Daub Alderney Limited Decision Notice
On 12 January 2018 the Gambling Commission (the Commission) gave Daub Alderney Limited (the Licensee) notice that we were commencing a review of its operating licence. We commenced a review under section 116(2) of the Gambling Act 2005 (the Act) because:
- we had reason to suspect that activities may have been carried on in purported reliance on the licence but not in accordance with a condition of the licence (section 116(2)(a));
- we suspected that the Licensee may be unsuitable to carry on the licensed activities (section 116(2)(c)(i)); and
- we were of the view that a review would be appropriate (section 116(2)(c)(ii)).
On 18 April 2018 it was decided to refer the case to the Commission’s Regulatory Panel for a decision.
The Regulatory Panel has found that the Licensee:
- breached conditions of its licence relating to anti-money laundering measures (AML)
- failed to comply with social responsibility codes of practice.
In line with the Commission’s Licensing, compliance and enforcement policy statement, the Indicative Sanctions Guide and the Statement of Principles for determining Financial Penalties, the Regulatory Panel has decided to:
- Issue a warning under section 117(1)(a) of the Act
- Impose additional conditions to the Licensee’s operating licence under section 117(1)(b) of the Act; and
- Impose a financial penalty under section 121 of the Act in the sum of £7,100,000.
This summary of the Regulatory Panel decision sets out the relevant facts of the case, licence condition and social responsibility code of practice provisions, the findings and the outcome of the review.
Daub Alderney Limited Summary of Regulatory Panel decision
Findings of fact
The Regulatory Panel accepted the accuracy of the factual matters set out in the Commission’s Case Summary. The following facts were stated in the Case Summary.
Licence condition 184.108.40.206 requires an operator to conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessments must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic, or any other material changes, and in any event reviewed at least annually.
This licence condition has been in force since October 2016. The Gambling Commission provides guidance on risk assessments in the ‘The Prevention of Money Laundering and Combating the Financing of Terrorism - Guidance for remote and non-remote casinos’. An appropriate risk assessment allows operators to identify risks relevant to their business, including the risks associated with the customers they transact with, and conduct effective customer due diligence on the basis of this assessment, among other things.
Commission Officials found when they completed a corporate evaluation in June/July 2017 that the appropriate risk assessment was not in place. The Commission made the Licensee aware of the requirement at the time and in a letter of 5 October 2017.
In its responses, the Licensee accepted that it had breached this licence condition and subsequently provided a risk assessment approved by its Board on 23 February 2018. The Licensee mitigated that it had carried out internal audits and reviews during 2016/2017 which it considered tantamount to a risk assessment.
Licence condition attached to the licence on 1 November 2014 and Licence Condition 220.127.116.11 - Anti money laundering measures for operators based in foreign jurisdictions.
The Licensee was required to put in place and implement the measures described in Parts 2 and 3 of the Money Laundering Regulations 2007 (superseded by The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017) insofar as they relate to casinos.
Commission Officials found that the Licensee did not:
- conduct appropriate ongoing monitoring of a business relationship (Regulation 14 of the 2007 Regulations).
- apply, on a risk-sensitive basis, sufficient enhanced customer due diligence measures and enhanced ongoing monitoring in situations which by their nature present a higher risk of money laundering (Regulation 14 of the 2007 Regulations).
- keep full records of the evidence and supporting documents it considered as part of its customer due diligence checks and business relationship with the customer (Regulation 19 of the 2007 Regulations).
- establish and maintain appropriate and risk-sensitive policies and procedures relating to specified matters in order to prevent activities related to money laundering and terrorist financing (Regulation 20 of the 2007 Regulations).
- provide relevant staff with regular training in how to recognise and deal with transactions and other activities which may relate to money laundering or terrorist financing (Regulation 21 of the 2007 Regulations).
