is now being laundered. This is often known as a predicate offence. No conviction for the predicate offence is necessary for a person to be prosecuted for a money laundering offence. 6
In addition, POCA contains provisions for the recovery of the proceeds of crime and forfeiture can be granted, regardless of whether a conviction for any offence has been obtained or is intended to be obtained. Under certain circumstances, criminal property can be recoverable even if it is disposed of to another person.8
The Terrorism Act 2000 (the Terrorism Act) (link opens in a new tab) establishes several offences about engaging in or facilitating terrorism, as well as raising or possessing funds for terrorist purposes. It establishes a list of proscribed organisations that are believed to be involved in terrorism. In December 2007, tipping off offences and defences to the principal terrorist property offences were introduced.9
The Terrorism Act applies to all persons and includes obligations to report suspected terrorist financing. The offences of failing to disclose and tipping off are specific to people working in firms covered by the Money Laundering Regulations (the Regulations), and who are therefore in the regulated sector, which includes casinos.
The Regulations 10 represent the UK's response to the FATF Recommendations and implement the law in the UK on this topic. They set requirements for the AML and CTF regime within the regulated sector, which includes casinos.
The Regulations apply to non-remote and remote casinos, licensed by the Commission, who act in the course of business carried on by them in the UK.
This includes remote casinos which either:
This guidance sets out how casino operators must and can comply with the law governing money laundering and terrorist financing. The law places responsibilities on the Commission as the supervisory authority for casinos. The Commission should produce guidance that helps casino operators to meet the requirements of the law, is workable in the remote and non-remote casino environments and is approved by HM Treasury. This guidance, therefore, covers the full requirements of the UK law as it affects casinos.
Operators have a responsibility to uphold the three licensing objectives set out in the Gambling Act 2005 (the Act) (link opens in a new tab). The first of those licensing objectives is to prevent gambling from being a source of crime or disorder, being associated with crime or disorder or being used to support crime.
In order to avoid committing offences under POCA, operators should report instances of known or suspected money laundering or terrorist financing by customers to the National Crime Agency (link opens in a new tab) (the NCA) and, where a defence (appropriate consent) is requested, wait for such defence (consent) to deal with a transaction or an arrangement involving the customer, or wait until a set period has elapsed before proceeding.
Operators should be aware that there is no minimum financial threshold for the management and reporting of known or suspected money laundering or terrorist financing activity.
The Commission requires operators to prevent gambling being a source of crime or disorder, being associated with crime or disorder or being used to support crime. This guidance document is an important frame of reference to help casino operators meet that objective.
Whilst potential breaches of POCA and the Terrorism Act (opens in a new tab) will normally be reported to the NCA and fall to the police to investigate, the Commission, in its role as the gambling regulator, seeks assurance that risks to the licensing objectives posed by money laundering activity and terrorist financing are effectively managed, and this guidance will assist casino operators to meet their obligations under POCA, the Regulations and the Terrorism Act (opens in a new tab), where appropriate.
Under the Regulations, 12 the Commission is designated as the supervisory authority for casinos.
The Commission therefore adopts a risk-based approach to its role as supervisory authority. We focus our attention on circumstances where the processing of criminal funds or criminal spend indicates serious failures in an operator’s arrangements for the management of risk and compliance with POCA, the Regulations and the Terrorism Act (opens in a new tab) or a breach of a licence condition, or makes a reasonably significant contribution to the financial performance of the business, particularly concerning their continued suitability to hold a licence.16
Where a casino operator fails to uphold the licensing objectives, for example by being ineffective in applying AML or CTF controls or ignoring their responsibilities under POCA, the Regulations and the Terrorism Act (opens in a new tab), or breaches an applicable licence condition, the Commission will consider reviewing the operating licence under section 116 (opens in a new tab) of the Act.
Certain activities carried out by casinos in respect of the services they offer to customers are categorised as money service business (MSB) activities. By acting as a cheque casher or currency exchange, accepting winners’ cheques and foreign currency, or transmitting money, casinos are subject to registration with, and supervision by, HM Revenue and Customs (HMRC). The exemptions that remove this requirement, where the MSB activities are occasional or very limited, do not apply to casinos because of the value of the transactions typically involved. However, in order to avoid dual regulation, and as provided by the Regulations 17 there is an agreement between HMRC and the Commission that the Commission performs the supervisory role for the MSB activities in question. This means that it is not necessary for non-remote casinos to register with HMRC in this regard. Casinos should however note that, in its capacities as a supervisory authority and a law enforcement authority, HMRC may use the UK AML regime to gather information for tax purposes.18
All gambling operators have a responsibility to keep financial crime out of gambling. POCA places an obligation on gambling operators to be alert to attempts by customers to gamble money acquired unlawfully, either to obtain legitimate or 'clean' money in return (and, in doing so, attempting to disguise the criminal source of the funds) or simply using criminal proceeds to fund gambling. Both modes of operation are described as money laundering.
This guidance sets out what is expected of casino operators and their employees in relation to the prevention of money laundering and terrorist financing, but allows them some discretion as to how they apply the requirements of the AML or CTF regime in the particular circumstances of their business. It will be of direct relevance to senior management and nominated officers in remote and non-remote casinos.
While the guidance focuses primarily on the relationship between casino operators and their customers, and the money laundering risks presented by transactions with customers, operators should also give due consideration to the money laundering risks posed by their business-to-business relationships, including any third parties they contract with.19
The purpose is to give guidance to those who set casino operators’ risk management policies, procedures and controls for preventing money laundering and terrorist financing. The guidance aims to assist casino operators with detail about how to comply with the Regulations and the wider legal requirements, and is intended to allow operators flexibility as to how they comply. Casino operators will need to establish more detailed and more specific internal arrangements directed by senior management and nominated officers to reflect the risk profile of their business.
This guidance is not intended to be a substitute for legal advice and nothing in this document should be construed as such. Anyone requiring clarification on the legal issues contained in this document should seek their own independent legal advice. Neither is this document a substitute for casino operators’ individual risk management plans. Casino operators should refer to the Regulations and associated legislation in making decisions in relation to the Regulations.
The examples used throughout are for illustrative purposes only. The references to legislation and case law are accurate at the time of writing, but these may be subject to repeal or amendment.
In this guidance, the word 'must' denotes a legal obligation, while the word 'should' is a recommendation of good practice, and is the standard that the Commission expects casino operators to adopt and evidence. The Commission will expect casino operators to be able to explain the reasons for any departures from that standard.
The guidance emphasises the responsibility of senior management to manage the casino operator’s money laundering and terrorist financing risks, and how this should be carried out on a risk-based approach. It sets out a standard approach to the identification of customers and verification of their identities, separating out basic identity from other measures relating to customer due diligence (CDD), including the obligation to monitor customer activity.
It is accepted that a proportionate risk-based approach must meet a variety of scenarios and, as such, must be based on an understanding of how the business is designed to operate. There is, therefore, a need for ongoing and repeated assessments of risk to meet changing circumstances.
POCA requires a court to take account of industry guidance, such as this, that has been approved by a Treasury minister when considering whether a person within the regulated sector has committed the offence of failing to report. Similarly, the Terrorism Act (opens in a new tab) requires a court to take account of such approved industry guidance when considering whether a person has failed to report under that Act 20. The Regulations require that a court must consider whether someone has followed this guidance if they are prosecuted for failing to comply with the Regulations.21
Casino operators must be able to demonstrate that they have taken all reasonable steps to comply with all the AML requirements. If they can demonstrate to a either a court, the Commission or both, that they have followed this guidance, then the court or the Commission is obliged to take that into account.
While the Commission is not a 'designated supervisory authority' under the Regulations 22 an ordinary code provision 23 within the licence conditions and codes of practice requires casino operators to act in accordance with this guidance.
The Commission and other agencies or authorities that have the appropriate authorisation under POCA in England and Wales 24 can, in certain circumstances, apply for orders and warrants in relation to money laundering, for the purpose of, for example:
The guidance provides a sound basis for casino operators to meet their statutory and regulatory obligations when tailored by operators to their particular business risk profile. Departures from this guidance, and the grounds for doing so, should be documented and may have to be justified to, amongst others, the Commission.
Casino operators are required to comply with the applicable licence conditions and codes of practice 25 and should read this guidance in conjunction with the conditions and codes. Should casino operators breach the licence conditions or not follow the code provisions, the Commission may consider reviewing the operating licence in accordance with section 116 (opens in a new tab) of the Act. This could result in the suspension or revocation of the operator’s licence under sections 118 (opens in a new tab) and 119 (opens in a new tab) of the Act. The Commission may also consider imposing a financial penalty where we think that a licence condition has been breached, in accordance with section 121 (opens in a new tab) of the Act.
This requires operators to:
(a) This must be done in writing, see what casino opertors must do for identifying and addressing risks.
(b) This must be done in writing, see what casino operators must maintain a record in writing of.
This requires operators based in foreign jurisdictions to comply with Parts 2 and 3 of the Regulations.
This requires operators to report the appointment of a person to a position where the holder of which has overall responsibility for the licensee’s AML or CTF compliance and/or for the reporting of known or suspected money laundering or terrorist financing activity.
This requires operators to report any actual or potential breaches by the licensee of the requirements imposed by or under Parts 7 (opens in a new tab) or Part 8 (opens in a new tab) of the Proceeds of Crime Act 2002, or Part 3 (opens in a new tab) of the Terrorism Act (opens in a new tab).
This requires operators to report:
This requires operators to take into account the Commission’s guidance on anti-money laundering.
The Regulations impose compulsory requirements and a breach can constitute a criminal offence 26. However, within this legal framework of requirements, casinos have flexibility to devise policies, procedures and controls which best suit their assessment of the money laundering and terrorist financing risks faced by their business. The Regulations require the identification and assessment of money laundering and terrorist financing risks, and the establishment and maintenance of proportionate policies, procedures and controls to mitigate and manage effectively the risks identified. 27
Operators are already expected to manage their operations with regard to the risks posed to the licensing objectives in the Act, and measure the effectiveness of the policies, procedures and controls they have put in place to manage the risks to the licensing objectives. The approach to managing the risks of the operator being used for money laundering or terrorist financing is consistent with the regulatory requirements.
Most operators manage their commercial or business risks and measure the effectiveness of the policies, procedures and controls they have put in place to manage those risks. A similar approach is appropriate to managing the operator’s regulatory risks, including money laundering and terrorist financing risks. Existing risk management systems should, therefore, address the regulatory and money laundering and terrorist financing risks, or a separate system should be in place for that purpose. The detail and complexity of these systems will depend on the operator’s size and the complexity of their business.
The risk-based approach involves a number of discrete steps in assessing the most proportionate way to manage and mitigate the money laundering and terrorist financing risks faced by the operator.
These steps require the operator to:
The possibility of gambling facilities being used by criminals to assist in money laundering or terrorist financing poses many risks for casino operators. These include criminal and regulatory sanctions for operators and their employees, civil action against the operator and damage to the reputation of the operator, leading to a potential loss of business.
Casino operators can offset any burden of taking a risk-based approach with the benefits of having a realistic assessment of the threat of the operator being misused in connection with money laundering or terrorist financing. It focuses the effort where it is most needed and will have most impact. It is not a blanket one size fits all approach, and therefore operators have a degree of flexibility in their methods of compliance.
A risk-based approach requires the full commitment and support of senior management, and the active co-operation of all employees. It should be part of the casino operator’s philosophy and be reflected in the operator’s policies, procedures and controls. There needs to be a clear communication of the policies, procedures and controls to all employees, along with robust mechanisms to ensure that they are carried out effectively, weaknesses are identified, and improvements are made wherever necessary. Where the casino operator forms part of a larger group of companies, there needs to be sufficient senior management oversight of the management of risk.
The figures in this guidance include a proposed architecture for the risk-based process which operators can adopt as good practice within their businesses. While this architecture represents a suggested approach, it does nonetheless contain elements which are requirements under the Regulations or other financial crime legislation. These requirements are detailed throughout the guidance.
The Regulations require casino operators to take appropriate steps, taking into account the size and nature of its business, to identify and assess the risks of money laundering and terrorist financing to which its business is subject, taking into account the following:
The casino operator should assess its risks in the context of how it is most likely to be involved in money laundering, criminal spend or terrorist financing.
Operators should also give due consideration to the money laundering risks posed by their business-to-business relationships, including any third parties they contract with. The assessment of these risks is based, among other things, on the risks posed to the operator by transactions and arrangements with business associates and third-party suppliers such as payment providers and processors, including their beneficial ownership and source of funds. Effective management of third-party relationships should assure operators that the relationship is a legitimate one, and that they can evidence why their confidence is justified.30
The World Economic Forum has published good practice guidelines on conducting third party due diligence (PDF) (opens in new tab)
A money laundering and terrorist financing risk assessment is a product or process based on a methodology, agreed by the parties involved, that attempts to identify, analyse and understand money laundering and terrorist financing risks. It serves as the first step in addressing the risks and, ideally, involves making judgments about threats, vulnerabilities and consequences.
Persons, or groups of people, objects or activities with the potential to cause harm, including criminals, terrorist groups and their facilitators, their funds, as well as past, present and future money laundering or terrorist financing activities.