In relation to the 2017 Regulations, Commission officials had set out examples where they considered that the Licensee had failed to consistently apply enhanced customer due diligence and enhanced ongoing monitoring on a risk-sensitive basis, contrary to regulations 28 and 33 of the 2017 Regulations. Regulation 28(11) of the 2017 Regulations requires the Licensee to conduct ongoing monitoring (which includes scrutiny of the transactions undertaken by the customer throughout the course of the business relationship, including the source of funds), and Regulation 33 of the 2017 Regulations includes the requirement to apply enhanced customer due diligence measures and enhanced ongoing monitoring in situations where there is a high risk of money laundering or terrorist financing.
The Licensee accepted that at the time of the corporate evaluation, it had not been compliant with the 2007 Regulations and was not compliant with the 2017 Regulations. It agreed that it had failed to document in adequate detail its risk-sensitive policies and procedures relating to anti-money laundering (AML) and terrorist financing.
In addition the Licensee accepted that whilst it was subject to the 2007 Regulations, improvements could have been made to the training provided to staff in how to recognise and deal with transactions and other activities which may relate to money laundering or terrorist financing. The Licensee stated that at the time of the corporate evaluation it had recognised the need for a training program which it had put in place and that by September 2017 appropriate additional training was in place.
The Licensee asserted that since the Commission's corporate evaluation in June and July 2017, it had made significant improvements in its anti-money laundering and counter-terrorist financing policies and procedures. It indicated improvements included the lowering of financial alerts, a consistency of alerts across platforms and the ability to review customer activity across its platforms. The Licensee indicated it had now addressed the backlog completely and had successfully filtered its entire database against its revised alerts.
The Licensee highlighted the following action that it had taken:
- it had reviewed the customers identified by the Commission during the corporate evaluation and referred to in our letter of 5 October 2017. The Licensee accepted it had made insufficient enhanced due diligence (EDD) and source of funds (SOF) enquiries in respect of those customers but did indicate that it had made some enquiries.
- in November 2017, it had carried out an extensive review of its customer base to rectify SOF issues. In doing so it had decided that its financial alert for requesting SOF from its customers should be a life time deposit of £50,000. This alert had identified 742 customers who had not provided sufficient and acceptable SOF. It has now sought appropriate information from those customers and where it has received insufficient assurance, it has closed those accounts;
- subsequently it had reviewed the £50,000 life time deposit figure, having taken the view that it was distorting its risk based approach. It decided that a more effective approach was to use a time framed approach; with an alert of £50,000 deposits by a customer within a rolling twelve month period. In using this alert across its customer base it identified 63 from whom satisfactory SOF information had not been received. The Licensee indicated it has ceased transacting with those customers and accounts have been blocked to prevent deposits/withdrawals.
Licence condition 18.104.22.168 - Licensees must have appropriate policies, procedures and controls to prevent money laundering and terrorist financing; and Breach of Licence condition 22.214.171.124. Such policies, procedures and controls are implemented effectively, kept under review and revised appropriately.
Officials found that at the time of the corporate evaluation:
- the Licensee’s AML policy did not appear effective in particular in relation to establishing SOF and ongoing monitoring of its customer base.
- the Licensee’s AML policies and procedures (latest dated March 2016) had not been assessed as required with no version history to evidence any reviews.
- the Licensee did not have adequate staff resource engaged in its customer due diligence teams, leading to delays in processing information gathered about customer activity
- no mitigation of the risk was put in place at the time of the staff shortages.
In its response the Licensee accepted that at the time of the corporate evaluation its written policies and procedures needed improvement. It accepted that it required additional resource within its compliance team, but it said it had provided some mitigation to the risk by providing resource from other business areas.
The Licensee indicated that it had taken a number of actions to address the Commission’s preliminary findings including:
- a Risk and Regulatory Compliance Committee (Committee) was now in place to provide oversight of compliance issues and link to its parent company Stride putting compliance firmly at the heart of its business;
- it had improved its management structure appointing a Director of Compliance and MLRO, a deputy MLRO and increasing staffing within its compliance team. The Licensee was in addition recruiting a new MLRO;
- with the assistance of external support, the Licensee had improved its written policies and procedures to ensure full compliance with the 2017 Regulations. The Licensee provided its updated Anti Money Laundering Policies approved by the board on 27 March 2018 and asserted that it was exploring options of further support from third party providers to identify a more detailed assessment of overall AML risk of players;
- the appointment of a Fraud & Risk Training and QA Manager responsible for compliance with training requirements.