Things that can be exploited by the threat or that may support or facilitate its activities and means focussing on the factors that represent weaknesses in AML or CTF systems or controls or certain features of a country, particular sector, financial product or type of service that make them attractive for money laundering and terrorist financing.
This refers to the impact or harm that money laundering or terrorist financing may cause, including the effect of the underlying criminal and terrorist activity on financial systems and institutions, the economy and society more generally.
The key to any risk assessment is that it adopts an approach that attempts to distinguish the extent of different risks to assist with prioritising mitigation efforts, rather than being a generic box-ticking exercise.
The identification process begins by developing an initial list of potential risks or risk factors when combating money laundering and terrorist financing. Risk factors are the specific threats or vulnerabilities that are the causes, sources or drivers of money laundering and terrorist financing risks. This list will be drawn from known or suspected threats or vulnerabilities. The identification process should be as comprehensive as possible, although newly identified or previously unidentified risks may also be considered at any stage in the process.
Analysis involves consideration of the nature, sources, likelihood, impact and consequences of the identified risks or risk factors. The aim of this stage is to gain a comprehensive understanding of each of the risks, as a combination of threat, vulnerability and consequence, in order to assign a relative value or importance to each of them. Risk analysis can be undertaken with varying degrees of detail, depending on the type of risk, the purpose of the risk assessment, and the information, data and resources available.
The evaluation stage involves assessing the risks analysed during the previous stage to determine priorities for addressing them, taking into account the purpose established at the beginning of the assessment process. These priorities can then contribute to development of a strategy for the mitigation of the risks.
Money laundering and terrorist financing risks may be measured using a number of factors. Application of risk categories to customers and situations can provide a strategy for managing potential risks by enabling casino operators to subject customers to proportionate controls and monitoring.
Casinos should also consider the risks posed by particular products they offer.31
Some countries pose an inherently higher money laundering and terrorist financing risk than others. In addition to considering their own experiences, casino operators should take into account a variety of other credible sources of information identifying countries with risk factors in order to determine that a country and customers from that country pose a higher risk. Casino operators may wish to assess information available from FATF and non-governmental organisations which can provide a useful guide to perceptions relating to corruption in the majority of countries.
Customers that are associated with higher risk countries, as a result of their citizenship, country of business or country of residence may present a higher money laundering and terrorist financing risk, taking into account all other relevant factors. Remote casinos should check customer location because of the additional risks which arise from cross-border operations. The country or geographic risk can also be considered in conjunction with the customer risk.
Determining the potential money laundering and terrorist financing risks posed by a customer, or category of customers, is critical to the development and implementation of an overall risk-based framework. Based on its own criteria, a casino should seek to determine whether a particular customer poses a higher risk and the potential impact of any mitigating factors on that assessment. Application of risk variables may mitigate or exacerbate the risk assessment.
Casinos should consider operational aspects (products, services, games, accounts and account activities) that can be used to facilitate money laundering and terrorist financing.
Product risk includes the consideration of the vulnerabilities associated with the particular products offered by the casino operator. In non-remote casinos there are a number of gambling opportunities that offer the potential for a money launderer to place funds and generate a winning cheque or similar with minimal play. These are more fully discussed in transaction risk including means of payment and include the use of cash and casino deposit accounts, and the redemption of chips. Also, a number of gambling activities take place in remote and non-remote casinos where customers effectively play against each other. This offers the money launderer a means to transfer value by deliberately losing to the individual to whom they want to transfer the funds.
The risk categories or factors described above are not intended to be prescriptive or comprehensive. They will not apply universally to all casino operators and, even when they are present, there may be different risk outcomes for different operators and premises, depending upon a host of other factors. However, the factors are intended as a guide to help casino operators conduct their own risk assessments, and to devise AML or CTF policies, procedures and controls which accurately and proportionately reflect those assessments.
The weight given to the risk factors used by the casino operator in assessing the overall risk of money laundering and terrorist financing, both individually or in combination, may vary from one operator or premises to another, depending on their respective circumstances. Consequently, casino operators also must make their own determination as to the weight given to risk factors.
These will also have an impact on the preventative measures necessary to tackle the risks in a proportionate manner.
These variables include:
Deciding that a customer presents a higher risk of money laundering or terrorist financing does not automatically mean that the person is a criminal, money launderer or terrorist financer. Similarly, identifying a customer as presenting a low risk of money laundering or terrorist financing does not mean that the customer is definitely not laundering money or engaging in criminal spend. Employees therefore need to remain vigilant and use their experience and common sense in applying the casino operator’s risk-based criteria and rules, seeking guidance from their nominated officer as appropriate.
Many customers carry a lower money laundering or terrorist financing risk. These might include customers who are regularly employed or who have a regular source of income from a known source which supports the activity being undertaken. This applies equally to pensioners, benefit recipients, or to those whose income originates from their partner’s employment or income.
Conversely, many customers carry a higher risk of money laundering. These may include known criminals, customers who are not regularly employed or who do not have a regular source of income from a known source which supports the level of activity being undertaken, or problem gamblers.
A drug dealer, whose only legitimate source of income for ten years was state benefits, spent more than £1 million in various gambling establishments over the course of two years, and lost some £200,000. All the transactions appeared to involve cash.
A grandparent with no previous gambling history, on a state pension, began to make weekly bets of about £100. Investigations later revealed that the grandparent was placing the bets on behalf of a grandson, a known criminal, and that the money spent was the proceeds of his criminal activity.
An individual was in receipt of state benefits with no other apparent form of income, but then gambled significant amounts through a licensed operator. Deposits of over £2 million were made to an online gambling account over the course of about two years from multiple sources, such as debit card and credit card, and various e-money and e-wallet services. Investigations revealed that their gambling was funded by criminal activity.
Over an extended period, an individual who claimed to be a gambling addict stole equipment worth a substantial amount of money from their employer and resold it for their own gain. They then used most of these criminal proceeds to gamble, depositing almost £6 million into an online gambling account and losing almost £5 million, involving about 40,000 individual gambling transactions. The individual remained in employment throughout this period.
A customer spent a large volume of cash at a casino, including a significant quantity of Northern Irish and Scottish bank notes. The customer told staff that the cash came from restaurants and takeaway food establishments that they ran around the UK. This explanation was accepted at face value by the staff. However, in reality the customer did not own any legitimate businesses and was later convicted of money laundering offences arising from criminal activity.
Where a customer is assessed as presenting higher risk, additional information in respect of that customer should be collected. This will help the casino operator judge whether the higher risk that the customer is perceived to present is likely to materialise, and provide grounds for proportionate and recorded decisions. Such additional information should include an understanding of where the customer’s funds and wealth have come from. While the Commission recognises that some relationships with customers will be transient or temporary in nature, casino operators still need to give consideration to this issue.
If casinos adopt the threshold approach to CDD, part of the risk-based approach will involve making decisions about whether or when verification should take place electronically. Casino operators must determine the extent of their CDD measures, over and above the minimum requirements, on a risk-sensitive basis depending on the risk posed by the customer and their level of gambling.
In order to be able to detect customer activity that may be suspicious, it is necessary to monitor all transactions or activity 32 The monitoring of customer activity should be carried out using the risk-based approach. Higher risk customers should be subjected to a frequency and depth of scrutiny greater than may be appropriate for lower risk customers. Casino operators should be aware that the level of risk attributed to customers may not correspond to their commercial value to the business.
Casino operators are best placed to identify and mitigate risks involved in their business activity. A crucial element of this is to have systems and controls to identify and link player activity, and for senior management to oversee risk management and determine whether their policies, procedures and controls are effective in design and application. Reliance on third parties to conduct risk assessment and management functions does not relieve the operator of its responsibility to assess and manage its own risks. Third party services should not be used in isolation or relied upon solely, and casino operators should be satisfied that the information supplied by the third party is sufficiently detailed, reliable and accurate.
There is a risk that customers will place and layer criminal proceeds through gambling transactions. We recommend that one way of mitigating this risk is to link the pay out of winnings with the means by which a customer pays for gambling transactions. We acknowledge that this will not eliminate the risk, but returning winnings in the same form, for example in cash or back to the same bank account, limits the opportunity for a money launderer to layer the proceeds of criminal activity. Where it is not feasible to return funds to the source or in the same form, casino operators should have controls in place to manage the risk of money laundering or terrorist financing occurring in these circumstances.
A money laundering or terrorist financing risk assessment is not a one-off exercise. Casino operators must therefore ensure that their policies, procedures and controls for managing money laundering and terrorist financing risks, including the detection of criminal spend, are kept under regular review.
For example, industry innovation may expose operators to new risks and an appropriate assessment of the risk is recommended before implementing any new product, system, control, process or improvement.33
This should be done just like any other business risk. They should assess the level of risk in the context of how their business is structured and operated, and the controls in place to minimise the risks posed to their business by money launderers and terrorist financers, including those engaged in criminal spend. The risk-based approach means that casino operators focus their resources on the areas which represent the greatest risk. The benefits of this approach include a more efficient and effective use of resources, minimising compliance costs and the flexibility to respond to new risks as money laundering and terrorist financing methods change.
There is a specific requirement in the Regulations that, when new products, business practices or technology are adopted by casino operators, appropriate measures are taken in preparation for, and during, the adoption of such products, business practices or technology to assess and, if necessary, mitigate any money laundering or terrorist financing risks the new product, business practice or technology may cause.34
Casino operators should be mindful that some risk indicators, for example, a pattern of increasing spend or spend inconsistent with apparent source of income could be indicative of money laundering, but also equally of problem gambling, or both.
There may also be patterns of play, for example, chasing losses that appear to be indicative of problem gambling that could also be considered to indicate other risks. For example, spend that is inconsistent with the individual’s apparent legitimate income could be the proceeds of crime.
While patterns of play may be one indicator of risk, casino operators should satisfy themselves that they have asked, or are prepared to ask, the necessary questions of customers when deciding whether to establish a business relationship, maintain the relationship or terminate the relationship.
In summary, it is perfectly plausible that an individual attempting to spend criminal proceeds or launder money could also be a problem gambler, but one does not necessarily follow the other. The responsibility is on the operator to be able to understand these dynamics and mitigate any risks to the licensing objectives.
Operators have the responsibility to comply with the licensing objectives and, therefore, they should carry out appropriate enquiries and assessments to ensure they do so. While the conclusions drawn and actions taken may differ according to whether money laundering and/or social responsibility risks are identified, the effective identification and management of these risks rests upon the ability of casino operators to have a comprehensive knowledge of their customer relationships and for managers to be clear on their responsibilities.
It is also important that the casino operator is able to reconcile information relating to customers’ gambling activities in different parts of the business so that they have a more complete picture of the risks posed by the activities of individual customers.
Commercial and business information should be considered for AML as well as social responsibility purposes when transacting with an individual. This should include arrangements for the monitoring of customers with whom a business relationship has been established. For example, information about customer spend can be used by the casino operator to proactively monitor high risk customers in relation to their money laundering risk.
Customer relationships need to be managed proficiently and records should be maintained as to what information was communicated to the customer, why it was communicated and what considerations were made. If players expect that customer interaction is likely should they play with large amounts of money, or for lengthy periods, and such interaction is consistently applied, there would be less reason for players to question or become suspicious of the motives of these interactions. Casino operators may find it helpful to provide their customers with a leaflet which explains why they are being asked questions about their game play.
The Commission recognises that some casino operators may find their obligations under POCA and the Regulations challenging, particularly in relation to the management of customer relationships, but it is incumbent on operators to have policies, procedures and controls in place to ensure that they comply with all relevant provisions of POCA and the Regulations (and the Act and the relevant licence conditions and codes of practice), in particular in relation to CDD, the reporting of money laundering activity by customers and the obtaining of a defence (appropriate consent) where necessary.
At all stages of the relationship it is necessary to consider whether the customer is engaging in money laundering or terrorist financing (including criminal spend); whether there is a need to report suspicious activity or seek a defence (appropriate consent); and any risks posed to the licensing objectives.
A business relationship is a business, professional or commercial relationship between a casino operator and a customer which arises out of the business of the casino operator and is expected by the operator, at the time when the contact is established, to have an element of duration. Casino operators are advised to interpret this definition widely.
For example, this may occur when the casino starts tracking a customer's drop/win figures, other than to establish when the customer reaches the €2,000 threshold for CDD.
This list is not exhaustive and a casino operator will need to form its own view of when contact is established, or circumstances otherwise arise, with a customer from which it expects, or it could reasonably be inferred that it expects, that the relationship with the customer will have an element of duration. The Commission acknowledges that this may not necessarily be the case when a casino operator permits a customer to join a casino loyalty scheme.
Where it is known that the customer is attempting to use the casino operator to launder criminal proceeds (including criminal spend), the operator must carefully consider whether either not to establish the business relationship, or to suspend or terminate the business relationship at the earliest opportunity. In either case, it is recommended that a SAR is submitted to the NCA and, where there are funds to be returned to the customer, seek a defence (appropriate consent) to a principal money laundering offence.
Where, through their customer profile or known pattern of gambling activity, the customer appears to pose a risk of actual or potential money laundering, the casino operator must monitor the gambling activity of the customer and consider whether further due diligence measures are required. This should include a decision about whether a defence (appropriate consent) should be sought for future transactions (on a transaction by transaction basis), or whether the business relationship with the customer should be terminated where the risk of breaches of POCA are too high.
Casino operators should ensure that the arrangements that they have in place to monitor customers and the accounts they hold across outlets, products and platforms (remote and non-remote) are sufficient to manage the risks that the operator is exposed to. This should include the monitoring of account deposits and withdrawals. Those casino operators that rely heavily on gaming machines should also have practical systems in place to effectively monitor and reconcile customer spend on gaming machines. Any suspicious activity should be reported by means of a SAR to the NCA.
Once knowledge or suspicion of criminal spend is linked to a customer in one area of the business, for example gaming machine play, casino operators should monitor thecustomer’s activity in other areas of the business, for example table games.
If the customer’s patterns of gambling lead to an increasing level of suspicion of money laundering, or to actual knowledge of money laundering, casino operators should seriously consider whether they wish to allow the customer to continue using their gaming facilities, otherwise the operator may potentially commit one of the principal money laundering offences.
Customer monitoring forms part of ongoing monitoring. More information is detailed in this guide.
As already discussed, to avoid potentially committing one of the principal money laundering offences, casino operators need to consider ending the business relationship with a customer in the following circumstances:
Additionally, where, in relation to any customer, the casino operator is unable to apply CDD measures, the business relationship with the customer must be terminated and the operator must submit a SAR to the NCA where they consider the circumstances to be suspicious.
Where the casino operator terminates a business relationship with a customer and they know or suspect that the customer has engaged in money laundering, they should seek a defence (appropriate consent) from the NCA before paying out any winnings or returning funds to the customer.
'senior management' means officers or employees of the casino operator with sufficient knowledge of the operator's money laundering and terrorist financing risk exposure, and of sufficient authority, to take decisions affecting its risk exposure.37
Senior management must be fully engaged in the processes for a casino operator’s assessment of risks for money laundering and terrorist financing, and must be involved at every level of the decision making to develop the operator’s policies and processes to comply with the Regulations. Disregard for the legal requirements, for example, turning a blind eye to customers spending criminal proceeds, may result in criminal or regulatory action.
It is considered best practice, and is explicit in parts of the Regulations, that a risk-based approach should be taken to tackling money laundering and terrorist financing.
Casino operators, using a risk-based approach, should start from the principle that most customers are not money launderers or terrorist financers. However, operators should have policies, procedures and controls in place to highlight those customers who, according to criteria established by the operator, may present a higher risk. The policies, procedures and controls should be proportionate to the risks presented.
An officer of a licensed casino operator which is subject to the Regulations (that is, a director, manager, secretary, chief executive, member of the management committee, or a person purporting to act in such a capacity) who consents to, or connives in, the commission of offences under the Regulations, or where the commission of any such offence is attributable to any neglect on their part, will be individually liable for the offence.38
Senior management should require that the nominated officer provides an annual report covering the operation and effectiveness of the operator’s systems and controls to combat money laundering and terrorist financing, and take any action necessary to remedy deficiencies identified by the report in a timely manner. In practice, senior management should determine the depth and frequency of information provided by the nominated officer that they feel is necessary to discharge their responsibilities. The nominated officer may also wish to report to senior management more frequently than annually, as circumstances dictate. The nominated officer may not need to provide the names of suspected persons in any report.
Casino operators must establish and maintain policies, procedures and controls to mitigate and manage effectively the risks identified in the operator's risk assessment of money laundering and terrorist financing.
In determining what is appropriate or proportionate with regard to the size and nature of their business, casino operators may take into account any guidance issued by the Commission or appropriate body, and approved by HM Treasury. 40. An appropriate body is a body which regulates or is representative of any trade, profession, business or employment carried on by a casino operator41 (and includes trades bodies such as the Betting and Gaming Council).
Casino operators must, where relevant, communicate the policies, procedures and controls they establish and maintain to their branches and subsidiary undertakings which are located outside the UK.45
Where appropriate, with regard to the size and nature of the business, a casino operator must appoint a member of its board of directors (or equivalent management body if there is no board) or of its senior management as the officer responsible for the operator's compliance with the Regulations.46
In determining what is appropriate or proportionate with regard to the size and nature of their business, casino operators must take into account their risk assessment and should take into account any guidance issued by the Commission or appropriate body, and approved by HM Treasury.47 An appropriate body is a body which regulates or is representative of any trade, profession, business or employment carried on by a casino operator48 (and includes trades bodies such as the Betting and Gaming Council).
Where the casino operator appoints a board member as the officer responsible for the operator's compliance with the Regulations, it is important that this member and the director or senior manager who is allocated the overall responsibility for the establishment and maintenance of the operator's AML and CTF systems (where they are not the same person) are clear on their responsibilities.
The casino operator must, within 14 days of the appointment, inform the Commission of the identity of the individual appointed as the officer responsible for the operator's compliance with the Regulations, and any subsequent appointment to that position.49 In order to meet this requirement, operators should comply with licence condition 15.2.3(2) and (3).
The internal controls must, where appropriate with regard to the size and nature of the casino operator's business, also provide for:
In determining what is appropriate or proportionate with regard to the size and nature of their business, casino operators must take into account their risk assessment and should take into account any guidance issued by the Commission or appropriate body, and approved by HM Treasury.51 An appropriate body is a body which regulates or is representative of any trade, profession, business or employment carried on by a casino operator52 (and includes trades bodies such as the Betting and Gaming Council).
Casino operators must establish and maintain systems that enable them to respond fully and rapidly to enquiries from financial investigators accredited under section 3 (link opens in a new tab), of POCA, persons acting on behalf of the Scottish Ministers in their capacity as an enforcement authority under POCA, or constables or equivalent officers of any law enforcement authority, in relation to:
The Regulations require that all relevant employees of casinos must be trained on the prescribed AML and CTF topics54 .
One of the most important controls for the prevention and detection of money laundering is to have employees who are alert to the risks of money laundering and terrorist financing, and who are well trained in the identification of unusual activities or transactions which appear to be suspicious, as well as in the accurate verification of customers’ identities. The effective application of even the best designed control systems can be quickly compromised if the employees applying the systems are not adequately trained. The effectiveness of the training will therefore be important to the success of the casino operator’s AML or CTF strategy.
Casino operators should devise and implement a clear and well-articulated policy and procedure for ensuring that relevant employees are aware of their legal obligations in respect of the prevention of money laundering and terrorist financing, and for providing them with regular training in the identification and reporting of anything that gives grounds for suspicion of money laundering or terrorist financing. Casino operators should also monitor the effectiveness of such training, to ensure that all employees are trained in an appropriate and timely manner, and that the training is fit for purpose.
If they do not make an internal report to their nominated officer when necessary, they may also face criminal sanctions. It is important that employees are made aware of their legal obligations, and are given training in how to discharge them.
The Regulations require casino operators to take appropriate measures so that their relevant employees, and any agents they use for the purposes of their business whose work is of a kind mentioned in the following section, are:
Casino operators must maintain a record in writing of the appropriate training measures they have taken and, in particular, of the training given to their relevant employees and to any agents they use for the purposes of their business whose work is of a kind mentioned in the following paragraph.56
'Relevant employees' are employees whose work is relevant to the casino operator's compliance with any requirements in the Regulations, or able to contribute to:
This includes the holders of personal management licences and personal functional licences issued by the Commission, as well as employees responsible for completing CDD measures and any agents used by the operator to undertake the work mentioned above.
should take account of the guidance issued by the Commission or by any body which represents the casino industry in Britain, such as the Betting and Gaming Council. 58
The content of any training, the regularity of training and the assessment of competence following training are matters for each casino operator to assess and decide in light of the money laundering and terrorist financing risks they identify, provided the requirements of regulation 24 are met. The Commission will expect such issues to be covered in each operator’s policies and procedures. These should make provision for the attainment of an appropriate competence level by the relevant employees prior to them undertaking the duties for which they will be responsible. This may, for example, be achieved by the attainment of an appropriate pass rate in a competency test following training.
There is no single solution when determining how to deliver training and a mix of training methods may, therefore, be appropriate. Online training systems can provide a solution for many employees, but this approach may not be suitable for all employees. Classroom training can be more effective in these circumstances.
Procedure manuals, whether paper or electronic, are useful in raising employee awareness and can supplement more dedicated forms of training, but their main purpose is generally to provide ongoing reference rather than being written as training material.
Ongoing training must be given to all relevant employees at appropriate intervals. Records should be maintained to monitor who has been trained, when they received the training, the nature of the training and the effectiveness of the training.
The nominated officer should be heavily involved in devising and managing the delivery of such training, taking particular care to ensure that systems are in place to cover all part time or casual employees.
The National Crime Agency website (opens in a new tab) has resources such as threat assessments and risk profiles, which casino operators may wish to make their employees aware. The information available on this website could usefully be incorporated into operators’ training materials.
The Home Office publishes guidance on examining identity documents (PDF) (opens in new tab) that may help staff identify fraudulent documents.59
We would also recommend that casino operators consult our AML webpages (opens in new tab) which has useful information. This includes statements regarding AML controls and links to other AML resources.60
Casino operators must appoint an individual in their firm61 as a nominated officer62 ,who is responsible for:
This is as a matter of good practice. Where the function is performed by one person for multiple licensees within the same group, the Commission would seek assurances, with supporting information, that the nominated officer has sufficient oversight of AML across all those licensed entities. This does not allow the nominated officer function to be outsourced to an individual independent of the firm. The requirement to appoint a nominated officer does not apply where the casino operator does not employ, or act in association with, any other person63.
The role of the nominated officer is to apply the same rigour in their approach to managing money laundering and terrorist financing risk as the operator does in managing its commercial systems. The nominated officer should report to the board internally (or to the chief executive for small organisations), and direct to the NCA in relation to known or suspected money laundering or terrorist financing activity (including criminal spend), request a defence, or both (appropriate consent).
The nominated officer should be able to monitor the day-to-day operation of the operator’s AML or CTF policies and respond promptly to any reasonable request for information made by the Commission or law enforcement bodies. The nominated officer is expected to take ultimate managerial responsibility for AML issues, but this does not diminish senior management responsibility for AML.
The term 'nominated officer' is used and defined in the Regulations65 .
The nominated officer is responsible for the oversight of all aspects of the casino operator’s AML or CTF activities at all premises. They are the focal point for all activity within the operator relating to AML. The individual appointed as nominated officer must have a sufficient level of seniority. The nominated officer should hold a personal management licence (PML) issued by the Commission. The job description of the nominated officer should clearly set out the extent of the responsibilities given to them and their objectives. The nominated officer will need to be involved in establishing the basis on which a riskbased approach to the prevention of money laundering and terrorist financing is put into practice.
In determining the status of the nominated officer and identifying the appropriate position for this officer within the overall organisational structure, casino operators need to ensure their independence within the business and that they have access to all relevant information to enable them to discharge their duties. Responsibilities will include objectively reviewing decisions and, on occasions, making recommendations that may conflict with, for instance, short term operational goals.
The Commission is content, for example, that the nominated officer may take on other compliance roles and responsibilities. However, this is subject to the key principles set out here, including the ability to report directly to the board or the head of the organisation and the NCA, and the ability to make AML decisions independently of operational concerns.
The casino operator's senior management must ensure that the nominated officer has sufficient resources available, including appropriate employees, technology and training. This should include arrangements that apply in the temporary absence of the nominated officer.
Where a nominated officer is temporarily unavailable, another PML holder may deputise. Casino operators should consider appointing a permanent deputy nominated officer.
Where a casino operator’s nominated officer delegates to another employee, the nominated officer remains responsible for AML issues and is likely to remain liable for the commission of any criminal offences relating to POCA, the Terrorism Act (opens in a new tab) or the Regulations.
A casino operator must require that anyone working for the operator, to whom information or other matter comes in the course of business, as a result of which they know or suspect, or have reasonable grounds for knowing or suspecting, that a person is engaged in money laundering or terrorist financing makes an internal report to their nominated officer.
Whilst disclosure to another of the fact that a person may be engaged in money laundering is generally an offence66 , such disclosures to a nominated officer, constable or customs officer are specifically protected, where they are made as soon as is practicable and the information came to their attention in the course of their trade, profession, business or employment.67
We recommend that casino operators make employees aware that they have a legal defence to prosecution if they make an internal report to the nominated officer as soon as is reasonably practicable after the information or other matter comes to their attention. Whether or not this defence would be successful would be a matter for the court based on the exact circumstances of the case.
Any internal report should be considered by the nominated officer, in the light of all other relevant information available to the nominated officer, to determine whether or not the report gives rise to knowledge or suspicion, or reasonable grounds for knowledge or suspicion, that a person is engaged in money laundering or terrorist financing.
The nominated officer must be fully conversant with the legal obligations to make external reports to the NCA. Many of the records required by the Regulations relate to work done, or decisions made, by the nominated officer, including records of why reports have not been made to the NCA.
In the Regulations, a key requirement is to make checks on customers, known as customer due diligence or CDD, which is designed to make it more difficult for the casino industry to be used for money laundering or terrorist financing purposes. CDD is an integral part of the risk-based approach. It involves gathering information about the customer in order for the operator to assess the extent to which the customer exposes it to money laundering and terrorist financing risks. CDD should be applied on a risk-sensitive basis depending on the type of customer, the business relationship or the nature of the transactions or activity.