Code of practice issued under Section 24 Gambling Act 2005 - Social Responsibility Code 3.4.1 Customer Interaction. Compliance with a social responsibility code provision (SRCP) is a condition of the Licence by virtue of Section 82(1) of the Act.
Licensees must put into effect policies and procedures for customer interaction when they have concerns that a customer’s behaviour may indicate problem gambling. Code provision 3.4.1.e requires specific provision for making use of all relevant sources of information to ensure effective decision making, and to guide and deliver effective customer interaction including in particular:
- provision to identify at risk customers who may not be displaying obvious signs of, or overt behaviour associated with, problem gambling; this should be by reference to indicators such as time or money spent.
- specific provision in relation to customer designated by the Licensee as ‘high value’, ‘VIP’ or equivalent.
Commission officials found that at the time of the corporate evaluation there were significant limitations in the Licensee’s ability to proactively identify and mitigate risk. This manifested itself in terms of resource, systems, and controls, for example:
- the Social Responsibility policy and procedure was not sufficient - it only gave examples to staff of potential issues as opposed to outlining detailed action to be taken to mitigate risk, and there were no specific policies for VIP customers;
- there had been insufficient resources for identifying and mitigating SR risk.
- while examples were seen of action taken in respect of complaints relating to problem gambling, adequate systems and controls to proactively identify potential problem gambling were not in place. Officials saw no evidence to show that daily reports from the Licensee’s systems were used appropriately to identify patterns of play which may point to customers potentially having gambling problems which would require a proactive customer interaction. Officials noted that issues which related to the identification of AML risk, such as payment details not matching the customer and duplicate accounts, were not used to identify customers with potential gambling problems such as previously self-excluded individuals attempting to gamble using a relative’s payment card.
- customer bases were not joined up and the whole of the Licensee’s customer base could only be searched using a manual process involving an ad hoc report.
- Officials saw evidence of customers being offered free spins or Amazon vouchers to retain their business, but it was not clear that this was appropriate.
In its response, the Licensee acknowledged that, at the time of the corporate evaluation policies and procedures for customer interaction were not sufficient to identify problem gambling and could have been improved. The Licensee indicated that it was working with external advisors to make improvements to its responsibility policies and procedures. The Licensee:
- provided the Commission with an improved social responsibility policy which included specific provision in respect of VIP customers; and confirmed that its automated ‘early warning system’ in respect of responsible gambling functioning was in place.
- recognised that its resourcing had not been sufficient and indicated that it had recruited additional staff members to address the concerns.
- indicated that it had put in place a series of enhanced social responsibility alerts and these had been applied across both of its platforms.
Code of practice issued under Section 24 Gambling Act 2005 - Social Responsibility Code 126.96.36.199 self-exclusion. Compliance with a social responsibility code provision (SRCP) is a condition of the Licence by virtue of Section 82(1) of the Act.
On 7 September 2017, the Licensee notified the Commission of a technical failure that arose in its automated system where customers who elected to self-exclude from their platform were still able to open and/or access accounts on their casino accounts. Between 14 July and 1 September 2017, 98 self-exclusion emails and 30 problem gambling emails were not directed to customer service. 73 of the affected customers were able to continue to play depositing £17,830.33. Officials noted that the Licensee has now refunded this money to the customers.
Officials accepted that this was a technical issue and not a deliberate breach. Officials nevertheless noted that this failure occurred for such a period of time and is likely to have had a significant impact on the self-excluded customers as they were able to continue to deposit funds into, and play on, their accounts.
Code of practice issued under Section 24 Gambling Act 2005 Social responsibility code 6.1.1 Complaints and disputes. Compliance with a social responsibility code provision (SRCP) is a condition of the Licence by virtue of Section 82(1) of the Act.
At the time of the corporate evaluation, the Licensee had not put into effect a written procedure for handling customer complaints and disputes. Commission officials noted that the Licensee did have a defined complaint handling procedure and had appointed eCOGRA as its Alternative Dispute Resolution (ADR) service provider.