Customer risk assessments or customer risk profiling will be informed by the operator’s money laundering or terrorist financing risk assessment. The operator should assess the extent to which a particular customer triggers the risk factors considered in the risk assessment and graduate the risk profile of the customer accordingly.
This allows operators to take a risk-based approach to customer due diligence, with measures being proportionate to their risk rating. The information that is collected at the commencement of the business relationship with the customer will enable the operator to determine the level of risk associated with the customer and, in turn, the initial and ongoing customer due diligence and monitoring that is required.
Full details of the source of funds to be used in the relationship will also need to be established using a risk-based approach.
The objective of risk-based customer due diligence is to ensure that, as the risks within the business relationship increase, so the level of information obtained and verified increases proportionally.
The operator should have a policy that is graduated to reflect the risk of the customer. Any risk profiling should also include screening for politically exposed persons (PEPs) and sanctioned persons.
Operators are reminded that sanctions legislation prohibits doing business with sanctioned persons, and PEPs are considered high risk under UK AML legislation68.
The authority for signing off new customers should be graduated according to risk. Higher-risk customers should always be escalated to senior management. There is also an expectation that firms will have systems in place to monitor customer behaviours and amend customer risk ratings accordingly. For example, a customer may initially be assessed as low risk but may later display activity which moves them to a high risk category.
For those customers rated as high risk, either initially or later in the business relationship, the firm will need to conduct mandatory enhanced customer due diligence69. This means employing additional measures, including approval from senior management for the business relationship, and conducting enhanced ongoing monitoring.
Source of wealth checks are mandatory for PEPs70 and in the case of business relationships with customers situated in high-risk third countries or transactions where either of the parties to the transaction are resident in a high-risk third country71.
For those customers assessed as low risk, the firm can conduct simplified customer due diligence. Those customers who are medium risk should undergo standard customer due diligence.
Regardless of whether they have established a business relationship with the customer, suspect money laundering or terrorist financing, or doubt the veracity or adequacy of documents or information previously obtained for the purposes of identification or verification, casino operators must also apply CDD measures in relation to any transaction that amounts to €2,000 or more, whether the transaction is executed in a single operation or in several operations which appear to be linked.74.
The wagering of a stake, including:
In determining whether a transaction amounts to €2,000 or more, casino operators do not need to take account of winnings from a previous transaction which had not been collected from the casino, gaming machine or remote gambling, but are being re-used in the transaction in question.76 This means that casino operators do not need to include restaked winnings (so called 'recycled winnings', 'turnover' or 'churn') when determining whether a customer has reached the €2,000 threshold.
For the purposes of CDD, 'verify' means verifying on the basis of documents or information which, in either case, have been obtained from a reliable source which is independent of the person whose identity is being verified. Documents issued or made available by an official body are to be regarded as being independent of a person even if they are provided or made available to the casino operator by, or on behalf of, that person.81
These requirements apply to customers of both remote and non-remote casinos. Aside from these checks being a statutory requirement in the Regulations, they also help casino operators to avoid the commission of criminal offences under POCA.
The Regulations define casino as 'the holder of a casino operating licence'.84 The holder of a casino operating licence does not need to repeat CDD if a customer visits another casino operated by that licensee. CDD records held by a casino operator will need to be available across the operator’s different casino premises and the policies and procedures must include details of how the operator will manage this. Casino operators should note that CDD is ongoing and may need updating for changes in the customer’s circumstances and personal details.
The ways in which a casino operator meets the requirements for CDD and the extent of the measures it takes must reflect the risk assessment it has carried out, and its assessment of the level of risk arising in any particular case. This may differ from case to case.85
Casino operators should satisfy themselves that the sources of information employed to carry out CDD checks are suitable to mitigate the full range of risks to which they might be exposed, and these would include money laundering and social responsibility risks. For example, local or open source information, such as press reports, may be helpful in carrying out these checks. However, operators should ensure that they are not placing an overreliance on one source of information to conduct these checks.
Casino operators must be able to demonstrate to the Commission that the extent of the CDD measures they take are appropriate in view of the risks of money laundering and terrorist financing, including risks:
Casino operators must comply with the requirement to verify the identity of the customer, any person claiming to act on behalf of the customer and, where applicable, any beneficial owner before the establishment of a business relationship or the carrying out of the transaction.89
The Regulations require casino operators to conduct ongoing monitoring of a business relationship.
This must include the following:
Casinos are expected to approach this requirement on a risk-sensitive basis. Dependent on how frequently a casino forms business relationships, it may be good practice to apply ongoing monitoring more widely. Regular players should be the subject of closer scrutiny and their level of play should be assessed with reference to the information already known about them, and where necessary, additional information must be collected and retained about the source of their funds.
Casino operators must apply enhanced customer due diligence measures and enhanced ongoing monitoring, in addition to the required CDD measures, to manage and mitigate the money laundering or terrorist financing risks arising in the following cases:
Depending on the requirements of the case, the enhanced measures undertaken in any case listed in enhanced customer due diligence and enhanced ongoing monitoring may also include, among other things:
When assessing whether there is a high risk of money laundering or terrorist financing in a particular situation, and the extent of the measures which should be taken to manage and mitigate the risk.
The Commission recommends that casino operators also consider the following factors when assessing whether there is a high risk of money laundering or terrorist financing:
In assessing whether there is a high risk of money laundering or terrorist financing, casino operators must bear in mind that the presence of one or more of the risk factors listed may not always indicate that there is a high risk in a particular situation.103
As discussed in customer due diligence requirements, the Regulations set out thresholds which, if customer transactions reach these levels, require the casino operator to apply customer due diligence measures.
The threshold applies to the wagering of a stake or the collection of winnings, and is to be applied to single transactions or transactions that appear to be linked.
It is to be applied to single transactions or transactions that appear to be linked. Customers may execute a series of linked transactions that are individually below the €2,000 threshold but, when taken cumulatively, they meet or exceed the threshold.
Transactions should be considered to be linked if, for example, they are carried out by the same customer through the same game or in one gaming session, or in the case of remote casinos, if they are part of the overall activity undertaken by a customer during a single period of being logged on to the operator's gambling facilities. These examples are not exhaustive and casino operators will need to consider whether there are other circumstances in which transactions are linked.
Casino operators will also need to consider, among other things, whether a customer is deliberately spreading their wagering or collection of winnings over a number of transactions in order to circumvent the CDD requirements. They should also ensure that the triggering of the threshold by a customer is not evaded through the customer opening multiple accounts under fictitious names.
This should be informed by the risk profile of the particular customer, including circumstances which alter the risk attributed to the customer.
The gaming machine limits only apply in premises-based casinos. By separating the purchase or exchange of tokens from the payment to use gaming machines there is the potential for customers to spend up to €2,000 in gaming machines in addition to the purchase or exchange of tokens up to €2,000.
Under the Regulations, 'gaming machine' has the same meaning as that in the Act105 . In premises-based casinos, automated and semi-automated table games such as touch-bet roulette are not defined as gaming machines and therefore the take in these games should be counted towards the threshold approach for tokens.
For example, a casino with a customer drop/win average considerably below the threshold will need mechanisms in place to monitor customer transactions to be sure that any customer reaching the threshold is picked up in good time to allow CDD to be conducted. Where the casino operator has a number of premises, the Commission will consider the use of the threshold approach for each casino premises rather than for an operator.
Casinos adopting the threshold approach may wish to defer both identification and verification until the threshold is triggered. Alternatively, they may consider that it is more practical to conduct both identification and verification on entry, or conduct identification on entry and defer verification until the threshold is triggered. For example, a premises-based casino may operate a membership scheme where customers are identified on admission to the casino but verification only occurs once the threshold is triggered. Similarly, remote casinos may require customers to identify themselves (and undertake age verification) on registering with the casino, but only require verification of identity if the threshold is triggered. This is sometimes called the hybrid approach.
There may be advantages in asking customers for their identification on entry, even if verification of this information is deferred until the threshold is reached, for example, identifying customers on entry means it will not be necessary to interrupt the customer’s gambling once the threshold is reached and verification becomes necessary. In deciding which approach to take, operators must satisfy themselves and the Commission on a premises-by-premises basis that they have effective procedures, controls and systems in place to track and monitor customers across all the products and platforms that are offered.
A key challenge for casinos wishing to adopt the threshold approach is keeping track of all an individual customer’s:
However, it may be appropriate to do so in light of the known spend patterns in each premises.
If casino operators choose to adopt the threshold approach, they must satisfy the Commission on a premises-by-premises basis that they have the appropriate procedures in place to manage the threshold in light of the assessed money laundering and terrorist financing risk and spending profile at each premises.
Some remote casinos operate a 'wallet' system which allows customers to use the money in their wallet in different parts of the operator’s site. An operator’s site may include some casino games as well as other games. It is only when a customer first enters the casino part of an operator’s website and deposits money that the CDD requirements apply. The Regulations do not apply to people 'window shopping' in a remote casino’s website, it applies only when money is deposited. Where an operator is unsure of what the funds in the wallet will be used for (for example, casino or sports betting), they should consider applying these controls to all customers.
Casinos using the threshold approach must be sure that they are able to end transactions with a customer who reaches the threshold if they are unable to comply with the CDD requirements.
The on-entry approach requires casinos to identify and verify the identity of the customer before entry to any premises where gaming facilities are provided, or before access is given to remote gambling facilities. Once the customer’s identity is verified, they may commence gaming. See timing of verification.
If a casino using the on-entry approach to CDD is unable to complete the appropriate CDD, they must not allow the customer access to the premises or to the remote gambling. In non-remote casinos this does not allow guests of known customers a single entry without undertaking CDD. However, casino operators should consider using variations of the threshold CDD approach for guests of casino members.
Applying CDD measures involves several steps. The casino operator is required to identify customers and then verify their identities, either upon establishing a business relationship, upon entry or when reaching the threshold. Identification of a customer means being told or coming to know of the customer’s identifying details, such as their name and address.
Verification means proving a customer is who they claim to be by obtaining and validating documents or information which supports this claim of identity. The operator identifies the customer by obtaining a range of information about the customer. The verification of the identity consists of the operator verifying some of this information against documents, data or information obtained from a reliable and independent source.
Identification of customers consists of a number of aspects, including:
It may also be helpful to obtain information on customers’ source of funds and level of legitimate income, for example their occupation. This information may assist casinos with their assessment about whether a customer’s level of gambling is proportionate to their approximate income, or whether it is suspicious.
Information about customer identity must then be verified through documents, data and information which come from a reliable and independent source.
However, the Commission expects casinos to be reasonably satisfied, following appropriate inquiry, that customers are who they claim to be. Where confirmation of a customer’s identity is obtained from employees in the same casino group, the Regulations still require casino operators to verify this identity using an independent source. This is particularly relevant where the casino providing the confirmation is located in another jurisdiction.
It is considered good practice to request the following evidence from a customer:
Some casinos have adopted the practice of allowing celebrities who are household names to by-pass the identification procedures agreed under the 2003 Regulations. Identification under these circumstances is not an issue. Verification may not be an issue owing to the easy availability of open source data and public knowledge that can be relied on as 'information from an independent and reliable source'. If such circumstances apply, then the casino must keep records of the celebrity’s presence at the casino, how their identity has been verified and, where necessary, the supporting records of their gaming.
The way in which CDD is conducted in relation to a customer’s celebrity status is a subjective decision and must be supported by adequate records, and, as with other cases, still requires the casino to be reasonably satisfied that the customer is who they say they are.
Increasingly casinos use reliable electronic systems to help with verification. Some of these systems also have the advantage of assisting with the identification of PEPs. The amount of electronic information available about individuals will vary, depending on the extent of their electronic 'footprint'.
Electronic data sources can provide a wide range of confirmatory material without necessarily requiring the customer to produce documents. Electronic sources can be a convenient method of verification. They can be used either as the sole method of verification, or in combination with traditional document checks, on a risk basis.
For an electronic check to provide satisfactory evidence of identity on its own it must:
An electronic check that accesses data from a single source, for example, a single check against the electoral roll is not enough on its own to verify identity.
Where such sources are used for a credit check, the customer’s permission is required under the Data Protection Act 2018 (the Data Protection Act) (opens in a new tab). Credit checks can provide inexpensive information on which to assess a customer’s access to funds and to obtain a credit profile to match against spending patterns. For example, a criminal spending large amounts of criminal property would most likely not match their credit profile. A search for identity verification for AML and CTF purposes, however, leaves a different footprint on the customer’s electronic record, and the customer’s permission is not required, but they must be informed that this check is to take place. There are systems available that give typical financial and lifestyle profiles of people in a given postcode. Such systems do not amount to a credit check and do not require the use of personal information, but can provide helpful indicators of someone’s expected financial profile.
Some external electronic databases are accessible directly by casinos, but it is more likely they will be purchased from an independent third-party organisation. The size of the electronic 'footprint' in relation to the depth, breadth and quality of data, and the degree of corroboration of the data supplied by the customer may provide a useful basis for an assessment of the degree of confidence in the product.
A number of commercial agencies which access many data sources are accessible online by casino operators and may provide a composite and comprehensive level of electronic verification through a single interface. Such agencies use databases of both positive and negative information, and many also access high-risk alerts that utilise specific data sources to identify high-risk conditions, for example, known identity frauds or inclusion on a sanctions list.
Positive information relating to full name, current address and date of birth can prove that an individual exists, but some can offer a higher degree of confidence than others. Such information should include data from more robust sources. This may be a source that requires an individual to prove their identity, or address, in some way in order to be included, as opposed to one where no such proof is required.
Checking against such information may be appropriate where other factors suggest an increased risk of impersonation fraud.
Before using a commercial agency for electronic verification, casino operators should be satisfied that information supplied by the verification provider is considered to be sufficiently extensive, reliable and accurate.
In addition, a commercial agency should have processes that allow the enquirer to capture and store the information they used to verify identity. It is important that the process of electronic verification meets a standard level of confirmation before it can be relied on.
Commercial agencies that provide electronic verification use various methods of displaying results – for example, by the number of documents checked or through scoring mechanisms. Casino operators should ensure that they understand the basis of the system they use, in order to be satisfied that the sources of the underlying data meet the required standard.
If verification is undertaken using documents, casino operators should usually rely upon documents issued by an authoritative source that can be assessed against official and published guidance on identity documents.
Original documents should be examined so that, as far as reasonably practicable, forgeries are not accepted. Casino operators should recognise that some documents are more easily forged than others. If suspicions are raised in relation to any document offered, operators should take whatever practical and proportionate steps are available to establish whether the document offered is a forgery or has been reported as lost or stolen. While the presentation of false documents does not, in itself, amount to money laundering, it may constitute an offence under the Fraud Act 2006 (opens in a new tab) or Identity Cards Act 2006 (opens in a new tab) and should, in appropriate circumstances, be reported to the police or the NCA.
For example, the following fake documents which are freely available through the internet:
Commercial software is available that checks the algorithms used to generate passport numbers. This can be used to check the validity of passports of any country that issues machine-readable passports.
If documents are in a foreign language, appropriate steps should be taken to be reasonably satisfied that the documents in fact provide evidence of the customer’s identity. For example, a translation of the relevant sections.
These documents differ in their integrity, reliability and independence. Some are issued after CDD on the holder of the document is carried out by the issuing authority. There is a broad hierarchy of documents.
Documents issued by government departments and agencies that contain a photograph may be considered reliable. In practical terms, for face-to-face verification conducted by non-remote casinos, production of a valid passport or photo card driving licence should enable most individuals to meet the identification requirement for AML/CTF purposes. These documents will also confirm either residential address or date of birth.
Alternatively, documents from an authoritative source without a photograph which incorporate the customer’s full name may be used, supported by a second document, which is issued by an authoritative source, or issued by a public sector body or authority. This second document must also include the customer’s full name and either their residential address or their date of birth.
Customers who are not resident in the UK should be asked to produce their passport, national identity card or photo card driving licence. If the casino has concerns that the identity document presented by a customer is not genuine, they should contact the relevant embassy or consulate.
Non-remote casinos have adopted the practice of photographing new customers on their first visit to the casino as part of the CDD records. Doing so assists with casino security issues and with customer tracking. It is a matter for each casino operator, but the Commission views the use of customer photographs as good practice in the casino environment that contributes to the prevention and detection of money laundering and terrorist financing.
A PEP is an individual who is entrusted with prominent public functions, other than middle-ranking or more junior officials, including the following individuals:
When deciding whether an individual is a known close associate of a PEP, casino operators need only consider information which is in their possession, or credible information which is publicly available. 109
PEP status itself does not incriminate individuals or entities. It does, however, put a customer into a high-risk category.
The nature and scope of a particular casino’s business will help to determine the likelihood of PEPs in their customer base, and whether the casino operator needs to consider screening all customers for this purpose.
Establishing whether individuals are PEPs is not always straightforward and can present difficulties. Where casino operators need to carry out specific checks, they may be able to rely on an internet search or consult relevant reports and databases on corruption risk published by specialised national, international, non-governmental and commercial organisations. Resources such as the Transparency International Corruption Perceptions Index (opens in new tab), which ranks approximately 150 countries according to their perceived level of corruption, may be helpful in assessing the risk. Another useful source of information is KnowYourCountry (opens in new tab). The International Monetary Fund, World Bank and some non-governmental organisations also publish relevant reports. If there is a need to conduct more thorough checks, or if there is a high likelihood of a casino operator having PEPs for customers, subscription to a specialist PEP database may be a valuable tool in assessing the risk.
New and existing customers may not initially meet the definition of a PEP, but that position may change over time. Equally, individuals who are initially identified as PEPs may cease to be PEPs. For example, the Regulations provide that casino operators must continue applying enhanced customer due diligence to PEPs for at least 12 months after they cease to hold a prominent public function. 110 The casino operator should, as far as practicable, be alert to public information relating to possible changes in the status of its customers with regard to political exposure.
These situations include:
Although under the definition of a PEP an individual ceases to be so regarded after they have left office for 12 months, casino operators are encouraged to apply a risk-based approach in determining whether or when they should cease carrying out appropriately enhanced monitoring of transactions. In cases where the PEP presents a high risk of money laundering or terrorist financing, a longer period might be appropriate in order to ensure that the higher risks associated with the individual’s previous position have adequately abated. 111
Casino operators are required, on a risk-sensitive basis, to:
Each casino operator’s policies and procedures should cover when and how customers will be checked for PEP status and how and when senior management approval will be sought and provided, and deal with how the customer will be dealt with if there is any delay to approval being provided by senior management.
The appropriateness of the risk management systems and procedures adopted must take account of:
There is a hierarchy of risk for individual PEPs, where some PEPs have higher relative risk and others have lower relative risk. The measures taken for particular PEPs should therefore be informed by the relative risk attributed to the PEP, including consideration of the jurisdiction from which they originate. The Financial Conduct Authority (the FCA) has published guidance in relation to the treatment of PEPs and, while casino operators are not subject to the rules made by the FCA 115, they are advised to consult this guidance when considering the level of risk posed by a particular PEP. The guidance provides advice on who should be treated as a PEP, who should be treated as a family member or known close associate of a PEP, and the level of risk posed by particular PEPs, family members and close associates. Among other things, it recommends that only those individuals in the UK who hold truly prominent positions should be treated as PEPs, and not to apply the definition to local government, more junior members of the senior civil service or anyone other than the most senior military officials. 116
However, this recommendation does not apply when dealing with PEPs from foreign jurisdictions. The FCA guidance also notes that a PEP entrusted with a prominent public function by the UK should be treated as lower risk, unless a regulated firm assesses that risk factors not linked to their position as a PEP mean that they pose a higher risk.
A casino operator who proposes to have, or to continue, a business relationship with a PEP, or a family member or known close associate of a PEP must, in addition to the enhanced customer due diligence measures described in the Enhanced customer due diligence and enhanced ongoing monitoring section:
When an individual who was a PEP is no longer entrusted with a prominent public function, casino operators are no longer required to apply enhanced customer due diligence measures to the family members or close associates of the PEP. The 12-month period referred to above does not apply in this case. 119
A casino operator is permitted to apply simplified customer due diligence measures in relation to a particular business relationship or transaction if it determines that the business relationship or transaction presents a low degree of money laundering and terrorist financing risk, taking into account its money laundering and terrorist financing risk assessment, any relevant information made available by the Commission and the risk factors in the paragraph that follows. 120
The casino operator’s risk assessment should identify what products, services, transactions, customers or countries present a low degree of money laundering and terrorist financing risk. Remote casinos operators should note that business relationships and transactions with its customers cannot be considered to present a low degree of money laundering and terrorist financing risk, if no safeguards are in place (see Enhanced customer due diligence and enhanced ongoing monitoring section.
When assessing whether there is a low degree of risk of money laundering and terrorist financing in a particular situation, and the extent of the simplified customer due diligence in that situation.
Among other things, whether the country where the customer is resident is:
In making an assessment of a low degree of risk, casino operators must bear in mind that the presence of one or more risk factors may not always indicate that there is a low risk of money laundering and terrorist financing in a particular situation.
A casino operator may rely on certain third parties to apply the required CDD measures, however, the operator remains liable for any failure to apply such measures. 125
A casino operator may not rely on a third party established in a country which has been identified by the European Commission as a high risk third country. 127
A casino operator is permitted to apply CDD measures by means of an agent or an outsourcing service provider, provided that the arrangements between the operator and the agent or service provider make clear that the operator remains liable for any failure to apply the CDD measures. 130
In this context, an outsourcing service provider is a person who performs a process, service or activity on behalf of the casino operator and is not an employee of the operator. 131
We recommend also refering to our information on the purpose of this guidance which highlights the need for operators to consider the risks posed by third parties they contract with.
Where a casino operator is unable to apply the required CDD measures in relation to a particular customer, the operator:
Where the casino operator is required not to carry out a transaction with or for a customer through a bank account, this does not prevent money deposited in a customer's gambling account being repaid to the customer, provided that, where the operator is required to make a report to the NCA, the operator has a defence (appropriate consent) under POCA, or consent under the Terrorism Act (opens in a new tab), to the transaction. 133
Casinos must therefore have clear policies in place on how they will manage situations where they are unable to apply the CDD measures.
Where remote casino operators are unable to complete or apply the required CDD measures 134 in relation to a particular customer at the point the CDD threshold for transactions 135 is reached, and are accordingly required to cease transactions or terminate the business relationship with the customer, 136 they should adopt the following procedure:
The customer should be made fully aware of the procedures adopted by the remote casino operator when they first register with the operator so that there is no misunderstanding at a later stage.
The UK operates financial sanctions on persons and entities following their designation at the United Nations or in accordance with other international obligations. The UK also operates a domestic counter-terrorism regime, where the Government decides to impose financial restrictions on certain persons and entities. There are specific financial restrictions targeted at organisations and entities involved in terrorism and terrorist financing.
Financial restrictions in the UK are governed by the Sanctions and Anti-Money Laundering Act 2018 137 and various regulations thereunder. The purpose of imposing financial restrictions is to restrict access to finance by designated persons and to prevent the diversion of funds to terrorism and terrorist purposes. In all circumstances where an asset freeze is imposed, it is unlawful to make payments to, or allow payments to be made to, designated persons.
The Consolidated List (opens in new tab) of persons designated as being subject to financial restrictions can be found on GOV.UK. The purpose of the Consolidated List is to draw together, in one place, all the names of designated persons for the various financial restrictions regimes effective in the UK. Further information on the financial restrictions including guidance, can be found on the OFSI website (opens in new tab).
There are prohibitions for carrying out certain activities or behaving in a certain way if financial sanctions apply. This will depend on the exact terms of the UK legislation which imposes the financial sanction in the given situation. Further information regarding the prohibitions can be found in OFSI's financial sanctions guidance and information on monetary penalties (opens in new tab).
Requests to disapply the financial restrictions in relation to a designated person are considered by OFSI on a case-by-case basis to ensure that there is no risk of funds being diverted to otherwise restricted purposes.
Contact OFSI using the following details. Further regime-specific guidance (opens in new tab) concerning licensing and compliance can be found in the OFSI and HM Treasury publication.
Casino operators need to have the necessary policies, procedures and controls in place to monitor financial transactions so that payments are not made to designated persons, thereby preventing breaches of the financial restrictions legislation. For manual checking, operators can register with the OFSI update service (directly or via a third party). If checking is automated, operators will need to ensure that the relevant software includes checks against the latest Consolidated List.
OFSI may also be contacted to provide guidance and to assist with any concerns regarding financial restrictions.
020 7270 5454 (weekdays, 9am to 5pm)
In the event that a customer or a payee is identified as a designated person, payments must not proceed unless a licence is granted by OFSI, as this would be a breach of the financial restrictions. OFSI should be informed immediately and the transaction suspended pending their advice. No funds should be returned to the designated person. The operator may also need to consider whether there is an obligation to report to the NCA under POCA or the Terrorism Act.
Casino operators should consider the likelihood of sanctioned persons using the casino’s facilities, taking into account matters such as where the person is resident, and the local demographics of the casino and its customer base. Operators should bear in mind that sanctioned persons are not exclusively resident abroad but may also live and operate in the UK and use either a high-end casino or a small provincial casino.
Casino operators should also note that PEPs and financial sanctions cannot be conflated as the requirements in relation to each are different. The Regulations do not prohibit doing business with a PEP, whereas there is a prohibition on doing business with a person on the financial sanctions list, so the way in which casino operators manage the respective risks should be different.
This chapter provides guidance on appropriate record-keeping procedures required by the Regulations. The purpose of the record-keeping requirement is to ensure that there is an audit trail that could assist in any financial investigation by a law enforcement body. These records are also important when the Commission is conducting an investigation for compliance purposes.
The casino operator’s record-keeping policy and procedure should cover records in the following areas:
The policy and procedure for record keeping should also make provision for the retention of records held by an employee who leaves the business.
The record-keeping requirements for supporting records, that is, the records of ongoing transactions with a customer, are based on the nature of the relationship with that customer. There is either:
A business relationship is a business, professional or commercial relationship between a casino operator and a customer which arises out of the business of the casino operator and is expected by the operator, at the time when the contact is established, to have an element of duration. 138 Casino operators are advised to interpret this definition widely.