In its response the Licensee provided the Commission with a written complaints resolution policy.
The Panel found:
- that the Licensee did not have an appropriate risk assessment in place until February 2018. Its failure constituted a breach of licence condition 188.8.131.52 of its operating licence.
- that the Licensee had failed to implement the measures described in Parts 2 and 3 of the Money Laundering Regulations 2007 as it had not:
  - conducted ongoing monitoring of a business relationship
  - applied, on a risk-sensitive basis, enhanced customer due diligence measures and enhanced ongoing monitoring in situations which by their nature present a higher risk of money laundering
  - kept full records of evidence and supporting documents it considered as part of its customer due diligence checks and business relationship with the customer
  - established and maintained appropriate and risk-sensitive policies and procedures relating to specified matters to prevent activities relating to money laundering and terrorist financing
  - provided relevant staff with regular training in how to recognise and deal with transactions and other activities which may relate to money laundering or terrorist financing.

  Its failure constituted a breach of licence condition 184.108.40.206 of its operating licence.
- that the Licensee had failed to establish and maintain appropriate risk-sensitive policies, procedures and controls relating to the management of its customers (including the monitoring and management of compliance with such policies and procedures) to prevent activities relating to money laundering. In doing so, the Panel found that the Licensee had breached conditions 220.127.116.11 and 18.104.22.168 of its operating licence.
- that the Licensee failed to put into effect policies and procedures for customer interaction in accordance with the requirements of SR Code 3.4.1 and at the time of the Commission’s Corporate Evaluation there were significant limitations in the Licensee’s ability to proactively identify and mitigate risk.
- that the Licensee failed to put into effect procedures for self-exclusion or take all reasonable steps to refuse service or otherwise prevent an individual who has entered into a self-exclusion agreement from participating in gambling and in so doing failed to adhere to the requirements of SR code 22.214.171.124.
- that the Licensee, at the time of the Commission’s Corporate Evaluation, had not put into effect a written procedure for handling customer complaints and disputes and in failing to do so had failed to adhere to the SR code 6.1.1.
The Panel noted that the Licensee had undertaken several actions to rectify these failings since the Commission’s Corporate Evaluation in June 2017 to July 2017.
Daub Alderney Limited Decision
Approaching the decision as to what sanction(s), if any, should be imposed under section 117 of the Act the Panel referred to the Indicative sanctions guide (June 2017) and the Statement of principles for licensing and regulation (June 2017).
The Panel agreed that given the seriousness of the licence breaches it was appropriate to:
- issue the Licensee with a warning under section 117(1)(a) of the Act;
- impose the following additional licence conditions to the Licensee’s operating licence under section 117(1)(b) of the Act requiring the Licensee to:
  - appoint an appropriately qualified Money Laundering Reporting Officer who holds a Personal Management Licence (PML); in appointing the MLRO to ensure the individual must undertake annual refresher training in anti-money laundering and be able to evidence this to the Commission.
  - ensure that all personal management licence holders, senior management, and key control staff undertake outsourced anti money laundering training. All such staff must undertake outsourced refresher training annually thereafter. The Licensee continues to segregate funds as per Licence condition 4.1 at a level of ‘medium’ as defined by our guidance.
  - continue its review of the effectiveness and implementation of its anti-money laundering (AML) and social responsibility (SR) policies and procedures, and in addition engage external auditors, whose appointment and terms of reference must be agreed with the Commission, to sample the reviews that have been carried out to provide additional assurance as to the findings. The Commission requires the outcome of the review and subsequent action plan to implement any recommendations to be reported to the Commission by the person who assumes responsibility for this action, and that the Commission will have access to all the documents relating to the work.
The Panel also agreed that it was appropriate to impose a financial penalty under section 121 of the Act. In reaching this decision the Panel had regard to the Statement of principles for determining financial penalties (June 2017). The Panel concluded that it was appropriate for the Licensee to pay a financial penalty of £7,100,000 and that this was a proportionate outcome.