A business relationship with a customer of a casino operator is likely to occur when, for example:
The list above is not exhaustive and a casino operator will need to form its own view of when contact is established, or circumstances otherwise arise, with a customer from which it expects, or it could reasonably be inferred that it expects, that the relationship with the customer will have an element of duration. The Commission accepts that this may not necessarily be the case when a casino operator permits a customer to join a casino loyalty scheme.
Ongoing monitoring of business relationships is a requirement for casino operators, and includes scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the casino’s knowledge of the customer, the customer’s business and risk profile. 139
As noted in ongoing monitoring, casinos are expected to approach this requirement on a risk-sensitive basis. Dependent on how frequently a casino forms 'business relationships' it may be good practice to apply ongoing monitoring more widely. Regular players should be the subject of closer scrutiny and their level of play should be assessed with reference to the information already known about them, and where necessary, additional information must be collected and retained about the source of their funds.
For example, customers spending low amounts at gaming during single, infrequent and irregular visits to a casino and who are not subject to tracking. There may not be an expectation at any stage that there will be any duration to the relationship with the customer. Strictly speaking, such business falls outside of the record-keeping requirements (provided the transactions are below the €2,000 threshold for CDD), however, the Commission nonetheless considers it good practice to retain such records.
In relation to the evidence of a customer’s identity casino operators must keep a copy of any documents or information obtained to satisfy the CDD measures required under the Regulations.140
A casino operator may often hold additional information beyond identity in respect of a customer for the purposes of wider CDD. As a matter of best practice, this information and any relevant documents should also be retained.
There is a separate requirement in the Regulations to ensure that documents, data or information held by casinos are kept up to date. 141
A trigger event for refreshing and extending CDD may be if a customer returns to a casino after a period of non-attendance. Refreshing information about existing customers will ensure that matters such as change of address or a customer being appointed into a role which attracts PEP status, will be picked up.
Keeping information up to date is also a requirement under the Data Protection Act (link opens in a new tab). How these issues will be dealt with in practice should be covered in the casino’s policies, procedures and controls.
Where documents verifying the identity of a customer are held in one casino premises they do not also need to be held in duplicate form in another premises in the same group. For the purposes of compliance with the Regulations, the whole group forms part of the same 'relevant person'. The records need to be accessible to all premises that have contact with the customer, the nominated officer and law enforcement. The Regulations accept that casino operators may have more than one casino premises or more than one remote casino site. It is sufficient for the operator to undertake identification and verification provided the information is available to each premises or site.
The requirement to keep supporting records is linked to 'business relationships', which is defined in the Regulations 142 and the extent and nature of the records created. In many casinos, customers (regardless of whether or not they have formed a business relationship) purchase chips with cash at gaming tables where, in low risk situations, no records are created and therefore are not available to be kept.
The Commission expects casino operators to use reasonable endeavours to create and keep supporting records and to make it clear in their policies, procedures and controls what records will be created in light of the known spending patterns and the assessed money laundering and terrorist financing risks at each premises.
Some casinos undertake a process at the end of each business day to count the total drop (cash used to purchase chips) to compare against the total amount recorded through tracking individual customer spend. The difference between the two figures is the amount of drop that is not attributable to particular customers. This in turn can be calculated against known attendance figures and the number of customers tracked to give an average amount of money used to purchase chips per customer that has not been tracked, and therefore without supporting records. Where this process is used, it should be the subject of ongoing risk assessment for each premises and the records created during the process should also be retained.
Any casino operator devising its record-keeping policy and procedure should decide how its business fits within the definition of 'business relationship'. The variation in the record-keeping requirements for different circumstances illustrates the flexibility available to casinos which allows them to focus their resources on situations with higher money laundering or terrorist financing risk.
For the purposes of supporting records, the Commission takes the view that, in most cases, this will consist of records covering the drop/win figures, subject to the requirements outlines for other casino customers for each customer. There is no requirement to keep detailed records for each customer for each table or game for AML purposes. However, HMRC may require casino operators to maintain records for each table or game, but not broken down by each customer’s transactions.
Remote casinos will, by the nature of their business, generate detailed records of all transactions with each customer but, for the purposes of the record-keeping requirements, it is sufficient to retain the deposit and withdrawal figures for each named customer.
Cash-in with cash-out gaming machines do not produce any supporting records that can be attributed to a customer. They do generate overall cash-in and cash-out data that must be retained by the casino. However, 'ticket in, ticket out' (TITO) and 'smart card' technology may mean that machines produce supporting records that can be attributed to a customer who falls within the record-keeping requirements, in which case such records must be retained in accordance with the Regulations.
In either case, unusual transactions or activities should be flagged for further examination.
In designing monitoring arrangements, it is important that appropriate account be taken of the frequency, volume and size of transactions with customers, in the context of the assessed customer risk.
Monitoring is not a mechanical process and does not necessarily require sophisticated electronic systems. The scope and complexity of the process will be influenced by the casino operator’s business activities, and whether the operator is large or small. The key elements of any system are having up-to-date customer information, on the basis of which it will be possible to spot the unusual and ask pertinent questions to elicit the reasons for unusual transactions or activities, in order to judge whether they may represent something suspicious.
Records of identification and verification of customers must be kept for a period of five years after the business relationship with the customer has ended, for example where the customer closes their gambling account with the operator or ceases to visit or use the casino. 143
Records of internal and external reports on suspicious activity should be retained for five years from when the report was made.
Most casino operators have record-keeping procedures which they keep under review, and will seek to reduce the volume and density of records which have to be stored, whilst still complying with statutory requirements. Retention may therefore be:
Records relating to ongoing investigations should, where possible, be retained until the relevant law enforcement agency has confirmed that the case has been concluded.
Where the record-keeping obligations under the Regulations are not observed, an operator or person is open to prosecution and sanctions, including imprisonment for up to two years and/or a fine, or regulatory censure. 146
Any personal data obtained by casino operators for the purposes of the Regulations may only be processed for the purposes of preventing money laundering and terrorist financing. 147
Employees in casinos are required to make a report in respect of information that comes to them in the course of their business:
In order to provide a framework within which suspicion reports may be raised and considered:
If the nominated officer determines that a report does give rise to grounds for knowledge or suspicion, they must report the matter to the NCA. Under POCA, the nominated officer is required to make a report to the NCA as soon as is practicable if he has grounds for suspicion that another person, whether or not a customer, is engaged in money laundering. Under the the Terrorism Act (opens in a new tab), similar conditions apply in relation to disclosure where there are grounds for suspicion of terrorist financing.
In the context of POCA, knowledge means actual knowledge. Having knowledge means actually knowing something to be true. In a criminal court, it must be proved that the individual in fact knew that a person was engaged in money laundering. Knowledge can be inferred from the surrounding circumstances, so, for example, a failure to ask obvious questions may be relied upon by a jury to infer knowledge. 150
The knowledge must, however, have come to the casino operator (or to the employee) in the course of casino business or (in the case of a nominated officer) as a consequence of a disclosure under section 330 of POCA (opens in a new tab). Information that comes to the casino operator or employee in other circumstances does not come within the scope of the regulated sector obligation to make a report. This does not preclude a report being made should the operator or employees choose to do so. Employees may also be obliged to make a report by other parts of the Act. Further information can be found in Part 7 of POCA (opens in a new tab). 151
"It seems to us that the essential element in the word "suspect" and its affiliates, in this context, is that the defendant must think that there is a possibility, which is more than fanciful, that the relevant facts exist. A vague feeling of unease would not suffice."
There is thus no requirement for the suspicion to be clear or firmly grounded on specific facts, but there must be a degree of satisfaction, not necessarily amounting to belief but at least extending beyond mere speculation, that an event has occurred or not.
Whether a person holds a suspicion or not is a subjective test. If a person thinks a transaction is suspicious, they are not required to know the exact nature of the criminal offence or that particular funds are definitely those arising from the crime. The person may have noticed something unusual or unexpected and, after making enquiries, the facts do not seem normal or make commercial or financial sense. It is not necessary to have evidence that money laundering is taking place to have suspicion.
Many customers will, for perfectly legitimate reasons, have an erratic pattern of gambling transactions or account activity. Even customers with a steady and predictable gambling profile will have periodic transactions that are unusual for them. So, an unusual transaction may only be the basis for further enquiry, which may in turn require judgement as to whether the transaction or activity is suspicious. A transaction or activity may not be suspicious at the time, but if suspicions are raised later, an obligation to report the activity then arises. Likewise, if concern escalates following further enquiries, it is reasonable to conclude that the transaction is suspicious and will need to be reported to the NCA.
Unusual patterns of gambling, including the spending of particularly large amounts of money in relation to the casino or customer’s profile, should receive attention, but unusual behaviour will not necessarily lead to grounds for knowledge or suspicion of money laundering, or the making of a report to the NCA. The nominated officer is required to assess all of the circumstances and, in some cases, it may be helpful to ask the customer or others more questions. The choice depends on what is already known about the customer and the transaction, and how easy it is to make further enquiries.
In order for either an internal or external report to be made it is not necessary to know or to establish the exact nature of any underlying criminal offence, or that the particular funds or property were definitely those arising from a crime. Furthermore, it is not necessary to await conviction of a customer for money laundering or other criminal offences in order to have suspicion that money laundering has taken place.
In addition to establishing a criminal offence relating to failing to report when there is suspicion or actual knowledge of money laundering, POCA creates criminal liability for failing to disclose information when reasonable grounds exist for knowing or suspecting that a person is engaged in money laundering or terrorist financing.
This lower test, which introduces an objective test of suspicion, applies to all businesses covered by the Regulations, including remote and non-remote casinos. The test would likely be met when there are demonstrated to be facts or circumstances, known to the employee in the course of business, from which a reasonable person engaged in a casino business would have inferred knowledge, or formed a suspicion, that another person was engaged in money laundering or terrorist financing.
To defend themselves against a charge that they failed to make a report when the objective test of suspicion has been satisfied, employees within remote and non-remote casinos would need to be able to demonstrate that they took reasonable steps in the particular circumstances (and in the context of a risk-based approach) to conduct the appropriate level of CDD.
It is important to bear in mind that, in practice, a court will be deciding, with the benefit of hindsight, whether the objective test was met.
There are numerous things that can make someone either know or suspect that they are dealing with the proceeds of crime. Some examples of how suspicions may be raised are listed below, although this is not an exhaustive list and there may be other circumstances which raise suspicion.
It is important to note that, once knowledge or suspicion of criminal spend is linked to a customer in one area of the business (for example, table games), it is good practice to monitor the customer’s activity in other areas of the business (for example, gaming machine play).
Employees of a casino operator have a legal defence if they report to the nominated officer where they have grounds for knowledge or suspicion of money laundering or terrorist financing. All casino operators therefore need to ensure that all relevant employees know they should report suspicions to their nominated officer. Internal reports to a nominated officer, and reports made by a nominated officer to the NCA, must be made as soon as is practicable.
The report should include full details of the customer who is the subject of concern and as full a statement as possible of the information giving rise to the grounds for knowledge or suspicion of money laundering or terrorist financing. All internal enquiries made in relation to the report should also be documented or electronically recorded. This information may be required to supplement the initial report or as evidence of good practice and best endeavours if, at some future date, there is an investigation by a law enforcement agency or the Commission.
Once an employee has properly reported their suspicion to the nominated officer, or to an individual to whom the nominated officer has delegated the responsibility to receive such internal reports, they have satisfied their statutory obligation.
The casino operator’s nominated officer must consider each report and determine whether it gives rise to grounds for knowledge or suspicion. The operator must permit the nominated officer to have access to any information in the operator’s possession, including CDD information, that could be relevant. The nominated officer may also require further information to be obtained from the customer, if necessary. Any approach to the customer should be made sensitively and preferably by someone already known to the customer, to minimise the risk of alerting the customer or an intermediary that a disclosure to the NCA is being considered.
If the nominated officer decides not to make a report to the NCA, the reasons for not doing so should be clearly documented or electronically recorded and retained. These records should be kept separately by the nominated officer in order that the information therein is not disclosed accidently.
It should be noted that the submission of a report to the NCA is not intended to be used as a way to obtain information from law enforcement in order to assist the nominated officer in deciding whether to continue with the business relationship with the customer, nor should the absence of a response or feedback from the NCA be taken to imply that the casino operator should continue with the business relationship until adverse information about the customer is received from the NCA or other law enforcement agency.
To avoid committing a failure to report offence, the nominated officer must make a disclosure to the NCA where he decides that a report gives rise to grounds for knowledge or suspicion. The national reception point for the disclosure of knowledge and suspicions, and for seeking a defence (consent) to proceed with the transaction or activity, is the UK Financial Intelligence Unit (UKFIU) within the NCA.
The nominated officer must report to the NCA any transaction or activity that, after their evaluation, they know or suspect, or have reasonable grounds to know or suspect, may be linked to money laundering or terrorist financing. Such reports must be made as soon as is practicable after the information comes to the nominated officer.
In addition, depending on the circumstances, a casino operator being served with a court order in relation to a customer may have cause for suspicion, or reasonable grounds for suspicion, in relation to that customer. In such an event, the nominated officer should review the information that is held about that customer in order to determine whether or not such grounds for suspicion exist and, if necessary, make a report to the NCA. Where the nominated officer decides not to make a report to the NCA, the reasons for not doing so should be clearly recorded and retained.
A consultation paper on the form and manner of reporting was issued by the Home Office in the summer of 2007, however, the Home Office decided not to proceed with the introduction of a prescribed form and manner for reporting.
The NCA accepts the submission of SARs 152 in three main ways:
SAR Online is a secure web-based reporting system for small or medium sized reporting entities with access to the internet, which allows SARs to be submitted electronically through the NCA SAR Online System (link opens in a new tab). It is the NCA’s preferred method of reporting. Reporters must register themselves as a source (reporting entity) on the system once, and then submit SARs by completing linked electronic screens that reflect the fields included in the paper-based reports.
Requests for a defence (appropriate consent) can be submitted using SAR Online and, as long as the box for consent is checked at the start of the process, the system alerts the Consent Team automatically, ensuring swift identification and management of requests for a defence (appropriate consent). It is not necessary to send the request by fax as well as submission online.
SAR Online is the NCA’s preferred method for small and medium sized reporting entities to submit SARs. The benefit to the reporter is 24/7 reporting, an automatic acknowledgment of receipt with the ELMER reference number, and investigators are able to access the information more rapidly.
Using the standard NCA Suspicious Activity Report Form. The NCA prefers submissions to be typed to enable them to be scanned and prevent errors in data entry. The form and guidance on using the form can be found on the NCA website (link opens in a new tab).
Completed forms should be posted to:
PO Box 8000
If using the form to request a defence (appropriate consent), it should be faxed immediately to 0207 238 8286, but it is not necessary to post and fax a request.
The paper-based reporting system will not elicit an acknowledgment of receipt or an ELMER reference number for your records, and the SAR will take some time to reach investigators.
Encrypted bulk data exchange is used by high volume reporters, namely reporters with more than 10,000 reports a month. If an operator believes this would be the most appropriate method of reporting for their group, they should contact the UKFIU on 0207 238 8282 to discuss the matter.
Casino operators should include in each SAR as much relevant information about the customer, transaction or activity that it has in its records. The NCA has published a glossary of terms which they prefer operators to use when completing SARs. 153 This will assist in consideration of the report by the NCA.
This may include the following:
In order that an informed overview of the situation may be maintained, all contact between the casino operator and law enforcement agencies should be controlled through, or reported back to, the nominated officer or a deputy acting in the absence of the nominated officer. The NCA may apply to the magistrates’ court (or, in Scotland, the sheriff) for an order (a further information order), following the submission of a SAR, requiring the nominated officer to provide more information in respect of the SAR. 154 Law enforcement agencies may also apply for a disclosure order requiring any person considered to have information relevant to an investigation to answer questions, provide information or to produce documents. 155
POCA also makes provision for the voluntary sharing of information between persons in the regulated sector when deciding whether to submit a SAR, and joint SARs by persons in the regulated sector, subject to certain limitations. The exchange of information in these circumstances is protected from breaching any confidentiality obligations or other restrictions. 156
If casino operators handle any proceeds of crime, they may commit one of the principal money laundering offences in POCA or the Terrorism Act (opens in a new tab). However, if the nominated officer submits a SAR to the NCA, this can provide a defence. There is a statutory mechanism which allows the NCA either to grant or to refuse the 'prohibited act' going ahead, or to prevent the suspected money laundering going ahead. 157 This statutory mechanism is called 'appropriate consent' and is referred to by the NCA as Requesting a defence from the NCA under POCA and TACT. 158
These are referred to as 'prohibited acts'.
They may choose:
A decision to proceed will mean that the operator may be committing a money laundering offence. However, if they have made an authorised disclosure and have obtained a defence (appropriate consent), they will not be committing an offence.
A nominated officer, police constable, NCA employee or customs officer can give a person (which may include, for example, a casino employee) actual 'appropriate consent' to a suspect transaction proceeding. 162 However, it should be noted that the NCA is the only body able to issue formal notification of a defence (consent) by means of an official NCA letter, which the nominated officer can then retain for their records.
Although notice can be given to a constable or customs officer, there is a need to ensure that the practices of all law enforcement agencies are consistent in this area. Therefore, the NCA operates as the national centre for all SARs and for the issue of decisions concerning the granting or refusal of a defence (appropriate consent). To avoid confusion requests for a defence (consent) should be routed through the NCA. See applying for a defence for more detail.
Casino operators should be aware that the NCA and other authorities, such as the FCA and Serious Fraud Office, can apply to the Crown Court (or, in Scotland, the sheriff) for an order to extend the moratorium period for a further 31 days. An order can be given on up to six occasions which allows the moratorium period to be extended for a maximum period of 186 days in total. To grant an order for an extension, in each case the Court must be satisfied that the NCA or other authority’s investigation is being carried out "diligently and expeditiously", additional time is needed to complete the investigation and an extension would be reasonable in the circumstances. 164
However, POCA provides that a nominated officer must not give appropriate consent unless he has himself already made a disclosure to an authorised officer of the NCA and, either:
Reporting suspicious activity before or reporting after the event are not equal options which a casino operator can choose between, and retrospective reporting is unlikely to be seen in the same light as reporting prior to the event. A report made after money laundering has already taken place will only be a legal defence if there was a 'reasonable excuse' for failing to make the report before the money laundering took place. 166 Where a customer request is received prior to a transaction or activity taking place, or arrangements being put in place (for example, where a customer requests the opening of a gambling account), and there is knowledge or suspicion, or reasonable grounds for suspicion, that the transaction, arrangements or the funds/property involved may relate to money laundering, a SAR must be submitted to the NCA and a defence (consent) sought to proceed with that transaction or activity. In such circumstances, it is an offence for a nominated officer to agree to a transaction or activity going ahead within the seven working day notice period from the working day following the date of disclosure, unless the NCA provides a defence (gives consent). 167
The NCA cannot provide a defence (consent) after the transaction or activity has occurred. A defence (consent) request which is received after the transaction or activity has taken place will therefore be dealt with as an ordinary SAR.
In the casino environment, business is often conducted out of normal office hours. In addition, gambling transactions may sometimes be more 'immediate' than, for example, depositing funds into a bank account where the funds may be withdrawn at a later date. In these circumstances it may sometimes not be feasible or practical to obtain a defence (appropriate consent) prior to or during a transaction. Knowledge or suspicion of money laundering or terrorist financing may be triggered after a customer has completed all the stages of a gambling transaction (bought in, played and then cashed out). Under those circumstances, it may be reasonable to report after the transaction. However, the defence of 'reasonable excuse' when reporting after the transaction is untested by case law and should be considered on a case-by-case basis. 168 Where the relationship with the customer is expected to have an element of duration and involves numerous transactions, it is advisable to seek a defence (consent) prior to transacting with the customer.
Casinos should include in their policies, procedures and controls details on how they will manage circumstances where there is knowledge or suspicion of money laundering or terrorist financing. If knowledge or suspicion is present, particularly if this occurs out of normal office hours, there must be a mechanism for involvement of the senior manager on duty and contact with the nominated officer as soon as is practicable. If the circumstances amount to reasonable grounds to suspect, then reporting the matter to the nominated officer should be sufficient, and for the nominated officer to receive the matter at the earliest practicable opportunity.
The nominated officer will need to think very carefully about whether or not to continue to do business with the suspected customer. Relevant considerations should be the potential commission of criminal offences under POCA or the Terrorism Act (opens in a new tab), as well as potential damage to business reputation and other commercial factors.
Casino operators should note in our view, the reporting defence is not intended to be used repeatedly in relation to the same customer.
In the case of repeated SAR submissions on the same customer, it is the Commission’s view that this is not a route by which operators can guarantee a reporting defence retrospectively. If patterns of gambling lead to an increasing level of suspicion of money laundering, or to actual knowledge of money laundering, operators must seriously consider whether they wish to allow the customer to continue using their gambling facilities. Casino operators are, of course, free to terminate their business relationships if they wish and, provided this is handled appropriately, there will be no risk of 'tipping off' or prejudicing an investigation. However, operators should think about liaising with the law enforcement investigating officer to consider whether it is likely that termination of the business relationship would alert the customer or prejudice an investigation in any other way.
They should deal with the issue in their policies, procedures and controls. As all operators are at risk of committing the principal offences, it is advisable to consider these issues carefully before they arise in practice.
For example, the casino operator may consider one transaction to be suspicious and report it to the NCA accordingly, but may be less concerned that all of an individual’s future transactions are suspicious. In these circumstances, each transaction should be considered on a case-by-case basis and reports made accordingly, and a defence (appropriate consent) sought where necessary. Where subsequent reports are also made after actual or suspected money laundering or terrorist financing has taken place or appears to have taken place, the nominated officer is encouraged to keep records about why reporting was delayed, and about why a defence (appropriate consent) was not requested before the suspected money laundering or terrorist financing took place.
Where SAR Online is used and a defence (appropriate consent) is needed, this can be done by ticking the 'consent requested' box. Alternatively, requests can be faxed to the NCA UKFIU Consent Desk (see the NCA (opens in a new tab). You are advised to make it explicit in your report that you are seeking a defence (consent) from the NCA.
Requests must be for a specified activity (or specified series of activities) and should not be open-ended, such as seeking a defence (consent) to 'handle all business dealings or transactions' relating to the subject of the request or the relevant account.
The UKFIU Consent Desk applies the criteria set out in the Home Office Circular 029/2008 Proceeds of Crime Act 2002: Obligations to report money laundering – the consent regime 169 to each request for a defence (consent), carry out the necessary internal enquiries, and will contact the appropriate law enforcement agency, where necessary, for a consent recommendation. Once the NCA’s decision has been reached, the disclosing nominated officer will be informed of the decision by telephone, and be given a reference number, which should be recorded. A formal letter from the NCA will follow.
Home Office Circular 029/2008 contains guidance on the operation of the consent regime in POCA. It was issued to ensure consistency of practice on the part of law enforcement in considering requests for consent under Part 7 (opens in a new tab) of POCA. This was in response to concerns from the financial services industry and other sectors and professions that decisions should be taken in an effective and proportionate way, with due engagement with all participants. The circular was formulated in agreement with key partner agencies and sets out the high-level principles by which the law enforcement agencies should make decisions on consent, and how these principles should be applied.
Although POCA provides that consent can be granted by a constable (which includes authorised NCA officers) or a customs officer, there is a recognised need to ensure that the practices of all law enforcement agencies are consistent in this area. Therefore, as a result of the circular, the NCA operates as the national centre for all authorised disclosures and for the issue of decisions concerning the granting or refusal of a defence (consent). To avoid confusion those making requests for a defence (consent) should route requests through the NCA. The decision-making process will consist of a collaborative effort between the NCA and the other law enforcement agencies, with the latter providing a recommendation to the NCA. While the final decision will be taken by the NCA, in most cases it is likely to be based largely on the recommendation provided by the interested law enforcement agency.
All requests for a defence (consent) are dealt with by the NCA on a case-by-case basis. It may take the maximum of seven working days to deal with a defence (consent) request, however, in most cases the NCA is able to respond to requests for a defence (consent) within three days. 170 Nominated officers should take this into account when deciding whether it is practical and reasonable to request a defence (consent) prior to the transaction or activity, rather than making a report after the transaction or activity.
In the event that the NCA does not refuse a request for a defence (consent) within seven working days (the notice period) following the working day after the report is made, the casino operator may continue to transact with the customer. However, if the request for a defence (consent) is refused within that period, the NCA can prevent the transaction or activity for a further 31 calendar days (the moratorium period) from the day the request for a defence (consent) is refused.
Once a matter has been appropriately reported to the NCA, the decision to proceed or not to proceed with a transaction or arrangement remains with the casino operator. Even if a defence (consent) is obtained from the NCA, the operator is not obliged to proceed with the transaction or arrangement.
Casino operators should note that a defence (consent) only applies in relation to individual prohibited acts and cannot provide cover to deal with a particular customer. Any subsequent activity will require separate consideration and, if necessary, separate requests for a defence from the NCA. Where a single money laundering offence consists of a course of conduct, the NCA may give consent for a series of similar transactions over a specified period. In cases where there is a range of different money laundering offences that may be committed, such as acquiring (section 329(1)(a) of POCA) (opens in a new window) and transferring (section 327(1)(d) of POCA) (opens in a new window) criminal property, the NCA may give a single consent to that person being concerned in an arrangement to facilitate acquisition and use under section 328(1) (opens in a new tab) of POCA.
The NCA’s ability to grant a defence (consent) in such circumstances will depend on having sufficient detail about the future course of activity or repeated transactions in order to make an informed decision. This is considered on a case-by-case basis. It is not possible for the NCA to give 'blanket' consent for a reporter to carry out all activity and transactions on a suspicious account, individual or arrangement.
The NCA cannot give advice to nominated officers and casino operators in relation to the specific circumstances where SARs should be submitted or the terms for requesting a defence (appropriate consent).
Comprehensive guidance on requesting a defence is available on the NCA’s website (opens in new tab).171
For the purposes of this section, 'British customer' is inferred to mean a customer who is physically located in Great Britain when they use gambling facilities provided in reliance on a remote casino licence issued by the Commission, regardless of their usual residential address.
'Non-British customer' on the other hand means a customer who is not physically located in Great Britain when they use gambling facilities provided in reliance on a remote casino licence issued by the Commission, regardless of their usual residential address.
The Commission is aware that some remote casino operators not physically located in Great Britain may be required by local law to report instances of known or suspected money laundering activity by British customers to the FIU of the jurisdiction in which the operator is situated, rather than the NCA.
The Commission's view is that remote casino operators should report suspicious activity to the authorities in the area where the remote gambling equipment used in the specific suspicious transaction is located. However, in relation to transactions concerning British customers, it is the Commission's view that such reports should also be received by the authorities in this jurisdiction.
Where any of the remote gambling equipment used in a transaction which is known or suspected to involve money laundering is located in Great Britain (as well as equipment located in Northern Ireland), the known or suspected money laundering activity must be reported to the NCA. Operators must provide the Commission with the unique reference numbers allocated by the UKFIU of the NCA, for reports submitted by them, within five working days of receipt thereof, in accordance with licence condition 15.2.1.
Where the remote gambling equipment used in a transaction which is known or suspected to involve money laundering is located outside Great Britain, but involves a British customer, and the jurisdiction in which the equipment is located is not a member of the Egmont Group (or the jurisdiction does not include gambling businesses under AML or CTF legislation, or prohibits online gambling), the known or suspected money laundering activity must be reported to the NCA. Operators must provide the Commission with the unique reference numbers allocated by the UKFIU of the NCA, for reports submitted by them, within five working days of receipt thereof, in accordance with licence condition 15.2.1.
In all other cases, the known or suspected money laundering activity must be reported to the FIU of the jurisdiction in which the remote gambling equipment used in a transaction, which is known or suspected to involve money laundering, is located. The relevant report will then be shared with the NCA through the Egmont Group, where appropriate.172 Where circumstances permit, operators should provide the Commission with the unique reference numbers allocated by the applicable FIU, for reports concerning British customers, within five days of receipt thereof.
These reporting requirements are summarised in the following table.
|Customer||Location of remote gambling equipment||Member of Egmont Group?||Report suspicious activity to||Unique reference numbers (URNs)|
|British or Non-British customer*||Britain** or Northern Ireland||Yes||NCA||Operators should provide the Commission with the URNs allocated by the NCA within five working days|
|British customer*||Outside Britain**||No
Yes, but domestic FIU does not receive gambling SARs
Country prohibits online gambling
|NCA||Operators should provide the Commission with the URNs allocated by the NCA within five working days|
|British or Non-British customer*||Outside Britain**||Yes||Domestic FIU***||Where circumstances permit, operators should provide the Commission with the URNs allocated by the FIU, for reports concerning British customers, within five working days|
* See suspicious activity reporting requirements for remote casinos
** Britain means England, Scotland and Wales
*** In the case of operators where the remote gambling equipment used in a transaction which is known or suspected to involve money laundering is located in Gibraltar and involves a British customer, known or suspected money laundering activity must be reported to the Gibraltar FIU and the UKFIU.
Where remote casino operators wish to make use of the defences provided by sections 327(2)(a) (opens in a new tab), 328(2)(a) (opens in a new tab) and 329(2)(a) (opens in a new tab) of POCA where they believe that, by proceeding with a transaction with a British customer, they will be committing a prohibited act, they should apply for a defence (appropriate consent), in accordance with section 335 (link opens in a new tab) of POCA, from the NCA.173
POCA and the Terrorism Act (opens in a new tab) create offences of failing to report suspicious activity174 . Where a person fails to comply with the obligations to make disclosures to a nominated officer and/or the NCA as soon as practicable after the information giving rise to the knowledge or suspicion comes to the employee, they are open to criminal prosecution.
For all failure to disclose offences under POCA, it will be necessary to prove that the person or nominated officer either:
Casino operators and nominated officers, therefore, must comply with the reporting requirements imposed on them by POCA and the Terrorism Act (opens in a new tab).
When an enquiry is under investigation, the investigating officer may contact the nominated officer to ensure that they have all the relevant information which supports the original SAR. This contact may also include seeking supplementary information or documentation from the reporting operator and from other sources by means of a court order.
The investigating officer will work closely with the nominated officer, who will usually receive direct feedback on the stage reached in the investigation. There may, however, be cases when the nominated officer cannot be informed of the state of the investigation, either because of the confidential nature of the enquiry or because the case is being considered by a court.
POCA therefore, in this regard, contains separate offences of tipping off and prejudicing an investigation. These offences are similar and overlapping, but there are also significant differences between them. It is important for those working in the regulated sector to be aware of the conditions for each offence. Each offence relates to situations where the information on which the disclosure was based came to the person making the disclosure in the course of a business in the regulated sector. The Terrorism Act contains similar offences177 . There are a number of disclosures which are permitted and that do not give rise to these offences. More details are in the following section.
Once an internal or external report of suspicious activity has been made, it is a criminal offence for anyone to release information that is likely to prejudice an investigation that might be conducted following that disclosure. An offence is not committed if the person does not know or suspect that the disclosure is likely to prejudice an investigation, or if the disclosure is permitted under POCA or the Terrorism Act178 . Reasonable enquiries of a customer, conducted in a tactful manner, regarding the background to a transaction or activity that is inconsistent with the normal pattern of activity is prudent practice, forms an integral part of CDD measures and should not give rise to tipping off.
Where a confiscation investigation, a civil recovery investigation, a detained cash investigation or a money laundering investigation is being, or is about to be, conducted, it is a criminal offence for anyone to disclose this fact if that disclosure is likely to prejudice the investigation. It is also a criminal offence to falsify, conceal, destroy or otherwise dispose of documents which are relevant to the investigation (or to cause or permit these offences). It is, however, a defence if the person does not know or suspect that disclosure is likely to prejudice the investigation, or if the disclosure is permitted under POCA or the Terrorism Act. More details are in the following section.
An employee, officer or partner of a casino operator does not commit an offence under POCA or the Terrorism Act if the disclosure is to an employee, officer or partner of the casino operator.180
The fact that a transaction is notified to the NCA before the event, and the NCA does not refuse a request for a defence (consent) within seven working days following the day after disclosure is made, or a restraint order is not obtained within the moratorium period, does not alter the position so far as 'tipping off' is concerned.
The judgement in K v Natwest  EWCA Civ 1039 confirmed the application of these provisions. The judgement in this case also dealt with the issue of suspicion stating that the ‘The existence of suspicion is a subjective fact. There is no legal requirement that there should be reasonable grounds for the suspicion. The relevant bank employee either suspects or he does not. If he does suspect, he must (either himself or through the Bank’s nominated officer) inform the authorities.’ It was further observed that the ‘truth is that Parliament has struck a precise and workable balance of conflicting interests in the 2002 Act’. The Court appears to have approved of the seven and 31 day scheme and said that, in relation to the limited interference with private rights that this scheme entails, ‘many people would think that a reasonable balance has been struck’. A copy of the judgement is available on the NCA website (opens in a new tab).
The existence of a SAR cannot be revealed to any customer of the casino at any time, whether or not a defence (consent) has been requested. However, there is nothing in POCA which prevents casino operators from making normal enquiries about customer transactions in order to help remove any concerns about the transaction and enable the operator to decide whether to proceed with the transaction. These enquiries will only constitute tipping off if the operator discloses that a SAR has been made to the NCA or a nominated officer, or that a money laundering investigation is being carried out or is being contemplated.
The combined effect of these two offences is that one or other of them can be committed before or after a disclosure has been made.
The offence of money laundering, and the duty to report under POCA, apply in relation to the proceeds of any criminal activity, wherever conducted, including abroad, that would constitute an offence if it took place in the UK. A person does not commit an offence where it is known or believed, on reasonable grounds, that the conduct occurred outside the UK; and the conduct was not criminal in the country where it took place. However, if the criminal activity would constitute an offence in the UK if committed here and would be punishable by imprisonment for a maximum term in excess of 12 months, then the defence does not apply, except if the offence is an offence under section 23 or 25 of the Financial Services and Markets Act 2000 (link opens in new tab).
There is also a specific offence of failure to disclose terrorist financing which was added to the Terrorism Act through the Anti-terrorism Crime and Security Act 2001 (link opens in a new tab). This offence is limited to the regulated sector, which includes casinos. The offence can be committed if a person forms knowledge or suspicion of terrorist financing or reasonable grounds for suspecting terrorist financing during the course of working for a casino, but does not make a report. Guidance issued by the Commission and approved by HM Treasury must be taken into account by any court considering whether this offence has been committed.182
Normal customer enquiries will not, in the Commission’s view, amount to tipping off or prejudicing an investigation under POCA unless you know or suspect that a SAR has already been submitted and that an investigation is current or impending and make the enquiries of the customer in a way that it discloses those facts. Indeed, such customer enquiries are likely to be necessary not only in relation to money laundering but also in connection with social responsibility duties (for example, problem gambling). In regard to this offence, counter or frontline staff may not be aware that the nominated officer has submitted a SAR to the NCA. Reasonable and tactful enquiries regarding the background to a transaction or activity that is inconsistent with the customer’s normal pattern of activity is good practice, forms an integral part of CDD measures (and may be driven by social responsibility concerns) and should not give rise to tipping off or the prejudicing of an investigation.
If patterns of gambling lead to an increasing level of suspicion of money laundering, or even to actual knowledge of money laundering, casino operators should seriously consider whether they wish to allow the customer to continue using their gaming facilities. If a casino operator wishes to terminate a customer relationship, provided this is handled sensitively, there will be low risk of tipping off or prejudicing an investigation. However, if the decision has been made to terminate the relationship and there is a remaining suspicion of money laundering with funds to repatriate, consideration should be given to asking for a defence (appropriate consent).
In circumstances where a law enforcement agency requests a casino operator to continue trading with a customer as they conduct further investigations, the operator is advised to record the factors considered when agreeing or declining to do so (for example, the risks of participating in such activity, assurances provided by law enforcement, possible money laundering offences, relevant timescales provided, the gravity of the offences being investigated and the purpose of the request), and how this may change the management of risks to the licensing objectives. Given the casino operator’s heightened exposure to risk, it is advisable for the operator to ask for confirmation in writing of such requests from law enforcement. The operator should also continue to submit SARs and/or seek a defence (consent) from the NCA if they decide to continue with a business relationship with such customers.
Note: Casino operators should undertake risk assessments of each premises and each remote site and: (a) look at the average drop/win per customer, and (b) risk assess each customer.
Note: Risk-based approach – operator analysis of spending behaviours at each premises and an objective assessment made of the likelihood of customers reaching the threshold. Measures then put in place need to capture all customers likely to hit the threshold.
Note: Risk-based approach – operator analysis of spending behaviours and an objective assessment made of the likelihood of customers reaching the threshold. Measures then put in place need to capture all customers likely to hit the threshold.
Note: Operators should devise and implement a clear and articulated policy and procedure for ensuring all relevant employees are aware of their legal obligations in respect of the prevention of money laundering and terrorist financing.
A term used to describe commerce transactions between businesses, or the exchange of products, services or information between businesses. In other words, it is business which is conducted between firms, rather than between firms and consumers (or customers)
Firms holding a casino operating licence issued by the Commission.
In the context of gambling, the use of the proceeds of crime to fund gambling as a leisure activity (otherwise known as lifestyle spend)
Countering terrorist financing.
The process of capturing drop and win data for a customer.
Data recorded by casinos that covers the total value of chips purchased as well as the total loss or win for a customer over a 24- hour period.
The process by which criminal or 'dirty' money is legitimised or made 'clean', including any action taken to conceal, arrange, use or possess the proceeds of any criminal conduct. Defined in section 340 of POCA
Casinos licensed to operate commercial casino premises.
Firms holding an operating licence issued by the Commission
Personal functional licence.
The Proceeds of Crime Act 2002, which is intended to reduce money laundering and the profitability of organised crime through the use of tools such as asset recovery
Personal management licence.
Property from which a person benefits directly or indirectly, by being party to criminal activity, for example stolen money, money from drug dealing or property stolen in a burglary or robbery
Casinos licensed to offer casino games by means of remote communication.
A suspicious activity report – the means by which suspicious activity relating to possible money laundering or the financing of terrorism is reported to the NCA under POCA or the Terrorism Act
Where the funds, money or cash to finance the transaction come from
The origin of a person’s overall body of wealth (that is, their total assets), which should give an indication of the volume of wealth the person actually has, and how they acquired it.
Supervisory authorities, which are listed in regulation 7 of the Regulations. The Commission is the supervisory authority for casinos.
The Gambling Act 2000
The Gambling Commission
The National Crime Agency, which became operational in October 2013, is a crime-fighting agency with national and international reach that works in partnership with other law enforcement organisations to cut serious and organised crime. The NCA is the organisation to which suspicious activity is reported
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
The Terrorism Act 2000
A country which is outside the United Kingdom
The United Kingdom Financial Intelligence Unit, which is the unit within the NCA that operates the disclosure regime for money laundering.